diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json index aad198c643..63dce77b81 100644 --- a/.openpublishing.publish.config.json +++ b/.openpublishing.publish.config.json @@ -49,22 +49,6 @@ "build_entry_point": "docs", "template_folder": "_themes" }, - { - "docset_name": "smb", - "build_source_folder": "smb", - "build_output_subfolder": "smb", - "locale": "en-us", - "monikers": [], - "moniker_ranges": [], - "open_to_public_contributors": false, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes" - }, { "docset_name": "store-for-business", "build_source_folder": "store-for-business", @@ -219,7 +203,6 @@ ], "git_repository_url_open_to_public_contributors": "https://github.com/MicrosoftDocs/windows-itpro-docs", "git_repository_branch_open_to_public_contributors": "public", - "skip_source_output_uploading": false, "need_preview_pull_request": true, "resolve_user_profile_using_github": true, "dependent_repositories": [ @@ -252,6 +235,7 @@ } }, "docs_build_engine": {}, + "skip_source_output_uploading": false, "need_generate_pdf_url_template": true, "contribution_branch_mappings": {}, "need_generate_pdf": false, diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index ad456cabb0..decbbc3864 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -420,6 +420,11 @@ "redirect_url": "/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering", "redirect_document_id": false }, + { + "source_path": "windows/security/threat-protection/windows-defender-application-control/citool-commands.md", + "redirect_url": "/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands", + "redirect_document_id": false + }, { "source_path": "devices/hololens/hololens-whats-new.md", "redirect_url": "/hololens/hololens-release-notes", @@ -700,6 +705,21 @@ "redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set", "redirect_document_id": false }, + { + "source_path": "store-for-business/device-guard-signing-portal.md", + "redirect_url": "/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business", + "redirect_document_id": false + }, + { + "source_path": "store-for-business/add-unsigned-app-to-code-integrity-policy.md", + "redirect_url": "/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control", + "redirect_document_id": false + }, + { + "source_path": "store-for-business/sign-code-integrity-policy-with-device-guard-signing.md", + "redirect_url": "/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering", + "redirect_document_id": false + }, { "source_path": "windows/security/threat-protection/device-guard/device-guard-deployment-guide.md", "redirect_url": "/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide", @@ -19924,6 +19944,11 @@ "source_path": "windows/client-management/mdm/wmi-providers-supported-in-windows.md", "redirect_url": "/windows/client-management/wmi-providers-supported-in-windows", "redirect_document_id": false + }, + { + "source_path": "windows/deployment/do/mcc-enterprise.md", + "redirect_url": "/windows/deployment/do/waas-microsoft-connected-cache", + "redirect_document_id": false }, { "source_path": "windows/client-management/advanced-troubleshooting-802-authentication.md", @@ -20149,11 +20174,126 @@ "source_path": "windows/deployment/update/update-status-admin-center.md", "redirect_url": "/windows/deployment/update/wufb-reports-admin-center", "redirect_document_id": false - }, + }, { "source_path": "windows/deployment/update/update-compliance-v2-workbook.md", "redirect_url": "/windows/deployment/update/wufb-reports-workbook", "redirect_document_id": false - } + }, + { + "source_path": "windows/configuration/kiosk-troubleshoot.md", + "redirect_url": "/troubleshoot/windows-client/shell-experience/kiosk-mode-issues-troubleshooting", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/start-layout-troubleshoot.md", + "redirect_url": "/troubleshoot/windows-client/shell-experience/troubleshoot-start-menu-errors", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/planning/features-lifecycle.md", + "redirect_url": "/windows/whats-new/feature-lifecycle", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/planning/windows-10-deprecated-features.md", + "redirect_url": "/windows/whats-new/deprecated-features", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/planning/windows-10-removed-features.md", + "redirect_url": "/windows/whats-new/removed-features", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/usmt/usmt-common-issues.md", + "redirect_url": "/troubleshoot/windows-client/deployment/usmt-common-issues", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/usmt/usmt-return-codes.md", + "redirect_url": "/troubleshoot/windows-client/deployment/usmt-return-codes", + "redirect_document_id": false + }, + { + "source_path": "windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md", + "redirect_url": "/troubleshoot/windows-client/windows-security/bitlocker-issues-troubleshooting", + "redirect_document_id": false + }, + { + "source_path": "windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md", + "redirect_url": "/troubleshoot/windows-client/windows-security/bitlocker-cannot-encrypt-a-drive-known-issues", + "redirect_document_id": false + }, + { + "source_path": "windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md", + "redirect_url": "/troubleshoot/windows-client/windows-security/bitlocker-cannot-encrypt-a-drive-known-tpm-issues", + "redirect_document_id": false + }, + { + "source_path": "windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md", + "redirect_url": "/troubleshoot/windows-client/windows-security/bitlocker-configuration-known-issues", + "redirect_document_id": false + }, + { + "source_path": "windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md", + "redirect_url": "/troubleshoot/windows-client/windows-security/decode-measured-boot-logs-to-track-pcr-changes", + "redirect_document_id": false + }, + { + "source_path": "windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md", + "redirect_url": "/troubleshoot/windows-client/windows-security/enforcing-bitlocker-policies-by-using-intune-known-issues", + "redirect_document_id": false + }, + { + "source_path": "windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md", + "redirect_url": "/troubleshoot/windows-client/windows-security/bitlocker-network-unlock-known-issues", + "redirect_document_id": false + }, + { + "source_path": "windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md", + "redirect_url": "/troubleshoot/windows-client/windows-security/bitlocker-recovery-known-issues", + "redirect_document_id": false + }, + { + "source_path": "windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues.md", + "redirect_url": "/troubleshoot/windows-client/windows-security/bitlocker-and-tpm-other-known-issues", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/windows-autopatch/prepare/index.md", + "redirect_url": "/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites", + "redirect_document_id": true + }, + { + "source_path": "windows/deployment/windows-autopatch/deploy/index.md", + "redirect_url": "/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts", + "redirect_document_id": true + }, + { + "source_path": "windows/deployment/windows-autopatch/operate/index.md", + "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management", + "redirect_document_id": true + }, + { + "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-unsupported-policies.md", + "redirect_url": "/windows/deployment/windows-autopatch/references/windows-autopatch-wqu-unsupported-policies", + "redirect_document_id": true + }, + { + "source_path": "windows/deployment/windows-autopatch/references/windows-autopatch-preview-addendum.md", + "redirect_url": "/windows/deployment/windows-autopatch/overview/windows-autopatch-overview", + "redirect_document_id": true + }, + { + "source_path": "windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md", + "redirect_url": "/azure/active-directory/authentication/howto-authentication-passwordless-security-key", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/hello-for-business/reset-security-key.md", + "redirect_url": "/azure/active-directory/authentication/howto-authentication-passwordless-security-key", + "redirect_document_id": false + } ] -} \ No newline at end of file +} diff --git a/README.md b/README.md index 824a7c6d56..98c771d56d 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,67 @@ +# Overview + +## Learn how to contribute + +Anyone who is interested can contribute to the topics. When you contribute, your work will go directly into the content set after being merged. It will then be published to [Microsoft Learn](https://learn.microsoft.com/) and you will be listed as a contributor at: . + +### Quickly update an article using GitHub.com + +Contributors who only make infrequent or small updates can edit the file directly on GitHub.com without having to install any additional software. This article shows you how. [This two-minute video](https://www.microsoft.com/videoplayer/embed/RE1XQTG) also covers how to contribute. + +1. Make sure you're signed in to GitHub.com with your GitHub account. +2. Browse to the page you want to edit on Microsoft Learn. +3. On the right-hand side of the page, click **Edit** (pencil icon). + + ![Edit button on Microsoft Learn.](https://learn.microsoft.com/compliance/media/quick-update-edit.png) + +4. The corresponding topic file on GitHub opens, where you need to click the **Edit this file** pencil icon. + + ![Edit button on github.com.](https://learn.microsoft.com/compliance/media/quick-update-github.png) + +5. The topic opens in a line-numbered editing page where you can make changes to the file. Files in GitHub are written and edited using Markdown language. For help on using Markdown, see [Mastering Markdown](https://guides.github.com/features/mastering-markdown/). Select the **Preview changes** tab to view your changes as you go. + +6. When you're finished making changes, go to the **Propose file change** section at the bottom of the page: + + - A brief title is required. By default, the title is the name of the file, but you can change it. + - Optionally, you can enter more details in the **Add an optional extended description** box. + + When you're ready, click the green **Propose file change** button. + + ![Propose file change section.](https://learn.microsoft.com/compliance/media/propose-file-change.png) + +7. On the **Comparing changes** page that appears, click the green **Create pull request** button. + + ![Comparing changes page.](https://learn.microsoft.com/compliance/media/comparing-changes-page.png) + +8. On the **Open a pull request** page that appears, click the green **Create pull request** button. + + ![Open a pull request page.](https://learn.microsoft.com/compliance/media/open-a-pull-request-page.png) + +> [!NOTE] +> Your permissions in the repo determine what you see in the last several steps. People with no special privileges will see the **Propose file change** section and subsequent confirmation pages as described. People with permissions to create and approve their own pull requests will see a similar **Commit changes** section with extra options for creating a new branch and fewer confirmation pages.

The point is: click any green buttons that are presented to you until there are no more. + +The writer identified in the metadata of the topic will be notified and will eventually review and approve your changes so the topic will be updated on Microsoft Learn. If there are questions or issues with the updates, the writer will contact you. + ## Microsoft Open Source Code of Conduct + This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/). -For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments. \ No newline at end of file + +For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments. + +### Contributing + +This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit . + +When you submit a pull request, a CLA-bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA. + +### Legal Notices + +Microsoft and any contributors grant you a license to the Microsoft documentation and other content in this repository under the [Creative Commons Attribution 4.0 International Public License](https://creativecommons.org/licenses/by/4.0/legalcode), see the [LICENSE](LICENSE) file, and grant you a license to any code in the repository under the [MIT License](https://opensource.org/licenses/MIT), see the [LICENSE-CODE](LICENSE-CODE) file. + +Microsoft, Windows, Microsoft Azure and/or other Microsoft products and services referenced in the documentation may be either trademarks or registered trademarks of Microsoft in the United States and/or other countries. + +The licenses for this project do not grant you rights to use any Microsoft names, logos, or trademarks. Microsoft's general trademark guidelines can be found at . + +Privacy information can be found at + +Microsoft and any contributors reserve all others rights, whether under their respective copyrights, patents, or trademarks, whether by implication, estoppel or otherwise. diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000000..e138ec5d6a --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,41 @@ + + +## Security + +Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include [Microsoft](https://github.com/microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet), [Xamarin](https://github.com/xamarin), and [our GitHub organizations](https://opensource.microsoft.com/). + +If you believe you have found a security vulnerability in any Microsoft-owned repository that meets [Microsoft's definition of a security vulnerability](https://aka.ms/opensource/security/definition), please report it to us as described below. + +## Reporting Security Issues + +**Please do not report security vulnerabilities through public GitHub issues.** + +Instead, please report them to the Microsoft Security Response Center (MSRC) at [https://msrc.microsoft.com/create-report](https://aka.ms/opensource/security/create-report). + +If you prefer to submit without logging in, send email to [secure@microsoft.com](mailto:secure@microsoft.com). If possible, encrypt your message with our PGP key; please download it from the [Microsoft Security Response Center PGP Key page](https://aka.ms/opensource/security/pgpkey). + +You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at [microsoft.com/msrc](https://aka.ms/opensource/security/msrc). + +Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue: + + * Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.) + * Full paths of source file(s) related to the manifestation of the issue + * The location of the affected source code (tag/branch/commit or direct URL) + * Any special configuration required to reproduce the issue + * Step-by-step instructions to reproduce the issue + * Proof-of-concept or exploit code (if possible) + * Impact of the issue, including how an attacker might exploit the issue + +This information will help us triage your report more quickly. + +If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Please visit our [Microsoft Bug Bounty Program](https://aka.ms/opensource/security/bounty) page for more details about our active programs. + +## Preferred Languages + +We prefer all communications to be in English. + +## Policy + +Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://aka.ms/opensource/security/cvd). + + diff --git a/browsers/edge/breadcrumb/toc.yml b/browsers/edge/breadcrumb/toc.yml index f417737985..83065b36a9 100644 --- a/browsers/edge/breadcrumb/toc.yml +++ b/browsers/edge/breadcrumb/toc.yml @@ -1,7 +1,3 @@ -- name: Docs - tocHref: / - topicHref: / - items: - - name: Microsoft Edge deployment - tocHref: /microsoft-edge/deploy - topicHref: /microsoft-edge/deploy/index \ No newline at end of file +- name: Microsoft Edge + tocHref: /microsoft-edge/ + topicHref: /microsoft-edge/index diff --git a/browsers/edge/docfx.json b/browsers/edge/docfx.json index d786e0bbfb..d36533a87e 100644 --- a/browsers/edge/docfx.json +++ b/browsers/edge/docfx.json @@ -28,7 +28,7 @@ ], "globalMetadata": { "recommendations": true, - "breadcrumb_path": "/microsoft-edge/deploy/breadcrumb/toc.json", + "breadcrumb_path": "/microsoft-edge/breadcrumbs/toc.json", "ROBOTS": "INDEX, FOLLOW", "ms.technology": "microsoft-edge", "audience": "ITPro", diff --git a/browsers/internet-explorer/includes/microsoft-365-ie-end-of-support.md b/browsers/internet-explorer/includes/microsoft-365-ie-end-of-support.md index 1a51b8977a..912ce707bd 100644 --- a/browsers/internet-explorer/includes/microsoft-365-ie-end-of-support.md +++ b/browsers/internet-explorer/includes/microsoft-365-ie-end-of-support.md @@ -1,7 +1,7 @@ --- author: aczechowski ms.author: aaroncz -ms.date: 10/27/2022 +ms.date: 12/16/2022 ms.reviewer: cathask manager: aaroncz ms.prod: ie11 @@ -9,6 +9,8 @@ ms.topic: include --- > [!WARNING] -> The retired, out-of-support Internet Explorer 11 (IE11) desktop application will be permanently disabled on certain versions of Windows 10 as part of the February 2023 Windows security update ("B") release scheduled for February 14, 2023. We highly recommend setting up IE mode in Microsoft Edge and disabling IE11 prior to this date to ensure your organization doesn't experience business disruption. +> **Update:** The retired, out-of-support Internet Explorer 11 desktop application is scheduled to be permanently disabled through a Microsoft Edge update on certain versions of Windows 10 on February 14, 2023. > -> For more information, see [aka.ms/iemodefaq](https://aka.ms/iemodefaq). +> We highly recommend setting up IE mode in Microsoft Edge and disabling IE11 prior to this date to ensure your organization does not experience business disruption. +> +> For more information, see [Internet Explorer 11 desktop app retirement FAQ](https://aka.ms/iemodefaq). diff --git a/education/docfx.json b/education/docfx.json index df077d1783..70b106e401 100644 --- a/education/docfx.json +++ b/education/docfx.json @@ -62,14 +62,6 @@ "garycentric" ] }, - "fileMetadata": { - "ms.localizationpriority": { - "windows/tutorial-school-deployment/**/**.md": "medium" - }, - "ms.topic": { - "windows/tutorial-school-deployment/**/**.md": "tutorial" - } - }, "externalReference": [], "template": "op.html", "dest": "education", diff --git a/education/images/EDU-FindHelp.svg b/education/images/EDU-FindHelp.svg deleted file mode 100644 index fea3109134..0000000000 --- a/education/images/EDU-FindHelp.svg +++ /dev/null @@ -1,32 +0,0 @@ - - - - -EDUAdmins-50px - - - - toolbox - - - - - - - - - - - diff --git a/education/images/EDUAdmins.svg b/education/images/EDUAdmins.svg deleted file mode 100644 index d512fb942f..0000000000 --- a/education/images/EDUAdmins.svg +++ /dev/null @@ -1 +0,0 @@ -EDUAdmins-50px \ No newline at end of file diff --git a/education/images/EDUDevelopers.svg b/education/images/EDUDevelopers.svg deleted file mode 100644 index 900159699a..0000000000 --- a/education/images/EDUDevelopers.svg +++ /dev/null @@ -1 +0,0 @@ -EDUDevelopers-50px \ No newline at end of file diff --git a/education/images/EDUPartners.svg b/education/images/EDUPartners.svg deleted file mode 100644 index 01b80c9a42..0000000000 --- a/education/images/EDUPartners.svg +++ /dev/null @@ -1 +0,0 @@ -EDUPartners-50px \ No newline at end of file diff --git a/education/images/M365-education.svg b/education/images/M365-education.svg deleted file mode 100644 index 9591f90f68..0000000000 --- a/education/images/M365-education.svg +++ /dev/null @@ -1,171 +0,0 @@ - - - - - M365-education - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/education/images/MSC17_cloud_005.png b/education/images/MSC17_cloud_005.png deleted file mode 100644 index dfda08109c..0000000000 Binary files a/education/images/MSC17_cloud_005.png and /dev/null differ diff --git a/education/images/MSC17_cloud_012_merged.png b/education/images/MSC17_cloud_012_merged.png deleted file mode 100644 index 4defcaa59c..0000000000 Binary files a/education/images/MSC17_cloud_012_merged.png and /dev/null differ diff --git a/education/images/data-streamer.png b/education/images/data-streamer.png deleted file mode 100644 index 6473d9da33..0000000000 Binary files a/education/images/data-streamer.png and /dev/null differ diff --git a/education/images/education-ms-teams.svg b/education/images/education-ms-teams.svg deleted file mode 100644 index 2d1396b3f7..0000000000 --- a/education/images/education-ms-teams.svg +++ /dev/null @@ -1,258 +0,0 @@ - - - - - education-pro-usb copy - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/education/images/education-partner-aep-2.svg b/education/images/education-partner-aep-2.svg deleted file mode 100644 index 6bf0c2c3ac..0000000000 --- a/education/images/education-partner-aep-2.svg +++ /dev/null @@ -1,84 +0,0 @@ - - - - - education-partner-aep-2 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/education/images/education-partner-directory-3.svg b/education/images/education-partner-directory-3.svg deleted file mode 100644 index ba8f644949..0000000000 --- a/education/images/education-partner-directory-3.svg +++ /dev/null @@ -1,95 +0,0 @@ - - - - - education-partner-directory-3 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/education/images/education-partner-mepn-1.svg b/education/images/education-partner-mepn-1.svg deleted file mode 100644 index b2585e2969..0000000000 --- a/education/images/education-partner-mepn-1.svg +++ /dev/null @@ -1,103 +0,0 @@ - - - - - education-partner-mepn-1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/education/images/education-partner-yammer.svg b/education/images/education-partner-yammer.svg deleted file mode 100644 index c92245652e..0000000000 --- a/education/images/education-partner-yammer.svg +++ /dev/null @@ -1,19 +0,0 @@ - - - - - education-partner-yammer - - - - - - - - - - diff --git a/education/images/education-pro-usb.svg b/education/images/education-pro-usb.svg deleted file mode 100644 index fa714e3b69..0000000000 --- a/education/images/education-pro-usb.svg +++ /dev/null @@ -1,111 +0,0 @@ - - - - - education-pro-usb - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/education/includes/education-content-updates.md b/education/includes/education-content-updates.md deleted file mode 100644 index c0a273e836..0000000000 --- a/education/includes/education-content-updates.md +++ /dev/null @@ -1,52 +0,0 @@ - - - - -## Week of September 19, 2022 - - -| Published On |Topic title | Change | -|------|------------|--------| -| 9/20/2022 | [Education scenarios Microsoft Store for Education](/education/windows/education-scenarios-store-for-business) | modified | - - -## Week of September 12, 2022 - - -| Published On |Topic title | Change | -|------|------------|--------| -| 9/13/2022 | [Chromebook migration guide (Windows 10)](/education/windows/chromebook-migration-guide) | modified | -| 9/14/2022 | [Windows 11 SE Overview](/education/windows/windows-11-se-overview) | modified | -| 9/14/2022 | [Windows 11 SE settings list](/education/windows/windows-11-se-settings-list) | modified | - - -## Week of September 05, 2022 - - -| Published On |Topic title | Change | -|------|------------|--------| -| 9/8/2022 | [Education scenarios Microsoft Store for Education](/education/windows/education-scenarios-store-for-business) | modified | -| 9/8/2022 | [Get Minecraft Education Edition](/education/windows/get-minecraft-for-education) | modified | -| 9/8/2022 | [For teachers get Minecraft Education Edition](/education/windows/teacher-get-minecraft) | modified | -| 9/9/2022 | [Take tests in Windows](/education/windows/take-tests-in-windows-10) | modified | - - -## Week of August 29, 2022 - - -| Published On |Topic title | Change | -|------|------------|--------| -| 8/31/2022 | [Configure applications with Microsoft Intune](/education/windows/tutorial-school-deployment/configure-device-apps) | added | -| 8/31/2022 | [Configure and secure devices with Microsoft Intune](/education/windows/tutorial-school-deployment/configure-device-settings) | added | -| 8/31/2022 | [Configure devices with Microsoft Intune](/education/windows/tutorial-school-deployment/configure-devices-overview) | added | -| 8/31/2022 | [Enrollment in Intune with standard out-of-box experience (OOBE)](/education/windows/tutorial-school-deployment/enroll-aadj) | added | -| 8/31/2022 | [Enrollment in Intune with Windows Autopilot](/education/windows/tutorial-school-deployment/enroll-autopilot) | added | -| 8/31/2022 | [Device enrollment overview](/education/windows/tutorial-school-deployment/enroll-overview) | added | -| 8/31/2022 | [Enrollment of Windows devices with provisioning packages](/education/windows/tutorial-school-deployment/enroll-package) | added | -| 8/31/2022 | [Introduction](/education/windows/tutorial-school-deployment/index) | added | -| 8/31/2022 | [Manage devices with Microsoft Intune](/education/windows/tutorial-school-deployment/manage-overview) | added | -| 8/31/2022 | [Management functionalities for Surface devices](/education/windows/tutorial-school-deployment/manage-surface-devices) | added | -| 8/31/2022 | [Reset and wipe Windows devices](/education/windows/tutorial-school-deployment/reset-wipe) | added | -| 8/31/2022 | [Set up Azure Active Directory](/education/windows/tutorial-school-deployment/set-up-azure-ad) | added | -| 8/31/2022 | [Set up device management](/education/windows/tutorial-school-deployment/set-up-microsoft-intune) | added | -| 8/31/2022 | [Troubleshoot Windows devices](/education/windows/tutorial-school-deployment/troubleshoot-overview) | added | diff --git a/education/index.yml b/education/index.yml index 1a3a69e704..ef45124188 100644 --- a/education/index.yml +++ b/education/index.yml @@ -2,19 +2,13 @@ title: Microsoft 365 Education Documentation summary: Microsoft 365 Education empowers educators to unlock creativity, promote teamwork, and provide a simple and safe experience in a single, affordable solution built for education. -# brand: aspnet | azure | dotnet | dynamics | m365 | ms-graph | office | power-apps | power-automate | power-bi | power-platform | power-virtual-agents | sql | sql-server | vs | visual-studio | windows | xamarin brand: m365 metadata: title: Microsoft 365 Education Documentation description: Learn about product documentation and resources available for school IT administrators, teachers, students, and education app developers. - ms.service: help ms.topic: hub-page - ms.collection: education - author: paolomatarazzo - ms.author: paoloma ms.date: 08/10/2022 - manager: aaroncz productDirectory: title: For IT admins diff --git a/education/windows/TOC.yml b/education/windows/TOC.yml index d3f96435a9..bc030c32e4 100644 --- a/education/windows/TOC.yml +++ b/education/windows/TOC.yml @@ -38,8 +38,12 @@ items: href: edu-stickers.md - name: Configure Take a Test in kiosk mode href: edu-take-a-test-kiosk-mode.md - - name: Configure federated sign-in - href: federated-sign-in.md + - name: Federated identity + items: + - name: Configure federated sign-in + href: federated-sign-in.md + - name: Configure federation between Google Workspace and Azure AD + href: configure-aad-google-trust.md - name: Configure Shared PC href: /windows/configuration/set-up-shared-or-guest-pc?context=/education/context/context - name: Use the Set up School PCs app diff --git a/education/windows/autopilot-reset.md b/education/windows/autopilot-reset.md index b261f4a4e9..0901d32b40 100644 --- a/education/windows/autopilot-reset.md +++ b/education/windows/autopilot-reset.md @@ -3,10 +3,11 @@ title: Reset devices with Autopilot Reset description: Learn about Autopilot Reset and how to enable and use it. ms.date: 08/10/2022 ms.topic: how-to -appliesto: - - ✅ Windows 10 -ms.collection: +appliesto: + - ✅ Windows 10 +ms.collection: - highpri + - education --- # Reset devices with Autopilot Reset diff --git a/education/windows/change-home-to-edu.md b/education/windows/change-home-to-edu.md index d6aa215ab3..1826ecd768 100644 --- a/education/windows/change-home-to-edu.md +++ b/education/windows/change-home-to-edu.md @@ -8,8 +8,7 @@ ms.author: scbree ms.reviewer: paoloma manager: jeffbu appliesto: -- ✅ Windows 10 -- ✅ Windows 11 + - ✅ Windows 10 and later --- # Upgrade Windows Home to Windows Education on student-owned devices diff --git a/education/windows/change-to-pro-education.md b/education/windows/change-to-pro-education.md index 5deee8e80f..f377a4582c 100644 --- a/education/windows/change-to-pro-education.md +++ b/education/windows/change-to-pro-education.md @@ -3,10 +3,11 @@ title: Change to Windows 10 Education from Windows 10 Pro description: Learn how IT Pros can opt into changing to Windows 10 Pro Education from Windows 10 Pro. ms.topic: how-to ms.date: 08/10/2022 -appliesto: - - ✅ Windows 10 -ms.collection: +appliesto: + - ✅ Windows 10 +ms.collection: - highpri + - education --- # Change to Windows 10 Pro Education from Windows 10 Pro diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md index 0c08e17617..05c7db8963 100644 --- a/education/windows/chromebook-migration-guide.md +++ b/education/windows/chromebook-migration-guide.md @@ -4,7 +4,7 @@ description: Learn how to migrate a Google Chromebook-based learning environment ms.topic: how-to ms.date: 08/10/2022 appliesto: -- ✅ Windows 10 + - ✅ Windows 10 --- # Chromebook migration guide diff --git a/education/windows/configure-aad-google-trust.md b/education/windows/configure-aad-google-trust.md new file mode 100644 index 0000000000..5d51041ce7 --- /dev/null +++ b/education/windows/configure-aad-google-trust.md @@ -0,0 +1,128 @@ +--- +title: Configure federation between Google Workspace and Azure AD +description: Configuration of a federated trust between Google Workspace and Azure AD, with Google Workspace acting as an identity provider (IdP) for Azure AD. +ms.date: 1/12/2023 +ms.topic: how-to +--- + +# Configure federation between Google Workspace and Azure AD + +This article describes the steps required to configure Google Workspace as an identity provider (IdP) for Azure AD.\ +Once configured, users will be able to sign in to Azure AD with their Google Workspace credentials. + +## Prerequisites + +To configure Google Workspace as an IdP for Azure AD, the following prerequisites must be met: + +1. An Azure AD tenant, with one or multiple custom DNS domains (that is, domains that aren't in the format \**.onmicrosoft.com*) + - If the federated domain hasn't yet been added to Azure AD, you must have access to the DNS domain to create a DNS record. This is required to verify the ownership of the DNS namespace + - Learn how to [Add your custom domain name using the Azure Active Directory portal](/azure/active-directory/fundamentals/add-custom-domain) +1. Access to Azure AD with an account with the *Global Administrator* role +1. Access to Google Workspace with an account with *super admin* privileges + +To test federation, the following prerequisites must be met: + +1. A Google Workspace environment, with users already created + > [!IMPORTANT] + > Users require an email address defined in Google Workspace, which is used to match the users in Azure AD +1. Individual Azure AD accounts already created: each Google Workspace user will require a matching account defined in Azure AD. These accounts are commonly created through automated solutions, for example: + - School Data Sync (SDS) + - Azure AD Connect sync for environment with on-premises AD DS + - PowerShell scripts that call the Microsoft Graph API + - Provisioning tools offered by the IdP - this capability is offered by Google Workspace through [auto-provisioning](https://support.google.com/a/answer/7365072) + +## Configure Google Workspace as and IdP for Azure AD + +1. Sign in to the [Google Workspace Admin Console](https://admin.google.com) with an account with *super admin* privileges +1. Select **Apps > Web and mobile apps** +1. Select **Add app > Search for apps** and search for *microsoft* +1. In the search results page, hover over the *Microsoft Office 365 - Web (SAML)* app and select **Select** + :::image type="content" source="images/google/google-admin-search-app.png" alt-text="Screenshot showing Google Workspace and the search button for Microsoft Office 365 SAML app."::: +1. On the *Google Identity Provider details* page, select **Download Metadata** and take note of the location where the **IdP metadata** - *GoogleIDPMetadata.xml* - file is saved, as it will be used to setup Azure AD later +1. On the *Service provider details* page + - Select the option **Signed response** + - Verify that the Name ID format is set to **PERSISTENT** + - Depending on how the Azure AD users have been provisioned in Azure AD, you may need to adjust the **Name ID** mapping. For more information, see (article to write).\ + If using Google auto-provisioning, select **Basic Information > Primary email** + - Select **Continue** +1. On the *Attribute mapping* page, map the Google attributes to the Azure AD attributes + + |Google Directory attributes|Azure AD attributes| + |-|-| + |Basic Information: Primary Email|App attributes: IDPEmail| + + > [!IMPORTANT] + > You must ensure that your the Azure AD user accounts email match those in your Google Workspace. + +1. Select **Finish** + +Now that the app is configured, you must enable it for the users in Google Workspace: + +1. Sign in to the [Google Workspace Admin Console](https://admin.google.com) with an account with *super admin* privileges +1. Select **Apps > Web and mobile apps** +1. Select **Microsoft Office 365** +1. Select **User access** +1. Select **ON for everyone > Save** + +## Configure Azure AD as a Service Provider (SP) for Google Workspace + +The configuration of Azure AD consists of changing the authentication method for the custom DNS domains. This configuration can be done using PowerShell.\ +Using the **IdP metadata** XML file downloaded from Google Workspace, modify the *$DomainName* variable of the following script to match your environment, and then run it in an elevated PowerShell session. When prompted to authenticate to Azure AD, use the credentials of an account with the *Global Administrator* role. + +```powershell +Install-Module -Name MSOnline +Import-Module MSOnline + +$DomainName = "" + +$xml = [Xml](Get-Content GoogleIDPMetadata.xml) + +$cert = -join $xml.EntityDescriptor.IDPSSODescriptor.KeyDescriptor.KeyInfo.X509Data.X509Certificate.Split() +$issuerUri = $xml.EntityDescriptor.entityID +$logOnUri = $xml.EntityDescriptor.IDPSSODescriptor.SingleSignOnService | ? { $_.Binding.Contains('Redirect') } | % { $_.Location } +$LogOffUri = "https://accounts.google.com/logout" +$brand = "Google Workspace Identity" +Connect-MsolService +$DomainAuthParams = @{ + DomainName = $DomainName + Authentication = "Federated" + IssuerUri = $issuerUri + FederationBrandName = $brand + ActiveLogOnUri = $logOnUri + PassiveLogOnUri = $logOnUri + LogOffUri = $LogOffUri + SigningCertificate = $cert + PreferredAuthenticationProtocol = "SAMLP" +} +Set-MsolDomainAuthentication @DomainAuthParams +``` + +To verify that the configuration is correct, you can use the following PowerShell command: + +```powershell +Get-MsolDomainFederationSettings -DomainName $DomainName +``` + +```output +ActiveLogOnUri : https://accounts.google.com/o/saml2/idp? +DefaultInteractiveAuthenticationMethod : +FederationBrandName : Google Workspace Identity +IssuerUri : https://accounts.google.com/o/saml2?idpid= +LogOffUri : https://accounts.google.com/logout +MetadataExchangeUri : +NextSigningCertificate : +OpenIdConnectDiscoveryEndpoint : +PassiveLogOnUri : https://accounts.google.com/o/saml2/idp?idpid= +SigningCertificate : +SupportsMfa : +``` + +## Verify federated authentication between Google Workspace and Azure AD + +From a private browser session, navigate to https://portal.azure.com and sign in with a Google Workspace account: + +1. As username, use the email as defined in Google Workspace +1. The user will be redirected to Google Workspace to sign in +1. After Google Workspace authentication, the user will be redirected back to Azure AD and signed in + +:::image type="content" source="images/google/google-sso.gif" alt-text="A GIF that shows the user authenticating the Azure portal using a Google Workspace federated identity."::: \ No newline at end of file diff --git a/education/windows/configure-windows-for-education.md b/education/windows/configure-windows-for-education.md index 6ef47f7153..587d279c84 100644 --- a/education/windows/configure-windows-for-education.md +++ b/education/windows/configure-windows-for-education.md @@ -4,7 +4,7 @@ description: Learn how to configure the OS diagnostic data, consumer experiences ms.topic: how-to ms.date: 08/10/2022 appliesto: -- ✅ Windows 10 + - ✅ Windows 10 --- # Windows 10 configuration recommendations for education customers diff --git a/education/windows/deploy-windows-10-in-a-school-district.md b/education/windows/deploy-windows-10-in-a-school-district.md index 6d13cc8c9d..4935d37ed7 100644 --- a/education/windows/deploy-windows-10-in-a-school-district.md +++ b/education/windows/deploy-windows-10-in-a-school-district.md @@ -4,7 +4,7 @@ description: Learn how to deploy Windows 10 in a school district. Integrate the ms.topic: how-to ms.date: 08/10/2022 appliesto: -- ✅ Windows 10 + - ✅ Windows 10 --- # Deploy Windows 10 in a school district diff --git a/education/windows/deploy-windows-10-in-a-school.md b/education/windows/deploy-windows-10-in-a-school.md index cb598bc6fd..1655458c44 100644 --- a/education/windows/deploy-windows-10-in-a-school.md +++ b/education/windows/deploy-windows-10-in-a-school.md @@ -4,7 +4,7 @@ description: Learn how to integrate your school environment with Microsoft Offic ms.topic: how-to ms.date: 08/10/2022 appliesto: -- ✅ Windows 10 + - ✅ Windows 10 --- # Deploy Windows 10 in a school diff --git a/education/windows/deploy-windows-10-overview.md b/education/windows/deploy-windows-10-overview.md index 8b772d160c..96d9d002e0 100644 --- a/education/windows/deploy-windows-10-overview.md +++ b/education/windows/deploy-windows-10-overview.md @@ -4,7 +4,7 @@ description: Learn how to use Windows 10 in schools. ms.topic: how-to ms.date: 08/10/2022 appliesto: -- ✅ Windows 10 + - ✅ Windows 10 --- # Windows 10 for Education diff --git a/education/windows/edu-deployment-recommendations.md b/education/windows/edu-deployment-recommendations.md index 983f31ed85..392497fa7d 100644 --- a/education/windows/edu-deployment-recommendations.md +++ b/education/windows/edu-deployment-recommendations.md @@ -1,10 +1,10 @@ --- title: Deployment recommendations for school IT administrators description: Provides guidance on ways to customize the OS privacy settings, and some of the apps, for Windows-based devices used in schools so that you can choose what information is shared with Microsoft. -ms.topic: guide +ms.topic: conceptual ms.date: 08/10/2022 appliesto: -- ✅ Windows 10 + - ✅ Windows 10 --- # Deployment recommendations for school IT administrators diff --git a/education/windows/edu-stickers.md b/education/windows/edu-stickers.md index 0c40174ed0..023393a04f 100644 --- a/education/windows/edu-stickers.md +++ b/education/windows/edu-stickers.md @@ -3,17 +3,18 @@ title: Configure Stickers for Windows 11 SE description: Learn about the Stickers feature and how to configure it via Intune and provisioning package. ms.date: 09/15/2022 ms.topic: how-to -appliesto: - - ✅ Windows 11 SE, version 22H2 -ms.collection: +appliesto: + - ✅ Windows 11 SE +ms.collection: - highpri + - education --- # Configure Stickers for Windows 11 SE Starting in **Windows 11 SE, version 22H2**, *Stickers* is a new feature that allows students to decorate their desktop with digital stickers. Students can choose from over 500 cheerful, education-friendly digital stickers. Stickers can be arranged, resized, and customized on top of the desktop background. Each student's stickers remain, even when the background changes. -Similar to the [education theme packs](edu-themes.md), Stickers is a personalization feature that helps the device feel like it was designed for students. +Similar to the [education theme packs](edu-themes.md "my tooltip example that opens in a new tab"), Stickers is a personalization feature that helps the device feel like it was designed for students. :::image type="content" source="./images/win-11-se-stickers.png" alt-text="Windows 11 SE desktop with 3 stickers" border="true"::: @@ -31,13 +32,26 @@ Stickers aren't enabled by default. Follow the instructions below to configure y #### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune) -To configure devices using Microsoft Intune, create a [custom policy][MEM-1] with the following settings: +[!INCLUDE [intune-custom-settings-1](includes/intune-custom-settings-1.md)] | Setting | |--------| |
  • OMA-URI: **`./Vendor/MSFT/Policy/Config/Stickers/EnableStickers`**
  • Data type: **Integer**
  • Value: **1**
    • | -Assign the policy to a security group that contains as members the devices or users that you want to configure. +[!INCLUDE [intune-custom-settings-2](includes/intune-custom-settings-2.md)] +[!INCLUDE [intune-custom-settings-info](includes/intune-custom-settings-info.md)] + +> [!TIP] +> Use the following Graph call to automatically create the custom policy in your tenant without assignments nor scope tags. [1](#footnote1) + +```msgraph-interactive +POST https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations +Content-Type: application/json + +{"id":"00-0000-0000-0000-000000000000","displayName":"_MSLearn_Stickers","roleScopeTagIds":["0"],"@odata.type":"#microsoft.graph.windows10CustomConfiguration","omaSettings":[{"omaUri":"./Vendor/MSFT/Policy/Config/Stickers/EnableStickers","displayName":"EnableStickers","@odata.type":"#microsoft.graph.omaSettingInteger","value":1}]} +``` + +1 When using this call, authenticate to your tenant in the Graph Explorer window. If it's the first time using Graph Explorer, you may need to authorize the application to access your tenant or to modify the existing permissions. This graph call requires *DeviceManagementConfiguration.ReadWrite.All* permissions. #### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg) @@ -66,8 +80,6 @@ Multiple stickers can be added from the picker by selecting them. The stickers c Select the *X button* at the top of the screen to save your progress and close the sticker editor. ------------ - [MEM-1]: /mem/intune/configuration/custom-settings-windows-10 [WIN-1]: /windows/configuration/provisioning-packages/provisioning-create-package diff --git a/education/windows/edu-take-a-test-kiosk-mode.md b/education/windows/edu-take-a-test-kiosk-mode.md index a3d8944c42..5b6c073fcd 100644 --- a/education/windows/edu-take-a-test-kiosk-mode.md +++ b/education/windows/edu-take-a-test-kiosk-mode.md @@ -4,9 +4,7 @@ description: Learn how to configure Windows to execute the Take a Test app in ki ms.date: 09/30/2022 ms.topic: how-to appliesto: -- ✅ Windows 10 -- ✅ Windows 11 -- ✅ Windows 11 SE + - ✅ Windows 10 and later --- # Configure Take a Test in kiosk mode @@ -57,7 +55,7 @@ To configure devices using Intune for Education, follow these steps: ### Configure Take a Test with a custom policy -To configure devices using Microsoft Intune, create a [custom policy][MEM-1] with the following settings: +[!INCLUDE [intune-custom-settings-1](includes/intune-custom-settings-1.md)] | Setting | |--------| @@ -71,7 +69,8 @@ To configure devices using Microsoft Intune, create a [custom policy][MEM-1] wit :::image type="content" source="./images/takeatest/intune-take-a-test-custom-profile.png" alt-text="Intune portal - creation of a custom policy to configure Take a Test." lightbox="./images/takeatest/intune-take-a-test-custom-profile.png" border="true"::: -Assign the policy to a security group that contains as members the devices or users that you want to configure. +[!INCLUDE [intune-custom-settings-2](includes/intune-custom-settings-2.md)] +[!INCLUDE [intune-custom-settings-info](includes/intune-custom-settings-info.md)] #### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg) @@ -218,8 +217,6 @@ The following animation shows the process of signing in to the test-taking accou :::image type="content" source="./images/takeatest/sign-in-sign-out.gif" alt-text="Signing in and signing out with a test account" border="true"::: ------------ - [MEM-1]: /mem/intune/configuration/custom-settings-windows-10 [MEM-2]: /mem/intune/configuration/settings-catalog diff --git a/education/windows/edu-themes.md b/education/windows/edu-themes.md index a477121ca5..f76298ef68 100644 --- a/education/windows/edu-themes.md +++ b/education/windows/edu-themes.md @@ -4,8 +4,7 @@ description: Learn about education themes for Windows 11 and how to configure th ms.date: 09/15/2022 ms.topic: how-to appliesto: -- ✅ Windows 11, version 22H2 -- ✅ Windows 11 SE, version 22H2 + - ✅ Windows 11 --- # Configure education themes for Windows 11 @@ -23,13 +22,14 @@ Education themes aren't enabled by default. Follow the instructions below to con #### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune) -To configure devices using Microsoft Intune, create a [custom policy][MEM-1] with the following settings: +[!INCLUDE [intune-custom-settings-1](includes/intune-custom-settings-1.md)] | Setting | |--------| |
  • OMA-URI: **`./Vendor/MSFT/Policy/Config/Education/EnableEduThemes`**
  • Data type: **Integer**
  • Value: **1**
    • | -Assign the policy to a security group that contains as members the devices or users that you want to configure. +[!INCLUDE [intune-custom-settings-2](includes/intune-custom-settings-2.md)] +[!INCLUDE [intune-custom-settings-info](includes/intune-custom-settings-info.md)] #### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg) diff --git a/education/windows/education-scenarios-store-for-business.md b/education/windows/education-scenarios-store-for-business.md index cf50d7cf3e..1a86e4e1c4 100644 --- a/education/windows/education-scenarios-store-for-business.md +++ b/education/windows/education-scenarios-store-for-business.md @@ -4,9 +4,7 @@ description: Learn how IT admins and teachers can use Microsoft Store for Educat ms.topic: article ms.date: 08/10/2022 appliesto: -- ✅ Windows 10 -- ✅ Windows 11 -- ✅ Windows 11 SE + - ✅ Windows 10 and later --- # Working with Microsoft Store for Education diff --git a/education/windows/enable-s-mode-on-surface-go-devices.md b/education/windows/enable-s-mode-on-surface-go-devices.md index 39f39952b6..6fa45fd3e7 100644 --- a/education/windows/enable-s-mode-on-surface-go-devices.md +++ b/education/windows/enable-s-mode-on-surface-go-devices.md @@ -4,7 +4,7 @@ description: Learn how to enable S mode on Surface Go devices. ms.date: 08/10/2022 ms.topic: how-to appliesto: -- ✅ Windows 10 + - ✅ Windows 10 --- # Surface Go for Education - Enabling S mode diff --git a/education/windows/federated-sign-in.md b/education/windows/federated-sign-in.md index 0f769a31e1..09ceb1908c 100644 --- a/education/windows/federated-sign-in.md +++ b/education/windows/federated-sign-in.md @@ -1,24 +1,16 @@ --- title: Configure federated sign-in for Windows devices description: Description of federated sign-in feature for Windows 11 SE and how to configure it via Intune -ms.date: 09/15/2022 -ms.prod: windows -ms.technology: windows +ms.date: 01/12/2023 ms.topic: how-to -ms.localizationpriority: medium -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: -manager: aaroncz -ms.collection: education appliesto: -- ✅ Windows 11 SE, version 22H2 + - ✅ Windows 11 SE --- # Configure federated sign-in for Windows 11 SE -Starting in **Windows 11 SE, version 22H2**, you can enable your users to sign-in using a SAML 2.0 identity provider (IdP). This feature is called **federated sign-in**. Federated sign-in is a great way to simplify the sign-in process for your users: instead of having to remember a username and password defined in Azure AD, they can sign-in using their existing credentials from the IdP. For example, students and educators can use QR code badges to sign-in. +Starting in Windows 11 SE, version 22H2, you can enable your users to sign-in using a SAML 2.0 identity provider (IdP). This feature is called *federated sign-in*. Federated sign-in is a great way to simplify the sign-in process for your users: instead of having to remember a username and password defined in Azure AD, they can sign-in using their existing credentials from the IdP. For example, students and educators can use QR code badges to sign-in. ## Benefits of federated sign-in @@ -33,7 +25,9 @@ To implement federated sign-in, the following prerequisites must be met: 1. An Azure AD tenant, with one or multiple domains federated to a third-party SAML 2.0 IdP. For more information, see [Use a SAML 2.0 Identity Provider (IdP) for Single Sign On][AZ-1] >[!NOTE] - >If your organization uses a third-party federation solution, you can configure single sign-on to Azure Active Directory if the solution is compatible with Azure Active Directory. For questions regarding compatibility, please contact your identity provider. If you're an IdP, and would like to validate your solution for interoperability, please refer to these [guidelines][MSFT-1]. + >If your organization uses a third-party federation solution, you can configure single sign-on to Azure Active Directory if the solution is compatible with Azure Active Directory. For questions regarding compatibility, contact your identity provider. If you're an IdP, and would like to validate your solution for interoperability, refer to these [guidelines][MSFT-1]. + > + >For a step-by-step guide on how to configure Google Workspace as an identity provider for Azure AD, see [Configure federation between Google Workspace and Azure AD](configure-aad-google-trust.md). 1. Individual IdP accounts created: each user will require an account defined in the third-party IdP platform 1. Individual Azure AD accounts created: each user will require a matching account defined in Azure AD. These accounts are commonly created through automated solutions, for example: - [School Data Sync (SDS)][SDS-1] @@ -57,7 +51,7 @@ To configure federated sign-in using Microsoft Intune, [create a custom profile] To sign-in with a SAML 2.0 identity provider, your devices must be configured with different policies, which can be configured using Microsoft Intune. -To configure federated sign-in using Microsoft Intune, [create a custom profile][MEM-1] with the following settings: +[!INCLUDE [intune-custom-settings-1](includes/intune-custom-settings-1.md)] | Setting | |--------| @@ -68,7 +62,8 @@ To configure federated sign-in using Microsoft Intune, [create a custom profile] :::image type="content" source="images/federated-sign-in-settings-intune.png" alt-text="Custom policy showing the settings to be configured to enable federated sign-in" lightbox="images/federated-sign-in-settings-intune.png" border="true"::: -Assign the policy to a security group that contains as members the devices that require federated sign-in. +[!INCLUDE [intune-custom-settings-2](includes/intune-custom-settings-2.md)] +[!INCLUDE [intune-custom-settings-info](includes/intune-custom-settings-info.md)] - - - -## Week of July 18, 2022 - - -| Published On |Topic title | Change | -|------|------------|--------| -| 7/22/2022 | Deploy and manage a full cloud IT solution for your business | removed | -| 7/22/2022 | Windows 10/11 for small to midsize businesses | removed | diff --git a/store-for-business/add-unsigned-app-to-code-integrity-policy.md b/store-for-business/add-unsigned-app-to-code-integrity-policy.md deleted file mode 100644 index a8b8b8d0a5..0000000000 --- a/store-for-business/add-unsigned-app-to-code-integrity-policy.md +++ /dev/null @@ -1,119 +0,0 @@ ---- -title: Add unsigned app to code integrity policy (Windows 10) -description: When you want to add an unsigned app to a code integrity policy, you need to start with a code integrity policy created from a reference device. -ms.assetid: 580E18B1-2FFD-4EE4-8CC5-6F375BE224EA -ms.reviewer: -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: store, security -ms.author: cmcatee -author: cmcatee-MSFT -manager: scotv -ms.topic: conceptual -ms.localizationpriority: medium -ms.date: 07/21/2021 ---- - -# Add unsigned app to code integrity policy - -> [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). - -> [!IMPORTANT] -> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) is now available. As announced earlier, you will have until June 9, 2021 to transition to DGSS v2. On June 9, 2021, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service by June 9, 2021. -> -> Following are the major changes we are making to the service: -> -> - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets are available as a NuGet download at [https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/](https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/). -> - In order to achieve desired isolation, you will be required to get a new CI policy from DGSS v2 (and optionally sign it). -> - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired, you will no longer be able to download the leaf certificates used to sign your files. -> -> The following functionality will be available via these PowerShell cmdlets: -> -> - Get a CI policy -> - Sign a CI policy -> - Sign a catalog -> - Download root cert -> - Download history of your signing operations -> -> For any questions, please contact us at DGSSMigration@microsoft.com. - -**Applies to** - -- Windows 10 - -When you want to add an unsigned app to a code integrity policy, you need to start with a code integrity policy created from a reference device. Then, create the catalog files for your unsigned app, sign the catalog files, and then merge the default policy that includes your signing certificate with existing code integrity policies. - -## Create a code integrity policy based on a reference device - -To add an unsigned app to a code integrity policy, your code integrity policy must be created from golden image machine. For more information, see [Create a Device Guard code integrity policy based on a reference device](/windows/device-security/device-guard/device-guard-deployment-guide). - -## Create catalog files for your unsigned app - -Creating catalog files starts the process for adding an unsigned app to a code integrity policy. - -Before you get started, be sure to review these best practices and requirements: - -### Requirements - -- You'll use Package Inspector during this process. -- Only perform this process with a code integrity policy running in audit mode. You should not perform this process on a system running an enforced Device Guard policy. - -### Best practices - -- **Naming convention** -- Using a naming convention makes it easier to find deployed catalog files. We'll use \*-Contoso.cat as the naming convention in this topic. For more information, see the section Inventorying catalog files by using Microsoft Endpoint Manager in the [Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide). -- **Where to deploy code integrity policy** -- The [code integrity policy that you created](#create-a-code-integrity-policy-based-on-a-reference-device) should be deployed to the system on which you are running Package Inspector. This will ensure that the code integrity policy binaries are trusted. - -Copy the commands for each step into an elevated Windows PowerShell session. You'll use Package Inspector to find and trust all binaries in the app. - -### To create catalog files for your unsigned app - -1. Start Package Inspector to scan the C drive. - - `PackageInspector.exe Start C:` - -2. Copy the installation media to the C drive. - - Copying the installation media to the C drive ensures that Package Inspector finds and catalogs the installer. If you skip this step, the code integrity policy may trust the application to run, but not trust it to be installed. - -3. Install and start the app. - - All binaries that are used while Package Inspector is running will be part of the catalog files. After the installation, start the app and make sure that any product updates are installed and any downloadable content was found during the scan. Then, close and restart the app to make sure that the scan found all binaries. - -4. Stop the scan and create definition and catalog files. - - After app install is complete, stop the Package Inspector scan and create catalog and definition files on your desktop. - - `$ExamplePath=$env:userprofile+"\Desktop"` - - `$CatFileName=$ExamplePath+"\LOBApp-Contoso.cat"` - - `$CatDefName=$ExamplePath+"\LOBApp.cdf"` - - `PackageInspector.exe Stop C: -Name $CatFileName -cdfpath $CatDefName` - -The Package Inspector scan catalogs the hash values for each binary file that is finds. If the app that was scanned are updated, do this process again to trust the new binaries hash values. - -After you're done, the files are saved to your desktop. You still need to sign the catalog file so that it will be trusted within the code integrity policy. - -## Catalog signing with Device Guard signing portal - -To sign catalog files with the Device Guard signing portal, you need to be signed up with the Microsoft Store for Business. - -Catalog signing is a vital step to adding your unsigned apps to your code integrity policy. - -### To sign a catalog file with Device Guard signing portal - -1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com) or [Store for Education](https://educationstore.microsoft.com). -2. Click **Settings**, click **Store settings**, and then click **Device Guard**. -3. Click **Upload** to upload your unsigned catalog files. These are the catalog files you created earlier in [Create catalog files for your unsigned app](#create-catalog-files-for-your-unsigned-app). -4. After the files are uploaded, click **Sign** to sign the catalog files. -5. Click Download to download each item: - - signed catalog file - - default policy - - root certificate for your organization - - When you use the Device Guard signing portal to sign a catalog file, the signing certificate is added to the default policy. When you download the signed catalog file, you should also download the default policy and merge this code integrity policy with your existing code integrity policies to protect machines running the catalog file. You need to do this step to trust and run your catalog files. For more information, see the Merging code integrity policies in the [Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide). - -6. Open the root certificate that you downloaded, and follow the steps in **Certificate Import wizard** to install the certificate in your machine's certificate store. -7. Deploy signed catalogs to your managed devices. For more information, see Deploy catalog files with Group Policy, or Deploy catalog files with Microsoft Endpoint Manager in the [Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide). diff --git a/store-for-business/device-guard-signing-portal.md b/store-for-business/device-guard-signing-portal.md deleted file mode 100644 index b74d000f43..0000000000 --- a/store-for-business/device-guard-signing-portal.md +++ /dev/null @@ -1,201 +0,0 @@ ---- -title: Device Guard signing (Windows 10) -description: Device Guard signing is a Device Guard feature that is available in the Microsoft Store for Business and Microsoft Store for Education. -ms.assetid: 8D9CD2B9-5FC6-4C3D-AA96-F135AFEEBB78 -ms.reviewer: -manager: dansimp -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: store, security -author: TrudyHa -ms.author: TrudyHa -ms.topic: conceptual -ms.localizationpriority: medium -ms.date: 07/21/2021 ---- - -# Device Guard signing - -**Applies to** - -- Windows 10 - -> [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). - -> [!IMPORTANT] -> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) is now available. As announced earlier, you will have until June 9, 2021 to transition to DGSS v2. On June 9, 2021, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service by June 9, 2021. -> -> Following are the major changes we are making to the service: -> - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets are available as a NuGet download, https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/. -> - In order to achieve desired isolation, you will be required to get a new CI policy from DGSS v2 (and optionally sign it). -> - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired, you will no longer be able to download the leaf certificates used to sign your files. -> -> The following functionality will be available via these PowerShell cmdlets: -> - Get a CI policy -> - Sign a CI policy -> - Sign a catalog -> - Download root cert -> - Download history of your signing operations -> -> For any questions, please contact us at DGSSMigration@microsoft.com. - -Device Guard signing is a Device Guard feature that gives admins a single place to sign catalog files and code integrity policies. After admins have created catalog files for unsigned apps and signed the catalog files, they can add the signers to a code integrity policy. You can merge the code integrity policy with your existing policy to include your custom signing certificate. This allows you to trust the catalog files. - -Device Guard is a feature set that consists of both hardware and software system integrity hardening features. These features use new virtualization-based security options and the trust-nothing mobile device operating system model. A key feature in this model is called configurable code integrity, which allows your organization to choose exactly which software or trusted software publishers are allowed to run code on your client machines. Also, Device Guard offers organizations a way to sign existing line-of-business (LOB) applications so that they can trust their own code, without the requirement that the application be repackaged. Also, this same method of signing allows organizations to trust individual third-party applications. For more information, see [Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide). - -## In this section - -| Topic | Description | -| ----- | ----------- | -| [Add unsigned app to code integrity policy](add-unsigned-app-to-code-integrity-policy.md) | When you want to add an unsigned app to a code integrity policy, you need to start with a code integrity policy created from a reference device. Then, create the catalog files for your unsigned app, sign the catalog files, and then merge the default policy that includes your signing certificate with existing code integrity policies. | -| [Sign code integrity policy with Device Guard signing](sign-code-integrity-policy-with-device-guard-signing.md) | Signing code integrity policies prevents policies from being tampered with after they're deployed. You can sign code integrity policies with the Device Guard signing portal. | - -## Device Guard Signing Service (v2) PowerShell Commands - -> [!NOTE] -> [.. common ..] are parameters common across all commands that are documented below the command definitions. - -**Get-DefaultPolicy** Gets the default .xml policy file associated with the current tenant. - -- Usage: - - ```powershell - Get-DefaultPolicy -OutFile filename [-PassThru] [.. common ..] - ``` - -- Parameters: - - **OutFile** - string, mandatory - The filename where the default policy file should be persisted to disk. The file name should be an .xml file. If the file already exists, it will be overwritten (note: create the folder first). - - **PassThru** - switch, optional - If present, returns an XmlDocument object returning the default policy file. - -- Command running time: - - The average running time is under 20 seconds but may be up to 3 minutes. - -**Get-RootCertificate** Gets the root certificate for the current tenant. All Authenticode and policy signing certificates will eventually chain up to this root certificate. - -- Usage: - - ```powershell - Get-RootCertificate -OutFile filename [-PassThru] [.. common ..] - ``` - -- Parameters: - - **OutFile** - string, mandatory - The filename where the root certificate file should be persisted to disk. The file name should be a .cer file. If the file already exists, it will be overwritten (note: create the folder first). - - **PassThru** - switch, optional - If present, returns an X509Certificate2 object returning the default policy file. - -- Command running time: - - The average running time is under 20 seconds but may be up to 3 minutes. - -**Get-SigningHistory** Gets information for the latest 100 files signed by the current tenant. Results are returned as a collection with elements in reverse chronological order (most recent to least recent). - -- Usage: - - ```powershell - Get-SigningHistory -OutFile filename [-PassThru] [.. common ..] - ``` - -- Parameters: - - **OutFile** - string, mandatory - The filename where the signing history file should be persisted to disk. The file name should be a .xml file. If the file already exists, it will be overwritten (note: create the folder first). - - **PassThru** - switch, optional - If present, returns XML objects returning the XML file. - -- Command running time: - - The average running time is under 10 seconds. - -**Submit-SigningJob** Submits a file to the service for signing and timestamping. The module supports valid file type for Authenticode signing is Catalog file (.cat). Valid file type for policy signing is binary policy files with the extension (.bin) that have been created via the ConvertFrom-CiPolicy cmdlet. Otherwise, binary policy file may not be deployed properly. - -- Usage: - - ```powershell - Submit-SigningJob -InFile filename -OutFile filename [-NoTimestamp][- TimeStamperUrl "timestamper url"] [-JobDescription "description"] [.. common ..] - ``` - -- Parameters: - - **InFile** - string, mandatory - The file to be signed. This should be a file of the types described in description above (.cat or .bin). - - **OutFile** - string, mandatory - The output file that should be generated by the signing process. If this file already exists, it will be overwritten. (note: create the folder first) - - **NoTimestamp** - switch, optional - If present, the signing operation will skip timestamping the output file, and it will be signed only. If not present (default) and TimeStamperUrl presents, the output file will be both signed and timestamped. If both NoTimestamp and TimeStamperUrl not present, the signing operation will skip timestamping the output file, and it will be signed only. - - **TimeStamperUrl** - string, optional - If this value is invalid Url (and NoTimestamp not present), the module will throw exception. To understand more about timestamping, refer to [Timestamping](/windows/msix/package/signing-package-overview#timestamping). - - **JobDescription** - string, optional - A short (< 100 chars), human-readable description of this submission. If the script is being called as part of an automated build rocess the agent may wish to pass a version number or changeset number for this field. This information will be provided as part of the results of the Get-SigningHistory command. - -**Submit-SigningV1MigrationPolicy** Submits a file to the service for signing and timestamping. The only valid file type for policy -signing is binary policy files with the extension (.bin) that have been created via the [ConvertFromCiPolicy](/powershell/module/configci/convertfrom-cipolicy) cmdlet. Otherwise, binary policy file may not be deployed properly. Note: Only use for V1 migration. - -- Usage: - - ```powershell - Submit-SigningV1MigrationPolicy -InFile filename -OutFile filename [-NoTimestamp][-TimeStamperUrl "timestamper url"] [-JobDescription "description"] [.. common ..] - ``` - -- Parameters: - - **InFile** - string, mandatory - The file to be signed. This should be a file of the types described in description above (.bin). - - **OutFile** - string, mandatory - The output file that should be generated by the signing process. If this file already exists, it will be overwritten. - - > [!NOTE] - > Create the folder first. - - **NoTimestamp** - switch, optional - If present, the signing operation will skip timestamping the output file, and it will be signed only. If not present (default) and TimeStamperUrl presents, the output file will be both signed and timestamped. If both NoTimestamp and TimeStamperUrl not present, the signing operation will skip timestamping the output file, and it will be signed only. - - **TimeStamperUrl** - string, optional - If this value is invalid Url (and NoTimestamp not present), the module will throw exception. To understand more about timestamping, refer to [Timestamping](/windows/msix/package/signing-package-overview#timestamping). - - **JobDescription** - string, optional - A short (< 100 chars), human-readable description of this submission. If the script is being called as part of an automated build process the agent may wish to pass a version number or changeset number for this field. This information will be provided as part of the results of the Get-SigningHistory command. - -- Command running time: - - The average running time is under 20 seconds but may be up to 3 minutes. - -**Common parameters [.. common ..]** - -In addition to cmdlet-specific parameters, each cmdlet understands the following common parameters. - -- Usage: - - ```powershell - ... [-NoPrompt] [-Credential $creds] [-AppId AppId] [-Verbose] - ``` - -- Parameters: - - **NoPrompt** - switch, optional - If present, indicates that the script is running in a headless - environment and that all UI should be suppressed. If UI must be displayed (e.g., for - authentication) when the switch is set, the operation will instead fail. - - **Credential + AppId** - PSCredential - A login credential (username and password) and AppId. - - -## File and size limits -When you're uploading files for Device Guard signing, there are a few limits for files and file size: - -| Description | Limit | -|-------------------------------------------------------|----------| -| Maximum size for a policy or catalog file | 3.5 MB | -| Maximum size for multiple files (uploaded in a group) | 4 MB | -| Maximum number of files per upload | 15 files | - -## File types -Catalog and policy files have required files types. - -| File | Required file type | -|---------------|--------------------| -| catalog files | .cat | -| policy files | .bin | - -## Store for Business roles and permissions -Signing code integrity policies and access to Device Guard portal requires the Device Guard signer role. - -## Device Guard signing certificates -All certificates generated by the Device Guard signing service are unique per customer and are independent of the Microsoft production code signing certificate authorities. All Certification Authority (CA) keys are stored within the cryptographic boundary of Federal Information Processing Standards (FIPS) publication 140-2 compliant hardware security modules. After initial generation, root certificate keys and top level CA keys are removed from the online signing service, encrypted, and stored offline. diff --git a/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md b/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md deleted file mode 100644 index f9fdb79f49..0000000000 --- a/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md +++ /dev/null @@ -1,63 +0,0 @@ ---- -title: Sign code integrity policy with Device Guard signing (Windows 10) -description: Signing code integrity policies prevents policies from being tampered with after they're deployed. You can sign code integrity policies with the Device Guard signing portal. -ms.assetid: 63B56B8B-2A40-44B5-B100-DC50C43D20A9 -ms.reviewer: -manager: dansimp -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: store, security -author: TrudyHa -ms.author: TrudyHa -ms.topic: conceptual -ms.localizationpriority: medium -ms.date: 07/21/2021 ---- - -# Sign code integrity policy with Device Guard signing - -> [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). - - -> [!IMPORTANT] -> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) is now available. As announced earlier, you will have until June 9, 2021 to transition to DGSS v2. On June 9, 2021, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service by June 9, 2021. -> -> Following are the major changes we are making to the service: -> - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets are available as a NuGet download, https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/. -> - In order to achieve desired isolation, you will be required to get a new CI policy from DGSS v2 (and optionally sign it). -> - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired, you will no longer be able to download the leaf certificates used to sign your files. -> -> The following functionality will be available via these PowerShell cmdlets: -> - Get a CI policy -> - Sign a CI policy -> - Sign a catalog -> - Download root cert -> - Download history of your signing operations -> -> For any questions, please contact us at DGSSMigration@microsoft.com. - - -**Applies to** - -- Windows 10 - -Signing code integrity policies prevents policies from being tampered with after they're deployed. You can sign code integrity policies with the Device Guard signing portal. - -## Sign your code integrity policy -Before you get started, be sure to review these best practices: - -**Best practices** - -- Test your code integrity policies on a group of devices before deploying them to a large group of devices. -- Use rule options 9 and 10 during testing. For more information, see the section Code integrity policy rules in the [Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide). - -**To sign a code integrity policy** - -1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com). -2. Click **Manage**, click **Store settings**, and then click **Device Guard**. -3. Click **Upload** to upload your code integrity policy. -4. After the files are uploaded, click **Sign** to sign the code integrity policy. -5. Click **Download** to download the signed code integrity policy. - - When you sign a code integrity policy with the Device Guard signing portal, the signing certificate is added to the policy. This means you can't modify this policy. If you need to make changes, make them to an unsigned version of the policy, and then resign the policy. diff --git a/windows/application-management/apps-in-windows-10.md b/windows/application-management/apps-in-windows-10.md index 425e703738..506b43cbea 100644 --- a/windows/application-management/apps-in-windows-10.md +++ b/windows/application-management/apps-in-windows-10.md @@ -5,6 +5,7 @@ ms.prod: windows-client author: nicholasswhite ms.author: nwhite manager: aaroncz +ms.date: 12/07/2017 ms.reviewer: ms.localizationpriority: medium ms.topic: article @@ -82,6 +83,10 @@ For more information, see: When your apps are ready, you can add or deploy these apps to your Windows devices. This section lists some common options. +> [!NOTE] +> Microsoft Store for Business and Microsoft Store for Education will be retired on March 31, 2023. Customers may continue to use the current capabilities for free apps until that time. There will be no support for Microsoft Store for Business and Education for Windows 11. +>Visit [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution) for more information about the new Microsoft Store experience for both Windows 11 and Windows 10, and learn about other options for getting and managing apps. + - **Manually install**: On your devices, users can install apps from the Microsoft Store, from the internet, and from an organization shared drive. These apps, and more, are listed in **Settings** > **Apps** > **Apps and Features**. If you want to prevent users from downloading apps on organization owned devices, use an MDM provider, like Microsoft Intune. For example, you can create a policy that allows or prevents users from sideloading apps, only allow the private store, and more. For more information on the features you can restrict, see [Windows client device settings to allow or restrict features using Intune](/mem/intune/configuration/device-restrictions-windows-10). diff --git a/windows/application-management/docfx.json b/windows/application-management/docfx.json index 0c2d4413bb..4cd7b0588c 100644 --- a/windows/application-management/docfx.json +++ b/windows/application-management/docfx.json @@ -36,7 +36,7 @@ "recommendations": true, "breadcrumb_path": "/windows/resources/breadcrumb/toc.json", "uhfHeaderId": "MSDocsHeader-M365-IT", - "ms.technology": "windows", + "ms.technology": "itpro-apps", "ms.topic": "article", "feedback_system": "GitHub", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", diff --git a/windows/application-management/images/Createpackage.PNG b/windows/application-management/images/Createpackage.PNG deleted file mode 100644 index 4ae246a743..0000000000 Binary files a/windows/application-management/images/Createpackage.PNG and /dev/null differ diff --git a/windows/application-management/images/Installation.PNG b/windows/application-management/images/Installation.PNG deleted file mode 100644 index 9c3197ada5..0000000000 Binary files a/windows/application-management/images/Installation.PNG and /dev/null differ diff --git a/windows/application-management/images/Managefirstlaunchtasks.PNG b/windows/application-management/images/Managefirstlaunchtasks.PNG deleted file mode 100644 index edcf1a23e8..0000000000 Binary files a/windows/application-management/images/Managefirstlaunchtasks.PNG and /dev/null differ diff --git a/windows/application-management/images/PackageSupport.PNG b/windows/application-management/images/PackageSupport.PNG deleted file mode 100644 index 1bbca6865a..0000000000 Binary files a/windows/application-management/images/PackageSupport.PNG and /dev/null differ diff --git a/windows/application-management/images/Packageinfo.PNG b/windows/application-management/images/Packageinfo.PNG deleted file mode 100644 index be3b9b98dd..0000000000 Binary files a/windows/application-management/images/Packageinfo.PNG and /dev/null differ diff --git a/windows/application-management/images/Selectinstaller.PNG b/windows/application-management/images/Selectinstaller.PNG deleted file mode 100644 index 7ffd984bed..0000000000 Binary files a/windows/application-management/images/Selectinstaller.PNG and /dev/null differ diff --git a/windows/application-management/images/donemonitoring..PNG b/windows/application-management/images/donemonitoring..PNG deleted file mode 100644 index d39102b961..0000000000 Binary files a/windows/application-management/images/donemonitoring..PNG and /dev/null differ diff --git a/windows/application-management/images/preparecomputer.PNG b/windows/application-management/images/preparecomputer.PNG deleted file mode 100644 index 43b2e3e965..0000000000 Binary files a/windows/application-management/images/preparecomputer.PNG and /dev/null differ diff --git a/windows/application-management/images/preparingpackagestep.PNG b/windows/application-management/images/preparingpackagestep.PNG deleted file mode 100644 index 5b06e11d0d..0000000000 Binary files a/windows/application-management/images/preparingpackagestep.PNG and /dev/null differ diff --git a/windows/application-management/images/selectEnvironmentThiscomputer.PNG b/windows/application-management/images/selectEnvironmentThiscomputer.PNG deleted file mode 100644 index bf6f3b4bf0..0000000000 Binary files a/windows/application-management/images/selectEnvironmentThiscomputer.PNG and /dev/null differ diff --git a/windows/application-management/images/selectEnvironmentVM.PNG b/windows/application-management/images/selectEnvironmentVM.PNG deleted file mode 100644 index dd6e1f9168..0000000000 Binary files a/windows/application-management/images/selectEnvironmentVM.PNG and /dev/null differ diff --git a/windows/application-management/images/welcomescreen.PNG b/windows/application-management/images/welcomescreen.PNG deleted file mode 100644 index cd551740a8..0000000000 Binary files a/windows/application-management/images/welcomescreen.PNG and /dev/null differ diff --git a/windows/application-management/index.yml b/windows/application-management/index.yml index e13b0747f4..73c14c4195 100644 --- a/windows/application-management/index.yml +++ b/windows/application-management/index.yml @@ -1,25 +1,19 @@ ### YamlMime:Landing -title: Windows application management # < 60 chars -summary: Learn about managing applications in Windows client, including how to remove background task resource restrictions. # < 160 chars +title: Windows application management +summary: Learn about managing applications in Windows client, including how to remove background task resource restrictions. metadata: - title: Windows application management # Required; page title displayed in search results. Include the brand. < 60 chars. - description: Learn about managing applications in Windows 10 and Windows 11. # Required; article description that is displayed in search results. < 160 chars. - services: windows-10 - ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. - ms.subservice: subservice - ms.topic: landing-page # Required - ms.collection: - - windows-10 + title: Windows application management + description: Learn about managing applications in Windows 10 and Windows 11. + ms.topic: landing-page + ms.prod: windows-client + ms.collection: - highpri author: nicholasswhite ms.author: nwhite manager: aaroncz - ms.date: 08/24/2021 #Required; mm/dd/yyyy format. - ms.localizationpriority : medium - -# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new + ms.date: 08/24/2021 landingContent: # Cards and links should be based on top customer tasks or top subjects diff --git a/windows/application-management/media/app-upgrade-cm-console.png b/windows/application-management/media/app-upgrade-cm-console.png deleted file mode 100644 index 2ce9cd411e..0000000000 Binary files a/windows/application-management/media/app-upgrade-cm-console.png and /dev/null differ diff --git a/windows/application-management/media/app-upgrade-no-supersedence.png b/windows/application-management/media/app-upgrade-no-supersedence.png deleted file mode 100644 index 9a9bb9bb53..0000000000 Binary files a/windows/application-management/media/app-upgrade-no-supersedence.png and /dev/null differ diff --git a/windows/application-management/media/app-upgrade-old-version.png b/windows/application-management/media/app-upgrade-old-version.png deleted file mode 100644 index e430be170e..0000000000 Binary files a/windows/application-management/media/app-upgrade-old-version.png and /dev/null differ diff --git a/windows/application-management/media/app-upgrade-supersede-deploy-type.png b/windows/application-management/media/app-upgrade-supersede-deploy-type.png deleted file mode 100644 index 24a45c5939..0000000000 Binary files a/windows/application-management/media/app-upgrade-supersede-deploy-type.png and /dev/null differ diff --git a/windows/application-management/media/icon_hyperlink.png b/windows/application-management/media/icon_hyperlink.png deleted file mode 100644 index 847e8f62ad..0000000000 Binary files a/windows/application-management/media/icon_hyperlink.png and /dev/null differ diff --git a/windows/application-management/provisioned-apps-windows-client-os.md b/windows/application-management/provisioned-apps-windows-client-os.md index c695094f62..fb6660fbcf 100644 --- a/windows/application-management/provisioned-apps-windows-client-os.md +++ b/windows/application-management/provisioned-apps-windows-client-os.md @@ -4,6 +4,7 @@ ms.reviewer: author: nicholasswhite ms.author: nwhite manager: aaroncz +ms.date: 12/07/2017 description: Use the Windows PowerShell Get-AppxProvisionedPackage command to get a list off the provisioned apps installed in Windows OS. See a list of some common provisioned apps installed a Windows Enterprise client computer or device, including Windows 10/11. ms.prod: windows-client ms.localizationpriority: medium @@ -45,9 +46,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809| - | --- | --- | --- | --- | --- | --- | --- |--- | - | ✔️ | ✔️ | ✔️ | | | | | | + | Uninstall through UI? | 22H2| 21H1 | 20H2 | + | --- | --- | --- | --- | + | ✔️ | ✔️ | ✔️ || --- @@ -55,9 +56,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- | --- |--- | - | ✔️ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? | 22H2| 21H1 | 20H2 | + | --- | --- | --- | --- | + | ✔️ | ✔️ | ✔️ | ✔️️| --- @@ -65,9 +66,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- | --- |--- | - | Use Settings App | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? | 22H2| 21H1 | 20H2 | + | --- | --- | --- | --- | + | Use Settings App | ✔️ | ✔️ | ✔️| --- @@ -75,9 +76,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - |---| --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | + |---| --- | --- | --- | + | ❌ | ✔️| ✔️| ✔️| --- @@ -85,9 +86,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️| ✔️| --- @@ -95,31 +96,31 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | + | --- | --- | --- | --- | + | ❌ | ✔️| ✔️| ✔️| --- -- [HEVC Video Extensions](ms-windows-store://pdp/?PFN=Microsoft.HEVCVideoExtension_8wekyb3d8bbwe) | Package name: Microsoft.HEVCVideoExtension -> [!NOTE] -> For devices running Windows 11, version 21H2, and any supported version of Windows 10, you need to acquire the [HEVC Video Extensions](ms-windows-store://pdp/?PFN=Microsoft.HEVCVideoExtension_8wekyb3d8bbwe) from the Microsoft Store. +- [HEVC Video Extensions](ms-windows-store://pdp/?productid=9NMZLZ57R3T7) | Package name: Microsoft.HEVCVideoExtension - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️||||||| + | Uninstall through UI? |22H2| 21H1 | 20H2 | + | --- | --- | --- | --- | + | ❌ | ✔️||| --- + >[!NOTE] + >For devices running Windows 11, version 21H2, and any supported version of Windows 10, you need to acquire the [HEVC Video Extensions](ms-windows-store://pdp/?productid=9NMZLZ57R3T7) from the Microsoft Store. - [Microsoft Messaging](ms-windows-store://pdp/?PFN=Microsoft.Messaging_8wekyb3d8bbwe) | Package name:Microsoft.Messaging - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️ | ✔️| | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️ | ✔️| --- @@ -127,9 +128,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - |---| --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️ | ✔️| --- @@ -137,9 +138,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- | --- |--- | - | ✔️ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? | 22H2| 21H1 | 20H2 | + | --- | --- | --- | --- | + | ✔️ | ✔️ | ✔️ | ✔️️| --- @@ -147,9 +148,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- | --- |--- | - | ✔️ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? | 22H2| 21H1 | 20H2 | + | --- | --- | --- | --- | + | ✔️ | ✔️ | ✔️ | ✔️️| --- @@ -157,9 +158,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - |---| --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️ | ✔️| --- @@ -167,9 +168,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - |---| --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️ | ✔️| --- @@ -177,9 +178,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - |---| --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️ | ✔️| --- @@ -187,9 +188,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- | --- |--- | - | ✔️ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? | 22H2| 21H1 | 20H2 | + | --- | --- | --- | --- | + | ✔️ | ✔️ | ✔️ | ✔️️| --- @@ -197,9 +198,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - |---| --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️ | ✔️| | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️ | ✔️| --- @@ -207,9 +208,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- | --- |--- | - |️ | ✔️ | ✔️ | ✔️|️ | ✔️|️️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | + | --- | --- | --- | --- | + | | ✔️ | ✔️ | ✔️| --- @@ -217,9 +218,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - |---| --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️ | ✔️| --- @@ -227,9 +228,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - |---| --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️ | ✔️| | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️ | ✔️| --- @@ -237,9 +238,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - |---| --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️ | ✔️| --- @@ -247,9 +248,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - |---| --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️ | ✔️| --- @@ -257,9 +258,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - |---| --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️ | ✔️| --- @@ -267,9 +268,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - |---| --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️ | ✔️| --- @@ -277,9 +278,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - |---| --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️ | ✔️| --- @@ -287,9 +288,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - |---| --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️ | ✔️| --- @@ -297,9 +298,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - |---| --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️ | ✔️| --- @@ -307,9 +308,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - |---| --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️ | ✔️| --- @@ -317,9 +318,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - |---| --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️ | ✔️| --- @@ -327,9 +328,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - |---| --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️ | ✔️| --- @@ -337,9 +338,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - |---| --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️ | ✔️| --- @@ -347,9 +348,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - |---| --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️ | ✔️| --- @@ -357,9 +358,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - |---| --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️ | ✔️| --- @@ -367,9 +368,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - |---| --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️ | ✔️| --- @@ -377,9 +378,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - |---| --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️ | ✔️| --- @@ -387,9 +388,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - |---| --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️ | ✔️| --- @@ -399,9 +400,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - |---| --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️ | ✔️| --- @@ -409,9 +410,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - |---| --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️ | ✔️| --- @@ -419,9 +420,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - |---| --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️ | ✔️| --- @@ -429,9 +430,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - |---| --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️ | ✔️| --- @@ -439,9 +440,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - |---| --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️ | ✔️| --- @@ -449,9 +450,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - |---| --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️ | ✔️| --- @@ -459,9 +460,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - |---| --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️ | ✔️| --- @@ -469,9 +470,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - |---| --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️ | ✔️| --- @@ -479,8 +480,8 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - |---| --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️ | ✔️| --- diff --git a/windows/application-management/sideload-apps-in-windows-10.md b/windows/application-management/sideload-apps-in-windows-10.md index baeae78bd8..f4ab632036 100644 --- a/windows/application-management/sideload-apps-in-windows-10.md +++ b/windows/application-management/sideload-apps-in-windows-10.md @@ -5,9 +5,11 @@ ms.reviewer: author: nicholasswhite ms.author: nwhite manager: aaroncz +ms.date: 12/07/2017 ms.prod: windows-client ms.localizationpriority: medium ms.technology: itpro-apps +ms.topic: article --- # Sideload line of business (LOB) apps in Windows client devices diff --git a/windows/application-management/system-apps-windows-client-os.md b/windows/application-management/system-apps-windows-client-os.md index 0788b793d8..1e692a53a0 100644 --- a/windows/application-management/system-apps-windows-client-os.md +++ b/windows/application-management/system-apps-windows-client-os.md @@ -4,6 +4,7 @@ ms.reviewer: author: nicholasswhite ms.author: nwhite manager: aaroncz +ms.date: 12/07/2017 description: Use the Windows PowerShell Get-AppxPackage command to get a list off the system apps installed in Windows OS. See a list of some common system apps installed a Windows Enterprise client computer or device, including Windows 10/11. ms.prod: windows-client ms.localizationpriority: medium diff --git a/windows/application-management/toc.yml b/windows/application-management/toc.yml index 4be6d524af..395cecb920 100644 --- a/windows/application-management/toc.yml +++ b/windows/application-management/toc.yml @@ -20,7 +20,7 @@ items: - name: Remove background task resource restrictions href: enterprise-background-activity-controls.md - name: Enable or block Windows Mixed Reality apps in the enterprise - href: manage-windows-mixed-reality.md + href: /windows/mixed-reality/enthusiast-guide/manage-windows-mixed-reality - name: Application Virtualization (App-V) items: - name: App-V for Windows overview diff --git a/windows/client-management/azure-active-directory-integration-with-mdm.md b/windows/client-management/azure-active-directory-integration-with-mdm.md index d02f1b1f53..f2c906993c 100644 --- a/windows/client-management/azure-active-directory-integration-with-mdm.md +++ b/windows/client-management/azure-active-directory-integration-with-mdm.md @@ -1,6 +1,6 @@ --- title: Azure Active Directory integration with MDM -description: Azure Active Directory is the world largest enterprise cloud identity management service. +description: Azure Active Directory is the world's largest enterprise cloud identity management service. ms.reviewer: manager: aaroncz ms.author: vinpa @@ -9,11 +9,12 @@ ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft ms.collection: highpri +ms.date: 12/31/2017 --- # Azure Active Directory integration with MDM -Azure Active Directory is the world largest enterprise cloud identity management service. It’s used by organizations to access Office 365 and business applications from Microsoft and third-party software as a service (SaaS) vendors. Many of the rich Windows 10 experiences for organizational users (such as store access or OS state roaming) use Azure AD as the underlying identity infrastructure. Windows integrates with Azure AD, allowing devices to be registered in Azure AD and enrolled into MDM in an integrated flow. +Azure Active Directory is the world's largest enterprise cloud identity management service. It’s used by organizations to access Office 365 and business applications from Microsoft and third-party software as a service (SaaS) vendors. Many of the rich Windows 10 experiences for organizational users (such as store access or OS state roaming) use Azure AD as the underlying identity infrastructure. Windows integrates with Azure AD, allowing devices to be registered in Azure AD and enrolled into MDM in an integrated flow. Once a device is enrolled in MDM, the MDM: @@ -202,9 +203,9 @@ The following table shows the required information to create an entry in the Azu ### Add on-premises MDM to the app gallery -There are no special requirements for adding on-premises MDM to the app gallery. There's a generic entry for administrator to add an app to their tenant. +There are no special requirements for adding on-premises MDM to the app gallery. There's a generic entry for administrators to add an app to their tenant. -However, key management is different for on-premises MDM. You must obtain the client ID (app ID) and key assigned to the MDM app within the customer's tenant. Thee ID and key obtain authorization to access the Microsoft Graph API and for reporting device compliance. +However, key management is different for on-premises MDM. You must obtain the client ID (app ID) and key assigned to the MDM app within the customer's tenant. The ID and key obtain authorization to access the Microsoft Graph API and for reporting device compliance. ## Themes diff --git a/windows/client-management/docfx.json b/windows/client-management/docfx.json index 21740e86df..8c038b6c43 100644 --- a/windows/client-management/docfx.json +++ b/windows/client-management/docfx.json @@ -36,7 +36,7 @@ "recommendations": true, "breadcrumb_path": "/windows/resources/breadcrumb/toc.json", "uhfHeaderId": "MSDocsHeader-M365-IT", - "ms.technology": "windows", + "ms.technology": "itpro-manage", "audience": "ITPro", "ms.topic": "article", "manager": "dansimp", diff --git a/windows/client-management/enable-admx-backed-policies-in-mdm.md b/windows/client-management/enable-admx-backed-policies-in-mdm.md index a5dc882b93..ce77a2e025 100644 --- a/windows/client-management/enable-admx-backed-policies-in-mdm.md +++ b/windows/client-management/enable-admx-backed-policies-in-mdm.md @@ -8,7 +8,7 @@ ms.technology: itpro-manage author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 11/01/2017 -ms.reviewer: +ms.reviewer: manager: aaroncz --- @@ -105,7 +105,7 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/ 2. Find the variable names of the parameters in the ADMX file. - You can find the ADMX file name in the policy description in Policy CSP. In this example, the filename appv.admx is listed in [AppVirtualization/PublishingAllowServer2](mdm/policy-configuration-service-provider.md#appvirtualization-publishingallowserver2). + You can find the ADMX file name in the policy description in Policy CSP. In this example, the filename appv.admx is listed in [AppVirtualization/PublishingAllowServer2](mdm/policy-csp-appvirtualization.md#appvirtualization-publishingallowserver2). ![Publishing server 2 policy description.](images/admx-appv-policy-description.png) diff --git a/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md index a27bb4a05a..ec40469278 100644 --- a/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md @@ -125,7 +125,7 @@ Requirements: > [!NOTE] > In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. **Device Credential** is a new option that will only have an effect on clients that have installed Windows 10, version 1903 or later. The default behavior for older releases is to revert to **User Credential**. - > **Device Credential** is only supported for Microsoft Intune enrollment in scenarios with Co-management or Azure Virtual Desktop because the Intune subscription is user centric. + > **Device Credential** is only supported for Microsoft Intune enrollment in scenarios with Co-management or [Azure Virtual Desktop multi-session host pools](/mem/intune/fundamentals/azure-virtual-desktop-multi-session) because the Intune subscription is user centric. User credentials are supported for [Azure Virtual Desktop personal host pools](/mem/intune/fundamentals/azure-virtual-desktop). When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called "Schedule created by enrollment client for automatically enrolling in MDM from Azure Active Directory." diff --git a/windows/client-management/esim-enterprise-management.md b/windows/client-management/esim-enterprise-management.md index be730b8fd9..5acabf7ab8 100644 --- a/windows/client-management/esim-enterprise-management.md +++ b/windows/client-management/esim-enterprise-management.md @@ -7,6 +7,7 @@ ms.localizationpriority: medium ms.author: vinpa ms.topic: conceptual ms.technology: itpro-manage +ms.date: 12/31/2017 --- # How Mobile Device Management Providers support eSIM Management on Windows diff --git a/windows/client-management/images/NPS_sidepacket_capture_data.png b/windows/client-management/images/NPS_sidepacket_capture_data.png deleted file mode 100644 index 9d43a3ebed..0000000000 Binary files a/windows/client-management/images/NPS_sidepacket_capture_data.png and /dev/null differ diff --git a/windows/client-management/images/auditfailure.png b/windows/client-management/images/auditfailure.png deleted file mode 100644 index f235ad8148..0000000000 Binary files a/windows/client-management/images/auditfailure.png and /dev/null differ diff --git a/windows/client-management/images/auditsuccess.png b/windows/client-management/images/auditsuccess.png deleted file mode 100644 index 66ce98acb1..0000000000 Binary files a/windows/client-management/images/auditsuccess.png and /dev/null differ diff --git a/windows/client-management/images/authenticator_flow_chart.png b/windows/client-management/images/authenticator_flow_chart.png deleted file mode 100644 index 729895e60e..0000000000 Binary files a/windows/client-management/images/authenticator_flow_chart.png and /dev/null differ diff --git a/windows/client-management/images/boot-sequence-thumb.png b/windows/client-management/images/boot-sequence-thumb.png deleted file mode 100644 index 164f9f9848..0000000000 Binary files a/windows/client-management/images/boot-sequence-thumb.png and /dev/null differ diff --git a/windows/client-management/images/boot-sequence.png b/windows/client-management/images/boot-sequence.png deleted file mode 100644 index 31e6dc34c9..0000000000 Binary files a/windows/client-management/images/boot-sequence.png and /dev/null differ diff --git a/windows/client-management/images/bugcheck-analysis.png b/windows/client-management/images/bugcheck-analysis.png deleted file mode 100644 index e4b4f033f8..0000000000 Binary files a/windows/client-management/images/bugcheck-analysis.png and /dev/null differ diff --git a/windows/client-management/images/capi.png b/windows/client-management/images/capi.png deleted file mode 100644 index 76bbcd0650..0000000000 Binary files a/windows/client-management/images/capi.png and /dev/null differ diff --git a/windows/client-management/images/check-disk.png b/windows/client-management/images/check-disk.png deleted file mode 100644 index 2c5859470e..0000000000 Binary files a/windows/client-management/images/check-disk.png and /dev/null differ diff --git a/windows/client-management/images/clientsidepacket_cap_data.png b/windows/client-management/images/clientsidepacket_cap_data.png deleted file mode 100644 index b162d2e285..0000000000 Binary files a/windows/client-management/images/clientsidepacket_cap_data.png and /dev/null differ diff --git a/windows/client-management/images/comparisontable.png b/windows/client-management/images/comparisontable.png deleted file mode 100644 index 0f6781d93e..0000000000 Binary files a/windows/client-management/images/comparisontable.png and /dev/null differ diff --git a/windows/client-management/images/controlset.png b/windows/client-management/images/controlset.png deleted file mode 100644 index fe9d3c8820..0000000000 Binary files a/windows/client-management/images/controlset.png and /dev/null differ diff --git a/windows/client-management/images/eappropertymenu.png b/windows/client-management/images/eappropertymenu.png deleted file mode 100644 index 127d7a7e49..0000000000 Binary files a/windows/client-management/images/eappropertymenu.png and /dev/null differ diff --git a/windows/client-management/images/etl.png b/windows/client-management/images/etl.png deleted file mode 100644 index 14a62c6450..0000000000 Binary files a/windows/client-management/images/etl.png and /dev/null differ diff --git a/windows/client-management/images/eventviewer.png b/windows/client-management/images/eventviewer.png deleted file mode 100644 index e0aa5d1721..0000000000 Binary files a/windows/client-management/images/eventviewer.png and /dev/null differ diff --git a/windows/client-management/images/loadhive.png b/windows/client-management/images/loadhive.png deleted file mode 100644 index 62c6643140..0000000000 Binary files a/windows/client-management/images/loadhive.png and /dev/null differ diff --git a/windows/client-management/images/miniport.png b/windows/client-management/images/miniport.png deleted file mode 100644 index ba1b2fed2d..0000000000 Binary files a/windows/client-management/images/miniport.png and /dev/null differ diff --git a/windows/client-management/images/msm.png b/windows/client-management/images/msm.png deleted file mode 100644 index 397df3e350..0000000000 Binary files a/windows/client-management/images/msm.png and /dev/null differ diff --git a/windows/client-management/images/msmdetails.png b/windows/client-management/images/msmdetails.png deleted file mode 100644 index cbcf20e114..0000000000 Binary files a/windows/client-management/images/msmdetails.png and /dev/null differ diff --git a/windows/client-management/images/nm-adapters.png b/windows/client-management/images/nm-adapters.png deleted file mode 100644 index f4e25fdbc8..0000000000 Binary files a/windows/client-management/images/nm-adapters.png and /dev/null differ diff --git a/windows/client-management/images/nm-start.png b/windows/client-management/images/nm-start.png deleted file mode 100644 index ec92f013a2..0000000000 Binary files a/windows/client-management/images/nm-start.png and /dev/null differ diff --git a/windows/client-management/images/out-of-memory.png b/windows/client-management/images/out-of-memory.png deleted file mode 100644 index c377389128..0000000000 Binary files a/windows/client-management/images/out-of-memory.png and /dev/null differ diff --git a/windows/client-management/images/pendingupdate.png b/windows/client-management/images/pendingupdate.png deleted file mode 100644 index 19d8c9dec4..0000000000 Binary files a/windows/client-management/images/pendingupdate.png and /dev/null differ diff --git a/windows/client-management/images/revertpending.png b/windows/client-management/images/revertpending.png deleted file mode 100644 index 7b60c6446d..0000000000 Binary files a/windows/client-management/images/revertpending.png and /dev/null differ diff --git a/windows/client-management/images/rpc-error.png b/windows/client-management/images/rpc-error.png deleted file mode 100644 index 0e0828522b..0000000000 Binary files a/windows/client-management/images/rpc-error.png and /dev/null differ diff --git a/windows/client-management/images/rpc-flow.png b/windows/client-management/images/rpc-flow.png deleted file mode 100644 index a3d9c13030..0000000000 Binary files a/windows/client-management/images/rpc-flow.png and /dev/null differ diff --git a/windows/client-management/images/screenshot1.png b/windows/client-management/images/screenshot1.png deleted file mode 100644 index 5138b41016..0000000000 Binary files a/windows/client-management/images/screenshot1.png and /dev/null differ diff --git a/windows/client-management/images/sfc-scannow.png b/windows/client-management/images/sfc-scannow.png deleted file mode 100644 index 1c079288a8..0000000000 Binary files a/windows/client-management/images/sfc-scannow.png and /dev/null differ diff --git a/windows/client-management/images/task-manager-commit.png b/windows/client-management/images/task-manager-commit.png deleted file mode 100644 index 86d289eebe..0000000000 Binary files a/windows/client-management/images/task-manager-commit.png and /dev/null differ diff --git a/windows/client-management/images/task-manager.png b/windows/client-management/images/task-manager.png deleted file mode 100644 index c52163f46e..0000000000 Binary files a/windows/client-management/images/task-manager.png and /dev/null differ diff --git a/windows/client-management/images/tat.png b/windows/client-management/images/tat.png deleted file mode 100644 index 90eb328c38..0000000000 Binary files a/windows/client-management/images/tat.png and /dev/null differ diff --git a/windows/client-management/images/tcp-ts-10.png b/windows/client-management/images/tcp-ts-10.png deleted file mode 100644 index 7bf332b57a..0000000000 Binary files a/windows/client-management/images/tcp-ts-10.png and /dev/null differ diff --git a/windows/client-management/images/tcp-ts-11.png b/windows/client-management/images/tcp-ts-11.png deleted file mode 100644 index 75b0361f89..0000000000 Binary files a/windows/client-management/images/tcp-ts-11.png and /dev/null differ diff --git a/windows/client-management/images/tcp-ts-12.png b/windows/client-management/images/tcp-ts-12.png deleted file mode 100644 index 592ccf0e76..0000000000 Binary files a/windows/client-management/images/tcp-ts-12.png and /dev/null differ diff --git a/windows/client-management/images/tcp-ts-13.png b/windows/client-management/images/tcp-ts-13.png deleted file mode 100644 index da6157c72a..0000000000 Binary files a/windows/client-management/images/tcp-ts-13.png and /dev/null differ diff --git a/windows/client-management/images/tcp-ts-14.png b/windows/client-management/images/tcp-ts-14.png deleted file mode 100644 index b1db37cd1a..0000000000 Binary files a/windows/client-management/images/tcp-ts-14.png and /dev/null differ diff --git a/windows/client-management/images/tcp-ts-15.png b/windows/client-management/images/tcp-ts-15.png deleted file mode 100644 index e3e161317f..0000000000 Binary files a/windows/client-management/images/tcp-ts-15.png and /dev/null differ diff --git a/windows/client-management/images/tcp-ts-16.png b/windows/client-management/images/tcp-ts-16.png deleted file mode 100644 index 52a5e24e2b..0000000000 Binary files a/windows/client-management/images/tcp-ts-16.png and /dev/null differ diff --git a/windows/client-management/images/tcp-ts-17.png b/windows/client-management/images/tcp-ts-17.png deleted file mode 100644 index e690bbdf1c..0000000000 Binary files a/windows/client-management/images/tcp-ts-17.png and /dev/null differ diff --git a/windows/client-management/images/tcp-ts-18.png b/windows/client-management/images/tcp-ts-18.png deleted file mode 100644 index 95cf36dbe7..0000000000 Binary files a/windows/client-management/images/tcp-ts-18.png and /dev/null differ diff --git a/windows/client-management/images/tcp-ts-19.png b/windows/client-management/images/tcp-ts-19.png deleted file mode 100644 index 4f2d239e57..0000000000 Binary files a/windows/client-management/images/tcp-ts-19.png and /dev/null differ diff --git a/windows/client-management/images/tcp-ts-20.png b/windows/client-management/images/tcp-ts-20.png deleted file mode 100644 index 9b3c573f7e..0000000000 Binary files a/windows/client-management/images/tcp-ts-20.png and /dev/null differ diff --git a/windows/client-management/images/tcp-ts-21.png b/windows/client-management/images/tcp-ts-21.png deleted file mode 100644 index 1e29a2061e..0000000000 Binary files a/windows/client-management/images/tcp-ts-21.png and /dev/null differ diff --git a/windows/client-management/images/tcp-ts-22.png b/windows/client-management/images/tcp-ts-22.png deleted file mode 100644 index c49dcd72ee..0000000000 Binary files a/windows/client-management/images/tcp-ts-22.png and /dev/null differ diff --git a/windows/client-management/images/tcp-ts-23.png b/windows/client-management/images/tcp-ts-23.png deleted file mode 100644 index 16ef4604c1..0000000000 Binary files a/windows/client-management/images/tcp-ts-23.png and /dev/null differ diff --git a/windows/client-management/images/tcp-ts-24.png b/windows/client-management/images/tcp-ts-24.png deleted file mode 100644 index 14ae950076..0000000000 Binary files a/windows/client-management/images/tcp-ts-24.png and /dev/null differ diff --git a/windows/client-management/images/tcp-ts-25.png b/windows/client-management/images/tcp-ts-25.png deleted file mode 100644 index 21e8b97a08..0000000000 Binary files a/windows/client-management/images/tcp-ts-25.png and /dev/null differ diff --git a/windows/client-management/images/tcp-ts-4.png b/windows/client-management/images/tcp-ts-4.png deleted file mode 100644 index 73bc5f90be..0000000000 Binary files a/windows/client-management/images/tcp-ts-4.png and /dev/null differ diff --git a/windows/client-management/images/tcp-ts-5.png b/windows/client-management/images/tcp-ts-5.png deleted file mode 100644 index ee64c96da0..0000000000 Binary files a/windows/client-management/images/tcp-ts-5.png and /dev/null differ diff --git a/windows/client-management/images/tcp-ts-6.png b/windows/client-management/images/tcp-ts-6.png deleted file mode 100644 index 8db75fdb08..0000000000 Binary files a/windows/client-management/images/tcp-ts-6.png and /dev/null differ diff --git a/windows/client-management/images/tcp-ts-7.png b/windows/client-management/images/tcp-ts-7.png deleted file mode 100644 index 4b61bf7e36..0000000000 Binary files a/windows/client-management/images/tcp-ts-7.png and /dev/null differ diff --git a/windows/client-management/images/tcp-ts-8.png b/windows/client-management/images/tcp-ts-8.png deleted file mode 100644 index f0ef8300ba..0000000000 Binary files a/windows/client-management/images/tcp-ts-8.png and /dev/null differ diff --git a/windows/client-management/images/tcp-ts-9.png b/windows/client-management/images/tcp-ts-9.png deleted file mode 100644 index dba375fd65..0000000000 Binary files a/windows/client-management/images/tcp-ts-9.png and /dev/null differ diff --git a/windows/client-management/images/unloadhive.png b/windows/client-management/images/unloadhive.png deleted file mode 100644 index e8eb2f859e..0000000000 Binary files a/windows/client-management/images/unloadhive.png and /dev/null differ diff --git a/windows/client-management/images/unloadhive1.png b/windows/client-management/images/unloadhive1.png deleted file mode 100644 index 3b269f294c..0000000000 Binary files a/windows/client-management/images/unloadhive1.png and /dev/null differ diff --git a/windows/client-management/images/wcm.png b/windows/client-management/images/wcm.png deleted file mode 100644 index 6c26a3aeb7..0000000000 Binary files a/windows/client-management/images/wcm.png and /dev/null differ diff --git a/windows/client-management/images/wifi-stack.png b/windows/client-management/images/wifi-stack.png deleted file mode 100644 index cf94f491c4..0000000000 Binary files a/windows/client-management/images/wifi-stack.png and /dev/null differ diff --git a/windows/client-management/images/windbg.png b/windows/client-management/images/windbg.png deleted file mode 100644 index 2f489e81a7..0000000000 Binary files a/windows/client-management/images/windbg.png and /dev/null differ diff --git a/windows/client-management/images/wlan.png b/windows/client-management/images/wlan.png deleted file mode 100644 index fea20f7272..0000000000 Binary files a/windows/client-management/images/wlan.png and /dev/null differ diff --git a/windows/client-management/includes/allow-cortana-shortdesc.md b/windows/client-management/includes/allow-cortana-shortdesc.md deleted file mode 100644 index 234b73f7d2..0000000000 --- a/windows/client-management/includes/allow-cortana-shortdesc.md +++ /dev/null @@ -1,11 +0,0 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Since Microsoft Edge is integration with Cortana, Microsoft Edge allows users to use Cortana voice assistant by default. With this policy, you can configure Microsoft Edge to prevent users from using Cortana but can still search to find items on their device. diff --git a/windows/client-management/includes/configure-favorites-shortdesc.md b/windows/client-management/includes/configure-favorites-shortdesc.md deleted file mode 100644 index 34e0cded8f..0000000000 --- a/windows/client-management/includes/configure-favorites-shortdesc.md +++ /dev/null @@ -1,11 +0,0 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Discontinued in Windows 10, version 1809. Use the **[Provision Favorites](../available-policies.md#provision-favorites)** policy instead. diff --git a/windows/client-management/includes/do-not-sync-shortdesc.md b/windows/client-management/includes/do-not-sync-shortdesc.md deleted file mode 100644 index 2fe09c0260..0000000000 --- a/windows/client-management/includes/do-not-sync-shortdesc.md +++ /dev/null @@ -1,11 +0,0 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, Microsoft Edge turns on the _Sync your settings_ toggle in **Settings > Device sync settings** letting users choose what to sync on their devices. Enabling this policy turns off and disables the _Sync your settings_ toggle preventing the syncing of user’s settings between their devices. If you want syncing turned off by default in Microsoft Edge but not disabled, enable this policy and select the _Allow users to turn syncing on_ option. diff --git a/windows/client-management/includes/microsoft-browser-extension-policy-shortdesc.md b/windows/client-management/includes/microsoft-browser-extension-policy-shortdesc.md deleted file mode 100644 index 2b26624e8c..0000000000 --- a/windows/client-management/includes/microsoft-browser-extension-policy-shortdesc.md +++ /dev/null @@ -1,12 +0,0 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 04/23/2020 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -[Microsoft browser extension policy](/legal/microsoft-edge/microsoft-browser-extension-policy): -This article describes the supported mechanisms for extending or modifying the behavior or user experience of Microsoft Edge and Internet Explorer, or the content these browsers display. Techniques that aren't explicitly listed in this article are considered to be **unsupported**. \ No newline at end of file diff --git a/windows/client-management/includes/search-provider-discovery-shortdesc.md b/windows/client-management/includes/search-provider-discovery-shortdesc.md deleted file mode 100644 index 8524933996..0000000000 --- a/windows/client-management/includes/search-provider-discovery-shortdesc.md +++ /dev/null @@ -1,11 +0,0 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge follows the OpenSearch 1.1 specification to discover and use web search providers. When a user browses to a search service, the OpenSearch description is picked up and saved for later use. Users can then choose to add the search service to use in the Microsoft Edge address bar. diff --git a/windows/client-management/index.yml b/windows/client-management/index.yml index 7fdf68a9fa..ff469792d0 100644 --- a/windows/client-management/index.yml +++ b/windows/client-management/index.yml @@ -6,12 +6,10 @@ summary: Find out how to apply custom configurations to Windows client devices. metadata: title: Manage Windows client # Required; page title displayed in search results. Include the brand. < 60 chars. description: Learn about the administrative tools, tasks, and best practices for managing Windows clients across your enterprise. # Required; article description that is displayed in search results. < 160 chars. - services: windows-10 - ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. - ms.subservice: subservice - ms.topic: landing-page # Required + ms.topic: landing-page + ms.prod: windows-client + ms.technology: itpro-manage ms.collection: - - windows-10 - highpri author: aczechowski ms.author: aaroncz diff --git a/windows/client-management/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm-enrollment-of-windows-devices.md index 368defcb39..eba080fea2 100644 --- a/windows/client-management/mdm-enrollment-of-windows-devices.md +++ b/windows/client-management/mdm-enrollment-of-windows-devices.md @@ -12,6 +12,7 @@ ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft ms.collection: highpri +ms.date: 12/31/2017 --- # MDM enrollment of Windows 10-based devices diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index f0d3fb39b0..dd6034f807 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -1,445 +1,3100 @@ --- title: Defender CSP -description: Learn how the Windows Defender configuration service provider is used to configure various Windows Defender actions across the enterprise. -ms.reviewer: +description: Learn more about the Defender CSP +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 11/02/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 02/22/2022 +ms.topic: reference --- + + + # Defender CSP -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +The following example shows the Defender configuration service provider in tree format. -The Windows Defender configuration service provider is used to configure various Windows Defender actions across the enterprise. - -The following example shows the Windows Defender configuration service provider in tree format. +```text +./Device/Vendor/MSFT/Defender +--- Configuration +------ AllowDatagramProcessingOnWinServer +------ AllowNetworkProtectionDownLevel +------ AllowNetworkProtectionOnWinServer +------ ASROnlyPerRuleExclusions +------ DataDuplicationDirectory +------ DataDuplicationRemoteLocation +------ DefaultEnforcement +------ DeviceControl +--------- PolicyGroups +------------ {GroupId} +--------------- GroupData +--------- PolicyRules +------------ {RuleId} +--------------- RuleData +------ DeviceControlEnabled +------ DisableCpuThrottleOnIdleScans +------ DisableDnsOverTcpParsing +------ DisableDnsParsing +------ DisableFtpParsing +------ DisableGradualRelease +------ DisableHttpParsing +------ DisableInboundConnectionFiltering +------ DisableLocalAdminMerge +------ DisableNetworkProtectionPerfTelemetry +------ DisableRdpParsing +------ DisableSshParsing +------ DisableTlsParsing +------ EnableDnsSinkhole +------ EnableFileHashComputation +------ EngineUpdatesChannel +------ ExcludedIpAddresses +------ HideExclusionsFromLocalAdmins +------ MeteredConnectionUpdates +------ PassiveRemediation +------ PauseUpdateExpirationTime +------ PauseUpdateFlag +------ PauseUpdateStartTime +------ PlatformUpdatesChannel +------ SchedulerRandomizationTime +------ SecurityIntelligenceUpdatesChannel +------ SupportLogLocation +------ TamperProtection +------ TDTFeatureEnabled +------ ThrottleForScheduledScanOnly +--- Detections +------ {ThreatId} +--------- Category +--------- CurrentStatus +--------- ExecutionStatus +--------- InitialDetectionTime +--------- LastThreatStatusChangeTime +--------- Name +--------- NumberOfDetections +--------- Severity +--------- URL +--- Health +------ ComputerState +------ DefenderEnabled +------ DefenderVersion +------ EngineVersion +------ FullScanOverdue +------ FullScanRequired +------ FullScanSigVersion +------ FullScanTime +------ IsVirtualMachine +------ NisEnabled +------ ProductStatus +------ QuickScanOverdue +------ QuickScanSigVersion +------ QuickScanTime +------ RebootRequired +------ RtpEnabled +------ SignatureOutOfDate +------ SignatureVersion +------ TamperProtectionEnabled +--- OfflineScan +--- RollbackEngine +--- RollbackPlatform +--- Scan +--- UpdateSignature ``` -./Vendor/MSFT -Defender -----Detections ---------ThreatId -------------Name -------------URL -------------Severity -------------Category -------------CurrentStatus -------------ExecutionStatus -------------InitialDetectionTime -------------LastThreatStatusChangeTime -------------NumberOfDetections -----EnableNetworkProtection ---------AllowNetworkProtectionDownLevel ---------AllowNetworkProtectionOnWinServer ---------DisableNetworkProtectionPerfTelemetry ---------DisableDatagramProcessing ---------DisableInboundConnectionFiltering ---------EnableDnsSinkhole ---------DisableDnsOverTcpParsing ---------DisableHttpParsing ---------DisableRdpParsing ---------DisableSshParsing ---------DisableTlsParsing -----Health ---------ProductStatus (Added in Windows 10 version 1809) ---------ComputerState ---------DefenderEnabled ---------RtpEnabled ---------NisEnabled ---------QuickScanOverdue ---------FullScanOverdue ---------SignatureOutOfDate ---------RebootRequired ---------FullScanRequired ---------EngineVersion ---------SignatureVersion ---------DefenderVersion ---------QuickScanTime ---------FullScanTime ---------QuickScanSigVersion ---------FullScanSigVersion ---------TamperProtectionEnabled (Added in Windows 10, version 1903) ---------IsVirtualMachine (Added in Windows 10, version 1903) -----Configuration (Added in Windows 10, version 1903) ---------TamperProtection (Added in Windows 10, version 1903) ---------EnableFileHashComputation (Added in Windows 10, version 1903) ---------SupportLogLocation (Added in the next major release of Windows 10) ---------PlatformUpdatesChannel (Added with the 4.18.2106.5 Defender platform release) ---------EngineUpdatesChannel (Added with the 4.18.2106.5 Defender platform release) ---------SecurityIntelligenceUpdatesChannel (Added with the 4.18.2106.5 Defender platform release) ---------DisableGradualRelease (Added with the 4.18.2106.5 Defender platform release) ---------PassiveRemediation (Added with the 4.18.2202.X Defender platform release) -----Scan -----UpdateSignature -----OfflineScan (Added in Windows 10 version 1803) + + + +## Configuration + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration ``` -**Detections** + + + +An interior node to group Windows Defender configuration information. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### Configuration/AllowDatagramProcessingOnWinServer + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/AllowDatagramProcessingOnWinServer +``` + + + +This settings controls whether Network Protection is allowed to enable datagram processing on Windows Server. If false, the value of DisableDatagramProcessing will be ignored and default to disabling Datagram inspection. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | Datagram processing on Windows Server is enabled. | +| 0 | Datagram processing on Windows Server is disabled. | + + + + + + + + + +### Configuration/AllowNetworkProtectionDownLevel + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/AllowNetworkProtectionDownLevel +``` + + + +This settings controls whether Network Protection is allowed to be configured into block or audit mode on windows downlevel of RS3. If false, the value of EnableNetworkProtection will be ignored. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | Network protection will be enabled downlevel. | +| 0 | Network protection will be disabled downlevel. | + + + + + + + + + +### Configuration/AllowNetworkProtectionOnWinServer + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/AllowNetworkProtectionOnWinServer +``` + + + +This settings controls whether Network Protection is allowed to be configured into block or audit mode on Windows Server. If false, the value of EnableNetworkProtection will be ignored. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 (Default) | Allow | +| 0 | Disallow | + + + + + + + + + +### Configuration/ASROnlyPerRuleExclusions + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/ASROnlyPerRuleExclusions +``` + + + +Apply ASR only per rule exclusions. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### Configuration/DataDuplicationDirectory + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DataDuplicationDirectory +``` + + + +Define data duplication directory for device control. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### Configuration/DataDuplicationRemoteLocation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DataDuplicationRemoteLocation +``` + + + +Define data duplication remote location for device control. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### Configuration/DefaultEnforcement + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DefaultEnforcement +``` + + + +Control Device Control default enforcement. This is the enforcement applied if there are no policy rules present or at the end of the policy rules evaluation none were matched. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | Default Allow Enforcement | +| 2 | Default Deny Enforcement | + + + + + + + + + +### Configuration/DeviceControl + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DeviceControl +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +#### Configuration/DeviceControl/PolicyGroups + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +##### Configuration/DeviceControl/PolicyGroups/{GroupId} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/{GroupId} +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +###### Configuration/DeviceControl/PolicyGroups/{GroupId}/GroupData + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/{GroupId}/GroupData +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +#### Configuration/DeviceControl/PolicyRules + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +##### Configuration/DeviceControl/PolicyRules/{RuleId} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/{RuleId} +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +###### Configuration/DeviceControl/PolicyRules/{RuleId}/RuleData + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/{RuleId}/RuleData +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### Configuration/DeviceControlEnabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DeviceControlEnabled +``` + + + +Control Device Control feature. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | | +| 0 | | + + + + + + + + + +### Configuration/DisableCpuThrottleOnIdleScans + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DisableCpuThrottleOnIdleScans +``` + + + +Indicates whether the CPU will be throttled for scheduled scans while the device is idle. This feature is enabled by default and will not throttle the CPU for scheduled scans performed when the device is otherwise idle, regardless of what ScanAvgCPULoadFactor is set to. For all other scheduled scans this flag will have no impact and normal throttling will occur. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 (Default) | Disable CPU Throttle on idle scans | +| 0 | Enable CPU Throttle on idle scans | + + + + + + + + + +### Configuration/DisableDnsOverTcpParsing + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DisableDnsOverTcpParsing +``` + + + +This setting disables DNS over TCP Parsing for Network Protection. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | DNS over TCP parsing is disabled | +| 0 (Default) | DNS over TCP parsing is enabled | + + + + + + + + + +### Configuration/DisableDnsParsing + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DisableDnsParsing +``` + + + +This setting disables DNS Parsing for Network Protection. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | DNS parsing is disabled | +| 0 (Default) | DNS parsing is enabled | + + + + + + + + + +### Configuration/DisableFtpParsing + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DisableFtpParsing +``` + + + +This setting disables FTP Parsing for Network Protection. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | FTP parsing is disabled | +| 0 (Default) | FTP parsing is enabled | + + + + + + + + + +### Configuration/DisableGradualRelease + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DisableGradualRelease +``` + + + +Enable this policy to disable gradual rollout of Defender updates. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | Gradual release is disabled | +| 0 | Gradual release is enabled | + + + + + + + + + +### Configuration/DisableHttpParsing + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DisableHttpParsing +``` + + + +This setting disables HTTP Parsing for Network Protection. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | HTTP parsing is disabled | +| 0 (Default) | HTTP parsing is enabled | + + + + + + + + + +### Configuration/DisableInboundConnectionFiltering + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DisableInboundConnectionFiltering +``` + + + +This setting disables Inbound connection filtering for Network Protection. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | Inbound connection filtering is disabled | +| 0 | Inbound connection filtering is enabled | + + + + + + + + + +### Configuration/DisableLocalAdminMerge + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DisableLocalAdminMerge +``` + + + +When this value is set to false, it allows a local admin the ability to specify some settings for complex list type that will then merge /override the Preference settings with the Policy settings + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | Disable Local Admin Merge | +| 0 | Enable Local Admin Merge | + + + + + + + + + +### Configuration/DisableNetworkProtectionPerfTelemetry + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DisableNetworkProtectionPerfTelemetry +``` + + + +This setting disables the gathering and send of performance telemetry from Network Protection. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | Network protection telemetry is disabled | +| 0 | Network protection telemetry is enabled | + + + + + + + + + +### Configuration/DisableRdpParsing + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DisableRdpParsing +``` + + + +This setting disables RDP Parsing for Network Protection. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | RDP Parsing is disabled | +| 0 | RDP Parsing is enabled | + + + + + + + + + +### Configuration/DisableSshParsing + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DisableSshParsing +``` + + + +This setting disables SSH Parsing for Network Protection. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | SSH parsing is disabled | +| 0 (Default) | SSH parsing is enabled | + + + + + + + + + +### Configuration/DisableTlsParsing + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/DisableTlsParsing +``` + + + +This setting disables TLS Parsing for Network Protection. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | TLS parsing is disabled | +| 0 (Default) | TLS parsing is enabled | + + + + + + + + + +### Configuration/EnableDnsSinkhole + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/EnableDnsSinkhole +``` + + + +This setting enables the DNS Sinkhole feature for Network Protection, respecting the value of EnableNetworkProtection for block vs audit, does nothing in inspect mode. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | DNS Sinkhole is disabled | +| 0 | DNS Sinkhole is enabled | + + + + + + + + + +### Configuration/EnableFileHashComputation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/EnableFileHashComputation +``` + + + +Enables or disables file hash computation feature. When this feature is enabled Windows defender will compute hashes for files it scans. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disable | +| 1 | Enable | + + + + + + + + + +### Configuration/EngineUpdatesChannel + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/EngineUpdatesChannel +``` + + + +Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. | +| 2 | Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. | +| 3 | Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. | +| 4 | Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). | +| 5 | Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). | +| 6 | Critical - Time delay: Devices will be offered updates with a 48-hour delay. Suggested for critical environments only. | + + + + + + + + + +### Configuration/ExcludedIpAddresses + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/ExcludedIpAddresses +``` + + + +This node contains a list of values specifying any IP addresses that wdnisdrv will ignore when intercepting traffic. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `|`) | + + + + + + + + + +### Configuration/HideExclusionsFromLocalAdmins + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/HideExclusionsFromLocalAdmins +``` + + + +This policy setting controls whether or not exclusions are visible to local admins. For end users (that are not local admins) exclusions are not visible, whether or not this setting is enabled. + + + + +> [!NOTE] +> Applying this setting won't remove exclusions from the device registry, it will only prevent them from being applied/used. This is reflected in Get-MpPreference. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | If you enable this setting, local admins will no longer be able to see the exclusion list in Windows Security App or via PowerShell. | +| 0 | If you disable or do not configure this setting, local admins will be able to see exclusions in the Windows Security App and via PowerShell. | + + + + + + + + + +### Configuration/MeteredConnectionUpdates + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/MeteredConnectionUpdates +``` + + + +Allow managed devices to update through metered connections. Default is 0 - not allowed, 1 - allowed + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | Allowed | +| 0 (Default) | Not Allowed | + + + + + + + + + +### Configuration/PassiveRemediation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/PassiveRemediation +``` + + + +Setting to control automatic remediation for Sense scans. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Flag | Description | +|:--|:--| +| 0x1 | PASSIVE_REMEDIATION_FLAG_SENSE_AUTO_REMEDIATION: Passive Remediation Sense AutoRemediation | +| 0x2 | PASSIVE_REMEDIATION_FLAG_RTP_AUDIT: Passive Remediation Realtime Protection Audit | +| 0x4 | PASSIVE_REMEDIATION_FLAG_RTP_REMEDIATION: Passive Remediation Realtime Protection Remediation | + + + + + + + + + +### Configuration/PauseUpdateExpirationTime + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/PauseUpdateExpirationTime +``` + + + +Pause update until the UTC time in ISO string format without milliseconds, for example, 2022-02-24T00:03:59Z. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### Configuration/PauseUpdateFlag + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/PauseUpdateFlag +``` + + + +Setting to control automatic remediation for Sense scans. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Update not paused | +| 1 | Update paused | + + + + + + + + + +### Configuration/PauseUpdateStartTime + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/PauseUpdateStartTime +``` + + + +Pause update from the UTC time in ISO string format without milliseconds, for example, 2022-02-24T00:03:59Z. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### Configuration/PlatformUpdatesChannel + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/PlatformUpdatesChannel +``` + + + +Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. | +| 2 | Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. | +| 3 | Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. | +| 4 | Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). | +| 5 | Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). | +| 6 | Critical - Time delay: Devices will be offered updates with a 48-hour delay. Suggested for critical environments only. | + + + + + + + + + +### Configuration/SchedulerRandomizationTime + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/SchedulerRandomizationTime +``` + + + +This setting allows you to configure the scheduler randomization in hours. The randomization interval is [1 - 23] hours. For more information on the randomization effect please check the RandomizeScheduleTaskTimes setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[1-23]` | +| Default Value | 4 | + + + + + + + + + +### Configuration/SecurityIntelligenceUpdatesChannel + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/SecurityIntelligenceUpdatesChannel +``` + + + +Enable this policy to specify when devices receive Microsoft Defender security intelligence updates during the daily gradual rollout. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. | +| 4 | Current Channel (Staged): Devices will be offered updates after the release cycle. Suggested to apply to a small, representative part of production population (~10%). | +| 5 | Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). | + + + + + + + + + +### Configuration/SupportLogLocation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/SupportLogLocation +``` + + + +The support log location setting allows the administrator to specify where the Microsoft Defender Antivirus diagnostic data collection tool (MpCmdRun.exe) will save the resulting log files. This setting is configured with an MDM solution, such as Intune, and is available for Windows 10 Enterprise. + + + + +Intune Support Log Location setting UI supports three states: + +- Not configured (default) - Doesn't have any impact on the default state of the device. +- 1 - Enabled. Enables the Support log location feature. Requires admin to set custom file path. +- 0 - Disabled. Turns off the Support log location feature. + +When enabled or disabled exists on the client and admin moves the setting to not configured, it won't have any impact on the device state. To change the state to either enabled or disabled would require to be set explicitly. + +More details: + +- [Microsoft Defender Antivirus diagnostic data](/microsoft-365/security/defender-endpoint/collect-diagnostic-data) +- [Collect investigation package from devices](/microsoft-365/security/defender-endpoint/respond-machine-alerts#collect-investigation-package-from-devices) + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### Configuration/TamperProtection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/TamperProtection +``` + + + +Tamper protection helps protect important security features from unwanted changes and interference. This includes real-time protection, behavior monitoring, and more. Accepts signed string to turn the feature on or off. Settings are configured with an MDM solution, such as Intune and is available in Windows 10 Enterprise E5 or equivalent subscriptions. Send off blob to device to reset tamper protection state before setting this configuration to "not configured" or "unassigned" in Intune. The data type is a Signed blob. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +### Configuration/TDTFeatureEnabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/TDTFeatureEnabled +``` + + + +This policy setting configures the integration level for Intel TDT integration for Intel TDT-capable devices. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | If you do not configure this setting, the default value will be applied. The default value is set to control by signatures. TDT will be enabled based on particular signatures that are released by Microsoft. | +| 2 | If you configure this setting to disabled, Intel TDT integration will be turned off. | + + + + + + + + + +### Configuration/ThrottleForScheduledScanOnly + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/ThrottleForScheduledScanOnly +``` + + + +A CPU usage limit can be applied to scheduled scans only, or to scheduled and custom scans. The default value applies a CPU usage limit to scheduled scans only. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 (Default) | If you enable this setting, CPU throttling will apply only to scheduled scans. | +| 0 | If you disable this setting, CPU throttling will apply to scheduled and custom scans. | + + + + + + + + + +## Detections + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Detections +``` + + + An interior node to group all threats detected by Windows Defender. + -Supported operation is Get. + + + -**Detections/***ThreatId* + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### Detections/{ThreatId} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Detections/{ThreatId} +``` + + + The ID of a threat that has been detected by Windows Defender. + -Supported operation is Get. + + + -**Detections/*ThreatId*/Name** -The name of the specific threat. + +**Description framework properties**: -The data type is a string. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | +| Dynamic Node Naming | ClientInventory | + -Supported operation is Get. + + + -**Detections/*ThreatId*/URL** -URL link for more threat information. + -The data type is a string. + +#### Detections/{ThreatId}/Category -Supported operation is Get. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -**Detections/*ThreatId*/Severity** -Threat severity ID. + +```Device +./Device/Vendor/MSFT/Defender/Detections/{ThreatId}/Category +``` + -The data type is integer. + +Threat category ID. Supported values: -The following list shows the supported values: +| Value | Description | +|:--|:--| +| 0 | Invalid | +| 1 | Adware | +| 2 | Spyware | +| 3 | Password stealer | +| 4 | Trojan downloader | +| 5 | Worm | +| 6 | Backdoor | +| 7 | Remote access Trojan | +| 8 | Trojan | +| 9 | Email flooder | +| 10 | Keylogger | +| 11 | Dialer | +| 12 | Monitoring software | +| 13 | Browser modifier | +| 14 | Cookie | +| 15 | Browser plugin | +| 16 | AOL exploit | +| 17 | Nuker | +| 18 | Security disabler | +| 19 | Joke program | +| 20 | Hostile ActiveX control | +| 21 | Software bundler | +| 22 | Stealth modifier | +| 23 | Settings modifier | +| 24 | Toolbar | +| 25 | Remote control software | +| 26 | Trojan FTP | +| 27 | Potential unwanted software | +| 28 | ICQ exploit | +| 29 | Trojan telnet | +| 30 | Exploit | +| 31 | File sharing program | +| 32 | Malware creation tool | +| 33 | Remote control software | +| 34 | Tool | +| 36 | Trojan denial of service | +| 37 | Trojan dropper | +| 38 | Trojan mass mailer | +| 39 | Trojan monitoring software | +| 40 | Trojan proxy server | +| 42 | Virus | +| 43 | Known | +| 44 | Unknown | +| 45 | SPP | +| 46 | Behavior | +| 47 | Vulnerability | +| 48 | Policy | +| 49 | EUS (Enterprise Unwanted Software) | +| 50 | Ransomware | +| 51 | ASR Rule | + -- 0 = Unknown -- 1 = Low -- 2 = Moderate -- 4 = High -- 5 = Severe + + + -Supported operation is Get. + +**Description framework properties**: -**Detections/*ThreatId*/Category** -Threat category ID. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + -The data type is integer. + + + -The following table describes the supported values: -

    + -| Value | Description | -|-------|-----------------------------| -| 0 | Invalid | -| 1 | Adware | -| 2 | Spyware | -| 3 | Password stealer | -| 4 | Trojan downloader | -| 5 | Worm | -| 6 | Backdoor | -| 7 | Remote access Trojan | -| 8 | Trojan | -| 9 | Email flooder | -| 10 | Key logger | -| 11 | Dialer | -| 12 | Monitoring software | -| 13 | Browser modifier | -| 14 | Cookie | -| 15 | Browser plugin | -| 16 | AOL exploit | -| 17 | Nuker | -| 18 | Security disabler | -| 19 | Joke program | -| 20 | Hostile ActiveX control | -| 21 | Software bundler | -| 22 | Stealth modifier | -| 23 | Settings modifier | -| 24 | Toolbar | -| 25 | Remote control software | -| 26 | Trojan FTP | -| 27 | Potential unwanted software | -| 28 | ICQ exploit | -| 29 | Trojan telnet | -| 30 | Exploit | -| 31 | File sharing program | -| 32 | Malware creation tool | -| 33 | Remote control software | -| 34 | Tool | -| 36 | Trojan denial of service | -| 37 | Trojan dropper | -| 38 | Trojan mass mailer | -| 39 | Trojan monitoring software | -| 40 | Trojan proxy server | -| 42 | Virus | -| 43 | Known | -| 44 | Unknown | -| 45 | SPP | -| 46 | Behavior | -| 47 | Vulnerability | -| 48 | Policy | -| 49 | EUS (Enterprise Unwanted Software)| -| 50 | Ransomware | -| 51 | ASR Rule | + +#### Detections/{ThreatId}/CurrentStatus -Supported operation is Get. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -**Detections/*ThreatId*/CurrentStatus** -Information about the current status of the threat. + +```Device +./Device/Vendor/MSFT/Defender/Detections/{ThreatId}/CurrentStatus +``` + -The data type is integer. + +Information about the current status of the threat. The following list shows the supported values: -The following list shows the supported values: +| Value | Description | +|:--|:--| +| 0 | Active | +| 1 | Action failed | +| 2 | Manual steps required | +| 3 | Full scan required | +| 4 | Reboot required | +| 5 | Remediated with noncritical failures | +| 6 | Quarantined | +| 7 | Removed | +| 8 | Cleaned | +| 9 | Allowed | +| 10 | No Status ( Cleared) | + -- 0 = Active -- 1 = Action failed -- 2 = Manual steps required -- 3 = Full scan required -- 4 = Reboot required -- 5 = Remediated with noncritical failures -- 6 = Quarantined -- 7 = Removed -- 8 = Cleaned -- 9 = Allowed -- 10 = No Status (Cleared) + + + -Supported operation is Get. + +**Description framework properties**: -**Detections/*ThreatId*/CurrentStatus** -Information about the current status of the threat. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + -The data type is integer. + + + -The following list shows the supported values: + -- 0 = Active -- 1 = Action failed -- 2 = Manual steps required -- 3 = Full scan required -- 4 = Reboot required -- 5 = Remediated with noncritical failures -- 6 = Quarantined -- 7 = Removed -- 8 = Cleaned -- 9 = Allowed -- 10 = No Status (Cleared) + +#### Detections/{ThreatId}/ExecutionStatus -Supported operation is Get. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -**Detections/*ThreatId*/ExecutionStatus** + +```Device +./Device/Vendor/MSFT/Defender/Detections/{ThreatId}/ExecutionStatus +``` + + + Information about the execution status of the threat. + -The data type is integer. + + + -The following list shows the supported values: + +**Description framework properties**: -- 0 = Unknown -- 1 = Blocked -- 2 = Allowed -- 3 = Running -- 4 = Not running +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + -Supported operation is Get. + + + -**Detections/*ThreatId*/InitialDetectionTime** + + + +#### Detections/{ThreatId}/InitialDetectionTime + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Detections/{ThreatId}/InitialDetectionTime +``` + + + The first time this particular threat was detected. + -The data type is a string. + + + -Supported operation is Get. + +**Description framework properties**: -**Detections/*ThreatId*/LastThreatStatusChangeTime** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Detections/{ThreatId}/LastThreatStatusChangeTime + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Detections/{ThreatId}/LastThreatStatusChangeTime +``` + + + The last time this particular threat was changed. + -The data type is a string. + + + -Supported operation is Get. + +**Description framework properties**: -**Detections/*ThreatId*/NumberOfDetections** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Detections/{ThreatId}/Name + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Detections/{ThreatId}/Name +``` + + + +The name of the specific threat. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Detections/{ThreatId}/NumberOfDetections + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Detections/{ThreatId}/NumberOfDetections +``` + + + Number of times this threat has been detected on a particular client. + -The data type is integer. + + + -Supported operation is Get. + +**Description framework properties**: -**EnableNetworkProtection** +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + -The Network Protection Service is a network filter that helps to protect you against web-based malicious threats, including phishing and malware. The Network Protection service contacts the SmartScreen URL reputation service to validate the safety of connections to web resources. -The acceptable values for this parameter are: -- 0: Disabled. The Network Protection service won't block navigation to malicious websites, or contact the SmartScreen URL reputation service. It will still send connection metadata to the antimalware engine if behavior monitoring is enabled, to enhance AV Detections. -- 1: Enabled. The Network Protection service will block connections to malicious websites based on URL Reputation from the SmartScreen URL reputation service. -- 2: AuditMode. As above, but the Network Protection service won't block connections to malicious websites, but will instead log the access to the event log. + + + -Accepted values: Disabled, Enabled, and AuditMode -Position: Named -Default value: Disabled -Accept pipeline input: False -Accept wildcard characters: False + -**EnableNetworkProtection/AllowNetworkProtectionDownLevel** + +#### Detections/{ThreatId}/Severity -By default, network protection isn't allowed to be enabled on Windows versions before 1709, regardless of the setting of the EnableNetworkProtection configuration. Set this configuration to "$true" to override that behavior and allow Network Protection to be set to Enabled or Audit Mode. -- Type: Boolean -- Position: Named -- Default value: False -- Accept pipeline input: False -- Accept wildcard characters: False + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -**EnableNetworkProtection/AllowNetworkProtectionOnWinServer** + +```Device +./Device/Vendor/MSFT/Defender/Detections/{ThreatId}/Severity +``` + -By default, network protection isn't allowed to be enabled on Windows Server, regardless of the setting of the EnableNetworkProtection configuration. Set this configuration to "$true" to override that behavior and allow Network Protection to be set to Enabled or Audit Mode. + +Threat severity ID. The following list shows the supported values: -- Type: Boolean -- Position: Named -- Default value: False -- Accept pipeline input: False -- Accept wildcard characters: False +| Value | Description | +|:--|:--| +| 0 | Unknown | +| 1 | Low | +| 2 | Moderate | +| 4 | High | +| 5 | Severe | + -**EnableNetworkProtection/DisableNetworkProtectionPerfTelemetry** + + + -Network Protection sends up anonymized performance statistics about its connection monitoring to improve our product and help to find bugs. You can disable this behavior by setting this configuration to "$true". + +**Description framework properties**: -- Type: Boolean -- Position: Named -- Default value: False -- Accept pipeline input: False -- Accept wildcard characters: False +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + -**EnableNetworkProtection/DisableDatagramProcessing** + + + -Network Protection inspects UDP connections allowing us to find malicious DNS or other UDP Traffic. To disable this functionality, set this configuration to "$true". + -- Type: Boolean -- Position: Named -- Default value: False -- Accept pipeline input: False -- Accept wildcard characters: False + +#### Detections/{ThreatId}/URL -**EnableNetworkProtection/DisableInboundConnectionFiltering** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Network Protection inspects and can block both connections that originate from the host machine, and those connections that originate from outside the machine. To have network connection to inspect only outbound connections, set this configuration to "$true". + +```Device +./Device/Vendor/MSFT/Defender/Detections/{ThreatId}/URL +``` + -- Type: Boolean -- Position: Named -- Default value: False -- Accept pipeline input: False -- Accept wildcard characters: False + +URL link for additional threat information. + -**EnableNetworkProtection/EnableDnsSinkhole** + + + -Network Protection can inspect the DNS traffic of a machine and, in conjunction with behavior monitoring, detect and sink hole DNS exfiltration attempts and other DNS-based malicious attacks. Set this configuration to "$true" to enable this feature. + +**Description framework properties**: -- Type: Boolean -- Position: Named -- Default value: False -- Accept pipeline input: False -- Accept wildcard characters: False +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + -**EnableNetworkProtection/DisableDnsOverTcpParsing** + + + -Network Protection inspects DNS traffic that occurs over a TCP channel, to provide metadata for Anti-malware Behavior Monitoring or to allow for DNS sink holing if the -EnableDnsSinkhole configuration is set. This attribute can be disabled by setting this value to "$true". + -- Type: Boolean -- Position: Named -- Default value: False -- Accept pipeline input: False -- Accept wildcard characters: False + +## Health -**EnableNetworkProtection/DisableDnsParsing** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Network Protection inspects DNS traffic that occurs over a UDP channel, to provide metadata for Anti-malware Behavior Monitoring or to allow for DNS sink holing if the -EnableDnsSinkhole configuration is set. This attribute can be disabled by setting this value to "$true". + +```Device +./Device/Vendor/MSFT/Defender/Health +``` + -- Type: Boolean -- Position: Named -- Default value: False -- Accept pipeline input: False -- Accept wildcard characters: False - -**EnableNetworkProtection/DisableHttpParsing** - -Network Protection inspects HTTP traffic to see if a connection is being made to a malicious website, and to provide metadata to Behavior Monitoring. HTTP connections to malicious websites can also be blocked if Enable Network Protection is set to enabled. HTTP inspection can be disabled by setting this value to "$true". - -- Type: Boolean -- Position: Named -- Default value: False -- Accept pipeline input: False -- Accept wildcard characters: False - -**EnableNetworkProtection/DisableRdpParsing** - -Network Protection inspects RDP traffic so that it can block connections from known malicious hosts if Enable Network Protection is set to be enabled, and to provide metadata to behavior monitoring. RDP inspection can be disabled by setting this value to "$true". - -- Type: Boolean -- Position: Named -- Default value: False -- Accept pipeline input: False -- Accept wildcard characters: False - -**EnableNetworkProtection/DisableSshParsing** - -Network Protection inspects SSH traffic, so that it can block connections from known malicious hosts. If Enable Network Protection is set to be enabled, and to provide metadata to behavior monitoring. SSH inspection can be disabled by setting this value to "$true". - -- Type: Boolean -- Position: Named -- Default value: False -- Accept pipeline input: False -- Accept wildcard characters: False - -**EnableNetworkProtection/DisableTlsParsing** - -Network Protection inspects TLS traffic (also known as HTTPS traffic) to see if a connection is being made to a malicious website, and to provide metadata to Behavior Monitoring. TLS connections to malicious websites can also be blocked if Enable Network Protection is set to enabled. HTTP inspection can be disabled by setting this value to "$true". - -- Type: Boolean -- Position: Named -- Default value: False -- Accept pipeline input: False -- Accept wildcard characters: False - -**Health** + An interior node to group information about Windows Defender health status. + -Supported operation is Get. + + + -**Health/ProductStatus** -Added in Windows 10, version 1809. Provide the current state of the product. This value is a bitmask flag value that can represent one or multiple product states from below list. + +**Description framework properties**: -The data type is integer. Supported operation is Get. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -Supported product status values: -- No status = 0 -- Service not running = 1 << 0 -- Service started without any malware protection engine = 1 << 1 -- Pending full scan due to threat action = 1 << 2 -- Pending reboot due to threat action = 1 << 3 -- ending manual steps due to threat action = 1 << 4 -- AV signatures out of date = 1 << 5 -- AS signatures out of date = 1 << 6 -- No quick scan has happened for a specified period = 1 << 7 -- No full scan has happened for a specified period = 1 << 8 -- System initiated scan in progress = 1 << 9 -- System initiated clean in progress = 1 << 10 -- There are samples pending submission = 1 << 11 -- Product running in evaluation mode = 1 << 12 -- Product running in non-genuine Windows mode = 1 << 13 -- Product expired = 1 << 14 -- Off-line scan required = 1 << 15 -- Service is shutting down as part of system shutdown = 1 << 16 -- Threat remediation failed critically = 1 << 17 -- Threat remediation failed non-critically = 1 << 18 -- No status flags set (well-initialized state) = 1 << 19 -- Platform is out of date = 1 << 20 -- Platform update is in progress = 1 << 21 -- Platform is about to be outdated = 1 << 22 -- Signature or platform end of life is past or is impending = 1 << 23 -- Windows SMode signatures still in use on non-Win10S install = 1 << 24 + + + -Example: + + + +### Health/ComputerState + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Health/ComputerState +``` + + + +Provide the current state of the device. The following list shows the supported values: + +| Value | Description | +|:--|:--| +| 0 | Clean | +| 1 | Pending full scan | +| 2 | Pending reboot | +| 4 | Pending manual steps (Windows Defender is waiting for the user to take some action, such as restarting the computer or running a full scan) | +| 8 | Pending offline scan | +| 16 | Pending critical failure (Windows Defender has failed critically and an Administrator needs to investigate and take some action, such as restarting the computer or reinstalling Windows Defender) | + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +### Health/DefenderEnabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Health/DefenderEnabled +``` + + + +Indicates whether the Windows Defender service is running. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get | + + + + + + + + + +### Health/DefenderVersion + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Health/DefenderVersion +``` + + + +Version number of Windows Defender on the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +### Health/EngineVersion + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Health/EngineVersion +``` + + + +Version number of the current Windows Defender engine on the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +### Health/FullScanOverdue + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Health/FullScanOverdue +``` + + + +Indicates whether a Windows Defender full scan is overdue for the device. A Full scan is overdue when a scheduled Full scan did not complete successfully for 2 weeks and catchup Full scans are disabled (default). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get | + + + + + + + + + +### Health/FullScanRequired + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Health/FullScanRequired +``` + + + +Indicates whether a Windows Defender full scan is required. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get | + + + + + + + + + +### Health/FullScanSigVersion + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Health/FullScanSigVersion +``` + + + +Signature version used for the last full scan of the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +### Health/FullScanTime + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Health/FullScanTime +``` + + + +Time of the last Windows Defender full scan of the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +### Health/IsVirtualMachine + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Health/IsVirtualMachine +``` + + + +Indicates whether the device is a virtual machine. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get | + + + + + + + + + +### Health/NisEnabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Health/NisEnabled +``` + + + +Indicates whether network protection is running. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get | + + + + + + + + + +### Health/ProductStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Health/ProductStatus +``` + + + +Provide the current state of the product. This is a bitmask flag value that can represent one or multiple product states from below list. Supported product status values: + +| Value | Description | +|:--|:--| +| 0 | No status | +| 1 (1 << 0) | Service not running | +| 2 (1 << 1) | Service started without any malware protection engine | +| 4 (1 << 2) | Pending full scan due to threat action | +| 8 (1 << 3) | Pending reboot due to threat action | +| 16 (1 << 4) | ending manual steps due to threat action | +| 32 (1 << 5) | AV signatures out of date | +| 64 (1 << 6) | AS signatures out of date | +| 128 (1 << 7) | No quick scan has happened for a specified period | +| 256 (1 << 8) | No full scan has happened for a specified period | +| 512 (1 << 9) | System initiated scan in progress | +| 1024 (1 << 10) | System initiated clean in progress | +| 2048 (1 << 11) | There are samples pending submission | +| 4096 (1 << 12) | Product running in evaluation mode | +| 8192 (1 << 13) | Product running in non-genuine Windows mode | +| 16384 (1 << 14) | Product expired | +| 32768 (1 << 15) | Off-line scan required | +| 65536 (1 << 16) | Service is shutting down as part of system shutdown | +| 131072 (1 << 17) | Threat remediation failed critically | +| 262144 (1 << 18) | Threat remediation failed non-critically | +| 524288 (1 << 19) | No status flags set (well initialized state) | +| 1048576 (1 << 20) | Platform is out of date | +| 2097152 (1 << 21) | Platform update is in progress | +| 4194304 (1 << 22) | Platform is about to be outdated | +| 8388608 (1 << 23) | Signature or platform end of life is past or is impending | +| 16777216 (1 << 24) | Windows SMode signatures still in use on non-Win10S install | + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + +**Example**: ```xml @@ -456,421 +3111,522 @@ Example: ``` + -**Health/ComputerState** -Provide the current state of the device. + -The data type is integer. + +### Health/QuickScanOverdue -The following list shows the supported values: + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -- 0 = Clean -- 1 = Pending full scan -- 2 = Pending reboot -- 4 = Pending manual steps (Windows Defender is waiting for the user to take some action, such as restarting the computer or running a full scan) -- 8 = Pending offline scan -- 16 = Pending critical failure (Windows Defender has failed critically and an Administrator needs to investigate and take some action, such as restarting the computer or reinstalling Windows Defender) + +```Device +./Device/Vendor/MSFT/Defender/Health/QuickScanOverdue +``` + -Supported operation is Get. + +Indicates whether a Windows Defender quick scan is overdue for the device. A Quick scan is overdue when a scheduled Quick scan did not complete successfully for 2 weeks and catchup Quick scans are disabled (default). + -**Health/DefenderEnabled** -Indicates whether the Windows Defender service is running. + + + -The data type is a Boolean. + +**Description framework properties**: -Supported operation is Get. +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get | + -**Health/RtpEnabled** -Indicates whether real-time protection is running. + + + -The data type is a Boolean. + -Supported operation is Get. + +### Health/QuickScanSigVersion -**Health/NisEnabled** -Indicates whether network protection is running. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -The data type is a Boolean. + +```Device +./Device/Vendor/MSFT/Defender/Health/QuickScanSigVersion +``` + -Supported operation is Get. - -**Health/QuickScanOverdue** -Indicates whether a Windows Defender quick scan is overdue for the device. - -A Quick scan is overdue when a scheduled Quick scan didn't complete successfully for 2 weeks and [catchup Quick scans](./policy-csp-defender.md#defender-disablecatchupquickscan) are disabled (default). - -The data type is a Boolean. - -Supported operation is Get. - -**Health/FullScanOverdue** -Indicates whether a Windows Defender full scan is overdue for the device. - -A Full scan is overdue when a scheduled Full scan didn't complete successfully for 2 weeks and [catchup Full scans](./policy-csp-defender.md#defender-disablecatchupfullscan) are disabled (default). - -The data type is a Boolean. - -Supported operation is Get. - -**Health/SignatureOutOfDate** -Indicates whether the Windows Defender signature is outdated. - -The data type is a Boolean. - -Supported operation is Get. - -**Health/RebootRequired** -Indicates whether a device reboot is needed. - -The data type is a Boolean. - -Supported operation is Get. - -**Health/FullScanRequired** -Indicates whether a Windows Defender full scan is required. - -The data type is a Boolean. - -Supported operation is Get. - -**Health/EngineVersion** -Version number of the current Windows Defender engine on the device. - -The data type is a string. - -Supported operation is Get. - -**Health/SignatureVersion** -Version number of the current Windows Defender signatures on the device. - -The data type is a string. - -Supported operation is Get. - -**Health/DefenderVersion** -Version number of Windows Defender on the device. - -The data type is a string. - -Supported operation is Get. - -**Health/QuickScanTime** -Time of the last Windows Defender quick scan of the device. - -The data type is a string. - -Supported operation is Get. - -**Health/FullScanTime** -Time of the last Windows Defender full scan of the device. - -The data type is a string. - -Supported operation is Get. - -**Health/QuickScanSigVersion** + Signature version used for the last quick scan of the device. + -The data type is a string. + + + -Supported operation is Get. - -**Health/FullScanSigVersion** -Signature version used for the last full scan of the device. - -The data type is a string. - -Supported operation is Get. - -**Health/TamperProtectionEnabled** -Indicates whether the Windows Defender tamper protection feature is enabled.​ - -The data type is a Boolean. - -Supported operation is Get. - -**Health/IsVirtualMachine** -Indicates whether the device is a virtual machine. - -The data type is a string. - -Supported operation is Get. - -**Configuration** -An interior node to group Windows Defender configuration information. - -Supported operation is Get. - -**Configuration/TamperProtection** - -Tamper protection helps protect important security features from unwanted changes and interference. This protection includes real-time protection, behavior monitoring, and more. Accepts signed string to turn the feature on or off. Settings are configured with an MDM solution, such as Intune and is available in Windows 10 Enterprise E5 or equivalent subscriptions. - - -Send off blob to device to reset the tamper protection state before setting this configuration to "not configured" or "unassigned" in Intune. - -The data type is a Signed BLOB. - -Supported operations are Add, Delete, Get, Replace. - -Intune tamper protection setting UX supports three states: -- Not configured (default): Doesn't have any impact on the default state of the device. -- Enabled: Enables the tamper protection feature. -- Disabled: Turns off the tamper protection feature. - -When enabled or disabled exists on the client and admin moves the setting to not configured, it won't have any impact on the device state. To change the state to either enabled or disabled would require to be set explicitly. - -**Configuration/DisableLocalAdminMerge**
    -This policy setting controls whether or not complex list settings configured by a local administrator are merged with managed settings. This setting applies to lists such as threats and exclusion list. - -If you disable or don't configure this setting, unique items defined in preference settings configured by the local administrator will be merged into the resulting effective policy. If conflicts occur, management settings will override preference settings. - -If you enable this setting, only items defined by management will be used in the resulting effective policy. Managed settings will override preference settings configured by the local administrator. - -> [!NOTE] -> Applying this setting won't remove exclusions from the device registry, it will only prevent them from being applied/used. This is reflected in **Get-MpPreference**. - -Supported OS versions: Windows 10 - -The data type is integer. - -Supported operations are Add, Delete, Get, Replace. - -Valid values are: -- 1 – Enable. -- 0 (default) – Disable. - -**Configuration/HideExclusionsFromLocalAdmins**
    - -This policy setting controls whether or not exclusions are visible to Local Admins. For end users (that aren't Local Admins) exclusions aren't visible, whether or not this setting is enabled. - -If you disable or don't configure this setting, Local Admins will be able to see exclusions in the Windows Security App, in the registry, and via PowerShell. - -If you enable this setting, Local Admins will no longer be able to see the exclusion list in the Windows Security app, in the registry, or via PowerShell. - -> [!NOTE] -> Applying this setting won't remove exclusions, it will only prevent them from being visible to Local Admins. This is reflected in **Get-MpPreference**. - -Supported OS versions: Windows 10 - -The data type is integer. - -Supported operations are Add, Delete, Get, and Replace. - -Valid values are: -- 1 – Enable. -- 0 (default) – Disable. - -**Configuration/DisableCpuThrottleOnIdleScans**
    - -Indicates whether the CPU will be throttled for scheduled scans while the device is idle. This feature is enabled by default and won't throttle the CPU for scheduled scans performed when the device is otherwise idle, regardless of what ScanAvgCPULoadFactor is set to. For all other scheduled scans, this flag will have no impact and normal throttling will occur. - -The data type is integer. - -Supported operations are Add, Delete, Get, and Replace. - -Valid values are: -- 1 (default) – Enable. -- 0 – Disable. - -**Configuration/MeteredConnectionUpdates**
    -Allow managed devices to update through metered connections. Data charges may apply. - -The data type is integer. - -Supported operations are Add, Delete, Get, and Replace. - -Valid values are: -- 1 – Enable. -- 0 (default) – Disable. - -**Configuration/AllowNetworkProtectionOnWinServer**
    -This settings controls whether Network Protection is allowed to be configured into block or audit mode on Windows Server. If false, the value of EnableNetworkProtection will be ignored. - -The data type is integer. - -Supported operations are Add, Delete, Get, and Replace. - -Valid values are: -- 1 – Enable. -- 0 (default) – Disable. - -**Configuration/ExclusionIpAddress**
    -Allows an administrator to explicitly disable network packet inspection made by wdnisdrv on a particular set of IP addresses. - -The data type is string. - -Supported operations are Add, Delete, Get, and Replace. - -**Configuration/EnableFileHashComputation** -Enables or disables file hash computation feature. -When this feature is enabled, Windows Defender will compute hashes for files it scans. - -The data type is integer. - -Supported operations are Add, Delete, Get, and Replace. - -Valid values are: -- 1 – Enable. -- 0 (default) – Disable. - -**Configuration/SupportLogLocation** -The support log location setting allows the administrator to specify where the Microsoft Defender Antivirus diagnostic data collection tool (**MpCmdRun.exe**) will save the resulting log files. This setting is configured with an MDM solution, such as Intune, and is available for Windows 10 Enterprise. - -Data type is string. - -Supported operations are Add, Delete, Get, and Replace. - -Intune Support log location setting UX supports three states: - -- Not configured (default) - Doesn't have any impact on the default state of the device. -- 1 - Enabled. Enables the Support log location feature. Requires admin to set custom file path. -- 0 - Disabled. Turns off the Support log location feature. - -When enabled or disabled exists on the client and admin moves the setting to not configured, it won't have any impact on the device state. To change the state to either enabled or disabled would require to be set explicitly. - -More details: - -- [Microsoft Defender Antivirus diagnostic data](/microsoft-365/security/defender-endpoint/collect-diagnostic-data) -- [Collect investigation package from devices](/microsoft-365/security/defender-endpoint/respond-machine-alerts#collect-investigation-package-from-devices) - -**Configuration/PlatformUpdatesChannel** -Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout. - -Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. - -Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. - -Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested applying to a small, representative part of your production population (~10%). - -Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). - -Critical: Devices will be offered updates with a 48-hour delay. Suggested for critical environments only - -If you disable or don't configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices. - -The data type is integer. - -Supported operations are Add, Delete, Get, and Replace. - -Valid values are: -- 0: Not configured (Default) -- 2: Beta Channel - Prerelease -- 3: Current Channel (Preview) -- 4: Current Channel (Staged) -- 5: Current Channel (Broad) -- 6: Critical- Time Delay - - -More details: - -- [Manage the gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/manage-gradual-rollout) -- [Create a custom gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/configure-updates) - -**Configuration/EngineUpdatesChannel** -Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout. - -Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. - -Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. - -Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested applying to a small, representative part of your production population (~10%). - -Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). - -Critical: Devices will be offered updates with a 48-hour delay. Suggested for critical environments only - -If you disable or don't configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices. - -The data type is integer. - -Supported operations are Add, Delete, Get, and Replace. - -Valid values are: -- 0: Not configured (Default) -- 2: Beta Channel - Prerelease -- 3: Current Channel (Preview) -- 4: Current Channel (Staged) -- 5: Current Channel (Broad) -- 6: Critical- Time Delay - -More details: - -- [Manage the gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/manage-gradual-rollout) -- [Create a custom gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/configure-updates) - -**Configuration/SecurityIntelligenceUpdatesChannel** -Enable this policy to specify when devices receive daily Microsoft Defender security intelligence (definition) updates during the daily gradual rollout. - -Current Channel (Staged): Devices will be offered updates after the release cycle. Suggested to apply to a small, representative part of production population (~10%). - -Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). - -If you disable or don't configure this policy, the device will stay up to date automatically during the daily release cycle. Suitable for most devices. - -The data type is integer. -Supported operations are Add, Delete, Get, and Replace. - -Valid Values are: -- 0: Not configured (Default) -- 4: Current Channel (Staged) -- 5: Current Channel (Broad) - -More details: - -- [Manage the gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/manage-gradual-rollout) -- [Create a custom gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/configure-updates) - -**Configuration/DisableGradualRelease** -Enable this policy to disable gradual rollout of monthly and daily Microsoft Defender updates. -Devices will be offered all Microsoft Defender updates after the gradual release cycle completes. This facility for devices is best for datacenters that only receive limited updates. - -> [!NOTE] -> This setting applies to both monthly as well as daily Microsoft Defender updates and will override any previously configured channel selections for platform and engine updates. - -If you disable or don't configure this policy, the device will remain in Current Channel (Default) unless specified otherwise in specific channels for platform and engine updates. Stay up to date automatically during the gradual release cycle. Suitable for most devices. - -The data type is integer. - -Supported operations are Add, Delete, Get, and Replace. - -Valid values are: -- 1 – Enabled. -- 0 (default) – Not Configured. - -More details: - -- [Manage the gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/manage-gradual-rollout) -- [Create a custom gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/configure-updates) - -**Configuration/PassiveRemediation** -This policy setting enables or disables EDR in block mode (recommended for devices running Microsoft Defender Antivirus in passive mode). For more information, see Endpoint detection and response in block mode | Microsoft Docs. Available with platform release: 4.18.2202.X - -The data type is integer - -Supported values: -- 1: Turn EDR in block mode on -- 0: Turn EDR in block mode off - - -**Scan** + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +### Health/QuickScanTime + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Health/QuickScanTime +``` + + + +Time of the last Windows Defender quick scan of the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +### Health/RebootRequired + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Health/RebootRequired +``` + + + +Indicates whether a device reboot is needed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get | + + + + + + + + + +### Health/RtpEnabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Health/RtpEnabled +``` + + + +Indicates whether real-time protection is running. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get | + + + + + + + + + +### Health/SignatureOutOfDate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Health/SignatureOutOfDate +``` + + + +Indicates whether the Windows Defender signature is outdated. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get | + + + + + + + + + +### Health/SignatureVersion + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Health/SignatureVersion +``` + + + +Version number of the current Windows Defender signatures on the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +### Health/TamperProtectionEnabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Health/TamperProtectionEnabled +``` + + + +Indicates whether the Windows Defender tamper protection feature is enabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get | + + + + + + + + + +## OfflineScan + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/OfflineScan +``` + + + +OfflineScan action starts a Microsoft Defender Offline scan on the computer where you run the command. After the next OS reboot, the device will start in Microsoft Defender Offline mode to begin the scan. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Exec, Get | +| Reboot Behavior | ServerInitiated | + + + + + + + + + +## RollbackEngine + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/RollbackEngine +``` + + + +RollbackEngine action rolls back Microsoft Defender engine to it's last known good saved version on the computer where you run the command. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Exec, Get | +| Reboot Behavior | ServerInitiated | + + + + + + + + + +## RollbackPlatform + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/RollbackPlatform +``` + + + +RollbackPlatform action rolls back Microsoft Defender to it's last known good installation location on the computer where you run the command. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Exec, Get | +| Reboot Behavior | ServerInitiated | + + + + + + + + + +## Scan + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Scan +``` + + + Node that can be used to start a Windows Defender scan on a device. + -Valid values are: -- 1 - quick scan -- 2 - full scan + + + -Supported operations are Get and Execute. + +**Description framework properties**: -**UpdateSignature** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Exec, Get | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | quick scan | +| 2 | full scan | + + + + + + + + + +## UpdateSignature + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/UpdateSignature +``` + + + Node that can be used to perform signature updates for Windows Defender. + -Supported operations are Get and Execute. + + + -**OfflineScan** -Added in Windows 10, version 1803. OfflineScan action starts a Microsoft Defender Offline scan on the computer where you run the command. After the next OS reboot, the device will start in Microsoft Defender Offline mode to begin the scan. + +**Description framework properties**: -Supported operations are Get and Execute. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Exec, Get | + -## See also + + + -[Configuration service provider reference](index.yml) + + + + + + + + +## Related articles + +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/defender-ddf.md b/windows/client-management/mdm/defender-ddf.md index 03f96374f6..661c491b22 100644 --- a/windows/client-management/mdm/defender-ddf.md +++ b/windows/client-management/mdm/defender-ddf.md @@ -1,35 +1,748 @@ --- title: Defender DDF file -description: Learn how the OMA DM device description framework (DDF) for the Defender configuration service provider is used. -ms.reviewer: +description: View the XML file containing the device description framework (DDF) for the Defender configuration service provider. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 11/02/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 07/23/2021 +ms.topic: reference --- + + # Defender DDF file -This article shows the OMA DM device description framework (DDF) for the Defender configuration service provider. DDF files are used only with OMA DM provisioning XML. - -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below is the current version for this CSP. +The following XML file contains the device description framework (DDF) for the Defender configuration service provider. ```xml -]> +]> 1.2 + + + + Defender + ./Device/Vendor/MSFT + + + + + + + + + + + + + + + + + + 10.0.10586 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB; + + + + Detections + + + + + An interior node to group all threats detected by Windows Defender. + + + + + + + + + + + + + - Defender - ./Vendor/MSFT + + + + + + + The ID of a threat that has been detected by Windows Defender. + + + + + + + + + + ThreatId + + + + + + + + + Name + + + + + The name of the specific threat. + + + + + + + + + + + + + + + + URL + + + + + URL link for additional threat information. + + + + + + + + + + + + + + + + Severity + + + + + Threat severity ID. The following list shows the supported values: 0 = Unknown; 1 = Low; 2 = Moderate; 4 = High; 5 = Severe; + + + + + + + + + + + + + + + + Category + + + + + Threat category ID. Supported values: 0-Invalid; 1-Adware; 2-Spyware; 3-Password stealer; 4-Trojan downloader; 5-Worm; 6-Backdoor; 7-Remote access Trojan; 8-Trojan; 9-Email flooder; 10-Keylogger; 11-Dialer; 12-Monitoring software; 13-Browser modifier; 14-Cookie; 15-Browser plugin; 16-AOL exploit; 17-Nuker; 18-Security disabler; 19-Joke program; 20-Hostile ActiveX control; 21-Software bundler; 22-Stealth modifier; 23-Settings modifier; 24-Toolbar; 25-Remote control software; 26-Trojan FTP; 27-Potential unwanted software; 28-ICQ exploit; 29-Trojan telnet; 30-Exploit; 31-File sharing program; 32-Malware creation tool; 33-Remote control software; 34-Tool; 36-Trojan denial of service; 37-Trojan dropper; 38-Trojan mass mailer; 39-Trojan monitoring software; 40-Trojan proxy server; 42-Virus; 43-Known; 44-Unknown; 45-SPP; 46-Behavior; 47-Vulnerability; 48-Policy; 49-EUS (Enterprise Unwanted Software); 50-Ransomware; 51-ASR Rule + + + + + + + + + + + + + + + + CurrentStatus + + + + + Information about the current status of the threat. The following list shows the supported values: 0 = Active; 1 = Action failed; 2 = Manual steps required; 3 = Full scan required; 4 = Reboot required; 5 = Remediated with noncritical failures; 6 = Quarantined; 7 = Removed; 8 = Cleaned; 9 = Allowed; 10 = No Status ( Cleared) + + + + + + + + + + + + + + + + ExecutionStatus + + + + + Information about the execution status of the threat. + + + + + + + + + + + + + + + + InitialDetectionTime + + + + + The first time this particular threat was detected. + + + + + + + + + + + + + + + + LastThreatStatusChangeTime + + + + + The last time this particular threat was changed. + + + + + + + + + + + + + + + + NumberOfDetections + + + + + Number of times this threat has been detected on a particular client. + + + + + + + + + + + + + + + + + + Health + + + + + An interior node to group information about Windows Defender health status. + + + + + + + + + + + + + + + ProductStatus + + + + + + + + + + + + + + + + + + + 10.0.17763 + 1.2 + + + + + ComputerState + + + + + Provide the current state of the device. The following list shows the supported values: 0 = Clean; 1 = Pending full scan; 2 = Pending reboot; 4 = Pending manual steps (Windows Defender is waiting for the user to take some action, such as restarting the computer or running a full scan); 8 = Pending offline scan; 16 = Pending critical failure (Windows Defender has failed critically and an Administrator needs to investigate and take some action, such as restarting the computer or reinstalling Windows Defender) + + + + + + + + + + + + + + + + DefenderEnabled + + + + + Indicates whether the Windows Defender service is running. + + + + + + + + + + + + + + + + RtpEnabled + + + + + Indicates whether real-time protection is running. + + + + + + + + + + + + + + + + NisEnabled + + + + + Indicates whether network protection is running. + + + + + + + + + + + + + + + + QuickScanOverdue + + + + + Indicates whether a Windows Defender quick scan is overdue for the device. A Quick scan is overdue when a scheduled Quick scan did not complete successfully for 2 weeks and catchup Quick scans are disabled (default). + + + + + + + + + + + + + + + + FullScanOverdue + + + + + Indicates whether a Windows Defender full scan is overdue for the device. A Full scan is overdue when a scheduled Full scan did not complete successfully for 2 weeks and catchup Full scans are disabled (default). + + + + + + + + + + + + + + + + SignatureOutOfDate + + + + + Indicates whether the Windows Defender signature is outdated. + + + + + + + + + + + + + + + + RebootRequired + + + + + Indicates whether a device reboot is needed. + + + + + + + + + + + + + + + + FullScanRequired + + + + + Indicates whether a Windows Defender full scan is required. + + + + + + + + + + + + + + + + EngineVersion + + + + + Version number of the current Windows Defender engine on the device. + + + + + + + + + + + + + + + + SignatureVersion + + + + + Version number of the current Windows Defender signatures on the device. + + + + + + + + + + + + + + + + DefenderVersion + + + + + Version number of Windows Defender on the device. + + + + + + + + + + + + + + + + QuickScanTime + + + + + Time of the last Windows Defender quick scan of the device. + + + + + + + + + + + + + + + + FullScanTime + + + + + Time of the last Windows Defender full scan of the device. + + + + + + + + + + + + + + + + QuickScanSigVersion + + + + + Signature version used for the last quick scan of the device. + + + + + + + + + + + + + + + + FullScanSigVersion + + + + + Signature version used for the last full scan of the device. + + + + + + + + + + + + + + + + TamperProtectionEnabled + + + + + Indicates whether the Windows Defender tamper protection feature is enabled. + + + + + + + + + + + + + + 10.0.18362 + 1.3 + + + + + IsVirtualMachine + + + + + Indicates whether the device is a virtual machine. + + + + + + + + + + + + + + 10.0.18362 + 1.3 + + + + + + Configuration + + + + + An interior node to group Windows Defender configuration information. + + + + + + + + + + + + + + 10.0.18362 + 1.3 + + + + DeviceControl @@ -41,14 +754,18 @@ The XML below is the current version for this CSP. - + - com.microsoft/1.3/MDM/Defender + + + 10.0.17763 + 1.3 + - Detections + PolicyGroups @@ -63,14 +780,18 @@ The XML below is the current version for this CSP. - + - + + + + + @@ -81,16 +802,19 @@ The XML below is the current version for this CSP. - ThreatId + GroupId - + - Name + GroupData + + + @@ -102,174 +826,14 @@ The XML below is the current version for this CSP. - text/plain - - - - - URL - - - - - - - - - - - - - - - text/plain - - - - - Severity - - - - - - - - - - - - - - - text/plain - - - - - Category - - - - - - - - - - - - - - - text/plain - - - - - CurrentStatus - - - - - - - - - - - - - - - text/plain - - - - - ExecutionStatus - - - - - - - - - - - - - - - text/plain - - - - - InitialDetectionTime - - - - - - - - - - - - - - - text/plain - - - - - LastThreatStatusChangeTime - - - - - - - - - - - - - - - text/plain - - - - - NumberOfDetections - - - - - - - - - - - - - - - text/plain + - Health + PolicyRules @@ -284,480 +848,61 @@ The XML below is the current version for this CSP. - + - ProductStatus + + + + + - + - + + RuleId - text/plain - - - - - ComputerState - - - - - - - - - - - - - - - text/plain - - - - - DefenderEnabled - - - - - - - - - - - - - - - text/plain - - - - - RtpEnabled - - - - - - - - - - - - - - - text/plain - - - - - NisEnabled - - - - - - - - - - - - - - - text/plain - - - - - QuickScanOverdue - - - - - - - - - - - - - - - text/plain - - - - - FullScanOverdue - - - - - - - - - - - - - - - text/plain - - - - - SignatureOutOfDate - - - - - - - - - - - - - - - text/plain - - - - - RebootRequired - - - - - - - - - - - - - - - text/plain - - - - - FullScanRequired - - - - - - - - - - - - - - - text/plain - - - - - EngineVersion - - - - - - - - - - - - - - - text/plain - - - - - SignatureVersion - - - - - - - - - - - - - - - text/plain - - - - - DefenderVersion - - - - - - - - - - - - - - - text/plain - - - - - QuickScanTime - - - - - - - - - - - - - - - text/plain - - - - - FullScanTime - - - - - - - - - - - - - - - text/plain - - - - - QuickScanSigVersion - - - - - - - - - - - - - - - text/plain - - - - - FullScanSigVersion - - - - - - - - - - - - - - - text/plain - - - - - TamperProtectionEnabled - - - - - - - - - - - - - - - text/plain - - - - - IsVirtualMachine - - - - - - - - - - - - - - - text/plain + + + RuleData + + + + + + + + + + + + + + + + + + + + + - - Configuration - - - - - - - - - - - - - - - - - - - TamperProtection - - - - - - - - - - - - - - - - - - text/plain - - - - - EnableFileHashComputation - - - - - - - - - - - - - - - - - - text/plain - - - - - SupportLogLocation - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableGradualRelease + + + TamperProtection @@ -765,7 +910,34 @@ The XML below is the current version for this CSP. - Enable this policy to disable gradual rollout of Defender updates. + Tamper protection helps protect important security features from unwanted changes and interference. This includes real-time protection, behavior monitoring, and more. Accepts signed string to turn the feature on or off. Settings are configured with an MDM solution, such as Intune and is available in Windows 10 Enterprise E5 or equivalent subscriptions. Send off blob to device to reset tamper protection state before setting this configuration to "not configured" or "unassigned" in Intune. The data type is a Signed blob. + + + + + + + + + + + + + + + + + + EnableFileHashComputation + + + + + + + + 0 + Enables or disables file hash computation feature. When this feature is enabled Windows defender will compute hashes for files it scans. @@ -776,26 +948,22 @@ The XML below is the current version for this CSP. - text/plain + - - 99.9.99999 - 1.3 - - - - 1 - Gradual release is disabled - - - 0 - Gradual release is enabled - - + + + 0 + Disable + + + 1 + Enable + + - - DefinitionUpdatesChannel + + MeteredConnectionUpdates @@ -803,7 +971,8 @@ The XML below is the current version for this CSP. - Enable this policy to specify when devices receive daily Microsoft Defender definition updates during the daily gradual rollout. + 0 + Allow managed devices to update through metered connections. Default is 0 - not allowed, 1 - allowed @@ -814,30 +983,25 @@ The XML below is the current version for this CSP. - text/plain + - - 99.9.99999 - 1.3 - - - - 0 - Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. - - - 4 - Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). - - - 5 - Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). - - + + 10.0.14393 + + + + 1 + Allowed + + + 0 + Not Allowed + + - - EngineUpdatesChannel + + SupportLogLocation @@ -845,7 +1009,38 @@ The XML below is the current version for this CSP. - Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout. + The support log location setting allows the administrator to specify where the Microsoft Defender Antivirus diagnostic data collection tool (MpCmdRun.exe) will save the resulting log files. This setting is configured with an MDM solution, such as Intune, and is available for Windows 10 Enterprise. + + + + + + + + + + + + + + 10.0.14393 + 9.9 + + + + + + + AllowNetworkProtectionOnWinServer + + + + + + + + 1 + This settings controls whether Network Protection is allowed to be configured into block or audit mode on Windows Server. If false, the value of EnableNetworkProtection will be ignored. @@ -856,37 +1051,399 @@ The XML below is the current version for this CSP. - text/plain + - - 99.9.99999 - 1.3 - - - - 0 - Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. - - - 2 - Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. - - - 3 - Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. - - - 4 - Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). - - - 5 - Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). - - + + 10.0.16299 + 1.3 + + + + 1 + Allow + + + 0 + Disallow + + - + + ExcludedIpAddresses + + + + + + + + This node contains a list of values specifying any IP addresses that wdnisdrv will ignore when intercepting traffic. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + + + + + DisableCpuThrottleOnIdleScans + + + + + + + + 1 + Indicates whether the CPU will be throttled for scheduled scans while the device is idle. This feature is enabled by default and will not throttle the CPU for scheduled scans performed when the device is otherwise idle, regardless of what ScanAvgCPULoadFactor is set to. For all other scheduled scans this flag will have no impact and normal throttling will occur. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 1 + Disable CPU Throttle on idle scans + + + 0 + Enable CPU Throttle on idle scans + + + + + + DisableLocalAdminMerge + + + + + + + + When this value is set to false, it allows a local admin the ability to specify some settings for complex list type that will then merge /override the Preference settings with the Policy settings + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 1 + Disable Local Admin Merge + + + 0 + Enable Local Admin Merge + + + + + + SchedulerRandomizationTime + + + + + + + + 4 + This setting allows you to configure the scheduler randomization in hours. The randomization interval is [1 - 23] hours. For more information on the randomization effect please check the RandomizeScheduleTaskTimes setting. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + [1-23] + + + + + DisableTlsParsing + + + + + + + + 0 + This setting disables TLS Parsing for Network Protection. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 1 + TLS parsing is disabled + + + 0 + TLS parsing is enabled + + + + + + DisableFtpParsing + + + + + + + + 0 + This setting disables FTP Parsing for Network Protection. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 1 + FTP parsing is disabled + + + 0 + FTP parsing is enabled + + + + + + DisableHttpParsing + + + + + + + + 0 + This setting disables HTTP Parsing for Network Protection. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 1 + HTTP parsing is disabled + + + 0 + HTTP parsing is enabled + + + + + + DisableDnsParsing + + + + + + + + 0 + This setting disables DNS Parsing for Network Protection. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 1 + DNS parsing is disabled + + + 0 + DNS parsing is enabled + + + + + + DisableDnsOverTcpParsing + + + + + + + + 0 + This setting disables DNS over TCP Parsing for Network Protection. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 1 + DNS over TCP parsing is disabled + + + 0 + DNS over TCP parsing is enabled + + + + + + DisableSshParsing + + + + + + + + 0 + This setting disables SSH Parsing for Network Protection. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 1 + SSH parsing is disabled + + + 0 + SSH parsing is enabled + + + + + PlatformUpdatesChannel @@ -906,104 +1463,966 @@ The XML below is the current version for this CSP. - text/plain + - - 99.9.99999 - 1.3 - - - - 0 - Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. - - - 2 - Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. - - - 3 - Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. - - - 4 - Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). - - - 5 - Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). - - + + 10.0.14393 + 1.3 + + + + 0 + Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. + + + 2 + Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. + + + 3 + Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. + + + 4 + Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). + + + 5 + Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). + + + 6 + Critical - Time delay: Devices will be offered updates with a 48-hour delay. Suggested for critical environments only. + + - - - Scan - - - - - - - - - - - - - - - - text/plain - - - - - UpdateSignature - - - - - - - - - - - - - - - - text/plain - - - - - OfflineScan - - - - - - - - - - - - - - - - text/plain - - - + + EngineUpdatesChannel + + + + + + + + Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 0 + Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. + + + 2 + Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. + + + 3 + Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. + + + 4 + Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). + + + 5 + Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). + + + 6 + Critical - Time delay: Devices will be offered updates with a 48-hour delay. Suggested for critical environments only. + + + + + SecurityIntelligenceUpdatesChannel + + + + + + + + Enable this policy to specify when devices receive Microsoft Defender security intelligence updates during the daily gradual rollout. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 0 + Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. + + + 4 + Current Channel (Staged): Devices will be offered updates after the release cycle. Suggested to apply to a small, representative part of production population (~10%). + + + 5 + Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). + + + + + + DisableGradualRelease + + + + + + + + Enable this policy to disable gradual rollout of Defender updates. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 1 + Gradual release is disabled + + + 0 + Gradual release is enabled + + + + + + AllowNetworkProtectionDownLevel + + + + + + + + This settings controls whether Network Protection is allowed to be configured into block or audit mode on windows downlevel of RS3. If false, the value of EnableNetworkProtection will be ignored. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 1 + Network protection will be enabled downlevel. + + + 0 + Network protection will be disabled downlevel. + + + + + + EnableDnsSinkhole + + + + + + + + This setting enables the DNS Sinkhole feature for Network Protection, respecting the value of EnableNetworkProtection for block vs audit, does nothing in inspect mode. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 1 + DNS Sinkhole is disabled + + + 0 + DNS Sinkhole is enabled + + + + + + DisableInboundConnectionFiltering + + + + + + + + This setting disables Inbound connection filtering for Network Protection. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 1 + Inbound connection filtering is disabled + + + 0 + Inbound connection filtering is enabled + + + + + + DisableRdpParsing + + + + + + + + This setting disables RDP Parsing for Network Protection. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 1 + RDP Parsing is disabled + + + 0 + RDP Parsing is enabled + + + + + + AllowDatagramProcessingOnWinServer + + + + + + + + This settings controls whether Network Protection is allowed to enable datagram processing on Windows Server. If false, the value of DisableDatagramProcessing will be ignored and default to disabling Datagram inspection. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 1 + Datagram processing on Windows Server is enabled. + + + 0 + Datagram processing on Windows Server is disabled. + + + + + + DisableNetworkProtectionPerfTelemetry + + + + + + + + This setting disables the gathering and send of performance telemetry from Network Protection. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 1 + Network protection telemetry is disabled + + + 0 + Network protection telemetry is enabled + + + + + + HideExclusionsFromLocalAdmins + + + + + + + + This policy setting controls whether or not exclusions are visible to local admins. For end users (that are not local admins) exclusions are not visible, whether or not this setting is enabled. + + + + + + + + + + + + + + 10.0.17763 + 1.3 + + + + 1 + If you enable this setting, local admins will no longer be able to see the exclusion list in Windows Security App or via PowerShell. + + + 0 + If you disable or do not configure this setting, local admins will be able to see exclusions in the Windows Security App and via PowerShell. + + + + + + ThrottleForScheduledScanOnly + + + + + + + + 1 + A CPU usage limit can be applied to scheduled scans only, or to scheduled and custom scans. The default value applies a CPU usage limit to scheduled scans only. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 1 + If you enable this setting, CPU throttling will apply only to scheduled scans. + + + 0 + If you disable this setting, CPU throttling will apply to scheduled and custom scans. + + + + + + ASROnlyPerRuleExclusions + + + + + + + + Apply ASR only per rule exclusions. + + + + + + + + + + + + + + 10.0.16299 + 1.3 + + + + + + + DataDuplicationDirectory + + + + + + + + Define data duplication directory for device control. + + + + + + + + + + + + + + 10.0.17763 + 1.3 + + + + + + + DataDuplicationRemoteLocation + + + + + + + + Define data duplication remote location for device control. + + + + + + + + + + + + + + 10.0.17763 + 1.3 + + + + + + + DeviceControlEnabled + + + + + + + + Control Device Control feature. + + + + + + + + + + + + + + 10.0.17763 + 1.3 + + + + 1 + + + + + 0 + + + + + + + + DefaultEnforcement + + + + + + + + Control Device Control default enforcement. This is the enforcement applied if there are no policy rules present or at the end of the policy rules evaluation none were matched. + + + + + + + + + + + + + + 10.0.17763 + 1.3 + + + + 1 + Default Allow Enforcement + + + 2 + Default Deny Enforcement + + + + + + PassiveRemediation + + + + + + + + Setting to control automatic remediation for Sense scans. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 0x1 + PASSIVE_REMEDIATION_FLAG_SENSE_AUTO_REMEDIATION: Passive Remediation Sense AutoRemediation + + + 0x2 + PASSIVE_REMEDIATION_FLAG_RTP_AUDIT: Passive Remediation Realtime Protection Audit + + + 0x4 + PASSIVE_REMEDIATION_FLAG_RTP_REMEDIATION: Passive Remediation Realtime Protection Remediation + + + + + + PauseUpdateStartTime + + + + + + + + Pause update from the UTC time in ISO string format without milliseconds, for example, 2022-02-24T00:03:59Z. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + + + + PauseUpdateExpirationTime + + + + + + + + Pause update until the UTC time in ISO string format without milliseconds, for example, 2022-02-24T00:03:59Z. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + + + + PauseUpdateFlag + + + + + + + + Setting to control automatic remediation for Sense scans. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 0 + Update not paused + + + 1 + Update paused + + + + + + TDTFeatureEnabled + + + + + + + + 0 + This policy setting configures the integration level for Intel TDT integration for Intel TDT-capable devices. + + + + + + + + + + + + + + 10.0.19041 + 1.3 + + + + 0 + If you do not configure this setting, the default value will be applied. The default value is set to control by signatures. TDT will be enabled based on particular signatures that are released by Microsoft. + + + 2 + If you configure this setting to disabled, Intel TDT integration will be turned off. + + + + + + + Scan + + + + + + Node that can be used to start a Windows Defender scan on a device. + + + + + + + + + + + + + + + 1 + quick scan + + + 2 + full scan + + + + + + UpdateSignature + + + + + + Node that can be used to perform signature updates for Windows Defender. + + + + + + + + + + + + + + + + OfflineScan + + + + + + OfflineScan action starts a Microsoft Defender Offline scan on the computer where you run the command. After the next OS reboot, the device will start in Microsoft Defender Offline mode to begin the scan. + + + + + + + + + + + + + + 10.0.17134 + 1.1 + + ServerInitiated + + + + RollbackPlatform + + + + + + RollbackPlatform action rolls back Microsoft Defender to it's last known good installation location on the computer where you run the command. + + + + + + + + + + + + + + 10.0.17134 + 1.1 + + ServerInitiated + + + + RollbackEngine + + + + + + RollbackEngine action rolls back Microsoft Defender engine to it's last known good saved version on the computer where you run the command. + + + + + + + + + + + + + + 10.0.17134 + 1.1 + + ServerInitiated + + + ``` -## See also +## Related articles -[Defender configuration service provider](defender-csp.md) +[Defender configuration service provider reference](defender-csp.md) diff --git a/windows/client-management/mdm/enterprisedataprotection-csp.md b/windows/client-management/mdm/enterprisedataprotection-csp.md index 86f5334e40..3a3a87afe4 100644 --- a/windows/client-management/mdm/enterprisedataprotection-csp.md +++ b/windows/client-management/mdm/enterprisedataprotection-csp.md @@ -277,7 +277,7 @@ Specifies whether to allow Azure RMS encryption for Windows Information Protecti Supported operations are Add, Get, Replace, and Delete. Value type is integer. **Settings/SMBAutoEncryptedFileExtensions** -Added in Windows 10, version 1703. Specifies a list of file extensions, so that files with these extensions are encrypted when copying from a Server Message Block (SMB) share within the corporate boundary as defined in the Policy CSP nodes for [NetworkIsolation/EnterpriseIPRange](policy-configuration-service-provider.md#networkisolation-enterpriseiprange) and [NetworkIsolation/EnterpriseNetworkDomainNames](policy-configuration-service-provider.md#networkisolation-enterprisenetworkdomainnames). Use semicolon (;) delimiter in the list. +Added in Windows 10, version 1703. Specifies a list of file extensions, so that files with these extensions are encrypted when copying from a Server Message Block (SMB) share within the corporate boundary as defined in the Policy CSP nodes for [NetworkIsolation/EnterpriseIPRange](policy-csp-networkisolation.md) and [NetworkIsolation/EnterpriseNetworkDomainNames](policy-csp-networkisolation.md). Use semicolon (;) delimiter in the list. When this policy isn't specified, the existing auto-encryption behavior is applied. When this policy is configured, only files with the extensions in the list will be encrypted. Supported operations are Add, Get, Replace and Delete. Value type is string. diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md index f048be039c..a425989761 100644 --- a/windows/client-management/mdm/firewall-csp.md +++ b/windows/client-management/mdm/firewall-csp.md @@ -8,6 +8,7 @@ ms.technology: itpro-manage author: vinaypamnani-msft ms.reviewer: manager: aaroncz +ms.date: 12/31/2017 --- # Firewall configuration service provider (CSP) @@ -25,8 +26,6 @@ The table below shows the applicability of Windows: The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, and the desired set of custom rules to be enforced on the device. Using the Firewall CSP the IT admin can now manage non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network. This CSP was added Windows 10, version 1709. -The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, and the desired set of custom rules to be enforced on the device. Using the Firewall CSP the IT admin can now manage non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network. This CSP was added Windows 10, version 1709. - Firewall rules in the FirewallRules section must be wrapped in an Atomic block in SyncML, either individually or collectively. For detailed information on some of the fields below, see [[MS-FASP]: Firewall and Advanced Security Protocol documentation](/openspecs/windows_protocols/ms-winerrata/6521c5c4-1f76-4003-9ade-5cccfc27c8ac). @@ -53,6 +52,11 @@ Firewall ------------DisableStealthMode ------------Shielded ------------DisableUnicastResponsesToMulticastBroadcast +------------EnableLogDroppedPackets +------------EnableLogSuccessConnections +------------EnableLogIgnoredRules +------------LogMaxFileSize +------------LogFilePath ------------DisableInboundNotifications ------------AuthAppsAllowUserPrefMerge ------------GlobalPortsAllowUserPrefMerge @@ -66,6 +70,11 @@ Firewall ------------DisableStealthMode ------------Shielded ------------DisableUnicastResponsesToMulticastBroadcast +------------EnableLogDroppedPackets +------------EnableLogSuccessConnections +------------EnableLogIgnoredRules +------------LogMaxFileSize +------------LogFilePath ------------DisableInboundNotifications ------------AuthAppsAllowUserPrefMerge ------------GlobalPortsAllowUserPrefMerge @@ -79,6 +88,11 @@ Firewall ------------DisableStealthMode ------------Shielded ------------DisableUnicastResponsesToMulticastBroadcast +------------EnableLogDroppedPackets +------------EnableLogSuccessConnections +------------EnableLogIgnoredRules +------------LogMaxFileSize +------------LogFilePath ------------DisableInboundNotifications ------------AuthAppsAllowUserPrefMerge ------------GlobalPortsAllowUserPrefMerge @@ -224,6 +238,25 @@ Boolean value. If it's true, unicast responses to multicast broadcast traffic ar Default value is false. Value type is bool. Supported operations are Add, Get and Replace. +**/EnableLogDroppedPackets** +Boolean value. If this value is true, firewall will log all dropped packets. The merge law for this option is to let "on" values win. +Default value is false. Supported operations are Get and Replace. + +**/EnableLogSuccessConnections** +Boolean value. If this value is true, firewall will log all successful inbound connections. The merge law for this option is to let "on" values win. +Default value is false. Supported operations are Get and Replace. + +**/EnableLogIgnoredRules** +Boolean value. If this value is true, firewall will log ignored firewall rules. The merge law for this option is to let "on" values win. +Default value is false. Supported operations are Get and Replace. + +**/LogMaxFileSize** +Integer value that specifies the size, in kilobytes, of the log file where dropped packets, successful connections and ignored rules are logged. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured, otherwise the MdmStore value wins if it is configured, otherwise the local store value is used. +Default value is 1024. Supported operations are Get and Replace + +**/LogFilePath** +String value that represents the file path to the log where firewall logs dropped packets, successful connections and ignored rules. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured, otherwise the MdmStore value wins if it is configured, otherwise the local store value is used. Default value is "%systemroot%\system32\LogFiles\Firewall\pfirewall.log". Supported operations are Get and Replace + **/DisableInboundNotifications** Boolean value. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. Default value is false. @@ -350,7 +383,7 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete. **FirewallRules/_FirewallRuleName_/IcmpTypesAndCodes** -ICMP types and codes applicable to the firewall rule. To specify all ICMP types and codes, use the “\*” character. For specific ICMP types and codes, use the “:” character to separate the type and code, for example, 3:4, 1:\*. The “\*” character can be used to represent any code. The “\*” character cannot be used to specify any type; examples such as “\*:4” or “\*:\*” are invalid. +Comma separated list of ICMP types and codes applicable to the firewall rule. To specify all ICMP types and codes, use the “\*” character. For specific ICMP types and codes, use the “:” character to separate the type and code, for example, 3:4, 1:\*. The “\*” character can be used to represent any code. The “\*” character cannot be used to specify any type; examples such as “\*:4” or “\*:\*” are invalid. If not specified, the default is All. Value type is string. Supported operations are Add, Get, Replace, and Delete. @@ -432,6 +465,7 @@ Comma separated list of interface types. Valid values: - RemoteAccess - Wireless - Lan +- MBB (i.e. Mobile Broadband) If not specified, the default is All. Value type is string. Supported operations are Get and Replace. diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md index ef26f2ef61..63c5843f83 100644 --- a/windows/client-management/mdm/healthattestation-csp.md +++ b/windows/client-management/mdm/healthattestation-csp.md @@ -8,7 +8,7 @@ ms.topic: article ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft -ms.date: +ms.date: 4/5/2022 --- # Device HealthAttestation CSP diff --git a/windows/client-management/mdm/index.yml b/windows/client-management/mdm/index.yml index fe657489a9..d8bd8ed982 100644 --- a/windows/client-management/mdm/index.yml +++ b/windows/client-management/mdm/index.yml @@ -6,11 +6,10 @@ summary: Learn more about the configuration service provider (CSP) policies avai metadata: title: Configuration Service Provider # Required; page title displayed in search results. Include the brand. < 60 chars. description: Learn more about the configuration service provider (CSP) policies available on Windows 10 and Windows 11. # Required; article description that is displayed in search results. < 160 chars. - ms.topic: landing-page # Required - services: windows-10 - ms.prod: windows + ms.topic: landing-page + ms.technology: itpro-manage + ms.prod: windows-client ms.collection: - - windows-10 - highpri ms.custom: intro-hub-or-landing author: vinaypamnani-msft diff --git a/windows/client-management/mdm/laps-csp.md b/windows/client-management/mdm/laps-csp.md index 9c383468c7..f5c69b2fcd 100644 --- a/windows/client-management/mdm/laps-csp.md +++ b/windows/client-management/mdm/laps-csp.md @@ -17,7 +17,7 @@ ms.date: 09/20/2022 The Local Administrator Password Solution (LAPS) configuration service provider (CSP) is used by the enterprise to manage back up of local administrator account passwords. This CSP was added in Windows 11 as of version 25145. > [!IMPORTANT] -> Windows LAPS is currently only available in Windows Insider builds as of 25145 and later. Support for the Windows LAPS Azure AD scenario is currently limited to a small group of Windows Insiders. +> Windows LAPS currently is available only in [Windows 11 Insider Preview Build 25145 and later](/windows-insider/flight-hub/#active-development-builds-of-windows-11). Support for the Windows LAPS Azure Active Directory scenario is currently in private preview, and limited to a small number of customers who have a direct engagement with engineering. Once public preview is declared in 2023, all customers will be able to evaluate this AAD scenario. > [!TIP] > This article covers the specific technical details of the LAPS CSP. For more information about the scenarios in which the LAPS CSP would be used, see [Windows Local Administrator Password Solution](/windows-server/identity/laps/laps). @@ -63,7 +63,7 @@ The LAPS CSP can be used to manage devices that are either joined to Azure AD or |ResetPasswordStatus|Yes|Yes| > [!IMPORTANT] -> Windows supports a LAPS Group Policy Object that is entirely separate from the LAPS CSP. Many of the various settings are common across both the LAPS GPO and CSP (GPO does not support any of the Action-related settings). As long as at least one LAPS setting is configured via CSP, any GPO-configured settings will be ignored. Also see the TBD reference on LAPS policy configuration. +> Windows supports a LAPS Group Policy Object that is entirely separate from the LAPS CSP. Many of the various settings are common across both the LAPS GPO and CSP (GPO does not support any of the Action-related settings). As long as at least one LAPS setting is configured via CSP, any GPO-configured settings will be ignored. Also see [Configure policy settings for Windows LAPS](/windows-server/identity/laps/laps-management-policy-settings). ## ./Device/Vendor/MSFT/LAPS diff --git a/windows/client-management/mdm/networkqospolicy-csp.md b/windows/client-management/mdm/networkqospolicy-csp.md index f4af5800f6..70a952ccd4 100644 --- a/windows/client-management/mdm/networkqospolicy-csp.md +++ b/windows/client-management/mdm/networkqospolicy-csp.md @@ -40,7 +40,7 @@ The following actions are supported: > - Azure AD Hybrid joined devices. > - Devices that use both GPO and CSP at the same time. > -> The minimum operating system requirement for this CSP is Windows 10, version 2004. This CSP is supported only in Microsoft Surface Hub prior to Windows 10, version 2004. +> The minimum operating system requirement for this CSP is Windows 10, version 1703. This CSP is not supported in Microsoft Surface Hub prior to Windows 10, version 1703. The following example shows the NetworkQoSPolicy configuration service provider in tree format. ``` diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index b683f12d06..0224b374cf 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -1,1913 +1,3028 @@ --- title: ADMX-backed policies in Policy CSP description: Learn about the ADMX-backed policies in Policy CSP. -ms.reviewer: +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 11/29/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 10/08/2020 +ms.topic: reference --- + + # ADMX-backed policies in Policy CSP -- [ActiveXControls/ApprovedInstallationSites](./policy-csp-activexcontrols.md#activexcontrols-approvedinstallationsites) -- [ADMX_ActiveXInstallService/AxISURLZonePolicies](./policy-csp-admx-activexinstallservice.md#admx-activexinstallservice-axisurlzonepolicies) -- [ADMX_AddRemovePrograms/DefaultCategory](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-defaultcategory) -- [ADMX_AddRemovePrograms/NoAddFromCDorFloppy](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noaddfromcdorfloppy) -- [ADMX_AddRemovePrograms/NoAddFromInternet](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noaddfrominternet) -- [ADMX_AddRemovePrograms/NoAddFromNetwork](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noaddfromnetwork) -- [ADMX_AddRemovePrograms/NoAddPage](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noaddpage) -- [ADMX_AddRemovePrograms/NoAddRemovePrograms](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noaddremoveprograms) -- [ADMX_AddRemovePrograms/NoChooseProgramsPage](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-nochooseprogramspage) -- [ADMX_AddRemovePrograms/NoRemovePage](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noremovepage) -- [ADMX_AddRemovePrograms/NoServices](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noservices) -- [ADMX_AddRemovePrograms/NoSupportInfo](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-nosupportinfo) -- [ADMX_AddRemovePrograms/NoWindowsSetupPage](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-nowindowssetuppage) -- [ADMX_AdmPwd/POL_AdmPwd_DontAllowPwdExpirationBehindPolicy](./policy-csp-admx-admpwd.md#admx-admpwd-pol_admpwd_dontallowpwdexpirationbehindpolicy) -- [ADMX_AdmPwd/POL_AdmPwd_Enabled](./policy-csp-admx-admpwd.md#admx-admpwd-pol_admpwd_enabled) -- [ADMX_AdmPwd/POL_AdmPwd_AdminName](./policy-csp-admx-admpwd.md#admx-admpwd-pol_admpwd_adminname) -- [ADMX_AdmPwd/POL_AdmPwd](./policy-csp-admx-admpwd.md#admx-admpwd-pol_admpwd) -- [ADMX_AppCompat/AppCompatPrevent16BitMach](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatprevent16bitmach) -- [ADMX_AppCompat/AppCompatRemoveProgramCompatPropPage](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatremoveprogramcompatproppage) -- [ADMX_AppCompat/AppCompatTurnOffApplicationImpactTelemetry](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffapplicationimpacttelemetry) -- [ADMX_AppCompat/AppCompatTurnOffSwitchBack](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffswitchback) -- [ADMX_AppCompat/AppCompatTurnOffEngine](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffengine) -- [ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_1](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffprogramcompatibilityassistant_1) -- [ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_2](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffprogramcompatibilityassistant_2) -- [ADMX_AppCompat/AppCompatTurnOffUserActionRecord](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffuseractionrecord) -- [ADMX_AppCompat/AppCompatTurnOffProgramInventory](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffprograminventory) -- [ADMX_AppxPackageManager/AllowDeploymentInSpecialProfiles](./policy-csp-admx-appxpackagemanager.md#admx-appxpackagemanager-allowdeploymentinspecialprofiles) -- [ADMX_AppXRuntime/AppxRuntimeApplicationContentUriRules](./policy-csp-admx-appxruntime.md#admx-appxruntime-appxruntimeapplicationcontenturirules) -- [ADMX_AppXRuntime/AppxRuntimeBlockFileElevation](./policy-csp-admx-appxruntime.md#admx-appxruntime-appxruntimeblockfileelevation) -- [ADMX_AppXRuntime/AppxRuntimeBlockHostedAppAccessWinRT](./policy-csp-admx-appxruntime.md#admx-appxruntime-appxruntimeblockhostedappaccesswinrt) -- [ADMX_AppXRuntime/AppxRuntimeBlockProtocolElevation](./policy-csp-admx-appxruntime.md#admx-appxruntime-appxruntimeblockprotocolelevation) -- [ADMX_AttachmentManager/AM_EstimateFileHandlerRisk](./policy-csp-admx-attachmentmanager.md#admx-attachmentmanager-am-estimatefilehandlerrisk) -- [ADMX_AttachmentManager/AM_SetFileRiskLevel](./policy-csp-admx-attachmentmanager.md#admx-attachmentmanager-am-setfilerisklevel) -- [ADMX_AttachmentManager/AM_SetHighRiskInclusion](./policy-csp-admx-attachmentmanager.md#admx-attachmentmanager-am-sethighriskinclusion) -- [ADMX_AttachmentManager/AM_SetLowRiskInclusion](./policy-csp-admx-attachmentmanager.md#admx-attachmentmanager-am-setlowriskinclusion) -- [ADMX_AttachmentManager/AM_SetModRiskInclusion](./policy-csp-admx-attachmentmanager.md#admx-attachmentmanager-am-setmodriskinclusion) -- [ADMX_AuditSettings/IncludeCmdLine](./policy-csp-admx-auditsettings.md#admx-auditsettings-includecmdline) -- [ADMX_Bits/BITS_DisableBranchCache](./policy-csp-admx-bits.md#admx-bits-bits-disablebranchcache) -- [ADMX_Bits/BITS_DisablePeercachingClient](./policy-csp-admx-bits.md#admx-bits-bits-disablepeercachingclient) -- [ADMX_Bits/BITS_DisablePeercachingServer](./policy-csp-admx-bits.md#admx-bits-bits-disablepeercachingserver) -- [ADMX_Bits/BITS_EnablePeercaching](./policy-csp-admx-bits.md#admx-bits-bits-enablepeercaching) -- [ADMX_Bits/BITS_MaxBandwidthServedForPeers](./policy-csp-admx-bits.md#admx-bits-bits-maxbandwidthservedforpeers) -- [ADMX_Bits/BITS_MaxBandwidthV2_Maintenance](./policy-csp-admx-bits.md#admx-bits-bits-maxbandwidthv2-maintenance) -- [ADMX_Bits/BITS_MaxBandwidthV2_Work](./policy-csp-admx-bits.md#admx-bits-bits-maxbandwidthv2-work) -- [ADMX_Bits/BITS_MaxCacheSize](./policy-csp-admx-bits.md#admx-bits-bits-maxcachesize) -- [ADMX_Bits/BITS_MaxContentAge](./policy-csp-admx-bits.md#admx-bits-bits-maxcontentage) -- [ADMX_Bits/BITS_MaxDownloadTime](./policy-csp-admx-bits.md#admx-bits-bits-maxdownloadtime) -- [ADMX_Bits/BITS_MaxFilesPerJob](./policy-csp-admx-bits.md#admx-bits-bits-maxfilesperjob) -- [ADMX_Bits/BITS_MaxJobsPerMachine](./policy-csp-admx-bits.md#admx-bits-bits-maxjobspermachine) -- [ADMX_Bits/BITS_MaxJobsPerUser](./policy-csp-admx-bits.md#admx-bits-bits-maxjobsperuser) -- [ADMX_Bits/BITS_MaxRangesPerFile](./policy-csp-admx-bits.md#admx-bits-bits-maxrangesperfile) -- [ADMX_CipherSuiteOrder/SSLCipherSuiteOrder](./policy-csp-admx-ciphersuiteorder.md#admx-ciphersuiteorder-sslciphersuiteorder) -- [ADMX_CipherSuiteOrder/SSLCurveOrder](./policy-csp-admx-ciphersuiteorder.md#admx-ciphersuiteorder-sslcurveorder) -- [ADMX_COM/AppMgmt_COM_SearchForCLSID_1](./policy-csp-admx-com.md#admx-com-appmgmt-com-searchforclsid-1) -- [ADMX_COM/AppMgmt_COM_SearchForCLSID_2](./policy-csp-admx-com.md#admx-com-appmgmt-com-searchforclsid-2) -- [ADMX_ControlPanel/DisallowCpls](./policy-csp-admx-controlpanel.md#admx-controlpanel-disallowcpls) -- [ADMX_ControlPanel/ForceClassicControlPanel](./policy-csp-admx-controlpanel.md#admx-controlpanel-forceclassiccontrolpanel) -- [ADMX_ControlPanel/NoControlPanel](./policy-csp-admx-controlpanel.md#admx-controlpanel-nocontrolpanel) -- [ADMX_ControlPanel/RestrictCpls](./policy-csp-admx-controlpanel.md#admx-controlpanel-restrictcpls) -- [ADMX_ControlPanelDisplay/CPL_Display_Disable](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-display-disable) -- [ADMX_ControlPanelDisplay/CPL_Display_HideSettings](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-display-hidesettings) -- [ADMX_ControlPanelDisplay/CPL_Personalization_DisableColorSchemeChoice](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-disablecolorschemechoice) -- [ADMX_ControlPanelDisplay/CPL_Personalization_DisableThemeChange](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-disablethemechange) -- [ADMX_ControlPanelDisplay/CPL_Personalization_DisableVisualStyle](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-disablevisualstyle) -- [ADMX_ControlPanelDisplay/CPL_Personalization_EnableScreenSaver](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-enablescreensaver) -- [ADMX_ControlPanelDisplay/CPL_Personalization_ForceDefaultLockScreen](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-forcedefaultlockscreen) -- [ADMX_ControlPanelDisplay/CPL_Personalization_LockFontSize](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-lockfontsize) -- [ADMX_ControlPanelDisplay/CPL_Personalization_NoChangingLockScreen](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nochanginglockscreen) -- [ADMX_ControlPanelDisplay/CPL_Personalization_NoChangingStartMenuBackground](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nochangingstartmenubackground) -- [ADMX_ControlPanelDisplay/CPL_Personalization_NoColorAppearanceUI](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nocolorappearanceui) -- [ADMX_ControlPanelDisplay/CPL_Personalization_NoDesktopBackgroundUI](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nodesktopbackgroundui) -- [ADMX_ControlPanelDisplay/CPL_Personalization_NoDesktopIconsUI](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nodesktopiconsui) -- [ADMX_ControlPanelDisplay/CPL_Personalization_NoLockScreen](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nolockscreen) -- [ADMX_ControlPanelDisplay/CPL_Personalization_NoMousePointersUI](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nomousepointersui) -- [ADMX_ControlPanelDisplay/CPL_Personalization_NoScreenSaverUI](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-noscreensaverui) -- [ADMX_ControlPanelDisplay/CPL_Personalization_NoSoundSchemeUI](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nosoundschemeui) -- [ADMX_ControlPanelDisplay/CPL_Personalization_PersonalColors](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-personalcolors) -- [ADMX_ControlPanelDisplay/CPL_Personalization_ScreenSaverIsSecure](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-screensaverissecure) -- [ADMX_ControlPanelDisplay/CPL_Personalization_ScreenSaverTimeOut](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-screensavertimeout) -- [ADMX_ControlPanelDisplay/CPL_Personalization_SetScreenSaver](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-setscreensaver) -- [ADMX_ControlPanelDisplay/CPL_Personalization_SetTheme](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-settheme) -- [ADMX_ControlPanelDisplay/CPL_Personalization_SetVisualStyle](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-setvisualstyle) -- [ADMX_ControlPanelDisplay/CPL_Personalization_StartBackground](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-startbackground) -- [ADMX_Cpls/UseDefaultTile](./policy-csp-admx-cpls.md#admx-cpls-usedefaulttile) -- [ADMX_CredentialProviders/AllowDomainDelayLock](./policy-csp-admx-credentialproviders.md#admx-credentialproviders-allowdomaindelaylock) -- [ADMX_CredentialProviders/DefaultCredentialProvider](./policy-csp-admx-credentialproviders.md#admx-credentialproviders-defaultcredentialprovider) -- [ADMX_CredentialProviders/ExcludedCredentialProviders](./policy-csp-admx-credentialproviders.md#admx-credentialproviders-excludedcredentialproviders) -- [ADMX_CredSsp/AllowDefCredentialsWhenNTLMOnly](./policy-csp-admx-credssp.md#admx-credssp-allowdefcredentialswhenntlmonly) -- [ADMX_CredSsp/AllowDefaultCredentials](./policy-csp-admx-credssp.md#admx-credssp-allowdefaultcredentials) -- [ADMX_CredSsp/AllowEncryptionOracle](./policy-csp-admx-credssp.md#admx-credssp-allowencryptionoracle) -- [ADMX_CredSsp/AllowFreshCredentials](./policy-csp-admx-credssp.md#admx-credssp-allowfreshcredentials) -- [ADMX_CredSsp/AllowFreshCredentialsWhenNTLMOnly](./policy-csp-admx-credssp.md#admx-credssp-allowfreshcredentialswhenntlmonly) -- [ADMX_CredSsp/AllowSavedCredentials](./policy-csp-admx-credssp.md#admx-credssp-allowsavedcredentials) -- [ADMX_CredSsp/AllowSavedCredentialsWhenNTLMOnly](./policy-csp-admx-credssp.md#admx-credssp-allowsavedcredentialswhenntlmonly) -- [ADMX_CredSsp/DenyDefaultCredentials](./policy-csp-admx-credssp.md#admx-credssp-denydefaultcredentials) -- [ADMX_CredSsp/DenyFreshCredentials](./policy-csp-admx-credssp.md#admx-credssp-denyfreshcredentials) -- [ADMX_CredSsp/DenySavedCredentials](./policy-csp-admx-credssp.md#admx-credssp-denysavedcredentials) -- [ADMX_CredSsp/RestrictedRemoteAdministration](./policy-csp-admx-credssp.md#admx-credssp-restrictedremoteadministration) -- [ADMX_CredUI/EnableSecureCredentialPrompting](./policy-csp-admx-credui.md#admx-credui-enablesecurecredentialprompting) -- [ADMX_CredUI/NoLocalPasswordResetQuestions](./policy-csp-admx-credui.md#admx-credui-nolocalpasswordresetquestions) -- [ADMX_CtrlAltDel/DisableChangePassword](./policy-csp-admx-ctrlaltdel.md#admx-ctrlaltdel-disablechangepassword) -- [ADMX_CtrlAltDel/DisableLockComputer](./policy-csp-admx-ctrlaltdel.md#admx-ctrlaltdel-disablelockcomputer) -- [ADMX_CtrlAltDel/DisableTaskMgr](./policy-csp-admx-ctrlaltdel.md#admx-ctrlaltdel-disabletaskmgr) -- [ADMX_CtrlAltDel/NoLogoff](./policy-csp-admx-ctrlaltdel.md#admx-ctrlaltdel-nologoff) -- [ADMX_DataCollection/CommercialIdPolicy](./policy-csp-admx-datacollection.md#admx-datacollection-commercialidpolicy) -- [ADMX_DCOM/DCOMActivationSecurityCheckAllowLocalList](./policy-csp-admx-dcom.md#admx-dcom-dcomactivationsecuritycheckallowlocallist) -- [ADMX_DCOM/DCOMActivationSecurityCheckExemptionList](./policy-csp-admx-dcom.md#admx-dcom-dcomactivationsecuritycheckexemptionlist) -- [ADMX_Desktop/AD_EnableFilter](./policy-csp-admx-desktop.md#admx-desktop-ad-enablefilter) -- [ADMX_Desktop/AD_HideDirectoryFolder](./policy-csp-admx-desktop.md#admx-desktop-ad-hidedirectoryfolder) -- [ADMX_Desktop/AD_QueryLimit](./policy-csp-admx-desktop.md#admx-desktop-ad-querylimit) -- [ADMX_Desktop/ForceActiveDesktopOn](./policy-csp-admx-desktop.md#admx-desktop-forceactivedesktopon) -- [ADMX_Desktop/NoActiveDesktop](./policy-csp-admx-desktop.md#admx-desktop-noactivedesktop) -- [ADMX_Desktop/NoActiveDesktopChanges](./policy-csp-admx-desktop.md#admx-desktop-noactivedesktopchanges) -- [ADMX_Desktop/NoDesktop](./policy-csp-admx-desktop.md#admx-desktop-nodesktop) -- [ADMX_Desktop/NoDesktopCleanupWizard](./policy-csp-admx-desktop.md#admx-desktop-nodesktopcleanupwizard) -- [ADMX_Desktop/NoInternetIcon](./policy-csp-admx-desktop.md#admx-desktop-nointerneticon) -- [ADMX_Desktop/NoMyComputerIcon](./policy-csp-admx-desktop.md#admx-desktop-nomycomputericon) -- [ADMX_Desktop/NoMyDocumentsIcon](./policy-csp-admx-desktop.md#admx-desktop-nomydocumentsicon) -- [ADMX_Desktop/NoNetHood](./policy-csp-admx-desktop.md#admx-desktop-nonethood) -- [ADMX_Desktop/NoPropertiesMyComputer](./policy-csp-admx-desktop.md#admx-desktop-nopropertiesmycomputer) -- [ADMX_Desktop/NoPropertiesMyDocuments](./policy-csp-admx-desktop.md#admx-desktop-nopropertiesmydocuments) -- [ADMX_Desktop/NoRecentDocsNetHood](./policy-csp-admx-desktop.md#admx-desktop-norecentdocsnethood) -- [ADMX_Desktop/NoRecycleBinIcon](./policy-csp-admx-desktop.md#admx-desktop-norecyclebinicon) -- [ADMX_Desktop/NoRecycleBinProperties](./policy-csp-admx-desktop.md#admx-desktop-norecyclebinproperties) -- [ADMX_Desktop/NoSaveSettings](./policy-csp-admx-desktop.md#admx-desktop-nosavesettings) -- [ADMX_Desktop/NoWindowMinimizingShortcuts](./policy-csp-admx-desktop.md#admx-desktop-nowindowminimizingshortcuts) -- [ADMX_Desktop/Wallpaper](./policy-csp-admx-desktop.md#admx-desktop-wallpaper) -- [ADMX_Desktop/sz_ATC_DisableAdd](./policy-csp-admx-desktop.md#admx-desktop-sz-atc-disableadd) -- [ADMX_Desktop/sz_ATC_DisableClose](./policy-csp-admx-desktop.md#admx-desktop-sz-atc-disableclose) -- [ADMX_Desktop/sz_ATC_DisableDel](./policy-csp-admx-desktop.md#admx-desktop-sz-atc-disabledel) -- [ADMX_Desktop/sz_ATC_DisableEdit](./policy-csp-admx-desktop.md#admx-desktop-sz-atc-disableedit) -- [ADMX_Desktop/sz_ATC_NoComponents](./policy-csp-admx-desktop.md#admx-desktop-sz-atc-nocomponents) -- [ADMX_Desktop/sz_AdminComponents_Title](./policy-csp-admx-desktop.md#admx-desktop-sz-admincomponents-title) -- [ADMX_Desktop/sz_DB_DragDropClose](./policy-csp-admx-desktop.md#admx-desktop-sz-db-dragdropclose) -- [ADMX_Desktop/sz_DB_Moving](./policy-csp-admx-desktop.md#admx-desktop-sz-db-moving) -- [ADMX_Desktop/sz_DWP_NoHTMLPaper](./policy-csp-admx-desktop.md#admx-desktop-sz-dwp-nohtmlpaper) -- [ADMX_DeviceCompat/DeviceFlags](./policy-csp-admx-devicecompat.md#admx-devicecompat-deviceflags) -- [ADMX_DeviceCompat/DriverShims](./policy-csp-admx-devicecompat.md#admx-devicecompat-drivershims) -- [ADMX_DeviceInstallation/DeviceInstall_AllowAdminInstall](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-allowadmininstall) -- [ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_DetailText](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-deniedpolicy-detailtext) -- [ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_SimpleText](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-deniedpolicy-simpletext) -- [ADMX_DeviceInstallation/DeviceInstall_InstallTimeout](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-installtimeout) -- [ADMX_DeviceInstallation/DeviceInstall_Policy_RebootTime](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-policy-reboottime) -- [ADMX_DeviceInstallation/DeviceInstall_Removable_Deny](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-removable-deny) -- [ADMX_DeviceInstallation/DeviceInstall_SystemRestore](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-systemrestore) -- [ADMX_DeviceInstallation/DriverInstall_Classes_AllowUser](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-classes-allowuser) -- [ADMX_DeviceGuard/ConfigCIPolicy](./policy-csp-admx-deviceguard.md#admx-deviceguard-configcipolicy) -- [ADMX_DeviceSetup/DeviceInstall_BalloonTips](./policy-csp-admx-devicesetup.md#admx-devicesetup-deviceinstall-balloontips) -- [ADMX_DeviceSetup/DriverSearchPlaces_SearchOrderConfiguration](./policy-csp-admx-devicesetup.md#admx-devicesetup-driversearchplaces-searchorderconfiguration) -- [ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_1](./policy-csp-admx-digitallocker.md#admx-digitallocker-digitalx-diableapplication-titletext-1) -- [ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_2](./policy-csp-admx-digitallocker.md#admx-digitallocker-digitalx-diableapplication-titletext-2) -- [ADMX_DiskNVCache/BootResumePolicy](./policy-csp-admx-disknvcache.md#admx-disknvcache-bootresumepolicy) -- [ADMX_DiskNVCache/FeatureOffPolicy](./policy-csp-admx-disknvcache.md#admx-disknvcache-featureoffpolicy) -- [ADMX_DiskNVCache/SolidStatePolicy](./policy-csp-admx-disknvcache.md#admx-disknvcache-solidstatepolicy) -- [ADMX_DiskQuota/DQ_RemovableMedia](./policy-csp-admx-diskquota.md#admx-diskquota-dq_removablemedia) -- [ADMX_DiskQuota/DQ_Enable](./policy-csp-admx-diskquota.md#admx-diskquota-dq_enable) -- [ADMX_DiskQuota/DQ_Enforce](./policy-csp-admx-diskquota.md#admx-diskquota-dq_enforce) -- [ADMX_DiskQuota/DQ_LogEventOverLimit](./policy-csp-admx-diskquota.md#admx-diskquota-dq_logeventoverlimit) -- [ADMX_DiskQuota/DQ_LogEventOverThreshold](./policy-csp-admx-diskquota.md#admx-diskquota-dq_logeventoverthreshold) -- [ADMX_DiskQuota/DQ_Limit](./policy-csp-admx-diskquota.md#admx-diskquota-dq_limit) -- [ADMX_DistributedLinkTracking/DLT_AllowDomainMode](./policy-csp-admx-distributedlinktracking.md#admx-distributedlinktracking-dlt_allowdomainmode) -- [ADMX_DnsClient/DNS_AllowFQDNNetBiosQueries](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-allowfqdnnetbiosqueries) -- [ADMX_DnsClient/DNS_AppendToMultiLabelName](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-appendtomultilabelname) -- [ADMX_DnsClient/DNS_Domain](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-domain) -- [ADMX_DnsClient/DNS_DomainNameDevolutionLevel](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-domainnamedevolutionlevel) -- [ADMX_DnsClient/DNS_IdnEncoding](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-idnencoding) -- [ADMX_DnsClient/DNS_IdnMapping](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-idnmapping) -- [ADMX_DnsClient/DNS_NameServer](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-nameserver) -- [ADMX_DnsClient/DNS_PreferLocalResponsesOverLowerOrderDns](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-preferlocalresponsesoverlowerorderdns) -- [ADMX_DnsClient/DNS_PrimaryDnsSuffix](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-primarydnssuffix) -- [ADMX_DnsClient/DNS_RegisterAdapterName](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-registeradaptername) -- [ADMX_DnsClient/DNS_RegisterReverseLookup](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-registerreverselookup) -- [ADMX_DnsClient/DNS_RegistrationEnabled](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-registrationenabled) -- [ADMX_DnsClient/DNS_RegistrationOverwritesInConflict](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-registrationoverwritesinconflict) -- [ADMX_DnsClient/DNS_RegistrationRefreshInterval](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-registrationrefreshinterval) -- [ADMX_DnsClient/DNS_RegistrationTtl](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-registrationttl) -- [ADMX_DnsClient/DNS_SearchList](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-searchlist) -- [ADMX_DnsClient/DNS_SmartMultiHomedNameResolution](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-smartmultihomednameresolution) -- [ADMX_DnsClient/DNS_SmartProtocolReorder](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-smartprotocolreorder) -- [ADMX_DnsClient/DNS_UpdateSecurityLevel](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-updatesecuritylevel) -- [ADMX_DnsClient/DNS_UpdateTopLevelDomainZones](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-updatetopleveldomainzones) -- [ADMX_DnsClient/DNS_UseDomainNameDevolution](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-usedomainnamedevolution) -- [ADMX_DnsClient/Turn_Off_Multicast](./policy-csp-admx-dnsclient.md#admx-dnsclient-turn-off-multicast) -- [ADMX_DFS/DFSDiscoverDC](./policy-csp-admx-dfs.md#admx-dfs-dfsdiscoverdc) -- [ADMX_DWM/DwmDefaultColorizationColor_1](./policy-csp-admx-dwm.md#admx-dwm-dwmdefaultcolorizationcolor-1) -- [ADMX_DWM/DwmDefaultColorizationColor_2](./policy-csp-admx-dwm.md#admx-dwm-dwmdefaultcolorizationcolor-2) -- [ADMX_DWM/DwmDisallowAnimations_1](./policy-csp-admx-dwm.md#admx-dwm-dwmdisallowanimations-1) -- [ADMX_DWM/DwmDisallowAnimations_2](./policy-csp-admx-dwm.md#admx-dwm-dwmdisallowanimations-2) -- [ADMX_DWM/DwmDisallowColorizationColorChanges_1](./policy-csp-admx-dwm.md#admx-dwm-dwmdisallowcolorizationcolorchanges-1) -- [ADMX_DWM/DwmDisallowColorizationColorChanges_2](./policy-csp-admx-dwm.md#admx-dwm-dwmdisallowcolorizationcolorchanges-2) -- [ADMX_EAIME/L_DoNotIncludeNonPublishingStandardGlyphInTheCandidateList](./policy-csp-admx-eaime.md#admx-eaime-l-donotincludenonpublishingstandardglyphinthecandidatelist) -- [ADMX_EAIME/L_RestrictCharacterCodeRangeOfConversion](./policy-csp-admx-eaime.md#admx-eaime-l-restrictcharactercoderangeofconversion) -- [ADMX_EAIME/L_TurnOffCustomDictionary](./policy-csp-admx-eaime.md#admx-eaime-l-turnoffcustomdictionary) -- [ADMX_EAIME/L_TurnOffHistorybasedPredictiveInput](./policy-csp-admx-eaime.md#admx-eaime-l-turnoffhistorybasedpredictiveinput) -- [ADMX_EAIME/L_TurnOffInternetSearchIntegration](./policy-csp-admx-eaime.md#admx-eaime-l-turnoffinternetsearchintegration) -- [ADMX_EAIME/L_TurnOffOpenExtendedDictionary](./policy-csp-admx-eaime.md#admx-eaime-l-turnoffopenextendeddictionary) -- [ADMX_EAIME/L_TurnOffSavingAutoTuningDataToFile](./policy-csp-admx-eaime.md#admx-eaime-l-turnoffsavingautotuningdatatofile) -- [ADMX_EAIME/L_TurnOnCloudCandidate](./policy-csp-admx-eaime.md#admx-eaime-l-turnoncloudcandidate) -- [ADMX_EAIME/L_TurnOnCloudCandidateCHS](./policy-csp-admx-eaime.md#admx-eaime-l-turnoncloudcandidatechs) -- [ADMX_EAIME/L_TurnOnLexiconUpdate](./policy-csp-admx-eaime.md#admx-eaime-l-turnonlexiconupdate) -- [ADMX_EAIME/L_TurnOnLiveStickers](./policy-csp-admx-eaime.md#admx-eaime-l-turnonlivestickers) -- [ADMX_EAIME/L_TurnOnMisconversionLoggingForMisconversionReport](./policy-csp-admx-eaime.md#admx-eaime-l-turnonmisconversionloggingformisconversionreport) -- [ADMX_EventLogging/EnableProtectedEventLogging](./policy-csp-admx-eventlogging.md#admx-eventlogging-enableprotectedeventlogging) -- [ADMX_EncryptFilesonMove/NoEncryptOnMove](./policy-csp-admx-encryptfilesonmove.md#admx-encryptfilesonmove-noencryptonmove) -- [ADMX_EnhancedStorage/ApprovedEnStorDevices](./policy-csp-admx-enhancedstorage.md#admx-enhancedstorage-approvedenstordevices) -- [ADMX_EnhancedStorage/ApprovedSilos](./policy-csp-admx-enhancedstorage.md#admx-enhancedstorage-approvedsilos) -- [ADMX_EnhancedStorage/DisablePasswordAuthentication](./policy-csp-admx-enhancedstorage.md#admx-enhancedstorage-disablepasswordauthentication) -- [ADMX_EnhancedStorage/DisallowLegacyDiskDevices](./policy-csp-admx-enhancedstorage.md#admx-enhancedstorage-disallowlegacydiskdevices) -- [ADMX_EnhancedStorage/LockDeviceOnMachineLock](./policy-csp-admx-enhancedstorage.md#admx-enhancedstorage-lockdeviceonmachinelock) -- [ADMX_EnhancedStorage/RootHubConnectedEnStorDevices](./policy-csp-admx-enhancedstorage.md#admx-enhancedstorage-roothubconnectedenstordevices) -- [ADMX_ErrorReporting/PCH_AllOrNoneDef](./policy-csp-admx-errorreporting.md#admx-errorreporting-pch-allornonedef) -- [ADMX_ErrorReporting/PCH_AllOrNoneEx](./policy-csp-admx-errorreporting.md#admx-errorreporting-pch-allornoneex) -- [ADMX_ErrorReporting/PCH_AllOrNoneInc](./policy-csp-admx-errorreporting.md#admx-errorreporting-pch-allornoneinc) -- [ADMX_ErrorReporting/PCH_ConfigureReport](./policy-csp-admx-errorreporting.md#admx-errorreporting-pch-configurereport) -- [ADMX_ErrorReporting/PCH_ReportOperatingSystemFaults](./policy-csp-admx-errorreporting.md#admx-errorreporting-pch-reportoperatingsystemfaults) -- [ADMX_ErrorReporting/WerArchive_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werarchive-1) -- [ADMX_ErrorReporting/WerArchive_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-werarchive-2) -- [ADMX_ErrorReporting/WerAutoApproveOSDumps_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werautoapproveosdumps-1) -- [ADMX_ErrorReporting/WerAutoApproveOSDumps_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-werautoapproveosdumps-2) -- [ADMX_ErrorReporting/WerBypassDataThrottling_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werbypassdatathrottling-1) -- [ADMX_ErrorReporting/WerBypassDataThrottling_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-werbypassdatathrottling-2) -- [ADMX_ErrorReporting/WerBypassNetworkCostThrottling_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werbypassnetworkcostthrottling-1) -- [ADMX_ErrorReporting/WerBypassNetworkCostThrottling_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-werbypassnetworkcostthrottling-2) -- [ADMX_ErrorReporting/WerBypassPowerThrottling_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werbypasspowerthrottling-1) -- [ADMX_ErrorReporting/WerBypassPowerThrottling_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-werbypasspowerthrottling-2) -- [ADMX_ErrorReporting/WerCER](./policy-csp-admx-errorreporting.md#admx-errorreporting-wercer) -- [ADMX_ErrorReporting/WerConsentCustomize_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werconsentcustomize-1) -- [ADMX_ErrorReporting/WerConsentOverride_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werconsentoverride-1) -- [ADMX_ErrorReporting/WerConsentOverride_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-werconsentoverride-2) -- [ADMX_ErrorReporting/WerDefaultConsent_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werdefaultconsent-1) -- [ADMX_ErrorReporting/WerDefaultConsent_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-werdefaultconsent-2) -- [ADMX_ErrorReporting/WerDisable_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werdisable-1) -- [ADMX_ErrorReporting/WerExlusion_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werexlusion-1) -- [ADMX_ErrorReporting/WerExlusion_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-werexlusion-2) -- [ADMX_ErrorReporting/WerNoLogging_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-wernologging-1) -- [ADMX_ErrorReporting/WerNoLogging_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-wernologging-2) -- [ADMX_ErrorReporting/WerNoSecondLevelData_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-wernosecondleveldata-1) -- [ADMX_ErrorReporting/WerQueue_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werqueue-1) -- [ADMX_ErrorReporting/WerQueue_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-werqueue-2) -- [ADMX_EventForwarding/ForwarderResourceUsage](./policy-csp-admx-eventforwarding.md#admx_eventforwarding-forwarderresourceusage) -- [ADMX_EventForwarding/SubscriptionManager](./policy-csp-admx-eventforwarding.md#admx_eventforwarding-subscriptionmanager) -- [ADMX_EventLog/Channel_LogEnabled](./policy-csp-admx-eventlog.md#admx-eventlog-channel-logenabled) -- [ADMX_EventLog/Channel_LogFilePath_1](./policy-csp-admx-eventlog.md#admx-eventlog-channel-logfilepath-1) -- [ADMX_EventLog/Channel_LogFilePath_2](./policy-csp-admx-eventlog.md#admx-eventlog-channel-logfilepath-2) -- [ADMX_EventLog/Channel_LogFilePath_3](./policy-csp-admx-eventlog.md#admx-eventlog-channel-logfilepath-3) -- [ADMX_EventLog/Channel_LogFilePath_4](./policy-csp-admx-eventlog.md#admx-eventlog-channel-logfilepath-4) -- [ADMX_EventLog/Channel_LogMaxSize_3](./policy-csp-admx-eventlog.md#admx-eventlog-channel-logmaxsize-3) -- [ADMX_EventLog/Channel_Log_AutoBackup_1](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-autobackup-1) -- [ADMX_EventLog/Channel_Log_AutoBackup_2](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-autobackup-2) -- [ADMX_EventLog/Channel_Log_AutoBackup_3](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-autobackup-3) -- [ADMX_EventLog/Channel_Log_AutoBackup_4](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-autobackup-4) -- [ADMX_EventLog/Channel_Log_FileLogAccess_1](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-1) -- [ADMX_EventLog/Channel_Log_FileLogAccess_2](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-2) -- [ADMX_EventLog/Channel_Log_FileLogAccess_3](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-3) -- [ADMX_EventLog/Channel_Log_FileLogAccess_4](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-4) -- [ADMX_EventLog/Channel_Log_FileLogAccess_5](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-5) -- [ADMX_EventLog/Channel_Log_FileLogAccess_6](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-6) -- [ADMX_EventLog/Channel_Log_FileLogAccess_7](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-7) -- [ADMX_EventLog/Channel_Log_FileLogAccess_8](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-8) -- [ADMX_EventLog/Channel_Log_Retention_2](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-retention-2) -- [ADMX_EventLog/Channel_Log_Retention_3](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-retention-3) -- [ADMX_EventLog/Channel_Log_Retention_4](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-retention-4) -- [ADMX_EventViewer/EventViewer_RedirectionProgram](./policy-csp-admx-eventviewer.md#admx-eventviewer-eventviewer_redirectionprogram) -- [ADMX_EventViewer/EventViewer_RedirectionProgramCommandLineParameters](./policy-csp-admx-eventviewer.md#admx-eventviewer-eventviewer_redirectionprogramcommandlineparameters) -- [ADMX_EventViewer/EventViewer_RedirectionURL](./policy-csp-admx-eventviewer.md#admx-eventviewer-eventviewer_redirectionurl) -- [ADMX_Explorer/AdminInfoUrl](./policy-csp-admx-explorer.md#admx-explorer-admininfourl) -- [ADMX_Explorer/AlwaysShowClassicMenu](./policy-csp-admx-explorer.md#admx-explorer-alwaysshowclassicmenu) -- [ADMX_Explorer/DisableRoamedProfileInit](./policy-csp-admx-explorer.md#admx-explorer-disableroamedprofileinit) -- [ADMX_Explorer/PreventItemCreationInUsersFilesFolder](./policy-csp-admx-explorer.md#admx-explorer-preventitemcreationinusersfilesfolder) -- [ADMX_Explorer/TurnOffSPIAnimations](./policy-csp-admx-explorer.md#admx-explorer-turnoffspianimations) -- [ADMX_ExternalBoot/PortableOperatingSystem_Hibernate](./policy-csp-admx-externalboot.md#admx-externalboot-portableoperatingsystem_hibernate) -- [ADMX_ExternalBoot/PortableOperatingSystem_Sleep](./policy-csp-admx-externalboot.md#admx-externalboot-portableoperatingsystem_sleep) -- [ADMX_ExternalBoot/PortableOperatingSystem_Launcher](./policy-csp-admx-externalboot.md#admx-externalboot-portableoperatingsystem_launcher) -- [ADMX_FileRecovery/WdiScenarioExecutionPolicy](./policy-csp-admx-filerecovery.md#admx-filerecovery-wdiscenarioexecutionpolicy) -- [ADMX_FileServerVSSProvider/Pol_EncryptProtocol](./policy-csp-admx-fileservervssprovider.md#admx-fileservervssprovider-pol-encryptprotocol) -- [ADMX_FileSys/DisableCompression](./policy-csp-admx-filesys.md#admx-filesys-disablecompression) -- [ADMX_FileSys/DisableDeleteNotification](./policy-csp-admx-filesys.md#admx-filesys-disabledeletenotification) -- [ADMX_FileSys/DisableEncryption](./policy-csp-admx-filesys.md#admx-filesys-disableencryption) -- [ADMX_FileSys/EnablePagefileEncryption](./policy-csp-admx-filesys.md#admx-filesys-enablepagefileencryption) -- [ADMX_FileSys/LongPathsEnabled](./policy-csp-admx-filesys.md#admx-filesys-longpathsenabled) -- [ADMX_FileSys/ShortNameCreationSettings](./policy-csp-admx-filesys.md#admx-filesys-shortnamecreationsettings) -- [ADMX_FileSys/SymlinkEvaluation](./policy-csp-admx-filesys.md#admx-filesys-symlinkevaluation) -- [ADMX_FileSys/TxfDeprecatedFunctionality](./policy-csp-admx-filesys.md#admx-filesys-txfdeprecatedfunctionality) -- [ADMX_FileRecovery/WdiScenarioExecutionPolicy](./policy-csp-admx-filerecovery.md#admx-filerecovery-wdiscenarioexecutionpolicy) -- [ADMX_FileRevocation/DelegatedPackageFamilyNames](./policy-csp-admx-filerevocation.md#admx-filerevocation-delegatedpackagefamilynames) -- [ADMX_FolderRedirection/DisableFRAdminPin](./policy-csp-admx-folderredirection.md#admx-folderredirection-disablefradminpin) -- [ADMX_FolderRedirection/DisableFRAdminPinByFolder](./policy-csp-admx-folderredirection.md#admx-folderredirection-disablefradminpinbyfolder) -- [ADMX_FolderRedirection/FolderRedirectionEnableCacheRename](./policy-csp-admx-folderredirection.md#admx-folderredirection-folderredirectionenablecacherename) -- [ADMX_FolderRedirection/LocalizeXPRelativePaths_1](./policy-csp-admx-folderredirection.md#admx-folderredirection-localizexprelativepaths-1) -- [ADMX_FolderRedirection/LocalizeXPRelativePaths_2](./policy-csp-admx-folderredirection.md#admx-folderredirection-localizexprelativepaths-2) -- [ADMX_FolderRedirection/PrimaryComputer_FR_1](./policy-csp-admx-folderredirection.md#admx-folderredirection-primarycomputer-fr-1) -- [ADMX_FolderRedirection/PrimaryComputer_FR_2](./policy-csp-admx-folderredirection.md#admx-folderredirection-primarycomputer-fr-2) -- [ADMX_FramePanes/NoReadingPane](./policy-csp-admx-framepanes.md#admx-framepanes-noreadingpane) -- [ADMX_FramePanes/NoPreviewPane](./policy-csp-admx-framepanes.md#admx-framepanes-nopreviewpane) -- [ADMX_FTHSVC/WdiScenarioExecutionPolicy](./policy-csp-admx-fthsvc.md#admx-fthsvc-wdiscenarioexecutionpolicy) -- [ADMX_Globalization/BlockUserInputMethodsForSignIn](./policy-csp-admx-globalization.md#admx-globalization-blockuserinputmethodsforsignin) -- [ADMX_Globalization/CustomLocalesNoSelect_1](./policy-csp-admx-globalization.md#admx-globalization-customlocalesnoselect-1) -- [ADMX_Globalization/CustomLocalesNoSelect_2](./policy-csp-admx-globalization.md#admx-globalization-customlocalesnoselect-2) -- [ADMX_Globalization/HideAdminOptions](./policy-csp-admx-globalization.md#admx-globalization-hideadminoptions) -- [ADMX_Globalization/HideCurrentLocation](./policy-csp-admx-globalization.md#admx-globalization-hidecurrentlocation) -- [ADMX_Globalization/HideLanguageSelection](./policy-csp-admx-globalization.md#admx-globalization-hidelanguageselection) -- [ADMX_Globalization/HideLocaleSelectAndCustomize](./policy-csp-admx-globalization.md#admx-globalization-hidelocaleselectandcustomize) -- [ADMX_Globalization/ImplicitDataCollectionOff_1](./policy-csp-admx-globalization.md#admx-globalization-implicitdatacollectionoff-1) -- [ADMX_Globalization/ImplicitDataCollectionOff_2](./policy-csp-admx-globalization.md#admx-globalization-implicitdatacollectionoff-2) -- [ADMX_Globalization/LocaleSystemRestrict](./policy-csp-admx-globalization.md#admx-globalization-localesystemrestrict) -- [ADMX_Globalization/LocaleUserRestrict_1](./policy-csp-admx-globalization.md#admx-globalization-localeuserrestrict-1) -- [ADMX_Globalization/LocaleUserRestrict_2](./policy-csp-admx-globalization.md#admx-globalization-localeuserrestrict-2) -- [ADMX_Globalization/LockMachineUILanguage](./policy-csp-admx-globalization.md#admx-globalization-lockmachineuilanguage) -- [ADMX_Globalization/LockUserUILanguage](./policy-csp-admx-globalization.md#admx-globalization-lockuseruilanguage) -- [ADMX_Globalization/PreventGeoIdChange_1](./policy-csp-admx-globalization.md#admx-globalization-preventgeoidchange-1) -- [ADMX_Globalization/PreventGeoIdChange_2](./policy-csp-admx-globalization.md#admx-globalization-preventgeoidchange-2) -- [ADMX_Globalization/PreventUserOverrides_1](./policy-csp-admx-globalization.md#admx-globalization-preventuseroverrides-1) -- [ADMX_Globalization/PreventUserOverrides_2](./policy-csp-admx-globalization.md#admx-globalization-preventuseroverrides-2) -- [ADMX_Globalization/RestrictUILangSelect](./policy-csp-admx-globalization.md#admx-globalization-restrictuilangselect) -- [ADMX_Globalization/TurnOffAutocorrectMisspelledWords](./policy-csp-admx-globalization.md#admx-globalization-turnoffautocorrectmisspelledwords) -- [ADMX_Globalization/TurnOffHighlightMisspelledWords](./policy-csp-admx-globalization.md#admx-globalization-turnoffhighlightmisspelledwords) -- [ADMX_Globalization/TurnOffInsertSpace](./policy-csp-admx-globalization.md#admx-globalization-turnoffinsertspace) -- [ADMX_Globalization/TurnOffOfferTextPredictions](./policy-csp-admx-globalization.md#admx-globalization-turnoffoffertextpredictions) -- [ADMX_Globalization/Y2K](./policy-csp-admx-globalization.md#admx-globalization-y2k) -- [ADMX_GroupPolicy/AllowX-ForestPolicy-and-RUP](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-allowx-forestpolicy-and-rup) -- [ADMX_GroupPolicy/CSE_AppMgmt](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-appmgmt) -- [ADMX_GroupPolicy/CSE_DiskQuota](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-diskquota) -- [ADMX_GroupPolicy/CSE_EFSRecovery](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-efsrecovery) -- [ADMX_GroupPolicy/CSE_FolderRedirection](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-folderredirection) -- [ADMX_GroupPolicy/CSE_IEM](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-iem) -- [ADMX_GroupPolicy/CSE_IPSecurity](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-ipsecurity) -- [ADMX_GroupPolicy/CSE_Registry](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-registry) -- [ADMX_GroupPolicy/CSE_Scripts](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-scripts) -- [ADMX_GroupPolicy/CSE_Security](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-security) -- [ADMX_GroupPolicy/CSE_Wired](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-wired) -- [ADMX_GroupPolicy/CSE_Wireless](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-wireless) -- [ADMX_GroupPolicy/CorpConnSyncWaitTime](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-corpconnsyncwaittime) -- [ADMX_GroupPolicy/DenyRsopToInteractiveUser_1](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-denyrsoptointeractiveuser-1) -- [ADMX_GroupPolicy/DenyRsopToInteractiveUser_2](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-denyrsoptointeractiveuser-2) -- [ADMX_GroupPolicy/DisableAOACProcessing](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-disableaoacprocessing) -- [ADMX_GroupPolicy/DisableAutoADMUpdate](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-disableautoadmupdate) -- [ADMX_GroupPolicy/DisableBackgroundPolicy](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-disablebackgroundpolicy) -- [ADMX_GroupPolicy/DisableLGPOProcessing](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-disablelgpoprocessing) -- [ADMX_GroupPolicy/DisableUsersFromMachGP](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-disableusersfrommachgp) -- [ADMX_GroupPolicy/EnableCDP](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-enablecdp) -- [ADMX_GroupPolicy/EnableLogonOptimization](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-enablelogonoptimization) -- [ADMX_GroupPolicy/EnableLogonOptimizationOnServerSKU](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-enablelogonoptimizationonserversku) -- [ADMX_GroupPolicy/EnableMMX](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-enablemmx) -- [ADMX_GroupPolicy/EnforcePoliciesOnly](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-enforcepoliciesonly) -- [ADMX_GroupPolicy/FontMitigation](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-fontmitigation) -- [ADMX_GroupPolicy/GPDCOptions](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-gpdcoptions) -- [ADMX_GroupPolicy/GPTransferRate_1](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-gptransferrate-1) -- [ADMX_GroupPolicy/GPTransferRate_2](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-gptransferrate-2) -- [ADMX_GroupPolicy/GroupPolicyRefreshRate](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-grouppolicyrefreshrate) -- [ADMX_GroupPolicy/GroupPolicyRefreshRateDC](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-grouppolicyrefreshratedc) -- [ADMX_GroupPolicy/GroupPolicyRefreshRateUser](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-grouppolicyrefreshrateuser) -- [ADMX_GroupPolicy/LogonScriptDelay](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-logonscriptdelay) -- [ADMX_GroupPolicy/NewGPODisplayName](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-newgpodisplayname) -- [ADMX_GroupPolicy/NewGPOLinksDisabled](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-newgpolinksdisabled) -- [ADMX_GroupPolicy/OnlyUseLocalAdminFiles](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-onlyuselocaladminfiles) -- [ADMX_GroupPolicy/ProcessMitigationOptions](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-processmitigationoptions) -- [ADMX_GroupPolicy/RSoPLogging](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-rsoplogging) -- [ADMX_GroupPolicy/ResetDfsClientInfoDuringRefreshPolicy](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-resetdfsclientinfoduringrefreshpolicy) -- [ADMX_GroupPolicy/SlowLinkDefaultForDirectAccess](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-slowlinkdefaultfordirectaccess) -- [ADMX_GroupPolicy/SlowlinkDefaultToAsync](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-slowlinkdefaulttoasync) -- [ADMX_GroupPolicy/SyncWaitTime](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-syncwaittime) -- [ADMX_GroupPolicy/UserPolicyMode](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-userpolicymode) -- [ADMX_Help/DisableHHDEP](./policy-csp-admx-help.md#admx-help-disablehhdep) -- [ADMX_Help/HelpQualifiedRootDir_Comp](./policy-csp-admx-help.md#admx-help-helpqualifiedrootdir-comp) -- [ADMX_Help/RestrictRunFromHelp](./policy-csp-admx-help.md#admx-help-restrictrunfromhelp) -- [ADMX_Help/RestrictRunFromHelp_Comp](./policy-csp-admx-help.md#admx-help-restrictrunfromhelp-comp) -- [ADMX_HelpAndSupport/ActiveHelp](./policy-csp-admx-helpandsupport.md#admx-helpandsupport-activehelp) -- [ADMX_HelpAndSupport/HPExplicitFeedback](./policy-csp-admx-helpandsupport.md#admx-helpandsupport-hpexplicitfeedback) -- [ADMX_HelpAndSupport/HPImplicitFeedback](./policy-csp-admx-helpandsupport.md#admx-helpandsupport-hpimplicitfeedback) -- [ADMX_HelpAndSupport/HPOnlineAssistance](./policy-csp-admx-helpandsupport.md#admx-helpandsupport-hponlineassistance) -- [ADMX_ICM/CEIPEnable](./policy-csp-admx-icm.md#admx-icm-ceipenable) -- [ADMX_ICM/CertMgr_DisableAutoRootUpdates](./policy-csp-admx-icm.md#admx-icm-certmgr-disableautorootupdates) -- [ADMX_ICM/DisableHTTPPrinting_1](./policy-csp-admx-icm.md#admx-icm-disablehttpprinting-1) -- [ADMX_ICM/DisableWebPnPDownload_1](./policy-csp-admx-icm.md#admx-icm-disablewebpnpdownload-1) -- [ADMX_ICM/DriverSearchPlaces_DontSearchWindowsUpdate](./policy-csp-admx-icm.md#admx-icm-driversearchplaces-dontsearchwindowsupdate) -- [ADMX_ICM/EventViewer_DisableLinks](./policy-csp-admx-icm.md#admx-icm-eventviewer-disablelinks) -- [ADMX_ICM/HSS_HeadlinesPolicy](./policy-csp-admx-icm.md#admx-icm-hss-headlinespolicy) -- [ADMX_ICM/HSS_KBSearchPolicy](./policy-csp-admx-icm.md#admx-icm-hss-kbsearchpolicy) -- [ADMX_ICM/InternetManagement_RestrictCommunication_1](./policy-csp-admx-icm.md#admx-icm-internetmanagement-restrictcommunication-1) -- [ADMX_ICM/InternetManagement_RestrictCommunication_2](./policy-csp-admx-icm.md#admx-icm-internetmanagement-restrictcommunication-2) -- [ADMX_ICM/NC_ExitOnISP](./policy-csp-admx-icm.md#admx-icm-nc-exitonisp) -- [ADMX_ICM/NC_NoRegistration](./policy-csp-admx-icm.md#admx-icm-nc-noregistration) -- [ADMX_ICM/PCH_DoNotReport](./policy-csp-admx-icm.md#admx-icm-pch-donotreport) -- [ADMX_ICM/RemoveWindowsUpdate_ICM](./policy-csp-admx-icm.md#admx-icm-removewindowsupdate-icm) -- [ADMX_ICM/SearchCompanion_DisableFileUpdates](./policy-csp-admx-icm.md#admx-icm-searchcompanion-disablefileupdates) -- [ADMX_ICM/ShellNoUseInternetOpenWith_1](./policy-csp-admx-icm.md#admx-icm-shellnouseinternetopenwith-1) -- [ADMX_ICM/ShellNoUseInternetOpenWith_2](./policy-csp-admx-icm.md#admx-icm-shellnouseinternetopenwith-2) -- [ADMX_ICM/ShellNoUseStoreOpenWith_1](./policy-csp-admx-icm.md#admx-icm-shellnousestoreopenwith-1) -- [ADMX_ICM/ShellNoUseStoreOpenWith_2](./policy-csp-admx-icm.md#admx-icm-shellnousestoreopenwith-2) -- [ADMX_ICM/ShellPreventWPWDownload_1](./policy-csp-admx-icm.md#admx-icm-shellpreventwpwdownload-1) -- [ADMX_ICM/ShellRemoveOrderPrints_1](./policy-csp-admx-icm.md#admx-icm-shellremoveorderprints-1) -- [ADMX_ICM/ShellRemoveOrderPrints_2](./policy-csp-admx-icm.md#admx-icm-shellremoveorderprints-2) -- [ADMX_ICM/ShellRemovePublishToWeb_1](./policy-csp-admx-icm.md#admx-icm-shellremovepublishtoweb-1) -- [ADMX_ICM/ShellRemovePublishToWeb_2](./policy-csp-admx-icm.md#admx-icm-shellremovepublishtoweb-2) -- [ADMX_ICM/WinMSG_NoInstrumentation_1](./policy-csp-admx-icm.md#admx-icm-winmsg_noinstrumentation-1) -- [ADMX_ICM/WinMSG_NoInstrumentation_2](./policy-csp-admx-icm.md#admx-icm-winmsg_noinstrumentation-2) -- [ADMX_IIS/PreventIISInstall](./policy-csp-admx-iis.md#admx-iis-preventiisinstall) -- [ADMX_iSCSI/iSCSIGeneral_RestrictAdditionalLogins](./policy-csp-admx-iscsi.md#admx-iscsi-iscsigeneral_restrictadditionallogins) -- [ADMX_iSCSI/iSCSIGeneral_ChangeIQNName](./policy-csp-admx-iscsi.md#admx-iscsi-iscsigeneral_changeiqnname) -- [ADMX_iSCSI/iSCSISecurity_ChangeCHAPSecret](./policy-csp-admx-iscsi.md#admx-iscsi-iscsisecurity_changechapsecret) -- [ADMX_kdc/CbacAndArmor](./policy-csp-admx-kdc.md#admx-kdc-cbacandarmor) -- [ADMX_kdc/ForestSearch](./policy-csp-admx-kdc.md#admx-kdc-forestsearch) -- [ADMX_kdc/PKINITFreshness](./policy-csp-admx-kdc.md#admx-kdc-pkinitfreshness) -- [ADMX_kdc/RequestCompoundId](./policy-csp-admx-kdc.md#admx-kdc-requestcompoundid) -- [ADMX_kdc/TicketSizeThreshold](./policy-csp-admx-kdc.md#admx-kdc-ticketsizethreshold) -- [ADMX_kdc/emitlili](./policy-csp-admx-kdc.md#admx-kdc-emitlili) -- [ADMX_Kerberos/AlwaysSendCompoundId](./policy-csp-admx-kerberos.md#admx-kerberos-alwayssendcompoundid) -- [ADMX_Kerberos/DevicePKInitEnabled](./policy-csp-admx-kerberos.md#admx-kerberos-devicepkinitenabled) -- [ADMX_Kerberos/HostToRealm](./policy-csp-admx-kerberos.md#admx-kerberos-hosttorealm) -- [ADMX_Kerberos/KdcProxyDisableServerRevocationCheck](./policy-csp-admx-kerberos.md#admx-kerberos-kdcproxydisableserverrevocationcheck) -- [ADMX_Kerberos/KdcProxyServer](./policy-csp-admx-kerberos.md#admx-kerberos-kdcproxyserver) -- [ADMX_Kerberos/MitRealms](./policy-csp-admx-kerberos.md#admx-kerberos-mitrealms) -- [ADMX_Kerberos/ServerAcceptsCompound](./policy-csp-admx-kerberos.md#admx-kerberos-serveracceptscompound) -- [ADMX_Kerberos/StrictTarget](./policy-csp-admx-kerberos.md#admx-kerberos-stricttarget) -- [ADMX_LanmanServer/Pol_CipherSuiteOrder](./policy-csp-admx-lanmanserver.md#admx-lanmanserver-pol-ciphersuiteorder) -- [ADMX_LanmanServer/Pol_HashPublication](./policy-csp-admx-lanmanserver.md#admx-lanmanserver-pol-hashpublication) -- [ADMX_LanmanServer/Pol_HashSupportVersion](./policy-csp-admx-lanmanserver.md#admx-lanmanserver-pol-hashsupportversion) -- [ADMX_LanmanServer/Pol_HonorCipherSuiteOrder](./policy-csp-admx-lanmanserver.md#admx-lanmanserver-pol-honorciphersuiteorder) -- [ADMX_LanmanWorkstation/Pol_CipherSuiteOrder](./policy-csp-admx-lanmanworkstation.md#admx-lanmanworkstation-pol-ciphersuiteorder) -- [ADMX_LanmanWorkstation/Pol_EnableHandleCachingForCAFiles](./policy-csp-admx-lanmanworkstation.md#admx-lanmanworkstation-pol-enablehandlecachingforcafiles) -- [ADMX_LanmanWorkstation/Pol_EnableOfflineFilesforCAShares](./policy-csp-admx-lanmanworkstation.md#admx-lanmanworkstation-pol-enableofflinefilesforcashares) -- [ADMX_LeakDiagnostic/WdiScenarioExecutionPolicy](./policy-csp-admx-leakdiagnostic.md#admx-leakdiagnostic-wdiscenarioexecutionpolicy) -- [ADMX_LinkLayerTopologyDiscovery/LLTD_EnableLLTDIO](./policy-csp-admx-linklayertopologydiscovery.md#admx-linklayertopologydiscovery-lltd-enablelltdio) -- [ADMX_LinkLayerTopologyDiscovery/LLTD_EnableRspndr](./policy-csp-admx-linklayertopologydiscovery.md#admx-linklayertopologydiscovery-lltd-enablerspndr) -- [ADMX_LocationProviderAdm/DisableWindowsLocationProvider_1](./policy-csp-admx-locationprovideradm.md#admx-locationprovideradm-disablewindowslocationprovider_1) -- [ADMX_Logon/BlockUserFromShowingAccountDetailsOnSignin](./policy-csp-admx-logon.md#admx-logon-blockuserfromshowingaccountdetailsonsignin) -- [ADMX_Logon/DisableAcrylicBackgroundOnLogon](./policy-csp-admx-logon.md#admx-logon-disableacrylicbackgroundonlogon) -- [ADMX_Logon/DisableExplorerRunLegacy_1](./policy-csp-admx-logon.md#admx-logon-disableexplorerrunlegacy-1) -- [ADMX_Logon/DisableExplorerRunLegacy_2](./policy-csp-admx-logon.md#admx-logon-disableexplorerrunlegacy-2) -- [ADMX_Logon/DisableExplorerRunOnceLegacy_1](./policy-csp-admx-logon.md#admx-logon-disableexplorerrunoncelegacy-1) -- [ADMX_Logon/DisableExplorerRunOnceLegacy_2](./policy-csp-admx-logon.md#admx-logon-disableexplorerrunoncelegacy-2) -- [ADMX_Logon/DisableStatusMessages](./policy-csp-admx-logon.md#admx-logon-disablestatusmessages) -- [ADMX_Logon/DontEnumerateConnectedUsers](./policy-csp-admx-logon.md#admx-logon-dontenumerateconnectedusers) -- [ADMX_Logon/NoWelcomeTips_1](./policy-csp-admx-logon.md#admx-logon-nowelcometips-1) -- [ADMX_Logon/NoWelcomeTips_2](./policy-csp-admx-logon.md#admx-logon-nowelcometips-2) -- [ADMX_Logon/Run_1](./policy-csp-admx-logon.md#admx-logon-run-1) -- [ADMX_Logon/Run_2](./policy-csp-admx-logon.md#admx-logon-run-2) -- [ADMX_Logon/SyncForegroundPolicy](./policy-csp-admx-logon.md#admx-logon-syncforegroundpolicy) -- [ADMX_Logon/UseOEMBackground](./policy-csp-admx-logon.md#admx-logon-useoembackground) -- [ADMX_Logon/VerboseStatus](./policy-csp-admx-logon.md#admx-logon-verbosestatus) -- [ADMX_MicrosoftDefenderAntivirus/AllowFastServiceStartup](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-allowfastservicestartup) -- [ADMX_MicrosoftDefenderAntivirus/DisableAntiSpywareDefender](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-disableantispywaredefender) -- [ADMX_MicrosoftDefenderAntivirus/DisableAutoExclusions](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-disableautoexclusions) -- [ADMX_MicrosoftDefenderAntivirus/DisableBlockAtFirstSeen](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-disableblockatfirstseen) -- [ADMX_MicrosoftDefenderAntivirus/DisableLocalAdminMerge](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-disablelocaladminmerge) -- [ADMX_MicrosoftDefenderAntivirus/DisableRealtimeMonitoring](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-disablerealtimemonitoring) -- [ADMX_MicrosoftDefenderAntivirus/DisableRoutinelyTakingAction](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-disableroutinelytakingaction) -- [ADMX_MicrosoftDefenderAntivirus/Exclusions_Extensions](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-exclusions-extensions) -- [ADMX_MicrosoftDefenderAntivirus/Exclusions_Paths](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-exclusions-paths) -- [ADMX_MicrosoftDefenderAntivirus/Exclusions_Processes](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-exclusions-processes) -- [ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ASR_ASROnlyExclusions](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-exploitguard-asr-asronlyexclusions) -- [ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ASR_Rules](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-exploitguard-asr-rules) -- [ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ControlledFolderAccess_AllowedApplications](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-exploitguard-controlledfolderaccess-allowedapplications) -- [ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ControlledFolderAccess_ProtectedFolders](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-exploitguard-controlledfolderaccess-protectedfolders) -- [ADMX_MicrosoftDefenderAntivirus/MpEngine_EnableFileHashComputation](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-mpengine-enablefilehashcomputation) -- [ADMX_MicrosoftDefenderAntivirus/Nis_Consumers_IPS_DisableSignatureRetirement](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-nis-consumers-ips-disablesignatureretirement) -- [ADMX_MicrosoftDefenderAntivirus/Nis_Consumers_IPS_sku_differentiation_Signature_Set_Guid](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-nis-consumers-ips-sku-differentiation-signature-set-guid) -- [ADMX_MicrosoftDefenderAntivirus/Nis_DisableProtocolRecognition](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-nis-disableprotocolrecognition) -- [ADMX_MicrosoftDefenderAntivirus/ProxyBypass](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-proxybypass) -- [ADMX_MicrosoftDefenderAntivirus/ProxyPacUrl](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-proxypacurl) -- [ADMX_MicrosoftDefenderAntivirus/ProxyServer](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-proxyserver) -- [ADMX_MicrosoftDefenderAntivirus/Quarantine_LocalSettingOverridePurgeItemsAfterDelay](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-quarantine-localsettingoverridepurgeitemsafterdelay) -- [ADMX_MicrosoftDefenderAntivirus/Quarantine_PurgeItemsAfterDelay](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-quarantine-purgeitemsafterdelay) -- [ADMX_MicrosoftDefenderAntivirus/RandomizeScheduleTaskTimes](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-randomizescheduletasktimes) -- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableBehaviorMonitoring](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-disablebehaviormonitoring) -- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableIOAVProtection](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-disableioavprotection) -- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableOnAccessProtection](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-disableonaccessprotection) -- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableRawWriteNotification](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-disablerawwritenotification) -- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableScanOnRealtimeEnable](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-disablescanonrealtimeenable) -- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_IOAVMaxSize](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-ioavmaxsize) -- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableBehaviorMonitoring](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-localsettingoverridedisablebehaviormonitoring) -- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableIOAVProtection](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-localsettingoverridedisableioavprotection) -- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableOnAccessProtection](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-localsettingoverridedisableonaccessprotection) -- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableRealtimeMonitoring](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-localsettingoverridedisablerealtimemonitoring) -- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideRealtimeScanDirection](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-localsettingoverriderealtimescandirection) -- [ADMX_MicrosoftDefenderAntivirus/Remediation_LocalSettingOverrideScan_ScheduleTime](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-remediation-localsettingoverridescan-scheduletime) -- [ADMX_MicrosoftDefenderAntivirus/Remediation_Scan_ScheduleDay](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-remediation-scan-scheduleday) -- [ADMX_MicrosoftDefenderAntivirus/Remediation_Scan_ScheduleTime](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-remediation-scan-scheduletime) -- [ADMX_MicrosoftDefenderAntivirus/Reporting_AdditionalActionTimeout](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-additionalactiontimeout) -- [ADMX_MicrosoftDefenderAntivirus/Reporting_CriticalFailureTimeout](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-criticalfailuretimeout) -- [ADMX_MicrosoftDefenderAntivirus/Reporting_DisableEnhancedNotifications](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-disableenhancednotifications) -- [ADMX_MicrosoftDefenderAntivirus/Reporting_Disablegenericreports](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-disablegenericreports) -- [ADMX_MicrosoftDefenderAntivirus/Reporting_NonCriticalTimeout](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-noncriticaltimeout) -- [ADMX_MicrosoftDefenderAntivirus/Reporting_RecentlyCleanedTimeout](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-recentlycleanedtimeout) -- [ADMX_MicrosoftDefenderAntivirus/Reporting_WppTracingComponents](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-wpptracingcomponents) -- [ADMX_MicrosoftDefenderAntivirus/Reporting_WppTracingLevel](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-wpptracinglevel) -- [ADMX_MicrosoftDefenderAntivirus/Scan_AllowPause](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-allowpause) -- [ADMX_MicrosoftDefenderAntivirus/Scan_ArchiveMaxDepth](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-archivemaxdepth) -- [ADMX_MicrosoftDefenderAntivirus/Scan_ArchiveMaxSize](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-archivemaxsize) -- [ADMX_MicrosoftDefenderAntivirus/Scan_DisableArchiveScanning](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disablearchivescanning) -- [ADMX_MicrosoftDefenderAntivirus/Scan_DisableEmailScanning](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disableemailscanning) -- [ADMX_MicrosoftDefenderAntivirus/Scan_DisableHeuristics](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disableheuristics) -- [ADMX_MicrosoftDefenderAntivirus/Scan_DisablePackedExeScanning](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disablepackedexescanning) -- [ADMX_MicrosoftDefenderAntivirus/Scan_DisableRemovableDriveScanning](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disableremovabledrivescanning) -- [ADMX_MicrosoftDefenderAntivirus/Scan_DisableReparsePointScanning](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disablereparsepointscanning) -- [ADMX_MicrosoftDefenderAntivirus/Scan_DisableRestorePoint](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disablerestorepoint) -- [ADMX_MicrosoftDefenderAntivirus/Scan_DisableScanningMappedNetworkDrivesForFullScan](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disablescanningmappednetworkdrivesforfullscan) -- [ADMX_MicrosoftDefenderAntivirus/Scan_DisableScanningNetworkFiles](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disablescanningnetworkfiles) -- [ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideAvgCPULoadFactor](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-localsettingoverrideavgcpuloadfactor) -- [ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScanParameters](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-localsettingoverridescanparameters) -- [ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleDay](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-localsettingoverridescheduleday) -- [ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleQuickScantime](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-localsettingoverrideschedulequickscantime) -- [ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleTime](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-localsettingoverridescheduletime) -- [ADMX_MicrosoftDefenderAntivirus/Scan_LowCpuPriority](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-lowcpupriority) -- [ADMX_MicrosoftDefenderAntivirus/Scan_MissedScheduledScanCountBeforeCatchup](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-missedscheduledscancountbeforecatchup) -- [ADMX_MicrosoftDefenderAntivirus/Scan_PurgeItemsAfterDelay](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-purgeitemsafterdelay) -- [ADMX_MicrosoftDefenderAntivirus/Scan_QuickScanInterval](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-quickscaninterval) -- [ADMX_MicrosoftDefenderAntivirus/Scan_ScanOnlyIfIdle](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-scanonlyifidle) -- [ADMX_MicrosoftDefenderAntivirus/Scan_ScheduleDay](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-scheduleday) -- [ADMX_MicrosoftDefenderAntivirus/Scan_ScheduleTime](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-scheduletime) -- [ADMX_MicrosoftDefenderAntivirus/ServiceKeepAlive](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-servicekeepalive) -- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ASSignatureDue](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-assignaturedue) -- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_AVSignatureDue](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-avsignaturedue) -- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DefinitionUpdateFileSharesSources](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-definitionupdatefilesharessources) -- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableScanOnUpdate](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-disablescanonupdate) -- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableScheduledSignatureUpdateonBattery](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-disablescheduledsignatureupdateonbattery) -- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableUpdateOnStartupWithoutEngine](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-disableupdateonstartupwithoutengine) -- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_FallbackOrder](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-fallbackorder) -- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ForceUpdateFromMU](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-forceupdatefrommu) -- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_RealtimeSignatureDelivery](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-realtimesignaturedelivery) -- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ScheduleDay](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-scheduleday) -- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ScheduleTime](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-scheduletime) -- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SharedSignaturesLocation](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-sharedsignatureslocation) -- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SignatureDisableNotification](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-signaturedisablenotification) -- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SignatureUpdateCatchupInterval](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-signatureupdatecatchupinterval) -- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_UpdateOnStartup](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-updateonstartup) -- [ADMX_MicrosoftDefenderAntivirus/SpynetReporting](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-spynetreporting) -- [ADMX_MicrosoftDefenderAntivirus/Spynet_LocalSettingOverrideSpynetReporting](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-spynet-localsettingoverridespynetreporting) -- [ADMX_MicrosoftDefenderAntivirus/Threats_ThreatIdDefaultAction](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-threats-threatiddefaultaction) -- [ADMX_MicrosoftDefenderAntivirus/UX_Configuration_CustomDefaultActionToastString](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-ux-configuration-customdefaultactiontoaststring) -- [ADMX_MicrosoftDefenderAntivirus/UX_Configuration_Notification_Suppress](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-ux-configuration-notification-suppress) -- [ADMX_MicrosoftDefenderAntivirus/UX_Configuration_SuppressRebootNotification](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-ux-configuration-suppressrebootnotification) -- [ADMX_MicrosoftDefenderAntivirus/UX_Configuration_UILockdown](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-ux-configuration-uilockdown) -- [ADMX_MMC/MMC_ActiveXControl](./policy-csp-admx-mmc.md#admx-mmc-mmc-activexcontrol) -- [ADMX_MMC/MMC_ExtendView](./policy-csp-admx-mmc.md#admx-mmc-mmc-extendview) -- [ADMX_MMC/MMC_LinkToWeb](./policy-csp-admx-mmc.md#admx-mmc-mmc-linktoweb) -- [ADMX_MMC/MMC_Restrict_Author](./policy-csp-admx-mmc.md#admx-mmc-mmc-restrict-author) -- [ADMX_MMC/MMC_Restrict_To_Permitted_Snapins](./policy-csp-admx-mmc.md#admx-mmc-mmc-restrict-to-permitted-snapins) -- [ADMX_MMCSnapins/MMC_ADMComputers_1](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-admcomputers-1) -- [ADMX_MMCSnapins/MMC_ADMComputers_2](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-admcomputers-2) -- [ADMX_MMCSnapins/MMC_ADMUsers_1](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-admusers-1) -- [ADMX_MMCSnapins/MMC_ADMUsers_2](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-admusers-2) -- [ADMX_MMCSnapins/MMC_ADSI](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-adsi) -- [ADMX_MMCSnapins/MMC_ActiveDirDomTrusts](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-activedirdomtrusts) -- [ADMX_MMCSnapins/MMC_ActiveDirSitesServices](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-activedirsitesservices) -- [ADMX_MMCSnapins/MMC_ActiveDirUsersComp](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-activediruserscomp) -- [ADMX_MMCSnapins/MMC_AppleTalkRouting](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-appletalkrouting) -- [ADMX_MMCSnapins/MMC_AuthMan](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-authman) -- [ADMX_MMCSnapins/MMC_CertAuth](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-certauth) -- [ADMX_MMCSnapins/MMC_CertAuthPolSet](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-certauthpolset) -- [ADMX_MMCSnapins/MMC_Certs](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-certs) -- [ADMX_MMCSnapins/MMC_CertsTemplate](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-certstemplate) -- [ADMX_MMCSnapins/MMC_ComponentServices](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-componentservices) -- [ADMX_MMCSnapins/MMC_ComputerManagement](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-computermanagement) -- [ADMX_MMCSnapins/MMC_ConnectionSharingNAT](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-connectionsharingnat) -- [ADMX_MMCSnapins/MMC_DCOMCFG](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-dcomcfg) -- [ADMX_MMCSnapins/MMC_DFS](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-dfs) -- [ADMX_MMCSnapins/MMC_DHCPRelayMgmt](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-dhcprelaymgmt) -- [ADMX_MMCSnapins/MMC_DeviceManager_1](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-devicemanager-1) -- [ADMX_MMCSnapins/MMC_DeviceManager_2](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-devicemanager-2) -- [ADMX_MMCSnapins/MMC_DiskDefrag](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-diskdefrag) -- [ADMX_MMCSnapins/MMC_DiskMgmt](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-diskmgmt) -- [ADMX_MMCSnapins/MMC_EnterprisePKI](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-enterprisepki) -- [ADMX_MMCSnapins/MMC_EventViewer_1](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-eventviewer-1) -- [ADMX_MMCSnapins/MMC_EventViewer_2](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-eventviewer-2) -- [ADMX_MMCSnapins/MMC_EventViewer_3](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-eventviewer-3) -- [ADMX_MMCSnapins/MMC_EventViewer_4](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-eventviewer-4) -- [ADMX_MMCSnapins/MMC_FAXService](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-faxservice) -- [ADMX_MMCSnapins/MMC_FailoverClusters](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-failoverclusters) -- [ADMX_MMCSnapins/MMC_FolderRedirection_1](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-folderredirection-1) -- [ADMX_MMCSnapins/MMC_FolderRedirection_2](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-folderredirection-2) -- [ADMX_MMCSnapins/MMC_FrontPageExt](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-frontpageext) -- [ADMX_MMCSnapins/MMC_GroupPolicyManagementSnapIn](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-grouppolicymanagementsnapin) -- [ADMX_MMCSnapins/MMC_GroupPolicySnapIn](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-grouppolicysnapin) -- [ADMX_MMCSnapins/MMC_GroupPolicyTab](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-grouppolicytab) -- [ADMX_MMCSnapins/MMC_HRA](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-hra) -- [ADMX_MMCSnapins/MMC_IAS](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ias) -- [ADMX_MMCSnapins/MMC_IASLogging](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-iaslogging) -- [ADMX_MMCSnapins/MMC_IEMaintenance_1](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-iemaintenance-1) -- [ADMX_MMCSnapins/MMC_IEMaintenance_2](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-iemaintenance-2) -- [ADMX_MMCSnapins/MMC_IGMPRouting](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-igmprouting) -- [ADMX_MMCSnapins/MMC_IIS](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-iis) -- [ADMX_MMCSnapins/MMC_IPRouting](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-iprouting) -- [ADMX_MMCSnapins/MMC_IPSecManage_GP](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ipsecmanage-gp) -- [ADMX_MMCSnapins/MMC_IPXRIPRouting](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ipxriprouting) -- [ADMX_MMCSnapins/MMC_IPXRouting](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ipxrouting) -- [ADMX_MMCSnapins/MMC_IPXSAPRouting](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ipxsaprouting) -- [ADMX_MMCSnapins/MMC_IndexingService](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-indexingservice) -- [ADMX_MMCSnapins/MMC_IpSecManage](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ipsecmanage) -- [ADMX_MMCSnapins/MMC_IpSecMonitor](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ipsecmonitor) -- [ADMX_MMCSnapins/MMC_LocalUsersGroups](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-localusersgroups) -- [ADMX_MMCSnapins/MMC_LogicalMappedDrives](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-logicalmappeddrives) -- [ADMX_MMCSnapins/MMC_NPSUI](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-npsui) -- [ADMX_MMCSnapins/MMC_NapSnap](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-napsnap) -- [ADMX_MMCSnapins/MMC_NapSnap_GP](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-napsnap-gp) -- [ADMX_MMCSnapins/MMC_Net_Framework](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-net-framework) -- [ADMX_MMCSnapins/MMC_OCSP](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ocsp) -- [ADMX_MMCSnapins/MMC_OSPFRouting](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ospfrouting) -- [ADMX_MMCSnapins/MMC_PerfLogsAlerts](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-perflogsalerts) -- [ADMX_MMCSnapins/MMC_PublicKey](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-publickey) -- [ADMX_MMCSnapins/MMC_QoSAdmission](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-qosadmission) -- [ADMX_MMCSnapins/MMC_RAS_DialinUser](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ras-dialinuser) -- [ADMX_MMCSnapins/MMC_RIPRouting](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-riprouting) -- [ADMX_MMCSnapins/MMC_RIS](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ris) -- [ADMX_MMCSnapins/MMC_RRA](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-rra) -- [ADMX_MMCSnapins/MMC_RSM](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-rsm) -- [ADMX_MMCSnapins/MMC_RemStore](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-remstore) -- [ADMX_MMCSnapins/MMC_RemoteAccess](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-remoteaccess) -- [ADMX_MMCSnapins/MMC_RemoteDesktop](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-remotedesktop) -- [ADMX_MMCSnapins/MMC_ResultantSetOfPolicySnapIn](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-resultantsetofpolicysnapin) -- [ADMX_MMCSnapins/MMC_Routing](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-routing) -- [ADMX_MMCSnapins/MMC_SCA](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-sca) -- [ADMX_MMCSnapins/MMC_SMTPProtocol](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-smtpprotocol) -- [ADMX_MMCSnapins/MMC_SNMP](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-snmp) -- [ADMX_MMCSnapins/MMC_ScriptsMachine_1](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-scriptsmachine-1) -- [ADMX_MMCSnapins/MMC_ScriptsMachine_2](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-scriptsmachine-2) -- [ADMX_MMCSnapins/MMC_ScriptsUser_1](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-scriptsuser-1) -- [ADMX_MMCSnapins/MMC_ScriptsUser_2](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-scriptsuser-2) -- [ADMX_MMCSnapins/MMC_SecuritySettings_1](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-securitysettings-1) -- [ADMX_MMCSnapins/MMC_SecuritySettings_2](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-securitysettings-2) -- [ADMX_MMCSnapins/MMC_SecurityTemplates](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-securitytemplates) -- [ADMX_MMCSnapins/MMC_SendConsoleMessage](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-sendconsolemessage) -- [ADMX_MMCSnapins/MMC_ServerManager](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-servermanager) -- [ADMX_MMCSnapins/MMC_ServiceDependencies](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-servicedependencies) -- [ADMX_MMCSnapins/MMC_Services](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-services) -- [ADMX_MMCSnapins/MMC_SharedFolders](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-sharedfolders) -- [ADMX_MMCSnapins/MMC_SharedFolders_Ext](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-sharedfolders-ext) -- [ADMX_MMCSnapins/MMC_SoftwareInstalationComputers_1](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-softwareinstalationcomputers-1) -- [ADMX_MMCSnapins/MMC_SoftwareInstalationComputers_2](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-softwareinstalationcomputers-2) -- [ADMX_MMCSnapins/MMC_SoftwareInstallationUsers_1](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-softwareinstallationusers-1) -- [ADMX_MMCSnapins/MMC_SoftwareInstallationUsers_2](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-softwareinstallationusers-2) -- [ADMX_MMCSnapins/MMC_SysInfo](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-sysinfo) -- [ADMX_MMCSnapins/MMC_SysProp](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-sysprop) -- [ADMX_MMCSnapins/MMC_TPMManagement](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-tpmmanagement) -- [ADMX_MMCSnapins/MMC_Telephony](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-telephony) -- [ADMX_MMCSnapins/MMC_TerminalServices](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-terminalservices) -- [ADMX_MMCSnapins/MMC_WMI](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-wmi) -- [ADMX_MMCSnapins/MMC_WindowsFirewall](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-windowsfirewall) -- [ADMX_MMCSnapins/MMC_WindowsFirewall_GP](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-windowsfirewall-gp) -- [ADMX_MMCSnapins/MMC_WiredNetworkPolicy](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-wirednetworkpolicy) -- [ADMX_MMCSnapins/MMC_WirelessMon](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-wirelessmon) -- [ADMX_MMCSnapins/MMC_WirelessNetworkPolicy](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-wirelessnetworkpolicy) -- [ADMX_MobilePCMobilityCenter/MobilityCenterEnable_1](./policy-csp-admx-mobilepcmobilitycenter.md#admx-mobilepcmobilitycenter-mobilitycenterenable_1) -- [ADMX_MobilePCMobilityCenter/MobilityCenterEnable_2](./policy-csp-admx-mobilepcmobilitycenter.md#admx-mobilepcmobilitycenter-mobilitycenterenable_2) -- [ADMX_MobilePCPresentationSettings/PresentationSettingsEnable_1](./policy-csp-admx-mobilepcpresentationsettings.md#admx-mobilepcpresentationsettings-presentationsettingsenable_1) -- [ADMX_MobilePCPresentationSettings/PresentationSettingsEnable_2](./policy-csp-admx-mobilepcpresentationsettings.md#admx-mobilepcpresentationsettings-presentationsettingsenable_2) -- [ADMX_MSAPolicy/IncludeMicrosoftAccount_DisableUserAuthCmdLine](./policy-csp-admx-msapolicy.md#admx-msapolicy-microsoftaccount-disableuserauth) -- [ADMX_msched/ActivationBoundaryPolicy](./policy-csp-admx-msched.md#admx-msched-activationboundarypolicy) -- [ADMX_msched/RandomDelayPolicy](./policy-csp-admx-msched.md#admx-msched-randomdelaypolicy) -- [ADMX_MSDT/MsdtSupportProvider](./policy-csp-admx-msdt.md#admx-msdt-msdtsupportprovider) -- [ADMX_MSDT/MsdtToolDownloadPolicy](./policy-csp-admx-msdt.md#admx-msdt-msdttooldownloadpolicy) -- [ADMX_MSDT/WdiScenarioExecutionPolicy](./policy-csp-admx-msdt.md#admx-msdt-wdiscenarioexecutionpolicy) -- [ADMX_MSI/AllowLockdownBrowse](./policy-csp-admx-msi.md#admx-msi-allowlockdownbrowse) -- [ADMX_MSI/AllowLockdownMedia](./policy-csp-admx-msi.md#admx-msi-allowlockdownmedia) -- [ADMX_MSI/AllowLockdownPatch](./policy-csp-admx-msi.md#admx-msi-allowlockdownpatch) -- [ADMX_MSI/DisableAutomaticApplicationShutdown](./policy-csp-admx-msi.md#admx-msi-disableautomaticapplicationshutdown) -- [ADMX_MSI/DisableBrowse](./policy-csp-admx-msi.md#admx-msi-disablebrowse) -- [ADMX_MSI/DisableFlyweightPatching](./policy-csp-admx-msi.md#admx-msi-disableflyweightpatching) -- [ADMX_MSI/DisableLoggingFromPackage](./policy-csp-admx-msi.md#admx-msi-disableloggingfrompackage) -- [ADMX_MSI/DisableMSI](./policy-csp-admx-msi.md#admx-msi-disablemsi) -- [ADMX_MSI/DisableMedia](./policy-csp-admx-msi.md#admx-msi-disablemedia) -- [ADMX_MSI/DisablePatch](./policy-csp-admx-msi.md#admx-msi-disablepatch) -- [ADMX_MSI/DisableRollback_1](./policy-csp-admx-msi.md#admx-msi-disablerollback-1) -- [ADMX_MSI/DisableRollback_2](./policy-csp-admx-msi.md#admx-msi-disablerollback-2) -- [ADMX_MSI/DisableSharedComponent](./policy-csp-admx-msi.md#admx-msi-disablesharedcomponent) -- [ADMX_MSI/MSILogging](./policy-csp-admx-msi.md#admx-msi-msilogging) -- [ADMX_MSI/MSI_DisableLUAPatching](./policy-csp-admx-msi.md#admx-msi-msi-disableluapatching) -- [ADMX_MSI/MSI_DisablePatchUninstall](./policy-csp-admx-msi.md#admx-msi-msi-disablepatchuninstall) -- [ADMX_MSI/MSI_DisableSRCheckPoints](./policy-csp-admx-msi.md#admx-msi-msi-disablesrcheckpoints) -- [ADMX_MSI/MSI_DisableUserInstalls](./policy-csp-admx-msi.md#admx-msi-msi-disableuserinstalls) -- [ADMX_MSI/MSI_EnforceUpgradeComponentRules](./policy-csp-admx-msi.md#admx-msi-msi-enforceupgradecomponentrules) -- [ADMX_MSI/MSI_MaxPatchCacheSize](./policy-csp-admx-msi.md#admx-msi-msi-maxpatchcachesize) -- [ADMX_MSI/MsiDisableEmbeddedUI](./policy-csp-admx-msi.md#admx-msi-msidisableembeddedui) -- [ADMX_MSI/SafeForScripting](./policy-csp-admx-msi.md#admx-msi-safeforscripting) -- [ADMX_MSI/SearchOrder](./policy-csp-admx-msi.md#admx-msi-searchorder) -- [ADMX_MSI/TransformsSecure](./policy-csp-admx-msi.md#admx-msi-transformssecure) -- [ADMX_MsiFileRecovery/WdiScenarioExecutionPolicy](./policy-csp-admx-msifilerecovery.md#admx-msifilerecovery-wdiscenarioexecutionpolicy) -- [ADMX_nca/CorporateResources](./policy-csp-admx-nca.md#admx-nca-corporateresources) -- [ADMX_nca/CustomCommands](./policy-csp-admx-nca.md#admx-nca-customcommands) -- [ADMX_nca/DTEs](./policy-csp-admx-nca.md#admx-nca-dtes) -- [ADMX_nca/FriendlyName](./policy-csp-admx-nca.md#admx-nca-friendlyname) -- [ADMX_nca/LocalNamesOn](./policy-csp-admx-nca.md#admx-nca-localnameson) -- [ADMX_nca/PassiveMode](./policy-csp-admx-nca.md#admx-nca-passivemode) -- [ADMX_nca/ShowUI](./policy-csp-admx-nca.md#admx-nca-showui) -- [ADMX_nca/SupportEmail](./policy-csp-admx-nca.md#admx-nca-supportemail) -- [ADMX_NCSI/NCSI_CorpDnsProbeContent](./policy-csp-admx-ncsi.md#admx-ncsi-ncsi-corpdnsprobecontent) -- [ADMX_NCSI/NCSI_CorpDnsProbeHost](./policy-csp-admx-ncsi.md#admx-ncsi-ncsi-corpdnsprobehost) -- [ADMX_NCSI/NCSI_CorpSitePrefixes](./policy-csp-admx-ncsi.md#admx-ncsi-ncsi-corpsiteprefixes) -- [ADMX_NCSI/NCSI_CorpWebProbeUrl](./policy-csp-admx-ncsi.md#admx-ncsi-ncsi-corpwebprobeurl) -- [ADMX_NCSI/NCSI_DomainLocationDeterminationUrl](./policy-csp-admx-ncsi.md#admx-ncsi-ncsi-domainlocationdeterminationurl) -- [ADMX_NCSI/NCSI_GlobalDns](./policy-csp-admx-ncsi.md#admx-ncsi-ncsi-globaldns) -- [ADMX_NCSI/NCSI_PassivePolling](./policy-csp-admx-ncsi.md#admx-ncsi-ncsi-passivepolling) -- [ADMX_Netlogon/Netlogon_AddressLookupOnPingBehavior](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-addresslookuponpingbehavior) -- [ADMX_Netlogon/Netlogon_AddressTypeReturned](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-addresstypereturned) -- [ADMX_Netlogon/Netlogon_AllowDnsSuffixSearch](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-allowdnssuffixsearch) -- [ADMX_Netlogon/Netlogon_AllowNT4Crypto](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-allownt4crypto) -- [ADMX_Netlogon/Netlogon_AllowSingleLabelDnsDomain](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-allowsinglelabeldnsdomain) -- [ADMX_Netlogon/Netlogon_AutoSiteCoverage](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-autositecoverage) -- [ADMX_Netlogon/Netlogon_AvoidFallbackNetbiosDiscovery](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-avoidfallbacknetbiosdiscovery) -- [ADMX_Netlogon/Netlogon_AvoidPdcOnWan](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-avoidpdconwan) -- [ADMX_Netlogon/Netlogon_BackgroundRetryInitialPeriod](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-backgroundretryinitialperiod) -- [ADMX_Netlogon/Netlogon_BackgroundRetryMaximumPeriod](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-backgroundretrymaximumperiod) -- [ADMX_Netlogon/Netlogon_BackgroundRetryQuitTime](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-backgroundretryquittime) -- [ADMX_Netlogon/Netlogon_BackgroundSuccessfulRefreshPeriod](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-backgroundsuccessfulrefreshperiod) -- [ADMX_Netlogon/Netlogon_DebugFlag](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-debugflag) -- [ADMX_Netlogon/Netlogon_DnsAvoidRegisterRecords](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-dnsavoidregisterrecords) -- [ADMX_Netlogon/Netlogon_DnsRefreshInterval](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-dnsrefreshinterval) -- [ADMX_Netlogon/Netlogon_DnsSrvRecordUseLowerCaseHostNames](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-dnssrvrecorduselowercasehostnames) -- [ADMX_Netlogon/Netlogon_DnsTtl](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-dnsttl) -- [ADMX_Netlogon/Netlogon_ExpectedDialupDelay](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-expecteddialupdelay) -- [ADMX_Netlogon/Netlogon_ForceRediscoveryInterval](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-forcerediscoveryinterval) -- [ADMX_Netlogon/Netlogon_GcSiteCoverage](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-gcsitecoverage) -- [ADMX_Netlogon/Netlogon_IgnoreIncomingMailslotMessages](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-ignoreincomingmailslotmessages) -- [ADMX_Netlogon/Netlogon_LdapSrvPriority](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-ldapsrvpriority) -- [ADMX_Netlogon/Netlogon_LdapSrvWeight](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-ldapsrvweight) -- [ADMX_Netlogon/Netlogon_MaximumLogFileSize](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-maximumlogfilesize) -- [ADMX_Netlogon/Netlogon_NdncSiteCoverage](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-ndncsitecoverage) -- [ADMX_Netlogon/Netlogon_NegativeCachePeriod](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-negativecacheperiod) -- [ADMX_Netlogon/Netlogon_NetlogonShareCompatibilityMode](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-netlogonsharecompatibilitymode) -- [ADMX_Netlogon/Netlogon_NonBackgroundSuccessfulRefreshPeriod](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-nonbackgroundsuccessfulrefreshperiod) -- [ADMX_Netlogon/Netlogon_PingUrgencyMode](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-pingurgencymode) -- [ADMX_Netlogon/Netlogon_ScavengeInterval](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-scavengeinterval) -- [ADMX_Netlogon/Netlogon_SiteCoverage](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-sitecoverage) -- [ADMX_Netlogon/Netlogon_SiteName](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-sitename) -- [ADMX_Netlogon/Netlogon_SysvolShareCompatibilityMode](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-sysvolsharecompatibilitymode) -- [ADMX_Netlogon/Netlogon_TryNextClosestSite](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-trynextclosestsite) -- [ADMX_Netlogon/Netlogon_UseDynamicDns](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-usedynamicdns) -- [ADMX_NetworkConnections/NC_AddRemoveComponents](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-addremovecomponents) -- [ADMX_NetworkConnections/NC_AdvancedSettings](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-advancedsettings) -- [ADMX_NetworkConnections/NC_AllowAdvancedTCPIPConfig](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-allowadvancedtcpipconfig) -- [ADMX_NetworkConnections/NC_ChangeBindState](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-changebindstate) -- [ADMX_NetworkConnections/NC_DeleteAllUserConnection](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-deletealluserconnection) -- [ADMX_NetworkConnections/NC_DeleteConnection](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-deleteconnection) -- [ADMX_NetworkConnections/NC_DialupPrefs](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-dialupprefs) -- [ADMX_NetworkConnections/NC_DoNotShowLocalOnlyIcon](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-donotshowlocalonlyicon) -- [ADMX_NetworkConnections/NC_EnableAdminProhibits](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-enableadminprohibits) -- [ADMX_NetworkConnections/NC_ForceTunneling](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-forcetunneling) -- [ADMX_NetworkConnections/NC_IpStateChecking](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-ipstatechecking) -- [ADMX_NetworkConnections/NC_LanChangeProperties](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-lanchangeproperties) -- [ADMX_NetworkConnections/NC_LanConnect](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-lanconnect) -- [ADMX_NetworkConnections/NC_LanProperties](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-lanproperties) -- [ADMX_NetworkConnections/NC_NewConnectionWizard](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-newconnectionwizard) -- [ADMX_NetworkConnections/NC_PersonalFirewallConfig](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-personalfirewallconfig) -- [ADMX_NetworkConnections/NC_RasAllUserProperties](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-rasalluserproperties) -- [ADMX_NetworkConnections/NC_RasChangeProperties](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-raschangeproperties) -- [ADMX_NetworkConnections/NC_RasConnect](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-rasconnect) -- [ADMX_NetworkConnections/NC_RasMyProperties](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-rasmyproperties) -- [ADMX_NetworkConnections/NC_RenameAllUserRasConnection](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-renamealluserrasconnection) -- [ADMX_NetworkConnections/NC_RenameConnection](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-renameconnection) -- [ADMX_NetworkConnections/NC_RenameLanConnection](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-renamelanconnection) -- [ADMX_NetworkConnections/NC_RenameMyRasConnection](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-renamemyrasconnection) -- [ADMX_NetworkConnections/NC_ShowSharedAccessUI](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-showsharedaccessui) -- [ADMX_NetworkConnections/NC_Statistics](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-statistics) -- [ADMX_NetworkConnections/NC_StdDomainUserSetLocation](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-stddomainusersetlocation) -- [ADMX_OfflineFiles/Pol_AlwaysPinSubFolders](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-alwayspinsubfolders) -- [ADMX_OfflineFiles/Pol_AssignedOfflineFiles_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-assignedofflinefiles-1) -- [ADMX_OfflineFiles/Pol_AssignedOfflineFiles_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-assignedofflinefiles-2) -- [ADMX_OfflineFiles/Pol_BackgroundSyncSettings](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-backgroundsyncsettings) -- [ADMX_OfflineFiles/Pol_CacheSize](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-cachesize) -- [ADMX_OfflineFiles/Pol_CustomGoOfflineActions_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-customgoofflineactions-1) -- [ADMX_OfflineFiles/Pol_CustomGoOfflineActions_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-customgoofflineactions-2) -- [ADMX_OfflineFiles/Pol_DefCacheSize](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-defcachesize) -- [ADMX_OfflineFiles/Pol_Enabled](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-enabled) -- [ADMX_OfflineFiles/Pol_EncryptOfflineFiles](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-encryptofflinefiles) -- [ADMX_OfflineFiles/Pol_EventLoggingLevel_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-eventlogginglevel-1) -- [ADMX_OfflineFiles/Pol_EventLoggingLevel_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-eventlogginglevel-2) -- [ADMX_OfflineFiles/Pol_ExclusionListSettings](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-exclusionlistsettings) -- [ADMX_OfflineFiles/Pol_ExtExclusionList](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-extexclusionlist) -- [ADMX_OfflineFiles/Pol_GoOfflineAction_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-goofflineaction-1) -- [ADMX_OfflineFiles/Pol_GoOfflineAction_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-goofflineaction-2) -- [ADMX_OfflineFiles/Pol_NoCacheViewer_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-nocacheviewer-1) -- [ADMX_OfflineFiles/Pol_NoCacheViewer_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-nocacheviewer-2) -- [ADMX_OfflineFiles/Pol_NoConfigCache_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-noconfigcache-1) -- [ADMX_OfflineFiles/Pol_NoConfigCache_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-noconfigcache-2) -- [ADMX_OfflineFiles/Pol_NoMakeAvailableOffline_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-nomakeavailableoffline-1) -- [ADMX_OfflineFiles/Pol_NoMakeAvailableOffline_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-nomakeavailableoffline-2) -- [ADMX_OfflineFiles/Pol_NoPinFiles_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-nopinfiles-1) -- [ADMX_OfflineFiles/Pol_NoPinFiles_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-nopinfiles-2) -- [ADMX_OfflineFiles/Pol_NoReminders_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-noreminders-1) -- [ADMX_OfflineFiles/Pol_NoReminders_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-noreminders-2) -- [ADMX_OfflineFiles/Pol_OnlineCachingSettings](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-onlinecachingsettings) -- [ADMX_OfflineFiles/Pol_PurgeAtLogoff](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-purgeatlogoff) -- [ADMX_OfflineFiles/Pol_QuickAdimPin](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-quickadimpin) -- [ADMX_OfflineFiles/Pol_ReminderFreq_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-reminderfreq-1) -- [ADMX_OfflineFiles/Pol_ReminderFreq_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-reminderfreq-2) -- [ADMX_OfflineFiles/Pol_ReminderInitTimeout_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-reminderinittimeout-1) -- [ADMX_OfflineFiles/Pol_ReminderInitTimeout_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-reminderinittimeout-2) -- [ADMX_OfflineFiles/Pol_ReminderTimeout_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-remindertimeout-1) -- [ADMX_OfflineFiles/Pol_ReminderTimeout_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-remindertimeout-2) -- [ADMX_OfflineFiles/Pol_SlowLinkSettings](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-slowlinksettings) -- [ADMX_OfflineFiles/Pol_SlowLinkSpeed](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-slowlinkspeed) -- [ADMX_OfflineFiles/Pol_SyncAtLogoff_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-syncatlogoff-1) -- [ADMX_OfflineFiles/Pol_SyncAtLogoff_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-syncatlogoff-2) -- [ADMX_OfflineFiles/Pol_SyncAtLogon_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-syncatlogon-1) -- [ADMX_OfflineFiles/Pol_SyncAtLogon_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-syncatlogon-2) -- [ADMX_OfflineFiles/Pol_SyncAtSuspend_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-syncatsuspend-1) -- [ADMX_OfflineFiles/Pol_SyncAtSuspend_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-syncatsuspend-2) -- [ADMX_OfflineFiles/Pol_SyncOnCostedNetwork](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-synconcostednetwork) -- [ADMX_OfflineFiles/Pol_WorkOfflineDisabled_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-workofflinedisabled-1) -- [ADMX_OfflineFiles/Pol_WorkOfflineDisabled_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-workofflinedisabled-2) -- [ADMX_pca/DetectDeprecatedCOMComponentFailuresPolicy](./policy-csp-admx-pca.md#admx-pca-detectdeprecatedcomcomponentfailurespolicy) -- [ADMX_pca/DetectDeprecatedComponentFailuresPolicy](./policy-csp-admx-pca.md#admx-pca-detectdeprecatedcomponentfailurespolicy) -- [ADMX_pca/DetectInstallFailuresPolicy](./policy-csp-admx-pca.md#admx-pca-detectinstallfailurespolicy) -- [ADMX_pca/DetectUndetectedInstallersPolicy](./policy-csp-admx-pca.md#admx-pca-detectundetectedinstallerspolicy) -- [ADMX_pca/DetectUpdateFailuresPolicy](./policy-csp-admx-pca.md#admx-pca-detectupdatefailurespolicy) -- [ADMX_pca/DisablePcaUIPolicy](./policy-csp-admx-pca.md#admx-pca-disablepcauipolicy) -- [ADMX_pca/DetectBlockedDriversPolicy](./policy-csp-admx-pca.md#admx-pca-detectblockeddriverspolicy) -- [ADMX_PeerToPeerCaching/EnableWindowsBranchCache](./policy-csp-admx-peertopeercaching.md#admx-peertopeercaching-enablewindowsbranchcache) -- [ADMX_PeerToPeerCaching/EnableWindowsBranchCache_Distributed](./policy-csp-admx-peertopeercaching.md#admx-peertopeercaching-enablewindowsbranchcache-distributed) -- [ADMX_PeerToPeerCaching/EnableWindowsBranchCache_Hosted](./policy-csp-admx-peertopeercaching.md#admx-peertopeercaching-enablewindowsbranchcache-hosted) -- [ADMX_PeerToPeerCaching/EnableWindowsBranchCache_HostedCacheDiscovery](./policy-csp-admx-peertopeercaching.md#admx-peertopeercaching-enablewindowsbranchcache-hostedcachediscovery) -- [ADMX_PeerToPeerCaching/EnableWindowsBranchCache_HostedMultipleServers](./policy-csp-admx-peertopeercaching.md#admx-peertopeercaching-enablewindowsbranchcache-hostedmultipleservers) -- [ADMX_PeerToPeerCaching/EnableWindowsBranchCache_SMB](./policy-csp-admx-peertopeercaching.md#admx-peertopeercaching-enablewindowsbranchcache-smb) -- [ADMX_PeerToPeerCaching/SetCachePercent](./policy-csp-admx-peertopeercaching.md#admx-peertopeercaching-setcachepercent) -- [ADMX_PeerToPeerCaching/SetDataCacheEntryMaxAge](./policy-csp-admx-peertopeercaching.md#admx-peertopeercaching-setdatacacheentrymaxage) -- [ADMX_PeerToPeerCaching/SetDowngrading](./policy-csp-admx-peertopeercaching.md#admx-peertopeercaching-setdowngrading) -- [ADMX_PenTraining/PenTrainingOff_1](./policy-csp-admx-pentraining.md#admx-pentraining-pentrainingoff_1) -- [ADMX_PenTraining/PenTrainingOff_2](./policy-csp-admx-pentraining.md#admx-pentraining-pentrainingoff_2) -- [ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_1](./policy-csp-admx-performancediagnostics.md#admx-performancediagnostics-wdiscenarioexecutionpolicy-1) -- [ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_2](./policy-csp-admx-performancediagnostics.md#admx-performancediagnostics-wdiscenarioexecutionpolicy-2) -- [ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_3](./policy-csp-admx-performancediagnostics.md#admx-performancediagnostics-wdiscenarioexecutionpolicy-3) -- [ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_4](./policy-csp-admx-performancediagnostics.md#admx-performancediagnostics-wdiscenarioexecutionpolicy-4) -- [ADMX_Power/ACConnectivityInStandby_2](./policy-csp-admx-power.md#admx-power-acconnectivityinstandby-2) -- [ADMX_Power/ACCriticalSleepTransitionsDisable_2](./policy-csp-admx-power.md#admx-power-accriticalsleeptransitionsdisable-2) -- [ADMX_Power/ACStartMenuButtonAction_2](./policy-csp-admx-power.md#admx-power-acstartmenubuttonaction-2) -- [ADMX_Power/AllowSystemPowerRequestAC](./policy-csp-admx-power.md#admx-power-allowsystempowerrequestac) -- [ADMX_Power/AllowSystemPowerRequestDC](./policy-csp-admx-power.md#admx-power-allowsystempowerrequestdc) -- [ADMX_Power/AllowSystemSleepWithRemoteFilesOpenAC](./policy-csp-admx-power.md#admx-power-allowsystemsleepwithremotefilesopenac) -- [ADMX_Power/AllowSystemSleepWithRemoteFilesOpenDC](./policy-csp-admx-power.md#admx-power-allowsystemsleepwithremotefilesopendc) -- [ADMX_Power/CustomActiveSchemeOverride_2](./policy-csp-admx-power.md#admx-power-customactiveschemeoverride-2) -- [ADMX_Power/DCBatteryDischargeAction0_2](./policy-csp-admx-power.md#admx-power-dcbatterydischargeaction0-2) -- [ADMX_Power/DCBatteryDischargeAction1_2](./policy-csp-admx-power.md#admx-power-dcbatterydischargeaction1-2) -- [ADMX_Power/DCBatteryDischargeLevel0_2](./policy-csp-admx-power.md#admx-power-dcbatterydischargelevel0-2) -- [ADMX_Power/DCBatteryDischargeLevel1UINotification_2](./policy-csp-admx-power.md#admx-power-dcbatterydischargelevel1uinotification-2) -- [ADMX_Power/DCBatteryDischargeLevel1_2](./policy-csp-admx-power.md#admx-power-dcbatterydischargelevel1-2) -- [ADMX_Power/DCConnectivityInStandby_2](./policy-csp-admx-power.md#admx-power-dcconnectivityinstandby-2) -- [ADMX_Power/DCCriticalSleepTransitionsDisable_2](./policy-csp-admx-power.md#admx-power-dccriticalsleeptransitionsdisable-2) -- [ADMX_Power/DCStartMenuButtonAction_2](./policy-csp-admx-power.md#admx-power-dcstartmenubuttonaction-2) -- [ADMX_Power/DiskACPowerDownTimeOut_2](./policy-csp-admx-power.md#admx-power-diskacpowerdowntimeout-2) -- [ADMX_Power/DiskDCPowerDownTimeOut_2](./policy-csp-admx-power.md#admx-power-diskdcpowerdowntimeout-2) -- [ADMX_Power/Dont_PowerOff_AfterShutdown](./policy-csp-admx-power.md#admx-power-dont-poweroff-aftershutdown) -- [ADMX_Power/EnableDesktopSlideShowAC](./policy-csp-admx-power.md#admx-power-enabledesktopslideshowac) -- [ADMX_Power/EnableDesktopSlideShowDC](./policy-csp-admx-power.md#admx-power-enabledesktopslideshowdc) -- [ADMX_Power/InboxActiveSchemeOverride_2](./policy-csp-admx-power.md#admx-power-inboxactiveschemeoverride-2) -- [ADMX_Power/PW_PromptPasswordOnResume](./policy-csp-admx-power.md#admx-power-pw-promptpasswordonresume) -- [ADMX_Power/PowerThrottlingTurnOff](./policy-csp-admx-power.md#admx-power-powerthrottlingturnoff) -- [ADMX_Power/ReserveBatteryNotificationLevel](./policy-csp-admx-power.md#admx-power-reservebatterynotificationlevel) -- [ADMX_PowerShellExecutionPolicy/EnableModuleLogging](./policy-csp-admx-powershellexecutionpolicy.md#admx-powershellexecutionpolicy-enablemodulelogging) -- [ADMX_PowerShellExecutionPolicy/EnableScripts](./policy-csp-admx-powershellexecutionpolicy.md#admx-powershellexecutionpolicy-enablescripts) -- [ADMX_PowerShellExecutionPolicy/EnableTranscripting](./policy-csp-admx-powershellexecutionpolicy.md#admx-powershellexecutionpolicy-enabletranscripting) -- [ADMX_PowerShellExecutionPolicy/EnableUpdateHelpDefaultSourcePath](./policy-csp-admx-powershellexecutionpolicy.md#admx-powershellexecutionpolicy-enableupdatehelpdefaultsourcepath) -- [ADMX_PreviousVersions/DisableLocalPage_1](./policy-csp-admx-previousversions.md#admx-previousversions-disablelocalpage_1) -- [ADMX_PreviousVersions/DisableLocalPage_2](./policy-csp-admx-previousversions.md#admx-previousversions-disablelocalpage_2) -- [ADMX_PreviousVersions/DisableRemotePage_1](./policy-csp-admx-previousversions.md#admx-previousversions-disableremotepage_1) -- [ADMX_PreviousVersions/DisableRemotePage_2](./policy-csp-admx-previousversions.md#admx-previousversions-disableremotepage_2) -- [ADMX_PreviousVersions/HideBackupEntries_1](./policy-csp-admx-previousversions.md#admx-previousversions-hidebackupentries_1) -- [ADMX_PreviousVersions/HideBackupEntries_2](./policy-csp-admx-previousversions.md#admx-previousversions-hidebackupentries_2) -- [ADMX_PreviousVersions/DisableLocalRestore_1](./policy-csp-admx-previousversions.md#admx-previousversions-disablelocalrestore_1) -- [ADMX_PreviousVersions/DisableLocalRestore_2](./policy-csp-admx-previousversions.md#admx-previousversions-disablelocalrestore_2) -- [ADMX_Printing/AllowWebPrinting](./policy-csp-admx-printing.md#admx-printing-allowwebprinting) -- [ADMX_Printing/ApplicationDriverIsolation](./policy-csp-admx-printing.md#admx-printing-applicationdriverisolation) -- [ADMX_Printing/CustomizedSupportUrl](./policy-csp-admx-printing.md#admx-printing-customizedsupporturl) -- [ADMX_Printing/DoNotInstallCompatibleDriverFromWindowsUpdate](./policy-csp-admx-printing.md#admx-printing-donotinstallcompatibledriverfromwindowsupdate) -- [ADMX_Printing/DomainPrinters](./policy-csp-admx-printing.md#admx-printing-domainprinters) -- [ADMX_Printing/DownlevelBrowse](./policy-csp-admx-printing.md#admx-printing-downlevelbrowse) -- [ADMX_Printing/EMFDespooling](./policy-csp-admx-printing.md#admx-printing-emfdespooling) -- [ADMX_Printing/ForceSoftwareRasterization](./policy-csp-admx-printing.md#admx-printing-forcesoftwarerasterization) -- [ADMX_Printing/IntranetPrintersUrl](./policy-csp-admx-printing.md#admx-printing-intranetprintersurl) -- [ADMX_Printing/KMPrintersAreBlocked](./policy-csp-admx-printing.md#admx-printing-kmprintersareblocked) -- [ADMX_Printing/LegacyDefaultPrinterMode](./policy-csp-admx-printing.md#admx-printing-legacydefaultprintermode) -- [ADMX_Printing/MXDWUseLegacyOutputFormatMSXPS](./policy-csp-admx-printing.md#admx-printing-mxdwuselegacyoutputformatmsxps) -- [ADMX_Printing/NoDeletePrinter](./policy-csp-admx-printing.md#admx-printing-nodeleteprinter) -- [ADMX_Printing/NonDomainPrinters](./policy-csp-admx-printing.md#admx-printing-nondomainprinters) -- [ADMX_Printing/PackagePointAndPrintOnly](./policy-csp-admx-printing.md#admx-printing-packagepointandprintonly) -- [ADMX_Printing/PackagePointAndPrintOnly_Win7](./policy-csp-admx-printing.md#admx-printing-packagepointandprintonly-win7) -- [ADMX_Printing/PackagePointAndPrintServerList](./policy-csp-admx-printing.md#admx-printing-packagepointandprintserverlist) -- [ADMX_Printing/PackagePointAndPrintServerList_Win7](./policy-csp-admx-printing.md#admx-printing-packagepointandprintserverlist-win7) -- [ADMX_Printing/PhysicalLocation](./policy-csp-admx-printing.md#admx-printing-physicallocation) -- [ADMX_Printing/PhysicalLocationSupport](./policy-csp-admx-printing.md#admx-printing-physicallocationsupport) -- [ADMX_Printing/PrintDriverIsolationExecutionPolicy](./policy-csp-admx-printing.md#admx-printing-printdriverisolationexecutionpolicy -) -- [ADMX_Printing/PrintDriverIsolationOverrideCompat](./policy-csp-admx-printing.md#admx-printing-printdriverisolationoverridecompat) -- [ADMX_Printing/PrinterDirectorySearchScope](./policy-csp-admx-printing.md#admx-printing-printerdirectorysearchscope) -- [ADMX_Printing/PrinterServerThread](./policy-csp-admx-printing.md#admx-printing-printerserverthread) -- [ADMX_Printing/ShowJobTitleInEventLogs](./policy-csp-admx-printing.md#admx-printing-showjobtitleineventlogs) -- [ADMX_Printing/V4DriverDisallowPrinterExtension](./policy-csp-admx-printing.md#admx-printing-v4driverdisallowprinterextension) -- [ADMX_Printing2/AutoPublishing](./policy-csp-admx-printing2.md#admx-printing2-autopublishing) -- [ADMX_Printing2/ImmortalPrintQueue](./policy-csp-admx-printing2.md#admx-printing2-immortalprintqueue) -- [ADMX_Printing2/PruneDownlevel](./policy-csp-admx-printing2.md#admx-printing2-prunedownlevel) -- [ADMX_Printing2/PruningInterval](./policy-csp-admx-printing2.md#admx-printing2-pruninginterval) -- [ADMX_Printing2/PruningPriority](./policy-csp-admx-printing2.md#admx-printing2-pruningpriority) -- [ADMX_Printing2/PruningRetries](./policy-csp-admx-printing2.md#admx-printing2-pruningretries) -- [ADMX_Printing2/PruningRetryLog](./policy-csp-admx-printing2.md#admx-printing2-pruningretrylog) -- [ADMX_Printing2/RegisterSpoolerRemoteRpcEndPoint](./policy-csp-admx-printing2.md#admx-printing2-registerspoolerremoterpcendpoint) -- [ADMX_Printing2/VerifyPublishedState](./policy-csp-admx-printing2.md#admx-printing2-verifypublishedstate) -- [ADMX_Programs/NoDefaultPrograms](./policy-csp-admx-programs.md#admx-programs-nodefaultprograms) -- [ADMX_Programs/NoGetPrograms](./policy-csp-admx-programs.md#admx-programs-nogetprograms) -- [ADMX_Programs/NoInstalledUpdates](./policy-csp-admx-programs.md#admx-programs-noinstalledupdates) -- [ADMX_Programs/NoProgramsAndFeatures](./policy-csp-admx-programs.md#admx-programs-noprogramsandfeatures) -- [ADMX_Programs/NoProgramsCPL](./policy-csp-admx-programs.md#admx-programs-noprogramscpl) -- [ADMX_Programs/NoWindowsFeatures](./policy-csp-admx-programs.md#admx-programs-nowindowsfeatures) -- [ADMX_Programs/NoWindowsMarketplace](./policy-csp-admx-programs.md#admx-programs-nowindowsmarketplace) -- [ADMX_Reliability/EE_EnablePersistentTimeStamp](./policy-csp-admx-reliability.md#admx-reliability-ee-enablepersistenttimestamp) -- [ADMX_Reliability/PCH_ReportShutdownEvents](./policy-csp-admx-reliability.md#admx-reliability-pch-reportshutdownevents) -- [ADMX_Reliability/ShutdownEventTrackerStateFile](./policy-csp-admx-reliability.md#admx-reliability-shutdowneventtrackerstatefile) -- [ADMX_Reliability/ShutdownReason](./policy-csp-admx-reliability.md#admx-reliability-shutdownreason) -- [ADMX_RemoteAssistance/RA_EncryptedTicketOnly](./policy-csp-admx-remoteassistance.md#admx-remoteassistance-ra-encryptedticketonly) -- [ADMX_RemoteAssistance/RA_Optimize_Bandwidth](./policy-csp-admx-remoteassistance.md#admx-remoteassistance-ra-optimize-bandwidth) -- [ADMX_RemovableStorage/AccessRights_RebootTime_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-accessrights-reboottime-1) -- [ADMX_RemovableStorage/AccessRights_RebootTime_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-accessrights-reboottime-2) -- [ADMX_RemovableStorage/CDandDVD_DenyExecute_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-cdanddvd-denyexecute-access-2) -- [ADMX_RemovableStorage/CDandDVD_DenyRead_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-cdanddvd-denyread-access-1) -- [ADMX_RemovableStorage/CDandDVD_DenyRead_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-cdanddvd-denyread-access-2) -- [ADMX_RemovableStorage/CDandDVD_DenyWrite_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-cdanddvd-denywrite-access-1) -- [ADMX_RemovableStorage/CDandDVD_DenyWrite_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-cdanddvd-denywrite-access-2) -- [ADMX_RemovableStorage/CustomClasses_DenyRead_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-customclasses-denyread-access-1) -- [ADMX_RemovableStorage/CustomClasses_DenyRead_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-customclasses-denyread-access-2) -- [ADMX_RemovableStorage/CustomClasses_DenyWrite_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-customclasses-denywrite-access-1) -- [ADMX_RemovableStorage/CustomClasses_DenyWrite_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-customclasses-denywrite-access-2) -- [ADMX_RemovableStorage/FloppyDrives_DenyExecute_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-floppydrives-denyexecute-access-2) -- [ADMX_RemovableStorage/FloppyDrives_DenyRead_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-floppydrives-denyread-access-1) -- [ADMX_RemovableStorage/FloppyDrives_DenyRead_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-floppydrives-denyread-access-2) -- [ADMX_RemovableStorage/FloppyDrives_DenyWrite_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-floppydrives-denywrite-access-1) -- [ADMX_RemovableStorage/FloppyDrives_DenyWrite_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-floppydrives-denywrite-access-2) -- [ADMX_RemovableStorage/RemovableDisks_DenyExecute_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-removabledisks-denyexecute-access-2) -- [ADMX_RemovableStorage/RemovableDisks_DenyRead_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-removabledisks-denyread-access-1) -- [ADMX_RemovableStorage/RemovableDisks_DenyRead_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-removabledisks-denyread-access-2) -- [ADMX_RemovableStorage/RemovableDisks_DenyWrite_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-removabledisks-denywrite-access-1) -- [ADMX_RemovableStorage/RemovableStorageClasses_DenyAll_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-removablestorageclasses-denyall-access-1) -- [ADMX_RemovableStorage/RemovableStorageClasses_DenyAll_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-removablestorageclasses-denyall-access-2) -- [ADMX_RemovableStorage/Removable_Remote_Allow_Access](./policy-csp-admx-removablestorage.md#admx-removablestorage-removable-remote-allow-access) -- [ADMX_RemovableStorage/TapeDrives_DenyExecute_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-tapedrives-denyexecute-access-2) -- [ADMX_RemovableStorage/TapeDrives_DenyRead_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-tapedrives-denyread-access-1) -- [ADMX_RemovableStorage/TapeDrives_DenyRead_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-tapedrives-denyread-access-2) -- [ADMX_RemovableStorage/TapeDrives_DenyWrite_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-tapedrives-denywrite-access-1) -- [ADMX_RemovableStorage/TapeDrives_DenyWrite_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-tapedrives-denywrite-access-2) -- [ADMX_RemovableStorage/WPDDevices_DenyRead_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-wpddevices-denyread-access-1) -- [ADMX_RemovableStorage/WPDDevices_DenyRead_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-wpddevices-denyread-access-2) -- [ADMX_RemovableStorage/WPDDevices_DenyWrite_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-wpddevices-denywrite-access-1) -- [ADMX_RemovableStorage/WPDDevices_DenyWrite_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-wpddevices-denywrite-access-2) -- [ADMX_RPC/RpcExtendedErrorInformation](./policy-csp-admx-rpc.md#admx-rpc-rpcextendederrorinformation) -- [ADMX_RPC/RpcIgnoreDelegationFailure](./policy-csp-admx-rpc.md#admx-rpc-rpcignoredelegationfailure) -- [ADMX_RPC/RpcMinimumHttpConnectionTimeout](./policy-csp-admx-rpc.md#admx-rpc-rpcminimumhttpconnectiontimeout) -- [ADMX_RPC/RpcStateInformation](./policy-csp-admx-rpc.md#admx-rpc-rpcstateinformation) -- [ADMX_Scripts/Allow_Logon_Script_NetbiosDisabled](./policy-csp-admx-scripts.md#admx-scripts-allow-logon-script-netbiosdisabled) -- [ADMX_Scripts/MaxGPOScriptWaitPolicy](./policy-csp-admx-scripts.md#admx-scripts-maxgposcriptwaitpolicy) -- [ADMX_Scripts/Run_Computer_PS_Scripts_First](./policy-csp-admx-scripts.md#admx-scripts-run-computer-ps-scripts-first) -- [ADMX_Scripts/Run_Legacy_Logon_Script_Hidden](./policy-csp-admx-scripts.md#admx-scripts-run-legacy-logon-script-hidden) -- [ADMX_Scripts/Run_Logoff_Script_Visible](./policy-csp-admx-scripts.md#admx-scripts-run-logoff-script-visible) -- [ADMX_Scripts/Run_Logon_Script_Sync_1](./policy-csp-admx-scripts.md#admx-scripts-run-logon-script-sync-1) -- [ADMX_Scripts/Run_Logon_Script_Sync_2](./policy-csp-admx-scripts.md#admx-scripts-run-logon-script-sync-2) -- [ADMX_Scripts/Run_Logon_Script_Visible](./policy-csp-admx-scripts.md#admx-scripts-run-logon-script-visible) -- [ADMX_Scripts/Run_Shutdown_Script_Visible](./policy-csp-admx-scripts.md#admx-scripts-run-shutdown-script-visible) -- [ADMX_Scripts/Run_Startup_Script_Sync](./policy-csp-admx-scripts.md#admx-scripts-run-startup-script-sync) -- [ADMX_Scripts/Run_Startup_Script_Visible](./policy-csp-admx-scripts.md#admx-scripts-run-startup-script-visible) -- [ADMX_Scripts/Run_User_PS_Scripts_First](./policy-csp-admx-scripts.md#admx-scripts-run-user-ps-scripts-first) -- [ADMX_sdiageng/BetterWhenConnected](./policy-csp-admx-sdiageng.md#admx-sdiageng-betterwhenconnected) -- [ADMX_sdiageng/ScriptedDiagnosticsExecutionPolicy](./policy-csp-admx-sdiageng.md#admx-sdiageng-scripteddiagnosticsexecutionpolicy) -- [ADMX_sdiageng/ScriptedDiagnosticsSecurityPolicy](./policy-csp-admx-sdiageng.md#admx-sdiageng-scripteddiagnosticssecuritypolicy) -- [ADMX_sdiagschd/ScheduledDiagnosticsExecutionPolicy](./policy-csp-admx-sdiagschd.md#admx-sdiagschd-scheduleddiagnosticsexecutionpolicy) -- [ADMX_Securitycenter/SecurityCenter_SecurityCenterInDomain](./policy-csp-admx-securitycenter.md#admx-securitycenter-securitycenter-securitycenterindomain) -- [ADMX_Sensors/DisableLocationScripting_1](./policy-csp-admx-sensors.md#admx-sensors-disablelocationscripting-1) -- [ADMX_Sensors/DisableLocationScripting_2](./policy-csp-admx-sensors.md#admx-sensors-disablelocationscripting-2) -- [ADMX_Sensors/DisableLocation_1](./policy-csp-admx-sensors.md#admx-sensors-disablelocation-1) -- [ADMX_Sensors/DisableSensors_1](./policy-csp-admx-sensors.md#admx-sensors-disablesensors-1) -- [ADMX_Sensors/DisableSensors_2](./policy-csp-admx-sensors.md#admx-sensors-disablesensors-2) -- [ADMX_ServerManager/Do_not_display_Manage_Your_Server_page](./policy-csp-admx-servermanager.md#admx-servermanager-do_not_display_manage_your_server_page) -- [ADMX_ServerManager/ServerManagerAutoRefreshRate](./policy-csp-admx-servermanager.md#admx-servermanager-servermanagerautorefreshrate) -- [ADMX_ServerManager/DoNotLaunchInitialConfigurationTasks](./policy-csp-admx-servermanager.md#admx-servermanager-donotlaunchinitialconfigurationtasks) -- [ADMX_ServerManager/DoNotLaunchServerManager](./policy-csp-admx-servermanager.md#admx-servermanager-donotlaunchservermanager) -- [ADMX_Servicing/Servicing](./policy-csp-admx-servicing.md#admx-servicing-servicing) -- [ADMX_SettingSync/DisableAppSyncSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disableappsyncsettingsync) -- [ADMX_SettingSync/DisableApplicationSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disableapplicationsettingsync) -- [ADMX_SettingSync/DisableCredentialsSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disablecredentialssettingsync) -- [ADMX_SettingSync/DisableDesktopThemeSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disabledesktopthemesettingsync) -- [ADMX_SettingSync/DisablePersonalizationSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disablepersonalizationsettingsync) -- [ADMX_SettingSync/DisableSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disablesettingsync) -- [ADMX_SettingSync/DisableStartLayoutSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disablestartlayoutsettingsync) -- [ADMX_SettingSync/DisableSyncOnPaidNetwork](./policy-csp-admx-settingsync.md#admx-settingsync-disablesynconpaidnetwork) -- [ADMX_SettingSync/DisableWindowsSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disablewindowssettingsync) -- [ADMX_SharedFolders/PublishDfsRoots](./policy-csp-admx-sharedfolders.md#admx-sharedfolders-publishdfsroots) -- [ADMX_SharedFolders/PublishSharedFolders](./policy-csp-admx-sharedfolders.md#admx-sharedfolders-publishsharedfolders) -- [ADMX_Sharing/NoInplaceSharing](./policy-csp-admx-sharing.md#admx-sharing-noinplacesharing) -- [ADMX_ShellCommandPromptRegEditTools/DisallowApps](./policy-csp-admx-shellcommandpromptregedittools.md#admx-shellcommandpromptregedittools-disallowapps) -- [ADMX_ShellCommandPromptRegEditTools/DisableRegedit](./policy-csp-admx-shellcommandpromptregedittools.md#admx-shellcommandpromptregedittools-disableregedit) -- [ADMX_ShellCommandPromptRegEditTools/DisableCMD](./policy-csp-admx-shellcommandpromptregedittools.md#admx-shellcommandpromptregedittools-disablecmd) -- [ADMX_ShellCommandPromptRegEditTools/RestrictApps](./policy-csp-admx-shellcommandpromptregedittools.md#admx-shellcommandpromptregedittools-restrictapps) -- [ADMX_Smartcard/AllowCertificatesWithNoEKU](./policy-csp-admx-smartcard.md#admx-smartcard-allowcertificateswithnoeku) -- [ADMX_Smartcard/AllowIntegratedUnblock](./policy-csp-admx-smartcard.md#admx-smartcard-allowintegratedunblock) -- [ADMX_Smartcard/AllowSignatureOnlyKeys](./policy-csp-admx-smartcard.md#admx-smartcard-allowsignatureonlykeys) -- [ADMX_Smartcard/AllowTimeInvalidCertificates](./policy-csp-admx-smartcard.md#admx-smartcard-allowtimeinvalidcertificates) -- [ADMX_Smartcard/CertPropEnabledString](./policy-csp-admx-smartcard.md#admx-smartcard-certpropenabledstring) -- [ADMX_Smartcard/CertPropRootCleanupString](./policy-csp-admx-smartcard.md#admx-smartcard-certproprootcleanupstring) -- [ADMX_Smartcard/CertPropRootEnabledString](./policy-csp-admx-smartcard.md#admx-smartcard-certproprootenabledstring) -- [ADMX_Smartcard/DisallowPlaintextPin](./policy-csp-admx-smartcard.md#admx-smartcard-disallowplaintextpin) -- [ADMX_Smartcard/EnumerateECCCerts](./policy-csp-admx-smartcard.md#admx-smartcard-enumerateecccerts) -- [ADMX_Smartcard/FilterDuplicateCerts](./policy-csp-admx-smartcard.md#admx-smartcard-filterduplicatecerts) -- [ADMX_Smartcard/ForceReadingAllCertificates](./policy-csp-admx-smartcard.md#admx-smartcard-forcereadingallcertificates) -- [ADMX_Smartcard/IntegratedUnblockPromptString](./policy-csp-admx-smartcard.md#admx-smartcard-integratedunblockpromptstring) -- [ADMX_Smartcard/ReverseSubject](./policy-csp-admx-smartcard.md#admx-smartcard-reversesubject) -- [ADMX_Smartcard/SCPnPEnabled](./policy-csp-admx-smartcard.md#admx-smartcard-scpnpenabled) -- [ADMX_Smartcard/SCPnPNotification](./policy-csp-admx-smartcard.md#admx-smartcard-scpnpnotification) -- [ADMX_Smartcard/X509HintsNeeded](./policy-csp-admx-smartcard.md#admx-smartcard-x509hintsneeded) -- [ADMX_Snmp/SNMP_Communities](./policy-csp-admx-snmp.md#admx-snmp-snmp-communities) -- [ADMX_Snmp/SNMP_PermittedManagers](./policy-csp-admx-snmp.md#admx-snmp-snmp-permittedmanagers) -- [ADMX_Snmp/SNMP_Traps_Public](./policy-csp-admx-snmp.md#admx-snmp-snmp-traps-public) -- [ADMX_StartMenu/AddSearchInternetLinkInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-addsearchinternetlinkinstartmenu) -- [ADMX_StartMenu/ClearRecentDocsOnExit](./policy-csp-admx-startmenu.md#admx-startmenu-clearrecentdocsonexit) -- [ADMX_StartMenu/ClearRecentProgForNewUserInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-clearrecentprogfornewuserinstartmenu) -- [ADMX_StartMenu/ClearTilesOnExit](./policy-csp-admx-startmenu.md#admx-startmenu-cleartilesonexit) -- [ADMX_StartMenu/DesktopAppsFirstInAppsView](./policy-csp-admx-startmenu.md#admx-startmenu-desktopappsfirstinappsview) -- [ADMX_StartMenu/DisableGlobalSearchOnAppsView](./policy-csp-admx-startmenu.md#admx-startmenu-disableglobalsearchonappsview) -- [ADMX_StartMenu/ForceStartMenuLogOff](./policy-csp-admx-startmenu.md#admx-startmenu-forcestartmenulogoff) -- [ADMX_StartMenu/GoToDesktopOnSignIn](./policy-csp-admx-startmenu.md#admx-startmenu-gotodesktoponsignin) -- [ADMX_StartMenu/GreyMSIAds](./policy-csp-admx-startmenu.md#admx-startmenu-greymsiads) -- [ADMX_StartMenu/HidePowerOptions](./policy-csp-admx-startmenu.md#admx-startmenu-hidepoweroptions) -- [ADMX_StartMenu/Intellimenus](./policy-csp-admx-startmenu.md#admx-startmenu-intellimenus) -- [ADMX_StartMenu/LockTaskbar](./policy-csp-admx-startmenu.md#admx-startmenu-locktaskbar) -- [ADMX_StartMenu/MemCheckBoxInRunDlg](./policy-csp-admx-startmenu.md#admx-startmenu-memcheckboxinrundlg) -- [ADMX_StartMenu/NoAutoTrayNotify](./policy-csp-admx-startmenu.md#admx-startmenu-noautotraynotify) -- [ADMX_StartMenu/NoBalloonTip](./policy-csp-admx-startmenu.md#admx-startmenu-noballoontip) -- [ADMX_StartMenu/NoChangeStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-nochangestartmenu) -- [ADMX_StartMenu/NoClose](./policy-csp-admx-startmenu.md#admx-startmenu-noclose) -- [ADMX_StartMenu/NoCommonGroups](./policy-csp-admx-startmenu.md#admx-startmenu-nocommongroups) -- [ADMX_StartMenu/NoFavoritesMenu](./policy-csp-admx-startmenu.md#admx-startmenu-nofavoritesmenu) -- [ADMX_StartMenu/NoFind](./policy-csp-admx-startmenu.md#admx-startmenu-nofind) -- [ADMX_StartMenu/NoGamesFolderOnStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-nogamesfolderonstartmenu) -- [ADMX_StartMenu/NoHelp](./policy-csp-admx-startmenu.md#admx-startmenu-nohelp) -- [ADMX_StartMenu/NoInstrumentation](./policy-csp-admx-startmenu.md#admx-startmenu-noinstrumentation) -- [ADMX_StartMenu/NoMoreProgramsList](./policy-csp-admx-startmenu.md#admx-startmenu-nomoreprogramslist) -- [ADMX_StartMenu/NoNetAndDialupConnect](./policy-csp-admx-startmenu.md#admx-startmenu-nonetanddialupconnect) -- [ADMX_StartMenu/NoPinnedPrograms](./policy-csp-admx-startmenu.md#admx-startmenu-nopinnedprograms) -- [ADMX_StartMenu/NoRecentDocsMenu](./policy-csp-admx-startmenu.md#admx-startmenu-norecentdocsmenu) -- [ADMX_StartMenu/NoResolveSearch](./policy-csp-admx-startmenu.md#admx-startmenu-noresolvesearch) -- [ADMX_StartMenu/NoResolveTrack](./policy-csp-admx-startmenu.md#admx-startmenu-noresolvetrack) -- [ADMX_StartMenu/NoRun](./policy-csp-admx-startmenu.md#admx-startmenu-norun) -- [ADMX_StartMenu/NoSMConfigurePrograms](./policy-csp-admx-startmenu.md#admx-startmenu-nosmconfigureprograms) -- [ADMX_StartMenu/NoSMMyDocuments](./policy-csp-admx-startmenu.md#admx-startmenu-nosmmydocuments) -- [ADMX_StartMenu/NoSMMyMusic](./policy-csp-admx-startmenu.md#admx-startmenu-nosmmymusic) -- [ADMX_StartMenu/NoSMMyNetworkPlaces](./policy-csp-admx-startmenu.md#admx-startmenu-nosmmynetworkplaces) -- [ADMX_StartMenu/NoSMMyPictures](./policy-csp-admx-startmenu.md#admx-startmenu-nosmmypictures) -- [ADMX_StartMenu/NoSearchCommInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-nosearchcomminstartmenu) -- [ADMX_StartMenu/NoSearchComputerLinkInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-nosearchcomputerlinkinstartmenu) -- [ADMX_StartMenu/NoSearchEverywhereLinkInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-nosearcheverywherelinkinstartmenu) -- [ADMX_StartMenu/NoSearchFilesInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-nosearchfilesinstartmenu) -- [ADMX_StartMenu/NoSearchInternetInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-nosearchinternetinstartmenu) -- [ADMX_StartMenu/NoSearchProgramsInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-nosearchprogramsinstartmenu) -- [ADMX_StartMenu/NoSetFolders](./policy-csp-admx-startmenu.md#admx-startmenu-nosetfolders) -- [ADMX_StartMenu/NoSetTaskbar](./policy-csp-admx-startmenu.md#admx-startmenu-nosettaskbar) -- [ADMX_StartMenu/NoStartMenuDownload](./policy-csp-admx-startmenu.md#admx-startmenu-nostartmenudownload) -- [ADMX_StartMenu/NoStartMenuHomegroup](./policy-csp-admx-startmenu.md#admx-startmenu-nostartmenuhomegroup) -- [ADMX_StartMenu/NoStartMenuRecordedTV](./policy-csp-admx-startmenu.md#admx-startmenu-nostartmenurecordedtv) -- [ADMX_StartMenu/NoStartMenuSubFolders](./policy-csp-admx-startmenu.md#admx-startmenu-nostartmenusubfolders) -- [ADMX_StartMenu/NoStartMenuVideos](./policy-csp-admx-startmenu.md#admx-startmenu-nostartmenuvideos) -- [ADMX_StartMenu/NoStartPage](./policy-csp-admx-startmenu.md#admx-startmenu-nostartpage) -- [ADMX_StartMenu/NoTaskBarClock](./policy-csp-admx-startmenu.md#admx-startmenu-notaskbarclock) -- [ADMX_StartMenu/NoTaskGrouping](./policy-csp-admx-startmenu.md#admx-startmenu-notaskgrouping) -- [ADMX_StartMenu/NoToolbarsOnTaskbar](./policy-csp-admx-startmenu.md#admx-startmenu-notoolbarsontaskbar) -- [ADMX_StartMenu/NoTrayContextMenu](./policy-csp-admx-startmenu.md#admx-startmenu-notraycontextmenu) -- [ADMX_StartMenu/NoTrayItemsDisplay](./policy-csp-admx-startmenu.md#admx-startmenu-notrayitemsdisplay) -- [ADMX_StartMenu/NoUninstallFromStart](./policy-csp-admx-startmenu.md#admx-startmenu-nouninstallfromstart) -- [ADMX_StartMenu/NoUserFolderOnStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-nouserfolderonstartmenu) -- [ADMX_StartMenu/NoUserNameOnStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-nousernameonstartmenu) -- [ADMX_StartMenu/NoWindowsUpdate](./policy-csp-admx-startmenu.md#admx-startmenu-nowindowsupdate) -- [ADMX_StartMenu/PowerButtonAction](./policy-csp-admx-startmenu.md#admx-startmenu-powerbuttonaction) -- [ADMX_StartMenu/QuickLaunchEnabled](./policy-csp-admx-startmenu.md#admx-startmenu-quicklaunchenabled) -- [ADMX_StartMenu/RemoveUnDockPCButton](./policy-csp-admx-startmenu.md#admx-startmenu-removeundockpcbutton) -- [ADMX_StartMenu/ShowAppsViewOnStart](./policy-csp-admx-startmenu.md#admx-startmenu-showappsviewonstart) -- [ADMX_StartMenu/ShowRunAsDifferentUserInStart](./policy-csp-admx-startmenu.md#admx-startmenu-showrunasdifferentuserinstart) -- [ADMX_StartMenu/ShowRunInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-showruninstartmenu) -- [ADMX_StartMenu/ShowStartOnDisplayWithForegroundOnWinKey](./policy-csp-admx-startmenu.md#admx-startmenu-showstartondisplaywithforegroundonwinkey) -- [ADMX_StartMenu/StartMenuLogOff](./policy-csp-admx-startmenu.md#admx-startmenu-startmenulogoff) -- [ADMX_StartMenu/StartPinAppsWhenInstalled](./policy-csp-admx-startmenu.md#admx-startmenu-startpinappswheninstalled) -- [ADMX_SystemRestore/SR_DisableConfig](./policy-csp-admx-systemrestore.md#admx-systemrestore-sr-disableconfig) -- [ADMX_TabletShell/DisableInkball_1](./policy-csp-admx-tabletshell.md#admx-tabletshell-disableinkball_1) -- [ADMX_TabletShell/DisableNoteWriterPrinting_1](./policy-csp-admx-tabletshell.md#admx-tabletshell-disablenotewriterprinting_1) -- [ADMX_Taskbar/DisableNotificationCenter](./policy-csp-admx-taskbar.md#admx-taskbar-disablenotificationcenter) -- [ADMX_Taskbar/EnableLegacyBalloonNotifications](./policy-csp-admx-taskbar.md#admx-taskbar-enablelegacyballoonnotifications) -- [ADMX_Taskbar/HideSCAHealth](./policy-csp-admx-taskbar.md#admx-taskbar-hidescahealth) -- [ADMX_Taskbar/HideSCANetwork](./policy-csp-admx-taskbar.md#admx-taskbar-hidescanetwork) -- [ADMX_Taskbar/HideSCAPower](./policy-csp-admx-taskbar.md#admx-taskbar-hidescapower) -- [ADMX_Taskbar/HideSCAVolume](./policy-csp-admx-taskbar.md#admx-taskbar-hidescavolume) -- [ADMX_Taskbar/NoBalloonFeatureAdvertisements](./policy-csp-admx-taskbar.md#admx-taskbar-noballoonfeatureadvertisements) -- [ADMX_Taskbar/NoPinningStoreToTaskbar](./policy-csp-admx-taskbar.md#admx-taskbar-nopinningstoretotaskbar) -- [ADMX_Taskbar/NoPinningToDestinations](./policy-csp-admx-taskbar.md#admx-taskbar-nopinningtodestinations) -- [ADMX_Taskbar/NoPinningToTaskbar](./policy-csp-admx-taskbar.md#admx-taskbar-nopinningtotaskbar) -- [ADMX_Taskbar/NoRemoteDestinations](./policy-csp-admx-taskbar.md#admx-taskbar-noremotedestinations) -- [ADMX_Taskbar/NoSystraySystemPromotion](./policy-csp-admx-taskbar.md#admx-taskbar-nosystraysystempromotion) -- [ADMX_Taskbar/ShowWindowsStoreAppsOnTaskbar](./policy-csp-admx-taskbar.md#admx-taskbar-showwindowsstoreappsontaskbar) -- [ADMX_Taskbar/TaskbarLockAll](./policy-csp-admx-taskbar.md#admx-taskbar-taskbarlockall) -- [ADMX_Taskbar/TaskbarNoAddRemoveToolbar](./policy-csp-admx-taskbar.md#admx-taskbar-taskbarnoaddremovetoolbar) -- [ADMX_Taskbar/TaskbarNoDragToolbar](./policy-csp-admx-taskbar.md#admx-taskbar-taskbarnodragtoolbar) -- [ADMX_Taskbar/TaskbarNoMultimon](./policy-csp-admx-taskbar.md#admx-taskbar-taskbarnomultimon) -- [ADMX_Taskbar/TaskbarNoNotification](./policy-csp-admx-taskbar.md#admx-taskbar-taskbarnonotification) -- [ADMX_Taskbar/TaskbarNoPinnedList](./policy-csp-admx-taskbar.md#admx-taskbar-taskbarnopinnedlist) -- [ADMX_Taskbar/TaskbarNoRedock](./policy-csp-admx-taskbar.md#admx-taskbar-taskbarnoredock) -- [ADMX_Taskbar/TaskbarNoResize](./policy-csp-admx-taskbar.md#admx-taskbar-taskbarnoresize) -- [ADMX_Taskbar/TaskbarNoThumbnail](./policy-csp-admx-taskbar.md#admx-taskbar-taskbarnothumbnail) -- [ADMX_tcpip/6to4_Router_Name](./policy-csp-admx-tcpip.md#admx-tcpip-6to4-router-name) -- [ADMX_tcpip/6to4_Router_Name_Resolution_Interval](./policy-csp-admx-tcpip.md#admx-tcpip-6to4-router-name-resolution-interval) -- [ADMX_tcpip/6to4_State](./policy-csp-admx-tcpip.md#admx-tcpip-6to4-state) -- [ADMX_tcpip/IPHTTPS_ClientState](./policy-csp-admx-tcpip.md#admx-tcpip-iphttps-clientstate) -- [ADMX_tcpip/IP_Stateless_Autoconfiguration_Limits_State](./policy-csp-admx-tcpip.md#admx-tcpip-ip-stateless-autoconfiguration-limits-state) -- [ADMX_tcpip/ISATAP_Router_Name](./policy-csp-admx-tcpip.md#admx-tcpip-isatap-router-name) -- [ADMX_tcpip/ISATAP_State](./policy-csp-admx-tcpip.md#admx-tcpip-isatap-state) -- [ADMX_tcpip/Teredo_Client_Port](./policy-csp-admx-tcpip.md#admx-tcpip-teredo-client-port) -- [ADMX_tcpip/Teredo_Default_Qualified](./policy-csp-admx-tcpip.md#admx-tcpip-teredo-default-qualified) -- [ADMX_tcpip/Teredo_Refresh_Rate](./policy-csp-admx-tcpip.md#admx-tcpip-teredo-refresh-rate) -- [ADMX_tcpip/Teredo_Server_Name](./policy-csp-admx-tcpip.md#admx-tcpip-teredo-server-name) -- [ADMX_tcpip/Teredo_State](./policy-csp-admx-tcpip.md#admx-tcpip-teredo-state) -- [ADMX_tcpip/Windows_Scaling_Heuristics_State](./policy-csp-admx-tcpip.md#admx-tcpip-windows-scaling-heuristics-state) -- [ADMX_TerminalServer/TS_AUTO_RECONNECT](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_auto_reconnect) -- [ADMX_TerminalServer/TS_CAMERA_REDIRECTION](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_camera_redirection) -- [ADMX_TerminalServer/TS_CERTIFICATE_TEMPLATE_POLICY](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_certificate_template_policy) -- [ADMX_TerminalServer/TS_CLIENT_ALLOW_SIGNED_FILES_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_allow_signed_files_1) -- [ADMX_TerminalServer/TS_CLIENT_ALLOW_SIGNED_FILES_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_allow_signed_files_2) -- [ADMX_TerminalServer/TS_CLIENT_ALLOW_UNSIGNED_FILES_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_allow_unsigned_files_1) -- [ADMX_TerminalServer/TS_CLIENT_ALLOW_UNSIGNED_FILES_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_allow_unsigned_files_2) -- [ADMX_TerminalServer/TS_CLIENT_AUDIO](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_audio) -- [ADMX_TerminalServer/TS_CLIENT_AUDIO_CAPTURE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_audio_capture) -- [ADMX_TerminalServer/TS_CLIENT_AUDIO_QUALITY](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_audio_quality) -- [ADMX_TerminalServer/TS_CLIENT_CLIPBOARD](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_clipboard) -- [ADMX_TerminalServer/TS_CLIENT_COM](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_com) -- [ADMX_TerminalServer/TS_CLIENT_DEFAULT_M](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_default_m) -- [ADMX_TerminalServer/TS_CLIENT_DISABLE_HARDWARE_MODE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_disable_hardware_mode) -- [ADMX_TerminalServer/TS_CLIENT_DISABLE_PASSWORD_SAVING_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_disable_password_saving_1) -- [ADMX_TerminalServer/TS_CLIENT_LPT](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_lpt) -- [ADMX_TerminalServer/TS_CLIENT_PNP](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_pnp) -- [ADMX_TerminalServer/TS_CLIENT_PRINTER](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_printer) -- [ADMX_TerminalServer/TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_trusted_certificate_thumbprints_1) -- [ADMX_TerminalServer/TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_trusted_certificate_thumbprints_2) -- [ADMX_TerminalServer/TS_CLIENT_TURN_OFF_UDP](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_turn_off_udp) -- [ADMX_TerminalServer/TS_COLORDEPTH](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_colordepth) -- [ADMX_TerminalServer/TS_DELETE_ROAMING_USER_PROFILES](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_delete_roaming_user_profiles) -- [ADMX_TerminalServer/TS_DISABLE_REMOTE_DESKTOP_WALLPAPER](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_disable_remote_desktop_wallpaper) -- [ADMX_TerminalServer/TS_DX_USE_FULL_HWGPU](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_dx_use_full_hwgpu) -- [ADMX_TerminalServer/TS_EASY_PRINT](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_easy_print) -- [ADMX_TerminalServer/TS_EASY_PRINT_User](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_easy_print_user) -- [ADMX_TerminalServer/TS_EnableVirtualGraphics](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_enablevirtualgraphics) -- [ADMX_TerminalServer/TS_FALLBACKPRINTDRIVERTYPE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_fallbackprintdrivertype) -- [ADMX_TerminalServer/TS_FORCIBLE_LOGOFF](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_forcible_logoff) -- [ADMX_TerminalServer/TS_GATEWAY_POLICY_ENABLE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_gateway_policy_enable) -- [ADMX_TerminalServer/TS_GATEWAY_POLICY_AUTH_METHOD](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_gateway_policy_auth_method) -- [ADMX_TerminalServer/TS_GATEWAY_POLICY_SERVER](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_gateway_policy_server) -- [ADMX_TerminalServer/TS_JOIN_SESSION_DIRECTORY](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_join_session_directory) -- [ADMX_TerminalServer/TS_KEEP_ALIVE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_keep_alive) -- [ADMX_TerminalServer/TS_LICENSE_SECGROUP](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_license_secgroup) -- [ADMX_TerminalServer/TS_LICENSE_SERVERS](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_license_servers) -- [ADMX_TerminalServer/TS_LICENSE_TOOLTIP](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_license_tooltip) -- [ADMX_TerminalServer/TS_LICENSING_MODE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_licensing_mode) -- [ADMX_TerminalServer/TS_MAX_CON_POLICY](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_max_con_policy) -- [ADMX_TerminalServer/TS_MAXDISPLAYRES](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_maxdisplayres) -- [ADMX_TerminalServer/TS_MAXMONITOR](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_maxmonitor) -- [ADMX_TerminalServer/TS_NoDisconnectMenu](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_nodisconnectmenu) -- [ADMX_TerminalServer/TS_NoSecurityMenu](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_nosecuritymenu) -- [ADMX_TerminalServer/TS_PreventLicenseUpgrade](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_preventlicenseupgrade) -- [ADMX_TerminalServer/TS_PROMT_CREDS_CLIENT_COMP](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_promt_creds_client_comp) -- [ADMX_TerminalServer/TS_RADC_DefaultConnection](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_radc_defaultconnection) -- [ADMX_TerminalServer/TS_RDSAppX_WaitForRegistration](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_rdsappx_waitforregistration) -- [ADMX_TerminalServer/TS_RemoteControl_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_remotecontrol_1) -- [ADMX_TerminalServer/TS_RemoteControl_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_remotecontrol_2) -- [ADMX_TerminalServer/TS_RemoteDesktopVirtualGraphics](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_remotedesktopvirtualgraphics) -- [ADMX_TerminalServer/TS_SD_ClustName](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sd_clustname) -- [ADMX_TerminalServer/TS_SD_EXPOSE_ADDRESS](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sd_expose_address) -- [ADMX_TerminalServer/TS_SD_Loc](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sd_loc) -- [ADMX_TerminalServer/TS_SECURITY_LAYER_POLICY](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_security_layer_policy) -- [ADMX_TerminalServer/TS_SELECT_NETWORK_DETECT](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_select_network_detect) -- [ADMX_TerminalServer/TS_SELECT_TRANSPORT](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_select_transport) -- [ADMX_TerminalServer/TS_SERVER_ADVANCED_REMOTEFX_REMOTEAPP](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_advanced_remotefx_remoteapp) -- [ADMX_TerminalServer/TS_SERVER_AUTH](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_auth) -- [ADMX_TerminalServer/TS_SERVER_AVC_HW_ENCODE_PREFERRED](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_avc_hw_encode_preferred) -- [ADMX_TerminalServer/TS_SERVER_AVC444_MODE_PREFERRED](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_avc444_mode_preferred) -- [ADMX_TerminalServer/TS_SERVER_COMPRESSOR](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_compressor) -- [ADMX_TerminalServer/TS_SERVER_IMAGE_QUALITY](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_image_quality) -- [ADMX_TerminalServer/TS_SERVER_LEGACY_RFX](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_legacy_rfx) -- [ADMX_TerminalServer/TS_SERVER_PROFILE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_profile) -- [ADMX_TerminalServer/TS_SERVER_VISEXP](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_visexp) -- [ADMX_TerminalServer/TS_SERVER_WDDM_GRAPHICS_DRIVER](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_wddm_graphics_driver) -- [ADMX_TerminalServer/TS_Session_End_On_Limit_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_session_end_on_limit_1) -- [ADMX_TerminalServer/TS_Session_End_On_Limit_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_session_end_on_limit_2) -- [ADMX_TerminalServer/TS_SESSIONS_Disconnected_Timeout_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_disconnected_timeout_1) -- [ADMX_TerminalServer/TS_SESSIONS_Disconnected_Timeout_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_disconnected_timeout_2) -- [ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_idle_limit_1) -- [ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_idle_limit_2) -- [ADMX_TerminalServer/TS_SESSIONS_Limits_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_limits_1) -- [ADMX_TerminalServer/TS_SESSIONS_Limits_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_limits_2) -- [ADMX_TerminalServer/TS_SINGLE_SESSION](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_single_session) -- [ADMX_TerminalServer/TS_SMART_CARD](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_smart_card) -- [ADMX_TerminalServer/TS_START_PROGRAM_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_start_program_1) -- [ADMX_TerminalServer/TS_START_PROGRAM_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_start_program_2) -- [ADMX_TerminalServer/TS_TEMP_DELETE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_temp_delete) -- [ADMX_TerminalServer/TS_TEMP_PER_SESSION](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_temp_per_session) -- [ADMX_TerminalServer/TS_TIME_ZONE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_time_zone) -- [ADMX_TerminalServer/TS_TSCC_PERMISSIONS_POLICY](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_tscc_permissions_policy) -- [ADMX_TerminalServer/TS_TURNOFF_SINGLEAPP](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_turnoff_singleapp) -- [ADMX_TerminalServer/TS_UIA](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_uia) -- [ADMX_TerminalServer/TS_USB_REDIRECTION_DISABLE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_usb_redirection_disable) -- [ADMX_TerminalServer/TS_USER_AUTHENTICATION_POLICY](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_user_authentication_policy) -- [ADMX_TerminalServer/TS_USER_HOME](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_user_home) -- [ADMX_TerminalServer/TS_USER_MANDATORY_PROFILES](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_user_mandatory_profiles) -- [ADMX_TerminalServer/TS_USER_PROFILES](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_user_profiles) -- [ADMX_Thumbnails/DisableThumbnails](./policy-csp-admx-thumbnails.md#admx-thumbnails-disablethumbnails) -- [ADMX_Thumbnails/DisableThumbnailsOnNetworkFolders](./policy-csp-admx-thumbnails.md#admx-thumbnails-disablethumbnailsonnetworkfolders) -- [ADMX_Thumbnails/DisableThumbsDBOnNetworkFolders](./policy-csp-admx-thumbnails.md#admx-thumbnails-disablethumbsdbonnetworkfolders) -- [ADMX_TouchInput/TouchInputOff_1](./policy-csp-admx-touchinput.md#admx-touchinput-touchinputoff_1) -- [ADMX_TouchInput/TouchInputOff_2](./policy-csp-admx-touchinput.md#admx-touchinput-touchinputoff_2) -- [ADMX_TouchInput/PanningEverywhereOff_1](./policy-csp-admx-touchinput.md#admx-touchinput-panningeverywhereoff_1) -- [ADMX_TouchInput/PanningEverywhereOff_2](./policy-csp-admx-touchinput.md#admx-touchinput-panningeverywhereoff_2) -- [ADMX_TPM/BlockedCommandsList_Name](./policy-csp-admx-tpm.md#admx-tpm-blockedcommandslist-name) -- [ADMX_TPM/ClearTPMIfNotReady_Name](./policy-csp-admx-tpm.md#admx-tpm-cleartpmifnotready-name) -- [ADMX_TPM/IgnoreDefaultList_Name](./policy-csp-admx-tpm.md#admx-tpm-ignoredefaultlist-name) -- [ADMX_TPM/IgnoreLocalList_Name](./policy-csp-admx-tpm.md#admx-tpm-ignorelocallist-name) -- [ADMX_TPM/OSManagedAuth_Name](./policy-csp-admx-tpm.md#admx-tpm-osmanagedauth-name) -- [ADMX_TPM/OptIntoDSHA_Name](./policy-csp-admx-tpm.md#admx-tpm-optintodsha-name) -- [ADMX_TPM/StandardUserAuthorizationFailureDuration_Name](./policy-csp-admx-tpm.md#admx-tpm-standarduserauthorizationfailureduration-name) -- [ADMX_TPM/StandardUserAuthorizationFailureIndividualThreshold_Name](./policy-csp-admx-tpm.md#admx-tpm-standarduserauthorizationfailureindividualthreshold-name) -- [ADMX_TPM/StandardUserAuthorizationFailureTotalThreshold_Name](./policy-csp-admx-tpm.md#admx-tpm-standarduserauthorizationfailuretotalthreshold-name) -- [ADMX_TPM/UseLegacyDAP_Name](./policy-csp-admx-tpm.md#admx-tpm-uselegacydap-name) -- [ADMX_UserExperienceVirtualization/Calculator](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-calculator) -- [ADMX_UserExperienceVirtualization/ConfigureSyncMethod](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-configuresyncmethod) -- [ADMX_UserExperienceVirtualization/ConfigureVdi](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-configurevdi) -- [ADMX_UserExperienceVirtualization/ContactITDescription](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-contactitdescription) -- [ADMX_UserExperienceVirtualization/ContactITUrl](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-contactiturl) -- [ADMX_UserExperienceVirtualization/DisableWin8Sync](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-disablewin8sync) -- [ADMX_UserExperienceVirtualization/DisableWindowsOSSettings](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-disablewindowsossettings) -- [ADMX_UserExperienceVirtualization/EnableUEV](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-enableuev) -- [ADMX_UserExperienceVirtualization/Finance](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-finance) -- [ADMX_UserExperienceVirtualization/FirstUseNotificationEnabled](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-firstusenotificationenabled) -- [ADMX_UserExperienceVirtualization/Games](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-games) -- [ADMX_UserExperienceVirtualization/InternetExplorer8](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-internetexplorer8) -- [ADMX_UserExperienceVirtualization/InternetExplorer9](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-internetexplorer9) -- [ADMX_UserExperienceVirtualization/InternetExplorer10](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-internetexplorer10) -- [ADMX_UserExperienceVirtualization/InternetExplorer11](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-internetexplorer11) -- [ADMX_UserExperienceVirtualization/InternetExplorerCommon](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-internetexplorercommon) -- [ADMX_UserExperienceVirtualization/Maps](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-maps) -- [ADMX_UserExperienceVirtualization/MaxPackageSizeInBytes](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-maxpackagesizeinbytes) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2010Access](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2010access) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2010Common](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2010common) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2010Excel](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2010excel) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2010InfoPath](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2010infopath) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2010Lync](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2010lync) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2010OneNote](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2010onenote) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2010Outlook](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2010outlook) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2010PowerPoint](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2010powerpoint) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2010Project](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2010project) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2010Publisher](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2010publisher) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2010SharePointDesigner](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2010sharepointdesigner) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2010SharePointWorkspace](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2010sharepointworkspace) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2010Visio](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2010visio) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2010Word](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2010word) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013Access](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013access) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013AccessBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013accessbackup) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013Common](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013common) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013CommonBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013commonbackup) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013Excel](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013excel) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013ExcelBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013excelbackup) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013InfoPath](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013infopath) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013InfoPathBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013infopathbackup) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013Lync](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013lync) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013LyncBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013lyncbackup) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013OneDriveForBusiness](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013onedriveforbusiness) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013OneNote](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013onenote) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013OneNoteBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013onenotebackup) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013Outlook](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013outlook) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013OutlookBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013outlookbackup) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013PowerPoint](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013powerpoint) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013PowerPointBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013powerpointbackup) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013Project](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013project) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013ProjectBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013projectbackup) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013Publisher](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013publisher) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013PublisherBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013publisherbackup) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013SharePointDesigner](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013sharepointdesigner) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013SharePointDesignerBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013sharepointdesignerbackup) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013UploadCenter](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013uploadcenter) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013Visio](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013visio) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013VisioBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013visiobackup) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013Word](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013word) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013WordBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013wordbackup) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016Access](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016access) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016AccessBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016accessbackup) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016Common](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016common) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016CommonBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016commonbackup) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016Excel](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016excel) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016ExcelBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016excelbackup) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016Lync](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016lync) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016LyncBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016lyncbackup) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016OneDriveForBusiness](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016onedriveforbusiness) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016OneNote](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016onenote) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016OneNoteBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016onenotebackup) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016Outlook](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016outlook) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016OutlookBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016outlookbackup) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016PowerPoint](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016powerpoint) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016PowerPointBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016powerpointbackup) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016Project](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016project) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016ProjectBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016projectbackup) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016Publisher](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016publisher) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016PublisherBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016publisherbackup) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016UploadCenter](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016uploadcenter) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016Visio](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016visio) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016VisioBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016visiobackup) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016Word](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016word) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016WordBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016wordbackup) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice365Access2013](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365access2013) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice365Access2016](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365access2016) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice365Common2013](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365common2013) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice365Common2016](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365common2016) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice365Excel2013](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365excel2013) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice365Excel2016](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365excel2016) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice365InfoPath2013](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365infopath2013) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice365Lync2013](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365lync2013) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice365Lync2016](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365lync2016) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice365OneNote2013](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365onenote2013) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice365OneNote2016](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365onenote2016) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice365Outlook2013](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365outlook2013) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice365Outlook2016](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365outlook2016) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice365PowerPoint2013](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365powerpoint2013) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice365PowerPoint2016](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365powerpoint2016) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice365Project2013](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365project2013) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice365Project2016](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365project2016) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice365Publisher2013](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365publisher2013) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice365Publisher2016](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365publisher2016) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice365SharePointDesigner2013](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365sharepointdesigner2013) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice365Visio2013](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365visio2013) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice365Visio2016](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365visio2016) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice365Word2013](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365word2013) -- [ADMX_UserExperienceVirtualization/MicrosoftOffice365Word2016](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365word2016) -- [ADMX_UserExperienceVirtualization/Music](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-music) -- [ADMX_UserExperienceVirtualization/News](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-news) -- [ADMX_UserExperienceVirtualization/Notepad](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-notepad) -- [ADMX_UserExperienceVirtualization/Reader](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-reader) -- [ADMX_UserExperienceVirtualization/RepositoryTimeout](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-repositorytimeout) -- [ADMX_UserExperienceVirtualization/SettingsStoragePath](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-settingsstoragepath) -- [ADMX_UserExperienceVirtualization/SettingsTemplateCatalogPath](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-settingstemplatecatalogpath) -- [ADMX_UserExperienceVirtualization/Sports](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-sports) -- [ADMX_UserExperienceVirtualization/SyncEnabled](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-syncenabled) -- [ADMX_UserExperienceVirtualization/SyncOverMeteredNetwork](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-syncovermeterednetwork) -- [ADMX_UserExperienceVirtualization/SyncOverMeteredNetworkWhenRoaming](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-syncovermeterednetworkwhenroaming) -- [ADMX_UserExperienceVirtualization/SyncProviderPingEnabled](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-syncproviderpingenabled) -- [ADMX_UserExperienceVirtualization/SyncUnlistedWindows8Apps](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-syncunlistedwindows8apps) -- [ADMX_UserExperienceVirtualization/Travel](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-travel) -- [ADMX_UserExperienceVirtualization/TrayIconEnabled](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-trayiconenabled) -- [ADMX_UserExperienceVirtualization/Video](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-video) -- [ADMX_UserExperienceVirtualization/Weather](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-weather) -- [ADMX_UserExperienceVirtualization/Wordpad](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-wordpad) -- [ADMX_UserProfiles/CleanupProfiles](./policy-csp-admx-userprofiles.md#admx-userprofiles-cleanupprofiles) -- [ADMX_UserProfiles/DontForceUnloadHive](./policy-csp-admx-userprofiles.md#admx-userprofiles-dontforceunloadhive) -- [ADMX_UserProfiles/LeaveAppMgmtData](./policy-csp-admx-userprofiles.md#admx-userprofiles-leaveappmgmtdata) -- [ADMX_UserProfiles/LimitSize](./policy-csp-admx-userprofiles.md#admx-userprofiles-limitsize) -- [ADMX_UserProfiles/ProfileErrorAction](./policy-csp-admx-userprofiles.md#admx-userprofiles-profileerroraction) -- [ADMX_UserProfiles/SlowLinkTimeOut](./policy-csp-admx-userprofiles.md#admx-userprofiles-slowlinktimeout) -- [ADMX_UserProfiles/USER_HOME](./policy-csp-admx-userprofiles.md#admx-userprofiles-user-home) -- [ADMX_UserProfiles/UserInfoAccessAction](./policy-csp-admx-userprofiles.md#admx-userprofiles-userinfoaccessaction) -- [ADMX_W32Time/W32TIME_POLICY_CONFIG](./policy-csp-admx-w32time.md#admx-w32time-policy-config) -- [ADMX_W32Time/W32TIME_POLICY_CONFIGURE_NTPCLIENT](./policy-csp-admx-w32time.md#admx-w32time-policy-configure-ntpclient) -- [ADMX_W32Time/W32TIME_POLICY_ENABLE_NTPCLIENT](./policy-csp-admx-w32time.md#admx-w32time-policy-enable-ntpclient) -- [ADMX_W32Time/W32TIME_POLICY_ENABLE_NTPSERVER](./policy-csp-admx-w32time.md#admx-w32time-policy-enable-ntpserver) -- [ADMX_WCM/WCM_DisablePowerManagement](./policy-csp-admx-wcm.md#admx-wcm-wcm-disablepowermanagement) -- [ADMX_WCM/WCM_EnableSoftDisconnect](./policy-csp-admx-wcm.md#admx-wcm-wcm-enablesoftdisconnect) -- [ADMX_WCM/WCM_MinimizeConnections](./policy-csp-admx-wcm.md#admx-wcm-wcm-minimizeconnections) -- [ADMX_WDI/WdiDpsScenarioExecutionPolicy](./policy-csp-admx-wdi.md#admx-wdi-wdidpsscenarioexecutionpolicy) -- [ADMX_WDI/WdiDpsScenarioDataSizeLimitPolicy](./policy-csp-admx-wdi.md#admx-wdi-wdidpsscenariodatasizelimitpolicy) -- [ADMX_WinCal/TurnOffWinCal_1](./policy-csp-admx-wincal.md#admx-wincal-turnoffwincal-1) -- [ADMX_WinCal/TurnOffWinCal_2](./policy-csp-admx-wincal.md#admx-wincal-turnoffwincal-2) -- [ADMX_WindowsConnectNow/WCN_DisableWcnUi_1](./policy-csp-admx-windowsconnectnow.md#admx-windowsconnectnow-wcn-disablewcnui-1) -- [ADMX_WindowsConnectNow/WCN_DisableWcnUi_2](./policy-csp-admx-windowsconnectnow.md#admx-windowsconnectnow-wcn-disablewcnui-2) -- [ADMX_WindowsConnectNow/WCN_EnableRegistrar](./policy-csp-admx-windowsconnectnow.md#admx-windowsconnectnow-wcn-enableregistrar) -- [ADMX_WindowsExplorer/CheckSameSourceAndTargetForFRAndDFS](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-checksamesourceandtargetforfranddfs) -- [ADMX_WindowsExplorer/ClassicShell](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-classicshell) -- [ADMX_WindowsExplorer/ConfirmFileDelete](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-confirmfiledelete) -- [ADMX_WindowsExplorer/DefaultLibrariesLocation](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-defaultlibrarieslocation) -- [ADMX_WindowsExplorer/DisableBindDirectlyToPropertySetStorage](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-disablebinddirectlytopropertysetstorage) -- [ADMX_WindowsExplorer/DisableIndexedLibraryExperience](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-disableindexedlibraryexperience) -- [ADMX_WindowsExplorer/DisableKnownFolders](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-disableknownfolders) -- [ADMX_WindowsExplorer/DisableSearchBoxSuggestions](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-disablesearchboxsuggestions) -- [ADMX_WindowsExplorer/EnableShellShortcutIconRemotePath](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-enableshellshortcuticonremotepath) -- [ADMX_WindowsExplorer/EnableSmartScreen](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-enablesmartscreen) -- [ADMX_WindowsExplorer/EnforceShellExtensionSecurity](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-enforceshellextensionsecurity) -- [ADMX_WindowsExplorer/ExplorerRibbonStartsMinimized](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-explorerribbonstartsminimized) -- [ADMX_WindowsExplorer/HideContentViewModeSnippets](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-hidecontentviewmodesnippets) -- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Internet](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-internet) -- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_InternetLockdown](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-internetlockdown) -- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Intranet](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-intranet) -- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_IntranetLockdown](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-intranetlockdown) -- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_LocalMachine](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-localmachine) -- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_LocalMachineLockdown](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-localmachinelockdown) -- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Restricted](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-restricted) -- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_RestrictedLockdown](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-restrictedlockdown) -- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Trusted](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-trusted) -- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_TrustedLockdown](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-trustedlockdown) -- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Internet](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-internet) -- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_InternetLockdown](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-internetlockdown) -- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Intranet](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-intranet) -- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_IntranetLockdown](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-intranetlockdown) -- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_LocalMachine](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-localmachine) -- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_LocalMachineLockdown](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-localmachinelockdown) -- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Restricted](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-restricted) -- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_RestrictedLockdown](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-restrictedlockdown) -- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Trusted](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-trusted) -- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_TrustedLockdown](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-trustedlockdown) -- [ADMX_WindowsExplorer/LinkResolveIgnoreLinkInfo](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-linkresolveignorelinkinfo) -- [ADMX_WindowsExplorer/MaxRecentDocs](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-maxrecentdocs) -- [ADMX_WindowsExplorer/NoBackButton](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nobackbutton) -- [ADMX_WindowsExplorer/NoCDBurning](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nocdburning) -- [ADMX_WindowsExplorer/NoCacheThumbNailPictures](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nocachethumbnailpictures) -- [ADMX_WindowsExplorer/NoChangeAnimation](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nochangeanimation) -- [ADMX_WindowsExplorer/NoChangeKeyboardNavigationIndicators](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nochangekeyboardnavigationindicators) -- [ADMX_WindowsExplorer/NoDFSTab](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nodfstab) -- [ADMX_WindowsExplorer/NoDrives](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nodrives) -- [ADMX_WindowsExplorer/NoEntireNetwork](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-noentirenetwork) -- [ADMX_WindowsExplorer/NoFileMRU](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nofilemru) -- [ADMX_WindowsExplorer/NoFileMenu](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nofilemenu) -- [ADMX_WindowsExplorer/NoFolderOptions](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nofolderoptions) -- [ADMX_WindowsExplorer/NoHardwareTab](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nohardwaretab) -- [ADMX_WindowsExplorer/NoManageMyComputerVerb](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nomanagemycomputerverb) -- [ADMX_WindowsExplorer/NoMyComputerSharedDocuments](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nomycomputershareddocuments) -- [ADMX_WindowsExplorer/NoNetConnectDisconnect](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nonetconnectdisconnect) -- [ADMX_WindowsExplorer/NoNewAppAlert](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nonewappalert) -- [ADMX_WindowsExplorer/NoPlacesBar](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-noplacesbar) -- [ADMX_WindowsExplorer/NoRecycleFiles](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-norecyclefiles) -- [ADMX_WindowsExplorer/NoRunAsInstallPrompt](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-norunasinstallprompt) -- [ADMX_WindowsExplorer/NoSearchInternetTryHarderButton](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nosearchinternettryharderbutton) -- [ADMX_WindowsExplorer/NoSecurityTab](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nosecuritytab) -- [ADMX_WindowsExplorer/NoShellSearchButton](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-noshellsearchbutton) -- [ADMX_WindowsExplorer/NoStrCmpLogical](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nostrcmplogical) -- [ADMX_WindowsExplorer/NoViewContextMenu](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-noviewcontextmenu) -- [ADMX_WindowsExplorer/NoViewOnDrive](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-noviewondrive) -- [ADMX_WindowsExplorer/NoWindowsHotKeys](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nowindowshotkeys) -- [ADMX_WindowsExplorer/NoWorkgroupContents](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-noworkgroupcontents) -- [ADMX_WindowsExplorer/PlacesBar](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-placesbar) -- [ADMX_WindowsExplorer/PromptRunasInstallNetPath](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-promptrunasinstallnetpath) -- [ADMX_WindowsExplorer/RecycleBinSize](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-recyclebinsize) -- [ADMX_WindowsExplorer/ShellProtocolProtectedModeTitle_1](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-shellprotocolprotectedmodetitle-1) -- [ADMX_WindowsExplorer/ShellProtocolProtectedModeTitle_2](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-shellprotocolprotectedmodetitle-2) -- [ADMX_WindowsExplorer/ShowHibernateOption](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-showhibernateoption) -- [ADMX_WindowsExplorer/ShowSleepOption](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-showsleepoption) -- [ADMX_WindowsExplorer/TryHarderPinnedLibrary](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-tryharderpinnedlibrary) -- [ADMX_WindowsExplorer/TryHarderPinnedOpenSearch](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-tryharderpinnedopensearch) -- [ADMX_WindowsMediaDRM/DisableOnline](./policy-csp-admx-windowsmediadrm.md#admx-windowsmediadrm-disableonline) -- [ADMX_WindowsMediaPlayer/ConfigureHTTPProxySettings](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-configurehttpproxysettings) -- [ADMX_WindowsMediaPlayer/ConfigureMMSProxySettings](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-configuremmsproxysettings) -- [ADMX_WindowsMediaPlayer/ConfigureRTSPProxySettings](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-configurertspproxysettings) -- [ADMX_WindowsMediaPlayer/DisableAutoUpdate](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-disableautoupdate) -- [ADMX_WindowsMediaPlayer/DisableNetworkSettings](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-disablenetworksettings) -- [ADMX_WindowsMediaPlayer/DisableSetupFirstUseConfiguration](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-disablesetupfirstuseconfiguration) -- [ADMX_WindowsMediaPlayer/DoNotShowAnchor](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-donotshowanchor) -- [ADMX_WindowsMediaPlayer/DontUseFrameInterpolation](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-dontuseframeinterpolation) -- [ADMX_WindowsMediaPlayer/EnableScreenSaver](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-enablescreensaver) -- [ADMX_WindowsMediaPlayer/HidePrivacyTab](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-hideprivacytab) -- [ADMX_WindowsMediaPlayer/HideSecurityTab](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-hidesecuritytab) -- [ADMX_WindowsMediaPlayer/NetworkBuffering](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-networkbuffering) -- [ADMX_WindowsMediaPlayer/PolicyCodecUpdate](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-policycodecupdate) -- [ADMX_WindowsMediaPlayer/PreventCDDVDMetadataRetrieval](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-preventcddvdmetadataretrieval) -- [ADMX_WindowsMediaPlayer/PreventLibrarySharing](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-preventlibrarysharing) -- [ADMX_WindowsMediaPlayer/PreventMusicFileMetadataRetrieval](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-preventmusicfilemetadataretrieval) -- [ADMX_WindowsMediaPlayer/PreventQuickLaunchShortcut](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-preventquicklaunchshortcut) -- [ADMX_WindowsMediaPlayer/PreventRadioPresetsRetrieval](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-preventradiopresetsretrieval) -- [ADMX_WindowsMediaPlayer/PreventWMPDeskTopShortcut](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-preventwmpdesktopshortcut) -- [ADMX_WindowsMediaPlayer/SkinLockDown](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-skinlockdown) -- [ADMX_WindowsMediaPlayer/WindowsStreamingMediaProtocols](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-windowsstreamingmediaprotocols) -- [ADMX_WindowsRemoteManagement/DisallowKerberos_1](./policy-csp-admx-windowsremotemanagement.md#admx-windowsremotemanagement-disallowkerberos-1) -- [ADMX_WindowsRemoteManagement/DisallowKerberos_2](./policy-csp-admx-windowsremotemanagement.md#admx-windowsremotemanagement-disallowkerberos-2) -- [ADMX_WindowsStore/DisableAutoDownloadWin8](./policy-csp-admx-windowsstore.md#admx-windowsstore-disableautodownloadwin8) -- [ADMX_WindowsStore/DisableOSUpgrade_1](./policy-csp-admx-windowsstore.md#admx-windowsstore-disableosupgrade-1) -- [ADMX_WindowsStore/DisableOSUpgrade_2](./policy-csp-admx-windowsstore.md#admx-windowsstore-disableosupgrade-2) -- [ADMX_WindowsStore/RemoveWindowsStore_1](./policy-csp-admx-windowsstore.md#admx-windowsstore-removewindowsstore-1) -- [ADMX_WindowsStore/RemoveWindowsStore_2](./policy-csp-admx-windowsstore.md#admx-windowsstore-removewindowsstore-2) -- [ADMX_WinInit/DisableNamedPipeShutdownPolicyDescription](./policy-csp-admx-wininit.md#admx-wininit-disablenamedpipeshutdownpolicydescription) -- [ADMX_WinInit/Hiberboot](./policy-csp-admx-wininit.md#admx-wininit-hiberboot) -- [ADMX_WinInit/ShutdownTimeoutHungSessionsDescription](./policy-csp-admx-wininit.md#admx-wininit-shutdowntimeouthungsessionsdescription) -- [ADMX_WinLogon/CustomShell](./policy-csp-admx-winlogon.md#admx-winlogon-customshell) -- [ADMX_WinLogon/DisplayLastLogonInfoDescription](./policy-csp-admx-winlogon.md#admx-winlogon-displaylastlogoninfodescription) -- [ADMX_WinLogon/LogonHoursNotificationPolicyDescription](./policy-csp-admx-winlogon.md#admx-winlogon-logonhoursnotificationpolicydescription) -- [ADMX_WinLogon/LogonHoursPolicyDescription](./policy-csp-admx-winlogon.md#admx-winlogon-logonhourspolicydescription) -- [ADMX_WinLogon/ReportCachedLogonPolicyDescription](./policy-csp-admx-winlogon.md#admx-winlogon-reportcachedlogonpolicydescription) -- [ADMX_WinLogon/SoftwareSASGeneration](./policy-csp-admx-winlogon.md#admx-winlogon-softwaresasgeneration) -- [ADMX_Winsrv/AllowBlockingAppsAtShutdown](./policy-csp-admx-winsrv.md#admx-winsrv-allowblockingappsatshutdown) -- [ADMX_wlansvc/SetCost](./policy-csp-admx-wlansvc.md#admx-wlansvc-setcost) -- [ADMX_wlansvc/SetPINEnforced](./policy-csp-admx-wlansvc.md#admx-wlansvc-setpinenforced) -- [ADMX_wlansvc/SetPINPreferred](./policy-csp-admx-wlansvc.md#admx-wlansvc-setpinpreferred) -- [ADMX_WordWheel/CustomSearch](./policy-csp-admx-wordwheel.md#admx-wordwheel-customsearch) -- [ADMX_WorkFoldersClient/Pol_UserEnableTokenBroker](./policy-csp-admx-workfoldersclient.md#admx-workfoldersclient-pol_userenabletokenbroker) -- [ADMX_WorkFoldersClient/Pol_UserEnableWorkFolders](./policy-csp-admx-workfoldersclient.md#admx-workfoldersclient-pol_userenableworkfolders) -- [ADMX_WorkFoldersClient/Pol_MachineEnableWorkFolders](./policy-csp-admx-workfoldersclient.md#admx-workfoldersclient-pol_machineenableworkfolders) -- [ADMX_WPN/NoCallsDuringQuietHours](./policy-csp-admx-wpn.md#admx-wpn-nocallsduringquiethours) -- [ADMX_WPN/NoLockScreenToastNotification](./policy-csp-admx-wpn.md#admx-wpn-nolockscreentoastnotification) -- [ADMX_WPN/NoQuietHours](./policy-csp-admx-wpn.md#admx-wpn-noquiethours) -- [ADMX_WPN/NoToastNotification](./policy-csp-admx-wpn.md#admx-wpn-notoastnotification) -- [ADMX_WPN/QuietHoursDailyBeginMinute](./policy-csp-admx-wpn.md#admx-wpn-quiethoursdailybeginminute) -- [ADMX_WPN/QuietHoursDailyEndMinute](./policy-csp-admx-wpn.md#admx-wpn-quiethoursdailyendminute) -- [AppRuntime/AllowMicrosoftAccountsToBeOptional](./policy-csp-appruntime.md#appruntime-allowmicrosoftaccountstobeoptional) -- [AppVirtualization/AllowAppVClient](./policy-csp-appvirtualization.md#appvirtualization-allowappvclient) -- [AppVirtualization/AllowDynamicVirtualization](./policy-csp-appvirtualization.md#appvirtualization-allowdynamicvirtualization) -- [AppVirtualization/AllowPackageCleanup](./policy-csp-appvirtualization.md#appvirtualization-allowpackagecleanup) -- [AppVirtualization/AllowPackageScripts](./policy-csp-appvirtualization.md#appvirtualization-allowpackagescripts) -- [AppVirtualization/AllowPublishingRefreshUX](./policy-csp-appvirtualization.md#appvirtualization-allowpublishingrefreshux) -- [AppVirtualization/AllowReportingServer](./policy-csp-appvirtualization.md#appvirtualization-allowreportingserver) -- [AppVirtualization/AllowRoamingFileExclusions](./policy-csp-appvirtualization.md#appvirtualization-allowroamingfileexclusions) -- [AppVirtualization/AllowRoamingRegistryExclusions](./policy-csp-appvirtualization.md#appvirtualization-allowroamingregistryexclusions) -- [AppVirtualization/AllowStreamingAutoload](./policy-csp-appvirtualization.md#appvirtualization-allowstreamingautoload) -- [AppVirtualization/ClientCoexistenceAllowMigrationmode](./policy-csp-appvirtualization.md#appvirtualization-clientcoexistenceallowmigrationmode) -- [AppVirtualization/IntegrationAllowRootGlobal](./policy-csp-appvirtualization.md#appvirtualization-integrationallowrootglobal) -- [AppVirtualization/IntegrationAllowRootUser](./policy-csp-appvirtualization.md#appvirtualization-integrationallowrootuser) -- [AppVirtualization/PublishingAllowServer1](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver1) -- [AppVirtualization/PublishingAllowServer2](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver2) -- [AppVirtualization/PublishingAllowServer3](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver3) -- [AppVirtualization/PublishingAllowServer4](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver4) -- [AppVirtualization/PublishingAllowServer5](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver5) -- [AppVirtualization/StreamingAllowCertificateFilterForClient_SSL](./policy-csp-appvirtualization.md#appvirtualization-streamingallowcertificatefilterforclient-ssl) -- [AppVirtualization/StreamingAllowHighCostLaunch](./policy-csp-appvirtualization.md#appvirtualization-streamingallowhighcostlaunch) -- [AppVirtualization/StreamingAllowLocationProvider](./policy-csp-appvirtualization.md#appvirtualization-streamingallowlocationprovider) -- [AppVirtualization/StreamingAllowPackageInstallationRoot](./policy-csp-appvirtualization.md#appvirtualization-streamingallowpackageinstallationroot) -- [AppVirtualization/StreamingAllowPackageSourceRoot](./policy-csp-appvirtualization.md#appvirtualization-streamingallowpackagesourceroot) -- [AppVirtualization/StreamingAllowReestablishmentInterval](./policy-csp-appvirtualization.md#appvirtualization-streamingallowreestablishmentinterval) -- [AppVirtualization/StreamingAllowReestablishmentRetries](./policy-csp-appvirtualization.md#appvirtualization-streamingallowreestablishmentretries) -- [AppVirtualization/StreamingSharedContentStoreMode](./policy-csp-appvirtualization.md#appvirtualization-streamingsharedcontentstoremode) -- [AppVirtualization/StreamingSupportBranchCache](./policy-csp-appvirtualization.md#appvirtualization-streamingsupportbranchcache) -- [AppVirtualization/StreamingVerifyCertificateRevocationList](./policy-csp-appvirtualization.md#appvirtualization-streamingverifycertificaterevocationlist) -- [AppVirtualization/VirtualComponentsAllowList](./policy-csp-appvirtualization.md#appvirtualization-virtualcomponentsallowlist) -- [AttachmentManager/DoNotPreserveZoneInformation](./policy-csp-attachmentmanager.md#attachmentmanager-donotpreservezoneinformation) -- [AttachmentManager/HideZoneInfoMechanism](./policy-csp-attachmentmanager.md#attachmentmanager-hidezoneinfomechanism) -- [AttachmentManager/NotifyAntivirusPrograms](./policy-csp-attachmentmanager.md#attachmentmanager-notifyantivirusprograms) -- [Autoplay/DisallowAutoplayForNonVolumeDevices](./policy-csp-autoplay.md#autoplay-disallowautoplayfornonvolumedevices) -- [Autoplay/SetDefaultAutoRunBehavior](./policy-csp-autoplay.md#autoplay-setdefaultautorunbehavior) -- [Autoplay/TurnOffAutoPlay](./policy-csp-autoplay.md#autoplay-turnoffautoplay) -- [Cellular/ShowAppCellularAccessUI](./policy-csp-cellular.md#cellular-showappcellularaccessui) -- [Connectivity/DiablePrintingOverHTTP](./policy-csp-connectivity.md#connectivity-disableprintingoverhttp) -- [Connectivity/DisableDownloadingOfPrintDriversOverHTTP](./policy-csp-connectivity.md#connectivity-disabledownloadingofprintdriversoverhttp) -- [Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards](./policy-csp-connectivity.md#connectivity-disableinternetdownloadforwebpublishingandonlineorderingwizards) -- [Connectivity/HardenedUNCPaths](./policy-csp-connectivity.md#connectivity-hardeneduncpaths) -- [Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge](./policy-csp-connectivity.md#connectivity-prohibitinstallationandconfigurationofnetworkbridge) -- [CredentialProviders/AllowPINLogon](./policy-csp-credentialproviders.md#credentialproviders-allowpinlogon) -- [CredentialProviders/BlockPicturePassword](./policy-csp-credentialproviders.md#credentialproviders-blockpicturepassword) -- [CredentialsDelegation/RemoteHostAllowsDelegationOfNonExportableCredentials](./policy-csp-credentialsdelegation.md#credentialsdelegation-remotehostallowsdelegationofnonexportablecredentials) -- [CredentialsUI/DisablePasswordReveal](./policy-csp-credentialsui.md#credentialsui-disablepasswordreveal) -- [CredentialsUI/EnumerateAdministrators](./policy-csp-credentialsui.md#credentialsui-enumerateadministrators) -- [DataUsage/SetCost4G](./policy-csp-datausage.md#datausage-setcost4g) -- [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth) -- [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth) -- [Desktop/PreventUserRedirectionOfProfileFolders](./policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders) -- [DesktopAppInstaller/EnableAdditionalSources](./policy-csp-desktopappinstaller.md#desktopappinstaller-enableadditionalsources) -- [DesktopAppInstaller/EnableAppInstaller](./policy-csp-desktopappinstaller.md#desktopappinstaller-enableappinstaller) -- [DesktopAppInstaller/EnableLocalManifestFiles](./policy-csp-desktopappinstaller.md#desktopappinstaller-enablelocalmanifestfiles) -- [DesktopAppInstaller/EnableHashOverride](./policy-csp-desktopappinstaller.md#desktopappinstaller-enablehashoverride) -- [DesktopAppInstaller/EnableMicrosoftStoreSource](./policy-csp-desktopappinstaller.md#desktopappinstaller-enablemicrosoftstoresource) -- [DesktopAppInstaller/EnableMSAppInstallerProtocol](./policy-csp-desktopappinstaller.md#desktopappinstaller-enablemsappinstallerprotocol) -- [DesktopAppInstaller/EnableSettings](./policy-csp-desktopappinstaller.md#desktopappinstaller-enablesettings) -- [DesktopAppInstaller/EnableAllowedSources](./policy-csp-desktopappinstaller.md#desktopappinstaller-enableallowedsources) -- [DesktopAppInstaller/EnableExperimentalFeatures](./policy-csp-desktopappinstaller.md#desktopappinstaller-enableexperimentalfeatures) -- [DesktopAppInstaller/SourceAutoUpdateInterval](./policy-csp-desktopappinstaller.md#desktopappinstaller-sourceautoupdateinterval) -- [DeviceInstallation/AllowInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallationallowinstallationofmatchingdeviceids) -- [DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallationallowinstallationofmatchingdevicesetupclasses) -- [DeviceInstallation/PreventDeviceMetadataFromNetwork](./policy-csp-deviceinstallation.md#deviceinstallationpreventdevicemetadatafromnetwork) -- [DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](./policy-csp-deviceinstallation.md#deviceinstallationpreventinstallationofdevicesnotdescribedbyotherpolicysettings) -- [DeviceInstallation/PreventInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallationpreventinstallationofmatchingdeviceids) -- [DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallationpreventinstallationofmatchingdevicesetupclasses) -- [DeviceLock/PreventEnablingLockScreenCamera](./policy-csp-devicelock.md#devicelock-preventenablinglockscreencamera) -- [DeviceLock/PreventLockScreenSlideShow](./policy-csp-devicelock.md#devicelock-preventlockscreenslideshow) -- [ErrorReporting/CustomizeConsentSettings](./policy-csp-errorreporting.md#errorreporting-customizeconsentsettings) -- [ErrorReporting/DisableWindowsErrorReporting](./policy-csp-errorreporting.md#errorreporting-disablewindowserrorreporting) -- [ErrorReporting/DisplayErrorNotification](./policy-csp-errorreporting.md#errorreporting-displayerrornotification) -- [ErrorReporting/DoNotSendAdditionalData](./policy-csp-errorreporting.md#errorreporting-donotsendadditionaldata) -- [ErrorReporting/PreventCriticalErrorDisplay](./policy-csp-errorreporting.md#errorreporting-preventcriticalerrordisplay) -- [EventLogService/ControlEventLogBehavior](./policy-csp-eventlogservice.md#eventlogservice-controleventlogbehavior) -- [EventLogService/SpecifyMaximumFileSizeApplicationLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizeapplicationlog) -- [EventLogService/SpecifyMaximumFileSizeSecurityLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizesecuritylog) -- [EventLogService/SpecifyMaximumFileSizeSystemLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizesystemlog) -- [FileExplorer/TurnOffDataExecutionPreventionForExplorer](./policy-csp-fileexplorer.md#fileexplorer-turnoffdataexecutionpreventionforexplorer) -- [FileExplorer/TurnOffHeapTerminationOnCorruption](./policy-csp-fileexplorer.md#fileexplorer-turnoffheapterminationoncorruption) -- [InternetExplorer/AddSearchProvider](./policy-csp-internetexplorer.md#internetexplorer-addsearchprovider) -- [InternetExplorer/AllowActiveXFiltering](./policy-csp-internetexplorer.md#internetexplorer-allowactivexfiltering) -- [InternetExplorer/AllowAddOnList](./policy-csp-internetexplorer.md#internetexplorer-allowaddonlist) -- [InternetExplorer/AllowAutoComplete](./policy-csp-internetexplorer.md#internetexplorer-allowautocomplete) -- [InternetExplorer/AllowCertificateAddressMismatchWarning](./policy-csp-internetexplorer.md#internetexplorer-allowcertificateaddressmismatchwarning) -- [InternetExplorer/AllowDeletingBrowsingHistoryOnExit](./policy-csp-internetexplorer.md#internetexplorer-allowdeletingbrowsinghistoryonexit) -- [InternetExplorer/AllowEnhancedProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-allowenhancedprotectedmode) -- [InternetExplorer/AllowEnhancedSuggestionsInAddressBar](./policy-csp-internetexplorer.md#internetexplorer-allowenhancedsuggestionsinaddressbar) -- [InternetExplorer/AllowEnterpriseModeFromToolsMenu](./policy-csp-internetexplorer.md#internetexplorer-allowenterprisemodefromtoolsmenu) -- [InternetExplorer/AllowEnterpriseModeSiteList](./policy-csp-internetexplorer.md#internetexplorer-allowenterprisemodesitelist) -- [InternetExplorer/AllowFallbackToSSL3](./policy-csp-internetexplorer.md#internetexplorer-allowfallbacktossl3) -- [InternetExplorer/AllowInternetExplorer7PolicyList](./policy-csp-internetexplorer.md#internetexplorer-allowinternetexplorer7policylist) -- [InternetExplorer/AllowInternetExplorerStandardsMode](./policy-csp-internetexplorer.md#internetexplorer-allowinternetexplorerstandardsmode) -- [InternetExplorer/AllowInternetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowinternetzonetemplate) -- [InternetExplorer/AllowIntranetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowintranetzonetemplate) -- [InternetExplorer/AllowLocalMachineZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlocalmachinezonetemplate) -- [InternetExplorer/AllowLockedDownInternetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddowninternetzonetemplate) -- [InternetExplorer/AllowLockedDownIntranetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownintranetzonetemplate) -- [InternetExplorer/AllowLockedDownLocalMachineZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownlocalmachinezonetemplate) -- [InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownrestrictedsiteszonetemplate) -- [InternetExplorer/AllowOneWordEntry](./policy-csp-internetexplorer.md#internetexplorer-allowonewordentry) -- [InternetExplorer/AllowSiteToZoneAssignmentList](./policy-csp-internetexplorer.md#internetexplorer-allowsitetozoneassignmentlist) -- [InternetExplorer/AllowSoftwareWhenSignatureIsInvalid](./policy-csp-internetexplorer.md#internetexplorer-allowsoftwarewhensignatureisinvalid) -- [InternetExplorer/AllowSuggestedSites](./policy-csp-internetexplorer.md#internetexplorer-allowsuggestedsites) -- [InternetExplorer/AllowTrustedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowtrustedsiteszonetemplate) -- [InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowslockeddowntrustedsiteszonetemplate) -- [InternetExplorer/AllowsRestrictedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowsrestrictedsiteszonetemplate) -- [InternetExplorer/CheckServerCertificateRevocation](./policy-csp-internetexplorer.md#internetexplorer-checkservercertificaterevocation) -- [InternetExplorer/CheckSignaturesOnDownloadedPrograms](./policy-csp-internetexplorer.md#internetexplorer-checksignaturesondownloadedprograms) -- [InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-consistentmimehandlinginternetexplorerprocesses) -- [InternetExplorer/DisableActiveXVersionListAutoDownload](./policy-csp-internetexplorer.md#internetexplorer-disableactivexversionlistautodownload) -- [InternetExplorer/DisableAdobeFlash](./policy-csp-internetexplorer.md#internetexplorer-disableadobeflash) -- [InternetExplorer/DisableBypassOfSmartScreenWarnings](./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarnings) -- [InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles](./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarningsaboutuncommonfiles) -- [InternetExplorer/DisableCompatView](./policy-csp-internetexplorer.md#internetexplorer-disablecompatview) -- [InternetExplorer/DisableConfiguringHistory](./policy-csp-internetexplorer.md#internetexplorer-disableconfiguringhistory) -- [InternetExplorer/DisableCrashDetection](./policy-csp-internetexplorer.md#internetexplorer-disablecrashdetection) -- [InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation](./policy-csp-internetexplorer.md#internetexplorer-disablecustomerexperienceimprovementprogramparticipation) -- [InternetExplorer/DisableDeletingUserVisitedWebsites](./policy-csp-internetexplorer.md#internetexplorer-disabledeletinguservisitedwebsites) -- [InternetExplorer/DisableEnclosureDownloading](./policy-csp-internetexplorer.md#internetexplorer-disableenclosuredownloading) -- [InternetExplorer/DisableEncryptionSupport](./policy-csp-internetexplorer.md#internetexplorer-disableencryptionsupport) -- [InternetExplorer/DisableFeedsBackgroundSync](./policy-csp-internetexplorer.md#internetexplorer-disablefeedsbackgroundsync) -- [InternetExplorer/DisableFirstRunWizard](./policy-csp-internetexplorer.md#internetexplorer-disablefirstrunwizard) -- [InternetExplorer/DisableFlipAheadFeature](./policy-csp-internetexplorer.md#internetexplorer-disableflipaheadfeature) -- [InternetExplorer/DisableGeolocation](./policy-csp-internetexplorer.md#internetexplorer-disablegeolocation) -- [InternetExplorer/DisableHomePageChange](./policy-csp-internetexplorer.md#internetexplorer-disablehomepagechange) -- [InternetExplorer/DisableIgnoringCertificateErrors](./policy-csp-internetexplorer.md#internetexplorer-disableignoringcertificateerrors) -- [InternetExplorer/DisableInPrivateBrowsing](./policy-csp-internetexplorer.md#internetexplorer-disableinprivatebrowsing) -- [InternetExplorer/DisableProcessesInEnhancedProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-disableprocessesinenhancedprotectedmode) -- [InternetExplorer/DisableProxyChange](./policy-csp-internetexplorer.md#internetexplorer-disableproxychange) -- [InternetExplorer/DisableSearchProviderChange](./policy-csp-internetexplorer.md#internetexplorer-disablesearchproviderchange) -- [InternetExplorer/DisableSecondaryHomePageChange](./policy-csp-internetexplorer.md#internetexplorer-disablesecondaryhomepagechange) -- [InternetExplorer/DisableSecuritySettingsCheck](./policy-csp-internetexplorer.md#internetexplorer-disablesecuritysettingscheck) -- [InternetExplorer/DisableUpdateCheck](./policy-csp-internetexplorer.md#internetexplorer-disableupdatecheck) -- [InternetExplorer/DisableWebAddressAutoComplete](./policy-csp-internetexplorer.md#internetexplorer-disablewebaddressautocomplete) -- [InternetExplorer/DoNotAllowActiveXControlsInProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-donotallowactivexcontrolsinprotectedmode) -- [InternetExplorer/DoNotAllowUsersToAddSites](./policy-csp-internetexplorer.md#internetexplorer-donotallowuserstoaddsites) -- [InternetExplorer/DoNotAllowUsersToChangePolicies](./policy-csp-internetexplorer.md#internetexplorer-donotallowuserstochangepolicies) -- [InternetExplorer/DoNotBlockOutdatedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-donotblockoutdatedactivexcontrols) -- [InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains](./policy-csp-internetexplorer.md#internetexplorer-donotblockoutdatedactivexcontrolsonspecificdomains) -- [InternetExplorer/IncludeAllLocalSites](./policy-csp-internetexplorer.md#internetexplorer-includealllocalsites) -- [InternetExplorer/IncludeAllNetworkPaths](./policy-csp-internetexplorer.md#internetexplorer-includeallnetworkpaths) -- [InternetExplorer/InternetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowaccesstodatasources) -- [InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowautomaticpromptingforactivexcontrols) -- [InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowautomaticpromptingforfiledownloads) -- [InternetExplorer/InternetZoneAllowCopyPasteViaScript](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowcopypasteviascript) -- [InternetExplorer/InternetZoneAllowDragAndDropCopyAndPasteFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowdraganddropcopyandpastefiles) -- [InternetExplorer/InternetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowfontdownloads) -- [InternetExplorer/InternetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowlessprivilegedsites) -- [InternetExplorer/InternetZoneAllowLoadingOfXAMLFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowloadingofxamlfiles) -- [InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallownetframeworkreliantcomponents) -- [InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowonlyapproveddomainstouseactivexcontrols) -- [InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowonlyapproveddomainstousetdcactivexcontrol) -- [InternetExplorer/InternetZoneAllowScriptInitiatedWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptinitiatedwindows) -- [InternetExplorer/InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptingofinternetexplorerwebbrowsercontrols) -- [InternetExplorer/InternetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptlets) -- [InternetExplorer/InternetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowsmartscreenie) -- [InternetExplorer/InternetZoneAllowUpdatesToStatusBarViaScript](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowupdatestostatusbarviascript) -- [InternetExplorer/InternetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowuserdatapersistence) -- [InternetExplorer/InternetZoneAllowVBScriptToRunInInternetExplorer](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowvbscripttorunininternetexplorer) -- [InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedonotrunantimalwareagainstactivexcontrols) -- [InternetExplorer/InternetZoneDownloadSignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedownloadsignedactivexcontrols) -- [InternetExplorer/InternetZoneDownloadUnsignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedownloadunsignedactivexcontrols) -- [InternetExplorer/InternetZoneEnableCrossSiteScriptingFilter](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenablecrosssitescriptingfilter) -- [InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenabledraggingofcontentfromdifferentdomainsacrosswindows) -- [InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenabledraggingofcontentfromdifferentdomainswithinwindows) -- [InternetExplorer/InternetZoneEnableMIMESniffing](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenablemimesniffing) -- [InternetExplorer/InternetZoneEnableProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenableprotectedmode) -- [InternetExplorer/InternetZoneIncludeLocalPathWhenUploadingFilesToServer](./policy-csp-internetexplorer.md#internetexplorer-internetzoneincludelocalpathwhenuploadingfilestoserver) -- [InternetExplorer/InternetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneinitializeandscriptactivexcontrols) -- [InternetExplorer/InternetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-internetzonejavapermissions) -- [InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME](./policy-csp-internetexplorer.md#internetexplorer-internetzonelaunchingapplicationsandfilesiniframe) -- [InternetExplorer/InternetZoneLogonOptions](./policy-csp-internetexplorer.md#internetexplorer-internetzonelogonoptions) -- [InternetExplorer/InternetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-internetzonenavigatewindowsandframes) -- [InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](./policy-csp-internetexplorer.md#internetexplorer-internetzonerunnetframeworkreliantcomponentssignedwithauthenticode) -- [InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneshowsecuritywarningforpotentiallyunsafefiles) -- [InternetExplorer/InternetZoneUsePopupBlocker](./policy-csp-internetexplorer.md#internetexplorer-internetzoneusepopupblocker) -- [InternetExplorer/IntranetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowaccesstodatasources) -- [InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowautomaticpromptingforactivexcontrols) -- [InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowautomaticpromptingforfiledownloads) -- [InternetExplorer/IntranetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowfontdownloads) -- [InternetExplorer/IntranetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowlessprivilegedsites) -- [InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallownetframeworkreliantcomponents) -- [InternetExplorer/IntranetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowscriptlets) -- [InternetExplorer/IntranetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowsmartscreenie) -- [InternetExplorer/IntranetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowuserdatapersistence) -- [InternetExplorer/IntranetZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzonedonotrunantimalwareagainstactivexcontrols) -- [InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneinitializeandscriptactivexcontrols) -- [InternetExplorer/IntranetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-intranetzonejavapermissions) -- [InternetExplorer/IntranetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-intranetzonenavigatewindowsandframes) -- [InternetExplorer/LocalMachineZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowaccesstodatasources) -- [InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowautomaticpromptingforactivexcontrols) -- [InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowautomaticpromptingforfiledownloads) -- [InternetExplorer/LocalMachineZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowfontdownloads) -- [InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowlessprivilegedsites) -- [InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallownetframeworkreliantcomponents) -- [InternetExplorer/LocalMachineZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowscriptlets) -- [InternetExplorer/LocalMachineZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowsmartscreenie) -- [InternetExplorer/LocalMachineZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowuserdatapersistence) -- [InternetExplorer/LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonedonotrunantimalwareagainstactivexcontrols) -- [InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneinitializeandscriptactivexcontrols) -- [InternetExplorer/LocalMachineZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonejavapermissions) -- [InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonenavigatewindowsandframes) -- [InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowaccesstodatasources) -- [InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowautomaticpromptingforactivexcontrols) -- [InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowautomaticpromptingforfiledownloads) -- [InternetExplorer/LockedDownInternetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowfontdownloads) -- [InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowlessprivilegedsites) -- [InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallownetframeworkreliantcomponents) -- [InternetExplorer/LockedDownInternetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowscriptlets) -- [InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowsmartscreenie) -- [InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowuserdatapersistence) -- [InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneinitializeandscriptactivexcontrols) -- [InternetExplorer/LockedDownInternetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzonejavapermissions) -- [InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzonenavigatewindowsandframes) -- [InternetExplorer/LockedDownIntranetJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetjavapermissions) -- [InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowaccesstodatasources) -- [InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowautomaticpromptingforactivexcontrols) -- [InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowautomaticpromptingforfiledownloads) -- [InternetExplorer/LockedDownIntranetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowfontdownloads) -- [InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowlessprivilegedsites) -- [InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallownetframeworkreliantcomponents) -- [InternetExplorer/LockedDownIntranetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowscriptlets) -- [InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowsmartscreenie) -- [InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowuserdatapersistence) -- [InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneinitializeandscriptactivexcontrols) -- [InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzonenavigatewindowsandframes) -- [InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowaccesstodatasources) -- [InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowautomaticpromptingforactivexcontrols) -- [InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowautomaticpromptingforfiledownloads) -- [InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowfontdownloads) -- [InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowlessprivilegedsites) -- [InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallownetframeworkreliantcomponents) -- [InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowscriptlets) -- [InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowsmartscreenie) -- [InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowuserdatapersistence) -- [InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneinitializeandscriptactivexcontrols) -- [InternetExplorer/LockedDownLocalMachineZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezonejavapermissions) -- [InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezonenavigatewindowsandframes) -- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowaccesstodatasources) -- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowautomaticpromptingforactivexcontrols) -- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowautomaticpromptingforfiledownloads) -- [InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowfontdownloads) -- [InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowlessprivilegedsites) -- [InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallownetframeworkreliantcomponents) -- [InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowscriptlets) -- [InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowsmartscreenie) -- [InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowuserdatapersistence) -- [InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneinitializeandscriptactivexcontrols) -- [InternetExplorer/LockedDownRestrictedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszonejavapermissions) -- [InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszonenavigatewindowsandframes) -- [InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowaccesstodatasources) -- [InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowautomaticpromptingforactivexcontrols) -- [InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowautomaticpromptingforfiledownloads) -- [InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowfontdownloads) -- [InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowlessprivilegedsites) -- [InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallownetframeworkreliantcomponents) -- [InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowscriptlets) -- [InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowsmartscreenie) -- [InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowuserdatapersistence) -- [InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneinitializeandscriptactivexcontrols) -- [InternetExplorer/LockedDownTrustedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszonejavapermissions) -- [InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszonenavigatewindowsandframes) -- [InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-mkprotocolsecurityrestrictioninternetexplorerprocesses) -- [InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-mimesniffingsafetyfeatureinternetexplorerprocesses) -- [InternetExplorer/NewTabDefaultPage](./policy-csp-internetexplorer.md#internetexplorer-newtabdefaultpage) -- [InternetExplorer/NotificationBarInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-notificationbarinternetexplorerprocesses) -- [InternetExplorer/PreventManagingSmartScreenFilter](./policy-csp-internetexplorer.md#internetexplorer-preventmanagingsmartscreenfilter) -- [InternetExplorer/PreventPerUserInstallationOfActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-preventperuserinstallationofactivexcontrols) -- [InternetExplorer/ProtectionFromZoneElevationInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-protectionfromzoneelevationinternetexplorerprocesses) -- [InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-removerunthistimebuttonforoutdatedactivexcontrols) -- [InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-restrictactivexinstallinternetexplorerprocesses) -- [InternetExplorer/RestrictFileDownloadInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-restrictfiledownloadinternetexplorerprocesses) -- [InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowaccesstodatasources) -- [InternetExplorer/RestrictedSitesZoneAllowActiveScripting](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowactivescripting) -- [InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowautomaticpromptingforactivexcontrols) -- [InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowautomaticpromptingforfiledownloads) -- [InternetExplorer/RestrictedSitesZoneAllowBinaryAndScriptBehaviors](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowbinaryandscriptbehaviors) -- [InternetExplorer/RestrictedSitesZoneAllowCopyPasteViaScript](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowcopypasteviascript) -- [InternetExplorer/RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowdraganddropcopyandpastefiles) -- [InternetExplorer/RestrictedSitesZoneAllowFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowfiledownloads) -- [InternetExplorer/RestrictedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowfontdownloads) -- [InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowlessprivilegedsites) -- [InternetExplorer/RestrictedSitesZoneAllowLoadingOfXAMLFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowloadingofxamlfiles) -- [InternetExplorer/RestrictedSitesZoneAllowMETAREFRESH](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowmetarefresh) -- [InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallownetframeworkreliantcomponents) -- [InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowonlyapproveddomainstouseactivexcontrols) -- [InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowonlyapproveddomainstousetdcactivexcontrol) -- [InternetExplorer/RestrictedSitesZoneAllowScriptInitiatedWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptinitiatedwindows) -- [InternetExplorer/RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptingofinternetexplorerwebbrowsercontrols) -- [InternetExplorer/RestrictedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptlets) -- [InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowsmartscreenie) -- [InternetExplorer/RestrictedSitesZoneAllowUpdatesToStatusBarViaScript](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowupdatestostatusbarviascript) -- [InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowuserdatapersistence) -- [InternetExplorer/RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowvbscripttorunininternetexplorer) -- [InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedonotrunantimalwareagainstactivexcontrols) -- [InternetExplorer/RestrictedSitesZoneDownloadSignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedownloadsignedactivexcontrols) -- [InternetExplorer/RestrictedSitesZoneDownloadUnsignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedownloadunsignedactivexcontrols) -- [InternetExplorer/RestrictedSitesZoneEnableCrossSiteScriptingFilter](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenablecrosssitescriptingfilter) -- [InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenabledraggingofcontentfromdifferentdomainsacrosswindows) -- [InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenabledraggingofcontentfromdifferentdomainswithinwindows) -- [InternetExplorer/RestrictedSitesZoneEnableMIMESniffing](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenablemimesniffing) -- [InternetExplorer/RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneincludelocalpathwhenuploadingfilestoserver) -- [InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneinitializeandscriptactivexcontrols) -- [InternetExplorer/RestrictedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonejavapermissions) -- [InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonelaunchingapplicationsandfilesiniframe) -- [InternetExplorer/RestrictedSitesZoneLogonOptions](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonelogonoptions) -- [InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonenavigatewindowsandframes) -- [InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonerunactivexcontrolsandplugins) -- [InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonerunnetframeworkreliantcomponentssignedwithauthenticode) -- [InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonescriptactivexcontrolsmarkedsafeforscripting) -- [InternetExplorer/RestrictedSitesZoneScriptingOfJavaApplets](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonescriptingofjavaapplets) -- [InternetExplorer/RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneshowsecuritywarningforpotentiallyunsafefiles) -- [InternetExplorer/RestrictedSitesZoneTurnOnProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneturnonprotectedmode) -- [InternetExplorer/RestrictedSitesZoneUsePopupBlocker](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneusepopupblocker) -- [InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-scriptedwindowsecurityrestrictionsinternetexplorerprocesses) -- [InternetExplorer/SearchProviderList](./policy-csp-internetexplorer.md#internetexplorer-searchproviderlist) -- [InternetExplorer/SecurityZonesUseOnlyMachineSettings](./policy-csp-internetexplorer.md#internetexplorer-securityzonesuseonlymachinesettings) -- [InternetExplorer/SpecifyUseOfActiveXInstallerService](./policy-csp-internetexplorer.md#internetexplorer-specifyuseofactivexinstallerservice) -- [InternetExplorer/TrustedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowaccesstodatasources) -- [InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowautomaticpromptingforactivexcontrols) -- [InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowautomaticpromptingforfiledownloads) -- [InternetExplorer/TrustedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowfontdownloads) -- [InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowlessprivilegedsites) -- [InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallownetframeworkreliantcomponents) -- [InternetExplorer/TrustedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowscriptlets) -- [InternetExplorer/TrustedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowsmartscreenie) -- [InternetExplorer/TrustedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowuserdatapersistence) -- [InternetExplorer/TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonedonotrunantimalwareagainstactivexcontrols) -- [InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneinitializeandscriptactivexcontrols) -- [InternetExplorer/TrustedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonejavapermissions) -- [InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonenavigatewindowsandframes) -- [Kerberos/AllowForestSearchOrder](./policy-csp-kerberos.md#kerberos-allowforestsearchorder) -- [Kerberos/KerberosClientSupportsClaimsCompoundArmor](./policy-csp-kerberos.md#kerberos-kerberosclientsupportsclaimscompoundarmor) -- [Kerberos/RequireKerberosArmoring](./policy-csp-kerberos.md#kerberos-requirekerberosarmoring) -- [Kerberos/RequireStrictKDCValidation](./policy-csp-kerberos.md#kerberos-requirestrictkdcvalidation) -- [Kerberos/SetMaximumContextTokenSize](./policy-csp-kerberos.md#kerberos-setmaximumcontexttokensize) -- [MSSLegacy/AllowICMPRedirectsToOverrideOSPFGeneratedRoutes](./policy-csp-msslegacy.md#msslegacy-allowicmpredirectstooverrideospfgeneratedroutes) -- [MSSLegacy/AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers](./policy-csp-msslegacy.md#msslegacy-allowthecomputertoignorenetbiosnamereleaserequestsexceptfromwinsservers) -- [MSSLegacy/IPSourceRoutingProtectionLevel](./policy-csp-msslegacy.md#msslegacy-ipsourceroutingprotectionlevel) -- [MSSLegacy/IPv6SourceRoutingProtectionLevel](./policy-csp-msslegacy.md#msslegacy-ipv6sourceroutingprotectionlevel) -- [MSSecurityGuide/ApplyUACRestrictionsToLocalAccountsOnNetworkLogon](./policy-csp-mssecurityguide.md#mssecurityguide-applyuacrestrictionstolocalaccountsonnetworklogon) -- [MSSecurityGuide/ConfigureSMBV1ClientDriver](./policy-csp-mssecurityguide.md#mssecurityguide-configuresmbv1clientdriver) -- [MSSecurityGuide/ConfigureSMBV1Server](./policy-csp-mssecurityguide.md#mssecurityguide-configuresmbv1server) -- [MSSecurityGuide/EnableStructuredExceptionHandlingOverwriteProtection](./policy-csp-mssecurityguide.md#mssecurityguide-enablestructuredexceptionhandlingoverwriteprotection) -- [MSSecurityGuide/TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications](./policy-csp-mssecurityguide.md#mssecurityguide-turnonwindowsdefenderprotectionagainstpotentiallyunwantedapplications) -- [MSSecurityGuide/WDigestAuthentication](./policy-csp-mssecurityguide.md#mssecurityguide-wdigestauthentication) -- [Power/AllowStandbyStatesWhenSleepingOnBattery](./policy-csp-power.md#power-allowstandbystateswhensleepingonbattery) -- [Power/AllowStandbyWhenSleepingPluggedIn](./policy-csp-power.md#power-allowstandbywhensleepingpluggedin) -- [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#power-displayofftimeoutonbattery) -- [Power/DisplayOffTimeoutPluggedIn](./policy-csp-power.md#power-displayofftimeoutpluggedin) -- [Power/HibernateTimeoutOnBattery](./policy-csp-power.md#power-hibernatetimeoutonbattery) -- [Power/HibernateTimeoutPluggedIn](./policy-csp-power.md#power-hibernatetimeoutpluggedin) -- [Power/RequirePasswordWhenComputerWakesOnBattery](./policy-csp-power.md#power-requirepasswordwhencomputerwakesonbattery) -- [Power/RequirePasswordWhenComputerWakesPluggedIn](./policy-csp-power.md#power-requirepasswordwhencomputerwakespluggedin) -- [Power/StandbyTimeoutOnBattery](./policy-csp-power.md#power-standbytimeoutonbattery) -- [Power/StandbyTimeoutPluggedIn](./policy-csp-power.md#power-standbytimeoutpluggedin) -- [Printers/PointAndPrintRestrictions](./policy-csp-printers.md#printers-pointandprintrestrictions) -- [Printers/PointAndPrintRestrictions_User](./policy-csp-printers.md#printers-pointandprintrestrictions-user) -- [Printers/PublishPrinters](./policy-csp-printers.md#printers-publishprinters) -- [RemoteAssistance/CustomizeWarningMessages](./policy-csp-remoteassistance.md#remoteassistance-customizewarningmessages) -- [RemoteAssistance/SessionLogging](./policy-csp-remoteassistance.md#remoteassistance-sessionlogging) -- [RemoteAssistance/SolicitedRemoteAssistance](./policy-csp-remoteassistance.md#remoteassistance-solicitedremoteassistance) -- [RemoteAssistance/UnsolicitedRemoteAssistance](./policy-csp-remoteassistance.md#remoteassistance-unsolicitedremoteassistance) -- [RemoteDesktopServices/AllowUsersToConnectRemotely](./policy-csp-remotedesktopservices.md#remotedesktopservices-allowuserstoconnectremotely) -- [RemoteDesktopServices/ClientConnectionEncryptionLevel](./policy-csp-remotedesktopservices.md#remotedesktopservices-clientconnectionencryptionlevel) -- [RemoteDesktopServices/DoNotAllowDriveRedirection](./policy-csp-remotedesktopservices.md#remotedesktopservices-donotallowdriveredirection) -- [RemoteDesktopServices/DoNotAllowPasswordSaving](./policy-csp-remotedesktopservices.md#remotedesktopservices-donotallowpasswordsaving) -- [RemoteDesktopServices/PromptForPasswordUponConnection](./policy-csp-remotedesktopservices.md#remotedesktopservices-promptforpassworduponconnection) -- [RemoteDesktopServices/RequireSecureRPCCommunication](./policy-csp-remotedesktopservices.md#remotedesktopservices-requiresecurerpccommunication) -- [RemoteManagement/AllowBasicAuthentication_Client](./policy-csp-remotemanagement.md#remotemanagement-allowbasicauthentication-client) -- [RemoteManagement/AllowBasicAuthentication_Service](./policy-csp-remotemanagement.md#remotemanagement-allowbasicauthentication-service) -- [RemoteManagement/AllowCredSSPAuthenticationClient](./policy-csp-remotemanagement.md#remotemanagement-allowcredsspauthenticationclient) -- [RemoteManagement/AllowCredSSPAuthenticationService](./policy-csp-remotemanagement.md#remotemanagement-allowcredsspauthenticationservice) -- [RemoteManagement/AllowRemoteServerManagement](./policy-csp-remotemanagement.md#remotemanagement-allowremoteservermanagement) -- [RemoteManagement/AllowUnencryptedTraffic_Client](./policy-csp-remotemanagement.md#remotemanagement-allowunencryptedtraffic-client) -- [RemoteManagement/AllowUnencryptedTraffic_Service](./policy-csp-remotemanagement.md#remotemanagement-allowunencryptedtraffic-service) -- [RemoteManagement/DisallowDigestAuthentication](./policy-csp-remotemanagement.md#remotemanagement-disallowdigestauthentication) -- [RemoteManagement/DisallowNegotiateAuthenticationClient](./policy-csp-remotemanagement.md#remotemanagement-disallownegotiateauthenticationclient) -- [RemoteManagement/DisallowNegotiateAuthenticationService](./policy-csp-remotemanagement.md#remotemanagement-disallownegotiateauthenticationservice) -- [RemoteManagement/DisallowStoringOfRunAsCredentials](./policy-csp-remotemanagement.md#remotemanagement-disallowstoringofrunascredentials) -- [RemoteManagement/SpecifyChannelBindingTokenHardeningLevel](./policy-csp-remotemanagement.md#remotemanagement-specifychannelbindingtokenhardeninglevel) -- [RemoteManagement/TrustedHosts](./policy-csp-remotemanagement.md#remotemanagement-trustedhosts) -- [RemoteManagement/TurnOnCompatibilityHTTPListener](./policy-csp-remotemanagement.md#remotemanagement-turnoncompatibilityhttplistener) -- [RemoteManagement/TurnOnCompatibilityHTTPSListener](./policy-csp-remotemanagement.md#remotemanagement-turnoncompatibilityhttpslistener) -- [RemoteProcedureCall/RPCEndpointMapperClientAuthentication](./policy-csp-remoteprocedurecall.md#remoteprocedurecall-rpcendpointmapperclientauthentication) -- [RemoteProcedureCall/RestrictUnauthenticatedRPCClients](./policy-csp-remoteprocedurecall.md#remoteprocedurecall-restrictunauthenticatedrpcclients) -- [RemoteShell/AllowRemoteShellAccess](./policy-csp-remoteshell.md#remoteshell-allowremoteshellaccess) -- [RemoteShell/MaxConcurrentUsers](./policy-csp-remoteshell.md#remoteshell-maxconcurrentusers) -- [RemoteShell/SpecifyIdleTimeout](./policy-csp-remoteshell.md#remoteshell-specifyidletimeout) -- [RemoteShell/SpecifyMaxMemory](./policy-csp-remoteshell.md#remoteshell-specifymaxmemory) -- [RemoteShell/SpecifyMaxProcesses](./policy-csp-remoteshell.md#remoteshell-specifymaxprocesses) -- [RemoteShell/SpecifyMaxRemoteShells](./policy-csp-remoteshell.md#remoteshell-specifymaxremoteshells) -- [RemoteShell/SpecifyShellTimeout](./policy-csp-remoteshell.md#remoteshell-specifyshelltimeout) -- [ServiceControlManager/SvchostProcessMitigation](./policy-csp-servicecontrolmanager.md#servicecontrolmanager-svchostprocessmitigation) -- [Storage/EnhancedStorageDevices](./policy-csp-storage.md#storage-enhancedstoragedevices) -- [System/BootStartDriverInitialization](./policy-csp-system.md#system-bootstartdriverinitialization) -- [System/DisableSystemRestore](./policy-csp-system.md#system-disablesystemrestore) -- [WindowsConnectionManager/ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork](./policy-csp-windowsconnectionmanager.md#windowsconnectionmanager-prohitconnectiontonondomainnetworkswhenconnectedtodomainauthenticatednetwork) -- [WindowsLogon/AllowAutomaticRestartSignOn](./policy-csp-windowslogon.md#windowslogon-allowautomaticrestartsignon) -- [WindowsLogon/ConfigAutomaticRestartSignOn](./policy-csp-windowslogon.md#windowslogon-configautomaticrestartsignon) -- [WindowsLogon/DisableLockScreenAppNotifications](./policy-csp-windowslogon.md#windowslogon-disablelockscreenappnotifications) -- [WindowsLogon/DontDisplayNetworkSelectionUI](./policy-csp-windowslogon.md#windowslogon-dontdisplaynetworkselectionui) -- [WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers](./policy-csp-windowslogon.md#windowslogon-enumeratelocalusersondomainjoinedcomputers) -- [WindowsPowerShell/TurnOnPowerShellScriptBlockLogging](./policy-csp-windowspowershell.md#windowspowershell-turnonpowershellscriptblocklogging) +This article lists the ADMX-backed policies in Policy CSP. -## Related topics +## ActiveXControls -[Policy CSP](policy-configuration-service-provider.md) +- [ApprovedInstallationSites](policy-csp-activexcontrols.md) + +## ADMX_ActiveXInstallService + +- [AxISURLZonePolicies](policy-csp-admx-activexinstallservice.md) + +## ADMX_AddRemovePrograms + +- [NoServices](policy-csp-admx-addremoveprograms.md) +- [NoAddPage](policy-csp-admx-addremoveprograms.md) +- [NoWindowsSetupPage](policy-csp-admx-addremoveprograms.md) +- [NoRemovePage](policy-csp-admx-addremoveprograms.md) +- [NoAddFromCDorFloppy](policy-csp-admx-addremoveprograms.md) +- [NoAddFromInternet](policy-csp-admx-addremoveprograms.md) +- [NoAddFromNetwork](policy-csp-admx-addremoveprograms.md) +- [NoChooseProgramsPage](policy-csp-admx-addremoveprograms.md) +- [NoAddRemovePrograms](policy-csp-admx-addremoveprograms.md) +- [NoSupportInfo](policy-csp-admx-addremoveprograms.md) +- [DefaultCategory](policy-csp-admx-addremoveprograms.md) + +## ADMX_AdmPwd + +- [POL_AdmPwd_DontAllowPwdExpirationBehindPolicy](policy-csp-admx-admpwd.md) +- [POL_AdmPwd_Enabled](policy-csp-admx-admpwd.md) +- [POL_AdmPwd_AdminName](policy-csp-admx-admpwd.md) +- [POL_AdmPwd](policy-csp-admx-admpwd.md) + +## ADMX_AppCompat + +- [AppCompatTurnOffProgramCompatibilityAssistant_1](policy-csp-admx-appcompat.md) +- [AppCompatPrevent16BitMach](policy-csp-admx-appcompat.md) +- [AppCompatRemoveProgramCompatPropPage](policy-csp-admx-appcompat.md) +- [AppCompatTurnOffEngine](policy-csp-admx-appcompat.md) +- [AppCompatTurnOffApplicationImpactTelemetry](policy-csp-admx-appcompat.md) +- [AppCompatTurnOffProgramInventory](policy-csp-admx-appcompat.md) +- [AppCompatTurnOffProgramCompatibilityAssistant_2](policy-csp-admx-appcompat.md) +- [AppCompatTurnOffUserActionRecord](policy-csp-admx-appcompat.md) +- [AppCompatTurnOffSwitchBack](policy-csp-admx-appcompat.md) + +## ADMX_AppxPackageManager + +- [AllowDeploymentInSpecialProfiles](policy-csp-admx-appxpackagemanager.md) + +## ADMX_AppXRuntime + +- [AppxRuntimeBlockFileElevation](policy-csp-admx-appxruntime.md) +- [AppxRuntimeBlockProtocolElevation](policy-csp-admx-appxruntime.md) +- [AppxRuntimeBlockFileElevation](policy-csp-admx-appxruntime.md) +- [AppxRuntimeBlockProtocolElevation](policy-csp-admx-appxruntime.md) +- [AppxRuntimeBlockHostedAppAccessWinRT](policy-csp-admx-appxruntime.md) +- [AppxRuntimeApplicationContentUriRules](policy-csp-admx-appxruntime.md) + +## ADMX_AttachmentManager + +- [AM_SetFileRiskLevel](policy-csp-admx-attachmentmanager.md) +- [AM_SetHighRiskInclusion](policy-csp-admx-attachmentmanager.md) +- [AM_SetLowRiskInclusion](policy-csp-admx-attachmentmanager.md) +- [AM_SetModRiskInclusion](policy-csp-admx-attachmentmanager.md) +- [AM_EstimateFileHandlerRisk](policy-csp-admx-attachmentmanager.md) + +## ADMX_AuditSettings + +- [IncludeCmdLine](policy-csp-admx-auditsettings.md) + +## ADMX_Bits + +- [BITS_EnablePeercaching](policy-csp-admx-bits.md) +- [BITS_DisableBranchCache](policy-csp-admx-bits.md) +- [BITS_DisablePeercachingClient](policy-csp-admx-bits.md) +- [BITS_DisablePeercachingServer](policy-csp-admx-bits.md) +- [BITS_MaxContentAge](policy-csp-admx-bits.md) +- [BITS_MaxCacheSize](policy-csp-admx-bits.md) +- [BITS_MaxDownloadTime](policy-csp-admx-bits.md) +- [BITS_MaxBandwidthServedForPeers](policy-csp-admx-bits.md) +- [BITS_MaxJobsPerUser](policy-csp-admx-bits.md) +- [BITS_MaxJobsPerMachine](policy-csp-admx-bits.md) +- [BITS_MaxFilesPerJob](policy-csp-admx-bits.md) +- [BITS_MaxRangesPerFile](policy-csp-admx-bits.md) +- [BITS_MaxBandwidthV2_Maintenance](policy-csp-admx-bits.md) +- [BITS_MaxBandwidthV2_Work](policy-csp-admx-bits.md) + +## ADMX_CipherSuiteOrder + +- [SSLCurveOrder](policy-csp-admx-ciphersuiteorder.md) +- [SSLCipherSuiteOrder](policy-csp-admx-ciphersuiteorder.md) + +## ADMX_COM + +- [AppMgmt_COM_SearchForCLSID_1](policy-csp-admx-com.md) +- [AppMgmt_COM_SearchForCLSID_2](policy-csp-admx-com.md) + +## ADMX_ControlPanel + +- [ForceClassicControlPanel](policy-csp-admx-controlpanel.md) +- [DisallowCpls](policy-csp-admx-controlpanel.md) +- [NoControlPanel](policy-csp-admx-controlpanel.md) +- [RestrictCpls](policy-csp-admx-controlpanel.md) + +## ADMX_ControlPanelDisplay + +- [CPL_Display_Disable](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Display_HideSettings](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_EnableScreenSaver](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_SetVisualStyle](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_SetScreenSaver](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_SetTheme](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_ScreenSaverIsSecure](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_NoColorAppearanceUI](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_DisableColorSchemeChoice](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_NoDesktopBackgroundUI](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_NoDesktopIconsUI](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_NoMousePointersUI](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_NoScreenSaverUI](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_NoSoundSchemeUI](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_DisableThemeChange](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_DisableVisualStyle](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_LockFontSize](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_ScreenSaverTimeOut](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_NoLockScreen](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_PersonalColors](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_ForceDefaultLockScreen](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_StartBackground](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_SetTheme](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_NoChangingLockScreen](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_NoChangingStartMenuBackground](policy-csp-admx-controlpaneldisplay.md) + +## ADMX_Cpls + +- [UseDefaultTile](policy-csp-admx-cpls.md) + +## ADMX_CredentialProviders + +- [AllowDomainDelayLock](policy-csp-admx-credentialproviders.md) +- [DefaultCredentialProvider](policy-csp-admx-credentialproviders.md) +- [ExcludedCredentialProviders](policy-csp-admx-credentialproviders.md) + +## ADMX_CredSsp + +- [AllowDefaultCredentials](policy-csp-admx-credssp.md) +- [AllowDefCredentialsWhenNTLMOnly](policy-csp-admx-credssp.md) +- [AllowFreshCredentials](policy-csp-admx-credssp.md) +- [AllowFreshCredentialsWhenNTLMOnly](policy-csp-admx-credssp.md) +- [AllowSavedCredentials](policy-csp-admx-credssp.md) +- [AllowSavedCredentialsWhenNTLMOnly](policy-csp-admx-credssp.md) +- [DenyDefaultCredentials](policy-csp-admx-credssp.md) +- [DenyFreshCredentials](policy-csp-admx-credssp.md) +- [DenySavedCredentials](policy-csp-admx-credssp.md) +- [AllowEncryptionOracle](policy-csp-admx-credssp.md) +- [RestrictedRemoteAdministration](policy-csp-admx-credssp.md) + +## ADMX_CredUI + +- [NoLocalPasswordResetQuestions](policy-csp-admx-credui.md) +- [EnableSecureCredentialPrompting](policy-csp-admx-credui.md) + +## ADMX_CtrlAltDel + +- [DisableChangePassword](policy-csp-admx-ctrlaltdel.md) +- [DisableLockComputer](policy-csp-admx-ctrlaltdel.md) +- [NoLogoff](policy-csp-admx-ctrlaltdel.md) +- [DisableTaskMgr](policy-csp-admx-ctrlaltdel.md) + +## ADMX_DataCollection + +- [CommercialIdPolicy](policy-csp-admx-datacollection.md) + +## ADMX_DCOM + +- [DCOMActivationSecurityCheckAllowLocalList](policy-csp-admx-dcom.md) +- [DCOMActivationSecurityCheckExemptionList](policy-csp-admx-dcom.md) + +## ADMX_Desktop + +- [AD_EnableFilter](policy-csp-admx-desktop.md) +- [AD_HideDirectoryFolder](policy-csp-admx-desktop.md) +- [AD_QueryLimit](policy-csp-admx-desktop.md) +- [sz_AdminComponents_Title](policy-csp-admx-desktop.md) +- [sz_DWP_NoHTMLPaper](policy-csp-admx-desktop.md) +- [Wallpaper](policy-csp-admx-desktop.md) +- [NoActiveDesktop](policy-csp-admx-desktop.md) +- [sz_ATC_NoComponents](policy-csp-admx-desktop.md) +- [ForceActiveDesktopOn](policy-csp-admx-desktop.md) +- [sz_ATC_DisableAdd](policy-csp-admx-desktop.md) +- [NoActiveDesktopChanges](policy-csp-admx-desktop.md) +- [sz_ATC_DisableClose](policy-csp-admx-desktop.md) +- [sz_ATC_DisableDel](policy-csp-admx-desktop.md) +- [sz_ATC_DisableEdit](policy-csp-admx-desktop.md) +- [NoRecentDocsNetHood](policy-csp-admx-desktop.md) +- [NoSaveSettings](policy-csp-admx-desktop.md) +- [NoDesktop](policy-csp-admx-desktop.md) +- [NoInternetIcon](policy-csp-admx-desktop.md) +- [NoNetHood](policy-csp-admx-desktop.md) +- [sz_DB_DragDropClose](policy-csp-admx-desktop.md) +- [sz_DB_Moving](policy-csp-admx-desktop.md) +- [NoMyComputerIcon](policy-csp-admx-desktop.md) +- [NoMyDocumentsIcon](policy-csp-admx-desktop.md) +- [NoPropertiesMyComputer](policy-csp-admx-desktop.md) +- [NoPropertiesMyDocuments](policy-csp-admx-desktop.md) +- [NoRecycleBinProperties](policy-csp-admx-desktop.md) +- [NoRecycleBinIcon](policy-csp-admx-desktop.md) +- [NoDesktopCleanupWizard](policy-csp-admx-desktop.md) +- [NoWindowMinimizingShortcuts](policy-csp-admx-desktop.md) +- [NoDesktop](policy-csp-admx-desktop.md) + +## ADMX_DeviceCompat + +- [DeviceFlags](policy-csp-admx-devicecompat.md) +- [DriverShims](policy-csp-admx-devicecompat.md) + +## ADMX_DeviceGuard + +- [ConfigCIPolicy](policy-csp-admx-deviceguard.md) + +## ADMX_DeviceInstallation + +- [DeviceInstall_InstallTimeout](policy-csp-admx-deviceinstallation.md) +- [DeviceInstall_AllowAdminInstall](policy-csp-admx-deviceinstallation.md) +- [DeviceInstall_DeniedPolicy_SimpleText](policy-csp-admx-deviceinstallation.md) +- [DeviceInstall_DeniedPolicy_DetailText](policy-csp-admx-deviceinstallation.md) +- [DeviceInstall_Removable_Deny](policy-csp-admx-deviceinstallation.md) +- [DeviceInstall_Policy_RebootTime](policy-csp-admx-deviceinstallation.md) +- [DeviceInstall_SystemRestore](policy-csp-admx-deviceinstallation.md) +- [DriverInstall_Classes_AllowUser](policy-csp-admx-deviceinstallation.md) + +## ADMX_DeviceSetup + +- [DriverSearchPlaces_SearchOrderConfiguration](policy-csp-admx-devicesetup.md) +- [DeviceInstall_BalloonTips](policy-csp-admx-devicesetup.md) + +## ADMX_DFS + +- [DFSDiscoverDC](policy-csp-admx-dfs.md) + +## ADMX_DigitalLocker + +- [Digitalx_DiableApplication_TitleText_1](policy-csp-admx-digitallocker.md) +- [Digitalx_DiableApplication_TitleText_2](policy-csp-admx-digitallocker.md) + +## ADMX_DiskDiagnostic + +- [DfdAlertPolicy](policy-csp-admx-diskdiagnostic.md) +- [WdiScenarioExecutionPolicy](policy-csp-admx-diskdiagnostic.md) + +## ADMX_DiskNVCache + +- [BootResumePolicy](policy-csp-admx-disknvcache.md) +- [CachePowerModePolicy](policy-csp-admx-disknvcache.md) +- [FeatureOffPolicy](policy-csp-admx-disknvcache.md) +- [SolidStatePolicy](policy-csp-admx-disknvcache.md) + +## ADMX_DiskQuota + +- [DQ_RemovableMedia](policy-csp-admx-diskquota.md) +- [DQ_Enable](policy-csp-admx-diskquota.md) +- [DQ_Enforce](policy-csp-admx-diskquota.md) +- [DQ_LogEventOverLimit](policy-csp-admx-diskquota.md) +- [DQ_LogEventOverThreshold](policy-csp-admx-diskquota.md) +- [DQ_Limit](policy-csp-admx-diskquota.md) + +## ADMX_DistributedLinkTracking + +- [DLT_AllowDomainMode](policy-csp-admx-distributedlinktracking.md) + +## ADMX_DnsClient + +- [DNS_AppendToMultiLabelName](policy-csp-admx-dnsclient.md) +- [DNS_AllowFQDNNetBiosQueries](policy-csp-admx-dnsclient.md) +- [DNS_Domain](policy-csp-admx-dnsclient.md) +- [DNS_NameServer](policy-csp-admx-dnsclient.md) +- [DNS_SearchList](policy-csp-admx-dnsclient.md) +- [DNS_RegistrationEnabled](policy-csp-admx-dnsclient.md) +- [DNS_IdnMapping](policy-csp-admx-dnsclient.md) +- [DNS_PreferLocalResponsesOverLowerOrderDns](policy-csp-admx-dnsclient.md) +- [DNS_PrimaryDnsSuffix](policy-csp-admx-dnsclient.md) +- [DNS_UseDomainNameDevolution](policy-csp-admx-dnsclient.md) +- [DNS_DomainNameDevolutionLevel](policy-csp-admx-dnsclient.md) +- [DNS_RegisterAdapterName](policy-csp-admx-dnsclient.md) +- [DNS_RegisterReverseLookup](policy-csp-admx-dnsclient.md) +- [DNS_RegistrationRefreshInterval](policy-csp-admx-dnsclient.md) +- [DNS_RegistrationOverwritesInConflict](policy-csp-admx-dnsclient.md) +- [DNS_RegistrationTtl](policy-csp-admx-dnsclient.md) +- [DNS_IdnEncoding](policy-csp-admx-dnsclient.md) +- [Turn_Off_Multicast](policy-csp-admx-dnsclient.md) +- [DNS_SmartMultiHomedNameResolution](policy-csp-admx-dnsclient.md) +- [DNS_SmartProtocolReorder](policy-csp-admx-dnsclient.md) +- [DNS_UpdateSecurityLevel](policy-csp-admx-dnsclient.md) +- [DNS_UpdateTopLevelDomainZones](policy-csp-admx-dnsclient.md) + +## ADMX_DWM + +- [DwmDisallowAnimations_1](policy-csp-admx-dwm.md) +- [DwmDisallowColorizationColorChanges_1](policy-csp-admx-dwm.md) +- [DwmDefaultColorizationColor_1](policy-csp-admx-dwm.md) +- [DwmDisallowAnimations_2](policy-csp-admx-dwm.md) +- [DwmDisallowColorizationColorChanges_2](policy-csp-admx-dwm.md) +- [DwmDefaultColorizationColor_2](policy-csp-admx-dwm.md) + +## ADMX_EAIME + +- [L_DoNotIncludeNonPublishingStandardGlyphInTheCandidateList](policy-csp-admx-eaime.md) +- [L_RestrictCharacterCodeRangeOfConversion](policy-csp-admx-eaime.md) +- [L_TurnOffCustomDictionary](policy-csp-admx-eaime.md) +- [L_TurnOffHistorybasedPredictiveInput](policy-csp-admx-eaime.md) +- [L_TurnOffInternetSearchIntegration](policy-csp-admx-eaime.md) +- [L_TurnOffOpenExtendedDictionary](policy-csp-admx-eaime.md) +- [L_TurnOffSavingAutoTuningDataToFile](policy-csp-admx-eaime.md) +- [L_TurnOnCloudCandidate](policy-csp-admx-eaime.md) +- [L_TurnOnCloudCandidateCHS](policy-csp-admx-eaime.md) +- [L_TurnOnLexiconUpdate](policy-csp-admx-eaime.md) +- [L_TurnOnLiveStickers](policy-csp-admx-eaime.md) +- [L_TurnOnMisconversionLoggingForMisconversionReport](policy-csp-admx-eaime.md) + +## ADMX_EncryptFilesonMove + +- [NoEncryptOnMove](policy-csp-admx-encryptfilesonmove.md) + +## ADMX_EnhancedStorage + +- [RootHubConnectedEnStorDevices](policy-csp-admx-enhancedstorage.md) +- [ApprovedEnStorDevices](policy-csp-admx-enhancedstorage.md) +- [ApprovedSilos](policy-csp-admx-enhancedstorage.md) +- [DisallowLegacyDiskDevices](policy-csp-admx-enhancedstorage.md) +- [DisablePasswordAuthentication](policy-csp-admx-enhancedstorage.md) +- [LockDeviceOnMachineLock](policy-csp-admx-enhancedstorage.md) + +## ADMX_ErrorReporting + +- [WerArchive_1](policy-csp-admx-errorreporting.md) +- [WerQueue_1](policy-csp-admx-errorreporting.md) +- [WerExlusion_1](policy-csp-admx-errorreporting.md) +- [WerAutoApproveOSDumps_1](policy-csp-admx-errorreporting.md) +- [WerDefaultConsent_1](policy-csp-admx-errorreporting.md) +- [WerConsentCustomize_1](policy-csp-admx-errorreporting.md) +- [WerConsentOverride_1](policy-csp-admx-errorreporting.md) +- [WerNoLogging_1](policy-csp-admx-errorreporting.md) +- [WerDisable_1](policy-csp-admx-errorreporting.md) +- [WerNoSecondLevelData_1](policy-csp-admx-errorreporting.md) +- [WerBypassDataThrottling_1](policy-csp-admx-errorreporting.md) +- [WerBypassPowerThrottling_1](policy-csp-admx-errorreporting.md) +- [WerBypassNetworkCostThrottling_1](policy-csp-admx-errorreporting.md) +- [WerCER](policy-csp-admx-errorreporting.md) +- [WerArchive_2](policy-csp-admx-errorreporting.md) +- [WerQueue_2](policy-csp-admx-errorreporting.md) +- [PCH_AllOrNoneDef](policy-csp-admx-errorreporting.md) +- [PCH_AllOrNoneInc](policy-csp-admx-errorreporting.md) +- [WerExlusion_2](policy-csp-admx-errorreporting.md) +- [PCH_AllOrNoneEx](policy-csp-admx-errorreporting.md) +- [PCH_ReportOperatingSystemFaults](policy-csp-admx-errorreporting.md) +- [WerAutoApproveOSDumps_2](policy-csp-admx-errorreporting.md) +- [PCH_ConfigureReport](policy-csp-admx-errorreporting.md) +- [WerDefaultConsent_2](policy-csp-admx-errorreporting.md) +- [WerConsentOverride_2](policy-csp-admx-errorreporting.md) +- [WerNoLogging_2](policy-csp-admx-errorreporting.md) +- [WerBypassDataThrottling_2](policy-csp-admx-errorreporting.md) +- [WerBypassPowerThrottling_2](policy-csp-admx-errorreporting.md) +- [WerBypassNetworkCostThrottling_2](policy-csp-admx-errorreporting.md) + +## ADMX_EventForwarding + +- [ForwarderResourceUsage](policy-csp-admx-eventforwarding.md) +- [SubscriptionManager](policy-csp-admx-eventforwarding.md) + +## ADMX_EventLog + +- [Channel_Log_AutoBackup_1](policy-csp-admx-eventlog.md) +- [Channel_Log_FileLogAccess_1](policy-csp-admx-eventlog.md) +- [Channel_Log_FileLogAccess_5](policy-csp-admx-eventlog.md) +- [Channel_LogFilePath_1](policy-csp-admx-eventlog.md) +- [Channel_Log_AutoBackup_2](policy-csp-admx-eventlog.md) +- [Channel_Log_FileLogAccess_2](policy-csp-admx-eventlog.md) +- [Channel_Log_FileLogAccess_6](policy-csp-admx-eventlog.md) +- [Channel_Log_Retention_2](policy-csp-admx-eventlog.md) +- [Channel_LogFilePath_2](policy-csp-admx-eventlog.md) +- [Channel_Log_AutoBackup_3](policy-csp-admx-eventlog.md) +- [Channel_Log_FileLogAccess_3](policy-csp-admx-eventlog.md) +- [Channel_Log_FileLogAccess_7](policy-csp-admx-eventlog.md) +- [Channel_Log_Retention_3](policy-csp-admx-eventlog.md) +- [Channel_LogFilePath_3](policy-csp-admx-eventlog.md) +- [Channel_LogMaxSize_3](policy-csp-admx-eventlog.md) +- [Channel_LogEnabled](policy-csp-admx-eventlog.md) +- [Channel_Log_AutoBackup_4](policy-csp-admx-eventlog.md) +- [Channel_Log_FileLogAccess_4](policy-csp-admx-eventlog.md) +- [Channel_Log_FileLogAccess_8](policy-csp-admx-eventlog.md) +- [Channel_Log_Retention_4](policy-csp-admx-eventlog.md) +- [Channel_LogFilePath_4](policy-csp-admx-eventlog.md) + +## ADMX_EventLogging + +- [EnableProtectedEventLogging](policy-csp-admx-eventlogging.md) + +## ADMX_EventViewer + +- [EventViewer_RedirectionProgram](policy-csp-admx-eventviewer.md) +- [EventViewer_RedirectionProgramCommandLineParameters](policy-csp-admx-eventviewer.md) +- [EventViewer_RedirectionURL](policy-csp-admx-eventviewer.md) + +## ADMX_Explorer + +- [AlwaysShowClassicMenu](policy-csp-admx-explorer.md) +- [PreventItemCreationInUsersFilesFolder](policy-csp-admx-explorer.md) +- [TurnOffSPIAnimations](policy-csp-admx-explorer.md) +- [DisableRoamedProfileInit](policy-csp-admx-explorer.md) +- [AdminInfoUrl](policy-csp-admx-explorer.md) + +## ADMX_ExternalBoot + +- [PortableOperatingSystem_Hibernate](policy-csp-admx-externalboot.md) +- [PortableOperatingSystem_Sleep](policy-csp-admx-externalboot.md) +- [PortableOperatingSystem_Launcher](policy-csp-admx-externalboot.md) + +## ADMX_FileRecovery + +- [WdiScenarioExecutionPolicy](policy-csp-admx-filerecovery.md) + +## ADMX_FileRevocation + +- [DelegatedPackageFamilyNames](policy-csp-admx-filerevocation.md) + +## ADMX_FileServerVSSProvider + +- [Pol_EncryptProtocol](policy-csp-admx-fileservervssprovider.md) + +## ADMX_FileSys + +- [DisableDeleteNotification](policy-csp-admx-filesys.md) +- [LongPathsEnabled](policy-csp-admx-filesys.md) +- [DisableCompression](policy-csp-admx-filesys.md) +- [DisableEncryption](policy-csp-admx-filesys.md) +- [TxfDeprecatedFunctionality](policy-csp-admx-filesys.md) +- [EnablePagefileEncryption](policy-csp-admx-filesys.md) +- [ShortNameCreationSettings](policy-csp-admx-filesys.md) +- [SymlinkEvaluation](policy-csp-admx-filesys.md) + +## ADMX_FolderRedirection + +- [DisableFRAdminPin](policy-csp-admx-folderredirection.md) +- [DisableFRAdminPinByFolder](policy-csp-admx-folderredirection.md) +- [FolderRedirectionEnableCacheRename](policy-csp-admx-folderredirection.md) +- [PrimaryComputer_FR_1](policy-csp-admx-folderredirection.md) +- [LocalizeXPRelativePaths_1](policy-csp-admx-folderredirection.md) +- [PrimaryComputer_FR_2](policy-csp-admx-folderredirection.md) +- [LocalizeXPRelativePaths_2](policy-csp-admx-folderredirection.md) + +## ADMX_FramePanes + +- [NoReadingPane](policy-csp-admx-framepanes.md) +- [NoPreviewPane](policy-csp-admx-framepanes.md) + +## ADMX_fthsvc + +- [WdiScenarioExecutionPolicy](policy-csp-admx-fthsvc.md) + +## ADMX_Globalization + +- [ImplicitDataCollectionOff_1](policy-csp-admx-globalization.md) +- [HideAdminOptions](policy-csp-admx-globalization.md) +- [HideCurrentLocation](policy-csp-admx-globalization.md) +- [HideLanguageSelection](policy-csp-admx-globalization.md) +- [HideLocaleSelectAndCustomize](policy-csp-admx-globalization.md) +- [RestrictUILangSelect](policy-csp-admx-globalization.md) +- [LockUserUILanguage](policy-csp-admx-globalization.md) +- [TurnOffAutocorrectMisspelledWords](policy-csp-admx-globalization.md) +- [TurnOffHighlightMisspelledWords](policy-csp-admx-globalization.md) +- [TurnOffInsertSpace](policy-csp-admx-globalization.md) +- [TurnOffOfferTextPredictions](policy-csp-admx-globalization.md) +- [Y2K](policy-csp-admx-globalization.md) +- [PreventGeoIdChange_1](policy-csp-admx-globalization.md) +- [CustomLocalesNoSelect_1](policy-csp-admx-globalization.md) +- [PreventUserOverrides_1](policy-csp-admx-globalization.md) +- [LocaleUserRestrict_1](policy-csp-admx-globalization.md) +- [ImplicitDataCollectionOff_2](policy-csp-admx-globalization.md) +- [LockMachineUILanguage](policy-csp-admx-globalization.md) +- [PreventGeoIdChange_2](policy-csp-admx-globalization.md) +- [BlockUserInputMethodsForSignIn](policy-csp-admx-globalization.md) +- [CustomLocalesNoSelect_2](policy-csp-admx-globalization.md) +- [PreventUserOverrides_2](policy-csp-admx-globalization.md) +- [LocaleSystemRestrict](policy-csp-admx-globalization.md) +- [LocaleUserRestrict_2](policy-csp-admx-globalization.md) + +## ADMX_GroupPolicy + +- [GPDCOptions](policy-csp-admx-grouppolicy.md) +- [GPTransferRate_1](policy-csp-admx-grouppolicy.md) +- [NewGPOLinksDisabled](policy-csp-admx-grouppolicy.md) +- [DenyRsopToInteractiveUser_1](policy-csp-admx-grouppolicy.md) +- [EnforcePoliciesOnly](policy-csp-admx-grouppolicy.md) +- [NewGPODisplayName](policy-csp-admx-grouppolicy.md) +- [GroupPolicyRefreshRateUser](policy-csp-admx-grouppolicy.md) +- [DisableAutoADMUpdate](policy-csp-admx-grouppolicy.md) +- [ProcessMitigationOptions](policy-csp-admx-grouppolicy.md) +- [AllowX-ForestPolicy-and-RUP](policy-csp-admx-grouppolicy.md) +- [OnlyUseLocalAdminFiles](policy-csp-admx-grouppolicy.md) +- [SlowlinkDefaultToAsync](policy-csp-admx-grouppolicy.md) +- [SlowLinkDefaultForDirectAccess](policy-csp-admx-grouppolicy.md) +- [CSE_DiskQuota](policy-csp-admx-grouppolicy.md) +- [CSE_EFSRecovery](policy-csp-admx-grouppolicy.md) +- [CSE_FolderRedirection](policy-csp-admx-grouppolicy.md) +- [EnableLogonOptimization](policy-csp-admx-grouppolicy.md) +- [GPTransferRate_2](policy-csp-admx-grouppolicy.md) +- [CSE_IEM](policy-csp-admx-grouppolicy.md) +- [CSE_IPSecurity](policy-csp-admx-grouppolicy.md) +- [LogonScriptDelay](policy-csp-admx-grouppolicy.md) +- [CSE_Registry](policy-csp-admx-grouppolicy.md) +- [CSE_Scripts](policy-csp-admx-grouppolicy.md) +- [CSE_Security](policy-csp-admx-grouppolicy.md) +- [CSE_AppMgmt](policy-csp-admx-grouppolicy.md) +- [UserPolicyMode](policy-csp-admx-grouppolicy.md) +- [CSE_Wired](policy-csp-admx-grouppolicy.md) +- [CSE_Wireless](policy-csp-admx-grouppolicy.md) +- [EnableCDP](policy-csp-admx-grouppolicy.md) +- [DenyRsopToInteractiveUser_2](policy-csp-admx-grouppolicy.md) +- [ResetDfsClientInfoDuringRefreshPolicy](policy-csp-admx-grouppolicy.md) +- [EnableLogonOptimizationOnServerSKU](policy-csp-admx-grouppolicy.md) +- [EnableMMX](policy-csp-admx-grouppolicy.md) +- [DisableUsersFromMachGP](policy-csp-admx-grouppolicy.md) +- [GroupPolicyRefreshRate](policy-csp-admx-grouppolicy.md) +- [GroupPolicyRefreshRateDC](policy-csp-admx-grouppolicy.md) +- [SyncWaitTime](policy-csp-admx-grouppolicy.md) +- [CorpConnSyncWaitTime](policy-csp-admx-grouppolicy.md) +- [DisableBackgroundPolicy](policy-csp-admx-grouppolicy.md) +- [DisableAOACProcessing](policy-csp-admx-grouppolicy.md) +- [DisableLGPOProcessing](policy-csp-admx-grouppolicy.md) +- [RSoPLogging](policy-csp-admx-grouppolicy.md) +- [ProcessMitigationOptions](policy-csp-admx-grouppolicy.md) +- [FontMitigation](policy-csp-admx-grouppolicy.md) + +## ADMX_Help + +- [RestrictRunFromHelp](policy-csp-admx-help.md) +- [HelpQualifiedRootDir_Comp](policy-csp-admx-help.md) +- [RestrictRunFromHelp_Comp](policy-csp-admx-help.md) +- [DisableHHDEP](policy-csp-admx-help.md) + +## ADMX_HelpAndSupport + +- [HPImplicitFeedback](policy-csp-admx-helpandsupport.md) +- [HPExplicitFeedback](policy-csp-admx-helpandsupport.md) +- [HPOnlineAssistance](policy-csp-admx-helpandsupport.md) +- [ActiveHelp](policy-csp-admx-helpandsupport.md) + +## ADMX_hotspotauth + +- [HotspotAuth_Enable](policy-csp-admx-hotspotauth.md) + +## ADMX_ICM + +- [ShellNoUseStoreOpenWith_1](policy-csp-admx-icm.md) +- [DisableWebPnPDownload_1](policy-csp-admx-icm.md) +- [ShellPreventWPWDownload_1](policy-csp-admx-icm.md) +- [ShellNoUseInternetOpenWith_1](policy-csp-admx-icm.md) +- [DisableHTTPPrinting_1](policy-csp-admx-icm.md) +- [ShellRemoveOrderPrints_1](policy-csp-admx-icm.md) +- [ShellRemovePublishToWeb_1](policy-csp-admx-icm.md) +- [WinMSG_NoInstrumentation_1](policy-csp-admx-icm.md) +- [InternetManagement_RestrictCommunication_1](policy-csp-admx-icm.md) +- [RemoveWindowsUpdate_ICM](policy-csp-admx-icm.md) +- [ShellNoUseStoreOpenWith_2](policy-csp-admx-icm.md) +- [CertMgr_DisableAutoRootUpdates](policy-csp-admx-icm.md) +- [EventViewer_DisableLinks](policy-csp-admx-icm.md) +- [HSS_HeadlinesPolicy](policy-csp-admx-icm.md) +- [HSS_KBSearchPolicy](policy-csp-admx-icm.md) +- [NC_ExitOnISP](policy-csp-admx-icm.md) +- [ShellNoUseInternetOpenWith_2](policy-csp-admx-icm.md) +- [NC_NoRegistration](policy-csp-admx-icm.md) +- [SearchCompanion_DisableFileUpdates](policy-csp-admx-icm.md) +- [ShellRemoveOrderPrints_2](policy-csp-admx-icm.md) +- [ShellRemovePublishToWeb_2](policy-csp-admx-icm.md) +- [WinMSG_NoInstrumentation_2](policy-csp-admx-icm.md) +- [CEIPEnable](policy-csp-admx-icm.md) +- [PCH_DoNotReport](policy-csp-admx-icm.md) +- [DriverSearchPlaces_DontSearchWindowsUpdate](policy-csp-admx-icm.md) +- [InternetManagement_RestrictCommunication_2](policy-csp-admx-icm.md) + +## ADMX_IIS + +- [PreventIISInstall](policy-csp-admx-iis.md) + +## ADMX_iSCSI + +- [iSCSIGeneral_RestrictAdditionalLogins](policy-csp-admx-iscsi.md) +- [iSCSIGeneral_ChangeIQNName](policy-csp-admx-iscsi.md) +- [iSCSISecurity_ChangeCHAPSecret](policy-csp-admx-iscsi.md) +- [iSCSISecurity_RequireIPSec](policy-csp-admx-iscsi.md) +- [iSCSISecurity_RequireMutualCHAP](policy-csp-admx-iscsi.md) +- [iSCSISecurity_RequireOneWayCHAP](policy-csp-admx-iscsi.md) +- [iSCSIDiscovery_NewStaticTargets](policy-csp-admx-iscsi.md) +- [iSCSIDiscovery_ConfigureTargets](policy-csp-admx-iscsi.md) +- [iSCSIDiscovery_ConfigureiSNSServers](policy-csp-admx-iscsi.md) +- [iSCSIDiscovery_ConfigureTargetPortals](policy-csp-admx-iscsi.md) + +## ADMX_kdc + +- [CbacAndArmor](policy-csp-admx-kdc.md) +- [PKINITFreshness](policy-csp-admx-kdc.md) +- [emitlili](policy-csp-admx-kdc.md) +- [RequestCompoundId](policy-csp-admx-kdc.md) +- [ForestSearch](policy-csp-admx-kdc.md) +- [TicketSizeThreshold](policy-csp-admx-kdc.md) + +## ADMX_Kerberos + +- [AlwaysSendCompoundId](policy-csp-admx-kerberos.md) +- [HostToRealm](policy-csp-admx-kerberos.md) +- [MitRealms](policy-csp-admx-kerberos.md) +- [KdcProxyDisableServerRevocationCheck](policy-csp-admx-kerberos.md) +- [StrictTarget](policy-csp-admx-kerberos.md) +- [KdcProxyServer](policy-csp-admx-kerberos.md) +- [ServerAcceptsCompound](policy-csp-admx-kerberos.md) +- [DevicePKInitEnabled](policy-csp-admx-kerberos.md) + +## ADMX_LanmanServer + +- [Pol_CipherSuiteOrder](policy-csp-admx-lanmanserver.md) +- [Pol_HashPublication](policy-csp-admx-lanmanserver.md) +- [Pol_HashSupportVersion](policy-csp-admx-lanmanserver.md) +- [Pol_HonorCipherSuiteOrder](policy-csp-admx-lanmanserver.md) + +## ADMX_LanmanWorkstation + +- [Pol_CipherSuiteOrder](policy-csp-admx-lanmanworkstation.md) +- [Pol_EnableHandleCachingForCAFiles](policy-csp-admx-lanmanworkstation.md) +- [Pol_EnableOfflineFilesforCAShares](policy-csp-admx-lanmanworkstation.md) + +## ADMX_LeakDiagnostic + +- [WdiScenarioExecutionPolicy](policy-csp-admx-leakdiagnostic.md) + +## ADMX_LinkLayerTopologyDiscovery + +- [LLTD_EnableLLTDIO](policy-csp-admx-linklayertopologydiscovery.md) +- [LLTD_EnableRspndr](policy-csp-admx-linklayertopologydiscovery.md) + +## ADMX_LocationProviderAdm + +- [DisableWindowsLocationProvider_1](policy-csp-admx-locationprovideradm.md) + +## ADMX_Logon + +- [NoWelcomeTips_1](policy-csp-admx-logon.md) +- [DisableExplorerRunLegacy_1](policy-csp-admx-logon.md) +- [DisableExplorerRunOnceLegacy_1](policy-csp-admx-logon.md) +- [Run_1](policy-csp-admx-logon.md) +- [VerboseStatus](policy-csp-admx-logon.md) +- [UseOEMBackground](policy-csp-admx-logon.md) +- [SyncForegroundPolicy](policy-csp-admx-logon.md) +- [BlockUserFromShowingAccountDetailsOnSignin](policy-csp-admx-logon.md) +- [NoWelcomeTips_2](policy-csp-admx-logon.md) +- [DontEnumerateConnectedUsers](policy-csp-admx-logon.md) +- [DisableExplorerRunLegacy_2](policy-csp-admx-logon.md) +- [DisableExplorerRunOnceLegacy_2](policy-csp-admx-logon.md) +- [Run_2](policy-csp-admx-logon.md) +- [DisableAcrylicBackgroundOnLogon](policy-csp-admx-logon.md) +- [DisableStatusMessages](policy-csp-admx-logon.md) + +## ADMX_MicrosoftDefenderAntivirus + +- [ServiceKeepAlive](policy-csp-admx-microsoftdefenderantivirus.md) +- [AllowFastServiceStartup](policy-csp-admx-microsoftdefenderantivirus.md) +- [UX_Configuration_CustomDefaultActionToastString](policy-csp-admx-microsoftdefenderantivirus.md) +- [UX_Configuration_UILockdown](policy-csp-admx-microsoftdefenderantivirus.md) +- [UX_Configuration_Notification_Suppress](policy-csp-admx-microsoftdefenderantivirus.md) +- [UX_Configuration_SuppressRebootNotification](policy-csp-admx-microsoftdefenderantivirus.md) +- [DisableLocalAdminMerge](policy-csp-admx-microsoftdefenderantivirus.md) +- [ProxyBypass](policy-csp-admx-microsoftdefenderantivirus.md) +- [ProxyPacUrl](policy-csp-admx-microsoftdefenderantivirus.md) +- [ProxyServer](policy-csp-admx-microsoftdefenderantivirus.md) +- [Exclusions_Extensions](policy-csp-admx-microsoftdefenderantivirus.md) +- [Exclusions_Paths](policy-csp-admx-microsoftdefenderantivirus.md) +- [Exclusions_Processes](policy-csp-admx-microsoftdefenderantivirus.md) +- [DisableAutoExclusions](policy-csp-admx-microsoftdefenderantivirus.md) +- [Spynet_LocalSettingOverrideSpynetReporting](policy-csp-admx-microsoftdefenderantivirus.md) +- [DisableBlockAtFirstSeen](policy-csp-admx-microsoftdefenderantivirus.md) +- [SpynetReporting](policy-csp-admx-microsoftdefenderantivirus.md) +- [ExploitGuard_ASR_Rules](policy-csp-admx-microsoftdefenderantivirus.md) +- [ExploitGuard_ASR_ASROnlyExclusions](policy-csp-admx-microsoftdefenderantivirus.md) +- [ExploitGuard_ControlledFolderAccess_AllowedApplications](policy-csp-admx-microsoftdefenderantivirus.md) +- [ExploitGuard_ControlledFolderAccess_ProtectedFolders](policy-csp-admx-microsoftdefenderantivirus.md) +- [MpEngine_EnableFileHashComputation](policy-csp-admx-microsoftdefenderantivirus.md) +- [Nis_Consumers_IPS_sku_differentiation_Signature_Set_Guid](policy-csp-admx-microsoftdefenderantivirus.md) +- [Nis_Consumers_IPS_DisableSignatureRetirement](policy-csp-admx-microsoftdefenderantivirus.md) +- [Nis_DisableProtocolRecognition](policy-csp-admx-microsoftdefenderantivirus.md) +- [Quarantine_LocalSettingOverridePurgeItemsAfterDelay](policy-csp-admx-microsoftdefenderantivirus.md) +- [Quarantine_PurgeItemsAfterDelay](policy-csp-admx-microsoftdefenderantivirus.md) +- [RandomizeScheduleTaskTimes](policy-csp-admx-microsoftdefenderantivirus.md) +- [RealtimeProtection_LocalSettingOverrideDisableOnAccessProtection](policy-csp-admx-microsoftdefenderantivirus.md) +- [RealtimeProtection_LocalSettingOverrideRealtimeScanDirection](policy-csp-admx-microsoftdefenderantivirus.md) +- [RealtimeProtection_LocalSettingOverrideDisableIOAVProtection](policy-csp-admx-microsoftdefenderantivirus.md) +- [RealtimeProtection_LocalSettingOverrideDisableBehaviorMonitoring](policy-csp-admx-microsoftdefenderantivirus.md) +- [RealtimeProtection_LocalSettingOverrideDisableRealtimeMonitoring](policy-csp-admx-microsoftdefenderantivirus.md) +- [RealtimeProtection_IOAVMaxSize](policy-csp-admx-microsoftdefenderantivirus.md) +- [RealtimeProtection_DisableOnAccessProtection](policy-csp-admx-microsoftdefenderantivirus.md) +- [RealtimeProtection_DisableIOAVProtection](policy-csp-admx-microsoftdefenderantivirus.md) +- [DisableRealtimeMonitoring](policy-csp-admx-microsoftdefenderantivirus.md) +- [RealtimeProtection_DisableBehaviorMonitoring](policy-csp-admx-microsoftdefenderantivirus.md) +- [RealtimeProtection_DisableScanOnRealtimeEnable](policy-csp-admx-microsoftdefenderantivirus.md) +- [RealtimeProtection_DisableRawWriteNotification](policy-csp-admx-microsoftdefenderantivirus.md) +- [Remediation_LocalSettingOverrideScan_ScheduleTime](policy-csp-admx-microsoftdefenderantivirus.md) +- [Remediation_Scan_ScheduleDay](policy-csp-admx-microsoftdefenderantivirus.md) +- [Remediation_Scan_ScheduleTime](policy-csp-admx-microsoftdefenderantivirus.md) +- [Reporting_CriticalFailureTimeout](policy-csp-admx-microsoftdefenderantivirus.md) +- [Reporting_NonCriticalTimeout](policy-csp-admx-microsoftdefenderantivirus.md) +- [Reporting_RecentlyCleanedTimeout](policy-csp-admx-microsoftdefenderantivirus.md) +- [Reporting_AdditionalActionTimeout](policy-csp-admx-microsoftdefenderantivirus.md) +- [Reporting_DisablegenericrePorts](policy-csp-admx-microsoftdefenderantivirus.md) +- [Reporting_WppTracingComponents](policy-csp-admx-microsoftdefenderantivirus.md) +- [Reporting_WppTracingLevel](policy-csp-admx-microsoftdefenderantivirus.md) +- [Reporting_DisableEnhancedNotifications](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_AllowPause](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_LocalSettingOverrideAvgCPULoadFactor](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_LocalSettingOverrideScheduleDay](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_LocalSettingOverrideScheduleQuickScantime](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_LocalSettingOverrideScheduleTime](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_LocalSettingOverrideScanParameters](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_LowCpuPriority](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_DisableRestorePoint](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_MissedScheduledScanCountBeforeCatchup](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_DisableScanningMappedNetworkDrivesForFullScan](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_DisableArchiveScanning](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_DisableScanningNetworkFiles](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_DisablePackedExeScanning](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_DisableRemovableDriveScanning](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_ScheduleDay](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_QuickScanInterval](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_ArchiveMaxDepth](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_ArchiveMaxSize](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_ScheduleTime](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_ScanOnlyIfIdle](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_DisableEmailScanning](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_DisableHeuristics](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_PurgeItemsAfterDelay](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_DisableReparsePointScanning](policy-csp-admx-microsoftdefenderantivirus.md) +- [SignatureUpdate_SignatureDisableNotification](policy-csp-admx-microsoftdefenderantivirus.md) +- [SignatureUpdate_RealtimeSignatureDelivery](policy-csp-admx-microsoftdefenderantivirus.md) +- [SignatureUpdate_ForceUpdateFromMU](policy-csp-admx-microsoftdefenderantivirus.md) +- [SignatureUpdate_DisableScheduledSignatureUpdateonBattery](policy-csp-admx-microsoftdefenderantivirus.md) +- [SignatureUpdate_UpdateOnStartup](policy-csp-admx-microsoftdefenderantivirus.md) +- [SignatureUpdate_DefinitionUpdateFileSharesSources](policy-csp-admx-microsoftdefenderantivirus.md) +- [SignatureUpdate_SharedSignaturesLocation](policy-csp-admx-microsoftdefenderantivirus.md) +- [SignatureUpdate_SignatureUpdateCatchupInterval](policy-csp-admx-microsoftdefenderantivirus.md) +- [SignatureUpdate_ASSignatureDue](policy-csp-admx-microsoftdefenderantivirus.md) +- [SignatureUpdate_AVSignatureDue](policy-csp-admx-microsoftdefenderantivirus.md) +- [SignatureUpdate_FallbackOrder](policy-csp-admx-microsoftdefenderantivirus.md) +- [SignatureUpdate_DisableUpdateOnStartupWithoutEngine](policy-csp-admx-microsoftdefenderantivirus.md) +- [SignatureUpdate_ScheduleDay](policy-csp-admx-microsoftdefenderantivirus.md) +- [SignatureUpdate_ScheduleTime](policy-csp-admx-microsoftdefenderantivirus.md) +- [SignatureUpdate_DisableScanOnUpdate](policy-csp-admx-microsoftdefenderantivirus.md) +- [Threats_ThreatIdDefaultAction](policy-csp-admx-microsoftdefenderantivirus.md) +- [DisableAntiSpywareDefender](policy-csp-admx-microsoftdefenderantivirus.md) +- [DisableRoutinelyTakingAction](policy-csp-admx-microsoftdefenderantivirus.md) + +## ADMX_MMC + +- [MMC_Restrict_Author](policy-csp-admx-mmc.md) +- [MMC_Restrict_To_Permitted_Snapins](policy-csp-admx-mmc.md) +- [MMC_ActiveXControl](policy-csp-admx-mmc.md) +- [MMC_ExtendView](policy-csp-admx-mmc.md) +- [MMC_LinkToWeb](policy-csp-admx-mmc.md) + +## ADMX_MMCSnapins + +- [MMC_Net_Framework](policy-csp-admx-mmcsnapins.md) +- [MMC_ActiveDirDomTrusts](policy-csp-admx-mmcsnapins.md) +- [MMC_ActiveDirSitesServices](policy-csp-admx-mmcsnapins.md) +- [MMC_ActiveDirUsersComp](policy-csp-admx-mmcsnapins.md) +- [MMC_ADSI](policy-csp-admx-mmcsnapins.md) +- [MMC_CertsTemplate](policy-csp-admx-mmcsnapins.md) +- [MMC_Certs](policy-csp-admx-mmcsnapins.md) +- [MMC_CertAuth](policy-csp-admx-mmcsnapins.md) +- [MMC_ComponentServices](policy-csp-admx-mmcsnapins.md) +- [MMC_ComputerManagement](policy-csp-admx-mmcsnapins.md) +- [MMC_DeviceManager_2](policy-csp-admx-mmcsnapins.md) +- [MMC_DiskDefrag](policy-csp-admx-mmcsnapins.md) +- [MMC_DiskMgmt](policy-csp-admx-mmcsnapins.md) +- [MMC_DFS](policy-csp-admx-mmcsnapins.md) +- [MMC_EnterprisePKI](policy-csp-admx-mmcsnapins.md) +- [MMC_EventViewer_3](policy-csp-admx-mmcsnapins.md) +- [MMC_EventViewer_4](policy-csp-admx-mmcsnapins.md) +- [MMC_AppleTalkRouting](policy-csp-admx-mmcsnapins.md) +- [MMC_AuthMan](policy-csp-admx-mmcsnapins.md) +- [MMC_CertAuthPolSet](policy-csp-admx-mmcsnapins.md) +- [MMC_ConnectionSharingNAT](policy-csp-admx-mmcsnapins.md) +- [MMC_DCOMCFG](policy-csp-admx-mmcsnapins.md) +- [MMC_DeviceManager_1](policy-csp-admx-mmcsnapins.md) +- [MMC_DHCPRelayMgmt](policy-csp-admx-mmcsnapins.md) +- [MMC_EventViewer_1](policy-csp-admx-mmcsnapins.md) +- [MMC_EventViewer_2](policy-csp-admx-mmcsnapins.md) +- [MMC_IASLogging](policy-csp-admx-mmcsnapins.md) +- [MMC_IGMPRouting](policy-csp-admx-mmcsnapins.md) +- [MMC_IPRouting](policy-csp-admx-mmcsnapins.md) +- [MMC_IPXRIPRouting](policy-csp-admx-mmcsnapins.md) +- [MMC_IPXRouting](policy-csp-admx-mmcsnapins.md) +- [MMC_IPXSAPRouting](policy-csp-admx-mmcsnapins.md) +- [MMC_LogicalMappedDrives](policy-csp-admx-mmcsnapins.md) +- [MMC_OSPFRouting](policy-csp-admx-mmcsnapins.md) +- [MMC_PublicKey](policy-csp-admx-mmcsnapins.md) +- [MMC_RAS_DialinUser](policy-csp-admx-mmcsnapins.md) +- [MMC_RemoteAccess](policy-csp-admx-mmcsnapins.md) +- [MMC_RemStore](policy-csp-admx-mmcsnapins.md) +- [MMC_RIPRouting](policy-csp-admx-mmcsnapins.md) +- [MMC_Routing](policy-csp-admx-mmcsnapins.md) +- [MMC_SendConsoleMessage](policy-csp-admx-mmcsnapins.md) +- [MMC_ServiceDependencies](policy-csp-admx-mmcsnapins.md) +- [MMC_SharedFolders_Ext](policy-csp-admx-mmcsnapins.md) +- [MMC_SMTPProtocol](policy-csp-admx-mmcsnapins.md) +- [MMC_SNMP](policy-csp-admx-mmcsnapins.md) +- [MMC_SysProp](policy-csp-admx-mmcsnapins.md) +- [MMC_FailoverClusters](policy-csp-admx-mmcsnapins.md) +- [MMC_FAXService](policy-csp-admx-mmcsnapins.md) +- [MMC_FrontPageExt](policy-csp-admx-mmcsnapins.md) +- [MMC_GroupPolicyManagementSnapIn](policy-csp-admx-mmcsnapins.md) +- [MMC_GroupPolicySnapIn](policy-csp-admx-mmcsnapins.md) +- [MMC_ADMComputers_1](policy-csp-admx-mmcsnapins.md) +- [MMC_ADMUsers_1](policy-csp-admx-mmcsnapins.md) +- [MMC_FolderRedirection_1](policy-csp-admx-mmcsnapins.md) +- [MMC_IEMaintenance_1](policy-csp-admx-mmcsnapins.md) +- [MMC_IPSecManage_GP](policy-csp-admx-mmcsnapins.md) +- [MMC_NapSnap_GP](policy-csp-admx-mmcsnapins.md) +- [MMC_RIS](policy-csp-admx-mmcsnapins.md) +- [MMC_ScriptsUser_1](policy-csp-admx-mmcsnapins.md) +- [MMC_ScriptsMachine_1](policy-csp-admx-mmcsnapins.md) +- [MMC_SecuritySettings_1](policy-csp-admx-mmcsnapins.md) +- [MMC_SoftwareInstalationComputers_1](policy-csp-admx-mmcsnapins.md) +- [MMC_SoftwareInstallationUsers_1](policy-csp-admx-mmcsnapins.md) +- [MMC_WindowsFirewall_GP](policy-csp-admx-mmcsnapins.md) +- [MMC_WiredNetworkPolicy](policy-csp-admx-mmcsnapins.md) +- [MMC_WirelessNetworkPolicy](policy-csp-admx-mmcsnapins.md) +- [MMC_GroupPolicyTab](policy-csp-admx-mmcsnapins.md) +- [MMC_ResultantSetOfPolicySnapIn](policy-csp-admx-mmcsnapins.md) +- [MMC_ADMComputers_2](policy-csp-admx-mmcsnapins.md) +- [MMC_ADMUsers_2](policy-csp-admx-mmcsnapins.md) +- [MMC_FolderRedirection_2](policy-csp-admx-mmcsnapins.md) +- [MMC_IEMaintenance_2](policy-csp-admx-mmcsnapins.md) +- [MMC_ScriptsUser_2](policy-csp-admx-mmcsnapins.md) +- [MMC_ScriptsMachine_2](policy-csp-admx-mmcsnapins.md) +- [MMC_SecuritySettings_2](policy-csp-admx-mmcsnapins.md) +- [MMC_SoftwareInstalationComputers_2](policy-csp-admx-mmcsnapins.md) +- [MMC_SoftwareInstallationUsers_2](policy-csp-admx-mmcsnapins.md) +- [MMC_HRA](policy-csp-admx-mmcsnapins.md) +- [MMC_IndexingService](policy-csp-admx-mmcsnapins.md) +- [MMC_IAS](policy-csp-admx-mmcsnapins.md) +- [MMC_IIS](policy-csp-admx-mmcsnapins.md) +- [MMC_IpSecMonitor](policy-csp-admx-mmcsnapins.md) +- [MMC_IpSecManage](policy-csp-admx-mmcsnapins.md) +- [MMC_LocalUsersGroups](policy-csp-admx-mmcsnapins.md) +- [MMC_NapSnap](policy-csp-admx-mmcsnapins.md) +- [MMC_NPSUI](policy-csp-admx-mmcsnapins.md) +- [MMC_OCSP](policy-csp-admx-mmcsnapins.md) +- [MMC_PerfLogsAlerts](policy-csp-admx-mmcsnapins.md) +- [MMC_QoSAdmission](policy-csp-admx-mmcsnapins.md) +- [MMC_TerminalServices](policy-csp-admx-mmcsnapins.md) +- [MMC_RemoteDesktop](policy-csp-admx-mmcsnapins.md) +- [MMC_RSM](policy-csp-admx-mmcsnapins.md) +- [MMC_RRA](policy-csp-admx-mmcsnapins.md) +- [MMC_SCA](policy-csp-admx-mmcsnapins.md) +- [MMC_SecurityTemplates](policy-csp-admx-mmcsnapins.md) +- [MMC_ServerManager](policy-csp-admx-mmcsnapins.md) +- [MMC_Services](policy-csp-admx-mmcsnapins.md) +- [MMC_SharedFolders](policy-csp-admx-mmcsnapins.md) +- [MMC_SysInfo](policy-csp-admx-mmcsnapins.md) +- [MMC_Telephony](policy-csp-admx-mmcsnapins.md) +- [MMC_TPMManagement](policy-csp-admx-mmcsnapins.md) +- [MMC_WindowsFirewall](policy-csp-admx-mmcsnapins.md) +- [MMC_WirelessMon](policy-csp-admx-mmcsnapins.md) +- [MMC_WMI](policy-csp-admx-mmcsnapins.md) + +## ADMX_MobilePCMobilityCenter + +- [MobilityCenterEnable_1](policy-csp-admx-mobilepcmobilitycenter.md) +- [MobilityCenterEnable_2](policy-csp-admx-mobilepcmobilitycenter.md) + +## ADMX_MobilePCPresentationSettings + +- [PresentationSettingsEnable_1](policy-csp-admx-mobilepcpresentationsettings.md) +- [PresentationSettingsEnable_2](policy-csp-admx-mobilepcpresentationsettings.md) + +## ADMX_MSAPolicy + +- [MicrosoftAccount_DisableUserAuth](policy-csp-admx-msapolicy.md) + +## ADMX_msched + +- [ActivationBoundaryPolicy](policy-csp-admx-msched.md) +- [RandomDelayPolicy](policy-csp-admx-msched.md) + +## ADMX_MSDT + +- [WdiScenarioExecutionPolicy](policy-csp-admx-msdt.md) +- [MsdtToolDownloadPolicy](policy-csp-admx-msdt.md) +- [MsdtSupportProvider](policy-csp-admx-msdt.md) + +## ADMX_MSI + +- [DisableMedia](policy-csp-admx-msi.md) +- [DisableRollback_1](policy-csp-admx-msi.md) +- [SearchOrder](policy-csp-admx-msi.md) +- [AllowLockdownBrowse](policy-csp-admx-msi.md) +- [AllowLockdownPatch](policy-csp-admx-msi.md) +- [AllowLockdownMedia](policy-csp-admx-msi.md) +- [MSI_MaxPatchCacheSize](policy-csp-admx-msi.md) +- [MSI_EnforceUpgradeComponentRules](policy-csp-admx-msi.md) +- [MsiDisableEmbeddedUI](policy-csp-admx-msi.md) +- [SafeForScripting](policy-csp-admx-msi.md) +- [DisablePatch](policy-csp-admx-msi.md) +- [DisableFlyweightPatching](policy-csp-admx-msi.md) +- [MSI_DisableLUAPatching](policy-csp-admx-msi.md) +- [MSI_DisablePatchUninstall](policy-csp-admx-msi.md) +- [DisableRollback_2](policy-csp-admx-msi.md) +- [DisableAutomaticApplicationShutdown](policy-csp-admx-msi.md) +- [MSI_DisableUserInstalls](policy-csp-admx-msi.md) +- [DisableBrowse](policy-csp-admx-msi.md) +- [TransformsSecure](policy-csp-admx-msi.md) +- [MSILogging](policy-csp-admx-msi.md) +- [MSI_DisableSRCheckPoints](policy-csp-admx-msi.md) +- [DisableLoggingFromPackage](policy-csp-admx-msi.md) +- [DisableSharedComponent](policy-csp-admx-msi.md) +- [DisableMSI](policy-csp-admx-msi.md) + +## ADMX_MsiFileRecovery + +- [WdiScenarioExecutionPolicy](policy-csp-admx-msifilerecovery.md) + +## ADMX_MSS-legacy + +- [Pol_MSS_AutoAdminLogon](policy-csp-admx-mss-legacy.md) +- [Pol_MSS_AutoReboot](policy-csp-admx-mss-legacy.md) +- [Pol_MSS_AutoShareServer](policy-csp-admx-mss-legacy.md) +- [Pol_MSS_AutoShareWks](policy-csp-admx-mss-legacy.md) +- [Pol_MSS_DisableSavePassword](policy-csp-admx-mss-legacy.md) +- [Pol_MSS_EnableDeadGWDetect](policy-csp-admx-mss-legacy.md) +- [Pol_MSS_HideFromBrowseList](policy-csp-admx-mss-legacy.md) +- [Pol_MSS_KeepAliveTime](policy-csp-admx-mss-legacy.md) +- [Pol_MSS_NoDefaultExempt](policy-csp-admx-mss-legacy.md) +- [Pol_MSS_NtfsDisable8dot3NameCreation](policy-csp-admx-mss-legacy.md) +- [Pol_MSS_PerformRouterDiscovery](policy-csp-admx-mss-legacy.md) +- [Pol_MSS_SafeDllSearchMode](policy-csp-admx-mss-legacy.md) +- [Pol_MSS_ScreenSaverGracePeriod](policy-csp-admx-mss-legacy.md) +- [Pol_MSS_SynAttackProtect](policy-csp-admx-mss-legacy.md) +- [Pol_MSS_TcpMaxConnectResponseRetransmissions](policy-csp-admx-mss-legacy.md) +- [Pol_MSS_TcpMaxDataRetransmissionsIPv6](policy-csp-admx-mss-legacy.md) +- [Pol_MSS_TcpMaxDataRetransmissions](policy-csp-admx-mss-legacy.md) +- [Pol_MSS_WarningLevel](policy-csp-admx-mss-legacy.md) + +## ADMX_nca + +- [CorporateResources](policy-csp-admx-nca.md) +- [CustomCommands](policy-csp-admx-nca.md) +- [PassiveMode](policy-csp-admx-nca.md) +- [FriendlyName](policy-csp-admx-nca.md) +- [DTEs](policy-csp-admx-nca.md) +- [LocalNamesOn](policy-csp-admx-nca.md) +- [SupportEmail](policy-csp-admx-nca.md) +- [ShowUI](policy-csp-admx-nca.md) + +## ADMX_NCSI + +- [NCSI_CorpDnsProbeContent](policy-csp-admx-ncsi.md) +- [NCSI_CorpDnsProbeHost](policy-csp-admx-ncsi.md) +- [NCSI_CorpSitePrefixes](policy-csp-admx-ncsi.md) +- [NCSI_CorpWebProbeUrl](policy-csp-admx-ncsi.md) +- [NCSI_DomainLocationDeterminationUrl](policy-csp-admx-ncsi.md) +- [NCSI_GlobalDns](policy-csp-admx-ncsi.md) +- [NCSI_PassivePolling](policy-csp-admx-ncsi.md) + +## ADMX_Netlogon + +- [Netlogon_AllowNT4Crypto](policy-csp-admx-netlogon.md) +- [Netlogon_AvoidPdcOnWan](policy-csp-admx-netlogon.md) +- [Netlogon_IgnoreIncomingMailslotMessages](policy-csp-admx-netlogon.md) +- [Netlogon_AvoidFallbackNetbiosDiscovery](policy-csp-admx-netlogon.md) +- [Netlogon_ForceRediscoveryInterval](policy-csp-admx-netlogon.md) +- [Netlogon_AddressTypeReturned](policy-csp-admx-netlogon.md) +- [Netlogon_LdapSrvPriority](policy-csp-admx-netlogon.md) +- [Netlogon_DnsTtl](policy-csp-admx-netlogon.md) +- [Netlogon_LdapSrvWeight](policy-csp-admx-netlogon.md) +- [Netlogon_AddressLookupOnPingBehavior](policy-csp-admx-netlogon.md) +- [Netlogon_DnsAvoidRegisterRecords](policy-csp-admx-netlogon.md) +- [Netlogon_UseDynamicDns](policy-csp-admx-netlogon.md) +- [Netlogon_DnsRefreshInterval](policy-csp-admx-netlogon.md) +- [Netlogon_NdncSiteCoverage](policy-csp-admx-netlogon.md) +- [Netlogon_SiteCoverage](policy-csp-admx-netlogon.md) +- [Netlogon_GcSiteCoverage](policy-csp-admx-netlogon.md) +- [Netlogon_TryNextClosestSite](policy-csp-admx-netlogon.md) +- [Netlogon_AutoSiteCoverage](policy-csp-admx-netlogon.md) +- [Netlogon_AllowDnsSuffixSearch](policy-csp-admx-netlogon.md) +- [Netlogon_AllowSingleLabelDnsDomain](policy-csp-admx-netlogon.md) +- [Netlogon_DnsSrvRecordUseLowerCaseHostNames](policy-csp-admx-netlogon.md) +- [Netlogon_NetlogonShareCompatibilityMode](policy-csp-admx-netlogon.md) +- [Netlogon_ScavengeInterval](policy-csp-admx-netlogon.md) +- [Netlogon_SysvolShareCompatibilityMode](policy-csp-admx-netlogon.md) +- [Netlogon_ExpectedDialupDelay](policy-csp-admx-netlogon.md) +- [Netlogon_DebugFlag](policy-csp-admx-netlogon.md) +- [Netlogon_MaximumLogFileSize](policy-csp-admx-netlogon.md) +- [Netlogon_NegativeCachePeriod](policy-csp-admx-netlogon.md) +- [Netlogon_NonBackgroundSuccessfulRefreshPeriod](policy-csp-admx-netlogon.md) +- [Netlogon_SiteName](policy-csp-admx-netlogon.md) +- [Netlogon_BackgroundRetryQuitTime](policy-csp-admx-netlogon.md) +- [Netlogon_BackgroundRetryInitialPeriod](policy-csp-admx-netlogon.md) +- [Netlogon_BackgroundRetryMaximumPeriod](policy-csp-admx-netlogon.md) +- [Netlogon_BackgroundSuccessfulRefreshPeriod](policy-csp-admx-netlogon.md) +- [Netlogon_PingUrgencyMode](policy-csp-admx-netlogon.md) + +## ADMX_NetworkConnections + +- [NC_RasAllUserProperties](policy-csp-admx-networkconnections.md) +- [NC_DeleteAllUserConnection](policy-csp-admx-networkconnections.md) +- [NC_LanConnect](policy-csp-admx-networkconnections.md) +- [NC_RenameAllUserRasConnection](policy-csp-admx-networkconnections.md) +- [NC_RenameLanConnection](policy-csp-admx-networkconnections.md) +- [NC_RenameConnection](policy-csp-admx-networkconnections.md) +- [NC_EnableAdminProhibits](policy-csp-admx-networkconnections.md) +- [NC_LanProperties](policy-csp-admx-networkconnections.md) +- [NC_LanChangeProperties](policy-csp-admx-networkconnections.md) +- [NC_RasChangeProperties](policy-csp-admx-networkconnections.md) +- [NC_AdvancedSettings](policy-csp-admx-networkconnections.md) +- [NC_NewConnectionWizard](policy-csp-admx-networkconnections.md) +- [NC_DialupPrefs](policy-csp-admx-networkconnections.md) +- [NC_AddRemoveComponents](policy-csp-admx-networkconnections.md) +- [NC_RasMyProperties](policy-csp-admx-networkconnections.md) +- [NC_RasConnect](policy-csp-admx-networkconnections.md) +- [NC_DeleteConnection](policy-csp-admx-networkconnections.md) +- [NC_ChangeBindState](policy-csp-admx-networkconnections.md) +- [NC_RenameMyRasConnection](policy-csp-admx-networkconnections.md) +- [NC_AllowAdvancedTCPIPConfig](policy-csp-admx-networkconnections.md) +- [NC_Statistics](policy-csp-admx-networkconnections.md) +- [NC_IpStateChecking](policy-csp-admx-networkconnections.md) +- [NC_DoNotShowLocalOnlyIcon](policy-csp-admx-networkconnections.md) +- [NC_PersonalFirewallConfig](policy-csp-admx-networkconnections.md) +- [NC_ShowSharedAccessUI](policy-csp-admx-networkconnections.md) +- [NC_StdDomainUserSetLocation](policy-csp-admx-networkconnections.md) +- [NC_ForceTunneling](policy-csp-admx-networkconnections.md) + +## ADMX_OfflineFiles + +- [Pol_GoOfflineAction_1](policy-csp-admx-offlinefiles.md) +- [Pol_EventLoggingLevel_1](policy-csp-admx-offlinefiles.md) +- [Pol_ReminderInitTimeout_1](policy-csp-admx-offlinefiles.md) +- [Pol_CustomGoOfflineActions_1](policy-csp-admx-offlinefiles.md) +- [Pol_NoCacheViewer_1](policy-csp-admx-offlinefiles.md) +- [Pol_NoConfigCache_1](policy-csp-admx-offlinefiles.md) +- [Pol_ReminderFreq_1](policy-csp-admx-offlinefiles.md) +- [Pol_ReminderTimeout_1](policy-csp-admx-offlinefiles.md) +- [Pol_NoMakeAvailableOffline_1](policy-csp-admx-offlinefiles.md) +- [Pol_NoPinFiles_1](policy-csp-admx-offlinefiles.md) +- [Pol_WorkOfflineDisabled_1](policy-csp-admx-offlinefiles.md) +- [Pol_AssignedOfflineFiles_1](policy-csp-admx-offlinefiles.md) +- [Pol_SyncAtLogoff_1](policy-csp-admx-offlinefiles.md) +- [Pol_SyncAtLogon_1](policy-csp-admx-offlinefiles.md) +- [Pol_SyncAtSuspend_1](policy-csp-admx-offlinefiles.md) +- [Pol_NoReminders_1](policy-csp-admx-offlinefiles.md) +- [Pol_GoOfflineAction_2](policy-csp-admx-offlinefiles.md) +- [Pol_Enabled](policy-csp-admx-offlinefiles.md) +- [Pol_PurgeAtLogoff](policy-csp-admx-offlinefiles.md) +- [Pol_BackgroundSyncSettings](policy-csp-admx-offlinefiles.md) +- [Pol_SlowLinkSpeed](policy-csp-admx-offlinefiles.md) +- [Pol_SlowLinkSettings](policy-csp-admx-offlinefiles.md) +- [Pol_DefCacheSize](policy-csp-admx-offlinefiles.md) +- [Pol_ExclusionListSettings](policy-csp-admx-offlinefiles.md) +- [Pol_SyncOnCostedNetwork](policy-csp-admx-offlinefiles.md) +- [Pol_OnlineCachingSettings](policy-csp-admx-offlinefiles.md) +- [Pol_EncryptOfflineFiles](policy-csp-admx-offlinefiles.md) +- [Pol_EventLoggingLevel_2](policy-csp-admx-offlinefiles.md) +- [Pol_ExtExclusionList](policy-csp-admx-offlinefiles.md) +- [Pol_ReminderInitTimeout_2](policy-csp-admx-offlinefiles.md) +- [Pol_CacheSize](policy-csp-admx-offlinefiles.md) +- [Pol_CustomGoOfflineActions_2](policy-csp-admx-offlinefiles.md) +- [Pol_NoCacheViewer_2](policy-csp-admx-offlinefiles.md) +- [Pol_NoConfigCache_2](policy-csp-admx-offlinefiles.md) +- [Pol_ReminderFreq_2](policy-csp-admx-offlinefiles.md) +- [Pol_ReminderTimeout_2](policy-csp-admx-offlinefiles.md) +- [Pol_NoMakeAvailableOffline_2](policy-csp-admx-offlinefiles.md) +- [Pol_NoPinFiles_2](policy-csp-admx-offlinefiles.md) +- [Pol_WorkOfflineDisabled_2](policy-csp-admx-offlinefiles.md) +- [Pol_AssignedOfflineFiles_2](policy-csp-admx-offlinefiles.md) +- [Pol_AlwaysPinSubFolders](policy-csp-admx-offlinefiles.md) +- [Pol_SyncAtLogoff_2](policy-csp-admx-offlinefiles.md) +- [Pol_SyncAtLogon_2](policy-csp-admx-offlinefiles.md) +- [Pol_SyncAtSuspend_2](policy-csp-admx-offlinefiles.md) +- [Pol_NoReminders_2](policy-csp-admx-offlinefiles.md) +- [Pol_QuickAdimPin](policy-csp-admx-offlinefiles.md) + +## ADMX_pca + +- [DetectDeprecatedCOMComponentFailuresPolicy](policy-csp-admx-pca.md) +- [DetectDeprecatedComponentFailuresPolicy](policy-csp-admx-pca.md) +- [DetectInstallFailuresPolicy](policy-csp-admx-pca.md) +- [DetectUndetectedInstallersPolicy](policy-csp-admx-pca.md) +- [DetectUpdateFailuresPolicy](policy-csp-admx-pca.md) +- [DisablePcaUIPolicy](policy-csp-admx-pca.md) +- [DetectBlockedDriversPolicy](policy-csp-admx-pca.md) + +## ADMX_PeerToPeerCaching + +- [EnableWindowsBranchCache_SMB](policy-csp-admx-peertopeercaching.md) +- [SetDowngrading](policy-csp-admx-peertopeercaching.md) +- [EnableWindowsBranchCache_HostedMultipleServers](policy-csp-admx-peertopeercaching.md) +- [EnableWindowsBranchCache_HostedCacheDiscovery](policy-csp-admx-peertopeercaching.md) +- [SetDataCacheEntryMaxAge](policy-csp-admx-peertopeercaching.md) +- [EnableWindowsBranchCache_Distributed](policy-csp-admx-peertopeercaching.md) +- [EnableWindowsBranchCache_Hosted](policy-csp-admx-peertopeercaching.md) +- [SetCachePercent](policy-csp-admx-peertopeercaching.md) +- [EnableWindowsBranchCache](policy-csp-admx-peertopeercaching.md) + +## ADMX_PenTraining + +- [PenTrainingOff_1](policy-csp-admx-pentraining.md) +- [PenTrainingOff_2](policy-csp-admx-pentraining.md) + +## ADMX_PerformanceDiagnostics + +- [WdiScenarioExecutionPolicy_1](policy-csp-admx-performancediagnostics.md) +- [WdiScenarioExecutionPolicy_3](policy-csp-admx-performancediagnostics.md) +- [WdiScenarioExecutionPolicy_4](policy-csp-admx-performancediagnostics.md) +- [WdiScenarioExecutionPolicy_2](policy-csp-admx-performancediagnostics.md) + +## ADMX_Power + +- [PW_PromptPasswordOnResume](policy-csp-admx-power.md) +- [Dont_PowerOff_AfterShutdown](policy-csp-admx-power.md) +- [DCStartMenuButtonAction_2](policy-csp-admx-power.md) +- [ACStartMenuButtonAction_2](policy-csp-admx-power.md) +- [DiskDCPowerDownTimeOut_2](policy-csp-admx-power.md) +- [DiskACPowerDownTimeOut_2](policy-csp-admx-power.md) +- [DCBatteryDischargeAction0_2](policy-csp-admx-power.md) +- [DCBatteryDischargeLevel0_2](policy-csp-admx-power.md) +- [DCBatteryDischargeAction1_2](policy-csp-admx-power.md) +- [DCBatteryDischargeLevel1_2](policy-csp-admx-power.md) +- [ReserveBatteryNotificationLevel](policy-csp-admx-power.md) +- [DCBatteryDischargeLevel1UINotification_2](policy-csp-admx-power.md) +- [PowerThrottlingTurnOff](policy-csp-admx-power.md) +- [InboxActiveSchemeOverride_2](policy-csp-admx-power.md) +- [AllowSystemPowerRequestDC](policy-csp-admx-power.md) +- [AllowSystemPowerRequestAC](policy-csp-admx-power.md) +- [AllowSystemSleepWithRemoteFilesOpenDC](policy-csp-admx-power.md) +- [AllowSystemSleepWithRemoteFilesOpenAC](policy-csp-admx-power.md) +- [DCConnectivityInStandby_2](policy-csp-admx-power.md) +- [ACConnectivityInStandby_2](policy-csp-admx-power.md) +- [DCCriticalSleepTransitionsDisable_2](policy-csp-admx-power.md) +- [ACCriticalSleepTransitionsDisable_2](policy-csp-admx-power.md) +- [CustomActiveSchemeOverride_2](policy-csp-admx-power.md) +- [EnableDesktopSlideShowDC](policy-csp-admx-power.md) +- [EnableDesktopSlideShowAC](policy-csp-admx-power.md) + +## ADMX_PowerShellExecutionPolicy + +- [EnableUpdateHelpDefaultSourcePath](policy-csp-admx-powershellexecutionpolicy.md) +- [EnableModuleLogging](policy-csp-admx-powershellexecutionpolicy.md) +- [EnableTranscripting](policy-csp-admx-powershellexecutionpolicy.md) +- [EnableScripts](policy-csp-admx-powershellexecutionpolicy.md) +- [EnableUpdateHelpDefaultSourcePath](policy-csp-admx-powershellexecutionpolicy.md) +- [EnableModuleLogging](policy-csp-admx-powershellexecutionpolicy.md) +- [EnableTranscripting](policy-csp-admx-powershellexecutionpolicy.md) +- [EnableScripts](policy-csp-admx-powershellexecutionpolicy.md) + +## ADMX_PreviousVersions + +- [DisableLocalPage_1](policy-csp-admx-previousversions.md) +- [DisableRemotePage_1](policy-csp-admx-previousversions.md) +- [HideBackupEntries_1](policy-csp-admx-previousversions.md) +- [DisableLocalRestore_1](policy-csp-admx-previousversions.md) +- [DisableBackupRestore_1](policy-csp-admx-previousversions.md) +- [DisableRemoteRestore_1](policy-csp-admx-previousversions.md) +- [DisableLocalPage_2](policy-csp-admx-previousversions.md) +- [DisableRemotePage_2](policy-csp-admx-previousversions.md) +- [HideBackupEntries_2](policy-csp-admx-previousversions.md) +- [DisableLocalRestore_2](policy-csp-admx-previousversions.md) +- [DisableBackupRestore_2](policy-csp-admx-previousversions.md) +- [DisableRemoteRestore_2](policy-csp-admx-previousversions.md) + +## ADMX_Printing + +- [IntranetPrintersUrl](policy-csp-admx-printing.md) +- [DownlevelBrowse](policy-csp-admx-printing.md) +- [PrinterDirectorySearchScope](policy-csp-admx-printing.md) +- [PackagePointAndPrintOnly](policy-csp-admx-printing.md) +- [PackagePointAndPrintServerList](policy-csp-admx-printing.md) +- [NoDeletePrinter](policy-csp-admx-printing.md) +- [LegacyDefaultPrinterMode](policy-csp-admx-printing.md) +- [AllowWebPrinting](policy-csp-admx-printing.md) +- [DomainPrinters](policy-csp-admx-printing.md) +- [NonDomainPrinters](policy-csp-admx-printing.md) +- [ShowJobTitleInEventLogs](policy-csp-admx-printing.md) +- [ForceSoftwareRasterization](policy-csp-admx-printing.md) +- [EMFDespooling](policy-csp-admx-printing.md) +- [MXDWUseLegacyOutputFormatMSXPS](policy-csp-admx-printing.md) +- [PhysicalLocation](policy-csp-admx-printing.md) +- [CustomizedSupportUrl](policy-csp-admx-printing.md) +- [KMPrintersAreBlocked](policy-csp-admx-printing.md) +- [V4DriverDisallowPrinterExtension](policy-csp-admx-printing.md) +- [PrintDriverIsolationExecutionPolicy](policy-csp-admx-printing.md) +- [DoNotInstallCompatibleDriverFromWindowsUpdate](policy-csp-admx-printing.md) +- [ApplicationDriverIsolation](policy-csp-admx-printing.md) +- [PackagePointAndPrintOnly_Win7](policy-csp-admx-printing.md) +- [PrintDriverIsolationOverrideCompat](policy-csp-admx-printing.md) +- [PackagePointAndPrintServerList_Win7](policy-csp-admx-printing.md) +- [PhysicalLocationSupport](policy-csp-admx-printing.md) +- [PrinterServerThread](policy-csp-admx-printing.md) + +## ADMX_Printing2 + +- [RegisterSpoolerRemoteRpcEndPoint](policy-csp-admx-printing2.md) +- [ImmortalPrintQueue](policy-csp-admx-printing2.md) +- [AutoPublishing](policy-csp-admx-printing2.md) +- [VerifyPublishedState](policy-csp-admx-printing2.md) +- [PruningInterval](policy-csp-admx-printing2.md) +- [PruningPriority](policy-csp-admx-printing2.md) +- [PruningRetries](policy-csp-admx-printing2.md) +- [PruningRetryLog](policy-csp-admx-printing2.md) +- [PruneDownlevel](policy-csp-admx-printing2.md) + +## ADMX_Programs + +- [NoGetPrograms](policy-csp-admx-programs.md) +- [NoInstalledUpdates](policy-csp-admx-programs.md) +- [NoProgramsAndFeatures](policy-csp-admx-programs.md) +- [NoDefaultPrograms](policy-csp-admx-programs.md) +- [NoWindowsFeatures](policy-csp-admx-programs.md) +- [NoWindowsMarketplace](policy-csp-admx-programs.md) +- [NoProgramsCPL](policy-csp-admx-programs.md) + +## ADMX_PushToInstall + +- [DisablePushToInstall](policy-csp-admx-pushtoinstall.md) + +## ADMX_QOS + +- [QosServiceTypeBestEffort_C](policy-csp-admx-qos.md) +- [QosServiceTypeControlledLoad_C](policy-csp-admx-qos.md) +- [QosServiceTypeGuaranteed_C](policy-csp-admx-qos.md) +- [QosServiceTypeNetworkControl_C](policy-csp-admx-qos.md) +- [QosServiceTypeQualitative_C](policy-csp-admx-qos.md) +- [QosServiceTypeBestEffort_NC](policy-csp-admx-qos.md) +- [QosServiceTypeControlledLoad_NC](policy-csp-admx-qos.md) +- [QosServiceTypeGuaranteed_NC](policy-csp-admx-qos.md) +- [QosServiceTypeNetworkControl_NC](policy-csp-admx-qos.md) +- [QosServiceTypeQualitative_NC](policy-csp-admx-qos.md) +- [QosServiceTypeBestEffort_PV](policy-csp-admx-qos.md) +- [QosServiceTypeControlledLoad_PV](policy-csp-admx-qos.md) +- [QosServiceTypeGuaranteed_PV](policy-csp-admx-qos.md) +- [QosServiceTypeNetworkControl_PV](policy-csp-admx-qos.md) +- [QosServiceTypeNonConforming](policy-csp-admx-qos.md) +- [QosServiceTypeQualitative_PV](policy-csp-admx-qos.md) +- [QosMaxOutstandingSends](policy-csp-admx-qos.md) +- [QosNonBestEffortLimit](policy-csp-admx-qos.md) +- [QosTimerResolution](policy-csp-admx-qos.md) + +## ADMX_Radar + +- [WdiScenarioExecutionPolicy](policy-csp-admx-radar.md) + +## ADMX_Reliability + +- [ShutdownEventTrackerStateFile](policy-csp-admx-reliability.md) +- [ShutdownReason](policy-csp-admx-reliability.md) +- [EE_EnablePersistentTimeStamp](policy-csp-admx-reliability.md) +- [PCH_ReportShutdownEvents](policy-csp-admx-reliability.md) + +## ADMX_RemoteAssistance + +- [RA_EncryptedTicketOnly](policy-csp-admx-remoteassistance.md) +- [RA_Optimize_Bandwidth](policy-csp-admx-remoteassistance.md) + +## ADMX_RemovableStorage + +- [RemovableStorageClasses_DenyAll_Access_1](policy-csp-admx-removablestorage.md) +- [CDandDVD_DenyRead_Access_1](policy-csp-admx-removablestorage.md) +- [CDandDVD_DenyWrite_Access_1](policy-csp-admx-removablestorage.md) +- [CustomClasses_DenyRead_Access_1](policy-csp-admx-removablestorage.md) +- [CustomClasses_DenyWrite_Access_1](policy-csp-admx-removablestorage.md) +- [FloppyDrives_DenyRead_Access_1](policy-csp-admx-removablestorage.md) +- [FloppyDrives_DenyWrite_Access_1](policy-csp-admx-removablestorage.md) +- [RemovableDisks_DenyRead_Access_1](policy-csp-admx-removablestorage.md) +- [RemovableDisks_DenyWrite_Access_1](policy-csp-admx-removablestorage.md) +- [AccessRights_RebootTime_1](policy-csp-admx-removablestorage.md) +- [TapeDrives_DenyRead_Access_1](policy-csp-admx-removablestorage.md) +- [TapeDrives_DenyWrite_Access_1](policy-csp-admx-removablestorage.md) +- [WPDDevices_DenyRead_Access_1](policy-csp-admx-removablestorage.md) +- [WPDDevices_DenyWrite_Access_1](policy-csp-admx-removablestorage.md) +- [RemovableStorageClasses_DenyAll_Access_2](policy-csp-admx-removablestorage.md) +- [Removable_Remote_Allow_Access](policy-csp-admx-removablestorage.md) +- [CDandDVD_DenyExecute_Access_2](policy-csp-admx-removablestorage.md) +- [CDandDVD_DenyRead_Access_2](policy-csp-admx-removablestorage.md) +- [CDandDVD_DenyWrite_Access_2](policy-csp-admx-removablestorage.md) +- [CustomClasses_DenyRead_Access_2](policy-csp-admx-removablestorage.md) +- [CustomClasses_DenyWrite_Access_2](policy-csp-admx-removablestorage.md) +- [FloppyDrives_DenyExecute_Access_2](policy-csp-admx-removablestorage.md) +- [FloppyDrives_DenyRead_Access_2](policy-csp-admx-removablestorage.md) +- [FloppyDrives_DenyWrite_Access_2](policy-csp-admx-removablestorage.md) +- [RemovableDisks_DenyExecute_Access_2](policy-csp-admx-removablestorage.md) +- [RemovableDisks_DenyRead_Access_2](policy-csp-admx-removablestorage.md) +- [AccessRights_RebootTime_2](policy-csp-admx-removablestorage.md) +- [TapeDrives_DenyExecute_Access_2](policy-csp-admx-removablestorage.md) +- [TapeDrives_DenyRead_Access_2](policy-csp-admx-removablestorage.md) +- [TapeDrives_DenyWrite_Access_2](policy-csp-admx-removablestorage.md) +- [WPDDevices_DenyRead_Access_2](policy-csp-admx-removablestorage.md) +- [WPDDevices_DenyWrite_Access_2](policy-csp-admx-removablestorage.md) + +## ADMX_RPC + +- [RpcIgnoreDelegationFailure](policy-csp-admx-rpc.md) +- [RpcStateInformation](policy-csp-admx-rpc.md) +- [RpcExtendedErrorInformation](policy-csp-admx-rpc.md) +- [RpcMinimumHttpConnectionTimeout](policy-csp-admx-rpc.md) + +## ADMX_sam + +- [SamNGCKeyROCAValidation](policy-csp-admx-sam.md) + +## ADMX_Scripts + +- [Run_Logoff_Script_Visible](policy-csp-admx-scripts.md) +- [Run_Logon_Script_Visible](policy-csp-admx-scripts.md) +- [Run_Legacy_Logon_Script_Hidden](policy-csp-admx-scripts.md) +- [Run_Logon_Script_Sync_1](policy-csp-admx-scripts.md) +- [Run_User_PS_Scripts_First](policy-csp-admx-scripts.md) +- [Allow_Logon_Script_NetbiosDisabled](policy-csp-admx-scripts.md) +- [Run_Shutdown_Script_Visible](policy-csp-admx-scripts.md) +- [Run_Startup_Script_Visible](policy-csp-admx-scripts.md) +- [Run_Logon_Script_Sync_2](policy-csp-admx-scripts.md) +- [Run_Startup_Script_Sync](policy-csp-admx-scripts.md) +- [Run_Computer_PS_Scripts_First](policy-csp-admx-scripts.md) +- [Run_User_PS_Scripts_First](policy-csp-admx-scripts.md) +- [MaxGPOScriptWaitPolicy](policy-csp-admx-scripts.md) + +## ADMX_sdiageng + +- [ScriptedDiagnosticsSecurityPolicy](policy-csp-admx-sdiageng.md) +- [ScriptedDiagnosticsExecutionPolicy](policy-csp-admx-sdiageng.md) +- [BetterWhenConnected](policy-csp-admx-sdiageng.md) + +## ADMX_sdiagschd + +- [ScheduledDiagnosticsExecutionPolicy](policy-csp-admx-sdiagschd.md) + +## ADMX_Securitycenter + +- [SecurityCenter_SecurityCenterInDomain](policy-csp-admx-securitycenter.md) + +## ADMX_Sensors + +- [DisableLocation_1](policy-csp-admx-sensors.md) +- [DisableLocationScripting_1](policy-csp-admx-sensors.md) +- [DisableSensors_1](policy-csp-admx-sensors.md) +- [DisableLocationScripting_2](policy-csp-admx-sensors.md) +- [DisableSensors_2](policy-csp-admx-sensors.md) + +## ADMX_ServerManager + +- [Do_not_display_Manage_Your_Server_page](policy-csp-admx-servermanager.md) +- [ServerManagerAutoRefreshRate](policy-csp-admx-servermanager.md) +- [DoNotLaunchInitialConfigurationTasks](policy-csp-admx-servermanager.md) +- [DoNotLaunchServerManager](policy-csp-admx-servermanager.md) + +## ADMX_Servicing + +- [Servicing](policy-csp-admx-servicing.md) + +## ADMX_SettingSync + +- [DisableSettingSync](policy-csp-admx-settingsync.md) +- [DisableApplicationSettingSync](policy-csp-admx-settingsync.md) +- [DisableAppSyncSettingSync](policy-csp-admx-settingsync.md) +- [DisableDesktopThemeSettingSync](policy-csp-admx-settingsync.md) +- [DisableSyncOnPaidNetwork](policy-csp-admx-settingsync.md) +- [DisableWindowsSettingSync](policy-csp-admx-settingsync.md) +- [DisableCredentialsSettingSync](policy-csp-admx-settingsync.md) +- [DisablePersonalizationSettingSync](policy-csp-admx-settingsync.md) +- [DisableStartLayoutSettingSync](policy-csp-admx-settingsync.md) + +## ADMX_SharedFolders + +- [PublishDfsRoots](policy-csp-admx-sharedfolders.md) +- [PublishSharedFolders](policy-csp-admx-sharedfolders.md) + +## ADMX_Sharing + +- [NoInplaceSharing](policy-csp-admx-sharing.md) +- [DisableHomeGroup](policy-csp-admx-sharing.md) + +## ADMX_ShellCommandPromptRegEditTools + +- [DisallowApps](policy-csp-admx-shellcommandpromptregedittools.md) +- [DisableRegedit](policy-csp-admx-shellcommandpromptregedittools.md) +- [DisableCMD](policy-csp-admx-shellcommandpromptregedittools.md) +- [RestrictApps](policy-csp-admx-shellcommandpromptregedittools.md) + +## ADMX_Smartcard + +- [AllowCertificatesWithNoEKU](policy-csp-admx-smartcard.md) +- [EnumerateECCCerts](policy-csp-admx-smartcard.md) +- [AllowIntegratedUnblock](policy-csp-admx-smartcard.md) +- [AllowSignatureOnlyKeys](policy-csp-admx-smartcard.md) +- [AllowTimeInvalidCertificates](policy-csp-admx-smartcard.md) +- [X509HintsNeeded](policy-csp-admx-smartcard.md) +- [CertPropRootCleanupString](policy-csp-admx-smartcard.md) +- [IntegratedUnblockPromptString](policy-csp-admx-smartcard.md) +- [FilterDuplicateCerts](policy-csp-admx-smartcard.md) +- [ForceReadingAllCertificates](policy-csp-admx-smartcard.md) +- [SCPnPNotification](policy-csp-admx-smartcard.md) +- [DisallowPlaintextPin](policy-csp-admx-smartcard.md) +- [ReverseSubject](policy-csp-admx-smartcard.md) +- [CertPropEnabledString](policy-csp-admx-smartcard.md) +- [CertPropRootEnabledString](policy-csp-admx-smartcard.md) +- [SCPnPEnabled](policy-csp-admx-smartcard.md) + +## ADMX_Snmp + +- [SNMP_Communities](policy-csp-admx-snmp.md) +- [SNMP_PermittedManagers](policy-csp-admx-snmp.md) +- [SNMP_Traps_Public](policy-csp-admx-snmp.md) + +## ADMX_SoundRec + +- [Soundrec_DiableApplication_TitleText_1](policy-csp-admx-soundrec.md) +- [Soundrec_DiableApplication_TitleText_2](policy-csp-admx-soundrec.md) + +## ADMX_srmfci + +- [AccessDeniedConfiguration](policy-csp-admx-srmfci.md) +- [EnableShellAccessCheck](policy-csp-admx-srmfci.md) +- [EnableManualUX](policy-csp-admx-srmfci.md) +- [CentralClassificationList](policy-csp-admx-srmfci.md) + +## ADMX_StartMenu + +- [MemCheckBoxInRunDlg](policy-csp-admx-startmenu.md) +- [ForceStartMenuLogOff](policy-csp-admx-startmenu.md) +- [AddSearchInternetLinkInStartMenu](policy-csp-admx-startmenu.md) +- [ShowRunInStartMenu](policy-csp-admx-startmenu.md) +- [PowerButtonAction](policy-csp-admx-startmenu.md) +- [ClearRecentDocsOnExit](policy-csp-admx-startmenu.md) +- [ClearRecentProgForNewUserInStartMenu](policy-csp-admx-startmenu.md) +- [ClearTilesOnExit](policy-csp-admx-startmenu.md) +- [NoToolbarsOnTaskbar](policy-csp-admx-startmenu.md) +- [NoSearchCommInStartMenu](policy-csp-admx-startmenu.md) +- [NoSearchFilesInStartMenu](policy-csp-admx-startmenu.md) +- [NoSearchInternetInStartMenu](policy-csp-admx-startmenu.md) +- [NoSearchProgramsInStartMenu](policy-csp-admx-startmenu.md) +- [NoResolveSearch](policy-csp-admx-startmenu.md) +- [NoResolveTrack](policy-csp-admx-startmenu.md) +- [NoStartPage](policy-csp-admx-startmenu.md) +- [GoToDesktopOnSignIn](policy-csp-admx-startmenu.md) +- [GreyMSIAds](policy-csp-admx-startmenu.md) +- [NoTrayItemsDisplay](policy-csp-admx-startmenu.md) +- [DesktopAppsFirstInAppsView](policy-csp-admx-startmenu.md) +- [LockTaskbar](policy-csp-admx-startmenu.md) +- [StartPinAppsWhenInstalled](policy-csp-admx-startmenu.md) +- [NoSetTaskbar](policy-csp-admx-startmenu.md) +- [NoTaskGrouping](policy-csp-admx-startmenu.md) +- [NoChangeStartMenu](policy-csp-admx-startmenu.md) +- [NoUninstallFromStart](policy-csp-admx-startmenu.md) +- [NoTrayContextMenu](policy-csp-admx-startmenu.md) +- [NoMoreProgramsList](policy-csp-admx-startmenu.md) +- [NoClose](policy-csp-admx-startmenu.md) +- [NoBalloonTip](policy-csp-admx-startmenu.md) +- [NoTaskBarClock](policy-csp-admx-startmenu.md) +- [NoCommonGroups](policy-csp-admx-startmenu.md) +- [NoSMConfigurePrograms](policy-csp-admx-startmenu.md) +- [NoSMMyDocuments](policy-csp-admx-startmenu.md) +- [NoStartMenuDownload](policy-csp-admx-startmenu.md) +- [NoFavoritesMenu](policy-csp-admx-startmenu.md) +- [NoGamesFolderOnStartMenu](policy-csp-admx-startmenu.md) +- [NoHelp](policy-csp-admx-startmenu.md) +- [NoStartMenuHomegroup](policy-csp-admx-startmenu.md) +- [NoWindowsUpdate](policy-csp-admx-startmenu.md) +- [StartMenuLogOff](policy-csp-admx-startmenu.md) +- [NoSMMyMusic](policy-csp-admx-startmenu.md) +- [NoNetAndDialupConnect](policy-csp-admx-startmenu.md) +- [NoSMMyNetworkPlaces](policy-csp-admx-startmenu.md) +- [NoSMMyPictures](policy-csp-admx-startmenu.md) +- [NoPinnedPrograms](policy-csp-admx-startmenu.md) +- [NoSetFolders](policy-csp-admx-startmenu.md) +- [NoRecentDocsMenu](policy-csp-admx-startmenu.md) +- [NoStartMenuRecordedTV](policy-csp-admx-startmenu.md) +- [NoRun](policy-csp-admx-startmenu.md) +- [NoSearchComputerLinkInStartMenu](policy-csp-admx-startmenu.md) +- [NoFind](policy-csp-admx-startmenu.md) +- [NoSearchEverywhereLinkInStartMenu](policy-csp-admx-startmenu.md) +- [RemoveUnDockPCButton](policy-csp-admx-startmenu.md) +- [NoUserFolderOnStartMenu](policy-csp-admx-startmenu.md) +- [NoUserNameOnStartMenu](policy-csp-admx-startmenu.md) +- [NoStartMenuSubFolders](policy-csp-admx-startmenu.md) +- [NoStartMenuVideos](policy-csp-admx-startmenu.md) +- [DisableGlobalSearchOnAppsView](policy-csp-admx-startmenu.md) +- [ShowRunAsDifferentUserInStart](policy-csp-admx-startmenu.md) +- [QuickLaunchEnabled](policy-csp-admx-startmenu.md) +- [ShowStartOnDisplayWithForegroundOnWinKey](policy-csp-admx-startmenu.md) +- [ShowAppsViewOnStart](policy-csp-admx-startmenu.md) +- [NoAutoTrayNotify](policy-csp-admx-startmenu.md) +- [Intellimenus](policy-csp-admx-startmenu.md) +- [NoInstrumentation](policy-csp-admx-startmenu.md) +- [StartPinAppsWhenInstalled](policy-csp-admx-startmenu.md) +- [NoSetTaskbar](policy-csp-admx-startmenu.md) +- [NoChangeStartMenu](policy-csp-admx-startmenu.md) +- [NoUninstallFromStart](policy-csp-admx-startmenu.md) +- [NoTrayContextMenu](policy-csp-admx-startmenu.md) +- [NoMoreProgramsList](policy-csp-admx-startmenu.md) +- [HidePowerOptions](policy-csp-admx-startmenu.md) +- [NoRun](policy-csp-admx-startmenu.md) + +## ADMX_SystemRestore + +- [SR_DisableConfig](policy-csp-admx-systemrestore.md) + +## ADMX_TabletPCInputPanel + +- [Prediction_1](policy-csp-admx-tabletpcinputpanel.md) +- [IPTIPTarget_1](policy-csp-admx-tabletpcinputpanel.md) +- [IPTIPTouchTarget_1](policy-csp-admx-tabletpcinputpanel.md) +- [RareChar_1](policy-csp-admx-tabletpcinputpanel.md) +- [EdgeTarget_1](policy-csp-admx-tabletpcinputpanel.md) +- [AutoComplete_1](policy-csp-admx-tabletpcinputpanel.md) +- [PasswordSecurity_1](policy-csp-admx-tabletpcinputpanel.md) +- [ScratchOut_1](policy-csp-admx-tabletpcinputpanel.md) +- [Prediction_2](policy-csp-admx-tabletpcinputpanel.md) +- [IPTIPTarget_2](policy-csp-admx-tabletpcinputpanel.md) +- [IPTIPTouchTarget_2](policy-csp-admx-tabletpcinputpanel.md) +- [RareChar_2](policy-csp-admx-tabletpcinputpanel.md) +- [EdgeTarget_2](policy-csp-admx-tabletpcinputpanel.md) +- [AutoComplete_2](policy-csp-admx-tabletpcinputpanel.md) +- [PasswordSecurity_2](policy-csp-admx-tabletpcinputpanel.md) +- [ScratchOut_2](policy-csp-admx-tabletpcinputpanel.md) + +## ADMX_TabletShell + +- [DisableInkball_1](policy-csp-admx-tabletshell.md) +- [DisableNoteWriterPrinting_1](policy-csp-admx-tabletshell.md) +- [DisableSnippingTool_1](policy-csp-admx-tabletshell.md) +- [DisableJournal_1](policy-csp-admx-tabletshell.md) +- [TurnOffFeedback_1](policy-csp-admx-tabletshell.md) +- [PreventBackEscMapping_1](policy-csp-admx-tabletshell.md) +- [PreventLaunchApp_1](policy-csp-admx-tabletshell.md) +- [PreventPressAndHold_1](policy-csp-admx-tabletshell.md) +- [TurnOffButtons_1](policy-csp-admx-tabletshell.md) +- [PreventFlicksLearningMode_1](policy-csp-admx-tabletshell.md) +- [PreventFlicks_1](policy-csp-admx-tabletshell.md) +- [DisableInkball_2](policy-csp-admx-tabletshell.md) +- [DisableNoteWriterPrinting_2](policy-csp-admx-tabletshell.md) +- [DisableSnippingTool_2](policy-csp-admx-tabletshell.md) +- [DisableJournal_2](policy-csp-admx-tabletshell.md) +- [TurnOffFeedback_2](policy-csp-admx-tabletshell.md) +- [PreventBackEscMapping_2](policy-csp-admx-tabletshell.md) +- [PreventLaunchApp_2](policy-csp-admx-tabletshell.md) +- [PreventPressAndHold_2](policy-csp-admx-tabletshell.md) +- [TurnOffButtons_2](policy-csp-admx-tabletshell.md) +- [PreventFlicksLearningMode_2](policy-csp-admx-tabletshell.md) +- [PreventFlicks_2](policy-csp-admx-tabletshell.md) + +## ADMX_Taskbar + +- [EnableLegacyBalloonNotifications](policy-csp-admx-taskbar.md) +- [NoPinningToDestinations](policy-csp-admx-taskbar.md) +- [NoPinningToTaskbar](policy-csp-admx-taskbar.md) +- [NoPinningStoreToTaskbar](policy-csp-admx-taskbar.md) +- [TaskbarNoMultimon](policy-csp-admx-taskbar.md) +- [NoRemoteDestinations](policy-csp-admx-taskbar.md) +- [TaskbarLockAll](policy-csp-admx-taskbar.md) +- [TaskbarNoAddRemoveToolbar](policy-csp-admx-taskbar.md) +- [TaskbarNoRedock](policy-csp-admx-taskbar.md) +- [TaskbarNoDragToolbar](policy-csp-admx-taskbar.md) +- [TaskbarNoResize](policy-csp-admx-taskbar.md) +- [DisableNotificationCenter](policy-csp-admx-taskbar.md) +- [TaskbarNoPinnedList](policy-csp-admx-taskbar.md) +- [HideSCAPower](policy-csp-admx-taskbar.md) +- [HideSCANetwork](policy-csp-admx-taskbar.md) +- [HideSCAHealth](policy-csp-admx-taskbar.md) +- [HideSCAVolume](policy-csp-admx-taskbar.md) +- [ShowWindowsStoreAppsOnTaskbar](policy-csp-admx-taskbar.md) +- [TaskbarNoNotification](policy-csp-admx-taskbar.md) +- [NoSystraySystemPromotion](policy-csp-admx-taskbar.md) +- [NoBalloonFeatureAdvertisements](policy-csp-admx-taskbar.md) +- [TaskbarNoThumbnail](policy-csp-admx-taskbar.md) +- [DisableNotificationCenter](policy-csp-admx-taskbar.md) +- [TaskbarNoPinnedList](policy-csp-admx-taskbar.md) + +## ADMX_tcpip + +- [6to4_Router_Name](policy-csp-admx-tcpip.md) +- [6to4_Router_Name_Resolution_Interval](policy-csp-admx-tcpip.md) +- [6to4_State](policy-csp-admx-tcpip.md) +- [IPHTTPS_ClientState](policy-csp-admx-tcpip.md) +- [ISATAP_Router_Name](policy-csp-admx-tcpip.md) +- [ISATAP_State](policy-csp-admx-tcpip.md) +- [Teredo_Client_Port](policy-csp-admx-tcpip.md) +- [Teredo_Default_Qualified](policy-csp-admx-tcpip.md) +- [Teredo_Refresh_Rate](policy-csp-admx-tcpip.md) +- [Teredo_Server_Name](policy-csp-admx-tcpip.md) +- [Teredo_State](policy-csp-admx-tcpip.md) +- [IP_Stateless_Autoconfiguration_Limits_State](policy-csp-admx-tcpip.md) +- [Windows_Scaling_Heuristics_State](policy-csp-admx-tcpip.md) + +## ADMX_TerminalServer + +- [TS_GATEWAY_POLICY_ENABLE](policy-csp-admx-terminalserver.md) +- [TS_GATEWAY_POLICY_AUTH_METHOD](policy-csp-admx-terminalserver.md) +- [TS_GATEWAY_POLICY_SERVER](policy-csp-admx-terminalserver.md) +- [TS_CLIENT_ALLOW_UNSIGNED_FILES_1](policy-csp-admx-terminalserver.md) +- [TS_CLIENT_ALLOW_SIGNED_FILES_1](policy-csp-admx-terminalserver.md) +- [TS_CLIENT_DISABLE_PASSWORD_SAVING_1](policy-csp-admx-terminalserver.md) +- [TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_2](policy-csp-admx-terminalserver.md) +- [TS_RemoteControl_1](policy-csp-admx-terminalserver.md) +- [TS_EASY_PRINT_User](policy-csp-admx-terminalserver.md) +- [TS_START_PROGRAM_1](policy-csp-admx-terminalserver.md) +- [TS_Session_End_On_Limit_1](policy-csp-admx-terminalserver.md) +- [TS_SESSIONS_Idle_Limit_1](policy-csp-admx-terminalserver.md) +- [TS_SESSIONS_Limits_1](policy-csp-admx-terminalserver.md) +- [TS_SESSIONS_Disconnected_Timeout_1](policy-csp-admx-terminalserver.md) +- [TS_RADC_DefaultConnection](policy-csp-admx-terminalserver.md) +- [TS_LICENSE_SECGROUP](policy-csp-admx-terminalserver.md) +- [TS_PreventLicenseUpgrade](policy-csp-admx-terminalserver.md) +- [TS_CLIENT_ALLOW_UNSIGNED_FILES_2](policy-csp-admx-terminalserver.md) +- [TS_CLIENT_ALLOW_SIGNED_FILES_2](policy-csp-admx-terminalserver.md) +- [TS_SERVER_AUTH](policy-csp-admx-terminalserver.md) +- [TS_CLIENT_DISABLE_HARDWARE_MODE](policy-csp-admx-terminalserver.md) +- [TS_PROMT_CREDS_CLIENT_COMP](policy-csp-admx-terminalserver.md) +- [TS_USB_REDIRECTION_DISABLE](policy-csp-admx-terminalserver.md) +- [TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_1](policy-csp-admx-terminalserver.md) +- [TS_CLIENT_TURN_OFF_UDP](policy-csp-admx-terminalserver.md) +- [TS_AUTO_RECONNECT](policy-csp-admx-terminalserver.md) +- [TS_KEEP_ALIVE](policy-csp-admx-terminalserver.md) +- [TS_FORCIBLE_LOGOFF](policy-csp-admx-terminalserver.md) +- [TS_MAX_CON_POLICY](policy-csp-admx-terminalserver.md) +- [TS_SINGLE_SESSION](policy-csp-admx-terminalserver.md) +- [TS_SELECT_NETWORK_DETECT](policy-csp-admx-terminalserver.md) +- [TS_SELECT_TRANSPORT](policy-csp-admx-terminalserver.md) +- [TS_RemoteControl_2](policy-csp-admx-terminalserver.md) +- [TS_RDSAppX_WaitForRegistration](policy-csp-admx-terminalserver.md) +- [TS_CLIENT_AUDIO](policy-csp-admx-terminalserver.md) +- [TS_CLIENT_AUDIO_CAPTURE](policy-csp-admx-terminalserver.md) +- [TS_TIME_ZONE](policy-csp-admx-terminalserver.md) +- [TS_UIA](policy-csp-admx-terminalserver.md) +- [TS_CLIENT_CLIPBOARD](policy-csp-admx-terminalserver.md) +- [TS_CLIENT_COM](policy-csp-admx-terminalserver.md) +- [TS_CLIENT_LPT](policy-csp-admx-terminalserver.md) +- [TS_SMART_CARD](policy-csp-admx-terminalserver.md) +- [TS_CLIENT_PNP](policy-csp-admx-terminalserver.md) +- [TS_CAMERA_REDIRECTION](policy-csp-admx-terminalserver.md) +- [TS_CLIENT_AUDIO_QUALITY](policy-csp-admx-terminalserver.md) +- [TS_LICENSE_TOOLTIP](policy-csp-admx-terminalserver.md) +- [TS_LICENSING_MODE](policy-csp-admx-terminalserver.md) +- [TS_LICENSE_SERVERS](policy-csp-admx-terminalserver.md) +- [TS_CLIENT_PRINTER](policy-csp-admx-terminalserver.md) +- [TS_CLIENT_DEFAULT_M](policy-csp-admx-terminalserver.md) +- [TS_FALLBACKPRINTDRIVERTYPE](policy-csp-admx-terminalserver.md) +- [TS_EASY_PRINT](policy-csp-admx-terminalserver.md) +- [TS_DELETE_ROAMING_USER_PROFILES](policy-csp-admx-terminalserver.md) +- [TS_USER_PROFILES](policy-csp-admx-terminalserver.md) +- [TS_USER_HOME](policy-csp-admx-terminalserver.md) +- [TS_USER_MANDATORY_PROFILES](policy-csp-admx-terminalserver.md) +- [TS_SD_ClustName](policy-csp-admx-terminalserver.md) +- [TS_SD_Loc](policy-csp-admx-terminalserver.md) +- [TS_JOIN_SESSION_DIRECTORY](policy-csp-admx-terminalserver.md) +- [TS_SD_EXPOSE_ADDRESS](policy-csp-admx-terminalserver.md) +- [TS_TURNOFF_SINGLEAPP](policy-csp-admx-terminalserver.md) +- [TS_SERVER_COMPRESSOR](policy-csp-admx-terminalserver.md) +- [TS_SERVER_AVC_HW_ENCODE_PREFERRED](policy-csp-admx-terminalserver.md) +- [TS_SERVER_IMAGE_QUALITY](policy-csp-admx-terminalserver.md) +- [TS_SERVER_PROFILE](policy-csp-admx-terminalserver.md) +- [TS_SERVER_LEGACY_RFX](policy-csp-admx-terminalserver.md) +- [TS_DISABLE_REMOTE_DESKTOP_WALLPAPER](policy-csp-admx-terminalserver.md) +- [TS_COLORDEPTH](policy-csp-admx-terminalserver.md) +- [TS_MAXDISPLAYRES](policy-csp-admx-terminalserver.md) +- [TS_MAXMONITOR](policy-csp-admx-terminalserver.md) +- [TS_SERVER_AVC444_MODE_PREFERRED](policy-csp-admx-terminalserver.md) +- [TS_EnableVirtualGraphics](policy-csp-admx-terminalserver.md) +- [TS_SERVER_VISEXP](policy-csp-admx-terminalserver.md) +- [TS_RemoteDesktopVirtualGraphics](policy-csp-admx-terminalserver.md) +- [TS_NoDisconnectMenu](policy-csp-admx-terminalserver.md) +- [TS_NoSecurityMenu](policy-csp-admx-terminalserver.md) +- [TS_START_PROGRAM_2](policy-csp-admx-terminalserver.md) +- [TS_SERVER_ADVANCED_REMOTEFX_REMOTEAPP](policy-csp-admx-terminalserver.md) +- [TS_DX_USE_FULL_HWGPU](policy-csp-admx-terminalserver.md) +- [TS_SERVER_WDDM_GRAPHICS_DRIVER](policy-csp-admx-terminalserver.md) +- [TS_TSCC_PERMISSIONS_POLICY](policy-csp-admx-terminalserver.md) +- [TS_SECURITY_LAYER_POLICY](policy-csp-admx-terminalserver.md) +- [TS_USER_AUTHENTICATION_POLICY](policy-csp-admx-terminalserver.md) +- [TS_CERTIFICATE_TEMPLATE_POLICY](policy-csp-admx-terminalserver.md) +- [TS_Session_End_On_Limit_2](policy-csp-admx-terminalserver.md) +- [TS_SESSIONS_Idle_Limit_2](policy-csp-admx-terminalserver.md) +- [TS_SESSIONS_Limits_2](policy-csp-admx-terminalserver.md) +- [TS_SESSIONS_Disconnected_Timeout_2](policy-csp-admx-terminalserver.md) +- [TS_TEMP_DELETE](policy-csp-admx-terminalserver.md) +- [TS_TEMP_PER_SESSION](policy-csp-admx-terminalserver.md) + +## ADMX_Thumbnails + +- [DisableThumbsDBOnNetworkFolders](policy-csp-admx-thumbnails.md) +- [DisableThumbnailsOnNetworkFolders](policy-csp-admx-thumbnails.md) +- [DisableThumbnails](policy-csp-admx-thumbnails.md) + +## ADMX_TouchInput + +- [TouchInputOff_1](policy-csp-admx-touchinput.md) +- [PanningEverywhereOff_1](policy-csp-admx-touchinput.md) +- [TouchInputOff_2](policy-csp-admx-touchinput.md) +- [PanningEverywhereOff_2](policy-csp-admx-touchinput.md) + +## ADMX_TPM + +- [OptIntoDSHA_Name](policy-csp-admx-tpm.md) +- [OSManagedAuth_Name](policy-csp-admx-tpm.md) +- [BlockedCommandsList_Name](policy-csp-admx-tpm.md) +- [ClearTPMIfNotReady_Name](policy-csp-admx-tpm.md) +- [UseLegacyDAP_Name](policy-csp-admx-tpm.md) +- [IgnoreDefaultList_Name](policy-csp-admx-tpm.md) +- [IgnoreLocalList_Name](policy-csp-admx-tpm.md) +- [StandardUserAuthorizationFailureIndividualThreshold_Name](policy-csp-admx-tpm.md) +- [StandardUserAuthorizationFailureDuration_Name](policy-csp-admx-tpm.md) +- [StandardUserAuthorizationFailureTotalThreshold_Name](policy-csp-admx-tpm.md) + +## ADMX_UserExperienceVirtualization + +- [MicrosoftOffice2013AccessBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016AccessBackup](policy-csp-admx-userexperiencevirtualization.md) +- [Calculator](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013CommonBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016CommonBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013ExcelBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016ExcelBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013InfoPathBackup](policy-csp-admx-userexperiencevirtualization.md) +- [InternetExplorer10](policy-csp-admx-userexperiencevirtualization.md) +- [InternetExplorer11](policy-csp-admx-userexperiencevirtualization.md) +- [InternetExplorer8](policy-csp-admx-userexperiencevirtualization.md) +- [InternetExplorer9](policy-csp-admx-userexperiencevirtualization.md) +- [InternetExplorerCommon](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013LyncBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016LyncBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010Access](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013Access](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016Access](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010Excel](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013Excel](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016Excel](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010InfoPath](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013InfoPath](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010Lync](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013Lync](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016Lync](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010Common](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013Common](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013UploadCenter](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016Common](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016UploadCenter](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Access2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Access2016](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Common2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Common2016](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Excel2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Excel2016](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365InfoPath2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Lync2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Lync2016](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365OneNote2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365OneNote2016](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Outlook2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Outlook2016](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365PowerPoint2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365PowerPoint2016](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Project2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Project2016](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Publisher2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Publisher2016](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365SharePointDesigner2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Visio2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Visio2016](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Word2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Word2016](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013OneDriveForBusiness](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016OneDriveForBusiness](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010OneNote](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013OneNote](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016OneNote](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010Outlook](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013Outlook](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016Outlook](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010PowerPoint](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013PowerPoint](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016PowerPoint](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010Project](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013Project](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016Project](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010Publisher](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013Publisher](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016Publisher](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010SharePointDesigner](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013SharePointDesigner](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010SharePointWorkspace](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010Visio](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013Visio](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016Visio](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010Word](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013Word](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016Word](policy-csp-admx-userexperiencevirtualization.md) +- [Notepad](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013OneNoteBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016OneNoteBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013OutlookBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016OutlookBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013PowerPointBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016PowerPointBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013ProjectBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016ProjectBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013PublisherBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016PublisherBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013SharePointDesignerBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013VisioBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016VisioBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013WordBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016WordBackup](policy-csp-admx-userexperiencevirtualization.md) +- [Wordpad](policy-csp-admx-userexperiencevirtualization.md) +- [ConfigureSyncMethod](policy-csp-admx-userexperiencevirtualization.md) +- [DisableWin8Sync](policy-csp-admx-userexperiencevirtualization.md) +- [SyncProviderPingEnabled](policy-csp-admx-userexperiencevirtualization.md) +- [MaxPackageSizeInBytes](policy-csp-admx-userexperiencevirtualization.md) +- [SettingsStoragePath](policy-csp-admx-userexperiencevirtualization.md) +- [SyncOverMeteredNetwork](policy-csp-admx-userexperiencevirtualization.md) +- [SyncOverMeteredNetworkWhenRoaming](policy-csp-admx-userexperiencevirtualization.md) +- [RepositoryTimeout](policy-csp-admx-userexperiencevirtualization.md) +- [DisableWindowsOSSettings](policy-csp-admx-userexperiencevirtualization.md) +- [SyncEnabled](policy-csp-admx-userexperiencevirtualization.md) +- [ConfigureVdi](policy-csp-admx-userexperiencevirtualization.md) +- [Finance](policy-csp-admx-userexperiencevirtualization.md) +- [Games](policy-csp-admx-userexperiencevirtualization.md) +- [Maps](policy-csp-admx-userexperiencevirtualization.md) +- [Music](policy-csp-admx-userexperiencevirtualization.md) +- [News](policy-csp-admx-userexperiencevirtualization.md) +- [Reader](policy-csp-admx-userexperiencevirtualization.md) +- [Sports](policy-csp-admx-userexperiencevirtualization.md) +- [Travel](policy-csp-admx-userexperiencevirtualization.md) +- [Video](policy-csp-admx-userexperiencevirtualization.md) +- [Weather](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013AccessBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016AccessBackup](policy-csp-admx-userexperiencevirtualization.md) +- [Calculator](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013CommonBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016CommonBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013ExcelBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016ExcelBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013InfoPathBackup](policy-csp-admx-userexperiencevirtualization.md) +- [InternetExplorer10](policy-csp-admx-userexperiencevirtualization.md) +- [InternetExplorer11](policy-csp-admx-userexperiencevirtualization.md) +- [InternetExplorer8](policy-csp-admx-userexperiencevirtualization.md) +- [InternetExplorer9](policy-csp-admx-userexperiencevirtualization.md) +- [InternetExplorerCommon](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013LyncBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016LyncBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010Access](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013Access](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016Access](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010Excel](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013Excel](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016Excel](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010InfoPath](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013InfoPath](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010Lync](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013Lync](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016Lync](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010Common](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013Common](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013UploadCenter](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016Common](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016UploadCenter](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Access2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Access2016](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Common2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Common2016](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Excel2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Excel2016](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365InfoPath2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Lync2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Lync2016](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365OneNote2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365OneNote2016](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Outlook2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Outlook2016](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365PowerPoint2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365PowerPoint2016](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Project2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Project2016](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Publisher2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Publisher2016](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365SharePointDesigner2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Visio2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Visio2016](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Word2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Word2016](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013OneDriveForBusiness](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016OneDriveForBusiness](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010OneNote](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013OneNote](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016OneNote](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010Outlook](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013Outlook](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016Outlook](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010PowerPoint](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013PowerPoint](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016PowerPoint](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010Project](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013Project](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016Project](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010Publisher](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013Publisher](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016Publisher](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010SharePointDesigner](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013SharePointDesigner](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010SharePointWorkspace](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010Visio](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013Visio](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016Visio](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010Word](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013Word](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016Word](policy-csp-admx-userexperiencevirtualization.md) +- [Notepad](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013OneNoteBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016OneNoteBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013OutlookBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016OutlookBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013PowerPointBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016PowerPointBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013ProjectBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016ProjectBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013PublisherBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016PublisherBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013SharePointDesignerBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013VisioBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016VisioBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013WordBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016WordBackup](policy-csp-admx-userexperiencevirtualization.md) +- [Wordpad](policy-csp-admx-userexperiencevirtualization.md) +- [ConfigureSyncMethod](policy-csp-admx-userexperiencevirtualization.md) +- [ContactITDescription](policy-csp-admx-userexperiencevirtualization.md) +- [ContactITUrl](policy-csp-admx-userexperiencevirtualization.md) +- [DisableWin8Sync](policy-csp-admx-userexperiencevirtualization.md) +- [EnableUEV](policy-csp-admx-userexperiencevirtualization.md) +- [FirstUseNotificationEnabled](policy-csp-admx-userexperiencevirtualization.md) +- [SyncProviderPingEnabled](policy-csp-admx-userexperiencevirtualization.md) +- [MaxPackageSizeInBytes](policy-csp-admx-userexperiencevirtualization.md) +- [SettingsStoragePath](policy-csp-admx-userexperiencevirtualization.md) +- [SettingsTemplateCatalogPath](policy-csp-admx-userexperiencevirtualization.md) +- [SyncOverMeteredNetwork](policy-csp-admx-userexperiencevirtualization.md) +- [SyncOverMeteredNetworkWhenRoaming](policy-csp-admx-userexperiencevirtualization.md) +- [SyncUnlistedWindows8Apps](policy-csp-admx-userexperiencevirtualization.md) +- [RepositoryTimeout](policy-csp-admx-userexperiencevirtualization.md) +- [DisableWindowsOSSettings](policy-csp-admx-userexperiencevirtualization.md) +- [TrayIconEnabled](policy-csp-admx-userexperiencevirtualization.md) +- [SyncEnabled](policy-csp-admx-userexperiencevirtualization.md) +- [ConfigureVdi](policy-csp-admx-userexperiencevirtualization.md) +- [Finance](policy-csp-admx-userexperiencevirtualization.md) +- [Games](policy-csp-admx-userexperiencevirtualization.md) +- [Maps](policy-csp-admx-userexperiencevirtualization.md) +- [Music](policy-csp-admx-userexperiencevirtualization.md) +- [News](policy-csp-admx-userexperiencevirtualization.md) +- [Reader](policy-csp-admx-userexperiencevirtualization.md) +- [Sports](policy-csp-admx-userexperiencevirtualization.md) +- [Travel](policy-csp-admx-userexperiencevirtualization.md) +- [Video](policy-csp-admx-userexperiencevirtualization.md) +- [Weather](policy-csp-admx-userexperiencevirtualization.md) + +## ADMX_UserProfiles + +- [LimitSize](policy-csp-admx-userprofiles.md) +- [SlowLinkTimeOut](policy-csp-admx-userprofiles.md) +- [CleanupProfiles](policy-csp-admx-userprofiles.md) +- [DontForceUnloadHive](policy-csp-admx-userprofiles.md) +- [ProfileErrorAction](policy-csp-admx-userprofiles.md) +- [LeaveAppMgmtData](policy-csp-admx-userprofiles.md) +- [USER_HOME](policy-csp-admx-userprofiles.md) +- [UserInfoAccessAction](policy-csp-admx-userprofiles.md) + +## ADMX_W32Time + +- [W32TIME_POLICY_CONFIG](policy-csp-admx-w32time.md) +- [W32TIME_POLICY_CONFIGURE_NTPCLIENT](policy-csp-admx-w32time.md) +- [W32TIME_POLICY_ENABLE_NTPCLIENT](policy-csp-admx-w32time.md) +- [W32TIME_POLICY_ENABLE_NTPSERVER](policy-csp-admx-w32time.md) + +## ADMX_WCM + +- [WCM_DisablePowerManagement](policy-csp-admx-wcm.md) +- [WCM_EnableSoftDisconnect](policy-csp-admx-wcm.md) +- [WCM_MinimizeConnections](policy-csp-admx-wcm.md) + +## ADMX_WDI + +- [WdiDpsScenarioExecutionPolicy](policy-csp-admx-wdi.md) +- [WdiDpsScenarioDataSizeLimitPolicy](policy-csp-admx-wdi.md) + +## ADMX_WinCal + +- [TurnOffWinCal_1](policy-csp-admx-wincal.md) +- [TurnOffWinCal_2](policy-csp-admx-wincal.md) + +## ADMX_WindowsColorSystem + +- [ProhibitChangingInstalledProfileList_1](policy-csp-admx-windowscolorsystem.md) +- [ProhibitChangingInstalledProfileList_2](policy-csp-admx-windowscolorsystem.md) + +## ADMX_WindowsConnectNow + +- [WCN_DisableWcnUi_1](policy-csp-admx-windowsconnectnow.md) +- [WCN_EnableRegistrar](policy-csp-admx-windowsconnectnow.md) +- [WCN_DisableWcnUi_2](policy-csp-admx-windowsconnectnow.md) + +## ADMX_WindowsExplorer + +- [EnforceShellExtensionSecurity](policy-csp-admx-windowsexplorer.md) +- [NoBackButton](policy-csp-admx-windowsexplorer.md) +- [NoPlacesBar](policy-csp-admx-windowsexplorer.md) +- [NoFileMRU](policy-csp-admx-windowsexplorer.md) +- [PlacesBar](policy-csp-admx-windowsexplorer.md) +- [DisableBindDirectlyToPropertySetStorage](policy-csp-admx-windowsexplorer.md) +- [DisableKnownFolders](policy-csp-admx-windowsexplorer.md) +- [ConfirmFileDelete](policy-csp-admx-windowsexplorer.md) +- [NoFolderOptions](policy-csp-admx-windowsexplorer.md) +- [NoRecycleFiles](policy-csp-admx-windowsexplorer.md) +- [NoRunAsInstallPrompt](policy-csp-admx-windowsexplorer.md) +- [LinkResolveIgnoreLinkInfo](policy-csp-admx-windowsexplorer.md) +- [NoDrives](policy-csp-admx-windowsexplorer.md) +- [NoManageMyComputerVerb](policy-csp-admx-windowsexplorer.md) +- [DefaultLibrariesLocation](policy-csp-admx-windowsexplorer.md) +- [RecycleBinSize](policy-csp-admx-windowsexplorer.md) +- [MaxRecentDocs](policy-csp-admx-windowsexplorer.md) +- [NoWorkgroupContents](policy-csp-admx-windowsexplorer.md) +- [NoEntireNetwork](policy-csp-admx-windowsexplorer.md) +- [TryHarderPinnedOpenSearch](policy-csp-admx-windowsexplorer.md) +- [TryHarderPinnedLibrary](policy-csp-admx-windowsexplorer.md) +- [NoViewOnDrive](policy-csp-admx-windowsexplorer.md) +- [NoNetConnectDisconnect](policy-csp-admx-windowsexplorer.md) +- [NoCDBurning](policy-csp-admx-windowsexplorer.md) +- [NoDFSTab](policy-csp-admx-windowsexplorer.md) +- [NoViewContextMenu](policy-csp-admx-windowsexplorer.md) +- [NoFileMenu](policy-csp-admx-windowsexplorer.md) +- [NoHardwareTab](policy-csp-admx-windowsexplorer.md) +- [NoShellSearchButton](policy-csp-admx-windowsexplorer.md) +- [NoSecurityTab](policy-csp-admx-windowsexplorer.md) +- [NoMyComputerSharedDocuments](policy-csp-admx-windowsexplorer.md) +- [NoSearchInternetTryHarderButton](policy-csp-admx-windowsexplorer.md) +- [NoChangeKeyboardNavigationIndicators](policy-csp-admx-windowsexplorer.md) +- [NoChangeAnimation](policy-csp-admx-windowsexplorer.md) +- [PromptRunasInstallNetPath](policy-csp-admx-windowsexplorer.md) +- [ExplorerRibbonStartsMinimized](policy-csp-admx-windowsexplorer.md) +- [NoCacheThumbNailPictures](policy-csp-admx-windowsexplorer.md) +- [DisableSearchBoxSuggestions](policy-csp-admx-windowsexplorer.md) +- [NoStrCmpLogical](policy-csp-admx-windowsexplorer.md) +- [ShellProtocolProtectedModeTitle_1](policy-csp-admx-windowsexplorer.md) +- [HideContentViewModeSnippets](policy-csp-admx-windowsexplorer.md) +- [NoWindowsHotKeys](policy-csp-admx-windowsexplorer.md) +- [DisableIndexedLibraryExperience](policy-csp-admx-windowsexplorer.md) +- [ClassicShell](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchQuery_Internet](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchPreview_Internet](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchQuery_Intranet](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchPreview_Intranet](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchQuery_LocalMachine](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchPreview_LocalMachine](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchQuery_InternetLockdown](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchPreview_InternetLockdown](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchQuery_IntranetLockdown](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchPreview_IntranetLockdown](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchQuery_LocalMachineLockdown](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchPreview_LocalMachineLockdown](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchQuery_RestrictedLockdown](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchPreview_RestrictedLockdown](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchQuery_TrustedLockdown](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchPreview_TrustedLockdown](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchQuery_Restricted](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchPreview_Restricted](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchQuery_Trusted](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchPreview_Trusted](policy-csp-admx-windowsexplorer.md) +- [EnableShellShortcutIconRemotePath](policy-csp-admx-windowsexplorer.md) +- [EnableSmartScreen](policy-csp-admx-windowsexplorer.md) +- [DisableBindDirectlyToPropertySetStorage](policy-csp-admx-windowsexplorer.md) +- [NoNewAppAlert](policy-csp-admx-windowsexplorer.md) +- [DefaultLibrariesLocation](policy-csp-admx-windowsexplorer.md) +- [ShowHibernateOption](policy-csp-admx-windowsexplorer.md) +- [ShowSleepOption](policy-csp-admx-windowsexplorer.md) +- [ExplorerRibbonStartsMinimized](policy-csp-admx-windowsexplorer.md) +- [NoStrCmpLogical](policy-csp-admx-windowsexplorer.md) +- [ShellProtocolProtectedModeTitle_2](policy-csp-admx-windowsexplorer.md) +- [CheckSameSourceAndTargetForFRAndDFS](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchQuery_Internet](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchPreview_Internet](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchQuery_Intranet](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchPreview_Intranet](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchQuery_LocalMachine](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchPreview_LocalMachine](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchQuery_InternetLockdown](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchPreview_InternetLockdown](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchQuery_IntranetLockdown](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchPreview_IntranetLockdown](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchQuery_LocalMachineLockdown](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchPreview_LocalMachineLockdown](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchQuery_RestrictedLockdown](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchPreview_RestrictedLockdown](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchQuery_TrustedLockdown](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchPreview_TrustedLockdown](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchQuery_Restricted](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchPreview_Restricted](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchQuery_Trusted](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchPreview_Trusted](policy-csp-admx-windowsexplorer.md) + +## ADMX_WindowsMediaDRM + +- [DisableOnline](policy-csp-admx-windowsmediadrm.md) + +## ADMX_WindowsMediaPlayer + +- [ConfigureHTTPProxySettings](policy-csp-admx-windowsmediaplayer.md) +- [ConfigureMMSProxySettings](policy-csp-admx-windowsmediaplayer.md) +- [NetworkBuffering](policy-csp-admx-windowsmediaplayer.md) +- [ConfigureRTSPProxySettings](policy-csp-admx-windowsmediaplayer.md) +- [DisableNetworkSettings](policy-csp-admx-windowsmediaplayer.md) +- [WindowsStreamingMediaProtocols](policy-csp-admx-windowsmediaplayer.md) +- [EnableScreenSaver](policy-csp-admx-windowsmediaplayer.md) +- [PolicyCodecUpdate](policy-csp-admx-windowsmediaplayer.md) +- [PreventCDDVDMetadataRetrieval](policy-csp-admx-windowsmediaplayer.md) +- [PreventMusicFileMetadataRetrieval](policy-csp-admx-windowsmediaplayer.md) +- [PreventRadioPresetsRetrieval](policy-csp-admx-windowsmediaplayer.md) +- [DoNotShowAnchor](policy-csp-admx-windowsmediaplayer.md) +- [HidePrivacyTab](policy-csp-admx-windowsmediaplayer.md) +- [HideSecurityTab](policy-csp-admx-windowsmediaplayer.md) +- [SkinLockDown](policy-csp-admx-windowsmediaplayer.md) +- [DisableSetupFirstUseConfiguration](policy-csp-admx-windowsmediaplayer.md) +- [DisableAutoUpdate](policy-csp-admx-windowsmediaplayer.md) +- [PreventWMPDeskTopShortcut](policy-csp-admx-windowsmediaplayer.md) +- [PreventLibrarySharing](policy-csp-admx-windowsmediaplayer.md) +- [PreventQuickLaunchShortcut](policy-csp-admx-windowsmediaplayer.md) +- [DontUseFrameInterpolation](policy-csp-admx-windowsmediaplayer.md) + +## ADMX_WindowsRemoteManagement + +- [DisallowKerberos_2](policy-csp-admx-windowsremotemanagement.md) +- [DisallowKerberos_1](policy-csp-admx-windowsremotemanagement.md) + +## ADMX_WindowsStore + +- [DisableOSUpgrade_1](policy-csp-admx-windowsstore.md) +- [RemoveWindowsStore_1](policy-csp-admx-windowsstore.md) +- [DisableAutoDownloadWin8](policy-csp-admx-windowsstore.md) +- [DisableOSUpgrade_2](policy-csp-admx-windowsstore.md) +- [RemoveWindowsStore_2](policy-csp-admx-windowsstore.md) + +## ADMX_WinInit + +- [Hiberboot](policy-csp-admx-wininit.md) +- [ShutdownTimeoutHungSessionsDescription](policy-csp-admx-wininit.md) +- [DisableNamedPipeShutdownPolicyDescription](policy-csp-admx-wininit.md) + +## ADMX_WinLogon + +- [CustomShell](policy-csp-admx-winlogon.md) +- [LogonHoursNotificationPolicyDescription](policy-csp-admx-winlogon.md) +- [ReportCachedLogonPolicyDescription](policy-csp-admx-winlogon.md) +- [LogonHoursPolicyDescription](policy-csp-admx-winlogon.md) +- [SoftwareSASGeneration](policy-csp-admx-winlogon.md) +- [DisplayLastLogonInfoDescription](policy-csp-admx-winlogon.md) +- [ReportCachedLogonPolicyDescription](policy-csp-admx-winlogon.md) + +## ADMX_Winsrv + +- [AllowBlockingAppsAtShutdown](policy-csp-admx-winsrv.md) + +## ADMX_wlansvc + +- [SetPINPreferred](policy-csp-admx-wlansvc.md) +- [SetPINEnforced](policy-csp-admx-wlansvc.md) +- [SetCost](policy-csp-admx-wlansvc.md) + +## ADMX_WordWheel + +- [CustomSearch](policy-csp-admx-wordwheel.md) + +## ADMX_WorkFoldersClient + +- [Pol_UserEnableTokenBroker](policy-csp-admx-workfoldersclient.md) +- [Pol_UserEnableWorkFolders](policy-csp-admx-workfoldersclient.md) +- [Pol_MachineEnableWorkFolders](policy-csp-admx-workfoldersclient.md) + +## ADMX_WPN + +- [QuietHoursDailyBeginMinute](policy-csp-admx-wpn.md) +- [QuietHoursDailyEndMinute](policy-csp-admx-wpn.md) +- [NoCallsDuringQuietHours](policy-csp-admx-wpn.md) +- [NoQuietHours](policy-csp-admx-wpn.md) +- [NoToastNotification](policy-csp-admx-wpn.md) +- [NoLockScreenToastNotification](policy-csp-admx-wpn.md) +- [NoToastNotification](policy-csp-admx-wpn.md) + +## AppRuntime + +- [AllowMicrosoftAccountsToBeOptional](policy-csp-appruntime.md) + +## AppVirtualization + +- [AllowAppVClient](policy-csp-appvirtualization.md) +- [ClientCoexistenceAllowMigrationmode](policy-csp-appvirtualization.md) +- [IntegrationAllowRootUser](policy-csp-appvirtualization.md) +- [IntegrationAllowRootGlobal](policy-csp-appvirtualization.md) +- [AllowRoamingFileExclusions](policy-csp-appvirtualization.md) +- [AllowRoamingRegistryExclusions](policy-csp-appvirtualization.md) +- [AllowPackageCleanup](policy-csp-appvirtualization.md) +- [AllowPublishingRefreshUX](policy-csp-appvirtualization.md) +- [PublishingAllowServer1](policy-csp-appvirtualization.md) +- [PublishingAllowServer2](policy-csp-appvirtualization.md) +- [PublishingAllowServer3](policy-csp-appvirtualization.md) +- [PublishingAllowServer4](policy-csp-appvirtualization.md) +- [PublishingAllowServer5](policy-csp-appvirtualization.md) +- [AllowReportingServer](policy-csp-appvirtualization.md) +- [AllowPackageScripts](policy-csp-appvirtualization.md) +- [StreamingAllowHighCostLaunch](policy-csp-appvirtualization.md) +- [StreamingAllowCertificateFilterForClient_SSL](policy-csp-appvirtualization.md) +- [StreamingSupportBranchCache](policy-csp-appvirtualization.md) +- [StreamingAllowLocationProvider](policy-csp-appvirtualization.md) +- [StreamingAllowPackageInstallationRoot](policy-csp-appvirtualization.md) +- [StreamingAllowPackageSourceRoot](policy-csp-appvirtualization.md) +- [StreamingAllowReestablishmentInterval](policy-csp-appvirtualization.md) +- [StreamingAllowReestablishmentRetries](policy-csp-appvirtualization.md) +- [StreamingSharedContentStoreMode](policy-csp-appvirtualization.md) +- [AllowStreamingAutoload](policy-csp-appvirtualization.md) +- [StreamingVerifyCertificateRevocationList](policy-csp-appvirtualization.md) +- [AllowDynamicVirtualization](policy-csp-appvirtualization.md) +- [VirtualComponentsAllowList](policy-csp-appvirtualization.md) + +## AttachmentManager + +- [DoNotPreserveZoneInformation](policy-csp-attachmentmanager.md) +- [HideZoneInfoMechanism](policy-csp-attachmentmanager.md) +- [NotifyAntivirusPrograms](policy-csp-attachmentmanager.md) + +## Autoplay + +- [DisallowAutoplayForNonVolumeDevices](policy-csp-autoplay.md) +- [SetDefaultAutoRunBehavior](policy-csp-autoplay.md) +- [TurnOffAutoPlay](policy-csp-autoplay.md) +- [DisallowAutoplayForNonVolumeDevices](policy-csp-autoplay.md) +- [SetDefaultAutoRunBehavior](policy-csp-autoplay.md) +- [TurnOffAutoPlay](policy-csp-autoplay.md) + +## Cellular + +- [ShowAppCellularAccessUI](policy-csp-cellular.md) + +## Connectivity + +- [HardenedUNCPaths](policy-csp-connectivity.md) +- [ProhibitInstallationAndConfigurationOfNetworkBridge](policy-csp-connectivity.md) +- [DisableDownloadingOfPrintDriversOverHTTP](policy-csp-connectivity.md) +- [DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards](policy-csp-connectivity.md) +- [DiablePrintingOverHTTP](policy-csp-connectivity.md) + +## CredentialProviders + +- [BlockPicturePassword](policy-csp-credentialproviders.md) +- [AllowPINLogon](policy-csp-credentialproviders.md) + +## CredentialsDelegation + +- [RemoteHostAllowsDelegationOfNonExportableCredentials](policy-csp-credentialsdelegation.md) + +## CredentialsUI + +- [DisablePasswordReveal](policy-csp-credentialsui.md) +- [DisablePasswordReveal](policy-csp-credentialsui.md) +- [EnumerateAdministrators](policy-csp-credentialsui.md) + +## DataUsage + +- [SetCost3G](policy-csp-datausage.md) +- [SetCost4G](policy-csp-datausage.md) + +## DeliveryOptimization + +- [DOSetHoursToLimitBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md) +- [DOSetHoursToLimitForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md) + +## Desktop + +- [PreventUserRedirectionOfProfileFolders](policy-csp-desktop.md) + +## DesktopAppInstaller + +- [EnableAppInstaller](policy-csp-desktopappinstaller.md) +- [EnableSettings](policy-csp-desktopappinstaller.md) +- [EnableExperimentalFeatures](policy-csp-desktopappinstaller.md) +- [EnableLocalManifestFiles](policy-csp-desktopappinstaller.md) +- [EnableHashOverride](policy-csp-desktopappinstaller.md) +- [EnableDefaultSource](policy-csp-desktopappinstaller.md) +- [EnableMicrosoftStoreSource](policy-csp-desktopappinstaller.md) +- [SourceAutoUpdateInterval](policy-csp-desktopappinstaller.md) +- [EnableAdditionalSources](policy-csp-desktopappinstaller.md) +- [EnableAllowedSources](policy-csp-desktopappinstaller.md) +- [EnableMSAppInstallerProtocol](policy-csp-desktopappinstaller.md) + +## DeviceInstallation + +- [PreventInstallationOfMatchingDeviceIDs](policy-csp-deviceinstallation.md) +- [PreventInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md) +- [PreventInstallationOfMatchingDeviceSetupClasses](policy-csp-deviceinstallation.md) +- [PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](policy-csp-deviceinstallation.md) +- [EnableInstallationPolicyLayering](policy-csp-deviceinstallation.md) +- [AllowInstallationOfMatchingDeviceSetupClasses](policy-csp-deviceinstallation.md) +- [AllowInstallationOfMatchingDeviceIDs](policy-csp-deviceinstallation.md) +- [AllowInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md) +- [PreventDeviceMetadataFromNetwork](policy-csp-deviceinstallation.md) + +## DeviceLock + +- [PreventLockScreenSlideShow](policy-csp-devicelock.md) +- [PreventEnablingLockScreenCamera](policy-csp-devicelock.md) + +## ErrorReporting + +- [DisableWindowsErrorReporting](policy-csp-errorreporting.md) +- [DisplayErrorNotification](policy-csp-errorreporting.md) +- [DoNotSendAdditionalData](policy-csp-errorreporting.md) +- [PreventCriticalErrorDisplay](policy-csp-errorreporting.md) +- [CustomizeConsentSettings](policy-csp-errorreporting.md) + +## EventLogService + +- [ControlEventLogBehavior](policy-csp-eventlogservice.md) +- [SpecifyMaximumFileSizeApplicationLog](policy-csp-eventlogservice.md) +- [SpecifyMaximumFileSizeSecurityLog](policy-csp-eventlogservice.md) +- [SpecifyMaximumFileSizeSystemLog](policy-csp-eventlogservice.md) + +## FileExplorer + +- [TurnOffDataExecutionPreventionForExplorer](policy-csp-fileexplorer.md) +- [TurnOffHeapTerminationOnCorruption](policy-csp-fileexplorer.md) + +## InternetExplorer + +- [AddSearchProvider](policy-csp-internetexplorer.md) +- [DisableSecondaryHomePageChange](policy-csp-internetexplorer.md) +- [DisableProxyChange](policy-csp-internetexplorer.md) +- [DisableSearchProviderChange](policy-csp-internetexplorer.md) +- [DisableCustomerExperienceImprovementProgramParticipation](policy-csp-internetexplorer.md) +- [AllowEnhancedSuggestionsInAddressBar](policy-csp-internetexplorer.md) +- [AllowSuggestedSites](policy-csp-internetexplorer.md) +- [DisableActiveXVersionListAutoDownload](policy-csp-internetexplorer.md) +- [DisableCompatView](policy-csp-internetexplorer.md) +- [DisableFeedsBackgroundSync](policy-csp-internetexplorer.md) +- [DisableFirstRunWizard](policy-csp-internetexplorer.md) +- [DisableFlipAheadFeature](policy-csp-internetexplorer.md) +- [DisableGeolocation](policy-csp-internetexplorer.md) +- [DisableHomePageChange](policy-csp-internetexplorer.md) +- [DisableWebAddressAutoComplete](policy-csp-internetexplorer.md) +- [NewTabDefaultPage](policy-csp-internetexplorer.md) +- [PreventManagingSmartScreenFilter](policy-csp-internetexplorer.md) +- [SearchProviderList](policy-csp-internetexplorer.md) +- [AllowActiveXFiltering](policy-csp-internetexplorer.md) +- [AllowEnterpriseModeSiteList](policy-csp-internetexplorer.md) +- [SendSitesNotInEnterpriseSiteListToEdge](policy-csp-internetexplorer.md) +- [ConfigureEdgeRedirectChannel](policy-csp-internetexplorer.md) +- [KeepIntranetSitesInInternetExplorer](policy-csp-internetexplorer.md) +- [AllowSaveTargetAsInIEMode](policy-csp-internetexplorer.md) +- [DisableInternetExplorerApp](policy-csp-internetexplorer.md) +- [EnableExtendedIEModeHotkeys](policy-csp-internetexplorer.md) +- [ResetZoomForDialogInIEMode](policy-csp-internetexplorer.md) +- [EnableGlobalWindowListInIEMode](policy-csp-internetexplorer.md) +- [JScriptReplacement](policy-csp-internetexplorer.md) +- [AllowInternetExplorerStandardsMode](policy-csp-internetexplorer.md) +- [AllowInternetExplorer7PolicyList](policy-csp-internetexplorer.md) +- [DisableEncryptionSupport](policy-csp-internetexplorer.md) +- [AllowEnhancedProtectedMode](policy-csp-internetexplorer.md) +- [AllowInternetZoneTemplate](policy-csp-internetexplorer.md) +- [IncludeAllLocalSites](policy-csp-internetexplorer.md) +- [IncludeAllNetworkPaths](policy-csp-internetexplorer.md) +- [AllowIntranetZoneTemplate](policy-csp-internetexplorer.md) +- [AllowLocalMachineZoneTemplate](policy-csp-internetexplorer.md) +- [AllowLockedDownInternetZoneTemplate](policy-csp-internetexplorer.md) +- [AllowLockedDownIntranetZoneTemplate](policy-csp-internetexplorer.md) +- [AllowLockedDownLocalMachineZoneTemplate](policy-csp-internetexplorer.md) +- [AllowLockedDownRestrictedSitesZoneTemplate](policy-csp-internetexplorer.md) +- [AllowsLockedDownTrustedSitesZoneTemplate](policy-csp-internetexplorer.md) +- [AllowsRestrictedSitesZoneTemplate](policy-csp-internetexplorer.md) +- [AllowSiteToZoneAssignmentList](policy-csp-internetexplorer.md) +- [AllowTrustedSitesZoneTemplate](policy-csp-internetexplorer.md) +- [InternetZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) +- [IntranetZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) +- [LockedDownIntranetZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) +- [TrustedSitesZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) +- [LocalMachineZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) +- [InternetZoneAllowFontDownloads](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneAllowFontDownloads](policy-csp-internetexplorer.md) +- [IntranetZoneAllowFontDownloads](policy-csp-internetexplorer.md) +- [LockedDownIntranetZoneAllowFontDownloads](policy-csp-internetexplorer.md) +- [TrustedSitesZoneAllowFontDownloads](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneAllowFontDownloads](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowFontDownloads](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneAllowFontDownloads](policy-csp-internetexplorer.md) +- [LocalMachineZoneAllowFontDownloads](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneAllowFontDownloads](policy-csp-internetexplorer.md) +- [InternetZoneAllowScriptlets](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneAllowScriptlets](policy-csp-internetexplorer.md) +- [IntranetZoneAllowScriptlets](policy-csp-internetexplorer.md) +- [LockedDownIntranetZoneAllowScriptlets](policy-csp-internetexplorer.md) +- [TrustedSitesZoneAllowScriptlets](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneAllowScriptlets](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowScriptlets](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneAllowScriptlets](policy-csp-internetexplorer.md) +- [LocalMachineZoneAllowScriptlets](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneAllowScriptlets](policy-csp-internetexplorer.md) +- [InternetZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) +- [IntranetZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) +- [LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) +- [TrustedSitesZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) +- [LocalMachineZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) +- [InternetZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) +- [IntranetZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) +- [LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) +- [TrustedSitesZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) +- [LocalMachineZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) +- [InternetZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) +- [IntranetZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) +- [LockedDownIntranetZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) +- [TrustedSitesZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) +- [LocalMachineZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) +- [InternetZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) +- [IntranetZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) +- [LockedDownIntranetZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) +- [TrustedSitesZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) +- [LocalMachineZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) +- [InternetZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) +- [IntranetZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) +- [LockedDownIntranetZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) +- [TrustedSitesZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) +- [LocalMachineZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) +- [InternetZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) +- [IntranetZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) +- [LockedDownIntranetZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) +- [TrustedSitesZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) +- [LocalMachineZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) +- [InternetZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) +- [IntranetZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) +- [LockedDownIntranetZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) +- [TrustedSitesZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) +- [LocalMachineZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) +- [InternetZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) +- [IntranetZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) +- [LockedDownIntranetZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) +- [TrustedSitesZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) +- [LocalMachineZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) +- [AllowAddOnList](policy-csp-internetexplorer.md) +- [DoNotBlockOutdatedActiveXControls](policy-csp-internetexplorer.md) +- [DoNotBlockOutdatedActiveXControlsOnSpecificDomains](policy-csp-internetexplorer.md) +- [DisableEnclosureDownloading](policy-csp-internetexplorer.md) +- [DisableBypassOfSmartScreenWarnings](policy-csp-internetexplorer.md) +- [DisableBypassOfSmartScreenWarningsAboutUncommonFiles](policy-csp-internetexplorer.md) +- [AllowOneWordEntry](policy-csp-internetexplorer.md) +- [AllowEnterpriseModeFromToolsMenu](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowActiveScripting](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowBinaryAndScriptBehaviors](policy-csp-internetexplorer.md) +- [InternetZoneAllowCopyPasteViaScript](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowCopyPasteViaScript](policy-csp-internetexplorer.md) +- [AllowDeletingBrowsingHistoryOnExit](policy-csp-internetexplorer.md) +- [InternetZoneAllowDragAndDropCopyAndPasteFiles](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowFileDownloads](policy-csp-internetexplorer.md) +- [InternetZoneAllowLoadingOfXAMLFiles](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowLoadingOfXAMLFiles](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowMETAREFRESH](policy-csp-internetexplorer.md) +- [InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls](policy-csp-internetexplorer.md) +- [InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](policy-csp-internetexplorer.md) +- [InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls](policy-csp-internetexplorer.md) +- [InternetZoneAllowScriptInitiatedWindows](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowScriptInitiatedWindows](policy-csp-internetexplorer.md) +- [AllowSoftwareWhenSignatureIsInvalid](policy-csp-internetexplorer.md) +- [InternetZoneAllowUpdatesToStatusBarViaScript](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowUpdatesToStatusBarViaScript](policy-csp-internetexplorer.md) +- [CheckServerCertificateRevocation](policy-csp-internetexplorer.md) +- [CheckSignaturesOnDownloadedPrograms](policy-csp-internetexplorer.md) +- [DisableConfiguringHistory](policy-csp-internetexplorer.md) +- [DoNotAllowActiveXControlsInProtectedMode](policy-csp-internetexplorer.md) +- [InternetZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md) +- [IntranetZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md) +- [LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md) +- [TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md) +- [InternetZoneDownloadSignedActiveXControls](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneDownloadSignedActiveXControls](policy-csp-internetexplorer.md) +- [InternetZoneDownloadUnsignedActiveXControls](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneDownloadUnsignedActiveXControls](policy-csp-internetexplorer.md) +- [InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](policy-csp-internetexplorer.md) +- [InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](policy-csp-internetexplorer.md) +- [InternetZoneEnableMIMESniffing](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneEnableMIMESniffing](policy-csp-internetexplorer.md) +- [InternetZoneIncludeLocalPathWhenUploadingFilesToServer](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer](policy-csp-internetexplorer.md) +- [ConsistentMimeHandlingInternetExplorerProcesses](policy-csp-internetexplorer.md) +- [MimeSniffingSafetyFeatureInternetExplorerProcesses](policy-csp-internetexplorer.md) +- [MKProtocolSecurityRestrictionInternetExplorerProcesses](policy-csp-internetexplorer.md) +- [NotificationBarInternetExplorerProcesses](policy-csp-internetexplorer.md) +- [ProtectionFromZoneElevationInternetExplorerProcesses](policy-csp-internetexplorer.md) +- [RestrictActiveXInstallInternetExplorerProcesses](policy-csp-internetexplorer.md) +- [RestrictFileDownloadInternetExplorerProcesses](policy-csp-internetexplorer.md) +- [ScriptedWindowSecurityRestrictionsInternetExplorerProcesses](policy-csp-internetexplorer.md) +- [InternetZoneJavaPermissions](policy-csp-internetexplorer.md) +- [IntranetZoneJavaPermissions](policy-csp-internetexplorer.md) +- [LocalMachineZoneJavaPermissions](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneJavaPermissions](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneJavaPermissions](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneJavaPermissions](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneJavaPermissions](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneJavaPermissions](policy-csp-internetexplorer.md) +- [TrustedSitesZoneJavaPermissions](policy-csp-internetexplorer.md) +- [InternetZoneLaunchingApplicationsAndFilesInIFRAME](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME](policy-csp-internetexplorer.md) +- [InternetZoneLogonOptions](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneLogonOptions](policy-csp-internetexplorer.md) +- [DisableDeletingUserVisitedWebsites](policy-csp-internetexplorer.md) +- [DisableIgnoringCertificateErrors](policy-csp-internetexplorer.md) +- [PreventPerUserInstallationOfActiveXControls](policy-csp-internetexplorer.md) +- [RemoveRunThisTimeButtonForOutdatedActiveXControls](policy-csp-internetexplorer.md) +- [InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneRunActiveXControlsAndPlugins](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneScriptingOfJavaApplets](policy-csp-internetexplorer.md) +- [InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles](policy-csp-internetexplorer.md) +- [SpecifyUseOfActiveXInstallerService](policy-csp-internetexplorer.md) +- [DisableCrashDetection](policy-csp-internetexplorer.md) +- [DisableInPrivateBrowsing](policy-csp-internetexplorer.md) +- [DisableSecuritySettingsCheck](policy-csp-internetexplorer.md) +- [DisableProcessesInEnhancedProtectedMode](policy-csp-internetexplorer.md) +- [AllowCertificateAddressMismatchWarning](policy-csp-internetexplorer.md) +- [InternetZoneEnableCrossSiteScriptingFilter](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneEnableCrossSiteScriptingFilter](policy-csp-internetexplorer.md) +- [InternetZoneEnableProtectedMode](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneTurnOnProtectedMode](policy-csp-internetexplorer.md) +- [AllowAutoComplete](policy-csp-internetexplorer.md) +- [InternetZoneUsePopupBlocker](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneUsePopupBlocker](policy-csp-internetexplorer.md) +- [InternetZoneAllowVBScriptToRunInInternetExplorer](policy-csp-internetexplorer.md) +- [LockedDownIntranetJavaPermissions](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer](policy-csp-internetexplorer.md) +- [DisableHTMLApplication](policy-csp-internetexplorer.md) +- [AddSearchProvider](policy-csp-internetexplorer.md) +- [DisableSecondaryHomePageChange](policy-csp-internetexplorer.md) +- [DisableUpdateCheck](policy-csp-internetexplorer.md) +- [DisableProxyChange](policy-csp-internetexplorer.md) +- [DisableSearchProviderChange](policy-csp-internetexplorer.md) +- [DisableCustomerExperienceImprovementProgramParticipation](policy-csp-internetexplorer.md) +- [AllowEnhancedSuggestionsInAddressBar](policy-csp-internetexplorer.md) +- [AllowSuggestedSites](policy-csp-internetexplorer.md) +- [DisableCompatView](policy-csp-internetexplorer.md) +- [DisableFeedsBackgroundSync](policy-csp-internetexplorer.md) +- [DisableFirstRunWizard](policy-csp-internetexplorer.md) +- [DisableFlipAheadFeature](policy-csp-internetexplorer.md) +- [DisableGeolocation](policy-csp-internetexplorer.md) +- [DisableWebAddressAutoComplete](policy-csp-internetexplorer.md) +- [NewTabDefaultPage](policy-csp-internetexplorer.md) +- [PreventManagingSmartScreenFilter](policy-csp-internetexplorer.md) +- [SearchProviderList](policy-csp-internetexplorer.md) +- [DoNotAllowUsersToAddSites](policy-csp-internetexplorer.md) +- [DoNotAllowUsersToChangePolicies](policy-csp-internetexplorer.md) +- [AllowActiveXFiltering](policy-csp-internetexplorer.md) +- [AllowEnterpriseModeSiteList](policy-csp-internetexplorer.md) +- [SendSitesNotInEnterpriseSiteListToEdge](policy-csp-internetexplorer.md) +- [ConfigureEdgeRedirectChannel](policy-csp-internetexplorer.md) +- [KeepIntranetSitesInInternetExplorer](policy-csp-internetexplorer.md) +- [AllowSaveTargetAsInIEMode](policy-csp-internetexplorer.md) +- [DisableInternetExplorerApp](policy-csp-internetexplorer.md) +- [EnableExtendedIEModeHotkeys](policy-csp-internetexplorer.md) +- [ResetZoomForDialogInIEMode](policy-csp-internetexplorer.md) +- [EnableGlobalWindowListInIEMode](policy-csp-internetexplorer.md) +- [JScriptReplacement](policy-csp-internetexplorer.md) +- [AllowInternetExplorerStandardsMode](policy-csp-internetexplorer.md) +- [AllowInternetExplorer7PolicyList](policy-csp-internetexplorer.md) +- [DisableEncryptionSupport](policy-csp-internetexplorer.md) +- [AllowEnhancedProtectedMode](policy-csp-internetexplorer.md) +- [AllowInternetZoneTemplate](policy-csp-internetexplorer.md) +- [IncludeAllLocalSites](policy-csp-internetexplorer.md) +- [IncludeAllNetworkPaths](policy-csp-internetexplorer.md) +- [AllowIntranetZoneTemplate](policy-csp-internetexplorer.md) +- [AllowLocalMachineZoneTemplate](policy-csp-internetexplorer.md) +- [AllowLockedDownInternetZoneTemplate](policy-csp-internetexplorer.md) +- [AllowLockedDownIntranetZoneTemplate](policy-csp-internetexplorer.md) +- [AllowLockedDownLocalMachineZoneTemplate](policy-csp-internetexplorer.md) +- [AllowLockedDownRestrictedSitesZoneTemplate](policy-csp-internetexplorer.md) +- [AllowsLockedDownTrustedSitesZoneTemplate](policy-csp-internetexplorer.md) +- [AllowsRestrictedSitesZoneTemplate](policy-csp-internetexplorer.md) +- [AllowSiteToZoneAssignmentList](policy-csp-internetexplorer.md) +- [AllowTrustedSitesZoneTemplate](policy-csp-internetexplorer.md) +- [InternetZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) +- [IntranetZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) +- [LockedDownIntranetZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) +- [TrustedSitesZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) +- [LocalMachineZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) +- [InternetZoneAllowFontDownloads](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneAllowFontDownloads](policy-csp-internetexplorer.md) +- [IntranetZoneAllowFontDownloads](policy-csp-internetexplorer.md) +- [LockedDownIntranetZoneAllowFontDownloads](policy-csp-internetexplorer.md) +- [TrustedSitesZoneAllowFontDownloads](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneAllowFontDownloads](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowFontDownloads](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneAllowFontDownloads](policy-csp-internetexplorer.md) +- [LocalMachineZoneAllowFontDownloads](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneAllowFontDownloads](policy-csp-internetexplorer.md) +- [InternetZoneAllowScriptlets](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneAllowScriptlets](policy-csp-internetexplorer.md) +- [IntranetZoneAllowScriptlets](policy-csp-internetexplorer.md) +- [LockedDownIntranetZoneAllowScriptlets](policy-csp-internetexplorer.md) +- [TrustedSitesZoneAllowScriptlets](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneAllowScriptlets](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowScriptlets](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneAllowScriptlets](policy-csp-internetexplorer.md) +- [LocalMachineZoneAllowScriptlets](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneAllowScriptlets](policy-csp-internetexplorer.md) +- [InternetZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) +- [IntranetZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) +- [LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) +- [TrustedSitesZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) +- [LocalMachineZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) +- [InternetZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) +- [IntranetZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) +- [LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) +- [TrustedSitesZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) +- [LocalMachineZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) +- [InternetZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) +- [IntranetZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) +- [LockedDownIntranetZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) +- [TrustedSitesZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) +- [LocalMachineZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) +- [InternetZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) +- [IntranetZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) +- [LockedDownIntranetZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) +- [TrustedSitesZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) +- [LocalMachineZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) +- [InternetZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) +- [IntranetZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) +- [LockedDownIntranetZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) +- [TrustedSitesZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) +- [LocalMachineZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) +- [InternetZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) +- [IntranetZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) +- [LockedDownIntranetZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) +- [TrustedSitesZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) +- [LocalMachineZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) +- [InternetZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) +- [IntranetZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) +- [LockedDownIntranetZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) +- [TrustedSitesZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) +- [LocalMachineZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) +- [InternetZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) +- [IntranetZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) +- [LockedDownIntranetZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) +- [TrustedSitesZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) +- [LocalMachineZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) +- [AllowAddOnList](policy-csp-internetexplorer.md) +- [DoNotBlockOutdatedActiveXControls](policy-csp-internetexplorer.md) +- [DoNotBlockOutdatedActiveXControlsOnSpecificDomains](policy-csp-internetexplorer.md) +- [DisableEnclosureDownloading](policy-csp-internetexplorer.md) +- [DisableBypassOfSmartScreenWarnings](policy-csp-internetexplorer.md) +- [DisableBypassOfSmartScreenWarningsAboutUncommonFiles](policy-csp-internetexplorer.md) +- [AllowOneWordEntry](policy-csp-internetexplorer.md) +- [AllowEnterpriseModeFromToolsMenu](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowActiveScripting](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowBinaryAndScriptBehaviors](policy-csp-internetexplorer.md) +- [InternetZoneAllowCopyPasteViaScript](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowCopyPasteViaScript](policy-csp-internetexplorer.md) +- [AllowDeletingBrowsingHistoryOnExit](policy-csp-internetexplorer.md) +- [InternetZoneAllowDragAndDropCopyAndPasteFiles](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles](policy-csp-internetexplorer.md) +- [AllowFallbackToSSL3](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowFileDownloads](policy-csp-internetexplorer.md) +- [InternetZoneAllowLoadingOfXAMLFiles](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowLoadingOfXAMLFiles](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowMETAREFRESH](policy-csp-internetexplorer.md) +- [InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls](policy-csp-internetexplorer.md) +- [InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](policy-csp-internetexplorer.md) +- [InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls](policy-csp-internetexplorer.md) +- [InternetZoneAllowScriptInitiatedWindows](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowScriptInitiatedWindows](policy-csp-internetexplorer.md) +- [AllowSoftwareWhenSignatureIsInvalid](policy-csp-internetexplorer.md) +- [InternetZoneAllowUpdatesToStatusBarViaScript](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowUpdatesToStatusBarViaScript](policy-csp-internetexplorer.md) +- [CheckServerCertificateRevocation](policy-csp-internetexplorer.md) +- [CheckSignaturesOnDownloadedPrograms](policy-csp-internetexplorer.md) +- [DisableConfiguringHistory](policy-csp-internetexplorer.md) +- [DoNotAllowActiveXControlsInProtectedMode](policy-csp-internetexplorer.md) +- [InternetZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md) +- [IntranetZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md) +- [LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md) +- [TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md) +- [InternetZoneDownloadSignedActiveXControls](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneDownloadSignedActiveXControls](policy-csp-internetexplorer.md) +- [InternetZoneDownloadUnsignedActiveXControls](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneDownloadUnsignedActiveXControls](policy-csp-internetexplorer.md) +- [InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](policy-csp-internetexplorer.md) +- [InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](policy-csp-internetexplorer.md) +- [InternetZoneEnableMIMESniffing](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneEnableMIMESniffing](policy-csp-internetexplorer.md) +- [InternetZoneIncludeLocalPathWhenUploadingFilesToServer](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer](policy-csp-internetexplorer.md) +- [ConsistentMimeHandlingInternetExplorerProcesses](policy-csp-internetexplorer.md) +- [MimeSniffingSafetyFeatureInternetExplorerProcesses](policy-csp-internetexplorer.md) +- [MKProtocolSecurityRestrictionInternetExplorerProcesses](policy-csp-internetexplorer.md) +- [NotificationBarInternetExplorerProcesses](policy-csp-internetexplorer.md) +- [ProtectionFromZoneElevationInternetExplorerProcesses](policy-csp-internetexplorer.md) +- [RestrictActiveXInstallInternetExplorerProcesses](policy-csp-internetexplorer.md) +- [RestrictFileDownloadInternetExplorerProcesses](policy-csp-internetexplorer.md) +- [ScriptedWindowSecurityRestrictionsInternetExplorerProcesses](policy-csp-internetexplorer.md) +- [InternetZoneJavaPermissions](policy-csp-internetexplorer.md) +- [IntranetZoneJavaPermissions](policy-csp-internetexplorer.md) +- [LocalMachineZoneJavaPermissions](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneJavaPermissions](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneJavaPermissions](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneJavaPermissions](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneJavaPermissions](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneJavaPermissions](policy-csp-internetexplorer.md) +- [TrustedSitesZoneJavaPermissions](policy-csp-internetexplorer.md) +- [InternetZoneLaunchingApplicationsAndFilesInIFRAME](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME](policy-csp-internetexplorer.md) +- [InternetZoneLogonOptions](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneLogonOptions](policy-csp-internetexplorer.md) +- [DisableDeletingUserVisitedWebsites](policy-csp-internetexplorer.md) +- [DisableIgnoringCertificateErrors](policy-csp-internetexplorer.md) +- [PreventPerUserInstallationOfActiveXControls](policy-csp-internetexplorer.md) +- [RemoveRunThisTimeButtonForOutdatedActiveXControls](policy-csp-internetexplorer.md) +- [InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneRunActiveXControlsAndPlugins](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneScriptingOfJavaApplets](policy-csp-internetexplorer.md) +- [SecurityZonesUseOnlyMachineSettings](policy-csp-internetexplorer.md) +- [InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles](policy-csp-internetexplorer.md) +- [SpecifyUseOfActiveXInstallerService](policy-csp-internetexplorer.md) +- [DisableCrashDetection](policy-csp-internetexplorer.md) +- [DisableInPrivateBrowsing](policy-csp-internetexplorer.md) +- [DisableSecuritySettingsCheck](policy-csp-internetexplorer.md) +- [DisableProcessesInEnhancedProtectedMode](policy-csp-internetexplorer.md) +- [AllowCertificateAddressMismatchWarning](policy-csp-internetexplorer.md) +- [InternetZoneEnableCrossSiteScriptingFilter](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneEnableCrossSiteScriptingFilter](policy-csp-internetexplorer.md) +- [InternetZoneEnableProtectedMode](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneTurnOnProtectedMode](policy-csp-internetexplorer.md) +- [InternetZoneUsePopupBlocker](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneUsePopupBlocker](policy-csp-internetexplorer.md) +- [InternetZoneAllowVBScriptToRunInInternetExplorer](policy-csp-internetexplorer.md) +- [LockedDownIntranetJavaPermissions](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer](policy-csp-internetexplorer.md) +- [DisableHTMLApplication](policy-csp-internetexplorer.md) + +## Kerberos + +- [RequireKerberosArmoring](policy-csp-kerberos.md) +- [KerberosClientSupportsClaimsCompoundArmor](policy-csp-kerberos.md) +- [RequireStrictKDCValidation](policy-csp-kerberos.md) +- [SetMaximumContextTokenSize](policy-csp-kerberos.md) +- [AllowForestSearchOrder](policy-csp-kerberos.md) + +## LocalSecurityAuthority + +- [AllowCustomSSPsAPs](policy-csp-lsa.md) + +## MixedReality + +- [ConfigureNtpClient](policy-csp-mixedreality.md) +- [NtpClientEnabled](policy-csp-mixedreality.md) + +## MSSecurityGuide + +- [ApplyUACRestrictionsToLocalAccountsOnNetworkLogon](policy-csp-mssecurityguide.md) +- [ConfigureSMBV1Server](policy-csp-mssecurityguide.md) +- [ConfigureSMBV1ClientDriver](policy-csp-mssecurityguide.md) +- [EnableStructuredExceptionHandlingOverwriteProtection](policy-csp-mssecurityguide.md) +- [WDigestAuthentication](policy-csp-mssecurityguide.md) +- [TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications](policy-csp-mssecurityguide.md) + +## MSSLegacy + +- [IPv6SourceRoutingProtectionLevel](policy-csp-msslegacy.md) +- [IPSourceRoutingProtectionLevel](policy-csp-msslegacy.md) +- [AllowICMPRedirectsToOverrideOSPFGeneratedRoutes](policy-csp-msslegacy.md) +- [AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers](policy-csp-msslegacy.md) + +## Power + +- [AllowStandbyWhenSleepingPluggedIn](policy-csp-power.md) +- [RequirePasswordWhenComputerWakesOnBattery](policy-csp-power.md) +- [RequirePasswordWhenComputerWakesPluggedIn](policy-csp-power.md) +- [StandbyTimeoutPluggedIn](policy-csp-power.md) +- [StandbyTimeoutOnBattery](policy-csp-power.md) +- [HibernateTimeoutPluggedIn](policy-csp-power.md) +- [HibernateTimeoutOnBattery](policy-csp-power.md) +- [DisplayOffTimeoutPluggedIn](policy-csp-power.md) +- [DisplayOffTimeoutOnBattery](policy-csp-power.md) +- [AllowStandbyStatesWhenSleepingOnBattery](policy-csp-power.md) + +## Printers + +- [PointAndPrintRestrictions_User](policy-csp-printers.md) +- [EnableDeviceControlUser](policy-csp-printers.md) +- [ApprovedUsbPrintDevicesUser](policy-csp-printers.md) +- [PointAndPrintRestrictions](policy-csp-printers.md) +- [PublishPrinters](policy-csp-printers.md) +- [EnableDeviceControl](policy-csp-printers.md) +- [ApprovedUsbPrintDevices](policy-csp-printers.md) +- [RestrictDriverInstallationToAdministrators](policy-csp-printers.md) +- [ConfigureCopyFilesPolicy](policy-csp-printers.md) +- [ConfigureDriverValidationLevel](policy-csp-printers.md) +- [ManageDriverExclusionList](policy-csp-printers.md) +- [ConfigureRpcListenerPolicy](policy-csp-printers.md) +- [ConfigureRpcConnectionPolicy](policy-csp-printers.md) +- [ConfigureRpcTcpPort](policy-csp-printers.md) +- [ConfigureIppPageCountsPolicy](policy-csp-printers.md) +- [ConfigureRedirectionGuardPolicy](policy-csp-printers.md) + +## RemoteAssistance + +- [UnsolicitedRemoteAssistance](policy-csp-remoteassistance.md) +- [SolicitedRemoteAssistance](policy-csp-remoteassistance.md) +- [CustomizeWarningMessages](policy-csp-remoteassistance.md) +- [SessionLogging](policy-csp-remoteassistance.md) + +## RemoteDesktopServices + +- [DoNotAllowPasswordSaving](policy-csp-remotedesktopservices.md) +- [AllowUsersToConnectRemotely](policy-csp-remotedesktopservices.md) +- [DoNotAllowDriveRedirection](policy-csp-remotedesktopservices.md) +- [PromptForPasswordUponConnection](policy-csp-remotedesktopservices.md) +- [RequireSecureRPCCommunication](policy-csp-remotedesktopservices.md) +- [ClientConnectionEncryptionLevel](policy-csp-remotedesktopservices.md) +- [DoNotAllowWebAuthnRedirection](policy-csp-remotedesktopservices.md) + +## RemoteManagement + +- [AllowBasicAuthentication_Client](policy-csp-remotemanagement.md) +- [AllowBasicAuthentication_Service](policy-csp-remotemanagement.md) +- [AllowUnencryptedTraffic_Client](policy-csp-remotemanagement.md) +- [AllowUnencryptedTraffic_Service](policy-csp-remotemanagement.md) +- [DisallowDigestAuthentication](policy-csp-remotemanagement.md) +- [DisallowStoringOfRunAsCredentials](policy-csp-remotemanagement.md) +- [AllowCredSSPAuthenticationClient](policy-csp-remotemanagement.md) +- [AllowCredSSPAuthenticationService](policy-csp-remotemanagement.md) +- [DisallowNegotiateAuthenticationClient](policy-csp-remotemanagement.md) +- [DisallowNegotiateAuthenticationService](policy-csp-remotemanagement.md) +- [TrustedHosts](policy-csp-remotemanagement.md) +- [AllowRemoteServerManagement](policy-csp-remotemanagement.md) +- [SpecifyChannelBindingTokenHardeningLevel](policy-csp-remotemanagement.md) +- [TurnOnCompatibilityHTTPListener](policy-csp-remotemanagement.md) +- [TurnOnCompatibilityHTTPSListener](policy-csp-remotemanagement.md) + +## RemoteProcedureCall + +- [RPCEndpointMapperClientAuthentication](policy-csp-remoteprocedurecall.md) +- [RestrictUnauthenticatedRPCClients](policy-csp-remoteprocedurecall.md) + +## RemoteShell + +- [AllowRemoteShellAccess](policy-csp-remoteshell.md) +- [SpecifyIdleTimeout](policy-csp-remoteshell.md) +- [MaxConcurrentUsers](policy-csp-remoteshell.md) +- [SpecifyMaxMemory](policy-csp-remoteshell.md) +- [SpecifyMaxProcesses](policy-csp-remoteshell.md) +- [SpecifyMaxRemoteShells](policy-csp-remoteshell.md) +- [SpecifyShellTimeout](policy-csp-remoteshell.md) + +## ServiceControlManager + +- [SvchostProcessMitigation](policy-csp-servicecontrolmanager.md) + +## SettingsSync + +- [DisableAccessibilitySettingSync](policy-csp-settingssync.md) + +## Storage + +- [WPDDevicesDenyReadAccessPerUser](policy-csp-storage.md) +- [WPDDevicesDenyWriteAccessPerUser](policy-csp-storage.md) +- [EnhancedStorageDevices](policy-csp-storage.md) +- [WPDDevicesDenyReadAccessPerDevice](policy-csp-storage.md) +- [WPDDevicesDenyWriteAccessPerDevice](policy-csp-storage.md) + +## System + +- [BootStartDriverInitialization](policy-csp-system.md) +- [DisableSystemRestore](policy-csp-system.md) + +## TenantRestrictions + +- [ConfigureTenantRestrictions](policy-csp-tenantrestrictions.md) + +## WindowsConnectionManager + +- [ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork](policy-csp-windowsconnectionmanager.md) + +## WindowsLogon + +- [DontDisplayNetworkSelectionUI](policy-csp-windowslogon.md) +- [DisableLockScreenAppNotifications](policy-csp-windowslogon.md) +- [EnumerateLocalUsersOnDomainJoinedComputers](policy-csp-windowslogon.md) +- [AllowAutomaticRestartSignOn](policy-csp-windowslogon.md) +- [ConfigAutomaticRestartSignOn](policy-csp-windowslogon.md) +- [EnableMPRNotifications](policy-csp-windowslogon.md) + +## WindowsPowerShell + +- [TurnOnPowerShellScriptBlockLogging](policy-csp-windowspowershell.md) +- [TurnOnPowerShellScriptBlockLogging](policy-csp-windowspowershell.md) + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md index a3a69669c7..df5363e3dd 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md @@ -1,903 +1,937 @@ --- title: Policies in Policy CSP supported by Group Policy description: Learn about the policies in Policy CSP supported by Group Policy. -ms.reviewer: +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 11/29/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 07/18/2019 +ms.topic: reference --- -# Policies in Policy CSP supported by Group Policy + -- [AboveLock/AllowCortanaAboveLock](./policy-csp-abovelock.md#abovelock-allowcortanaabovelock) -- [ActiveXControls/ApprovedInstallationSites](./policy-csp-activexcontrols.md#activexcontrols-approvedinstallationsites) -- [AppRuntime/AllowMicrosoftAccountsToBeOptional](./policy-csp-appruntime.md#appruntime-allowmicrosoftaccountstobeoptional) -- [AppVirtualization/AllowAppVClient](./policy-csp-appvirtualization.md#appvirtualization-allowappvclient) -- [AppVirtualization/AllowDynamicVirtualization](./policy-csp-appvirtualization.md#appvirtualization-allowdynamicvirtualization) -- [AppVirtualization/AllowPackageCleanup](./policy-csp-appvirtualization.md#appvirtualization-allowpackagecleanup) -- [AppVirtualization/AllowPackageScripts](./policy-csp-appvirtualization.md#appvirtualization-allowpackagescripts) -- [AppVirtualization/AllowPublishingRefreshUX](./policy-csp-appvirtualization.md#appvirtualization-allowpublishingrefreshux) -- [AppVirtualization/AllowReportingServer](./policy-csp-appvirtualization.md#appvirtualization-allowreportingserver) -- [AppVirtualization/AllowRoamingFileExclusions](./policy-csp-appvirtualization.md#appvirtualization-allowroamingfileexclusions) -- [AppVirtualization/AllowRoamingRegistryExclusions](./policy-csp-appvirtualization.md#appvirtualization-allowroamingregistryexclusions) -- [AppVirtualization/AllowStreamingAutoload](./policy-csp-appvirtualization.md#appvirtualization-allowstreamingautoload) -- [AppVirtualization/ClientCoexistenceAllowMigrationmode](./policy-csp-appvirtualization.md#appvirtualization-clientcoexistenceallowmigrationmode) -- [AppVirtualization/IntegrationAllowRootGlobal](./policy-csp-appvirtualization.md#appvirtualization-integrationallowrootglobal) -- [AppVirtualization/IntegrationAllowRootUser](./policy-csp-appvirtualization.md#appvirtualization-integrationallowrootuser) -- [AppVirtualization/PublishingAllowServer1](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver1) -- [AppVirtualization/PublishingAllowServer2](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver2) -- [AppVirtualization/PublishingAllowServer3](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver3) -- [AppVirtualization/PublishingAllowServer4](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver4) -- [AppVirtualization/PublishingAllowServer5](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver5) -- [AppVirtualization/StreamingAllowCertificateFilterForClient_SSL](./policy-csp-appvirtualization.md#appvirtualization-streamingallowcertificatefilterforclient-ssl) -- [AppVirtualization/StreamingAllowHighCostLaunch](./policy-csp-appvirtualization.md#appvirtualization-streamingallowhighcostlaunch) -- [AppVirtualization/StreamingAllowLocationProvider](./policy-csp-appvirtualization.md#appvirtualization-streamingallowlocationprovider) -- [AppVirtualization/StreamingAllowPackageInstallationRoot](./policy-csp-appvirtualization.md#appvirtualization-streamingallowpackageinstallationroot) -- [AppVirtualization/StreamingAllowPackageSourceRoot](./policy-csp-appvirtualization.md#appvirtualization-streamingallowpackagesourceroot) -- [AppVirtualization/StreamingAllowReestablishmentInterval](./policy-csp-appvirtualization.md#appvirtualization-streamingallowreestablishmentinterval) -- [AppVirtualization/StreamingAllowReestablishmentRetries](./policy-csp-appvirtualization.md#appvirtualization-streamingallowreestablishmentretries) -- [AppVirtualization/StreamingSharedContentStoreMode](./policy-csp-appvirtualization.md#appvirtualization-streamingsharedcontentstoremode) -- [AppVirtualization/StreamingSupportBranchCache](./policy-csp-appvirtualization.md#appvirtualization-streamingsupportbranchcache) -- [AppVirtualization/StreamingVerifyCertificateRevocationList](./policy-csp-appvirtualization.md#appvirtualization-streamingverifycertificaterevocationlist) -- [AppVirtualization/VirtualComponentsAllowList](./policy-csp-appvirtualization.md#appvirtualization-virtualcomponentsallowlist) -- [ApplicationDefaults/DefaultAssociationsConfiguration](./policy-csp-applicationdefaults.md#applicationdefaults-defaultassociationsconfiguration) -- [ApplicationDefaults/EnableAppUriHandlers](./policy-csp-applicationdefaults.md#applicationdefaults-enableappurihandlers) -- [ApplicationManagement/AllowAllTrustedApps](./policy-csp-applicationmanagement.md#applicationmanagement-allowalltrustedapps) -- [ApplicationManagement/AllowAppStoreAutoUpdate](./policy-csp-applicationmanagement.md#applicationmanagement-allowappstoreautoupdate) -- [ApplicationManagement/AllowDeveloperUnlock](./policy-csp-applicationmanagement.md#applicationmanagement-allowdeveloperunlock) -- [ApplicationManagement/AllowGameDVR](./policy-csp-applicationmanagement.md#applicationmanagement-allowgamedvr) -- [ApplicationManagement/AllowSharedUserAppData](./policy-csp-applicationmanagement.md#applicationmanagement-allowshareduserappdata) -- [ApplicationManagement/DisableStoreOriginatedApps](./policy-csp-applicationmanagement.md#applicationmanagement-disablestoreoriginatedapps) -- [ApplicationManagement/MSIAllowUserControlOverInstall](./policy-csp-applicationmanagement.md#applicationmanagement-msiallowusercontroloverinstall) -- [ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges](./policy-csp-applicationmanagement.md#applicationmanagement-msialwaysinstallwithelevatedprivileges) -- [ApplicationManagement/RequirePrivateStoreOnly](./policy-csp-applicationmanagement.md#applicationmanagement-requireprivatestoreonly) -- [ApplicationManagement/RestrictAppDataToSystemVolume](./policy-csp-applicationmanagement.md#applicationmanagement-restrictappdatatosystemvolume) -- [ApplicationManagement/RestrictAppToSystemVolume](./policy-csp-applicationmanagement.md#applicationmanagement-restrictapptosystemvolume) -- [AttachmentManager/DoNotPreserveZoneInformation](./policy-csp-attachmentmanager.md#attachmentmanager-donotpreservezoneinformation) -- [AttachmentManager/HideZoneInfoMechanism](./policy-csp-attachmentmanager.md#attachmentmanager-hidezoneinfomechanism) -- [AttachmentManager/NotifyAntivirusPrograms](./policy-csp-attachmentmanager.md#attachmentmanager-notifyantivirusprograms) -- [Authentication/AllowSecondaryAuthenticationDevice](./policy-csp-authentication.md#authentication-allowsecondaryauthenticationdevice) -- [Autoplay/DisallowAutoplayForNonVolumeDevices](./policy-csp-autoplay.md#autoplay-disallowautoplayfornonvolumedevices) -- [Autoplay/SetDefaultAutoRunBehavior](./policy-csp-autoplay.md#autoplay-setdefaultautorunbehavior) -- [Autoplay/TurnOffAutoPlay](./policy-csp-autoplay.md#autoplay-turnoffautoplay) -- [BITS/BandwidthThrottlingEndTime](./policy-csp-bits.md#bits-bandwidththrottlingendtime) -- [BITS/BandwidthThrottlingStartTime](./policy-csp-bits.md#bits-bandwidththrottlingstarttime) -- [BITS/BandwidthThrottlingTransferRate](./policy-csp-bits.md#bits-bandwidththrottlingtransferrate) -- [BITS/CostedNetworkBehaviorBackgroundPriority](./policy-csp-bits.md#bits-costednetworkbehaviorbackgroundpriority) -- [BITS/CostedNetworkBehaviorForegroundPriority](./policy-csp-bits.md#bits-costednetworkbehaviorforegroundpriority) -- [BITS/JobInactivityTimeout](./policy-csp-bits.md#bits-jobinactivitytimeout) -- [Browser/AllowAddressBarDropdown](./policy-csp-browser.md#browser-allowaddressbardropdown) -- [Browser/AllowAutofill](./policy-csp-browser.md#browser-allowautofill) -- [Browser/AllowCookies](./policy-csp-browser.md#browser-allowcookies) -- [Browser/AllowDeveloperTools](./policy-csp-browser.md#browser-allowdevelopertools) -- [Browser/AllowDoNotTrack](./policy-csp-browser.md#browser-allowdonottrack) -- [Browser/AllowExtensions](./policy-csp-browser.md#browser-allowextensions) -- [Browser/AllowFlash](./policy-csp-browser.md#browser-allowflash) -- [Browser/AllowFlashClickToRun](./policy-csp-browser.md#browser-allowflashclicktorun) -- [Browser/AllowFullScreenMode](./policy-csp-browser.md#browser-allowfullscreenmode) -- [Browser/AllowInPrivate](./policy-csp-browser.md#browser-allowinprivate) -- [Browser/AllowMicrosoftCompatibilityList](./policy-csp-browser.md#browser-allowmicrosoftcompatibilitylist) -- [Browser/AllowPasswordManager](./policy-csp-browser.md#browser-allowpasswordmanager) -- [Browser/AllowPopups](./policy-csp-browser.md#browser-allowpopups) -- [Browser/AllowPrelaunch](./policy-csp-browser.md#browser-allowprelaunch) -- [Browser/AllowPrinting](./policy-csp-browser.md#browser-allowprinting) -- [Browser/AllowSavingHistory](./policy-csp-browser.md#browser-allowsavinghistory) -- [Browser/AllowSearchEngineCustomization](./policy-csp-browser.md#browser-allowsearchenginecustomization) -- [Browser/AllowSearchSuggestionsinAddressBar](./policy-csp-browser.md#browser-allowsearchsuggestionsinaddressbar) -- [Browser/AllowSideloadingOfExtensions](./policy-csp-browser.md#browser-allowsideloadingofextensions) -- [Browser/AllowSmartScreen](./policy-csp-browser.md#browser-allowsmartscreen) -- [Browser/AllowTabPreloading](./policy-csp-browser.md#browser-allowtabpreloading) -- [Browser/AllowWebContentOnNewTabPage](./policy-csp-browser.md#browser-allowwebcontentonnewtabpage) -- [Browser/AlwaysEnableBooksLibrary](./policy-csp-browser.md#browser-alwaysenablebookslibrary) -- [Browser/ClearBrowsingDataOnExit](./policy-csp-browser.md#browser-clearbrowsingdataonexit) -- [Browser/ConfigureAdditionalSearchEngines](./policy-csp-browser.md#browser-configureadditionalsearchengines) -- [Browser/ConfigureFavoritesBar](./policy-csp-browser.md#browser-configurefavoritesbar) -- [Browser/ConfigureHomeButton](./policy-csp-browser.md#browser-configurehomebutton) -- [Browser/ConfigureKioskMode](./policy-csp-browser.md#browser-configurekioskmode) -- [Browser/ConfigureKioskResetAfterIdleTimeout](./policy-csp-browser.md#browser-configurekioskresetafteridletimeout) -- [Browser/ConfigureOpenMicrosoftEdgeWith](./policy-csp-browser.md#browser-configureopenmicrosoftedgewith) -- [Browser/ConfigureTelemetryForMicrosoft365Analytics](./policy-csp-browser.md#browser-configuretelemetryformicrosoft365analytics) -- [Browser/DisableLockdownOfStartPages](./policy-csp-browser.md#browser-disablelockdownofstartpages) -- [Browser/EnableExtendedBooksTelemetry](./policy-csp-browser.md#browser-enableextendedbookstelemetry) -- [Browser/EnterpriseModeSiteList](./policy-csp-browser.md#browser-enterprisemodesitelist) -- [Browser/HomePages](./policy-csp-browser.md#browser-homepages) -- [Browser/LockdownFavorites](./policy-csp-browser.md#browser-lockdownfavorites) -- [Browser/PreventAccessToAboutFlagsInMicrosoftEdge](./policy-csp-browser.md#browser-preventaccesstoaboutflagsinmicrosoftedge) -- [Browser/PreventCertErrorOverrides](./policy-csp-browser.md#browser-preventcerterroroverrides) -- [Browser/PreventFirstRunPage](./policy-csp-browser.md#browser-preventfirstrunpage) -- [Browser/PreventLiveTileDataCollection](./policy-csp-browser.md#browser-preventlivetiledatacollection) -- [Browser/PreventSmartScreenPromptOverride](./policy-csp-browser.md#browser-preventsmartscreenpromptoverride) -- [Browser/PreventSmartScreenPromptOverrideForFiles](./policy-csp-browser.md#browser-preventsmartscreenpromptoverrideforfiles) -- [Browser/PreventUsingLocalHostIPAddressForWebRTC](./policy-csp-browser.md#browser-preventusinglocalhostipaddressforwebrtc) -- [Browser/ProvisionFavorites](./policy-csp-browser.md#browser-provisionfavorites) -- [Browser/SendIntranetTraffictoInternetExplorer](./policy-csp-browser.md#browser-sendintranettraffictointernetexplorer) -- [Browser/SetDefaultSearchEngine](./policy-csp-browser.md#browser-setdefaultsearchengine) -- [Browser/SetHomeButtonURL](./policy-csp-browser.md#browser-sethomebuttonurl) -- [Browser/SetNewTabPageURL](./policy-csp-browser.md#browser-setnewtabpageurl) -- [Browser/ShowMessageWhenOpeningSitesInInternetExplorer](./policy-csp-browser.md#browser-showmessagewhenopeningsitesininternetexplorer) -- [Browser/SyncFavoritesBetweenIEAndMicrosoftEdge](./policy-csp-browser.md#browser-syncfavoritesbetweenieandmicrosoftedge) -- [Browser/UnlockHomeButton](./policy-csp-browser.md#browser-unlockhomebutton) -- [Browser/UseSharedFolderForBooks](./policy-csp-browser.md#browser-usesharedfolderforbooks) -- [Camera/AllowCamera](./policy-csp-camera.md#camera-allowcamera) -- [Cellular/LetAppsAccessCellularData](./policy-csp-cellular.md#cellular-letappsaccesscellulardata) -- [Cellular/LetAppsAccessCellularData_ForceAllowTheseApps](./policy-csp-cellular.md#cellular-letappsaccesscellulardata-forceallowtheseapps) -- [Cellular/LetAppsAccessCellularData_ForceDenyTheseApps](./policy-csp-cellular.md#cellular-letappsaccesscellulardata-forcedenytheseapps) -- [Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps](./policy-csp-cellular.md#cellular-letappsaccesscellulardata-userincontroloftheseapps) -- [Cellular/ShowAppCellularAccessUI](./policy-csp-cellular.md#cellular-showappcellularaccessui) -- [Connectivity/AllowCellularDataRoaming](./policy-csp-connectivity.md#connectivity-allowcellulardataroaming) -- [Connectivity/AllowPhonePCLinking](./policy-csp-connectivity.md#connectivity-allowphonepclinking) -- [Connectivity/DiablePrintingOverHTTP](./policy-csp-connectivity.md#connectivity-disableprintingoverhttp) -- [Connectivity/DisableDownloadingOfPrintDriversOverHTTP](./policy-csp-connectivity.md#connectivity-disabledownloadingofprintdriversoverhttp) -- [Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards](./policy-csp-connectivity.md#connectivity-disableinternetdownloadforwebpublishingandonlineorderingwizards) -- [Connectivity/DisallowNetworkConnectivityActiveTests](./policy-csp-connectivity.md#connectivity-disallownetworkconnectivityactivetests) -- [Connectivity/HardenedUNCPaths](./policy-csp-connectivity.md#connectivity-hardeneduncpaths) -- [Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge](./policy-csp-connectivity.md#connectivity-prohibitinstallationandconfigurationofnetworkbridge) -- [CredentialProviders/AllowPINLogon](./policy-csp-credentialproviders.md#credentialproviders-allowpinlogon) -- [CredentialProviders/BlockPicturePassword](./policy-csp-credentialproviders.md#credentialproviders-blockpicturepassword) -- [CredentialsDelegation/RemoteHostAllowsDelegationOfNonExportableCredentials](./policy-csp-credentialsdelegation.md#credentialsdelegation-remotehostallowsdelegationofnonexportablecredentials) -- [CredentialsUI/DisablePasswordReveal](./policy-csp-credentialsui.md#credentialsui-disablepasswordreveal) -- [CredentialsUI/EnumerateAdministrators](./policy-csp-credentialsui.md#credentialsui-enumerateadministrators) -- [Cryptography/AllowFipsAlgorithmPolicy](./policy-csp-cryptography.md#cryptography-allowfipsalgorithmpolicy) -- [DataUsage/SetCost4G](./policy-csp-datausage.md#datausage-setcost4g) -- [Defender/AllowArchiveScanning](./policy-csp-defender.md#defender-allowarchivescanning) -- [Defender/AllowBehaviorMonitoring](./policy-csp-defender.md#defender-allowbehaviormonitoring) -- [Defender/AllowCloudProtection](./policy-csp-defender.md#defender-allowcloudprotection) -- [Defender/AllowEmailScanning](./policy-csp-defender.md#defender-allowemailscanning) -- [Defender/AllowFullScanOnMappedNetworkDrives](./policy-csp-defender.md#defender-allowfullscanonmappednetworkdrives) -- [Defender/AllowFullScanRemovableDriveScanning](./policy-csp-defender.md#defender-allowfullscanremovabledrivescanning) -- [Defender/AllowIOAVProtection](./policy-csp-defender.md#defender-allowioavprotection) -- [Defender/AllowOnAccessProtection](./policy-csp-defender.md#defender-allowonaccessprotection) -- [Defender/AllowRealtimeMonitoring](./policy-csp-defender.md#defender-allowrealtimemonitoring) -- [Defender/AllowScanningNetworkFiles](./policy-csp-defender.md#defender-allowscanningnetworkfiles) -- [Defender/AllowUserUIAccess](./policy-csp-defender.md#defender-allowuseruiaccess) -- [Defender/AttackSurfaceReductionOnlyExclusions](./policy-csp-defender.md#defender-attacksurfacereductiononlyexclusions) -- [Defender/AttackSurfaceReductionRules](./policy-csp-defender.md#defender-attacksurfacereductionrules) -- [Defender/AvgCPULoadFactor](./policy-csp-defender.md#defender-avgcpuloadfactor) -- [Defender/CheckForSignaturesBeforeRunningScan](./policy-csp-defender.md#defender-checkforsignaturesbeforerunningscan) -- [Defender/CloudBlockLevel](./policy-csp-defender.md#defender-cloudblocklevel) -- [Defender/CloudExtendedTimeout](./policy-csp-defender.md#defender-cloudextendedtimeout) -- [Defender/ControlledFolderAccessAllowedApplications](./policy-csp-defender.md#defender-controlledfolderaccessallowedapplications) -- [Defender/ControlledFolderAccessProtectedFolders](./policy-csp-defender.md#defender-controlledfolderaccessprotectedfolders) -- [Defender/DaysToRetainCleanedMalware](./policy-csp-defender.md#defender-daystoretaincleanedmalware) -- [Defender/DisableCatchupFullScan](./policy-csp-defender.md#defender-disablecatchupfullscan) -- [Defender/DisableCatchupQuickScan](./policy-csp-defender.md#defender-disablecatchupquickscan) -- [Defender/EnableControlledFolderAccess](./policy-csp-defender.md#defender-enablecontrolledfolderaccess) -- [Defender/EnableLowCPUPriority](./policy-csp-defender.md#defender-enablelowcpupriority) -- [Defender/EnableNetworkProtection](./policy-csp-defender.md#defender-enablenetworkprotection) -- [Defender/ExcludedExtensions](./policy-csp-defender.md#defender-excludedextensions) -- [Defender/ExcludedPaths](./policy-csp-defender.md#defender-excludedpaths) -- [Defender/ExcludedProcesses](./policy-csp-defender.md#defender-excludedprocesses) -- [Defender/RealTimeScanDirection](./policy-csp-defender.md#defender-realtimescandirection) -- [Defender/ScanParameter](./policy-csp-defender.md#defender-scanparameter) -- [Defender/ScheduleQuickScanTime](./policy-csp-defender.md#defender-schedulequickscantime) -- [Defender/ScheduleScanDay](./policy-csp-defender.md#defender-schedulescanday) -- [Defender/ScheduleScanTime](./policy-csp-defender.md#defender-schedulescantime) -- [Defender/SignatureUpdateFallbackOrder](./policy-csp-defender.md#defender-signatureupdatefallbackorder) -- [Defender/SignatureUpdateFileSharesSources](./policy-csp-defender.md#defender-signatureupdatefilesharessources) -- [Defender/SignatureUpdateInterval](./policy-csp-defender.md#defender-signatureupdateinterval) -- [Defender/SubmitSamplesConsent](./policy-csp-defender.md#defender-submitsamplesconsent) -- [Defender/ThreatSeverityDefaultAction](./policy-csp-defender.md#defender-threatseveritydefaultaction) -- [DeliveryOptimization/DOAbsoluteMaxCacheSize](./policy-csp-deliveryoptimization.md#deliveryoptimization-doabsolutemaxcachesize) -- [DeliveryOptimization/DOAllowVPNPeerCaching](./policy-csp-deliveryoptimization.md#deliveryoptimization-doallowvpnpeercaching) -- [DeliveryOptimization/DOCacheHost](./policy-csp-deliveryoptimization.md#deliveryoptimization-docachehost) -- [DeliveryOptimization/DODelayBackgroundDownloadFromHttp](./policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaybackgrounddownloadfromhttp) -- [DeliveryOptimization/DODelayForegroundDownloadFromHttp](./policy-csp-deliveryoptimization.md#deliveryoptimization-dodelayforegrounddownloadfromhttp) -- [DeliveryOptimization/DODelayCacheServerFallbackBackground](./policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackbackground) -- [DeliveryOptimization/DODelayCacheServerFallbackForeground](./policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackforeground) -- [DeliveryOptimization/DODownloadMode](./policy-csp-deliveryoptimization.md#deliveryoptimization-dodownloadmode) -- [DeliveryOptimization/DOGroupId](./policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupid) -- [DeliveryOptimization/DOGroupIdSource](./policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupidsource) -- [DeliveryOptimization/DOMaxCacheAge](./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcacheage) -- [DeliveryOptimization/DOMaxCacheSize](./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcachesize) -- [DeliveryOptimization/DOMaxDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxdownloadbandwidth) -- [DeliveryOptimization/DOMaxUploadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxuploadbandwidth) -- [DeliveryOptimization/DOMinBackgroundQos](./policy-csp-deliveryoptimization.md#deliveryoptimization-dominbackgroundqos) -- [DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload](./policy-csp-deliveryoptimization.md#deliveryoptimization-dominbatterypercentageallowedtoupload) -- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](./policy-csp-deliveryoptimization.md#deliveryoptimization-domindisksizeallowedtopeer) -- [DeliveryOptimization/DOMinFileSizeToCache](./policy-csp-deliveryoptimization.md#deliveryoptimization-dominfilesizetocache) -- [DeliveryOptimization/DOMinRAMAllowedToPeer](./policy-csp-deliveryoptimization.md#deliveryoptimization-dominramallowedtopeer) -- [DeliveryOptimization/DOModifyCacheDrive](./policy-csp-deliveryoptimization.md#deliveryoptimization-domodifycachedrive) -- [DeliveryOptimization/DOMonthlyUploadDataCap](./policy-csp-deliveryoptimization.md#deliveryoptimization-domonthlyuploaddatacap) -- [DeliveryOptimization/DOPercentageMaxBackgroundBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxbackgroundbandwidth) -- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth) -- [DeliveryOptimization/DOPercentageMaxForegroundBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxforegroundbandwidth) -- [DeliveryOptimization/DORestrictPeerSelectionBy](./policy-csp-deliveryoptimization.md#deliveryoptimization-dorestrictpeerselectionby) -- [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth) -- [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth) -- [Desktop/PreventUserRedirectionOfProfileFolders](./policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders) -- [DeviceGuard/ConfigureSystemGuardLaunch](./policy-csp-deviceguard.md#deviceguard-configuresystemguardlaunch) -- [DeviceGuard/EnableVirtualizationBasedSecurity](./policy-csp-deviceguard.md#deviceguard-enablevirtualizationbasedsecurity) -- [DeviceGuard/LsaCfgFlags](./policy-csp-deviceguard.md#deviceguard-lsacfgflags) -- [DeviceGuard/RequirePlatformSecurityFeatures](./policy-csp-deviceguard.md#deviceguard-requireplatformsecurityfeatures) -- [DeviceInstallation/AllowInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallationallowinstallationofmatchingdeviceids) -- [DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallationallowinstallationofmatchingdevicesetupclasses) -- [DeviceInstallation/PreventDeviceMetadataFromNetwork](./policy-csp-deviceinstallation.md#deviceinstallationpreventdevicemetadatafromnetwork) -- [DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](./policy-csp-deviceinstallation.md#deviceinstallationpreventinstallationofdevicesnotdescribedbyotherpolicysettings) -- [DeviceInstallation/PreventInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallationpreventinstallationofmatchingdeviceids) -- [DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallationpreventinstallationofmatchingdevicesetupclasses) -- [DeviceLock/MinimumPasswordAge](./policy-csp-devicelock.md#devicelock-minimumpasswordage) -- [DeviceLock/PreventEnablingLockScreenCamera](./policy-csp-devicelock.md#devicelock-preventenablinglockscreencamera) -- [DeviceLock/PreventLockScreenSlideShow](./policy-csp-devicelock.md#devicelock-preventlockscreenslideshow) -- [Display/DisablePerProcessDpiForApps](./policy-csp-display.md#display-disableperprocessdpiforapps) -- [Display/EnablePerProcessDpi](./policy-csp-display.md#display-enableperprocessdpi) -- [Display/EnablePerProcessDpiForApps](./policy-csp-display.md#display-enableperprocessdpiforapps) -- [Display/TurnOffGdiDPIScalingForApps](./policy-csp-display.md#display-turnoffgdidpiscalingforapps) -- [Display/TurnOnGdiDPIScalingForApps](./policy-csp-display.md#display-turnongdidpiscalingforapps) -- [DmaGuard/DeviceEnumerationPolicy](./policy-csp-dmaguard.md#dmaguard-deviceenumerationpolicy) -- [Education/PreventAddingNewPrinters](./policy-csp-education.md#education-preventaddingnewprinters) -- [ErrorReporting/CustomizeConsentSettings](./policy-csp-errorreporting.md#errorreporting-customizeconsentsettings) -- [ErrorReporting/DisableWindowsErrorReporting](./policy-csp-errorreporting.md#errorreporting-disablewindowserrorreporting) -- [ErrorReporting/DisplayErrorNotification](./policy-csp-errorreporting.md#errorreporting-displayerrornotification) -- [ErrorReporting/DoNotSendAdditionalData](./policy-csp-errorreporting.md#errorreporting-donotsendadditionaldata) -- [ErrorReporting/PreventCriticalErrorDisplay](./policy-csp-errorreporting.md#errorreporting-preventcriticalerrordisplay) -- [EventLogService/ControlEventLogBehavior](./policy-csp-eventlogservice.md#eventlogservice-controleventlogbehavior) -- [EventLogService/SpecifyMaximumFileSizeApplicationLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizeapplicationlog) -- [EventLogService/SpecifyMaximumFileSizeSecurityLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizesecuritylog) -- [EventLogService/SpecifyMaximumFileSizeSystemLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizesystemlog) -- [Experience/AllowClipboardHistory](./policy-csp-experience.md#experience-allowclipboardhistory) -- [Experience/AllowCortana](./policy-csp-experience.md#experience-allowcortana) -- [Experience/AllowFindMyDevice](./policy-csp-experience.md#experience-allowfindmydevice) -- [Experience/AllowTailoredExperiencesWithDiagnosticData](./policy-csp-experience.md#experience-allowtailoredexperienceswithdiagnosticdata) -- [Experience/AllowThirdPartySuggestionsInWindowsSpotlight](./policy-csp-experience.md#experience-allowthirdpartysuggestionsinwindowsspotlight) -- [Experience/AllowWindowsConsumerFeatures](./policy-csp-experience.md#experience-allowwindowsconsumerfeatures) -- [Experience/AllowWindowsSpotlight](./policy-csp-experience.md#experience-allowwindowsspotlight) -- [Experience/AllowWindowsSpotlightOnActionCenter](./policy-csp-experience.md#experience-allowwindowsspotlightonactioncenter) -- [Experience/AllowWindowsSpotlightOnSettings](./policy-csp-experience.md#experience-allowwindowsspotlightonsettings) -- [Experience/AllowWindowsSpotlightWindowsWelcomeExperience](./policy-csp-experience.md#experience-allowwindowsspotlightwindowswelcomeexperience) -- [Experience/AllowWindowsTips](./policy-csp-experience.md#experience-allowwindowstips) -- [Experience/ConfigureWindowsSpotlightOnLockScreen](./policy-csp-experience.md#experience-configurewindowsspotlightonlockscreen) -- [Experience/DoNotShowFeedbackNotifications](./policy-csp-experience.md#experience-donotshowfeedbacknotifications) -- [Experience/DoNotSyncBrowserSettings](./policy-csp-experience.md#experience-donotsyncbrowsersetting) -- [Experience/PreventUsersFromTurningOnBrowserSyncing](./policy-csp-experience.md#experience-preventusersfromturningonbrowsersyncing) -- [Experience/ShowLockOnUserTile](policy-csp-experience.md#experience-showlockonusertile) -- [ExploitGuard/ExploitProtectionSettings](./policy-csp-exploitguard.md#exploitguard-exploitprotectionsettings) -- [FileExplorer/TurnOffDataExecutionPreventionForExplorer](./policy-csp-fileexplorer.md#fileexplorer-turnoffdataexecutionpreventionforexplorer) -- [FileExplorer/TurnOffHeapTerminationOnCorruption](./policy-csp-fileexplorer.md#fileexplorer-turnoffheapterminationoncorruption) -- [Handwriting/PanelDefaultModeDocked](./policy-csp-handwriting.md#handwriting-paneldefaultmodedocked) -- [InternetExplorer/AddSearchProvider](./policy-csp-internetexplorer.md#internetexplorer-addsearchprovider) -- [InternetExplorer/AllowActiveXFiltering](./policy-csp-internetexplorer.md#internetexplorer-allowactivexfiltering) -- [InternetExplorer/AllowAddOnList](./policy-csp-internetexplorer.md#internetexplorer-allowaddonlist) -- [InternetExplorer/AllowAutoComplete](./policy-csp-internetexplorer.md#internetexplorer-allowautocomplete) -- [InternetExplorer/AllowCertificateAddressMismatchWarning](./policy-csp-internetexplorer.md#internetexplorer-allowcertificateaddressmismatchwarning) -- [InternetExplorer/AllowDeletingBrowsingHistoryOnExit](./policy-csp-internetexplorer.md#internetexplorer-allowdeletingbrowsinghistoryonexit) -- [InternetExplorer/AllowEnhancedProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-allowenhancedprotectedmode) -- [InternetExplorer/AllowEnhancedSuggestionsInAddressBar](./policy-csp-internetexplorer.md#internetexplorer-allowenhancedsuggestionsinaddressbar) -- [InternetExplorer/AllowEnterpriseModeFromToolsMenu](./policy-csp-internetexplorer.md#internetexplorer-allowenterprisemodefromtoolsmenu) -- [InternetExplorer/AllowEnterpriseModeSiteList](./policy-csp-internetexplorer.md#internetexplorer-allowenterprisemodesitelist) -- [InternetExplorer/AllowFallbackToSSL3](./policy-csp-internetexplorer.md#internetexplorer-allowfallbacktossl3) -- [InternetExplorer/AllowInternetExplorer7PolicyList](./policy-csp-internetexplorer.md#internetexplorer-allowinternetexplorer7policylist) -- [InternetExplorer/AllowInternetExplorerStandardsMode](./policy-csp-internetexplorer.md#internetexplorer-allowinternetexplorerstandardsmode) -- [InternetExplorer/AllowInternetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowinternetzonetemplate) -- [InternetExplorer/AllowIntranetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowintranetzonetemplate) -- [InternetExplorer/AllowLocalMachineZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlocalmachinezonetemplate) -- [InternetExplorer/AllowLockedDownInternetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddowninternetzonetemplate) -- [InternetExplorer/AllowLockedDownIntranetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownintranetzonetemplate) -- [InternetExplorer/AllowLockedDownLocalMachineZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownlocalmachinezonetemplate) -- [InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownrestrictedsiteszonetemplate) -- [InternetExplorer/AllowOneWordEntry](./policy-csp-internetexplorer.md#internetexplorer-allowonewordentry) -- [InternetExplorer/AllowSiteToZoneAssignmentList](./policy-csp-internetexplorer.md#internetexplorer-allowsitetozoneassignmentlist) -- [InternetExplorer/AllowSoftwareWhenSignatureIsInvalid](./policy-csp-internetexplorer.md#internetexplorer-allowsoftwarewhensignatureisinvalid) -- [InternetExplorer/AllowSuggestedSites](./policy-csp-internetexplorer.md#internetexplorer-allowsuggestedsites) -- [InternetExplorer/AllowTrustedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowtrustedsiteszonetemplate) -- [InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowslockeddowntrustedsiteszonetemplate) -- [InternetExplorer/AllowsRestrictedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowsrestrictedsiteszonetemplate) -- [InternetExplorer/CheckServerCertificateRevocation](./policy-csp-internetexplorer.md#internetexplorer-checkservercertificaterevocation) -- [InternetExplorer/CheckSignaturesOnDownloadedPrograms](./policy-csp-internetexplorer.md#internetexplorer-checksignaturesondownloadedprograms) -- [InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-consistentmimehandlinginternetexplorerprocesses) -- [InternetExplorer/DisableActiveXVersionListAutoDownload](./policy-csp-internetexplorer.md#internetexplorer-disableactivexversionlistautodownload) -- [InternetExplorer/DisableAdobeFlash](./policy-csp-internetexplorer.md#internetexplorer-disableadobeflash) -- [InternetExplorer/DisableBypassOfSmartScreenWarnings](./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarnings) -- [InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles](./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarningsaboutuncommonfiles) -- [InternetExplorer/DisableCompatView](./policy-csp-internetexplorer.md#internetexplorer-disablecompatview) -- [InternetExplorer/DisableConfiguringHistory](./policy-csp-internetexplorer.md#internetexplorer-disableconfiguringhistory) -- [InternetExplorer/DisableCrashDetection](./policy-csp-internetexplorer.md#internetexplorer-disablecrashdetection) -- [InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation](./policy-csp-internetexplorer.md#internetexplorer-disablecustomerexperienceimprovementprogramparticipation) -- [InternetExplorer/DisableDeletingUserVisitedWebsites](./policy-csp-internetexplorer.md#internetexplorer-disabledeletinguservisitedwebsites) -- [InternetExplorer/DisableEnclosureDownloading](./policy-csp-internetexplorer.md#internetexplorer-disableenclosuredownloading) -- [InternetExplorer/DisableEncryptionSupport](./policy-csp-internetexplorer.md#internetexplorer-disableencryptionsupport) -- [InternetExplorer/DisableFeedsBackgroundSync](./policy-csp-internetexplorer.md#internetexplorer-disablefeedsbackgroundsync) -- [InternetExplorer/DisableFirstRunWizard](./policy-csp-internetexplorer.md#internetexplorer-disablefirstrunwizard) -- [InternetExplorer/DisableFlipAheadFeature](./policy-csp-internetexplorer.md#internetexplorer-disableflipaheadfeature) -- [InternetExplorer/DisableGeolocation](./policy-csp-internetexplorer.md#internetexplorer-disablegeolocation) -- [InternetExplorer/DisableHomePageChange](./policy-csp-internetexplorer.md#internetexplorer-disablehomepagechange) -- [InternetExplorer/DisableIgnoringCertificateErrors](./policy-csp-internetexplorer.md#internetexplorer-disableignoringcertificateerrors) -- [InternetExplorer/DisableInPrivateBrowsing](./policy-csp-internetexplorer.md#internetexplorer-disableinprivatebrowsing) -- [InternetExplorer/DisableProcessesInEnhancedProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-disableprocessesinenhancedprotectedmode) -- [InternetExplorer/DisableProxyChange](./policy-csp-internetexplorer.md#internetexplorer-disableproxychange) -- [InternetExplorer/DisableSearchProviderChange](./policy-csp-internetexplorer.md#internetexplorer-disablesearchproviderchange) -- [InternetExplorer/DisableSecondaryHomePageChange](./policy-csp-internetexplorer.md#internetexplorer-disablesecondaryhomepagechange) -- [InternetExplorer/DisableSecuritySettingsCheck](./policy-csp-internetexplorer.md#internetexplorer-disablesecuritysettingscheck) -- [InternetExplorer/DisableUpdateCheck](./policy-csp-internetexplorer.md#internetexplorer-disableupdatecheck) -- [InternetExplorer/DisableWebAddressAutoComplete](./policy-csp-internetexplorer.md#internetexplorer-disablewebaddressautocomplete) -- [InternetExplorer/DoNotAllowActiveXControlsInProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-donotallowactivexcontrolsinprotectedmode) -- [InternetExplorer/DoNotAllowUsersToAddSites](./policy-csp-internetexplorer.md#internetexplorer-donotallowuserstoaddsites) -- [InternetExplorer/DoNotAllowUsersToChangePolicies](./policy-csp-internetexplorer.md#internetexplorer-donotallowuserstochangepolicies) -- [InternetExplorer/DoNotBlockOutdatedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-donotblockoutdatedactivexcontrols) -- [InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains](./policy-csp-internetexplorer.md#internetexplorer-donotblockoutdatedactivexcontrolsonspecificdomains) -- [InternetExplorer/IncludeAllLocalSites](./policy-csp-internetexplorer.md#internetexplorer-includealllocalsites) -- [InternetExplorer/IncludeAllNetworkPaths](./policy-csp-internetexplorer.md#internetexplorer-includeallnetworkpaths) -- [InternetExplorer/InternetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowaccesstodatasources) -- [InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowautomaticpromptingforactivexcontrols) -- [InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowautomaticpromptingforfiledownloads) -- [InternetExplorer/InternetZoneAllowCopyPasteViaScript](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowcopypasteviascript) -- [InternetExplorer/InternetZoneAllowDragAndDropCopyAndPasteFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowdraganddropcopyandpastefiles) -- [InternetExplorer/InternetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowfontdownloads) -- [InternetExplorer/InternetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowlessprivilegedsites) -- [InternetExplorer/InternetZoneAllowLoadingOfXAMLFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowloadingofxamlfiles) -- [InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallownetframeworkreliantcomponents) -- [InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowonlyapproveddomainstouseactivexcontrols) -- [InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowonlyapproveddomainstousetdcactivexcontrol) -- [InternetExplorer/InternetZoneAllowScriptInitiatedWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptinitiatedwindows) -- [InternetExplorer/InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptingofinternetexplorerwebbrowsercontrols) -- [InternetExplorer/InternetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptlets) -- [InternetExplorer/InternetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowsmartscreenie) -- [InternetExplorer/InternetZoneAllowUpdatesToStatusBarViaScript](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowupdatestostatusbarviascript) -- [InternetExplorer/InternetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowuserdatapersistence) -- [InternetExplorer/InternetZoneAllowVBScriptToRunInInternetExplorer](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowvbscripttorunininternetexplorer) -- [InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedonotrunantimalwareagainstactivexcontrols) -- [InternetExplorer/InternetZoneDownloadSignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedownloadsignedactivexcontrols) -- [InternetExplorer/InternetZoneDownloadUnsignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedownloadunsignedactivexcontrols) -- [InternetExplorer/InternetZoneEnableCrossSiteScriptingFilter](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenablecrosssitescriptingfilter) -- [InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenabledraggingofcontentfromdifferentdomainsacrosswindows) -- [InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenabledraggingofcontentfromdifferentdomainswithinwindows) -- [InternetExplorer/InternetZoneEnableMIMESniffing](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenablemimesniffing) -- [InternetExplorer/InternetZoneEnableProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenableprotectedmode) -- [InternetExplorer/InternetZoneIncludeLocalPathWhenUploadingFilesToServer](./policy-csp-internetexplorer.md#internetexplorer-internetzoneincludelocalpathwhenuploadingfilestoserver) -- [InternetExplorer/InternetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneinitializeandscriptactivexcontrols) -- [InternetExplorer/InternetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-internetzonejavapermissions) -- [InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME](./policy-csp-internetexplorer.md#internetexplorer-internetzonelaunchingapplicationsandfilesiniframe) -- [InternetExplorer/InternetZoneLogonOptions](./policy-csp-internetexplorer.md#internetexplorer-internetzonelogonoptions) -- [InternetExplorer/InternetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-internetzonenavigatewindowsandframes) -- [InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](./policy-csp-internetexplorer.md#internetexplorer-internetzonerunnetframeworkreliantcomponentssignedwithauthenticode) -- [InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneshowsecuritywarningforpotentiallyunsafefiles) -- [InternetExplorer/InternetZoneUsePopupBlocker](./policy-csp-internetexplorer.md#internetexplorer-internetzoneusepopupblocker) -- [InternetExplorer/IntranetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowaccesstodatasources) -- [InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowautomaticpromptingforactivexcontrols) -- [InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowautomaticpromptingforfiledownloads) -- [InternetExplorer/IntranetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowfontdownloads) -- [InternetExplorer/IntranetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowlessprivilegedsites) -- [InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallownetframeworkreliantcomponents) -- [InternetExplorer/IntranetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowscriptlets) -- [InternetExplorer/IntranetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowsmartscreenie) -- [InternetExplorer/IntranetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowuserdatapersistence) -- [InternetExplorer/IntranetZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzonedonotrunantimalwareagainstactivexcontrols) -- [InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneinitializeandscriptactivexcontrols) -- [InternetExplorer/IntranetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-intranetzonejavapermissions) -- [InternetExplorer/IntranetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-intranetzonenavigatewindowsandframes) -- [InternetExplorer/LocalMachineZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowaccesstodatasources) -- [InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowautomaticpromptingforactivexcontrols) -- [InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowautomaticpromptingforfiledownloads) -- [InternetExplorer/LocalMachineZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowfontdownloads) -- [InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowlessprivilegedsites) -- [InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallownetframeworkreliantcomponents) -- [InternetExplorer/LocalMachineZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowscriptlets) -- [InternetExplorer/LocalMachineZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowsmartscreenie) -- [InternetExplorer/LocalMachineZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowuserdatapersistence) -- [InternetExplorer/LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonedonotrunantimalwareagainstactivexcontrols) -- [InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneinitializeandscriptactivexcontrols) -- [InternetExplorer/LocalMachineZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonejavapermissions) -- [InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonenavigatewindowsandframes) -- [InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowaccesstodatasources) -- [InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowautomaticpromptingforactivexcontrols) -- [InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowautomaticpromptingforfiledownloads) -- [InternetExplorer/LockedDownInternetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowfontdownloads) -- [InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowlessprivilegedsites) -- [InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallownetframeworkreliantcomponents) -- [InternetExplorer/LockedDownInternetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowscriptlets) -- [InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowsmartscreenie) -- [InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowuserdatapersistence) -- [InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneinitializeandscriptactivexcontrols) -- [InternetExplorer/LockedDownInternetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzonejavapermissions) -- [InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzonenavigatewindowsandframes) -- [InternetExplorer/LockedDownIntranetJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetjavapermissions) -- [InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowaccesstodatasources) -- [InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowautomaticpromptingforactivexcontrols) -- [InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowautomaticpromptingforfiledownloads) -- [InternetExplorer/LockedDownIntranetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowfontdownloads) -- [InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowlessprivilegedsites) -- [InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallownetframeworkreliantcomponents) -- [InternetExplorer/LockedDownIntranetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowscriptlets) -- [InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowsmartscreenie) -- [InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowuserdatapersistence) -- [InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneinitializeandscriptactivexcontrols) -- [InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzonenavigatewindowsandframes) -- [InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowaccesstodatasources) -- [InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowautomaticpromptingforactivexcontrols) -- [InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowautomaticpromptingforfiledownloads) -- [InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowfontdownloads) -- [InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowlessprivilegedsites) -- [InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallownetframeworkreliantcomponents) -- [InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowscriptlets) -- [InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowsmartscreenie) -- [InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowuserdatapersistence) -- [InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneinitializeandscriptactivexcontrols) -- [InternetExplorer/LockedDownLocalMachineZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezonejavapermissions) -- [InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezonenavigatewindowsandframes) -- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowaccesstodatasources) -- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowautomaticpromptingforactivexcontrols) -- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowautomaticpromptingforfiledownloads) -- [InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowfontdownloads) -- [InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowlessprivilegedsites) -- [InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallownetframeworkreliantcomponents) -- [InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowscriptlets) -- [InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowsmartscreenie) -- [InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowuserdatapersistence) -- [InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneinitializeandscriptactivexcontrols) -- [InternetExplorer/LockedDownRestrictedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszonejavapermissions) -- [InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszonenavigatewindowsandframes) -- [InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowaccesstodatasources) -- [InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowautomaticpromptingforactivexcontrols) -- [InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowautomaticpromptingforfiledownloads) -- [InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowfontdownloads) -- [InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowlessprivilegedsites) -- [InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallownetframeworkreliantcomponents) -- [InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowscriptlets) -- [InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowsmartscreenie) -- [InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowuserdatapersistence) -- [InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneinitializeandscriptactivexcontrols) -- [InternetExplorer/LockedDownTrustedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszonejavapermissions) -- [InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszonenavigatewindowsandframes) -- [InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-mkprotocolsecurityrestrictioninternetexplorerprocesses) -- [InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-mimesniffingsafetyfeatureinternetexplorerprocesses) -- [InternetExplorer/NewTabDefaultPage](./policy-csp-internetexplorer.md#internetexplorer-newtabdefaultpage) -- [InternetExplorer/NotificationBarInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-notificationbarinternetexplorerprocesses) -- [InternetExplorer/PreventManagingSmartScreenFilter](./policy-csp-internetexplorer.md#internetexplorer-preventmanagingsmartscreenfilter) -- [InternetExplorer/PreventPerUserInstallationOfActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-preventperuserinstallationofactivexcontrols) -- [InternetExplorer/ProtectionFromZoneElevationInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-protectionfromzoneelevationinternetexplorerprocesses) -- [InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-removerunthistimebuttonforoutdatedactivexcontrols) -- [InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-restrictactivexinstallinternetexplorerprocesses) -- [InternetExplorer/RestrictFileDownloadInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-restrictfiledownloadinternetexplorerprocesses) -- [InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowaccesstodatasources) -- [InternetExplorer/RestrictedSitesZoneAllowActiveScripting](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowactivescripting) -- [InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowautomaticpromptingforactivexcontrols) -- [InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowautomaticpromptingforfiledownloads) -- [InternetExplorer/RestrictedSitesZoneAllowBinaryAndScriptBehaviors](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowbinaryandscriptbehaviors) -- [InternetExplorer/RestrictedSitesZoneAllowCopyPasteViaScript](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowcopypasteviascript) -- [InternetExplorer/RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowdraganddropcopyandpastefiles) -- [InternetExplorer/RestrictedSitesZoneAllowFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowfiledownloads) -- [InternetExplorer/RestrictedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowfontdownloads) -- [InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowlessprivilegedsites) -- [InternetExplorer/RestrictedSitesZoneAllowLoadingOfXAMLFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowloadingofxamlfiles) -- [InternetExplorer/RestrictedSitesZoneAllowMETAREFRESH](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowmetarefresh) -- [InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallownetframeworkreliantcomponents) -- [InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowonlyapproveddomainstouseactivexcontrols) -- [InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowonlyapproveddomainstousetdcactivexcontrol) -- [InternetExplorer/RestrictedSitesZoneAllowScriptInitiatedWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptinitiatedwindows) -- [InternetExplorer/RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptingofinternetexplorerwebbrowsercontrols) -- [InternetExplorer/RestrictedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptlets) -- [InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowsmartscreenie) -- [InternetExplorer/RestrictedSitesZoneAllowUpdatesToStatusBarViaScript](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowupdatestostatusbarviascript) -- [InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowuserdatapersistence) -- [InternetExplorer/RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowvbscripttorunininternetexplorer) -- [InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedonotrunantimalwareagainstactivexcontrols) -- [InternetExplorer/RestrictedSitesZoneDownloadSignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedownloadsignedactivexcontrols) -- [InternetExplorer/RestrictedSitesZoneDownloadUnsignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedownloadunsignedactivexcontrols) -- [InternetExplorer/RestrictedSitesZoneEnableCrossSiteScriptingFilter](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenablecrosssitescriptingfilter) -- [InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenabledraggingofcontentfromdifferentdomainsacrosswindows) -- [InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenabledraggingofcontentfromdifferentdomainswithinwindows) -- [InternetExplorer/RestrictedSitesZoneEnableMIMESniffing](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenablemimesniffing) -- [InternetExplorer/RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneincludelocalpathwhenuploadingfilestoserver) -- [InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneinitializeandscriptactivexcontrols) -- [InternetExplorer/RestrictedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonejavapermissions) -- [InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonelaunchingapplicationsandfilesiniframe) -- [InternetExplorer/RestrictedSitesZoneLogonOptions](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonelogonoptions) -- [InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonenavigatewindowsandframes) -- [InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonerunactivexcontrolsandplugins) -- [InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonerunnetframeworkreliantcomponentssignedwithauthenticode) -- [InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonescriptactivexcontrolsmarkedsafeforscripting) -- [InternetExplorer/RestrictedSitesZoneScriptingOfJavaApplets](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonescriptingofjavaapplets) -- [InternetExplorer/RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneshowsecuritywarningforpotentiallyunsafefiles) -- [InternetExplorer/RestrictedSitesZoneTurnOnProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneturnonprotectedmode) -- [InternetExplorer/RestrictedSitesZoneUsePopupBlocker](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneusepopupblocker) -- [InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-scriptedwindowsecurityrestrictionsinternetexplorerprocesses) -- [InternetExplorer/SearchProviderList](./policy-csp-internetexplorer.md#internetexplorer-searchproviderlist) -- [InternetExplorer/SecurityZonesUseOnlyMachineSettings](./policy-csp-internetexplorer.md#internetexplorer-securityzonesuseonlymachinesettings) -- [InternetExplorer/SpecifyUseOfActiveXInstallerService](./policy-csp-internetexplorer.md#internetexplorer-specifyuseofactivexinstallerservice) -- [InternetExplorer/TrustedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowaccesstodatasources) -- [InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowautomaticpromptingforactivexcontrols) -- [InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowautomaticpromptingforfiledownloads) -- [InternetExplorer/TrustedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowfontdownloads) -- [InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowlessprivilegedsites) -- [InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallownetframeworkreliantcomponents) -- [InternetExplorer/TrustedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowscriptlets) -- [InternetExplorer/TrustedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowsmartscreenie) -- [InternetExplorer/TrustedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowuserdatapersistence) -- [InternetExplorer/TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonedonotrunantimalwareagainstactivexcontrols) -- [InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneinitializeandscriptactivexcontrols) -- [InternetExplorer/TrustedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonejavapermissions) -- [InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonenavigatewindowsandframes) -- [Kerberos/AllowForestSearchOrder](./policy-csp-kerberos.md#kerberos-allowforestsearchorder) -- [Kerberos/KerberosClientSupportsClaimsCompoundArmor](./policy-csp-kerberos.md#kerberos-kerberosclientsupportsclaimscompoundarmor) -- [Kerberos/RequireKerberosArmoring](./policy-csp-kerberos.md#kerberos-requirekerberosarmoring) -- [Kerberos/RequireStrictKDCValidation](./policy-csp-kerberos.md#kerberos-requirestrictkdcvalidation) -- [Kerberos/SetMaximumContextTokenSize](./policy-csp-kerberos.md#kerberos-setmaximumcontexttokensize) -- [LanmanWorkstation/EnableInsecureGuestLogons](./policy-csp-lanmanworkstation.md#lanmanworkstation-enableinsecureguestlogons) -- [Licensing/AllowWindowsEntitlementReactivation](./policy-csp-licensing.md#licensing-allowwindowsentitlementreactivation) -- [Licensing/DisallowKMSClientOnlineAVSValidation](./policy-csp-licensing.md#licensing-disallowkmsclientonlineavsvalidation) -- [LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-blockmicrosoftaccounts) -- [LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-limitlocalaccountuseofblankpasswordstoconsolelogononly) -- [LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-renameadministratoraccount) -- [LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-renameguestaccount) -- [LocalPoliciesSecurityOptions/Devices_AllowUndockWithoutHavingToLogon](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-allowundockwithouthavingtologon) -- [LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-allowedtoformatandejectremovablemedia) -- [LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-preventusersfrominstallingprinterdriverswhenconnectingtosharedprinters) -- [LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-restrictcdromaccesstolocallyloggedonuseronly) -- [LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-displayuserinformationwhenthesessionislocked) -- [LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-donotdisplaylastsignedin) -- [LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayUsernameAtSignIn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-donotdisplayusernameatsignin) -- [LocalPoliciesSecurityOptions/InteractiveLogon_DoNotRequireCTRLALTDEL](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-donotrequirectrlaltdel) -- [LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-machineinactivitylimit) -- [LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-messagetextforusersattemptingtologon) -- [LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-messagetitleforusersattemptingtologon) -- [LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-smartcardremovalbehavior) -- [LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkclient-digitallysigncommunicationsifserveragrees) -- [LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkclient-sendunencryptedpasswordtothirdpartysmbservers) -- [LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkserver-digitallysigncommunicationsalways) -- [LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkserver-digitallysigncommunicationsifclientagrees) -- [LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-donotallowanonymousenumerationofsamaccounts) -- [LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-donotallowanonymousenumerationofsamaccountsandshares) -- [LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-restrictanonymousaccesstonamedpipesandshares) -- [LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-restrictclientsallowedtomakeremotecallstosam) -- [LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-allowpku2uauthenticationrequests) -- [LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-donotstorelanmanagerhashvalueonnextpasswordchange) -- [LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-lanmanagerauthenticationlevel) -- [LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedservers) -- [LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-restrictntlm-addremoteserverexceptionsforntlmauthentication) -- [LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-restrictntlm-auditincomingntlmtraffic) -- [LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-restrictntlm-incomingntlmtraffic) -- [LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-restrictntlm-outgoingntlmtraffictoremoteservers) -- [LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-shutdown-allowsystemtobeshutdownwithouthavingtologon) -- [LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-shutdown-clearvirtualmemorypagefile) -- [LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-allowuiaccessapplicationstopromptforelevation) -- [LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-behavioroftheelevationpromptforadministrators) -- [LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-behavioroftheelevationpromptforstandardusers) -- [LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-detectapplicationinstallationsandpromptforelevation) -- [LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-onlyelevateexecutablefilesthataresignedandvalidated) -- [LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-onlyelevateuiaccessapplicationsthatareinstalledinsecurelocations) -- [LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-runalladministratorsinadminapprovalmode) -- [LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-switchtothesecuredesktopwhenpromptingforelevation) -- [LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-useadminapprovalmode) -- [LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-virtualizefileandregistrywritefailurestoperuserlocations) -- [LockDown/AllowEdgeSwipe](./policy-csp-lockdown.md#lockdown-allowedgeswipe) -- [MSSLegacy/AllowICMPRedirectsToOverrideOSPFGeneratedRoutes](./policy-csp-msslegacy.md#msslegacy-allowicmpredirectstooverrideospfgeneratedroutes) -- [MSSLegacy/AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers](./policy-csp-msslegacy.md#msslegacy-allowthecomputertoignorenetbiosnamereleaserequestsexceptfromwinsservers) -- [MSSLegacy/IPSourceRoutingProtectionLevel](./policy-csp-msslegacy.md#msslegacy-ipsourceroutingprotectionlevel) -- [MSSLegacy/IPv6SourceRoutingProtectionLevel](./policy-csp-msslegacy.md#msslegacy-ipv6sourceroutingprotectionlevel) -- [MSSecurityGuide/ApplyUACRestrictionsToLocalAccountsOnNetworkLogon](./policy-csp-mssecurityguide.md#mssecurityguide-applyuacrestrictionstolocalaccountsonnetworklogon) -- [MSSecurityGuide/ConfigureSMBV1ClientDriver](./policy-csp-mssecurityguide.md#mssecurityguide-configuresmbv1clientdriver) -- [MSSecurityGuide/ConfigureSMBV1Server](./policy-csp-mssecurityguide.md#mssecurityguide-configuresmbv1server) -- [MSSecurityGuide/EnableStructuredExceptionHandlingOverwriteProtection](./policy-csp-mssecurityguide.md#mssecurityguide-enablestructuredexceptionhandlingoverwriteprotection) -- [MSSecurityGuide/TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications](./policy-csp-mssecurityguide.md#mssecurityguide-turnonwindowsdefenderprotectionagainstpotentiallyunwantedapplications) -- [MSSecurityGuide/WDigestAuthentication](./policy-csp-mssecurityguide.md#mssecurityguide-wdigestauthentication) -- [Maps/EnableOfflineMapsAutoUpdate](./policy-csp-maps.md#maps-enableofflinemapsautoupdate) -- [Messaging/AllowMessageSync](./policy-csp-messaging.md#messaging-allowmessagesync) -- [NetworkIsolation/EnterpriseCloudResources](./policy-csp-networkisolation.md#networkisolation-enterprisecloudresources) -- [NetworkIsolation/EnterpriseIPRange](./policy-csp-networkisolation.md#networkisolation-enterpriseiprange) -- [NetworkIsolation/EnterpriseIPRangesAreAuthoritative](./policy-csp-networkisolation.md#networkisolation-enterpriseiprangesareauthoritative) -- [NetworkIsolation/EnterpriseInternalProxyServers](./policy-csp-networkisolation.md#networkisolation-enterpriseinternalproxyservers) -- [NetworkIsolation/EnterpriseProxyServers](./policy-csp-networkisolation.md#networkisolation-enterpriseproxyservers) -- [NetworkIsolation/EnterpriseProxyServersAreAuthoritative](./policy-csp-networkisolation.md#networkisolation-enterpriseproxyserversareauthoritative) -- [NetworkIsolation/NeutralResources](./policy-csp-networkisolation.md#networkisolation-neutralresources) -- [Notifications/DisallowCloudNotification](./policy-csp-notifications.md#notifications-disallowcloudnotification) -- [Notifications/DisallowNotificationMirroring](./policy-csp-notifications.md#notifications-disallownotificationmirroring) -- [Notifications/DisallowTileNotification](./policy-csp-notifications.md#notifications-disallowtilenotification) -- [Power/AllowStandbyStatesWhenSleepingOnBattery](./policy-csp-power.md#power-allowstandbystateswhensleepingonbattery) -- [Power/AllowStandbyWhenSleepingPluggedIn](./policy-csp-power.md#power-allowstandbywhensleepingpluggedin) -- [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#power-displayofftimeoutonbattery) -- [Power/DisplayOffTimeoutPluggedIn](./policy-csp-power.md#power-displayofftimeoutpluggedin) -- [Power/EnergySaverBatteryThresholdOnBattery](./policy-csp-power.md#power-energysaverbatterythresholdonbattery) -- [Power/EnergySaverBatteryThresholdPluggedIn](./policy-csp-power.md#power-energysaverbatterythresholdpluggedin) -- [Power/HibernateTimeoutOnBattery](./policy-csp-power.md#power-hibernatetimeoutonbattery) -- [Power/HibernateTimeoutPluggedIn](./policy-csp-power.md#power-hibernatetimeoutpluggedin) -- [Power/RequirePasswordWhenComputerWakesOnBattery](./policy-csp-power.md#power-requirepasswordwhencomputerwakesonbattery) -- [Power/RequirePasswordWhenComputerWakesPluggedIn](./policy-csp-power.md#power-requirepasswordwhencomputerwakespluggedin) -- [Power/SelectLidCloseActionOnBattery](./policy-csp-power.md#power-selectlidcloseactiononbattery) -- [Power/SelectLidCloseActionPluggedIn](./policy-csp-power.md#power-selectlidcloseactionpluggedin) -- [Power/SelectPowerButtonActionOnBattery](./policy-csp-power.md#power-selectpowerbuttonactiononbattery) -- [Power/SelectPowerButtonActionPluggedIn](./policy-csp-power.md#power-selectpowerbuttonactionpluggedin) -- [Power/SelectSleepButtonActionOnBattery](./policy-csp-power.md#power-selectsleepbuttonactiononbattery) -- [Power/SelectSleepButtonActionPluggedIn](./policy-csp-power.md#power-selectsleepbuttonactionpluggedin) -- [Power/StandbyTimeoutOnBattery](./policy-csp-power.md#power-standbytimeoutonbattery) -- [Power/StandbyTimeoutPluggedIn](./policy-csp-power.md#power-standbytimeoutpluggedin) -- [Power/TurnOffHybridSleepOnBattery](./policy-csp-power.md#power-turnoffhybridsleeponbattery) -- [Power/TurnOffHybridSleepPluggedIn](./policy-csp-power.md#power-turnoffhybridsleeppluggedin) -- [Power/UnattendedSleepTimeoutOnBattery](./policy-csp-power.md#power-unattendedsleeptimeoutonbattery) -- [Power/UnattendedSleepTimeoutPluggedIn](./policy-csp-power.md#power-unattendedsleeptimeoutpluggedin) -- [Printers/PointAndPrintRestrictions](./policy-csp-printers.md#printers-pointandprintrestrictions) -- [Printers/PointAndPrintRestrictions_User](./policy-csp-printers.md#printers-pointandprintrestrictions-user) -- [Printers/PublishPrinters](./policy-csp-printers.md#printers-publishprinters) -- [Privacy/AllowCrossDeviceClipboard](./policy-csp-privacy.md#privacy-allowcrossdeviceclipboard) -- [Privacy/AllowInputPersonalization](./policy-csp-privacy.md#privacy-allowinputpersonalization) -- [Privacy/DisableAdvertisingId](./policy-csp-privacy.md#privacy-disableadvertisingid) -- [Privacy/DisablePrivacyExperience](./policy-csp-privacy.md#privacy-disableprivacyexperience) -- [Privacy/EnableActivityFeed](./policy-csp-privacy.md#privacy-enableactivityfeed) -- [Privacy/LetAppsAccessAccountInfo](./policy-csp-privacy.md#privacy-letappsaccessaccountinfo) -- [Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessaccountinfo-forceallowtheseapps) -- [Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessaccountinfo-forcedenytheseapps) -- [Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessaccountinfo-userincontroloftheseapps) -- [Privacy/LetAppsAccessCalendar](./policy-csp-privacy.md#privacy-letappsaccesscalendar) -- [Privacy/LetAppsAccessCalendar_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscalendar-forceallowtheseapps) -- [Privacy/LetAppsAccessCalendar_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscalendar-forcedenytheseapps) -- [Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscalendar-userincontroloftheseapps) -- [Privacy/LetAppsAccessCallHistory](./policy-csp-privacy.md#privacy-letappsaccesscallhistory) -- [Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscallhistory-forceallowtheseapps) -- [Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscallhistory-forcedenytheseapps) -- [Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscallhistory-userincontroloftheseapps) -- [Privacy/LetAppsAccessCamera](./policy-csp-privacy.md#privacy-letappsaccesscamera) -- [Privacy/LetAppsAccessCamera_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscamera-forceallowtheseapps) -- [Privacy/LetAppsAccessCamera_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscamera-forcedenytheseapps) -- [Privacy/LetAppsAccessCamera_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscamera-userincontroloftheseapps) -- [Privacy/LetAppsAccessContacts](./policy-csp-privacy.md#privacy-letappsaccesscontacts) -- [Privacy/LetAppsAccessContacts_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscontacts-forceallowtheseapps) -- [Privacy/LetAppsAccessContacts_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscontacts-forcedenytheseapps) -- [Privacy/LetAppsAccessContacts_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscontacts-userincontroloftheseapps) -- [Privacy/LetAppsAccessEmail](./policy-csp-privacy.md#privacy-letappsaccessemail) -- [Privacy/LetAppsAccessEmail_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessemail-forceallowtheseapps) -- [Privacy/LetAppsAccessEmail_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessemail-forcedenytheseapps) -- [Privacy/LetAppsAccessEmail_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessemail-userincontroloftheseapps) -- [Privacy/LetAppsAccessLocation](./policy-csp-privacy.md#privacy-letappsaccesslocation) -- [Privacy/LetAppsAccessLocation_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesslocation-forceallowtheseapps) -- [Privacy/LetAppsAccessLocation_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesslocation-forcedenytheseapps) -- [Privacy/LetAppsAccessLocation_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesslocation-userincontroloftheseapps) -- [Privacy/LetAppsAccessMessaging](./policy-csp-privacy.md#privacy-letappsaccessmessaging) -- [Privacy/LetAppsAccessMessaging_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmessaging-forceallowtheseapps) -- [Privacy/LetAppsAccessMessaging_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmessaging-forcedenytheseapps) -- [Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmessaging-userincontroloftheseapps) -- [Privacy/LetAppsAccessMicrophone](./policy-csp-privacy.md#privacy-letappsaccessmicrophone) -- [Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmicrophone-forceallowtheseapps) -- [Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmicrophone-forcedenytheseapps) -- [Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmicrophone-userincontroloftheseapps) -- [Privacy/LetAppsAccessMotion](./policy-csp-privacy.md#privacy-letappsaccessmotion) -- [Privacy/LetAppsAccessMotion_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmotion-forceallowtheseapps) -- [Privacy/LetAppsAccessMotion_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmotion-forcedenytheseapps) -- [Privacy/LetAppsAccessMotion_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmotion-userincontroloftheseapps) -- [Privacy/LetAppsAccessNotifications](./policy-csp-privacy.md#privacy-letappsaccessnotifications) -- [Privacy/LetAppsAccessNotifications_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessnotifications-forceallowtheseapps) -- [Privacy/LetAppsAccessNotifications_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessnotifications-forcedenytheseapps) -- [Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessnotifications-userincontroloftheseapps) -- [Privacy/LetAppsAccessPhone](./policy-csp-privacy.md#privacy-letappsaccessphone) -- [Privacy/LetAppsAccessPhone_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessphone-forceallowtheseapps) -- [Privacy/LetAppsAccessPhone_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessphone-forcedenytheseapps) -- [Privacy/LetAppsAccessPhone_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessphone-userincontroloftheseapps) -- [Privacy/LetAppsAccessRadios](./policy-csp-privacy.md#privacy-letappsaccessradios) -- [Privacy/LetAppsAccessRadios_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessradios-forceallowtheseapps) -- [Privacy/LetAppsAccessRadios_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessradios-forcedenytheseapps) -- [Privacy/LetAppsAccessRadios_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessradios-userincontroloftheseapps) -- [Privacy/LetAppsAccessTasks](./policy-csp-privacy.md#privacy-letappsaccesstasks) -- [Privacy/LetAppsAccessTasks_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstasks-forceallowtheseapps) -- [Privacy/LetAppsAccessTasks_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstasks-forcedenytheseapps) -- [Privacy/LetAppsAccessTasks_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstasks-userincontroloftheseapps) -- [Privacy/LetAppsAccessTrustedDevices](./policy-csp-privacy.md#privacy-letappsaccesstrusteddevices) -- [Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstrusteddevices-forceallowtheseapps) -- [Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstrusteddevices-forcedenytheseapps) -- [Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstrusteddevices-userincontroloftheseapps) -- [Privacy/LetAppsGetDiagnosticInfo](./policy-csp-privacy.md#privacy-letappsgetdiagnosticinfo) -- [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsgetdiagnosticinfo-forceallowtheseapps) -- [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsgetdiagnosticinfo-forcedenytheseapps) -- [Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsgetdiagnosticinfo-userincontroloftheseapps) -- [Privacy/LetAppsRunInBackground](./policy-csp-privacy.md#privacy-letappsruninbackground) -- [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsruninbackground-forceallowtheseapps) -- [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsruninbackground-forcedenytheseapps) -- [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsruninbackground-userincontroloftheseapps) -- [Privacy/LetAppsSyncWithDevices](./policy-csp-privacy.md#privacy-letappssyncwithdevices) -- [Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappssyncwithdevices-forceallowtheseapps) -- [Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappssyncwithdevices-forcedenytheseapps) -- [Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappssyncwithdevices-userincontroloftheseapps) -- [Privacy/PublishUserActivities](./policy-csp-privacy.md#privacy-publishuseractivities) -- [Privacy/UploadUserActivities](./policy-csp-privacy.md#privacy-uploaduseractivities) -- [RemoteAssistance/CustomizeWarningMessages](./policy-csp-remoteassistance.md#remoteassistance-customizewarningmessages) -- [RemoteAssistance/SessionLogging](./policy-csp-remoteassistance.md#remoteassistance-sessionlogging) -- [RemoteAssistance/SolicitedRemoteAssistance](./policy-csp-remoteassistance.md#remoteassistance-solicitedremoteassistance) -- [RemoteAssistance/UnsolicitedRemoteAssistance](./policy-csp-remoteassistance.md#remoteassistance-unsolicitedremoteassistance) -- [RemoteDesktopServices/AllowUsersToConnectRemotely](./policy-csp-remotedesktopservices.md#remotedesktopservices-allowuserstoconnectremotely) -- [RemoteDesktopServices/ClientConnectionEncryptionLevel](./policy-csp-remotedesktopservices.md#remotedesktopservices-clientconnectionencryptionlevel) -- [RemoteDesktopServices/DoNotAllowDriveRedirection](./policy-csp-remotedesktopservices.md#remotedesktopservices-donotallowdriveredirection) -- [RemoteDesktopServices/DoNotAllowPasswordSaving](./policy-csp-remotedesktopservices.md#remotedesktopservices-donotallowpasswordsaving) -- [RemoteDesktopServices/PromptForPasswordUponConnection](./policy-csp-remotedesktopservices.md#remotedesktopservices-promptforpassworduponconnection) -- [RemoteDesktopServices/RequireSecureRPCCommunication](./policy-csp-remotedesktopservices.md#remotedesktopservices-requiresecurerpccommunication) -- [RemoteManagement/AllowBasicAuthentication_Client](./policy-csp-remotemanagement.md#remotemanagement-allowbasicauthentication-client) -- [RemoteManagement/AllowBasicAuthentication_Service](./policy-csp-remotemanagement.md#remotemanagement-allowbasicauthentication-service) -- [RemoteManagement/AllowCredSSPAuthenticationClient](./policy-csp-remotemanagement.md#remotemanagement-allowcredsspauthenticationclient) -- [RemoteManagement/AllowCredSSPAuthenticationService](./policy-csp-remotemanagement.md#remotemanagement-allowcredsspauthenticationservice) -- [RemoteManagement/AllowRemoteServerManagement](./policy-csp-remotemanagement.md#remotemanagement-allowremoteservermanagement) -- [RemoteManagement/AllowUnencryptedTraffic_Client](./policy-csp-remotemanagement.md#remotemanagement-allowunencryptedtraffic-client) -- [RemoteManagement/AllowUnencryptedTraffic_Service](./policy-csp-remotemanagement.md#remotemanagement-allowunencryptedtraffic-service) -- [RemoteManagement/DisallowDigestAuthentication](./policy-csp-remotemanagement.md#remotemanagement-disallowdigestauthentication) -- [RemoteManagement/DisallowNegotiateAuthenticationClient](./policy-csp-remotemanagement.md#remotemanagement-disallownegotiateauthenticationclient) -- [RemoteManagement/DisallowNegotiateAuthenticationService](./policy-csp-remotemanagement.md#remotemanagement-disallownegotiateauthenticationservice) -- [RemoteManagement/DisallowStoringOfRunAsCredentials](./policy-csp-remotemanagement.md#remotemanagement-disallowstoringofrunascredentials) -- [RemoteManagement/SpecifyChannelBindingTokenHardeningLevel](./policy-csp-remotemanagement.md#remotemanagement-specifychannelbindingtokenhardeninglevel) -- [RemoteManagement/TrustedHosts](./policy-csp-remotemanagement.md#remotemanagement-trustedhosts) -- [RemoteManagement/TurnOnCompatibilityHTTPListener](./policy-csp-remotemanagement.md#remotemanagement-turnoncompatibilityhttplistener) -- [RemoteManagement/TurnOnCompatibilityHTTPSListener](./policy-csp-remotemanagement.md#remotemanagement-turnoncompatibilityhttpslistener) -- [RemoteProcedureCall/RPCEndpointMapperClientAuthentication](./policy-csp-remoteprocedurecall.md#remoteprocedurecall-rpcendpointmapperclientauthentication) -- [RemoteProcedureCall/RestrictUnauthenticatedRPCClients](./policy-csp-remoteprocedurecall.md#remoteprocedurecall-restrictunauthenticatedrpcclients) -- [RemoteShell/AllowRemoteShellAccess](./policy-csp-remoteshell.md#remoteshell-allowremoteshellaccess) -- [RemoteShell/MaxConcurrentUsers](./policy-csp-remoteshell.md#remoteshell-maxconcurrentusers) -- [RemoteShell/SpecifyIdleTimeout](./policy-csp-remoteshell.md#remoteshell-specifyidletimeout) -- [RemoteShell/SpecifyMaxMemory](./policy-csp-remoteshell.md#remoteshell-specifymaxmemory) -- [RemoteShell/SpecifyMaxProcesses](./policy-csp-remoteshell.md#remoteshell-specifymaxprocesses) -- [RemoteShell/SpecifyMaxRemoteShells](./policy-csp-remoteshell.md#remoteshell-specifymaxremoteshells) -- [RemoteShell/SpecifyShellTimeout](./policy-csp-remoteshell.md#remoteshell-specifyshelltimeout) -- [Search/AllowCloudSearch](./policy-csp-search.md#search-allowcloudsearch) -- [Search/AllowFindMyFiles](./policy-csp-search.md#search-allowfindmyfiles) -- [Search/AllowIndexingEncryptedStoresOrItems](./policy-csp-search.md#search-allowindexingencryptedstoresoritems) -- [Search/AllowSearchToUseLocation](./policy-csp-search.md#search-allowsearchtouselocation) -- [Search/AllowUsingDiacritics](./policy-csp-search.md#search-allowusingdiacritics) -- [Search/AlwaysUseAutoLangDetection](./policy-csp-search.md#search-alwaysuseautolangdetection) -- [Search/DisableBackoff](./policy-csp-search.md#search-disablebackoff) -- [Search/DisableRemovableDriveIndexing](./policy-csp-search.md#search-disableremovabledriveindexing) -- [Search/DoNotUseWebResults](./policy-csp-search.md#search-donotusewebresults) -- [Search/PreventIndexingLowDiskSpaceMB](./policy-csp-search.md#search-preventindexinglowdiskspacemb) -- [Search/PreventRemoteQueries](./policy-csp-search.md#search-preventremotequeries) -- [Security/ClearTPMIfNotReady](./policy-csp-security.md#security-cleartpmifnotready) -- [ServiceControlManager/SvchostProcessMitigation](./policy-csp-servicecontrolmanager.md#servicecontrolmanager-svchostprocessmitigation) -- [Settings/AllowOnlineTips](./policy-csp-settings.md#settings-allowonlinetips) -- [Settings/ConfigureTaskbarCalendar](./policy-csp-settings.md#settings-configuretaskbarcalendar) -- [Settings/PageVisibilityList](./policy-csp-settings.md#settings-pagevisibilitylist) -- [SmartScreen/EnableAppInstallControl](./policy-csp-smartscreen.md#smartscreen-enableappinstallcontrol) -- [SmartScreen/EnableSmartScreenInShell](./policy-csp-smartscreen.md#smartscreen-enablesmartscreeninshell) -- [SmartScreen/PreventOverrideForFilesInShell](./policy-csp-smartscreen.md#smartscreen-preventoverrideforfilesinshell) -- [Speech/AllowSpeechModelUpdate](./policy-csp-speech.md#speech-allowspeechmodelupdate) -- [Start/DisableContextMenus](./policy-csp-start.md#start-disablecontextmenus) -- [Start/HidePeopleBar](./policy-csp-start.md#start-hidepeoplebar) -- [Start/HideRecentlyAddedApps](./policy-csp-start.md#start-hiderecentlyaddedapps) -- [Start/StartLayout](./policy-csp-start.md#start-startlayout) -- [Storage/AllowDiskHealthModelUpdates](./policy-csp-storage.md#storage-allowdiskhealthmodelupdates) -- [Storage/EnhancedStorageDevices](./policy-csp-storage.md#storage-enhancedstoragedevices) -- [System/AllowBuildPreview](./policy-csp-system.md#system-allowbuildpreview) -- [System/AllowCommercialDataPipeline](./policy-csp-system.md#system-allowcommercialdatapipeline) -- [System/AllowDeviceNameInDiagnosticData](./policy-csp-system.md#system-allowdevicenameindiagnosticdata) -- [System/AllowFontProviders](./policy-csp-system.md#system-allowfontproviders) -- [System/AllowLocation](./policy-csp-system.md#system-allowlocation) -- [System/AllowTelemetry](./policy-csp-system.md#system-allowtelemetry) -- [System/BootStartDriverInitialization](./policy-csp-system.md#system-bootstartdriverinitialization) -- [System/ConfigureMicrosoft365UploadEndpoint](./policy-csp-system.md#system-configuremicrosoft365uploadendpoint) -- [System/ConfigureTelemetryOptInChangeNotification](./policy-csp-system.md#system-configuretelemetryoptinchangenotification) -- [System/ConfigureTelemetryOptInSettingsUx](./policy-csp-system.md#system-configuretelemetryoptinsettingsux) -- [System/DisableDeviceDelete](./policy-csp-system.md#system-disabledevicedelete) -- [System/DisableDiagnosticDataViewer](./policy-csp-system.md#system-disablediagnosticdataviewer) -- [System/DisableEnterpriseAuthProxy](./policy-csp-system.md#system-disableenterpriseauthproxy) -- [System/DisableOneDriveFileSync](./policy-csp-system.md#system-disableonedrivefilesync) -- [System/DisableSystemRestore](./policy-csp-system.md#system-disablesystemrestore) -- [System/LimitEnhancedDiagnosticDataWindowsAnalytics](./policy-csp-system.md#system-limitenhanceddiagnosticdatawindowsanalytics) -- [System/TelemetryProxy](./policy-csp-system.md#system-telemetryproxy) -- [System/TurnOffFileHistory](./policy-csp-system.md#system-turnofffilehistory) -- [SystemServices/ConfigureHomeGroupListenerServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurehomegrouplistenerservicestartupmode) -- [SystemServices/ConfigureHomeGroupProviderServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurehomegroupproviderservicestartupmode) -- [SystemServices/ConfigureXboxAccessoryManagementServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurexboxaccessorymanagementservicestartupmode) -- [SystemServices/ConfigureXboxLiveAuthManagerServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurexboxliveauthmanagerservicestartupmode) -- [SystemServices/ConfigureXboxLiveGameSaveServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurexboxlivegamesaveservicestartupmode) -- [SystemServices/ConfigureXboxLiveNetworkingServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurexboxlivenetworkingservicestartupmode) -- [TextInput/AllowLanguageFeaturesUninstall](./policy-csp-textinput.md#textinput-allowlanguagefeaturesuninstall) -- [TextInput/AllowLinguisticDataCollection](./policy-csp-textinput.md#textinput-allowlinguisticdatacollection) -- [Troubleshooting/AllowRecommendations](./policy-csp-troubleshooting.md#troubleshooting-allowrecommendations) -- [Update/ActiveHoursEnd](./policy-csp-update.md#update-activehoursend) -- [Update/ActiveHoursMaxRange](./policy-csp-update.md#update-activehoursmaxrange) -- [Update/ActiveHoursStart](./policy-csp-update.md#update-activehoursstart) -- [Update/AllowAutoUpdate](./policy-csp-update.md#update-allowautoupdate) -- [Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork](./policy-csp-update.md#update-allowautowindowsupdatedownloadovermeterednetwork) -- [Update/AllowMUUpdateService](./policy-csp-update.md#update-allowmuupdateservice) -- [Update/AllowUpdateService](./policy-csp-update.md#update-allowupdateservice) -- [Update/AutoRestartDeadlinePeriodInDays](./policy-csp-update.md#update-autorestartdeadlineperiodindays) -- [Update/AutoRestartDeadlinePeriodInDaysForFeatureUpdates](./policy-csp-update.md#update-autorestartdeadlineperiodindaysforfeatureupdates) -- [Update/AutoRestartNotificationSchedule](./policy-csp-update.md#update-autorestartnotificationschedule) -- [Update/AutoRestartRequiredNotificationDismissal](./policy-csp-update.md#update-autorestartrequirednotificationdismissal) -- [Update/AutomaticMaintenanceWakeUp](./policy-csp-update.md#update-automaticmaintenancewakeup) -- [Update/BranchReadinessLevel](./policy-csp-update.md#update-branchreadinesslevel) -- [Update/ConfigureDeadlineForFeatureUpdates](./policy-csp-update.md#update-configuredeadlineforfeatureupdates) -- [Update/ConfigureDeadlineForQualityUpdates](./policy-csp-update.md#update-configuredeadlineforqualityupdates) -- [Update/ConfigureDeadlineGracePeriod](./policy-csp-update.md#update-configuredeadlinegraceperiod) -- [Update/ConfigureDeadlineNoAutoReboot](./policy-csp-update.md#update-configuredeadlinenoautoreboot) -- [Update/DeferFeatureUpdatesPeriodInDays](./policy-csp-update.md#update-deferfeatureupdatesperiodindays) -- [Update/DeferQualityUpdatesPeriodInDays](./policy-csp-update.md#update-deferqualityupdatesperiodindays) -- [Update/DeferUpdatePeriod](./policy-csp-update.md#update-deferupdateperiod) -- [Update/DeferUpgradePeriod](./policy-csp-update.md#update-deferupgradeperiod) -- [Update/DetectionFrequency](./policy-csp-update.md#update-detectionfrequency) -- [Update/DisableDualScan](./policy-csp-update.md#update-disabledualscan) -- [Update/EngagedRestartDeadline](./policy-csp-update.md#update-engagedrestartdeadline) -- [Update/EngagedRestartDeadlineForFeatureUpdates](./policy-csp-update.md#update-engagedrestartdeadlineforfeatureupdates) -- [Update/EngagedRestartSnoozeSchedule](./policy-csp-update.md#update-engagedrestartsnoozeschedule) -- [Update/EngagedRestartSnoozeScheduleForFeatureUpdates](./policy-csp-update.md#update-engagedrestartsnoozescheduleforfeatureupdates) -- [Update/EngagedRestartTransitionSchedule](./policy-csp-update.md#update-engagedrestarttransitionschedule) -- [Update/EngagedRestartTransitionScheduleForFeatureUpdates](./policy-csp-update.md#update-engagedrestarttransitionscheduleforfeatureupdates) -- [Update/ExcludeWUDriversInQualityUpdate](./policy-csp-update.md#update-excludewudriversinqualityupdate) -- [Update/FillEmptyContentUrls](./policy-csp-update.md#update-fillemptycontenturls) -- [Update/ManagePreviewBuilds](./policy-csp-update.md#update-managepreviewbuilds) -- [Update/PauseDeferrals](./policy-csp-update.md#update-pausedeferrals) -- [Update/PauseFeatureUpdates](./policy-csp-update.md#update-pausefeatureupdates) -- [Update/PauseFeatureUpdatesStartTime](./policy-csp-update.md#update-pausefeatureupdatesstarttime) -- [Update/PauseQualityUpdates](./policy-csp-update.md#update-pausequalityupdates) -- [Update/PauseQualityUpdatesStartTime](./policy-csp-update.md#update-pausequalityupdatesstarttime) -- [Update/RequireDeferUpgrade](./policy-csp-update.md#update-requiredeferupgrade) -- [Update/ScheduleImminentRestartWarning](./policy-csp-update.md#update-scheduleimminentrestartwarning) -- [Update/ScheduleRestartWarning](./policy-csp-update.md#update-schedulerestartwarning) -- [Update/ScheduledInstallDay](./policy-csp-update.md#update-scheduledinstallday) -- [Update/ScheduledInstallEveryWeek](./policy-csp-update.md#update-scheduledinstalleveryweek) -- [Update/ScheduledInstallFirstWeek](./policy-csp-update.md#update-scheduledinstallfirstweek) -- [Update/ScheduledInstallFourthWeek](./policy-csp-update.md#update-scheduledinstallfourthweek) -- [Update/ScheduledInstallSecondWeek](./policy-csp-update.md#update-scheduledinstallsecondweek) -- [Update/ScheduledInstallThirdWeek](./policy-csp-update.md#update-scheduledinstallthirdweek) -- [Update/ScheduledInstallTime](./policy-csp-update.md#update-scheduledinstalltime) -- [Update/SetAutoRestartNotificationDisable](./policy-csp-update.md#update-setautorestartnotificationdisable) -- [Update/SetDisablePauseUXAccess](./policy-csp-update.md#update-setdisablepauseuxaccess) -- [Update/SetDisableUXWUAccess](./policy-csp-update.md#update-setdisableuxwuaccess) -- [Update/SetEDURestart](./policy-csp-update.md#update-setedurestart) -- [Update/UpdateNotificationLevel](./policy-csp-update.md#update-updatenotificationlevel) -- [Update/UpdateServiceUrl](./policy-csp-update.md#update-updateserviceurl) -- [Update/UpdateServiceUrlAlternate](./policy-csp-update.md#update-updateserviceurlalternate) -- [UserRights/AccessCredentialManagerAsTrustedCaller](./policy-csp-userrights.md#userrights-accesscredentialmanagerastrustedcaller) -- [UserRights/AccessFromNetwork](./policy-csp-userrights.md#userrights-accessfromnetwork) -- [UserRights/ActAsPartOfTheOperatingSystem](./policy-csp-userrights.md#userrights-actaspartoftheoperatingsystem) -- [UserRights/AllowLocalLogOn](./policy-csp-userrights.md#userrights-allowlocallogon) -- [UserRights/BackupFilesAndDirectories](./policy-csp-userrights.md#userrights-backupfilesanddirectories) -- [UserRights/ChangeSystemTime](./policy-csp-userrights.md#userrights-changesystemtime) -- [UserRights/CreateGlobalObjects](./policy-csp-userrights.md#userrights-createglobalobjects) -- [UserRights/CreatePageFile](./policy-csp-userrights.md#userrights-createpagefile) -- [UserRights/CreatePermanentSharedObjects](./policy-csp-userrights.md#userrights-createpermanentsharedobjects) -- [UserRights/CreateSymbolicLinks](./policy-csp-userrights.md#userrights-createsymboliclinks) -- [UserRights/CreateToken](./policy-csp-userrights.md#userrights-createtoken) -- [UserRights/DebugPrograms](./policy-csp-userrights.md#userrights-debugprograms) -- [UserRights/DenyAccessFromNetwork](./policy-csp-userrights.md#userrights-denyaccessfromnetwork) -- [UserRights/DenyLocalLogOn](./policy-csp-userrights.md#userrights-denylocallogon) -- [UserRights/DenyRemoteDesktopServicesLogOn](./policy-csp-userrights.md#userrights-denyremotedesktopserviceslogon) -- [UserRights/EnableDelegation](./policy-csp-userrights.md#userrights-enabledelegation) -- [UserRights/GenerateSecurityAudits](./policy-csp-userrights.md#userrights-generatesecurityaudits) -- [UserRights/ImpersonateClient](./policy-csp-userrights.md#userrights-impersonateclient) -- [UserRights/IncreaseSchedulingPriority](./policy-csp-userrights.md#userrights-increaseschedulingpriority) -- [UserRights/LoadUnloadDeviceDrivers](./policy-csp-userrights.md#userrights-loadunloaddevicedrivers) -- [UserRights/LockMemory](./policy-csp-userrights.md#userrights-lockmemory) -- [UserRights/ManageAuditingAndSecurityLog](./policy-csp-userrights.md#userrights-manageauditingandsecuritylog) -- [UserRights/ManageVolume](./policy-csp-userrights.md#userrights-managevolume) -- [UserRights/ModifyFirmwareEnvironment](./policy-csp-userrights.md#userrights-modifyfirmwareenvironment) -- [UserRights/ModifyObjectLabel](./policy-csp-userrights.md#userrights-modifyobjectlabel) -- [UserRights/ProfileSingleProcess](./policy-csp-userrights.md#userrights-profilesingleprocess) -- [UserRights/RemoteShutdown](./policy-csp-userrights.md#userrights-remoteshutdown) -- [UserRights/RestoreFilesAndDirectories](./policy-csp-userrights.md#userrights-restorefilesanddirectories) -- [UserRights/TakeOwnership](./policy-csp-userrights.md#userrights-takeownership) -- [Wifi/AllowAutoConnectToWiFiSenseHotspots](./policy-csp-wifi.md#wifi-allowautoconnecttowifisensehotspots) -- [Wifi/AllowInternetSharing](./policy-csp-wifi.md#wifi-allowinternetsharing) -- [WindowsConnectionManager/ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork](./policy-csp-windowsconnectionmanager.md#windowsconnectionmanager-prohitconnectiontonondomainnetworkswhenconnectedtodomainauthenticatednetwork) -- [WindowsDefenderSecurityCenter/CompanyName](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-companyname) -- [WindowsDefenderSecurityCenter/DisableAccountProtectionUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disableaccountprotectionui) -- [WindowsDefenderSecurityCenter/DisableAppBrowserUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disableappbrowserui) -- [WindowsDefenderSecurityCenter/DisableClearTpmButton](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablecleartpmbutton) -- [WindowsDefenderSecurityCenter/DisableDeviceSecurityUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disabledevicesecurityui) -- [WindowsDefenderSecurityCenter/DisableEnhancedNotifications](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disableenhancednotifications) -- [WindowsDefenderSecurityCenter/DisableFamilyUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablefamilyui) -- [WindowsDefenderSecurityCenter/DisableHealthUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablehealthui) -- [WindowsDefenderSecurityCenter/DisableNetworkUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablenetworkui) -- [WindowsDefenderSecurityCenter/DisableNotifications](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablenotifications) -- [WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disabletpmfirmwareupdatewarning) -- [WindowsDefenderSecurityCenter/DisableVirusUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablevirusui) -- [WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disallowexploitprotectionoverride) -- [WindowsDefenderSecurityCenter/Email](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-email) -- [WindowsDefenderSecurityCenter/EnableCustomizedToasts](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-enablecustomizedtoasts) -- [WindowsDefenderSecurityCenter/EnableInAppCustomization](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-enableinappcustomization) -- [WindowsDefenderSecurityCenter/HideRansomwareDataRecovery](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-hideransomwaredatarecovery) -- [WindowsDefenderSecurityCenter/HideSecureBoot](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-hidesecureboot) -- [WindowsDefenderSecurityCenter/HideTPMTroubleshooting](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-hidetpmtroubleshooting) -- [WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-hidewindowssecuritynotificationareacontrol) -- [WindowsDefenderSecurityCenter/Phone](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-phone) -- [WindowsDefenderSecurityCenter/URL](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-url) -- [WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace](./policy-csp-windowsinkworkspace.md#windowsinkworkspace-allowsuggestedappsinwindowsinkworkspace) -- [WindowsInkWorkspace/AllowWindowsInkWorkspace](./policy-csp-windowsinkworkspace.md#windowsinkworkspace-allowwindowsinkworkspace) -- [WindowsLogon/AllowAutomaticRestartSignOn](./policy-csp-windowslogon.md#windowslogon-allowautomaticrestartsignon) -- [WindowsLogon/ConfigAutomaticRestartSignOn](./policy-csp-windowslogon.md#windowslogon-configautomaticrestartsignon) -- [WindowsLogon/DisableLockScreenAppNotifications](./policy-csp-windowslogon.md#windowslogon-disablelockscreenappnotifications) -- [WindowsLogon/DontDisplayNetworkSelectionUI](./policy-csp-windowslogon.md#windowslogon-dontdisplaynetworkselectionui) -- [WindowsLogon/EnableFirstLogonAnimation](./policy-csp-windowslogon.md#windowslogon-enablefirstlogonanimation) -- [WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers](./policy-csp-windowslogon.md#windowslogon-enumeratelocalusersondomainjoinedcomputers) -- [WindowsLogon/HideFastUserSwitching](./policy-csp-windowslogon.md#windowslogon-hidefastuserswitching) -- [WindowsPowerShell/TurnOnPowerShellScriptBlockLogging](./policy-csp-windowspowershell.md#windowspowershell-turnonpowershellscriptblocklogging) -- [WirelessDisplay/AllowProjectionToPC](./policy-csp-wirelessdisplay.md#wirelessdisplay-allowprojectiontopc) -- [WirelessDisplay/RequirePinForPairing](./policy-csp-wirelessdisplay.md#wirelessdisplay-requirepinforpairing) +# Policies in Policy CSP supported by group policy -## Related topics +This article lists the policies in Policy CSP that have a group policy mapping. -[Policy CSP](policy-configuration-service-provider.md) \ No newline at end of file +## AboveLock + +- [AllowCortanaAboveLock](policy-csp-abovelock.md) + +## Accounts + +- [RestrictToEnterpriseDeviceAuthenticationOnly](policy-csp-accounts.md) + +## ApplicationDefaults + +- [DefaultAssociationsConfiguration](policy-csp-applicationdefaults.md) +- [EnableAppUriHandlers](policy-csp-applicationdefaults.md) + +## ApplicationManagement + +- [RequirePrivateStoreOnly](policy-csp-applicationmanagement.md) +- [MSIAlwaysInstallWithElevatedPrivileges](policy-csp-applicationmanagement.md) +- [AllowAllTrustedApps](policy-csp-applicationmanagement.md) +- [AllowAppStoreAutoUpdate](policy-csp-applicationmanagement.md) +- [AllowAutomaticAppArchiving](policy-csp-applicationmanagement.md) +- [AllowDeveloperUnlock](policy-csp-applicationmanagement.md) +- [AllowGameDVR](policy-csp-applicationmanagement.md) +- [AllowSharedUserAppData](policy-csp-applicationmanagement.md) +- [RequirePrivateStoreOnly](policy-csp-applicationmanagement.md) +- [MSIAlwaysInstallWithElevatedPrivileges](policy-csp-applicationmanagement.md) +- [MSIAllowUserControlOverInstall](policy-csp-applicationmanagement.md) +- [RestrictAppDataToSystemVolume](policy-csp-applicationmanagement.md) +- [RestrictAppToSystemVolume](policy-csp-applicationmanagement.md) +- [DisableStoreOriginatedApps](policy-csp-applicationmanagement.md) +- [BlockNonAdminUserInstall](policy-csp-applicationmanagement.md) + +## Audit + +- [AccountLogon_AuditCredentialValidation](policy-csp-audit.md) +- [AccountLogon_AuditKerberosAuthenticationService](policy-csp-audit.md) +- [AccountLogon_AuditKerberosServiceTicketOperations](policy-csp-audit.md) +- [AccountLogon_AuditOtherAccountLogonEvents](policy-csp-audit.md) +- [AccountManagement_AuditApplicationGroupManagement](policy-csp-audit.md) +- [AccountManagement_AuditComputerAccountManagement](policy-csp-audit.md) +- [AccountManagement_AuditDistributionGroupManagement](policy-csp-audit.md) +- [AccountManagement_AuditOtherAccountManagementEvents](policy-csp-audit.md) +- [AccountManagement_AuditSecurityGroupManagement](policy-csp-audit.md) +- [AccountManagement_AuditUserAccountManagement](policy-csp-audit.md) +- [DetailedTracking_AuditDPAPIActivity](policy-csp-audit.md) +- [DetailedTracking_AuditPNPActivity](policy-csp-audit.md) +- [DetailedTracking_AuditProcessCreation](policy-csp-audit.md) +- [DetailedTracking_AuditProcessTermination](policy-csp-audit.md) +- [DetailedTracking_AuditRPCEvents](policy-csp-audit.md) +- [DetailedTracking_AuditTokenRightAdjusted](policy-csp-audit.md) +- [DSAccess_AuditDetailedDirectoryServiceReplication](policy-csp-audit.md) +- [DSAccess_AuditDirectoryServiceAccess](policy-csp-audit.md) +- [DSAccess_AuditDirectoryServiceChanges](policy-csp-audit.md) +- [DSAccess_AuditDirectoryServiceReplication](policy-csp-audit.md) +- [AccountLogonLogoff_AuditAccountLockout](policy-csp-audit.md) +- [AccountLogonLogoff_AuditUserDeviceClaims](policy-csp-audit.md) +- [AccountLogonLogoff_AuditGroupMembership](policy-csp-audit.md) +- [AccountLogonLogoff_AuditIPsecExtendedMode](policy-csp-audit.md) +- [AccountLogonLogoff_AuditIPsecMainMode](policy-csp-audit.md) +- [AccountLogonLogoff_AuditIPsecQuickMode](policy-csp-audit.md) +- [AccountLogonLogoff_AuditLogoff](policy-csp-audit.md) +- [AccountLogonLogoff_AuditLogon](policy-csp-audit.md) +- [AccountLogonLogoff_AuditNetworkPolicyServer](policy-csp-audit.md) +- [AccountLogonLogoff_AuditOtherLogonLogoffEvents](policy-csp-audit.md) +- [AccountLogonLogoff_AuditSpecialLogon](policy-csp-audit.md) +- [ObjectAccess_AuditApplicationGenerated](policy-csp-audit.md) +- [ObjectAccess_AuditCertificationServices](policy-csp-audit.md) +- [ObjectAccess_AuditDetailedFileShare](policy-csp-audit.md) +- [ObjectAccess_AuditFileShare](policy-csp-audit.md) +- [ObjectAccess_AuditFileSystem](policy-csp-audit.md) +- [ObjectAccess_AuditFilteringPlatformConnection](policy-csp-audit.md) +- [ObjectAccess_AuditFilteringPlatformPacketDrop](policy-csp-audit.md) +- [ObjectAccess_AuditHandleManipulation](policy-csp-audit.md) +- [ObjectAccess_AuditKernelObject](policy-csp-audit.md) +- [ObjectAccess_AuditOtherObjectAccessEvents](policy-csp-audit.md) +- [ObjectAccess_AuditRegistry](policy-csp-audit.md) +- [ObjectAccess_AuditRemovableStorage](policy-csp-audit.md) +- [ObjectAccess_AuditSAM](policy-csp-audit.md) +- [ObjectAccess_AuditCentralAccessPolicyStaging](policy-csp-audit.md) +- [PolicyChange_AuditPolicyChange](policy-csp-audit.md) +- [PolicyChange_AuditAuthenticationPolicyChange](policy-csp-audit.md) +- [PolicyChange_AuditAuthorizationPolicyChange](policy-csp-audit.md) +- [PolicyChange_AuditFilteringPlatformPolicyChange](policy-csp-audit.md) +- [PolicyChange_AuditMPSSVCRuleLevelPolicyChange](policy-csp-audit.md) +- [PolicyChange_AuditOtherPolicyChangeEvents](policy-csp-audit.md) +- [PrivilegeUse_AuditNonSensitivePrivilegeUse](policy-csp-audit.md) +- [PrivilegeUse_AuditOtherPrivilegeUseEvents](policy-csp-audit.md) +- [PrivilegeUse_AuditSensitivePrivilegeUse](policy-csp-audit.md) +- [System_AuditIPsecDriver](policy-csp-audit.md) +- [System_AuditOtherSystemEvents](policy-csp-audit.md) +- [System_AuditSecurityStateChange](policy-csp-audit.md) +- [System_AuditSecuritySystemExtension](policy-csp-audit.md) +- [System_AuditSystemIntegrity](policy-csp-audit.md) + +## Authentication + +- [AllowSecondaryAuthenticationDevice](policy-csp-authentication.md) + +## BITS + +- [JobInactivityTimeout](policy-csp-bits.md) +- [BandwidthThrottlingStartTime](policy-csp-bits.md) +- [BandwidthThrottlingEndTime](policy-csp-bits.md) +- [BandwidthThrottlingTransferRate](policy-csp-bits.md) +- [CostedNetworkBehaviorForegroundPriority](policy-csp-bits.md) +- [CostedNetworkBehaviorBackgroundPriority](policy-csp-bits.md) + +## Browser + +- [AllowAddressBarDropdown](policy-csp-browser.md) +- [AllowAutofill](policy-csp-browser.md) +- [AllowCookies](policy-csp-browser.md) +- [AllowDeveloperTools](policy-csp-browser.md) +- [AllowDoNotTrack](policy-csp-browser.md) +- [AllowExtensions](policy-csp-browser.md) +- [AllowFlash](policy-csp-browser.md) +- [AllowFlashClickToRun](policy-csp-browser.md) +- [AllowFullScreenMode](policy-csp-browser.md) +- [AllowInPrivate](policy-csp-browser.md) +- [AllowMicrosoftCompatibilityList](policy-csp-browser.md) +- [ConfigureTelemetryForMicrosoft365Analytics](policy-csp-browser.md) +- [AllowPasswordManager](policy-csp-browser.md) +- [AllowPopups](policy-csp-browser.md) +- [AllowPrinting](policy-csp-browser.md) +- [AllowSavingHistory](policy-csp-browser.md) +- [AllowSearchEngineCustomization](policy-csp-browser.md) +- [AllowSearchSuggestionsinAddressBar](policy-csp-browser.md) +- [AllowSideloadingOfExtensions](policy-csp-browser.md) +- [AllowSmartScreen](policy-csp-browser.md) +- [AllowWebContentOnNewTabPage](policy-csp-browser.md) +- [AlwaysEnableBooksLibrary](policy-csp-browser.md) +- [ClearBrowsingDataOnExit](policy-csp-browser.md) +- [ConfigureAdditionalSearchEngines](policy-csp-browser.md) +- [ConfigureFavoritesBar](policy-csp-browser.md) +- [ConfigureHomeButton](policy-csp-browser.md) +- [ConfigureOpenMicrosoftEdgeWith](policy-csp-browser.md) +- [DisableLockdownOfStartPages](policy-csp-browser.md) +- [EnableExtendedBooksTelemetry](policy-csp-browser.md) +- [AllowTabPreloading](policy-csp-browser.md) +- [AllowPrelaunch](policy-csp-browser.md) +- [EnterpriseModeSiteList](policy-csp-browser.md) +- [PreventTurningOffRequiredExtensions](policy-csp-browser.md) +- [HomePages](policy-csp-browser.md) +- [LockdownFavorites](policy-csp-browser.md) +- [ConfigureKioskMode](policy-csp-browser.md) +- [ConfigureKioskResetAfterIdleTimeout](policy-csp-browser.md) +- [PreventAccessToAboutFlagsInMicrosoftEdge](policy-csp-browser.md) +- [PreventFirstRunPage](policy-csp-browser.md) +- [PreventCertErrorOverrides](policy-csp-browser.md) +- [PreventSmartScreenPromptOverride](policy-csp-browser.md) +- [PreventSmartScreenPromptOverrideForFiles](policy-csp-browser.md) +- [PreventLiveTileDataCollection](policy-csp-browser.md) +- [PreventUsingLocalHostIPAddressForWebRTC](policy-csp-browser.md) +- [ProvisionFavorites](policy-csp-browser.md) +- [SendIntranetTraffictoInternetExplorer](policy-csp-browser.md) +- [SetDefaultSearchEngine](policy-csp-browser.md) +- [SetHomeButtonURL](policy-csp-browser.md) +- [SetNewTabPageURL](policy-csp-browser.md) +- [ShowMessageWhenOpeningSitesInInternetExplorer](policy-csp-browser.md) +- [SyncFavoritesBetweenIEAndMicrosoftEdge](policy-csp-browser.md) +- [UnlockHomeButton](policy-csp-browser.md) +- [UseSharedFolderForBooks](policy-csp-browser.md) +- [AllowAddressBarDropdown](policy-csp-browser.md) +- [AllowAutofill](policy-csp-browser.md) +- [AllowCookies](policy-csp-browser.md) +- [AllowDeveloperTools](policy-csp-browser.md) +- [AllowDoNotTrack](policy-csp-browser.md) +- [AllowExtensions](policy-csp-browser.md) +- [AllowFlash](policy-csp-browser.md) +- [AllowFlashClickToRun](policy-csp-browser.md) +- [AllowFullScreenMode](policy-csp-browser.md) +- [AllowInPrivate](policy-csp-browser.md) +- [AllowMicrosoftCompatibilityList](policy-csp-browser.md) +- [ConfigureTelemetryForMicrosoft365Analytics](policy-csp-browser.md) +- [AllowPasswordManager](policy-csp-browser.md) +- [AllowPopups](policy-csp-browser.md) +- [AllowPrinting](policy-csp-browser.md) +- [AllowSavingHistory](policy-csp-browser.md) +- [AllowSearchEngineCustomization](policy-csp-browser.md) +- [AllowSearchSuggestionsinAddressBar](policy-csp-browser.md) +- [AllowSideloadingOfExtensions](policy-csp-browser.md) +- [AllowSmartScreen](policy-csp-browser.md) +- [AllowWebContentOnNewTabPage](policy-csp-browser.md) +- [AlwaysEnableBooksLibrary](policy-csp-browser.md) +- [ClearBrowsingDataOnExit](policy-csp-browser.md) +- [ConfigureAdditionalSearchEngines](policy-csp-browser.md) +- [ConfigureFavoritesBar](policy-csp-browser.md) +- [ConfigureHomeButton](policy-csp-browser.md) +- [ConfigureOpenMicrosoftEdgeWith](policy-csp-browser.md) +- [DisableLockdownOfStartPages](policy-csp-browser.md) +- [EnableExtendedBooksTelemetry](policy-csp-browser.md) +- [AllowTabPreloading](policy-csp-browser.md) +- [AllowPrelaunch](policy-csp-browser.md) +- [EnterpriseModeSiteList](policy-csp-browser.md) +- [PreventTurningOffRequiredExtensions](policy-csp-browser.md) +- [HomePages](policy-csp-browser.md) +- [LockdownFavorites](policy-csp-browser.md) +- [ConfigureKioskMode](policy-csp-browser.md) +- [ConfigureKioskResetAfterIdleTimeout](policy-csp-browser.md) +- [PreventAccessToAboutFlagsInMicrosoftEdge](policy-csp-browser.md) +- [PreventFirstRunPage](policy-csp-browser.md) +- [PreventCertErrorOverrides](policy-csp-browser.md) +- [PreventSmartScreenPromptOverride](policy-csp-browser.md) +- [PreventSmartScreenPromptOverrideForFiles](policy-csp-browser.md) +- [PreventLiveTileDataCollection](policy-csp-browser.md) +- [PreventUsingLocalHostIPAddressForWebRTC](policy-csp-browser.md) +- [ProvisionFavorites](policy-csp-browser.md) +- [SendIntranetTraffictoInternetExplorer](policy-csp-browser.md) +- [SetDefaultSearchEngine](policy-csp-browser.md) +- [SetHomeButtonURL](policy-csp-browser.md) +- [SetNewTabPageURL](policy-csp-browser.md) +- [ShowMessageWhenOpeningSitesInInternetExplorer](policy-csp-browser.md) +- [SyncFavoritesBetweenIEAndMicrosoftEdge](policy-csp-browser.md) +- [UnlockHomeButton](policy-csp-browser.md) +- [UseSharedFolderForBooks](policy-csp-browser.md) + +## Camera + +- [AllowCamera](policy-csp-camera.md) + +## Cellular + +- [LetAppsAccessCellularData](policy-csp-cellular.md) +- [LetAppsAccessCellularData_ForceAllowTheseApps](policy-csp-cellular.md) +- [LetAppsAccessCellularData_ForceDenyTheseApps](policy-csp-cellular.md) +- [LetAppsAccessCellularData_UserInControlOfTheseApps](policy-csp-cellular.md) + +## Connectivity + +- [AllowCellularDataRoaming](policy-csp-connectivity.md) +- [AllowPhonePCLinking](policy-csp-connectivity.md) +- [DisallowNetworkConnectivityActiveTests](policy-csp-connectivity.md) + +## Cryptography + +- [AllowFipsAlgorithmPolicy](policy-csp-cryptography.md) + +## Defender + +- [AllowArchiveScanning](policy-csp-defender.md) +- [AllowBehaviorMonitoring](policy-csp-defender.md) +- [AllowCloudProtection](policy-csp-defender.md) +- [AllowEmailScanning](policy-csp-defender.md) +- [AllowFullScanOnMappedNetworkDrives](policy-csp-defender.md) +- [AllowFullScanRemovableDriveScanning](policy-csp-defender.md) +- [AllowIOAVProtection](policy-csp-defender.md) +- [AllowOnAccessProtection](policy-csp-defender.md) +- [AllowRealtimeMonitoring](policy-csp-defender.md) +- [AllowScanningNetworkFiles](policy-csp-defender.md) +- [AllowUserUIAccess](policy-csp-defender.md) +- [AttackSurfaceReductionOnlyExclusions](policy-csp-defender.md) +- [AttackSurfaceReductionRules](policy-csp-defender.md) +- [AvgCPULoadFactor](policy-csp-defender.md) +- [CloudBlockLevel](policy-csp-defender.md) +- [CloudExtendedTimeout](policy-csp-defender.md) +- [ControlledFolderAccessAllowedApplications](policy-csp-defender.md) +- [CheckForSignaturesBeforeRunningScan](policy-csp-defender.md) +- [SecurityIntelligenceLocation](policy-csp-defender.md) +- [ControlledFolderAccessProtectedFolders](policy-csp-defender.md) +- [DaysToRetainCleanedMalware](policy-csp-defender.md) +- [DisableCatchupFullScan](policy-csp-defender.md) +- [DisableCatchupQuickScan](policy-csp-defender.md) +- [EnableControlledFolderAccess](policy-csp-defender.md) +- [EnableLowCPUPriority](policy-csp-defender.md) +- [EnableNetworkProtection](policy-csp-defender.md) +- [ExcludedPaths](policy-csp-defender.md) +- [ExcludedExtensions](policy-csp-defender.md) +- [ExcludedProcesses](policy-csp-defender.md) +- [PUAProtection](policy-csp-defender.md) +- [RealTimeScanDirection](policy-csp-defender.md) +- [ScanParameter](policy-csp-defender.md) +- [ScheduleQuickScanTime](policy-csp-defender.md) +- [ScheduleScanDay](policy-csp-defender.md) +- [ScheduleScanTime](policy-csp-defender.md) +- [SignatureUpdateFallbackOrder](policy-csp-defender.md) +- [SignatureUpdateFileSharesSources](policy-csp-defender.md) +- [SignatureUpdateInterval](policy-csp-defender.md) +- [SubmitSamplesConsent](policy-csp-defender.md) +- [ThreatSeverityDefaultAction](policy-csp-defender.md) + +## DeliveryOptimization + +- [DODownloadMode](policy-csp-deliveryoptimization.md) +- [DOGroupId](policy-csp-deliveryoptimization.md) +- [DOMaxCacheSize](policy-csp-deliveryoptimization.md) +- [DOAbsoluteMaxCacheSize](policy-csp-deliveryoptimization.md) +- [DOMaxCacheAge](policy-csp-deliveryoptimization.md) +- [DOMonthlyUploadDataCap](policy-csp-deliveryoptimization.md) +- [DOMinBackgroundQos](policy-csp-deliveryoptimization.md) +- [DOModifyCacheDrive](policy-csp-deliveryoptimization.md) +- [DOMaxBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md) +- [DOMaxForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md) +- [DOPercentageMaxBackgroundBandwidth](policy-csp-deliveryoptimization.md) +- [DOPercentageMaxForegroundBandwidth](policy-csp-deliveryoptimization.md) +- [DOMinFileSizeToCache](policy-csp-deliveryoptimization.md) +- [DOAllowVPNPeerCaching](policy-csp-deliveryoptimization.md) +- [DOMinRAMAllowedToPeer](policy-csp-deliveryoptimization.md) +- [DOMinDiskSizeAllowedToPeer](policy-csp-deliveryoptimization.md) +- [DOMinBatteryPercentageAllowedToUpload](policy-csp-deliveryoptimization.md) +- [DOCacheHost](policy-csp-deliveryoptimization.md) +- [DOCacheHostSource](policy-csp-deliveryoptimization.md) +- [DOGroupIdSource](policy-csp-deliveryoptimization.md) +- [DODelayBackgroundDownloadFromHttp](policy-csp-deliveryoptimization.md) +- [DODelayForegroundDownloadFromHttp](policy-csp-deliveryoptimization.md) +- [DODelayCacheServerFallbackBackground](policy-csp-deliveryoptimization.md) +- [DODelayCacheServerFallbackForeground](policy-csp-deliveryoptimization.md) +- [DORestrictPeerSelectionBy](policy-csp-deliveryoptimization.md) + +## DeviceGuard + +- [EnableVirtualizationBasedSecurity](policy-csp-deviceguard.md) +- [RequirePlatformSecurityFeatures](policy-csp-deviceguard.md) +- [LsaCfgFlags](policy-csp-deviceguard.md) +- [ConfigureSystemGuardLaunch](policy-csp-deviceguard.md) + +## DeviceLock + +- [MinimumPasswordAge](policy-csp-devicelock.md) +- [MaximumPasswordAge](policy-csp-devicelock.md) +- [ClearTextPassword](policy-csp-devicelock.md) +- [PasswordComplexity](policy-csp-devicelock.md) +- [PasswordHistorySize](policy-csp-devicelock.md) + +## Display + +- [EnablePerProcessDpi](policy-csp-display.md) +- [TurnOnGdiDPIScalingForApps](policy-csp-display.md) +- [TurnOffGdiDPIScalingForApps](policy-csp-display.md) +- [EnablePerProcessDpi](policy-csp-display.md) +- [EnablePerProcessDpiForApps](policy-csp-display.md) +- [DisablePerProcessDpiForApps](policy-csp-display.md) + +## DmaGuard + +- [DeviceEnumerationPolicy](policy-csp-dmaguard.md) + +## Education + +- [AllowGraphingCalculator](policy-csp-education.md) +- [PreventAddingNewPrinters](policy-csp-education.md) + +## Experience + +- [AllowSpotlightCollection](policy-csp-experience.md) +- [AllowThirdPartySuggestionsInWindowsSpotlight](policy-csp-experience.md) +- [AllowWindowsSpotlight](policy-csp-experience.md) +- [AllowWindowsSpotlightOnActionCenter](policy-csp-experience.md) +- [AllowWindowsSpotlightOnSettings](policy-csp-experience.md) +- [AllowWindowsSpotlightWindowsWelcomeExperience](policy-csp-experience.md) +- [AllowTailoredExperiencesWithDiagnosticData](policy-csp-experience.md) +- [ConfigureWindowsSpotlightOnLockScreen](policy-csp-experience.md) +- [AllowCortana](policy-csp-experience.md) +- [AllowWindowsConsumerFeatures](policy-csp-experience.md) +- [AllowWindowsTips](policy-csp-experience.md) +- [DoNotShowFeedbackNotifications](policy-csp-experience.md) +- [AllowFindMyDevice](policy-csp-experience.md) +- [AllowClipboardHistory](policy-csp-experience.md) +- [DoNotSyncBrowserSettings](policy-csp-experience.md) +- [PreventUsersFromTurningOnBrowserSyncing](policy-csp-experience.md) +- [ShowLockOnUserTile](policy-csp-experience.md) +- [DisableCloudOptimizedContent](policy-csp-experience.md) +- [DisableConsumerAccountStateContent](policy-csp-experience.md) +- [ConfigureChatIcon](policy-csp-experience.md) + +## ExploitGuard + +- [ExploitProtectionSettings](policy-csp-exploitguard.md) + +## FileExplorer + +- [DisableGraphRecentItems](policy-csp-fileexplorer.md) + +## Handwriting + +- [PanelDefaultModeDocked](policy-csp-handwriting.md) + +## HumanPresence + +- [ForceInstantWake](policy-csp-humanpresence.md) +- [ForceInstantLock](policy-csp-humanpresence.md) +- [ForceLockTimeout](policy-csp-humanpresence.md) +- [ForceInstantDim](policy-csp-humanpresence.md) + +## Kerberos + +- [PKInitHashAlgorithmConfiguration](policy-csp-kerberos.md) +- [PKInitHashAlgorithmSHA1](policy-csp-kerberos.md) +- [PKInitHashAlgorithmSHA256](policy-csp-kerberos.md) +- [PKInitHashAlgorithmSHA384](policy-csp-kerberos.md) +- [PKInitHashAlgorithmSHA512](policy-csp-kerberos.md) +- [CloudKerberosTicketRetrievalEnabled](policy-csp-kerberos.md) + +## LanmanWorkstation + +- [EnableInsecureGuestLogons](policy-csp-lanmanworkstation.md) + +## Licensing + +- [AllowWindowsEntitlementReactivation](policy-csp-licensing.md) +- [DisallowKMSClientOnlineAVSValidation](policy-csp-licensing.md) + +## LocalPoliciesSecurityOptions + +- [Accounts_EnableAdministratorAccountStatus](policy-csp-localpoliciessecurityoptions.md) +- [Accounts_BlockMicrosoftAccounts](policy-csp-localpoliciessecurityoptions.md) +- [Accounts_EnableGuestAccountStatus](policy-csp-localpoliciessecurityoptions.md) +- [Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly](policy-csp-localpoliciessecurityoptions.md) +- [Accounts_RenameAdministratorAccount](policy-csp-localpoliciessecurityoptions.md) +- [Accounts_RenameGuestAccount](policy-csp-localpoliciessecurityoptions.md) +- [Devices_AllowUndockWithoutHavingToLogon](policy-csp-localpoliciessecurityoptions.md) +- [Devices_AllowedToFormatAndEjectRemovableMedia](policy-csp-localpoliciessecurityoptions.md) +- [Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters](policy-csp-localpoliciessecurityoptions.md) +- [Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly](policy-csp-localpoliciessecurityoptions.md) +- [InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked](policy-csp-localpoliciessecurityoptions.md) +- [InteractiveLogon_DoNotRequireCTRLALTDEL](policy-csp-localpoliciessecurityoptions.md) +- [InteractiveLogon_DoNotDisplayLastSignedIn](policy-csp-localpoliciessecurityoptions.md) +- [InteractiveLogon_DoNotDisplayUsernameAtSignIn](policy-csp-localpoliciessecurityoptions.md) +- [InteractiveLogon_MachineInactivityLimit](policy-csp-localpoliciessecurityoptions.md) +- [InteractiveLogon_MessageTextForUsersAttemptingToLogOn](policy-csp-localpoliciessecurityoptions.md) +- [InteractiveLogon_MessageTitleForUsersAttemptingToLogOn](policy-csp-localpoliciessecurityoptions.md) +- [InteractiveLogon_SmartCardRemovalBehavior](policy-csp-localpoliciessecurityoptions.md) +- [MicrosoftNetworkClient_DigitallySignCommunicationsAlways](policy-csp-localpoliciessecurityoptions.md) +- [MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees](policy-csp-localpoliciessecurityoptions.md) +- [MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers](policy-csp-localpoliciessecurityoptions.md) +- [MicrosoftNetworkServer_DigitallySignCommunicationsAlways](policy-csp-localpoliciessecurityoptions.md) +- [MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees](policy-csp-localpoliciessecurityoptions.md) +- [NetworkAccess_AllowAnonymousSIDOrNameTranslation](policy-csp-localpoliciessecurityoptions.md) +- [NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts](policy-csp-localpoliciessecurityoptions.md) +- [NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares](policy-csp-localpoliciessecurityoptions.md) +- [NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares](policy-csp-localpoliciessecurityoptions.md) +- [NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM](policy-csp-localpoliciessecurityoptions.md) +- [NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM](policy-csp-localpoliciessecurityoptions.md) +- [NetworkSecurity_AllowPKU2UAuthenticationRequests](policy-csp-localpoliciessecurityoptions.md) +- [NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange](policy-csp-localpoliciessecurityoptions.md) +- [NetworkSecurity_ForceLogoffWhenLogonHoursExpire](policy-csp-localpoliciessecurityoptions.md) +- [NetworkSecurity_LANManagerAuthenticationLevel](policy-csp-localpoliciessecurityoptions.md) +- [NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients](policy-csp-localpoliciessecurityoptions.md) +- [NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers](policy-csp-localpoliciessecurityoptions.md) +- [NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication](policy-csp-localpoliciessecurityoptions.md) +- [NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic](policy-csp-localpoliciessecurityoptions.md) +- [NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic](policy-csp-localpoliciessecurityoptions.md) +- [NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers](policy-csp-localpoliciessecurityoptions.md) +- [Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn](policy-csp-localpoliciessecurityoptions.md) +- [Shutdown_ClearVirtualMemoryPageFile](policy-csp-localpoliciessecurityoptions.md) +- [UserAccountControl_UseAdminApprovalMode](policy-csp-localpoliciessecurityoptions.md) +- [UserAccountControl_AllowUIAccessApplicationsToPromptForElevation](policy-csp-localpoliciessecurityoptions.md) +- [UserAccountControl_BehaviorOfTheElevationPromptForAdministrators](policy-csp-localpoliciessecurityoptions.md) +- [UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers](policy-csp-localpoliciessecurityoptions.md) +- [UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated](policy-csp-localpoliciessecurityoptions.md) +- [UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations](policy-csp-localpoliciessecurityoptions.md) +- [UserAccountControl_RunAllAdministratorsInAdminApprovalMode](policy-csp-localpoliciessecurityoptions.md) +- [UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation](policy-csp-localpoliciessecurityoptions.md) +- [UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations](policy-csp-localpoliciessecurityoptions.md) +- [UserAccountControl_DetectApplicationInstallationsAndPromptForElevation](policy-csp-localpoliciessecurityoptions.md) + +## LocalSecurityAuthority + +- [ConfigureLsaProtectedProcess](policy-csp-lsa.md) + +## LockDown + +- [AllowEdgeSwipe](policy-csp-lockdown.md) + +## Maps + +- [EnableOfflineMapsAutoUpdate](policy-csp-maps.md) + +## Messaging + +- [AllowMessageSync](policy-csp-messaging.md) + +## Multitasking + +- [BrowserAltTabBlowout](policy-csp-multitasking.md) + +## NetworkIsolation + +- [EnterpriseCloudResources](policy-csp-networkisolation.md) +- [EnterpriseInternalProxyServers](policy-csp-networkisolation.md) +- [EnterpriseIPRange](policy-csp-networkisolation.md) +- [EnterpriseIPRangesAreAuthoritative](policy-csp-networkisolation.md) +- [EnterpriseProxyServers](policy-csp-networkisolation.md) +- [EnterpriseProxyServersAreAuthoritative](policy-csp-networkisolation.md) +- [NeutralResources](policy-csp-networkisolation.md) + +## NewsAndInterests + +- [AllowNewsAndInterests](policy-csp-newsandinterests.md) + +## Notifications + +- [DisallowNotificationMirroring](policy-csp-notifications.md) +- [DisallowTileNotification](policy-csp-notifications.md) +- [DisallowCloudNotification](policy-csp-notifications.md) +- [WnsEndpoint](policy-csp-notifications.md) + +## Power + +- [EnergySaverBatteryThresholdPluggedIn](policy-csp-power.md) +- [EnergySaverBatteryThresholdOnBattery](policy-csp-power.md) +- [SelectPowerButtonActionPluggedIn](policy-csp-power.md) +- [SelectPowerButtonActionOnBattery](policy-csp-power.md) +- [SelectSleepButtonActionPluggedIn](policy-csp-power.md) +- [SelectSleepButtonActionOnBattery](policy-csp-power.md) +- [SelectLidCloseActionPluggedIn](policy-csp-power.md) +- [SelectLidCloseActionOnBattery](policy-csp-power.md) +- [TurnOffHybridSleepPluggedIn](policy-csp-power.md) +- [TurnOffHybridSleepOnBattery](policy-csp-power.md) +- [UnattendedSleepTimeoutPluggedIn](policy-csp-power.md) +- [UnattendedSleepTimeoutOnBattery](policy-csp-power.md) + +## Privacy + +- [DisablePrivacyExperience](policy-csp-privacy.md) +- [DisableAdvertisingId](policy-csp-privacy.md) +- [LetAppsGetDiagnosticInfo](policy-csp-privacy.md) +- [LetAppsGetDiagnosticInfo_ForceAllowTheseApps](policy-csp-privacy.md) +- [LetAppsGetDiagnosticInfo_ForceDenyTheseApps](policy-csp-privacy.md) +- [LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](policy-csp-privacy.md) +- [LetAppsRunInBackground](policy-csp-privacy.md) +- [LetAppsRunInBackground_ForceAllowTheseApps](policy-csp-privacy.md) +- [LetAppsRunInBackground_ForceDenyTheseApps](policy-csp-privacy.md) +- [LetAppsRunInBackground_UserInControlOfTheseApps](policy-csp-privacy.md) +- [AllowInputPersonalization](policy-csp-privacy.md) +- [LetAppsAccessAccountInfo](policy-csp-privacy.md) +- [LetAppsAccessAccountInfo_ForceAllowTheseApps](policy-csp-privacy.md) +- [LetAppsAccessAccountInfo_ForceDenyTheseApps](policy-csp-privacy.md) +- [LetAppsAccessAccountInfo_UserInControlOfTheseApps](policy-csp-privacy.md) +- [LetAppsAccessCalendar](policy-csp-privacy.md) +- [LetAppsAccessCalendar_ForceAllowTheseApps](policy-csp-privacy.md) +- [LetAppsAccessCalendar_ForceDenyTheseApps](policy-csp-privacy.md) +- [LetAppsAccessCalendar_UserInControlOfTheseApps](policy-csp-privacy.md) +- [LetAppsAccessCallHistory](policy-csp-privacy.md) +- [LetAppsAccessCallHistory_ForceAllowTheseApps](policy-csp-privacy.md) +- [LetAppsAccessCallHistory_ForceDenyTheseApps](policy-csp-privacy.md) +- [LetAppsAccessCallHistory_UserInControlOfTheseApps](policy-csp-privacy.md) +- [LetAppsAccessCamera](policy-csp-privacy.md) +- [LetAppsAccessCamera_ForceAllowTheseApps](policy-csp-privacy.md) +- [LetAppsAccessCamera_ForceDenyTheseApps](policy-csp-privacy.md) +- [LetAppsAccessCamera_UserInControlOfTheseApps](policy-csp-privacy.md) +- [LetAppsAccessContacts](policy-csp-privacy.md) +- [LetAppsAccessContacts_ForceAllowTheseApps](policy-csp-privacy.md) +- [LetAppsAccessContacts_ForceDenyTheseApps](policy-csp-privacy.md) +- [LetAppsAccessContacts_UserInControlOfTheseApps](policy-csp-privacy.md) +- [LetAppsAccessEmail](policy-csp-privacy.md) +- [LetAppsAccessEmail_ForceAllowTheseApps](policy-csp-privacy.md) +- [LetAppsAccessEmail_ForceDenyTheseApps](policy-csp-privacy.md) +- [LetAppsAccessEmail_UserInControlOfTheseApps](policy-csp-privacy.md) +- [LetAppsAccessGraphicsCaptureProgrammatic](policy-csp-privacy.md) +- [LetAppsAccessGraphicsCaptureProgrammatic_ForceAllowTheseApps](policy-csp-privacy.md) +- [LetAppsAccessGraphicsCaptureProgrammatic_ForceDenyTheseApps](policy-csp-privacy.md) +- [LetAppsAccessGraphicsCaptureProgrammatic_UserInControlOfTheseApps](policy-csp-privacy.md) +- [LetAppsAccessGraphicsCaptureWithoutBorder](policy-csp-privacy.md) +- [LetAppsAccessGraphicsCaptureWithoutBorder_ForceAllowTheseApps](policy-csp-privacy.md) +- [LetAppsAccessGraphicsCaptureWithoutBorder_ForceDenyTheseApps](policy-csp-privacy.md) +- [LetAppsAccessGraphicsCaptureWithoutBorder_UserInControlOfTheseApps](policy-csp-privacy.md) +- [LetAppsAccessLocation](policy-csp-privacy.md) +- [LetAppsAccessLocation_ForceAllowTheseApps](policy-csp-privacy.md) +- [LetAppsAccessLocation_ForceDenyTheseApps](policy-csp-privacy.md) +- [LetAppsAccessLocation_UserInControlOfTheseApps](policy-csp-privacy.md) +- [LetAppsAccessMessaging](policy-csp-privacy.md) +- [LetAppsAccessMessaging_ForceAllowTheseApps](policy-csp-privacy.md) +- [LetAppsAccessMessaging_ForceDenyTheseApps](policy-csp-privacy.md) +- [LetAppsAccessMessaging_UserInControlOfTheseApps](policy-csp-privacy.md) +- [LetAppsAccessMicrophone](policy-csp-privacy.md) +- [LetAppsAccessMicrophone_ForceAllowTheseApps](policy-csp-privacy.md) +- [LetAppsAccessMicrophone_ForceDenyTheseApps](policy-csp-privacy.md) +- [LetAppsAccessMicrophone_UserInControlOfTheseApps](policy-csp-privacy.md) +- [LetAppsAccessMotion](policy-csp-privacy.md) +- [LetAppsAccessMotion_ForceAllowTheseApps](policy-csp-privacy.md) +- [LetAppsAccessMotion_ForceDenyTheseApps](policy-csp-privacy.md) +- [LetAppsAccessMotion_UserInControlOfTheseApps](policy-csp-privacy.md) +- [LetAppsAccessNotifications](policy-csp-privacy.md) +- [LetAppsAccessNotifications_ForceAllowTheseApps](policy-csp-privacy.md) +- [LetAppsAccessNotifications_ForceDenyTheseApps](policy-csp-privacy.md) +- [LetAppsAccessNotifications_UserInControlOfTheseApps](policy-csp-privacy.md) +- [LetAppsAccessPhone](policy-csp-privacy.md) +- [LetAppsAccessPhone_ForceAllowTheseApps](policy-csp-privacy.md) +- [LetAppsAccessPhone_ForceDenyTheseApps](policy-csp-privacy.md) +- [LetAppsAccessPhone_UserInControlOfTheseApps](policy-csp-privacy.md) +- [LetAppsAccessRadios](policy-csp-privacy.md) +- [LetAppsAccessRadios_ForceAllowTheseApps](policy-csp-privacy.md) +- [LetAppsAccessRadios_ForceDenyTheseApps](policy-csp-privacy.md) +- [LetAppsAccessRadios_UserInControlOfTheseApps](policy-csp-privacy.md) +- [LetAppsAccessTasks](policy-csp-privacy.md) +- [LetAppsAccessTasks_ForceAllowTheseApps](policy-csp-privacy.md) +- [LetAppsAccessTasks_ForceDenyTheseApps](policy-csp-privacy.md) +- [LetAppsAccessTasks_UserInControlOfTheseApps](policy-csp-privacy.md) +- [LetAppsAccessTrustedDevices](policy-csp-privacy.md) +- [LetAppsAccessTrustedDevices_ForceAllowTheseApps](policy-csp-privacy.md) +- [LetAppsAccessTrustedDevices_ForceDenyTheseApps](policy-csp-privacy.md) +- [LetAppsAccessTrustedDevices_UserInControlOfTheseApps](policy-csp-privacy.md) +- [LetAppsSyncWithDevices](policy-csp-privacy.md) +- [LetAppsSyncWithDevices_ForceAllowTheseApps](policy-csp-privacy.md) +- [LetAppsSyncWithDevices_ForceDenyTheseApps](policy-csp-privacy.md) +- [LetAppsSyncWithDevices_UserInControlOfTheseApps](policy-csp-privacy.md) +- [EnableActivityFeed](policy-csp-privacy.md) +- [PublishUserActivities](policy-csp-privacy.md) +- [UploadUserActivities](policy-csp-privacy.md) +- [AllowCrossDeviceClipboard](policy-csp-privacy.md) +- [DisablePrivacyExperience](policy-csp-privacy.md) +- [LetAppsActivateWithVoice](policy-csp-privacy.md) +- [LetAppsActivateWithVoiceAboveLock](policy-csp-privacy.md) + +## RemoteDesktop + +- [AutoSubscription](policy-csp-remotedesktop.md) + +## Search + +- [AllowIndexingEncryptedStoresOrItems](policy-csp-search.md) +- [AllowSearchToUseLocation](policy-csp-search.md) +- [AllowUsingDiacritics](policy-csp-search.md) +- [AlwaysUseAutoLangDetection](policy-csp-search.md) +- [DisableBackoff](policy-csp-search.md) +- [DisableRemovableDriveIndexing](policy-csp-search.md) +- [DisableSearch](policy-csp-search.md) +- [PreventIndexingLowDiskSpaceMB](policy-csp-search.md) +- [PreventRemoteQueries](policy-csp-search.md) +- [AllowCloudSearch](policy-csp-search.md) +- [DoNotUseWebResults](policy-csp-search.md) +- [AllowCortanaInAAD](policy-csp-search.md) +- [AllowFindMyFiles](policy-csp-search.md) +- [AllowSearchHighlights](policy-csp-search.md) + +## Security + +- [ClearTPMIfNotReady](policy-csp-security.md) + +## Settings + +- [ConfigureTaskbarCalendar](policy-csp-settings.md) +- [PageVisibilityList](policy-csp-settings.md) +- [PageVisibilityList](policy-csp-settings.md) +- [AllowOnlineTips](policy-csp-settings.md) + +## SmartScreen + +- [EnableSmartScreenInShell](policy-csp-smartscreen.md) +- [PreventOverrideForFilesInShell](policy-csp-smartscreen.md) +- [EnableAppInstallControl](policy-csp-smartscreen.md) + +## Speech + +- [AllowSpeechModelUpdate](policy-csp-speech.md) + +## Start + +- [ForceStartSize](policy-csp-start.md) +- [DisableContextMenus](policy-csp-start.md) +- [ShowOrHideMostUsedApps](policy-csp-start.md) +- [HideFrequentlyUsedApps](policy-csp-start.md) +- [HideRecentlyAddedApps](policy-csp-start.md) +- [HidePeopleBar](policy-csp-start.md) +- [StartLayout](policy-csp-start.md) +- [ConfigureStartPins](policy-csp-start.md) +- [HideRecommendedSection](policy-csp-start.md) +- [HideTaskViewButton](policy-csp-start.md) +- [DisableControlCenter](policy-csp-start.md) +- [ForceStartSize](policy-csp-start.md) +- [DisableContextMenus](policy-csp-start.md) +- [ShowOrHideMostUsedApps](policy-csp-start.md) +- [HideFrequentlyUsedApps](policy-csp-start.md) +- [HideRecentlyAddedApps](policy-csp-start.md) +- [StartLayout](policy-csp-start.md) +- [ConfigureStartPins](policy-csp-start.md) +- [HideRecommendedSection](policy-csp-start.md) +- [SimplifyQuickSettings](policy-csp-start.md) +- [DisableEditingQuickSettings](policy-csp-start.md) +- [HideTaskViewButton](policy-csp-start.md) + +## Storage + +- [AllowDiskHealthModelUpdates](policy-csp-storage.md) +- [RemovableDiskDenyWriteAccess](policy-csp-storage.md) +- [AllowStorageSenseGlobal](policy-csp-storage.md) +- [ConfigStorageSenseGlobalCadence](policy-csp-storage.md) +- [AllowStorageSenseTemporaryFilesCleanup](policy-csp-storage.md) +- [ConfigStorageSenseRecycleBinCleanupThreshold](policy-csp-storage.md) +- [ConfigStorageSenseDownloadsCleanupThreshold](policy-csp-storage.md) +- [ConfigStorageSenseCloudContentDehydrationThreshold](policy-csp-storage.md) + +## System + +- [AllowTelemetry](policy-csp-system.md) +- [AllowBuildPreview](policy-csp-system.md) +- [AllowFontProviders](policy-csp-system.md) +- [AllowLocation](policy-csp-system.md) +- [AllowTelemetry](policy-csp-system.md) +- [TelemetryProxy](policy-csp-system.md) +- [DisableOneDriveFileSync](policy-csp-system.md) +- [AllowWUfBCloudProcessing](policy-csp-system.md) +- [AllowUpdateComplianceProcessing](policy-csp-system.md) +- [AllowDesktopAnalyticsProcessing](policy-csp-system.md) +- [DisableEnterpriseAuthProxy](policy-csp-system.md) +- [LimitEnhancedDiagnosticDataWindowsAnalytics](policy-csp-system.md) +- [AllowDeviceNameInDiagnosticData](policy-csp-system.md) +- [ConfigureTelemetryOptInSettingsUx](policy-csp-system.md) +- [ConfigureTelemetryOptInChangeNotification](policy-csp-system.md) +- [DisableDeviceDelete](policy-csp-system.md) +- [DisableDiagnosticDataViewer](policy-csp-system.md) +- [ConfigureMicrosoft365UploadEndpoint](policy-csp-system.md) +- [TurnOffFileHistory](policy-csp-system.md) +- [DisableDirectXDatabaseUpdate](policy-csp-system.md) +- [AllowCommercialDataPipeline](policy-csp-system.md) +- [LimitDiagnosticLogCollection](policy-csp-system.md) +- [LimitDumpCollection](policy-csp-system.md) +- [EnableOneSettingsAuditing](policy-csp-system.md) +- [DisableOneSettingsDownloads](policy-csp-system.md) +- [HideUnsupportedHardwareNotifications](policy-csp-system.md) + +## SystemServices + +- [ConfigureHomeGroupListenerServiceStartupMode](policy-csp-systemservices.md) +- [ConfigureHomeGroupProviderServiceStartupMode](policy-csp-systemservices.md) +- [ConfigureXboxAccessoryManagementServiceStartupMode](policy-csp-systemservices.md) +- [ConfigureXboxLiveAuthManagerServiceStartupMode](policy-csp-systemservices.md) +- [ConfigureXboxLiveGameSaveServiceStartupMode](policy-csp-systemservices.md) +- [ConfigureXboxLiveNetworkingServiceStartupMode](policy-csp-systemservices.md) + +## TextInput + +- [AllowLanguageFeaturesUninstall](policy-csp-textinput.md) +- [AllowLinguisticDataCollection](policy-csp-textinput.md) +- [ConfigureSimplifiedChineseIMEVersion](policy-csp-textinput.md) +- [ConfigureTraditionalChineseIMEVersion](policy-csp-textinput.md) +- [ConfigureJapaneseIMEVersion](policy-csp-textinput.md) +- [ConfigureKoreanIMEVersion](policy-csp-textinput.md) + +## TimeLanguageSettings + +- [RestrictLanguagePacksAndFeaturesInstall](policy-csp-timelanguagesettings.md) +- [BlockCleanupOfUnusedPreinstalledLangPacks](policy-csp-timelanguagesettings.md) +- [MachineUILanguageOverwrite](policy-csp-timelanguagesettings.md) +- [RestrictLanguagePacksAndFeaturesInstall](policy-csp-timelanguagesettings.md) + +## Troubleshooting + +- [AllowRecommendations](policy-csp-troubleshooting.md) + +## Update + +- [ActiveHoursEnd](policy-csp-update.md) +- [ActiveHoursStart](policy-csp-update.md) +- [ActiveHoursMaxRange](policy-csp-update.md) +- [AutoRestartRequiredNotificationDismissal](policy-csp-update.md) +- [AutoRestartNotificationSchedule](policy-csp-update.md) +- [SetAutoRestartNotificationDisable](policy-csp-update.md) +- [ScheduleRestartWarning](policy-csp-update.md) +- [ScheduleImminentRestartWarning](policy-csp-update.md) +- [AllowAutoUpdate](policy-csp-update.md) +- [AutoRestartDeadlinePeriodInDays](policy-csp-update.md) +- [AutoRestartDeadlinePeriodInDaysForFeatureUpdates](policy-csp-update.md) +- [EngagedRestartTransitionSchedule](policy-csp-update.md) +- [EngagedRestartSnoozeSchedule](policy-csp-update.md) +- [EngagedRestartDeadline](policy-csp-update.md) +- [EngagedRestartTransitionScheduleForFeatureUpdates](policy-csp-update.md) +- [EngagedRestartSnoozeScheduleForFeatureUpdates](policy-csp-update.md) +- [EngagedRestartDeadlineForFeatureUpdates](policy-csp-update.md) +- [DetectionFrequency](policy-csp-update.md) +- [ManagePreviewBuilds](policy-csp-update.md) +- [BranchReadinessLevel](policy-csp-update.md) +- [ProductVersion](policy-csp-update.md) +- [TargetReleaseVersion](policy-csp-update.md) +- [AllowUpdateService](policy-csp-update.md) +- [DeferFeatureUpdatesPeriodInDays](policy-csp-update.md) +- [DeferQualityUpdatesPeriodInDays](policy-csp-update.md) +- [DeferUpdatePeriod](policy-csp-update.md) +- [DeferUpgradePeriod](policy-csp-update.md) +- [ExcludeWUDriversInQualityUpdate](policy-csp-update.md) +- [PauseDeferrals](policy-csp-update.md) +- [PauseFeatureUpdates](policy-csp-update.md) +- [PauseQualityUpdates](policy-csp-update.md) +- [PauseFeatureUpdatesStartTime](policy-csp-update.md) +- [PauseQualityUpdatesStartTime](policy-csp-update.md) +- [RequireDeferUpgrade](policy-csp-update.md) +- [AllowMUUpdateService](policy-csp-update.md) +- [ScheduledInstallDay](policy-csp-update.md) +- [ScheduledInstallTime](policy-csp-update.md) +- [ScheduledInstallEveryWeek](policy-csp-update.md) +- [ScheduledInstallFirstWeek](policy-csp-update.md) +- [ScheduledInstallSecondWeek](policy-csp-update.md) +- [ScheduledInstallThirdWeek](policy-csp-update.md) +- [ScheduledInstallFourthWeek](policy-csp-update.md) +- [UpdateServiceUrl](policy-csp-update.md) +- [UpdateServiceUrlAlternate](policy-csp-update.md) +- [FillEmptyContentUrls](policy-csp-update.md) +- [SetProxyBehaviorForUpdateDetection](policy-csp-update.md) +- [DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection](policy-csp-update.md) +- [SetPolicyDrivenUpdateSourceForFeatureUpdates](policy-csp-update.md) +- [SetPolicyDrivenUpdateSourceForQualityUpdates](policy-csp-update.md) +- [SetPolicyDrivenUpdateSourceForDriverUpdates](policy-csp-update.md) +- [SetPolicyDrivenUpdateSourceForOtherUpdates](policy-csp-update.md) +- [SetEDURestart](policy-csp-update.md) +- [AllowAutoWindowsUpdateDownloadOverMeteredNetwork](policy-csp-update.md) +- [SetDisableUXWUAccess](policy-csp-update.md) +- [SetDisablePauseUXAccess](policy-csp-update.md) +- [UpdateNotificationLevel](policy-csp-update.md) +- [NoUpdateNotificationsDuringActiveHours](policy-csp-update.md) +- [DisableDualScan](policy-csp-update.md) +- [AutomaticMaintenanceWakeUp](policy-csp-update.md) +- [ConfigureDeadlineForQualityUpdates](policy-csp-update.md) +- [ConfigureDeadlineForFeatureUpdates](policy-csp-update.md) +- [ConfigureDeadlineGracePeriod](policy-csp-update.md) +- [ConfigureDeadlineGracePeriodForFeatureUpdates](policy-csp-update.md) +- [ConfigureDeadlineNoAutoReboot](policy-csp-update.md) +- [ConfigureDeadlineNoAutoRebootForFeatureUpdates](policy-csp-update.md) +- [ConfigureDeadlineNoAutoRebootForQualityUpdates](policy-csp-update.md) + +## UserRights + +- [AccessCredentialManagerAsTrustedCaller](policy-csp-userrights.md) +- [AccessFromNetwork](policy-csp-userrights.md) +- [ActAsPartOfTheOperatingSystem](policy-csp-userrights.md) +- [AllowLocalLogOn](policy-csp-userrights.md) +- [BackupFilesAndDirectories](policy-csp-userrights.md) +- [ChangeSystemTime](policy-csp-userrights.md) +- [CreatePageFile](policy-csp-userrights.md) +- [CreateToken](policy-csp-userrights.md) +- [CreateGlobalObjects](policy-csp-userrights.md) +- [CreatePermanentSharedObjects](policy-csp-userrights.md) +- [CreateSymbolicLinks](policy-csp-userrights.md) +- [DebugPrograms](policy-csp-userrights.md) +- [DenyAccessFromNetwork](policy-csp-userrights.md) +- [DenyLocalLogOn](policy-csp-userrights.md) +- [DenyRemoteDesktopServicesLogOn](policy-csp-userrights.md) +- [EnableDelegation](policy-csp-userrights.md) +- [RemoteShutdown](policy-csp-userrights.md) +- [GenerateSecurityAudits](policy-csp-userrights.md) +- [ImpersonateClient](policy-csp-userrights.md) +- [IncreaseSchedulingPriority](policy-csp-userrights.md) +- [LoadUnloadDeviceDrivers](policy-csp-userrights.md) +- [LockMemory](policy-csp-userrights.md) +- [ManageAuditingAndSecurityLog](policy-csp-userrights.md) +- [ModifyObjectLabel](policy-csp-userrights.md) +- [ModifyFirmwareEnvironment](policy-csp-userrights.md) +- [ManageVolume](policy-csp-userrights.md) +- [ProfileSingleProcess](policy-csp-userrights.md) +- [RestoreFilesAndDirectories](policy-csp-userrights.md) +- [TakeOwnership](policy-csp-userrights.md) +- [BypassTraverseChecking](policy-csp-userrights.md) +- [ReplaceProcessLevelToken](policy-csp-userrights.md) +- [ChangeTimeZone](policy-csp-userrights.md) +- [ShutDownTheSystem](policy-csp-userrights.md) +- [LogOnAsBatchJob](policy-csp-userrights.md) +- [ProfileSystemPerformance](policy-csp-userrights.md) +- [DenyLogOnAsBatchJob](policy-csp-userrights.md) +- [LogOnAsService](policy-csp-userrights.md) +- [IncreaseProcessWorkingSet](policy-csp-userrights.md) + +## VirtualizationBasedTechnology + +- [HypervisorEnforcedCodeIntegrity](policy-csp-virtualizationbasedtechnology.md) +- [RequireUEFIMemoryAttributesTable](policy-csp-virtualizationbasedtechnology.md) + +## WebThreatDefense + +- [ServiceEnabled](policy-csp-webthreatdefense.md) +- [NotifyMalicious](policy-csp-webthreatdefense.md) +- [NotifyPasswordReuse](policy-csp-webthreatdefense.md) +- [NotifyUnsafeApp](policy-csp-webthreatdefense.md) + +## Wifi + +- [AllowAutoConnectToWiFiSenseHotspots](policy-csp-wifi.md) +- [AllowInternetSharing](policy-csp-wifi.md) + +## WindowsDefenderSecurityCenter + +- [CompanyName](policy-csp-windowsdefendersecuritycenter.md) +- [DisableAppBrowserUI](policy-csp-windowsdefendersecuritycenter.md) +- [DisableEnhancedNotifications](policy-csp-windowsdefendersecuritycenter.md) +- [DisableFamilyUI](policy-csp-windowsdefendersecuritycenter.md) +- [DisableAccountProtectionUI](policy-csp-windowsdefendersecuritycenter.md) +- [DisableClearTpmButton](policy-csp-windowsdefendersecuritycenter.md) +- [DisableDeviceSecurityUI](policy-csp-windowsdefendersecuritycenter.md) +- [DisableHealthUI](policy-csp-windowsdefendersecuritycenter.md) +- [DisableNetworkUI](policy-csp-windowsdefendersecuritycenter.md) +- [DisableNotifications](policy-csp-windowsdefendersecuritycenter.md) +- [DisableTpmFirmwareUpdateWarning](policy-csp-windowsdefendersecuritycenter.md) +- [DisableVirusUI](policy-csp-windowsdefendersecuritycenter.md) +- [DisallowExploitProtectionOverride](policy-csp-windowsdefendersecuritycenter.md) +- [Email](policy-csp-windowsdefendersecuritycenter.md) +- [EnableCustomizedToasts](policy-csp-windowsdefendersecuritycenter.md) +- [EnableInAppCustomization](policy-csp-windowsdefendersecuritycenter.md) +- [HideRansomwareDataRecovery](policy-csp-windowsdefendersecuritycenter.md) +- [HideSecureBoot](policy-csp-windowsdefendersecuritycenter.md) +- [HideTPMTroubleshooting](policy-csp-windowsdefendersecuritycenter.md) +- [HideWindowsSecurityNotificationAreaControl](policy-csp-windowsdefendersecuritycenter.md) +- [Phone](policy-csp-windowsdefendersecuritycenter.md) +- [URL](policy-csp-windowsdefendersecuritycenter.md) + +## WindowsInkWorkspace + +- [AllowWindowsInkWorkspace](policy-csp-windowsinkworkspace.md) +- [AllowSuggestedAppsInWindowsInkWorkspace](policy-csp-windowsinkworkspace.md) + +## WindowsLogon + +- [HideFastUserSwitching](policy-csp-windowslogon.md) +- [EnableFirstLogonAnimation](policy-csp-windowslogon.md) + +## WindowsSandbox + +- [AllowVGPU](policy-csp-windowssandbox.md) +- [AllowNetworking](policy-csp-windowssandbox.md) +- [AllowAudioInput](policy-csp-windowssandbox.md) +- [AllowVideoInput](policy-csp-windowssandbox.md) +- [AllowPrinterRedirection](policy-csp-windowssandbox.md) +- [AllowClipboardRedirection](policy-csp-windowssandbox.md) + +## WirelessDisplay + +- [AllowProjectionToPC](policy-csp-wirelessdisplay.md) +- [RequirePinForPairing](policy-csp-wirelessdisplay.md) + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md index 6aa5459e4a..62ead15ae0 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md @@ -18,6 +18,7 @@ ms.date: 08/01/2022 - [ApplicationManagement/AllowAllTrustedApps](policy-csp-applicationmanagement.md#applicationmanagement-allowalltrustedapps) - [ApplicationManagement/AllowAppStoreAutoUpdate](policy-csp-applicationmanagement.md#applicationmanagement-allowappstoreautoupdate) - [ApplicationManagement/AllowDeveloperUnlock](policy-csp-applicationmanagement.md#applicationmanagement-allowdeveloperunlock) +- [ApplicationManagement/RequirePrivateStoreOnly](policy-csp-applicationmanagement.md#applicationmanagement-requireprivatestoreonly) 11 - [Authentication/AllowFastReconnect](policy-csp-authentication.md#authentication-allowfastreconnect) - [Authentication/PreferredAadTenantDomainName](policy-csp-authentication.md#authentication-preferredaadtenantdomainname) - [Bluetooth/AllowDiscoverableMode](policy-csp-bluetooth.md#bluetooth-allowdiscoverablemode) @@ -45,20 +46,20 @@ ms.date: 08/01/2022 - [Experience/AllowManualMDMUnenrollment](policy-csp-experience.md#experience-allowmanualmdmunenrollment) - [MixedReality/AADGroupMembershipCacheValidityInDays](policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays) - [MixedReality/AADGroupMembershipCacheValidityInDays](./policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays) 9 -- [MixedReality/AllowCaptivePortalBeforeLogon](./policy-csp-mixedreality.md#mixedreality-allowcaptiveportalpeforelogon) Insider +- [MixedReality/AllowCaptivePortalBeforeLogon](./policy-csp-mixedreality.md#mixedreality-allowcaptiveportalpeforelogon) 12 - [MixedReality/AllowLaunchUriInSingleAppKiosk](./policy-csp-mixedreality.md#mixedreality-allowlaunchuriinsingleappkiosk)10 - [MixedReality/AutoLogonUser](./policy-csp-mixedreality.md#mixedreality-autologonuser) 11 - [MixedReality/BrightnessButtonDisabled](./policy-csp-mixedreality.md#mixedreality-brightnessbuttondisabled) 9 - [MixedReality/ConfigureMovingPlatform](policy-csp-mixedreality.md#mixedreality-configuremovingplatform) *[Feb. 2022 Servicing release](/hololens/hololens-release-notes#windows-holographic-version-21h2---february-2022-update) -- [MixedReality/ConfigureNtpClient](./policy-csp-mixedreality.md#mixedreality-configurentpclient) Insider -- [MixedReality/DisallowNetworkConnectivityPassivePolling](./policy-csp-mixedreality.md#mixedreality-disablesisallownetworkconnectivitypassivepolling) Insider +- [MixedReality/ConfigureNtpClient](./policy-csp-mixedreality.md#mixedreality-configurentpclient) 12 +- [MixedReality/DisallowNetworkConnectivityPassivePolling](./policy-csp-mixedreality.md#mixedreality-disablesisallownetworkconnectivitypassivepolling) 12 - [MixedReality/FallbackDiagnostics](./policy-csp-mixedreality.md#mixedreality-fallbackdiagnostics) 9 - [MixedReality/HeadTrackingMode](policy-csp-mixedreality.md#mixedreality-headtrackingmode) 9 - [MixedReality/ManualDownDirectionDisabled](policy-csp-mixedreality.md#mixedreality-manualdowndirectiondisabled) *[Feb. 2022 Servicing release](/hololens/hololens-release-notes#windows-holographic-version-21h2---february-2022-update) - [MixedReality/MicrophoneDisabled](./policy-csp-mixedreality.md#mixedreality-microphonedisabled) 9 -- [MixedReality/NtpClientEnabled](./policy-csp-mixedreality.md#mixedreality-ntpclientenabled) Insider -- [MixedReality/SkipCalibrationDuringSetup](./policy-csp-mixedreality.md#mixedreality-skipcalibrationduringsetup) Insider -- [MixedReality/SkipTrainingDuringSetup](./policy-csp-mixedreality.md#mixedreality-skiptrainingduringsetup) Insider +- [MixedReality/NtpClientEnabled](./policy-csp-mixedreality.md#mixedreality-ntpclientenabled) 12 +- [MixedReality/SkipCalibrationDuringSetup](./policy-csp-mixedreality.md#mixedreality-skipcalibrationduringsetup) 12 +- [MixedReality/SkipTrainingDuringSetup](./policy-csp-mixedreality.md#mixedreality-skiptrainingduringsetup) 12 - [MixedReality/VisitorAutoLogon](policy-csp-mixedreality.md#mixedreality-visitorautologon) 10 - [MixedReality/VolumeButtonDisabled](./policy-csp-mixedreality.md#mixedreality-volumebuttondisabled) 9 - [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#power-displayofftimeoutonbattery) 9 @@ -98,11 +99,11 @@ ms.date: 08/01/2022 - [Settings/AllowVPN](policy-csp-settings.md#settings-allowvpn) - [Settings/PageVisibilityList](./policy-csp-settings.md#settings-pagevisibilitylist) 9 - [Speech/AllowSpeechModelUpdate](policy-csp-speech.md#speech-allowspeechmodelupdate) -- [Storage/AllowStorageSenseGlobal](policy-csp-storage.md#storage-allowstoragesenseglobal) Insider -- [Storage/AllowStorageSenseTemporaryFilesCleanup](policy-csp-storage.md#storage-allowstoragesensetemporaryfilescleanup) Insider -- [Storage/ConfigStorageSenseCloudContentDehydrationThreshold](policy-csp-storage.md#storage-configstoragesensecloudcontentdehydrationthreshold) Insider -- [Storage/ConfigStorageSenseDownloadsCleanupThreshold](policy-csp-storage.md#storage-configstoragesensedownloadscleanupthreshold) Insider -- [Storage/ConfigStorageSenseGlobalCadence](policy-csp-storage.md#storage-configstoragesenseglobalcadence) Insider +- [Storage/AllowStorageSenseGlobal](policy-csp-storage.md#storage-allowstoragesenseglobal) 12 +- [Storage/AllowStorageSenseTemporaryFilesCleanup](policy-csp-storage.md#storage-allowstoragesensetemporaryfilescleanup) 12 +- [Storage/ConfigStorageSenseCloudContentDehydrationThreshold](policy-csp-storage.md#storage-configstoragesensecloudcontentdehydrationthreshold) 12 +- [Storage/ConfigStorageSenseDownloadsCleanupThreshold](policy-csp-storage.md#storage-configstoragesensedownloadscleanupthreshold) 12 +- [Storage/ConfigStorageSenseGlobalCadence](policy-csp-storage.md#storage-configstoragesenseglobalcadence) 12 - [System/AllowCommercialDataPipeline](policy-csp-system.md#system-allowcommercialdatapipeline) - [System/AllowLocation](policy-csp-system.md#system-allowlocation) - [System/AllowStorageCard](policy-csp-system.md#system-allowstoragecard) @@ -147,6 +148,7 @@ Footnotes: - 9 - Available in [Windows Holographic, version 20H2](/hololens/hololens-release-notes-2004#windows-holographic-version-20h2) - 10 - Available in [Windows Holographic, version 21H1](/hololens/hololens-release-notes#windows-holographic-version-21h1) - 11 - Available in [Windows Holographic, version 21H2](/hololens/hololens-release-notes#windows-holographic-version-21h2) +- 12 - Available in [Windows Holographic, version 22H2](/hololens/hololens-release-notes#windows-holographic-version-22h2) - Insider - Available in our current [HoloLens Insider builds](/hololens/hololens-insider). ## Related topics diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md index 94bb7192fa..bcc22cc6cb 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md @@ -1,7 +1,7 @@ --- title: Policies in Policy CSP supported by Microsoft Surface Hub description: Learn about the policies in Policy CSP supported by Microsoft Surface Hub. -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article @@ -21,32 +21,32 @@ ms.date: 07/22/2020 - [Cellular/ShowAppCellularAccessUI](policy-csp-cellular.md#cellular-showappcellularaccessui) - [Cryptography/AllowFipsAlgorithmPolicy](policy-csp-cryptography.md#cryptography-allowfipsalgorithmpolicy) - [Cryptography/TLSCipherSuites](policy-csp-cryptography.md#cryptography-tlsciphersuites) -- [Defender/AllowArchiveScanning](policy-csp-defender.md#defender-allowarchivescanning) -- [Defender/AllowBehaviorMonitoring](policy-csp-defender.md#defender-allowbehaviormonitoring) -- [Defender/AllowCloudProtection](policy-csp-defender.md#defender-allowcloudprotection) -- [Defender/AllowEmailScanning](policy-csp-defender.md#defender-allowemailscanning) -- [Defender/AllowFullScanOnMappedNetworkDrives](policy-csp-defender.md#defender-allowfullscanonmappednetworkdrives) -- [Defender/AllowFullScanRemovableDriveScanning](policy-csp-defender.md#defender-allowfullscanremovabledrivescanning) -- [Defender/AllowIOAVProtection](policy-csp-defender.md#defender-allowioavprotection) -- [Defender/AllowOnAccessProtection](policy-csp-defender.md#defender-allowonaccessprotection) -- [Defender/AllowRealtimeMonitoring](policy-csp-defender.md#defender-allowrealtimemonitoring) -- [Defender/AllowScanningNetworkFiles](policy-csp-defender.md#defender-allowscanningnetworkfiles) -- [Defender/AllowScriptScanning](policy-csp-defender.md#defender-allowscriptscanning) -- [Defender/AllowUserUIAccess](policy-csp-defender.md#defender-allowuseruiaccess) -- [Defender/AvgCPULoadFactor](policy-csp-defender.md#defender-avgcpuloadfactor) -- [Defender/DaysToRetainCleanedMalware](policy-csp-defender.md#defender-daystoretaincleanedmalware) -- [Defender/ExcludedExtensions](policy-csp-defender.md#defender-excludedextensions) -- [Defender/ExcludedPaths](policy-csp-defender.md#defender-excludedpaths) -- [Defender/ExcludedProcesses](policy-csp-defender.md#defender-excludedprocesses) -- [Defender/PUAProtection](policy-csp-defender.md#defender-puaprotection) -- [Defender/RealTimeScanDirection](policy-csp-defender.md#defender-realtimescandirection) -- [Defender/ScanParameter](policy-csp-defender.md#defender-scanparameter) -- [Defender/ScheduleQuickScanTime](policy-csp-defender.md#defender-schedulequickscantime) -- [Defender/ScheduleScanDay](policy-csp-defender.md#defender-schedulescanday) -- [Defender/ScheduleScanTime](policy-csp-defender.md#defender-schedulescantime) -- [Defender/SignatureUpdateInterval](policy-csp-defender.md#defender-signatureupdateinterval) -- [Defender/SubmitSamplesConsent](policy-csp-defender.md#defender-submitsamplesconsent) -- [Defender/ThreatSeverityDefaultAction](policy-csp-defender.md#defender-threatseveritydefaultaction) +- [Defender/AllowArchiveScanning](policy-csp-defender.md#allowarchivescanning) +- [Defender/AllowBehaviorMonitoring](policy-csp-defender.md#allowbehaviormonitoring) +- [Defender/AllowCloudProtection](policy-csp-defender.md#allowcloudprotection) +- [Defender/AllowEmailScanning](policy-csp-defender.md#allowemailscanning) +- [Defender/AllowFullScanOnMappedNetworkDrives](policy-csp-defender.md#allowfullscanonmappednetworkdrives) +- [Defender/AllowFullScanRemovableDriveScanning](policy-csp-defender.md#allowfullscanremovabledrivescanning) +- [Defender/AllowIOAVProtection](policy-csp-defender.md#allowioavprotection) +- [Defender/AllowOnAccessProtection](policy-csp-defender.md#allowonaccessprotection) +- [Defender/AllowRealtimeMonitoring](policy-csp-defender.md#allowrealtimemonitoring) +- [Defender/AllowScanningNetworkFiles](policy-csp-defender.md#allowscanningnetworkfiles) +- [Defender/AllowScriptScanning](policy-csp-defender.md#allowscriptscanning) +- [Defender/AllowUserUIAccess](policy-csp-defender.md#allowuseruiaccess) +- [Defender/AvgCPULoadFactor](policy-csp-defender.md#avgcpuloadfactor) +- [Defender/DaysToRetainCleanedMalware](policy-csp-defender.md#daystoretaincleanedmalware) +- [Defender/ExcludedExtensions](policy-csp-defender.md#excludedextensions) +- [Defender/ExcludedPaths](policy-csp-defender.md#excludedpaths) +- [Defender/ExcludedProcesses](policy-csp-defender.md#excludedprocesses) +- [Defender/PUAProtection](policy-csp-defender.md#puaprotection) +- [Defender/RealTimeScanDirection](policy-csp-defender.md#realtimescandirection) +- [Defender/ScanParameter](policy-csp-defender.md#scanparameter) +- [Defender/ScheduleQuickScanTime](policy-csp-defender.md#schedulequickscantime) +- [Defender/ScheduleScanDay](policy-csp-defender.md#schedulescanday) +- [Defender/ScheduleScanTime](policy-csp-defender.md#schedulescantime) +- [Defender/SignatureUpdateInterval](policy-csp-defender.md#signatureupdateinterval) +- [Defender/SubmitSamplesConsent](policy-csp-defender.md#submitsamplesconsent) +- [Defender/ThreatSeverityDefaultAction](policy-csp-defender.md#threatseveritydefaultaction) - [DeliveryOptimization/DOAbsoluteMaxCacheSize](policy-csp-deliveryoptimization.md#deliveryoptimization-doabsolutemaxcachesize) - [DeliveryOptimization/DOAllowVPNPeerCaching](policy-csp-deliveryoptimization.md#deliveryoptimization-doallowvpnpeercaching) - [DeliveryOptimization/DODownloadMode](policy-csp-deliveryoptimization.md#deliveryoptimization-dodownloadmode) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index e771422d71..283417da87 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -1,30 +1,33 @@ --- title: Policy CSP -description: Learn how the Policy configuration service provider (CSP) enables the enterprise to configure policies on Windows 10 and Windows 11. -ms.reviewer: +description: Learn more about the Policy CSP +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 11/22/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 07/18/2019 -ms.collection: highpri +ms.topic: reference --- + + + # Policy CSP + + The Policy configuration service provider enables the enterprise to configure policies on Windows 10 and Windows 11. Use this configuration service provider to configure any company policies. The Policy configuration service provider has the following sub-categories: -- Policy/Config/*AreaName* – Handles the policy configuration request from the server. -- Policy/Result/*AreaName* – Provides a read-only path to policies enforced on the device. +- Policy/Config/**AreaName** - Handles the policy configuration request from the server. +- Policy/Result/**AreaName** - Provides a read-only path to policies enforced on the device. -> [!Important] +> [!IMPORTANT] > Policy scope is the level at which a policy can be configured. Some policies can only be configured at the device level, meaning the policy will take effect independent of who is logged into the device. Other policies can be configured at the user level, meaning the policy will only take effect for that user. > > The allowed scope of a specific policy is represented below its table of supported Windows editions. To configure a policy under a specific scope (user vs. device), please use the following paths: @@ -43,9490 +46,1133 @@ The Policy configuration service provider has the following sub-categories: > > - **./Vendor/MSFT/Policy/Config/_AreaName/PolicyName_** to configure the policy. > - **./Vendor/MSFT/Policy/Result/_AreaName/PolicyName_** to get the result. + -The following shows the Policy configuration service provider in tree format as used by both Open Mobile Alliance Device Management (OMA DM) and OMA Client Provisioning. + +The following example shows the Policy configuration service provider in tree format. -```console -./Vendor/MSFT -Policy --------Config -----------AreaName --------------PolicyName --------Result -----------AreaName --------------PolicyName --------ConfigOperations -----------ADMXInstall --------------AppName -----------------Policy -------------------UniqueID -----------------Preference -------------------UniqueID +```text +./Device/Vendor/MSFT/Policy +--- Config +------ {AreaName} +--------- {PolicyName} +--- ConfigOperations +------ ADMXInstall +--------- {AppName} +------------ {SettingsType} +--------------- {AdmxFileId} +------------ Properties +--------------- {SettingsType} +------------------ {AdmxFileId} +--------------------- Version +--- Result +------ {AreaName} +--------- {PolicyName} +./User/Vendor/MSFT/Policy +--- Config +------ {AreaName} +--------- {PolicyName} +--- Result +------ {AreaName} +--------- {PolicyName} ``` + + +## Device/Config -**./Vendor/MSFT/Policy** -The root node for the Policy configuration service provider. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -Supported operation is Get. + +```Device +./Device/Vendor/MSFT/Policy/Config +``` + -**Policy/Config** -Node for grouping all policies configured by one source. The configuration source can use this path to set policy values and later query any policy value that it previously set. One policy can be configured by multiple configuration sources. If a configuration source wants to query the result of conflict resolution (for example, if Exchange and MDM both attempt to set a value) the configuration source can use the Policy/Result path to retrieve the resulting value. + +Node for grouping all policies configured by one source. The configuration source can use this path to set policy values and later query any policy value that it previously set. One policy can be configured by multiple configuration sources. If a configuration source wants to query the result of conflict resolution (for example, if Exchange and MDM both attempt to set a value,) the configuration source can use the Policy/Result path to retrieve the resulting value. + -Supported operation is Get. + + + -**Policy/Config/_AreaName_** -The area group that can be configured by a single technology for a single provider. Once added, you cannot change the value. + +**Description framework properties**: -Supported operations are Add, Get, and Delete. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | + -**Policy/Config/_AreaName/PolicyName_** -Specifies the name/value pair used in the policy. + + + + + + +### Device/Config/{AreaName} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/{AreaName} +``` + + + +The area group that can be configured by a single technology for a single provider. Once added, you cannot change the value. See the individual Area DDFs for Policy CSP for a list of Areas that can be configured. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | ClientInventory | + + + + + + + + + +#### Device/Config/{AreaName}/{PolicyName} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/{AreaName}/{PolicyName} +``` + + + +Specifies the name/value pair used in the policy. See the individual Area DDFs for more information about the policies available to configure. + + + + The following list shows some tips to help you when configuring policies: -- Separate substring values by the Unicode &\#xF000; in the XML file. - +- Separate substring values by Unicode `0xF000` in the XML file. > [!NOTE] > A query from a different caller could provide a different value as each caller could have different values for a named policy. - - In SyncML, wrap this policy with the Atomic command so that the policy settings are treated as a single transaction. - Supported operations are Add, Get, Delete, and Replace. - Value type is string. + -**Policy/Result** -Groups the evaluated policies from all providers that can be configured. + +**Description framework properties**: -Supported operation is Get. +| Property name | Property value | +|:--|:--| +| Format | null | +| Access Type | Add, Delete, Get, Replace | +| Dynamic Node Naming | ClientInventory | + -**Policy/Result/_AreaName_** -The area group that can be configured by a single technology independent of the providers. + + + -Supported operation is Get. + -**Policy/Result/_AreaName/PolicyName_** -Specifies the name/value pair used in the policy. + +## Device/ConfigOperations -Supported operation is Get. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -**Policy/ConfigOperations** -Added in Windows 10, version 1703. The root node for grouping different configuration operations. + +```Device +./Device/Vendor/MSFT/Policy/ConfigOperations +``` + -Supported operations are Add, Get, and Delete. + +The root node for grouping different configuration operations. + -**Policy/ConfigOperations/ADMXInstall** -Added in Windows 10, version 1703. Allows settings for ADMX files for Win32 and Desktop Bridge apps to be imported (ingested) by your device and processed into new ADMX-backed policies or preferences. By using ADMXInstall, you can add ADMX-backed policies for those Win32 or Desktop Bridge apps that have been added between OS releases. ADMX-backed policies are ingested to your device by using the Policy CSP URI: ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall. Each ADMX-backed policy or preference that is added is assigned a unique ID. For more information about using Policy CSP to configure Win32 and Desktop Bridge app policies, see [Win32 and Desktop Bridge app policy configuration](../win32-and-centennial-app-policy-configuration.md). + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | + + + + + + + + + +### Device/ConfigOperations/ADMXInstall + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall +``` + + + +Allows settings for ADMX files for Win32 and Desktop Bridge apps to be imported (ingested) by your device and processed into new ADMX-backed policies or preferences. By using ADMXInstall, you can add ADMX-backed policies for those Win32 or Desktop Bridge apps that have been added between OS releases. ADMX-backed policies are ingested to your device by using the Policy CSP URI: ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall. Each ADMX-backed policy or preference that is added is assigned a unique ID. ADMX files that have been installed by using ConfigOperations/ADMXInstall can later be deleted by using the URI delete operation. Deleting an ADMX file will delete the ADMX file from disk, remove the metadata from the ADMXdefault registry hive, and delete all the policies that were set from the file. The MDM server can also delete all ADMX policies that are tied to a particular app by calling delete on the URI, ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}. + + + + + For more information about using Policy CSP to configure Win32 and Desktop Bridge app policies, see [Win32 and Desktop Bridge app policy configuration](../win32-and-centennial-app-policy-configuration.md). > [!NOTE] > The OPAX settings that are managed by the Microsoft Office Customization Tool are not supported by MDM. For more information about this tool, see [Office Customization Tool](/previous-versions/office/office-2013-resource-kit/cc179097(v=office.15)). - -ADMX files that have been installed by using **ConfigOperations/ADMXInstall** can later be deleted by using the URI delete operation. Deleting an ADMX file will delete the ADMX file from disk, remove the metadata from the ADMXdefault registry hive, and delete all the policies that were set from the file. The MDM server can also delete all ADMX policies that are tied to a particular app by calling delete on the URI, ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}. - -Supported operations are Add, Get, and Delete. - -**Policy/ConfigOperations/ADMXInstall/_AppName_** -Added in Windows 10, version 1703. Specifies the name of the Win32 or Desktop Bridge app associated with the ADMX file. - -Supported operations are Add, Get, and Delete. - -**Policy/ConfigOperations/ADMXInstall/_AppName_/Policy** -Added in Windows 10, version 1703. Specifies that a Win32 or Desktop Bridge app policy is to be imported. - -Supported operations are Add, Get, and Delete. - -**Policy/ConfigOperations/ADMXInstall/_AppName_/Policy/_UniqueID_** -Added in Windows 10, version 1703. Specifies the unique ID of the app ADMX file that contains the policy to import. - -Supported operations are Add and Get. Does not support Delete. - -**Policy/ConfigOperations/ADMXInstall/_AppName_/Preference** -Added in Windows 10, version 1703. Specifies that a Win32 or Desktop Bridge app preference is to be imported. - -Supported operations are Add, Get, and Delete. - -**Policy/ConfigOperations/ADMXInstall/_AppName_/Preference/_UniqueID_** -Added in Windows 10, version 1703. Specifies the unique ID of the app ADMX file that contains the preference to import. - -Supported operations are Add and Get. Does not support Delete. - -## Policies - -### AboveLock policies - -
    -
    - AboveLock/AllowCortanaAboveLock -
    -
    - AboveLock/AllowToasts -
    -
    - -### Accounts policies - -
    -
    - Accounts/AllowAddingNonMicrosoftAccountsManually -
    -
    - Accounts/AllowMicrosoftAccountConnection -
    -
    - Accounts/AllowMicrosoftAccountSignInAssistant -
    - -
    - -### ActiveXControls policies - -
    -
    - ActiveXControls/ApprovedInstallationSites -
    -
    - -### ADMX_ActiveXInstallService policies - -
    -
    - ADMX_ActiveXInstallService/AxISURLZonePolicies -
    -
    - -### ADMX_AddRemovePrograms policies -
    -
    - ADMX_AddRemovePrograms/DefaultCategory -
    -
    - ADMX_AddRemovePrograms/NoAddFromCDorFloppy -
    -
    - ADMX_AddRemovePrograms/NoAddFromInternet -
    -
    - ADMX_AddRemovePrograms/NoAddFromNetwork -
    -
    - ADMX_AddRemovePrograms/NoAddPage -
    -
    - ADMX_AddRemovePrograms/NoAddRemovePrograms -
    -
    - ADMX_AddRemovePrograms/NoChooseProgramsPage -
    -
    - ADMX_AddRemovePrograms/NoRemovePage -
    -
    - ADMX_AddRemovePrograms/NoServices -
    -
    - ADMX_AddRemovePrograms/NoSupportInfo -
    -
    - ADMX_AddRemovePrograms/NoWindowsSetupPage -
    -
    - -### ADMX_AdmPwd policies - -
    -
    - ADMX_AdmPwd/POL_AdmPwd_DontAllowPwdExpirationBehindPolicy -
    -
    - ADMX_AdmPwd/POL_AdmPwd_Enabled -
    -
    - ADMX_AdmPwd/POL_AdmPwd_AdminName -
    -
    - ADMX_AdmPwd/POL_AdmPwd -
    -
    - -### ADMX_AppCompat policies - -
    -
    - ADMX_AppCompat/AppCompatPrevent16BitMach -
    -
    - ADMX_AppCompat/AppCompatRemoveProgramCompatPropPage -
    -
    - ADMX_AppCompat/AppCompatTurnOffApplicationImpactTelemetry -
    -
    - ADMX_AppCompat/AppCompatTurnOffSwitchBack -
    -
    - ADMX_AppCompat/AppCompatTurnOffEngine -
    -
    - ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_1 -
    -
    - ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_2 -
    -
    - ADMX_AppCompat/AppCompatTurnOffUserActionRecord -
    -
    - ADMX_AppCompat/AppCompatTurnOffProgramInventory -
    -
    - -### ADMX_AppxPackageManager policies - -
    -
    - ADMX_AppxPackageManager/AllowDeploymentInSpecialProfiles -
    -
    - -### ADMX_AppXRuntime policies - -
    -
    - ADMX_AppXRuntime/AppxRuntimeApplicationContentUriRules -
    -
    - ADMX_AppXRuntime/AppxRuntimeBlockFileElevation -
    -
    - ADMX_AppXRuntime/AppxRuntimeBlockHostedAppAccessWinRT -
    -
    - ADMX_AppXRuntime/AppxRuntimeBlockProtocolElevation -
    -
    - -### ADMX_AttachmentManager policies - -
    -
    - ADMX_AttachmentManager/AM_EstimateFileHandlerRisk -
    -
    - ADMX_AttachmentManager/AM_SetFileRiskLevel -
    -
    - ADMX_AttachmentManager/AM_SetHighRiskInclusion -
    -
    - ADMX_AttachmentManager/AM_SetLowRiskInclusion -
    -
    - ADMX_AttachmentManager/AM_SetModRiskInclusion -
    -
    - -### ADMX_AuditSettings policies - -
    -
    - ADMX_AuditSettings/IncludeCmdLine -
    -
    - - -### ADMX_Bits policies - -
    -
    - ADMX_Bits/BITS_DisableBranchCache -
    -
    - ADMX_Bits/BITS_DisablePeercachingClient -
    -
    - ADMX_Bits/BITS_DisablePeercachingServer -
    -
    - ADMX_Bits/BITS_EnablePeercaching -
    -
    - ADMX_Bits/BITS_MaxBandwidthServedForPeers -
    -
    - ADMX_Bits/BITS_MaxBandwidthV2_Maintenance -
    -
    - ADMX_Bits/BITS_MaxBandwidthV2_Work -
    -
    - ADMX_Bits/BITS_MaxCacheSize -
    -
    - ADMX_Bits/BITS_MaxContentAge -
    -
    - ADMX_Bits/BITS_MaxDownloadTime -
    -
    - ADMX_Bits/BITS_MaxFilesPerJob -
    -
    - ADMX_Bits/BITS_MaxJobsPerMachine -
    -
    - ADMX_Bits/BITS_MaxJobsPerUser -
    -
    - ADMX_Bits/BITS_MaxRangesPerFile -
    -
    - -### ADMX_CipherSuiteOrder policies - -
    -
    - ADMX_CipherSuiteOrder/SSLCipherSuiteOrder -
    -
    - ADMX_CipherSuiteOrder/SSLCurveOrder -
    -
    - -### ADMX_COM policies - -
    -
    - ADMX_COM/AppMgmt_COM_SearchForCLSID_1 -
    -
    - ADMX_COM/AppMgmt_COM_SearchForCLSID_2 -
    -
    - -### ADMX_ControlPanel policies - -
    -
    - ADMX_ControlPanel/DisallowCpls -
    -
    - ADMX_ControlPanel/ForceClassicControlPanel -
    -
    - ADMX_ControlPanel/NoControlPanel -
    -
    - ADMX_ControlPanel/RestrictCpls -
    -
    - -### ADMX_ControlPanelDisplay policies - -
    -
    - ADMX_ControlPanelDisplay/CPL_Display_Disable -
    -
    - ADMX_ControlPanelDisplay/CPL_Display_HideSettings -
    -
    - ADMX_ControlPanelDisplay/CPL_Personalization_DisableColorSchemeChoice -
    -
    - ADMX_ControlPanelDisplay/CPL_Personalization_DisableThemeChange -
    -
    - ADMX_ControlPanelDisplay/CPL_Personalization_DisableVisualStyle -
    -
    - ADMX_ControlPanelDisplay/CPL_Personalization_EnableScreenSaver -
    -
    - ADMX_ControlPanelDisplay/CPL_Personalization_ForceDefaultLockScreen -
    -
    - ADMX_ControlPanelDisplay/CPL_Personalization_LockFontSize -
    -
    - ADMX_ControlPanelDisplay/CPL_Personalization_NoChangingLockScreen -
    -
    - ADMX_ControlPanelDisplay/CPL_Personalization_NoChangingStartMenuBackground -
    -
    - ADMX_ControlPanelDisplay/CPL_Personalization_NoColorAppearanceUI -
    -
    - ADMX_ControlPanelDisplay/CPL_Personalization_NoDesktopBackgroundUI -
    -
    - ADMX_ControlPanelDisplay/CPL_Personalization_NoDesktopIconsUI -
    -
    - ADMX_ControlPanelDisplay/CPL_Personalization_NoLockScreen -
    -
    - ADMX_ControlPanelDisplay/CPL_Personalization_NoMousePointersUI -
    -
    - ADMX_ControlPanelDisplay/CPL_Personalization_NoScreenSaverUI -
    -
    - ADMX_ControlPanelDisplay/CPL_Personalization_NoSoundSchemeUI -
    -
    - ADMX_ControlPanelDisplay/CPL_Personalization_PersonalColors -
    -
    - ADMX_ControlPanelDisplay/CPL_Personalization_ScreenSaverIsSecure -
    -
    - ADMX_ControlPanelDisplay/CPL_Personalization_ScreenSaverTimeOut -
    -
    - ADMX_ControlPanelDisplay/CPL_Personalization_SetScreenSaver -
    -
    - ADMX_ControlPanelDisplay/CPL_Personalization_SetTheme -
    -
    - ADMX_ControlPanelDisplay/CPL_Personalization_SetVisualStyle -
    -
    - ADMX_ControlPanelDisplay/CPL_Personalization_StartBackground -
    -
    - -### ADMX_Cpls policies - -
    -
    - ADMX_CtrlAltDel/DisableChangePassword -
    -
    - ADMX_CtrlAltDel/DisableLockComputer -
    -
    - ADMX_CtrlAltDel/DisableTaskMgr -
    -
    - ADMX_CtrlAltDel/NoLogoff -
    -
    - -### ADMX_CredentialProviders policies - -
    -
    - ADMX_CredentialProviders/AllowDomainDelayLock -
    -
    - ADMX_CredentialProviders/DefaultCredentialProvider -
    -
    - ADMX_CredentialProviders/ExcludedCredentialProviders -
    -
    - -### ADMX_CredSsp policies - -
    -
    - ADMX_CredSsp/AllowDefCredentialsWhenNTLMOnly -
    -
    - ADMX_CredSsp/AllowDefaultCredentials -
    -
    - ADMX_CredSsp/AllowEncryptionOracle -
    -
    - ADMX_CredSsp/AllowFreshCredentials -
    -
    - ADMX_CredSsp/AllowFreshCredentialsWhenNTLMOnly -
    -
    - ADMX_CredSsp/AllowSavedCredentials -
    -
    - ADMX_CredSsp/AllowSavedCredentialsWhenNTLMOnly -
    -
    - ADMX_CredSsp/DenyDefaultCredentials -
    -
    - ADMX_CredSsp/DenyFreshCredentials -
    -
    - ADMX_CredSsp/DenySavedCredentials -
    -
    - ADMX_CredSsp/RestrictedRemoteAdministration - -### ADMX_CredUI policies - -
    -
    - ADMX_CredUI/EnableSecureCredentialPrompting -
    -
    - ADMX_CredUI/NoLocalPasswordResetQuestions -
    -
    - -### ADMX_CtrlAltDel policies -
    -
    - ADMX_Cpls/UseDefaultTile -
    -
    - -### ADMX_DataCollection policies - -
    -
    - ADMX_DataCollection/CommercialIdPolicy -
    -
    - -### ADMX_DCOM policies - -
    -
    - ADMX_DCOM/DCOMActivationSecurityCheckAllowLocalList -
    -
    - ADMX_DCOM/DCOMActivationSecurityCheckExemptionList -
    -
    - -### ADMX_Desktop policies - -
    -
    - ADMX_Desktop/AD_EnableFilter -
    -
    - ADMX_Desktop/AD_HideDirectoryFolder -
    -
    - ADMX_Desktop/AD_QueryLimit -
    -
    - ADMX_Desktop/ForceActiveDesktopOn -
    -
    - ADMX_Desktop/NoActiveDesktop -
    -
    - ADMX_Desktop/NoActiveDesktopChanges -
    -
    - ADMX_Desktop/NoDesktop -
    -
    - ADMX_Desktop/NoDesktopCleanupWizard -
    -
    - ADMX_Desktop/NoInternetIcon -
    -
    - ADMX_Desktop/NoMyComputerIcon -
    -
    - ADMX_Desktop/NoMyDocumentsIcon -
    -
    - ADMX_Desktop/NoNetHood -
    -
    - ADMX_Desktop/NoPropertiesMyComputer -
    -
    - ADMX_Desktop/NoPropertiesMyDocuments -
    -
    - ADMX_Desktop/NoRecentDocsNetHood -
    -
    - ADMX_Desktop/NoRecycleBinIcon -
    -
    - ADMX_Desktop/NoRecycleBinProperties -
    -
    - ADMX_Desktop/NoSaveSettings -
    -
    - ADMX_Desktop/NoWindowMinimizingShortcuts -
    -
    - ADMX_Desktop/Wallpaper -
    -
    - ADMX_Desktop/sz_ATC_DisableAdd -
    -
    - ADMX_Desktop/sz_ATC_DisableClose -
    -
    - ADMX_Desktop/sz_ATC_DisableDel -
    -
    - ADMX_Desktop/sz_ATC_DisableEdit -
    -
    - ADMX_Desktop/sz_ATC_NoComponents -
    -
    - ADMX_Desktop/sz_AdminComponents_Title -
    -
    - ADMX_Desktop/sz_DB_DragDropClose -
    -
    - ADMX_Desktop/sz_DB_Moving -
    -
    - ADMX_Desktop/sz_DWP_NoHTMLPaper -
    -
    - -### ADMX_DeviceCompat policies - -
    -
    - ADMX_DeviceCompat/DeviceFlags -
    -
    - ADMX_DeviceCompat/DriverShims -
    -
    - -### ADMX_DeviceGuard policies - -
    - ADMX_DeviceGuard/ConfigCIPolicy -
    -
    - -### ADMX_DeviceInstallation policies - -
    -
    - ADMX_DeviceInstallation/DeviceInstall_AllowAdminInstall -
    -
    - ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_DetailText -
    -
    - ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_SimpleText -
    -
    - ADMX_DeviceInstallation/DeviceInstall_InstallTimeout -
    -
    - ADMX_DeviceInstallation/DeviceInstall_Policy_RebootTime -
    -
    - ADMX_DeviceInstallation/DeviceInstall_Removable_Deny -
    -
    - ADMX_DeviceInstallation/DeviceInstall_SystemRestore -
    -
    - ADMX_DeviceInstallation/DriverInstall_Classes_AllowUser -
    -
    - -### ADMX_DeviceSetup policies - -
    -
    - ADMX_DeviceSetup/DeviceInstall_BalloonTips -
    -
    - ADMX_DeviceSetup/DriverSearchPlaces_SearchOrderConfiguration -
    -
    - -### ADMX_DFS policies - -
    -
    - ADMX_DFS/DFSDiscoverDC -
    -
    - -### ADMX_DigitalLocker policies - -
    -
    - ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_1 -
    -
    - ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_2 -
    -
    - -### ADMX_DiskDiagnostic policies - -
    -
    - ADMX_DiskDiagnostic/DfdAlertPolicy -
    -
    - ADMX_DiskDiagnostic/WdiScenarioExecutionPolicy -
    -
    - -### ADMX_DiskNVCache policies - -
    -
    - ADMX_DiskNVCache/BootResumePolicy -
    -
    - ADMX_DiskNVCache/FeatureOffPolicy -
    -
    - ADMX_DiskNVCache/SolidStatePolicy -
    -
    - -### ADMX_DiskQuota policies - -
    -
    - ADMX_DiskQuota/DQ_RemovableMedia -
    -
    - ADMX_DiskQuota/DQ_Enable -
    -
    - ADMX_DiskQuota/DQ_Enforce -
    -
    - ADMX_DiskQuota/DQ_LogEventOverLimit -
    -
    - ADMX_DiskQuota/DQ_LogEventOverThreshold -
    -
    - ADMX_DiskQuota/DQ_Limit -
    -
    - -### ADMX_DistributedLinkTracking policies - -
    -
    - ADMX_DistributedLinkTracking/DLT_AllowDomainMode -
    -
    - - -### ADMX_DnsClient policies - -
    -
    - ADMX_DnsClient/DNS_AllowFQDNNetBiosQueries -
    -
    - ADMX_DnsClient/DNS_AppendToMultiLabelName -
    -
    - ADMX_DnsClient/DNS_Domain -
    -
    - ADMX_DnsClient/DNS_DomainNameDevolutionLevel -
    -
    - ADMX_DnsClient/DNS_IdnEncoding -
    -
    - ADMX_DnsClient/DNS_IdnMapping -
    -
    - ADMX_DnsClient/DNS_NameServer -
    -
    - ADMX_DnsClient/DNS_PreferLocalResponsesOverLowerOrderDns -
    -
    - ADMX_DnsClient/DNS_PrimaryDnsSuffix -
    -
    - ADMX_DnsClient/DNS_RegisterAdapterName -
    -
    - ADMX_DnsClient/DNS_RegisterReverseLookup -
    -
    - ADMX_DnsClient/DNS_RegistrationEnabled -
    -
    - ADMX_DnsClient/DNS_RegistrationOverwritesInConflict -
    -
    - ADMX_DnsClient/DNS_RegistrationRefreshInterval -
    -
    - ADMX_DnsClient/DNS_RegistrationTtl -
    -
    - ADMX_DnsClient/DNS_SearchList -
    -
    - ADMX_DnsClient/DNS_SmartMultiHomedNameResolution -
    -
    - ADMX_DnsClient/DNS_SmartProtocolReorder -
    -
    - ADMX_DnsClient/DNS_UpdateSecurityLevel -
    -
    - ADMX_DnsClient/DNS_UpdateTopLevelDomainZones -
    -
    - ADMX_DnsClient/DNS_UseDomainNameDevolution -
    -
    - ADMX_DnsClient/Turn_Off_Multicast -
    -
    - -### ADMX_DWM policies -
    -
    - ADMX_DWM/DwmDefaultColorizationColor_1 -
    -
    - ADMX_DWM/DwmDefaultColorizationColor_2 -
    -
    - ADMX_DWM/DwmDisallowAnimations_1 -
    -
    - ADMX_DWM/DwmDisallowAnimations_2 -
    -
    - ADMX_DWM/DwmDisallowColorizationColorChanges_1 -
    -
    - ADMX_DWM/DwmDisallowColorizationColorChanges_2 -
    -
    - -### ADMX_EAIME policies - -
    -
    - ADMX_EAIME/L_DoNotIncludeNonPublishingStandardGlyphInTheCandidateList -
    -
    - ADMX_EAIME/L_RestrictCharacterCodeRangeOfConversion -
    -
    - ADMX_EAIME/L_TurnOffCustomDictionary -
    -
    - ADMX_EAIME/L_TurnOffHistorybasedPredictiveInput -
    -
    - ADMX_EAIME/L_TurnOffInternetSearchIntegration -
    -
    - ADMX_EAIME/L_TurnOffOpenExtendedDictionary -
    -
    - ADMX_EAIME/L_TurnOffSavingAutoTuningDataToFile -
    -
    - ADMX_EAIME/L_TurnOnCloudCandidate -
    -
    - ADMX_EAIME/L_TurnOnCloudCandidateCHS -
    -
    - ADMX_EAIME/L_TurnOnLexiconUpdate -
    -
    - ADMX_EAIME/L_TurnOnLiveStickers -
    -
    - ADMX_EAIME/L_TurnOnMisconversionLoggingForMisconversionReport -
    -
    - -### ADMX_EncryptFilesonMove policies -
    -
    - ADMX_EncryptFilesonMove/NoEncryptOnMove -
    -
    - -### ADMX_EventLogging policies -
    -
    - ADMX_EventLogging/EnableProtectedEventLogging -
    -
    - -### ADMX_EnhancedStorage policies - -
    -
    - ADMX_EnhancedStorage/ApprovedEnStorDevices -
    -
    - ADMX_EnhancedStorage/ApprovedSilos -
    -
    - ADMX_EnhancedStorage/DisablePasswordAuthentication -
    -
    - ADMX_EnhancedStorage/DisallowLegacyDiskDevices -
    -
    - ADMX_EnhancedStorage/LockDeviceOnMachineLock -
    -
    - ADMX_EnhancedStorage/RootHubConnectedEnStorDevices -
    -
    - -### ADMX_ErrorReporting policies - -
    -
    - ADMX_ErrorReporting/PCH_AllOrNoneDef -
    -
    - ADMX_ErrorReporting/PCH_AllOrNoneEx -
    -
    - ADMX_ErrorReporting/PCH_AllOrNoneInc -
    -
    - ADMX_ErrorReporting/PCH_ConfigureReport -
    -
    - ADMX_ErrorReporting/PCH_ReportOperatingSystemFaults -
    -
    - ADMX_ErrorReporting/WerArchive_1 -
    -
    - ADMX_ErrorReporting/WerArchive_2 -
    -
    - ADMX_ErrorReporting/WerAutoApproveOSDumps_1 -
    -
    - ADMX_ErrorReporting/WerAutoApproveOSDumps_2 -
    -
    - ADMX_ErrorReporting/WerBypassDataThrottling_1 -
    -
    - ADMX_ErrorReporting/WerBypassDataThrottling_2 -
    -
    - ADMX_ErrorReporting/WerBypassNetworkCostThrottling_1 -
    -
    - ADMX_ErrorReporting/WerBypassNetworkCostThrottling_2 -
    -
    - ADMX_ErrorReporting/WerBypassPowerThrottling_1 -
    -
    - ADMX_ErrorReporting/WerBypassPowerThrottling_2 -
    -
    - ADMX_ErrorReporting/WerCER -
    -
    - ADMX_ErrorReporting/WerConsentCustomize_1 -
    -
    - ADMX_ErrorReporting/WerConsentOverride_1 -
    -
    - ADMX_ErrorReporting/WerConsentOverride_2 -
    -
    - ADMX_ErrorReporting/WerDefaultConsent_1 -
    -
    - ADMX_ErrorReporting/WerDefaultConsent_2 -
    -
    - ADMX_ErrorReporting/WerDisable_1 -
    -
    - ADMX_ErrorReporting/WerExlusion_1 -
    -
    - ADMX_ErrorReporting/WerExlusion_2 -
    -
    - ADMX_ErrorReporting/WerNoLogging_1 -
    -
    - ADMX_ErrorReporting/WerNoLogging_2 -
    -
    - ADMX_ErrorReporting/WerNoSecondLevelData_1 -
    -
    - ADMX_ErrorReporting/WerQueue_1 -
    -
    - ADMX_ErrorReporting/WerQueue_2 -
    -
    - -### ADMX_EventForwarding policies - -
    -
    - ADMX_EventForwarding/ForwarderResourceUsage -
    -
    - ADMX_EventForwarding/SubscriptionManager -
    -
    - -### ADMX_EventLog policies - -
    -
    - ADMX_EventLog/Channel_LogEnabled -
    -
    - ADMX_EventLog/Channel_LogFilePath_1 -
    -
    - ADMX_EventLog/Channel_LogFilePath_2 -
    -
    - ADMX_EventLog/Channel_LogFilePath_3 -
    -
    - ADMX_EventLog/Channel_LogFilePath_4 -
    -
    - ADMX_EventLog/Channel_LogMaxSize_3 -
    -
    - ADMX_EventLog/Channel_Log_AutoBackup_1 -
    -
    - ADMX_EventLog/Channel_Log_AutoBackup_2 -
    -
    - ADMX_EventLog/Channel_Log_AutoBackup_3 -
    -
    - ADMX_EventLog/Channel_Log_AutoBackup_4 -
    -
    - ADMX_EventLog/Channel_Log_FileLogAccess_1 -
    -
    - ADMX_EventLog/Channel_Log_FileLogAccess_2 -
    -
    - ADMX_EventLog/Channel_Log_FileLogAccess_3 -
    -
    - ADMX_EventLog/Channel_Log_FileLogAccess_4 -
    -
    - ADMX_EventLog/Channel_Log_FileLogAccess_5 -
    -
    - ADMX_EventLog/Channel_Log_FileLogAccess_6 -
    -
    - ADMX_EventLog/Channel_Log_FileLogAccess_7 -
    -
    - ADMX_EventLog/Channel_Log_FileLogAccess_8 -
    -
    - ADMX_EventLog/Channel_Log_Retention_2 -
    -
    - ADMX_EventLog/Channel_Log_Retention_3 -
    -
    - ADMX_EventLog/Channel_Log_Retention_4 -
    -
    - -### ADMX_EventViewer policies - -
    -
    - ADMX_EventViewer/EventViewer_RedirectionProgram -
    -
    - ADMX_EventViewer/EventViewer_RedirectionProgramCommandLineParameters -
    -
    - ADMX_EventViewer/EventViewer_RedirectionURL -
    - -### ADMX_Explorer policies - -
    -
    - ADMX_Explorer/AdminInfoUrl -
    -
    - ADMX_Explorer/AlwaysShowClassicMenu -
    -
    - ADMX_Explorer/DisableRoamedProfileInit -
    -
    - ADMX_Explorer/PreventItemCreationInUsersFilesFolder -
    -
    - ADMX_Explorer/TurnOffSPIAnimations -
    -
    - -### ADMX_ExternalBoot policies - -
    -
    - ADMX_ExternalBoot/PortableOperatingSystem_Hibernate -
    - ADMX_ExternalBoot/PortableOperatingSystem_Sleep -
    - - ADMX_ExternalBoot/PortableOperatingSystem_Launcher - -
    - -### ADMX_FileRecovery policies -
    -
    - ADMX_FileRecovery/WdiScenarioExecutionPolicy -
    -
    - -### ADMX_FileRevocation policies -
    -
    - ADMX_FileRevocation/DelegatedPackageFamilyNames -
    -
    - -### ADMX_FileServerVSSProvider policies -
    -
    - ADMX_FileServerVSSProvider/Pol_EncryptProtocol -
    -
    - -### ADMX_FileSys policies -
    -
    - ADMX_FileSys/DisableCompression -
    -
    - ADMX_FileSys/DisableDeleteNotification -
    -
    - ADMX_FileSys/DisableEncryption -
    -
    - ADMX_FileSys/EnablePagefileEncryption -
    -
    - ADMX_FileSys/LongPathsEnabled -
    -
    - ADMX_FileSys/ShortNameCreationSettings -
    -
    - ADMX_FileSys/SymlinkEvaluation -
    -
    - ADMX_FileSys/TxfDeprecatedFunctionality -
    -
    - -### ADMX_FolderRedirection policies -
    -
    - ADMX_FolderRedirection/DisableFRAdminPin -
    -
    - ADMX_FolderRedirection/DisableFRAdminPinByFolder -
    -
    - ADMX_FolderRedirection/FolderRedirectionEnableCacheRename -
    -
    - ADMX_FolderRedirection/LocalizeXPRelativePaths_1 -
    -
    - ADMX_FolderRedirection/LocalizeXPRelativePaths_2 -
    -
    - ADMX_FolderRedirection/PrimaryComputer_FR_1 -
    -
    - ADMX_FolderRedirection/PrimaryComputer_FR_2 -
    -
    - -### ADMX_FramePanes policies -
    -
    - ADMX_FramePanes/NoReadingPane -
    -
    - ADMX_FramePanes/NoPreviewPane -
    -
    - -### ADMX_FTHSVC policies -
    -
    - ADMX_FTHSVC/WdiScenarioExecutionPolicy -
    -
    - -### ADMX_Help policies -
    -
    - ADMX_Help/DisableHHDEP -
    -
    - ADMX_Help/HelpQualifiedRootDir_Comp -
    -
    - ADMX_Help/RestrictRunFromHelp -
    -
    - ADMX_Help/RestrictRunFromHelp_Comp -
    -
    - -### ADMX_HotSpotAuth policies -
    -
    - ADMX_HotSpotAuth/HotspotAuth_Enable -
    -
    - -### ADMX_Globalization policies - -
    -
    - ADMX_Globalization/BlockUserInputMethodsForSignIn -
    -
    - ADMX_Globalization/CustomLocalesNoSelect_1 -
    -
    - ADMX_Globalization/CustomLocalesNoSelect_2 -
    -
    - ADMX_Globalization/HideAdminOptions -
    -
    - ADMX_Globalization/HideCurrentLocation -
    -
    - ADMX_Globalization/HideLanguageSelection -
    -
    - ADMX_Globalization/HideLocaleSelectAndCustomize -
    -
    - ADMX_Globalization/ImplicitDataCollectionOff_1 -
    -
    - ADMX_Globalization/ImplicitDataCollectionOff_2 -
    -
    - ADMX_Globalization/LocaleSystemRestrict -
    -
    - ADMX_Globalization/LocaleUserRestrict_1 -
    -
    - ADMX_Globalization/LocaleUserRestrict_2 -
    -
    - ADMX_Globalization/LockMachineUILanguage -
    -
    - ADMX_Globalization/LockUserUILanguage -
    -
    - ADMX_Globalization/PreventGeoIdChange_1 -
    -
    - ADMX_Globalization/PreventGeoIdChange_2 -
    -
    - ADMX_Globalization/PreventUserOverrides_1 -
    -
    - ADMX_Globalization/PreventUserOverrides_2 -
    -
    - ADMX_Globalization/RestrictUILangSelect -
    -
    - ADMX_Globalization/TurnOffAutocorrectMisspelledWords -
    -
    - ADMX_Globalization/TurnOffHighlightMisspelledWords -
    -
    - ADMX_Globalization/TurnOffInsertSpace -
    -
    - ADMX_Globalization/TurnOffOfferTextPredictions -
    -
    - ADMX_Globalization/Y2K -
    -
    - -### ADMX_GroupPolicy policies - -
    -
    - ADMX_GroupPolicy/AllowX-ForestPolicy-and-RUP -
    -
    - ADMX_GroupPolicy/CSE_AppMgmt -
    -
    - ADMX_GroupPolicy/CSE_DiskQuota -
    -
    - ADMX_GroupPolicy/CSE_EFSRecovery -
    -
    - ADMX_GroupPolicy/CSE_FolderRedirection -
    -
    - ADMX_GroupPolicy/CSE_IEM -
    -
    - ADMX_GroupPolicy/CSE_IPSecurity -
    -
    - ADMX_GroupPolicy/CSE_Registry -
    -
    - ADMX_GroupPolicy/CSE_Scripts -
    -
    - ADMX_GroupPolicy/CSE_Security -
    -
    - ADMX_GroupPolicy/CSE_Wired -
    -
    - ADMX_GroupPolicy/CSE_Wireless -
    -
    - ADMX_GroupPolicy/CorpConnSyncWaitTime -
    -
    - ADMX_GroupPolicy/DenyRsopToInteractiveUser_1 -
    -
    - ADMX_GroupPolicy/DenyRsopToInteractiveUser_2 -
    -
    - ADMX_GroupPolicy/DisableAOACProcessing -
    -
    - ADMX_GroupPolicy/DisableAutoADMUpdate -
    -
    - ADMX_GroupPolicy/DisableBackgroundPolicy -
    -
    - ADMX_GroupPolicy/DisableLGPOProcessing -
    -
    - ADMX_GroupPolicy/DisableUsersFromMachGP -
    -
    - ADMX_GroupPolicy/EnableCDP -
    -
    - ADMX_GroupPolicy/EnableLogonOptimization -
    -
    - ADMX_GroupPolicy/EnableLogonOptimizationOnServerSKU -
    -
    - ADMX_GroupPolicy/EnableMMX -
    -
    - ADMX_GroupPolicy/EnforcePoliciesOnly -
    -
    - ADMX_GroupPolicy/FontMitigation -
    -
    - ADMX_GroupPolicy/GPDCOptions -
    -
    - ADMX_GroupPolicy/GPTransferRate_1 -
    -
    - ADMX_GroupPolicy/GPTransferRate_2 -
    -
    - ADMX_GroupPolicy/GroupPolicyRefreshRate -
    -
    - ADMX_GroupPolicy/GroupPolicyRefreshRateDC -
    -
    - ADMX_GroupPolicy/GroupPolicyRefreshRateUser -
    -
    - ADMX_GroupPolicy/LogonScriptDelay -
    -
    - ADMX_GroupPolicy/NewGPODisplayName -
    -
    - ADMX_GroupPolicy/NewGPOLinksDisabled -
    -
    - ADMX_GroupPolicy/OnlyUseLocalAdminFiles -
    -
    - ADMX_GroupPolicy/ProcessMitigationOptions -
    -
    - ADMX_GroupPolicy/RSoPLogging -
    -
    - ADMX_GroupPolicy/ResetDfsClientInfoDuringRefreshPolicy -
    -
    - ADMX_GroupPolicy/SlowLinkDefaultForDirectAccess -
    -
    - ADMX_GroupPolicy/SlowlinkDefaultToAsync -
    -
    - ADMX_GroupPolicy/SyncWaitTime -
    -
    - ADMX_GroupPolicy/UserPolicyMode -
    -
    - -### ADMX_HelpAndSupport policies -
    -
    - ADMX_HelpAndSupport/ActiveHelp -
    -
    - ADMX_HelpAndSupport/HPExplicitFeedback -
    -
    - ADMX_HelpAndSupport/HPImplicitFeedback -
    -
    - ADMX_HelpAndSupport/HPOnlineAssistance -
    -
    - - -## ADMX_ICM policies - -
    -
    - ADMX_ICM/CEIPEnable -
    -
    - ADMX_ICM/CertMgr_DisableAutoRootUpdates -
    -
    - ADMX_ICM/DisableHTTPPrinting_1 -
    -
    - ADMX_ICM/DisableWebPnPDownload_1 -
    -
    - ADMX_ICM/DriverSearchPlaces_DontSearchWindowsUpdate -
    -
    - ADMX_ICM/EventViewer_DisableLinks -
    -
    - ADMX_ICM/HSS_HeadlinesPolicy -
    -
    - ADMX_ICM/HSS_KBSearchPolicy -
    -
    - ADMX_ICM/InternetManagement_RestrictCommunication_1 -
    -
    - ADMX_ICM/InternetManagement_RestrictCommunication_2 -
    -
    - ADMX_ICM/NC_ExitOnISP -
    -
    - ADMX_ICM/NC_NoRegistration -
    -
    - ADMX_ICM/PCH_DoNotReport -
    -
    - ADMX_ICM/RemoveWindowsUpdate_ICM -
    -
    - ADMX_ICM/SearchCompanion_DisableFileUpdates -
    -
    - ADMX_ICM/ShellNoUseInternetOpenWith_1 -
    -
    - ADMX_ICM/ShellNoUseInternetOpenWith_2 -
    -
    - ADMX_ICM/ShellNoUseStoreOpenWith_1 -
    -
    - ADMX_ICM/ShellNoUseStoreOpenWith_2 -
    -
    - ADMX_ICM/ShellPreventWPWDownload_1 -
    -
    - ADMX_ICM/ShellRemoveOrderPrints_1 -
    -
    - ADMX_ICM/ShellRemoveOrderPrints_2 -
    -
    - ADMX_ICM/ShellRemovePublishToWeb_1 -
    -
    - ADMX_ICM/ShellRemovePublishToWeb_2 -
    -
    - ADMX_ICM/WinMSG_NoInstrumentation_1 -
    -
    - ADMX_ICM/WinMSG_NoInstrumentation_2 -
    -
    - -### ADMX_IIS policies -
    -
    - ADMX_IIS/PreventIISInstall -
    -
    - -### ADMX_iSCSI policies - -
    -
    - ADMX_iSCSI/iSCSIGeneral_RestrictAdditionalLogins -
    -
    - ADMX_iSCSI/iSCSIGeneral_ChangeIQNName -
    -
    - ADMX_iSCSI/iSCSISecurity_ChangeCHAPSecret -
    -
    - -### ADMX_kdc policies -
    -
    - ADMX_kdc/CbacAndArmor -
    -
    - ADMX_kdc/ForestSearch -
    -
    - ADMX_kdc/PKINITFreshness -
    -
    - ADMX_kdc/RequestCompoundId -
    -
    - ADMX_kdc/TicketSizeThreshold -
    -
    - ADMX_kdc/emitlili -
    -
    - -### ADMX_Kerberos policies - -
    -
    - ADMX_Kerberos/AlwaysSendCompoundId -
    -
    - ADMX_Kerberos/DevicePKInitEnabled -
    -
    - ADMX_Kerberos/HostToRealm -
    -
    - ADMX_Kerberos/KdcProxyDisableServerRevocationCheck -
    -
    - ADMX_Kerberos/KdcProxyServer -
    -
    - ADMX_Kerberos/MitRealms -
    -
    - ADMX_Kerberos/ServerAcceptsCompound -
    -
    - ADMX_Kerberos/StrictTarget -
    -
    - -### ADMX_LanmanServer policies -
    -
    - ADMX_LanmanServer/Pol_CipherSuiteOrder -
    -
    - ADMX_LanmanServer/Pol_HashPublication -
    -
    - ADMX_LanmanServer/Pol_HashSupportVersion -
    -
    - ADMX_LanmanServer/Pol_HonorCipherSuiteOrder -
    -
    - -### ADMX_LanmanWorkstation policies - -
    -
    - ADMX_LanmanWorkstation/Pol_CipherSuiteOrder -
    -
    - ADMX_LanmanWorkstation/Pol_EnableHandleCachingForCAFiles -
    -
    - ADMX_LanmanWorkstation/Pol_EnableOfflineFilesforCAShares -
    -
    - -### ADMX_LeakDiagnostic policies -
    -
    - ADMX_LeakDiagnostic/WdiScenarioExecutionPolicy -
    -
    - -### ADMX_LinkLayerTopologyDiscovery policies -
    -
    - ADMX_LinkLayerTopologyDiscovery/LLTD_EnableLLTDIO -
    -
    - ADMX_LinkLayerTopologyDiscovery/LLTD_EnableRspndr -
    -
    - -### ADMX_LocationProviderAdm policies - -
    -
    - ADMX_LocationProviderAdm/BlockUserFromShowingAccountDetailsOnSignin -
    -
    - -### ADMX_Logon policies - -
    -
    - ADMX_Logon/BlockUserFromShowingAccountDetailsOnSignin -
    -
    - ADMX_Logon/DisableAcrylicBackgroundOnLogon -
    -
    - ADMX_Logon/DisableExplorerRunLegacy_1 -
    -
    - ADMX_Logon/DisableExplorerRunLegacy_2 -
    -
    - ADMX_Logon/DisableExplorerRunOnceLegacy_1 -
    -
    - ADMX_Logon/DisableExplorerRunOnceLegacy_2 -
    -
    - ADMX_Logon/DisableStatusMessages -
    -
    - ADMX_Logon/DontEnumerateConnectedUsers -
    -
    - ADMX_Logon/NoWelcomeTips_1 -
    -
    - ADMX_Logon/NoWelcomeTips_2 -
    -
    - ADMX_Logon/Run_1 -
    -
    - ADMX_Logon/Run_2 -
    -
    - ADMX_Logon/SyncForegroundPolicy -
    -
    - ADMX_Logon/UseOEMBackground -
    -
    - ADMX_Logon/VerboseStatus -
    -
    - -### ADMX_MicrosoftDefenderAntivirus policies - -
    -
    - ADMX_MicrosoftDefenderAntivirus/AllowFastServiceStartup -
    -
    - ADMX_MicrosoftDefenderAntivirus/DisableAntiSpywareDefender -
    -
    - ADMX_MicrosoftDefenderAntivirus/DisableAutoExclusions -
    -
    - ADMX_MicrosoftDefenderAntivirus/DisableBlockAtFirstSeen -
    -
    - ADMX_MicrosoftDefenderAntivirus/DisableLocalAdminMerge -
    -
    - ADMX_MicrosoftDefenderAntivirus/DisableRealtimeMonitoring -
    -
    - ADMX_MicrosoftDefenderAntivirus/DisableRoutinelyTakingAction -
    -
    - ADMX_MicrosoftDefenderAntivirus/Exclusions_Extensions -
    -
    - ADMX_MicrosoftDefenderAntivirus/Exclusions_Paths -
    -
    - ADMX_MicrosoftDefenderAntivirus/Exclusions_Processes -
    -
    - ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ASR_ASROnlyExclusions -
    -
    - ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ASR_Rules -
    -
    - ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ControlledFolderAccess_AllowedApplications -
    -
    - ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ControlledFolderAccess_ProtectedFolders -
    -
    - ADMX_MicrosoftDefenderAntivirus/MpEngine_EnableFileHashComputation -
    -
    - ADMX_MicrosoftDefenderAntivirus/Nis_Consumers_IPS_DisableSignatureRetirement -
    -
    - ADMX_MicrosoftDefenderAntivirus/Nis_Consumers_IPS_sku_differentiation_Signature_Set_Guid -
    -
    - ADMX_MicrosoftDefenderAntivirus/Nis_DisableProtocolRecognition -
    -
    - ADMX_MicrosoftDefenderAntivirus/ProxyBypass -
    -
    - ADMX_MicrosoftDefenderAntivirus/ProxyPacUrl -
    -
    - ADMX_MicrosoftDefenderAntivirus/ProxyServer -
    -
    - ADMX_MicrosoftDefenderAntivirus/Quarantine_LocalSettingOverridePurgeItemsAfterDelay -
    -
    - ADMX_MicrosoftDefenderAntivirus/Quarantine_PurgeItemsAfterDelay -
    -
    - ADMX_MicrosoftDefenderAntivirus/RandomizeScheduleTaskTimes -
    -
    - ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableBehaviorMonitoring -
    -
    - ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableIOAVProtection -
    -
    - ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableOnAccessProtection -
    -
    - ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableRawWriteNotification -
    -
    - ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableScanOnRealtimeEnable -
    -
    - ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_IOAVMaxSize -
    -
    - ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableBehaviorMonitoring -
    -
    - ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableIOAVProtection -
    -
    - ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableOnAccessProtection -
    -
    - ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableRealtimeMonitoring -
    -
    - ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideRealtimeScanDirection -
    -
    - ADMX_MicrosoftDefenderAntivirus/Remediation_LocalSettingOverrideScan_ScheduleTime -
    -
    - ADMX_MicrosoftDefenderAntivirus/Remediation_Scan_ScheduleDay -
    -
    - ADMX_MicrosoftDefenderAntivirus/Remediation_Scan_ScheduleTime -
    -
    - ADMX_MicrosoftDefenderAntivirus/Reporting_AdditionalActionTimeout -
    -
    - ADMX_MicrosoftDefenderAntivirus/Reporting_CriticalFailureTimeout -
    -
    - ADMX_MicrosoftDefenderAntivirus/Reporting_DisableEnhancedNotifications -
    -
    - ADMX_MicrosoftDefenderAntivirus/Reporting_Disablegenericreports -
    -
    - ADMX_MicrosoftDefenderAntivirus/Reporting_NonCriticalTimeout -
    -
    - ADMX_MicrosoftDefenderAntivirus/Reporting_RecentlyCleanedTimeout -
    -
    - ADMX_MicrosoftDefenderAntivirus/Reporting_WppTracingComponents -
    -
    - ADMX_MicrosoftDefenderAntivirus/Reporting_WppTracingLevel -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_AllowPause -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_ArchiveMaxDepth -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_ArchiveMaxSize -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_DisableArchiveScanning -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_DisableEmailScanning -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_DisableHeuristics -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_DisablePackedExeScanning -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_DisableRemovableDriveScanning -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_DisableReparsePointScanning -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_DisableRestorePoint -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_DisableScanningMappedNetworkDrivesForFullScan -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_DisableScanningNetworkFiles -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideAvgCPULoadFactor -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScanParameters -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleDay -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleQuickScantime -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleTime -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_LowCpuPriority -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_MissedScheduledScanCountBeforeCatchup -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_PurgeItemsAfterDelay -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_QuickScanInterval -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_ScanOnlyIfIdle -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_ScheduleDay -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_ScheduleTime -
    -
    - ADMX_MicrosoftDefenderAntivirus/ServiceKeepAlive -
    -
    - ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ASSignatureDue -
    -
    - ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_AVSignatureDue -
    -
    - ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DefinitionUpdateFileSharesSources -
    -
    - ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableScanOnUpdate -
    -
    - ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableScheduledSignatureUpdateonBattery -
    -
    - ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableUpdateOnStartupWithoutEngine -
    -
    - ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_FallbackOrder -
    -
    - ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ForceUpdateFromMU -
    -
    - ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_RealtimeSignatureDelivery -
    -
    - ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ScheduleDay -
    -
    - ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ScheduleTime -
    -
    - ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SharedSignaturesLocation -
    -
    - ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SignatureDisableNotification -
    -
    - ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SignatureUpdateCatchupInterval -
    -
    - ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_UpdateOnStartup -
    -
    - ADMX_MicrosoftDefenderAntivirus/SpynetReporting -
    -
    - ADMX_MicrosoftDefenderAntivirus/Spynet_LocalSettingOverrideSpynetReporting -
    -
    - ADMX_MicrosoftDefenderAntivirus/Threats_ThreatIdDefaultAction -
    -
    - ADMX_MicrosoftDefenderAntivirus/UX_Configuration_CustomDefaultActionToastString -
    -
    - ADMX_MicrosoftDefenderAntivirus/UX_Configuration_Notification_Suppress -
    -
    - ADMX_MicrosoftDefenderAntivirus/UX_Configuration_SuppressRebootNotification -
    -
    - ADMX_MicrosoftDefenderAntivirus/UX_Configuration_UILockdown -
    -
    - -### ADMX_MMC policies -
    -
    - ADMX_MMC/MMC_ActiveXControl -
    -
    - ADMX_MMC/MMC_ExtendView -
    -
    - ADMX_MMC/MMC_LinkToWeb -
    -
    - ADMX_MMC/MMC_Restrict_Author -
    -
    - ADMX_MMC/MMC_Restrict_To_Permitted_Snapins -
    -
    - -### ADMX_MMCSnapins policies - -
    -
    - ADMX_MMCSnapins/MMC_ADMComputers_1 -
    -
    - ADMX_MMCSnapins/MMC_ADMComputers_2 -
    -
    - ADMX_MMCSnapins/MMC_ADMUsers_1 -
    -
    - ADMX_MMCSnapins/MMC_ADMUsers_2 -
    -
    - ADMX_MMCSnapins/MMC_ADSI -
    -
    - ADMX_MMCSnapins/MMC_ActiveDirDomTrusts -
    -
    - ADMX_MMCSnapins/MMC_ActiveDirSitesServices -
    -
    - ADMX_MMCSnapins/MMC_ActiveDirUsersComp -
    -
    - ADMX_MMCSnapins/MMC_AppleTalkRouting -
    -
    - ADMX_MMCSnapins/MMC_AuthMan -
    -
    - ADMX_MMCSnapins/MMC_CertAuth -
    -
    - ADMX_MMCSnapins/MMC_CertAuthPolSet -
    -
    - ADMX_MMCSnapins/MMC_Certs -
    -
    - ADMX_MMCSnapins/MMC_CertsTemplate -
    -
    - ADMX_MMCSnapins/MMC_ComponentServices -
    -
    - ADMX_MMCSnapins/MMC_ComputerManagement -
    -
    - ADMX_MMCSnapins/MMC_ConnectionSharingNAT -
    -
    - ADMX_MMCSnapins/MMC_DCOMCFG -
    -
    - ADMX_MMCSnapins/MMC_DFS -
    -
    - ADMX_MMCSnapins/MMC_DHCPRelayMgmt -
    -
    - ADMX_MMCSnapins/MMC_DeviceManager_1 -
    -
    - ADMX_MMCSnapins/MMC_DeviceManager_2 -
    -
    - ADMX_MMCSnapins/MMC_DiskDefrag -
    -
    - ADMX_MMCSnapins/MMC_DiskMgmt -
    -
    - ADMX_MMCSnapins/MMC_EnterprisePKI -
    -
    - ADMX_MMCSnapins/MMC_EventViewer_1 -
    -
    - ADMX_MMCSnapins/MMC_EventViewer_2 -
    -
    - ADMX_MMCSnapins/MMC_EventViewer_3 -
    -
    - ADMX_MMCSnapins/MMC_EventViewer_4 -
    -
    - ADMX_MMCSnapins/MMC_FAXService -
    -
    - ADMX_MMCSnapins/MMC_FailoverClusters -
    -
    - ADMX_MMCSnapins/MMC_FolderRedirection_1 -
    -
    - ADMX_MMCSnapins/MMC_FolderRedirection_2 -
    -
    - ADMX_MMCSnapins/MMC_FrontPageExt -
    -
    - ADMX_MMCSnapins/MMC_GroupPolicyManagementSnapIn -
    -
    - ADMX_MMCSnapins/MMC_GroupPolicySnapIn -
    -
    - ADMX_MMCSnapins/MMC_GroupPolicyTab -
    -
    - ADMX_MMCSnapins/MMC_HRA -
    -
    - ADMX_MMCSnapins/MMC_IAS -
    -
    - ADMX_MMCSnapins/MMC_IASLogging -
    -
    - ADMX_MMCSnapins/MMC_IEMaintenance_1 -
    -
    - ADMX_MMCSnapins/MMC_IEMaintenance_2 -
    -
    - ADMX_MMCSnapins/MMC_IGMPRouting -
    -
    - ADMX_MMCSnapins/MMC_IIS -
    -
    - ADMX_MMCSnapins/MMC_IPRouting -
    -
    - ADMX_MMCSnapins/MMC_IPSecManage_GP -
    -
    - ADMX_MMCSnapins/MMC_IPXRIPRouting -
    -
    - ADMX_MMCSnapins/MMC_IPXRouting -
    -
    - ADMX_MMCSnapins/MMC_IPXSAPRouting -
    -
    - ADMX_MMCSnapins/MMC_IndexingService -
    -
    - ADMX_MMCSnapins/MMC_IpSecManage -
    -
    - ADMX_MMCSnapins/MMC_IpSecMonitor -
    -
    - ADMX_MMCSnapins/MMC_LocalUsersGroups -
    -
    - ADMX_MMCSnapins/MMC_LogicalMappedDrives -
    -
    - ADMX_MMCSnapins/MMC_NPSUI -
    -
    - ADMX_MMCSnapins/MMC_NapSnap -
    -
    - ADMX_MMCSnapins/MMC_NapSnap_GP -
    -
    - ADMX_MMCSnapins/MMC_Net_Framework -
    -
    - ADMX_MMCSnapins/MMC_OCSP -
    -
    - ADMX_MMCSnapins/MMC_OSPFRouting -
    -
    - ADMX_MMCSnapins/MMC_PerfLogsAlerts -
    -
    - ADMX_MMCSnapins/MMC_PublicKey -
    -
    - ADMX_MMCSnapins/MMC_QoSAdmission -
    -
    - ADMX_MMCSnapins/MMC_RAS_DialinUser -
    -
    - ADMX_MMCSnapins/MMC_RIPRouting -
    -
    - ADMX_MMCSnapins/MMC_RIS -
    -
    - ADMX_MMCSnapins/MMC_RRA -
    -
    - ADMX_MMCSnapins/MMC_RSM -
    -
    - ADMX_MMCSnapins/MMC_RemStore -
    -
    - ADMX_MMCSnapins/MMC_RemoteAccess -
    -
    - ADMX_MMCSnapins/MMC_RemoteDesktop -
    -
    - ADMX_MMCSnapins/MMC_ResultantSetOfPolicySnapIn -
    -
    - ADMX_MMCSnapins/MMC_Routing -
    -
    - ADMX_MMCSnapins/MMC_SCA -
    -
    - ADMX_MMCSnapins/MMC_SMTPProtocol -
    -
    - ADMX_MMCSnapins/MMC_SNMP -
    -
    - ADMX_MMCSnapins/MMC_ScriptsMachine_1 -
    -
    - ADMX_MMCSnapins/MMC_ScriptsMachine_2 -
    -
    - ADMX_MMCSnapins/MMC_ScriptsUser_1 -
    -
    - ADMX_MMCSnapins/MMC_ScriptsUser_2 -
    -
    - ADMX_MMCSnapins/MMC_SecuritySettings_1 -
    -
    - ADMX_MMCSnapins/MMC_SecuritySettings_2 -
    -
    - ADMX_MMCSnapins/MMC_SecurityTemplates -
    -
    - ADMX_MMCSnapins/MMC_SendConsoleMessage -
    -
    - ADMX_MMCSnapins/MMC_ServerManager -
    -
    - ADMX_MMCSnapins/MMC_ServiceDependencies -
    -
    - ADMX_MMCSnapins/MMC_Services -
    -
    - ADMX_MMCSnapins/MMC_SharedFolders -
    -
    - ADMX_MMCSnapins/MMC_SharedFolders_Ext -
    -
    - ADMX_MMCSnapins/MMC_SoftwareInstalationComputers_1 -
    -
    - ADMX_MMCSnapins/MMC_SoftwareInstalationComputers_2 -
    -
    - ADMX_MMCSnapins/MMC_SoftwareInstallationUsers_1 -
    -
    - ADMX_MMCSnapins/MMC_SoftwareInstallationUsers_2 -
    -
    - ADMX_MMCSnapins/MMC_SysInfo -
    -
    - ADMX_MMCSnapins/MMC_SysProp -
    -
    - ADMX_MMCSnapins/MMC_TPMManagement -
    -
    - ADMX_MMCSnapins/MMC_Telephony -
    -
    - ADMX_MMCSnapins/MMC_TerminalServices -
    -
    - ADMX_MMCSnapins/MMC_WMI -
    -
    - ADMX_MMCSnapins/MMC_WindowsFirewall -
    -
    - ADMX_MMCSnapins/MMC_WindowsFirewall_GP -
    -
    - ADMX_MMCSnapins/MMC_WiredNetworkPolicy -
    -
    - ADMX_MMCSnapins/MMC_WirelessMon -
    -
    - ADMX_MMCSnapins/MMC_WirelessNetworkPolicy -
    -
    - -### ADMX_MobilePCMobilityCenter policies -
    -
    - ADMX_MobilePCMobilityCenter/MobilityCenterEnable_1 -
    -
    - ADMX_MobilePCMobilityCenter/MobilityCenterEnable_2 -
    -
    - -### ADMX_MobilePCPresentationSettings policies -
    -
    - ADMX_MobilePCPresentationSettings/PresentationSettingsEnable_1 -
    -
    - ADMX_MobilePCPresentationSettings/PresentationSettingsEnable_2 -
    -
    - -### ADMX_MSAPolicy policies -
    -
    - ADMX_MSAPolicy/IncludeMicrosoftAccount_DisableUserAuthCmdLine -
    -
    - -### ADMX_msched policies - -
    -
    - ADMX_msched/ActivationBoundaryPolicy -
    -
    - ADMX_msched/RandomDelayPolicy -
    -
    - -### ADMX_MSDT policies - -
    -
    - ADMX_MSDT/MsdtSupportProvider -
    -
    - ADMX_MSDT/MsdtToolDownloadPolicy -
    -
    - ADMX_MSDT/WdiScenarioExecutionPolicy -
    -
    - -### ADMX_MSI policies - -
    -
    - ADMX_MSI/AllowLockdownBrowse -
    -
    - ADMX_MSI/AllowLockdownMedia -
    -
    - ADMX_MSI/AllowLockdownPatch -
    -
    - ADMX_MSI/DisableAutomaticApplicationShutdown -
    -
    - ADMX_MSI/DisableBrowse -
    -
    - ADMX_MSI/DisableFlyweightPatching -
    -
    - ADMX_MSI/DisableLoggingFromPackage -
    -
    - ADMX_MSI/DisableMSI -
    -
    - ADMX_MSI/DisableMedia -
    -
    - ADMX_MSI/DisablePatch -
    -
    - ADMX_MSI/DisableRollback_1 -
    -
    - ADMX_MSI/DisableRollback_2 -
    -
    - ADMX_MSI/DisableSharedComponent -
    -
    - ADMX_MSI/MSILogging -
    -
    - ADMX_MSI/MSI_DisableLUAPatching -
    -
    - ADMX_MSI/MSI_DisablePatchUninstall -
    -
    - ADMX_MSI/MSI_DisableSRCheckPoints -
    -
    - ADMX_MSI/MSI_DisableUserInstalls -
    -
    - ADMX_MSI/MSI_EnforceUpgradeComponentRules -
    -
    - ADMX_MSI/MSI_MaxPatchCacheSize -
    -
    - ADMX_MSI/MsiDisableEmbeddedUI -
    -
    - ADMX_MSI/SafeForScripting -
    -
    - ADMX_MSI/SearchOrder -
    -
    - ADMX_MSI/TransformsSecure -
    -
    - -### ADMX_MsiFileRecovery policies -
    -
    - ADMX_MsiFileRecovery/WdiScenarioExecutionPolicy -
    -
    - -### ADMX_nca policies -
    -
    - ADMX_nca/CorporateResources -
    -
    - ADMX_nca/CustomCommands -
    -
    - ADMX_nca/DTEs -
    -
    - ADMX_nca/FriendlyName -
    -
    - ADMX_nca/LocalNamesOn -
    -
    - ADMX_nca/PassiveMode -
    -
    - ADMX_nca/ShowUI -
    -
    - ADMX_nca/SupportEmail -
    -
    - -### ADMX_NCSI policies -
    -
    - ADMX_NCSI/NCSI_CorpDnsProbeContent -
    -
    - ADMX_NCSI/NCSI_CorpDnsProbeHost -
    -
    - ADMX_NCSI/NCSI_CorpSitePrefixes -
    -
    - ADMX_NCSI/NCSI_CorpWebProbeUrl -
    -
    - ADMX_NCSI/NCSI_DomainLocationDeterminationUrl -
    -
    - ADMX_NCSI/NCSI_GlobalDns -
    -
    - ADMX_NCSI/NCSI_PassivePolling -
    -
    - -### ADMX_Netlogon policies - -
    -
    - ADMX_Netlogon/Netlogon_AddressLookupOnPingBehavior -
    -
    - ADMX_Netlogon/Netlogon_AddressTypeReturned -
    -
    - ADMX_Netlogon/Netlogon_AllowDnsSuffixSearch -
    -
    - ADMX_Netlogon/Netlogon_AllowNT4Crypto -
    -
    - ADMX_Netlogon/Netlogon_AllowSingleLabelDnsDomain -
    -
    - ADMX_Netlogon/Netlogon_AutoSiteCoverage -
    -
    - ADMX_Netlogon/Netlogon_AvoidFallbackNetbiosDiscovery -
    -
    - ADMX_Netlogon/Netlogon_AvoidPdcOnWan -
    -
    - ADMX_Netlogon/Netlogon_BackgroundRetryInitialPeriod -
    -
    - ADMX_Netlogon/Netlogon_BackgroundRetryMaximumPeriod -
    -
    - ADMX_Netlogon/Netlogon_BackgroundRetryQuitTime -
    -
    - ADMX_Netlogon/Netlogon_BackgroundSuccessfulRefreshPeriod -
    -
    - ADMX_Netlogon/Netlogon_DebugFlag -
    -
    - ADMX_Netlogon/Netlogon_DnsAvoidRegisterRecords -
    -
    - ADMX_Netlogon/Netlogon_DnsRefreshInterval -
    -
    - ADMX_Netlogon/Netlogon_DnsSrvRecordUseLowerCaseHostNames -
    -
    - ADMX_Netlogon/Netlogon_DnsTtl -
    -
    - ADMX_Netlogon/Netlogon_ExpectedDialupDelay -
    -
    - ADMX_Netlogon/Netlogon_ForceRediscoveryInterval -
    -
    - ADMX_Netlogon/Netlogon_GcSiteCoverage -
    -
    - ADMX_Netlogon/Netlogon_IgnoreIncomingMailslotMessages -
    -
    - ADMX_Netlogon/Netlogon_LdapSrvPriority -
    -
    - ADMX_Netlogon/Netlogon_LdapSrvWeight -
    -
    - ADMX_Netlogon/Netlogon_MaximumLogFileSize -
    -
    - ADMX_Netlogon/Netlogon_NdncSiteCoverage -
    -
    - ADMX_Netlogon/Netlogon_NegativeCachePeriod -
    -
    - ADMX_Netlogon/Netlogon_NetlogonShareCompatibilityMode -
    -
    - ADMX_Netlogon/Netlogon_NonBackgroundSuccessfulRefreshPeriod -
    -
    - ADMX_Netlogon/Netlogon_PingUrgencyMode -
    -
    - ADMX_Netlogon/Netlogon_ScavengeInterval -
    -
    - ADMX_Netlogon/Netlogon_SiteCoverage -
    -
    - ADMX_Netlogon/Netlogon_SiteName -
    -
    - ADMX_Netlogon/Netlogon_SysvolShareCompatibilityMode -
    -
    - ADMX_Netlogon/Netlogon_TryNextClosestSite -
    -
    - ADMX_Netlogon/Netlogon_UseDynamicDns -
    -
    - -### ADMX_NetworkConnections policies - -
    -
    - ADMX_NetworkConnections/NC_AddRemoveComponents -
    -
    - ADMX_NetworkConnections/NC_AdvancedSettings -
    -
    - ADMX_NetworkConnections/NC_AllowAdvancedTCPIPConfig -
    -
    - ADMX_NetworkConnections/NC_ChangeBindState -
    -
    - ADMX_NetworkConnections/NC_DeleteAllUserConnection -
    -
    - ADMX_NetworkConnections/NC_DeleteConnection -
    -
    - ADMX_NetworkConnections/NC_DialupPrefs -
    -
    - ADMX_NetworkConnections/NC_DoNotShowLocalOnlyIcon -
    -
    - ADMX_NetworkConnections/NC_EnableAdminProhibits -
    -
    - ADMX_NetworkConnections/NC_ForceTunneling -
    -
    - ADMX_NetworkConnections/NC_IpStateChecking -
    -
    - ADMX_NetworkConnections/NC_LanChangeProperties -
    -
    - ADMX_NetworkConnections/NC_LanConnect -
    -
    - ADMX_NetworkConnections/NC_LanProperties -
    -
    - ADMX_NetworkConnections/NC_NewConnectionWizard -
    -
    - ADMX_NetworkConnections/NC_PersonalFirewallConfig -
    -
    - ADMX_NetworkConnections/NC_RasAllUserProperties -
    -
    - ADMX_NetworkConnections/NC_RasChangeProperties -
    -
    - ADMX_NetworkConnections/NC_RasConnect -
    -
    - ADMX_NetworkConnections/NC_RasMyProperties -
    -
    - ADMX_NetworkConnections/NC_RenameAllUserRasConnection -
    -
    - ADMX_NetworkConnections/NC_RenameConnection -
    -
    - ADMX_NetworkConnections/NC_RenameLanConnection -
    -
    - ADMX_NetworkConnections/NC_RenameMyRasConnection -
    -
    - ADMX_NetworkConnections/NC_ShowSharedAccessUI -
    -
    - ADMX_NetworkConnections/NC_Statistics -
    -
    - ADMX_NetworkConnections/NC_StdDomainUserSetLocation -
    -
    - -### ADMX_OfflineFiles policies - -
    - ADMX_OfflineFiles/Pol_AlwaysPinSubFolders -
    -
    - ADMX_OfflineFiles/Pol_AssignedOfflineFiles_1 -
    -
    - ADMX_OfflineFiles/Pol_AssignedOfflineFiles_2 -
    -
    - ADMX_OfflineFiles/Pol_BackgroundSyncSettings -
    -
    - ADMX_OfflineFiles/Pol_CacheSize -
    -
    - ADMX_OfflineFiles/Pol_CustomGoOfflineActions_1 -
    -
    - ADMX_OfflineFiles/Pol_CustomGoOfflineActions_2 -
    -
    - ADMX_OfflineFiles/Pol_DefCacheSize -
    -
    - ADMX_OfflineFiles/Pol_Enabled -
    -
    - ADMX_OfflineFiles/Pol_EncryptOfflineFiles -
    -
    - ADMX_OfflineFiles/Pol_EventLoggingLevel_1 -
    -
    - ADMX_OfflineFiles/Pol_EventLoggingLevel_2 -
    -
    - ADMX_OfflineFiles/Pol_ExclusionListSettings -
    -
    - ADMX_OfflineFiles/Pol_ExtExclusionList -
    -
    - ADMX_OfflineFiles/Pol_GoOfflineAction_1 -
    -
    - ADMX_OfflineFiles/Pol_GoOfflineAction_2 -
    -
    - ADMX_OfflineFiles/Pol_NoCacheViewer_1 -
    -
    - ADMX_OfflineFiles/Pol_NoCacheViewer_2 -
    -
    - ADMX_OfflineFiles/Pol_NoConfigCache_1 -
    -
    - ADMX_OfflineFiles/Pol_NoConfigCache_2 -
    -
    - ADMX_OfflineFiles/Pol_NoMakeAvailableOffline_1 -
    -
    - ADMX_OfflineFiles/Pol_NoMakeAvailableOffline_2 -
    -
    - ADMX_OfflineFiles/Pol_NoPinFiles_1 -
    -
    - ADMX_OfflineFiles/Pol_NoPinFiles_2 -
    -
    - ADMX_OfflineFiles/Pol_NoReminders_1 -
    -
    - ADMX_OfflineFiles/Pol_NoReminders_2 -
    -
    - ADMX_OfflineFiles/Pol_OnlineCachingSettings -
    -
    - ADMX_OfflineFiles/Pol_PurgeAtLogoff -
    -
    - ADMX_OfflineFiles/Pol_QuickAdimPin -
    -
    - ADMX_OfflineFiles/Pol_ReminderFreq_1 -
    -
    - ADMX_OfflineFiles/Pol_ReminderFreq_2 -
    -
    - ADMX_OfflineFiles/Pol_ReminderInitTimeout_1 -
    -
    - ADMX_OfflineFiles/Pol_ReminderInitTimeout_2 -
    -
    - ADMX_OfflineFiles/Pol_ReminderTimeout_1 -
    -
    - ADMX_OfflineFiles/Pol_ReminderTimeout_2 -
    -
    - ADMX_OfflineFiles/Pol_SlowLinkSettings -
    -
    - ADMX_OfflineFiles/Pol_SlowLinkSpeed -
    -
    - ADMX_OfflineFiles/Pol_SyncAtLogoff_1 -
    -
    - ADMX_OfflineFiles/Pol_SyncAtLogoff_2 -
    -
    - ADMX_OfflineFiles/Pol_SyncAtLogon_1 -
    -
    - ADMX_OfflineFiles/Pol_SyncAtLogon_2 -
    -
    - ADMX_OfflineFiles/Pol_SyncAtSuspend_1 -
    -
    - ADMX_OfflineFiles/Pol_SyncAtSuspend_2 -
    -
    - ADMX_OfflineFiles/Pol_SyncOnCostedNetwork -
    -
    - ADMX_OfflineFiles/Pol_WorkOfflineDisabled_1 -
    -
    - ADMX_OfflineFiles/Pol_WorkOfflineDisabled_2 -
    -
    - -### ADMX_pca policies - -
    -
    - ADMX_pca/DetectDeprecatedCOMComponentFailuresPolicy -
    -
    - ADMX_pca/DetectDeprecatedComponentFailuresPolicy -
    -
    - ADMX_pca/DetectInstallFailuresPolicy -
    -
    - ADMX_pca/DetectUndetectedInstallersPolicy -
    -
    - ADMX_pca/DetectUpdateFailuresPolicy -
    -
    - ADMX_pca/DisablePcaUIPolicy -
    -
    - ADMX_pca/DetectBlockedDriversPolicy -
    -
    - -### ADMX_PeerToPeerCaching policies - -
    -
    - ADMX_PeerToPeerCaching/EnableWindowsBranchCache -
    -
    - ADMX_PeerToPeerCaching/EnableWindowsBranchCache_Distributed -
    -
    - ADMX_PeerToPeerCaching/EnableWindowsBranchCache_Hosted -
    -
    - ADMX_PeerToPeerCaching/EnableWindowsBranchCache_HostedCacheDiscovery -
    -
    - ADMX_PeerToPeerCaching/EnableWindowsBranchCache_HostedMultipleServers -
    -
    - ADMX_PeerToPeerCaching/EnableWindowsBranchCache_SMB -
    -
    - ADMX_PeerToPeerCaching/SetCachePercent -
    -
    - ADMX_PeerToPeerCaching/SetDataCacheEntryMaxAge -
    -
    - ADMX_PeerToPeerCaching/SetDowngrading -
    -
    - -### ADMX_PenTraining policies - -
    -
    - ADMX_PenTraining/PenTrainingOff_1 -
    -
    - ADMX_PenTraining/PenTrainingOff_2 -
    -
    - -### ADMX_PerformanceDiagnostics policies - -
    -
    - ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_1 -
    -
    - ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_2 -
    -
    - ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_3 -
    -
    - ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_4 -
    -
    - -### ADMX_Power policies - -
    -
    - ADMX_Power/ACConnectivityInStandby_2 -
    -
    - ADMX_Power/ACCriticalSleepTransitionsDisable_2 -
    -
    - ADMX_Power/ACStartMenuButtonAction_2 -
    -
    - ADMX_Power/AllowSystemPowerRequestAC -
    -
    - ADMX_Power/AllowSystemPowerRequestDC -
    -
    - ADMX_Power/AllowSystemSleepWithRemoteFilesOpenAC -
    -
    - ADMX_Power/AllowSystemSleepWithRemoteFilesOpenDC -
    -
    - ADMX_Power/CustomActiveSchemeOverride_2 -
    -
    - ADMX_Power/DCBatteryDischargeAction0_2 -
    -
    - ADMX_Power/DCBatteryDischargeAction1_2 -
    -
    - ADMX_Power/DCBatteryDischargeLevel0_2 -
    -
    - ADMX_Power/DCBatteryDischargeLevel1UINotification_2 -
    -
    - ADMX_Power/DCBatteryDischargeLevel1_2 -
    -
    - ADMX_Power/DCConnectivityInStandby_2 -
    -
    - ADMX_Power/DCCriticalSleepTransitionsDisable_2 -
    -
    - ADMX_Power/DCStartMenuButtonAction_2 -
    -
    - ADMX_Power/DiskACPowerDownTimeOut_2 -
    -
    - ADMX_Power/DiskDCPowerDownTimeOut_2 -
    -
    - ADMX_Power/Dont_PowerOff_AfterShutdown -
    -
    - ADMX_Power/EnableDesktopSlideShowAC -
    -
    - ADMX_Power/EnableDesktopSlideShowDC -
    -
    - ADMX_Power/InboxActiveSchemeOverride_2 -
    -
    - ADMX_Power/PW_PromptPasswordOnResume -
    -
    - ADMX_Power/PowerThrottlingTurnOff -
    -
    - ADMX_Power/ReserveBatteryNotificationLevel -
    -
    - -### ADMX_PowerShellExecutionPolicy policies - -
    -
    - ADMX_PowerShellExecutionPolicy/EnableModuleLogging -
    -
    - ADMX_PowerShellExecutionPolicy/EnableScripts -
    -
    - ADMX_PowerShellExecutionPolicy/EnableTranscripting -
    -
    - ADMX_PowerShellExecutionPolicy/EnableUpdateHelpDefaultSourcePath -
    -
    - -### ADMX_PreviousVersions policies - -
    -
    - ADMX_PreviousVersions/DisableLocalPage_1 -
    -
    - ADMX_PreviousVersions/DisableLocalPage_2 -
    -
    - ADMX_PreviousVersions/DisableRemotePage_1 -
    -
    - ADMX_PreviousVersions/DisableRemotePage_2 -
    -
    - ADMX_PreviousVersions/HideBackupEntries_1 -
    -
    - ADMX_PreviousVersions/HideBackupEntries_2 -
    -
    - ADMX_PreviousVersions/DisableLocalRestore_1 -
    -
    - ADMX_PreviousVersions/DisableLocalRestore_2 -
    -
    - -### ADMX_Printing policies - -
    -
    - ADMX_Printing/AllowWebPrinting -
    -
    - ADMX_Printing/ApplicationDriverIsolation -
    -
    - ADMX_Printing/CustomizedSupportUrl -
    -
    - ADMX_Printing/DoNotInstallCompatibleDriverFromWindowsUpdate -
    -
    - ADMX_Printing/DomainPrinters -
    -
    - ADMX_Printing/DownlevelBrowse -
    -
    - ADMX_Printing/EMFDespooling -
    -
    - ADMX_Printing/ForceSoftwareRasterization -
    -
    - ADMX_Printing/IntranetPrintersUrl -
    -
    - ADMX_Printing/KMPrintersAreBlocked -
    -
    - ADMX_Printing/LegacyDefaultPrinterMode -
    -
    - ADMX_Printing/MXDWUseLegacyOutputFormatMSXPS -
    -
    - ADMX_Printing/NoDeletePrinter -
    -
    - ADMX_Printing/NonDomainPrinters -
    -
    - ADMX_Printing/PackagePointAndPrintOnly -
    -
    - ADMX_Printing/PackagePointAndPrintOnly_Win7 -
    -
    - ADMX_Printing/PackagePointAndPrintServerList -
    -
    - ADMX_Printing/PackagePointAndPrintServerList_Win7 -
    -
    - ADMX_Printing/PhysicalLocation -
    -
    - ADMX_Printing/PhysicalLocationSupport -
    -
    - ADMX_Printing/PrintDriverIsolationExecutionPolicy -
    -
    - ADMX_Printing/PrintDriverIsolationOverrideCompat -
    -
    - ADMX_Printing/PrinterDirectorySearchScope -
    -
    - ADMX_Printing/PrinterServerThread -
    -
    - ADMX_Printing/ShowJobTitleInEventLogs -
    -
    - ADMX_Printing/V4DriverDisallowPrinterExtension -
    -
    - -### ADMX_Printing2 policies - -
    -
    - ADMX_Printing2/AutoPublishing -
    -
    - ADMX_Printing2/ImmortalPrintQueue -
    -
    - ADMX_Printing2/PruneDownlevel -
    -
    - ADMX_Printing2/PruningInterval -
    -
    - ADMX_Printing2/PruningPriority -
    -
    - ADMX_Printing2/PruningRetries -
    -
    - ADMX_Printing2/PruningRetryLog -
    -
    - ADMX_Printing2/RegisterSpoolerRemoteRpcEndPoint -
    -
    - ADMX_Printing2/VerifyPublishedState -
    -
    - -### ADMX_Programs policies - -
    -
    - ADMX_Programs/NoDefaultPrograms -
    -
    - ADMX_Programs/NoGetPrograms -
    -
    - ADMX_Programs/NoInstalledUpdates -
    -
    - ADMX_Programs/NoProgramsAndFeatures -
    -
    - ADMX_Programs/NoProgramsCPL -
    -
    - ADMX_Programs/NoWindowsFeatures -
    -
    - ADMX_Programs/NoWindowsMarketplace -
    -
    - -### ADMX_Reliability policies - -
    -
    - ADMX_Reliability/EE_EnablePersistentTimeStamp -
    -
    - ADMX_Reliability/PCH_ReportShutdownEvents -
    -
    - ADMX_Reliability/ShutdownEventTrackerStateFile -
    -
    - ADMX_Reliability/ShutdownReason -
    -
    - -### ADMX_RemoteAssistance policies - -
    -
    - ADMX_RemoteAssistance/RA_EncryptedTicketOnly -
    -
    - ADMX_RemoteAssistance/RA_Optimize_Bandwidth -
    -
    - -### ADMX_RemovableStorage policies - -
    -
    - ADMX_RemovableStorage/AccessRights_RebootTime_1 -
    -
    - ADMX_RemovableStorage/AccessRights_RebootTime_2 -
    -
    - ADMX_RemovableStorage/CDandDVD_DenyExecute_Access_2 -
    -
    - ADMX_RemovableStorage/CDandDVD_DenyRead_Access_1 -
    -
    - ADMX_RemovableStorage/CDandDVD_DenyRead_Access_2 -
    -
    - ADMX_RemovableStorage/CDandDVD_DenyWrite_Access_1 -
    -
    - ADMX_RemovableStorage/CDandDVD_DenyWrite_Access_2 -
    -
    - ADMX_RemovableStorage/CustomClasses_DenyRead_Access_1 -
    -
    - ADMX_RemovableStorage/CustomClasses_DenyRead_Access_2 -
    -
    - ADMX_RemovableStorage/CustomClasses_DenyWrite_Access_1 -
    -
    - ADMX_RemovableStorage/CustomClasses_DenyWrite_Access_2 -
    -
    - ADMX_RemovableStorage/FloppyDrives_DenyExecute_Access_2 -
    -
    - ADMX_RemovableStorage/FloppyDrives_DenyRead_Access_1 -
    -
    - ADMX_RemovableStorage/FloppyDrives_DenyRead_Access_2 -
    -
    - ADMX_RemovableStorage/FloppyDrives_DenyWrite_Access_1 -
    -
    - ADMX_RemovableStorage/FloppyDrives_DenyWrite_Access_2 -
    -
    - ADMX_RemovableStorage/RemovableDisks_DenyExecute_Access_2 -
    -
    - ADMX_RemovableStorage/RemovableDisks_DenyRead_Access_1 -
    -
    - ADMX_RemovableStorage/RemovableDisks_DenyRead_Access_2 -
    -
    - ADMX_RemovableStorage/RemovableDisks_DenyWrite_Access_1 -
    -
    - ADMX_RemovableStorage/RemovableStorageClasses_DenyAll_Access_1 -
    -
    - ADMX_RemovableStorage/RemovableStorageClasses_DenyAll_Access_2 -
    -
    - ADMX_RemovableStorage/Removable_Remote_Allow_Access -
    -
    - ADMX_RemovableStorage/TapeDrives_DenyExecute_Access_2 -
    -
    - ADMX_RemovableStorage/TapeDrives_DenyRead_Access_1 -
    -
    - ADMX_RemovableStorage/TapeDrives_DenyRead_Access_2 -
    -
    - ADMX_RemovableStorage/TapeDrives_DenyWrite_Access_1 -
    -
    - ADMX_RemovableStorage/TapeDrives_DenyWrite_Access_2 -
    -
    - ADMX_RemovableStorage/WPDDevices_DenyRead_Access_1 -
    -
    - ADMX_RemovableStorage/WPDDevices_DenyRead_Access_2 -
    -
    - ADMX_RemovableStorage/WPDDevices_DenyWrite_Access_1 -
    -
    - ADMX_RemovableStorage/WPDDevices_DenyWrite_Access_2 -
    -
    - -### ADMX_RPC policies - -
    -
    - ADMX_RPC/RpcExtendedErrorInformation -
    -
    - ADMX_RPC/RpcIgnoreDelegationFailure -
    -
    - ADMX_RPC/RpcMinimumHttpConnectionTimeout -
    -
    - ADMX_RPC/RpcStateInformation -
    -
    - -### ADMX_Scripts policies - -
    -
    - ADMX_Scripts/Allow_Logon_Script_NetbiosDisabled -
    -
    - ADMX_Scripts/MaxGPOScriptWaitPolicy -
    -
    - ADMX_Scripts/Run_Computer_PS_Scripts_First -
    -
    - ADMX_Scripts/Run_Legacy_Logon_Script_Hidden -
    -
    - ADMX_Scripts/Run_Logoff_Script_Visible -
    -
    - ADMX_Scripts/Run_Logon_Script_Sync_1 -
    -
    - ADMX_Scripts/Run_Logon_Script_Sync_2 -
    -
    - ADMX_Scripts/Run_Logon_Script_Visible -
    -
    - ADMX_Scripts/Run_Shutdown_Script_Visible -
    -
    - ADMX_Scripts/Run_Startup_Script_Sync -
    -
    - ADMX_Scripts/Run_Startup_Script_Visible -
    -
    - ADMX_Scripts/Run_User_PS_Scripts_First -
    -
    - -### ADMX_sdiagschd policies - -
    -
    - ADMX_sdiagschd/ScheduledDiagnosticsExecutionPolicy -
    -
    - -### ADMX_sdiageng policies - -
    -
    - ADMX_sdiageng/BetterWhenConnected -
    -
    - ADMX_sdiageng/ScriptedDiagnosticsExecutionPolicy -
    -
    - ADMX_sdiageng/ScriptedDiagnosticsSecurityPolicy -
    -
    - -### ADMX_Securitycenter policies - -
    -
    - ADMX_Securitycenter/SecurityCenter_SecurityCenterInDomain -
    -
    - -### ADMX_Sensors policies - -
    -
    - ADMX_Sensors/DisableLocationScripting_1 -
    -
    - ADMX_Sensors/DisableLocationScripting_2 -
    -
    - ADMX_Sensors/DisableLocation_1 -
    -
    - ADMX_Sensors/DisableSensors_1 -
    -
    - ADMX_Sensors/DisableSensors_2 -
    -
    - -### ADMX_ServerManager policies - -
    -
    - ADMX_ServerManager/Do_not_display_Manage_Your_Server_page -
    -
    - ADMX_ServerManager/ServerManagerAutoRefreshRate -
    -
    - ADMX_ServerManager/DoNotLaunchInitialConfigurationTasks -
    -
    - ADMX_ServerManager/DoNotLaunchServerManager -
    -
    - -### ADMX_Servicing policies - -
    -
    - ADMX_Servicing/Servicing -
    -
    - -### ADMX_SettingSync policies - -
    -
    - ADMX_SettingSync/DisableAppSyncSettingSync -
    -
    - ADMX_SettingSync/DisableApplicationSettingSync -
    -
    - ADMX_SettingSync/DisableCredentialsSettingSync -
    -
    - ADMX_SettingSync/DisableDesktopThemeSettingSync -
    -
    - ADMX_SettingSync/DisablePersonalizationSettingSync -
    -
    - ADMX_SettingSync/DisableSettingSync -
    -
    - ADMX_SettingSync/DisableStartLayoutSettingSync -
    -
    - ADMX_SettingSync/DisableSyncOnPaidNetwork -
    -
    - ADMX_SettingSync/DisableWindowsSettingSync -
    -
    - -### ADMX_SharedFolders policies - -
    -
    - ADMX_SharedFolders/PublishDfsRoots -
    -
    - ADMX_SharedFolders/PublishSharedFolders -
    -
    - -### ADMX_Sharing policies - -
    -
    - ADMX_Sharing/NoInplaceSharing -
    -
    - -### ADMX_ShellCommandPromptRegEditTools policies - -
    -
    - ADMX_ShellCommandPromptRegEditTools/DisallowApps -
    -
    - ADMX_ShellCommandPromptRegEditTools/DisableRegedit -
    -
    - ADMX_ShellCommandPromptRegEditTools/DisableCMD -
    -
    - ADMX_ShellCommandPromptRegEditTools/RestrictApps -
    -
    - -### ADMX_Smartcard policies - -
    -
    - ADMX_Smartcard/AllowCertificatesWithNoEKU -
    -
    - ADMX_Smartcard/AllowIntegratedUnblock -
    -
    - ADMX_Smartcard/AllowSignatureOnlyKeys -
    -
    - ADMX_Smartcard/AllowTimeInvalidCertificates -
    -
    - ADMX_Smartcard/CertPropEnabledString -
    -
    - ADMX_Smartcard/CertPropRootCleanupString -
    -
    - ADMX_Smartcard/CertPropRootEnabledString -
    -
    - ADMX_Smartcard/DisallowPlaintextPin -
    -
    - ADMX_Smartcard/EnumerateECCCerts -
    -
    - ADMX_Smartcard/FilterDuplicateCerts -
    -
    - ADMX_Smartcard/ForceReadingAllCertificates -
    -
    - ADMX_Smartcard/IntegratedUnblockPromptString -
    -
    - ADMX_Smartcard/ReverseSubject -
    -
    - ADMX_Smartcard/SCPnPEnabled -
    -
    - ADMX_Smartcard/SCPnPNotification -
    -
    - ADMX_Smartcard/X509HintsNeeded -
    -
    - -### ADMX_Snmp policies - -
    -
    - ADMX_Snmp/SNMP_Communities -
    -
    - ADMX_Snmp/SNMP_PermittedManagers -
    -
    - ADMX_Snmp/SNMP_Traps_Public -
    -
    -
    -
    - -### ADMX_StartMenu policies - -
    -
    - ADMX_StartMenu/AddSearchInternetLinkInStartMenu -
    -
    - ADMX_StartMenu/ClearRecentDocsOnExit -
    -
    - ADMX_StartMenu/ClearRecentProgForNewUserInStartMenu -
    -
    - ADMX_StartMenu/ClearTilesOnExit -
    -
    - ADMX_StartMenu/DesktopAppsFirstInAppsView -
    -
    - ADMX_StartMenu/DisableGlobalSearchOnAppsView -
    -
    - ADMX_StartMenu/ForceStartMenuLogOff -
    -
    - ADMX_StartMenu/GoToDesktopOnSignIn -
    -
    - ADMX_StartMenu/GreyMSIAds -
    -
    - ADMX_StartMenu/HidePowerOptions -
    -
    - ADMX_StartMenu/Intellimenus -
    -
    - ADMX_StartMenu/LockTaskbar -
    -
    - ADMX_StartMenu/MemCheckBoxInRunDlg -
    -
    - ADMX_StartMenu/NoAutoTrayNotify -
    -
    - ADMX_StartMenu/NoBalloonTip -
    -
    - ADMX_StartMenu/NoChangeStartMenu -
    -
    - ADMX_StartMenu/NoClose -
    -
    - ADMX_StartMenu/NoCommonGroups -
    -
    - ADMX_StartMenu/NoFavoritesMenu -
    -
    - ADMX_StartMenu/NoFind -
    -
    - ADMX_StartMenu/NoGamesFolderOnStartMenu -
    -
    - ADMX_StartMenu/NoHelp -
    -
    - ADMX_StartMenu/NoInstrumentation -
    -
    - ADMX_StartMenu/NoMoreProgramsList -
    -
    - ADMX_StartMenu/NoNetAndDialupConnect -
    -
    - ADMX_StartMenu/NoPinnedPrograms -
    -
    - ADMX_StartMenu/NoRecentDocsMenu -
    -
    - ADMX_StartMenu/NoResolveSearch -
    -
    - ADMX_StartMenu/NoResolveTrack -
    -
    - ADMX_StartMenu/NoRun -
    -
    - ADMX_StartMenu/NoSMConfigurePrograms -
    -
    - ADMX_StartMenu/NoSMMyDocuments -
    -
    - ADMX_StartMenu/NoSMMyMusic -
    -
    - ADMX_StartMenu/NoSMMyNetworkPlaces -
    -
    - ADMX_StartMenu/NoSMMyPictures -
    -
    - ADMX_StartMenu/NoSearchCommInStartMenu -
    -
    - ADMX_StartMenu/NoSearchComputerLinkInStartMenu -
    -
    - ADMX_StartMenu/NoSearchEverywhereLinkInStartMenu -
    -
    - ADMX_StartMenu/NoSearchFilesInStartMenu -
    -
    - ADMX_StartMenu/NoSearchInternetInStartMenu -
    -
    - ADMX_StartMenu/NoSearchProgramsInStartMenu -
    -
    - ADMX_StartMenu/NoSetFolders -
    -
    - ADMX_StartMenu/NoSetTaskbar -
    -
    - ADMX_StartMenu/NoStartMenuDownload -
    -
    - ADMX_StartMenu/NoStartMenuHomegroup -
    -
    - ADMX_StartMenu/NoStartMenuRecordedTV -
    -
    - ADMX_StartMenu/NoStartMenuSubFolders -
    -
    - ADMX_StartMenu/NoStartMenuVideos -
    -
    - ADMX_StartMenu/NoStartPage -
    -
    - ADMX_StartMenu/NoTaskBarClock -
    -
    - ADMX_StartMenu/NoTaskGrouping -
    -
    - ADMX_StartMenu/NoToolbarsOnTaskbar -
    -
    - ADMX_StartMenu/NoTrayContextMenu -
    -
    - ADMX_StartMenu/NoTrayItemsDisplay -
    -
    - ADMX_StartMenu/NoUninstallFromStart -
    -
    - ADMX_StartMenu/NoUserFolderOnStartMenu -
    -
    - ADMX_StartMenu/NoUserNameOnStartMenu -
    -
    - ADMX_StartMenu/NoWindowsUpdate -
    -
    - ADMX_StartMenu/PowerButtonAction -
    -
    - ADMX_StartMenu/QuickLaunchEnabled -
    -
    - ADMX_StartMenu/RemoveUnDockPCButton -
    -
    - ADMX_StartMenu/ShowAppsViewOnStart -
    -
    - ADMX_StartMenu/ShowRunAsDifferentUserInStart -
    -
    - ADMX_StartMenu/ShowRunInStartMenu -
    -
    - ADMX_StartMenu/ShowStartOnDisplayWithForegroundOnWinKey -
    -
    - ADMX_StartMenu/StartMenuLogOff -
    -
    - ADMX_StartMenu/StartPinAppsWhenInstalled -
    -
    - -### ADMX_SystemRestore policies - -
    -
    - ADMX_SystemRestore/SR_DisableConfig -
    -
    - -### ADMX_TabletShell policies - -
    -
    - ADMX_TabletShell/DisableInkball_1 -
    -
    - ADMX_TabletShell/DisableNoteWriterPrinting_1 -
    -
    - -### ADMX_Taskbar policies - -
    -
    - ADMX_Taskbar/DisableNotificationCenter -
    -
    - ADMX_Taskbar/EnableLegacyBalloonNotifications -
    -
    - ADMX_Taskbar/HideSCAHealth -
    -
    - ADMX_Taskbar/HideSCANetwork -
    -
    - ADMX_Taskbar/HideSCAPower -
    -
    - ADMX_Taskbar/HideSCAVolume -
    -
    - ADMX_Taskbar/NoBalloonFeatureAdvertisements -
    -
    - ADMX_Taskbar/NoPinningStoreToTaskbar -
    -
    - ADMX_Taskbar/NoPinningToDestinations -
    -
    - ADMX_Taskbar/NoPinningToTaskbar -
    -
    - ADMX_Taskbar/NoRemoteDestinations -
    -
    - ADMX_Taskbar/NoSystraySystemPromotion -
    -
    - ADMX_Taskbar/ShowWindowsStoreAppsOnTaskbar -
    -
    - ADMX_Taskbar/TaskbarLockAll -
    -
    - ADMX_Taskbar/TaskbarNoAddRemoveToolbar -
    -
    - ADMX_Taskbar/TaskbarNoDragToolbar -
    -
    - ADMX_Taskbar/TaskbarNoMultimon -
    -
    - ADMX_Taskbar/TaskbarNoNotification -
    -
    - ADMX_Taskbar/TaskbarNoPinnedList -
    -
    - ADMX_Taskbar/TaskbarNoRedock -
    -
    - ADMX_Taskbar/TaskbarNoResize -
    -
    - ADMX_Taskbar/TaskbarNoThumbnail -
    -
    - -### ADMX_tcpip policies - -
    -
    - ADMX_tcpip/6to4_Router_Name -
    -
    - ADMX_tcpip/6to4_Router_Name_Resolution_Interval -
    -
    - ADMX_tcpip/6to4_State -
    -
    - ADMX_tcpip/IPHTTPS_ClientState -
    -
    - ADMX_tcpip/IP_Stateless_Autoconfiguration_Limits_State -
    -
    - ADMX_tcpip/ISATAP_Router_Name -
    -
    - ADMX_tcpip/ISATAP_State -
    -
    - ADMX_tcpip/Teredo_Client_Port -
    -
    - ADMX_tcpip/Teredo_Default_Qualified -
    -
    - ADMX_tcpip/Teredo_Refresh_Rate -
    -
    - ADMX_tcpip/Teredo_Server_Name -
    -
    - ADMX_tcpip/Teredo_State -
    -
    - ADMX_tcpip/Windows_Scaling_Heuristics_State -
    -
    - -### ADMX_TerminalServer policies - -
    -
    - ADMX_TerminalServer/TS_AUTO_RECONNECT -
    -
    - ADMX_TerminalServer/TS_CAMERA_REDIRECTION -
    -
    - ADMX_TerminalServer/TS_CERTIFICATE_TEMPLATE_POLICY -
    -
    - ADMX_TerminalServer/TS_CLIENT_ALLOW_SIGNED_FILES_1 -
    -
    - ADMX_TerminalServer/TS_CLIENT_ALLOW_SIGNED_FILES_2 -
    -
    - ADMX_TerminalServer/TS_CLIENT_ALLOW_UNSIGNED_FILES_1 -
    -
    - ADMX_TerminalServer/TS_CLIENT_ALLOW_UNSIGNED_FILES_2 -
    -
    - ADMX_TerminalServer/TS_CLIENT_AUDIO -
    -
    - ADMX_TerminalServer/TS_CLIENT_AUDIO_CAPTURE -
    -
    - ADMX_TerminalServer/TS_CLIENT_AUDIO_QUALITY -
    -
    - ADMX_TerminalServer/TS_CLIENT_CLIPBOARD -
    -
    - ADMX_TerminalServer/TS_CLIENT_COM -
    -
    - ADMX_TerminalServer/TS_CLIENT_DEFAULT_M -
    -
    - ADMX_TerminalServer/TS_CLIENT_DISABLE_HARDWARE_MODE -
    -
    - ADMX_TerminalServer/TS_CLIENT_DISABLE_PASSWORD_SAVING_1 -
    -
    - ADMX_TerminalServer/TS_CLIENT_LPT -
    -
    - ADMX_TerminalServer/TS_CLIENT_PNP -
    -
    - ADMX_TerminalServer/TS_CLIENT_PRINTER -
    -
    - ADMX_TerminalServer/TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_1 -
    -
    - ADMX_TerminalServer/TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_2 -
    -
    - ADMX_TerminalServer/TS_CLIENT_TURN_OFF_UDP -
    -
    - ADMX_TerminalServer/TS_COLORDEPTH -
    -
    - ADMX_TerminalServer/TS_DELETE_ROAMING_USER_PROFILES -
    -
    - ADMX_TerminalServer/TS_DISABLE_REMOTE_DESKTOP_WALLPAPER -
    -
    - ADMX_TerminalServer/TS_DX_USE_FULL_HWGPU -
    -
    - ADMX_TerminalServer/TS_EASY_PRINT -
    -
    - ADMX_TerminalServer/TS_EASY_PRINT_User -
    -
    - ADMX_TerminalServer/TS_EnableVirtualGraphics -
    -
    - ADMX_TerminalServer/TS_FALLBACKPRINTDRIVERTYPE -
    -
    - ADMX_TerminalServer/TS_FORCIBLE_LOGOFF -
    -
    - ADMX_TerminalServer/TS_GATEWAY_POLICY_ENABLE -
    -
    - ADMX_TerminalServer/TS_GATEWAY_POLICY_AUTH_METHOD -
    -
    - ADMX_TerminalServer/TS_GATEWAY_POLICY_SERVER -
    -
    - ADMX_TerminalServer/TS_JOIN_SESSION_DIRECTORY -
    -
    - ADMX_TerminalServer/TS_KEEP_ALIVE -
    -
    - ADMX_TerminalServer/TS_LICENSE_SECGROUP -
    -
    - ADMX_TerminalServer/TS_LICENSE_SERVERS -
    -
    - ADMX_TerminalServer/TS_LICENSE_TOOLTIP -
    -
    - ADMX_TerminalServer/TS_LICENSING_MODE -
    -
    - ADMX_TerminalServer/TS_MAX_CON_POLICY -
    -
    - ADMX_TerminalServer/TS_MAXDISPLAYRES -
    -
    - ADMX_TerminalServer/TS_MAXMONITOR -
    -
    - ADMX_TerminalServer/TS_NoDisconnectMenu -
    -
    - ADMX_TerminalServer/TS_NoSecurityMenu -
    -
    - ADMX_TerminalServer/TS_PreventLicenseUpgrade -
    -
    - ADMX_TerminalServer/TS_PROMT_CREDS_CLIENT_COMP -
    -
    - ADMX_TerminalServer/TS_RADC_DefaultConnection -
    -
    - ADMX_TerminalServer/TS_RDSAppX_WaitForRegistration -
    -
    - ADMX_TerminalServer/TS_RemoteControl_1 -
    -
    - ADMX_TerminalServer/TS_RemoteControl_2 -
    -
    - ADMX_TerminalServer/TS_RemoteDesktopVirtualGraphics -
    -
    - ADMX_TerminalServer/TS_SD_ClustName -
    -
    - ADMX_TerminalServer/TS_SD_EXPOSE_ADDRESS -
    -
    - ADMX_TerminalServer/TS_SD_Loc -
    -
    - ADMX_TerminalServer/TS_SECURITY_LAYER_POLICY -
    -
    - ADMX_TerminalServer/TS_SELECT_NETWORK_DETECT -
    -
    - ADMX_TerminalServer/TS_SELECT_TRANSPORT -
    -
    - ADMX_TerminalServer/TS_SERVER_ADVANCED_REMOTEFX_REMOTEAPP -
    -
    - ADMX_TerminalServer/TS_SERVER_AUTH -
    -
    - ADMX_TerminalServer/TS_SERVER_AVC_HW_ENCODE_PREFERRED -
    -
    - ADMX_TerminalServer/TS_SERVER_AVC444_MODE_PREFERRED -
    -
    - ADMX_TerminalServer/TS_SERVER_COMPRESSOR -
    -
    - ADMX_TerminalServer/TS_SERVER_IMAGE_QUALITY -
    -
    - ADMX_TerminalServer/TS_SERVER_LEGACY_RFX -
    -
    - ADMX_TerminalServer/TS_SERVER_PROFILE -
    -
    - ADMX_TerminalServer/TS_SERVER_VISEXP -
    -
    - ADMX_TerminalServer/TS_SERVER_WDDM_GRAPHICS_DRIVER -
    -
    - ADMX_TerminalServer/TS_Session_End_On_Limit_1 -
    -
    - ADMX_TerminalServer/TS_Session_End_On_Limit_2 -
    -
    - ADMX_TerminalServer/TS_SESSIONS_Disconnected_Timeout_1 -
    -
    - ADMX_TerminalServer/TS_SESSIONS_Disconnected_Timeout_2 -
    - ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_1 - -
    - ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_2 -
    -
    - ADMX_TerminalServer/TS_SINGLE_SESSION -
    -
    - ADMX_TerminalServer/TS_SMART_CARD -
    -
    - ADMX_TerminalServer/TS_START_PROGRAM_1 -
    -
    - ADMX_TerminalServer/TS_START_PROGRAM_2 -
    -
    - ADMX_TerminalServer/TS_TEMP_DELETE -
    -
    - ADMX_TerminalServer/TS_TEMP_PER_SESSION -
    -
    - ADMX_TerminalServer/TS_TIME_ZONE -
    -
    - ADMX_TerminalServer/TS_TSCC_PERMISSIONS_POLICY -
    -
    - ADMX_TerminalServer/TS_TURNOFF_SINGLEAPP -
    -
    - ADMX_TerminalServer/TS_UIA -
    -
    - ADMX_TerminalServer/TS_USB_REDIRECTION_DISABLE -
    -
    - ADMX_TerminalServer/TS_USER_AUTHENTICATION_POLICY -
    -
    - ADMX_TerminalServer/TS_USER_HOME -
    -
    - ADMX_TerminalServer/TS_USER_MANDATORY_PROFILES -
    -
    - ADMX_TerminalServer/TS_USER_PROFILES -
    -
    - -### ADMX_Thumbnails policies - -
    -
    - ADMX_Thumbnails/DisableThumbnails -
    -
    - ADMX_Thumbnails/DisableThumbnailsOnNetworkFolders -
    -
    - ADMX_Thumbnails/DisableThumbsDBOnNetworkFolders -
    -
    - -### ADMX_TouchInput policies - -
    -
    - ADMX_TouchInput/TouchInputOff_1 -
    -
    - ADMX_TouchInput/TouchInputOff_2 -
    -
    - ADMX_TouchInput/PanningEverywhereOff_1 -
    -
    - ADMX_TouchInput/PanningEverywhereOff_2 -
    -
    - -### ADMX_TPM policies - -
    -
    - ADMX_TPM/BlockedCommandsList_Name -
    -
    - ADMX_TPM/ClearTPMIfNotReady_Name -
    -
    - ADMX_TPM/IgnoreDefaultList_Name -
    -
    - ADMX_TPM/IgnoreLocalList_Name -
    -
    - ADMX_TPM/OSManagedAuth_Name -
    -
    - ADMX_TPM/OptIntoDSHA_Name -
    -
    - ADMX_TPM/StandardUserAuthorizationFailureDuration_Name -
    -
    - ADMX_TPM/StandardUserAuthorizationFailureIndividualThreshold_Name -
    -
    - ADMX_TPM/StandardUserAuthorizationFailureTotalThreshold_Name -
    -
    - ADMX_TPM/UseLegacyDAP_Name -
    -
    - -### ADMX_UserExperienceVirtualization policies - -
    -
    - ADMX_UserExperienceVirtualization/Calculator -
    -
    - ADMX_UserExperienceVirtualization/ConfigureSyncMethod -
    -
    - ADMX_UserExperienceVirtualization/ConfigureVdi -
    -
    - ADMX_UserExperienceVirtualization/ContactITDescription -
    -
    - ADMX_UserExperienceVirtualization/ContactITUrl -
    -
    - ADMX_UserExperienceVirtualization/DisableWin8Sync -
    -
    - ADMX_UserExperienceVirtualization/DisableWindowsOSSettings -
    -
    - ADMX_UserExperienceVirtualization/EnableUEV -
    -
    - ADMX_UserExperienceVirtualization/Finance -
    -
    - ADMX_UserExperienceVirtualization/FirstUseNotificationEnabled -
    -
    - ADMX_UserExperienceVirtualization/Games -
    -
    - ADMX_UserExperienceVirtualization/InternetExplorer8 -
    -
    - ADMX_UserExperienceVirtualization/InternetExplorer9 -
    -
    - ADMX_UserExperienceVirtualization/InternetExplorer10 -
    -
    - ADMX_UserExperienceVirtualization/InternetExplorer11 -
    -
    - ADMX_UserExperienceVirtualization/InternetExplorerCommon -
    -
    - ADMX_UserExperienceVirtualization/Maps -
    -
    - ADMX_UserExperienceVirtualization/MaxPackageSizeInBytes -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2010Access -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2010Common -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2010Excel -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2010InfoPath -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2010Lync -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2010OneNote -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2010Outlook -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2010PowerPoint -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2010Project -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2010Publisher -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2010SharePointDesigner -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2010SharePointWorkspace -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2010Visio -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2010Word -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013Access -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013AccessBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013Common -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013CommonBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013Excel -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013ExcelBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013InfoPath -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013InfoPathBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013Lync -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013LyncBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013OneDriveForBusiness -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013OneNote -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013OneNoteBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013Outlook -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013OutlookBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013PowerPoint -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013PowerPointBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013Project -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013ProjectBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013Publisher -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013PublisherBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013SharePointDesigner -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013SharePointDesignerBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013UploadCenter -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013Visio -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013VisioBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013Word -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013WordBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016Access -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016AccessBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016Common -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016CommonBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016Excel -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016ExcelBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016Lync -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016LyncBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016OneDriveForBusiness -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016OneNote -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016OneNoteBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016Outlook -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016OutlookBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016PowerPoint -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016PowerPointBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016Project -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016ProjectBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016Publisher -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016PublisherBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016UploadCenter -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016Visio -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016VisioBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016Word -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016WordBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365Access2013 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365Access2016 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365Common2013 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365Common2016 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365Excel2013 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365Excel2016 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365InfoPath2013 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365Lync2013 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365Lync2016 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365OneNote2013 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365OneNote2016 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365Outlook2013 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365Outlook2016 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365PowerPoint2013 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365PowerPoint2016 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365Project2013 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365Project2016 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365Publisher2013 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365Publisher2016 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365SharePointDesigner2013 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365Visio2013 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365Visio2016 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365Word2013 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365Word2016 -
    -
    - ADMX_UserExperienceVirtualization/Music -
    -
    - ADMX_UserExperienceVirtualization/News -
    -
    - ADMX_UserExperienceVirtualization/Notepad -
    -
    - ADMX_UserExperienceVirtualization/Reader -
    -
    - ADMX_UserExperienceVirtualization/RepositoryTimeout -
    -
    - ADMX_UserExperienceVirtualization/SettingsStoragePath -
    -
    - ADMX_UserExperienceVirtualization/SettingsTemplateCatalogPath -
    -
    - ADMX_UserExperienceVirtualization/Sports -
    -
    - ADMX_UserExperienceVirtualization/SyncEnabled -
    -
    - ADMX_UserExperienceVirtualization/SyncOverMeteredNetwork -
    -
    - ADMX_UserExperienceVirtualization/SyncOverMeteredNetworkWhenRoaming -
    -
    - ADMX_UserExperienceVirtualization/SyncProviderPingEnabled -
    -
    - ADMX_UserExperienceVirtualization/SyncUnlistedWindows8Apps -
    -
    - ADMX_UserExperienceVirtualization/Travel -
    -
    - ADMX_UserExperienceVirtualization/TrayIconEnabled -
    -
    - ADMX_UserExperienceVirtualization/Video -
    -
    - ADMX_UserExperienceVirtualization/Weather -
    -
    - ADMX_UserExperienceVirtualization/Wordpad -
    -
    - -### ADMX_UserProfiles policies - -
    -
    - ADMX_UserProfiles/CleanupProfiles -
    -
    - ADMX_UserProfiles/DontForceUnloadHive -
    -
    - ADMX_UserProfiles/LeaveAppMgmtData -
    -
    - ADMX_UserProfiles/LimitSize -
    -
    - ADMX_UserProfiles/ProfileErrorAction -
    -
    - ADMX_UserProfiles/SlowLinkTimeOut -
    -
    - ADMX_UserProfiles/USER_HOME -
    -
    - ADMX_UserProfiles/UserInfoAccessAction -
    -
    - -### ADMX_W32Time policies - -
    -
    - ADMX_W32Time/W32TIME_POLICY_CONFIG -
    -
    - ADMX_W32Time/W32TIME_POLICY_CONFIGURE_NTPCLIENT -
    -
    - ADMX_W32Time/W32TIME_POLICY_ENABLE_NTPCLIENT -
    -
    - ADMX_W32Time/W32TIME_POLICY_ENABLE_NTPSERVER -
    -
    - -### ADMX_WCM policies - -
    -
    - ADMX_WCM/WCM_DisablePowerManagement -
    -
    - ADMX_WCM/WCM_EnableSoftDisconnect -
    -
    - ADMX_WCM/WCM_MinimizeConnections -
    -
    - -### ADMX_WDI Policies - -
    -
    - ADMX_WDI/WdiDpsScenarioExecutionPolicy -
    -
    - ADMX_WDI/WdiDpsScenarioDataSizeLimitPolicy -
    -
    - -### ADMX_WinCal policies - -
    -
    - ADMX_WinCal/TurnOffWinCal_1 -
    -
    - ADMX_WinCal/TurnOffWinCal_2 -
    -
    - -### ADMX_WindowsConnectNow policies - -
    -
    - ADMX_WindowsConnectNow/WCN_DisableWcnUi_1 -
    -
    - ADMX_WindowsConnectNow/WCN_DisableWcnUi_2 -
    -
    - ADMX_WindowsConnectNow/WCN_EnableRegistrar -
    -
    - - -### ADMX_WindowsExplorer policies - -
    -
    - ADMX_WindowsExplorer/CheckSameSourceAndTargetForFRAndDFS -
    -
    - ADMX_WindowsExplorer/ClassicShell -
    -
    - ADMX_WindowsExplorer/ConfirmFileDelete -
    -
    - ADMX_WindowsExplorer/DefaultLibrariesLocation -
    -
    - ADMX_WindowsExplorer/DisableBindDirectlyToPropertySetStorage -
    -
    - ADMX_WindowsExplorer/DisableIndexedLibraryExperience -
    -
    - ADMX_WindowsExplorer/DisableKnownFolders -
    -
    - ADMX_WindowsExplorer/DisableSearchBoxSuggestions -
    -
    - ADMX_WindowsExplorer/EnableShellShortcutIconRemotePath -
    -
    - ADMX_WindowsExplorer/EnableSmartScreen -
    -
    - ADMX_WindowsExplorer/EnforceShellExtensionSecurity -
    -
    - ADMX_WindowsExplorer/ExplorerRibbonStartsMinimized -
    -
    - ADMX_WindowsExplorer/HideContentViewModeSnippets -
    -
    - ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Internet -
    -
    - ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_InternetLockdown -
    -
    - ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Intranet -
    -
    - ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_IntranetLockdown -
    -
    - ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_LocalMachine -
    -
    - ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_LocalMachineLockdown -
    -
    - ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Restricted -
    -
    - ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_RestrictedLockdown -
    -
    - ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Trusted -
    -
    - ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_TrustedLockdown -
    -
    - ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Internet -
    -
    - ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_InternetLockdown -
    -
    - ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Intranet -
    -
    - ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_IntranetLockdown -
    -
    - ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_LocalMachine -
    -
    - ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_LocalMachineLockdown -
    -
    - ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Restricted -
    -
    - ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_RestrictedLockdown -
    -
    - ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Trusted -
    -
    - ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_TrustedLockdown -
    -
    - ADMX_WindowsExplorer/LinkResolveIgnoreLinkInfo -
    -
    - ADMX_WindowsExplorer/MaxRecentDocs -
    -
    - ADMX_WindowsExplorer/NoBackButton -
    -
    - ADMX_WindowsExplorer/NoCDBurning -
    -
    - ADMX_WindowsExplorer/NoCacheThumbNailPictures -
    -
    - ADMX_WindowsExplorer/NoChangeAnimation -
    -
    - ADMX_WindowsExplorer/NoChangeKeyboardNavigationIndicators -
    -
    - ADMX_WindowsExplorer/NoDFSTab -
    -
    - ADMX_WindowsExplorer/NoDrives -
    -
    - ADMX_WindowsExplorer/NoEntireNetwork -
    -
    - ADMX_WindowsExplorer/NoFileMRU -
    -
    - ADMX_WindowsExplorer/NoFileMenu -
    -
    - ADMX_WindowsExplorer/NoFolderOptions -
    -
    - ADMX_WindowsExplorer/NoHardwareTab -
    -
    - ADMX_WindowsExplorer/NoManageMyComputerVerb -
    -
    - ADMX_WindowsExplorer/NoMyComputerSharedDocuments -
    -
    - ADMX_WindowsExplorer/NoNetConnectDisconnect -
    -
    - ADMX_WindowsExplorer/NoNewAppAlert -
    -
    - ADMX_WindowsExplorer/NoPlacesBar -
    -
    - ADMX_WindowsExplorer/NoRecycleFiles -
    -
    - ADMX_WindowsExplorer/NoRunAsInstallPrompt -
    -
    - ADMX_WindowsExplorer/NoSearchInternetTryHarderButton -
    -
    - ADMX_WindowsExplorer/NoSecurityTab -
    -
    - ADMX_WindowsExplorer/NoShellSearchButton -
    -
    - ADMX_WindowsExplorer/NoStrCmpLogical -
    -
    - ADMX_WindowsExplorer/NoViewContextMenu -
    -
    - ADMX_WindowsExplorer/NoViewOnDrive -
    -
    - ADMX_WindowsExplorer/NoWindowsHotKeys -
    -
    - ADMX_WindowsExplorer/NoWorkgroupContents -
    -
    - ADMX_WindowsExplorer/PlacesBar -
    -
    - ADMX_WindowsExplorer/PromptRunasInstallNetPath -
    -
    - ADMX_WindowsExplorer/RecycleBinSize -
    -
    - ADMX_WindowsExplorer/ShellProtocolProtectedModeTitle_1 -
    -
    - ADMX_WindowsExplorer/ShellProtocolProtectedModeTitle_2 -
    -
    - ADMX_WindowsExplorer/ShowHibernateOption -
    -
    - ADMX_WindowsExplorer/ShowSleepOption -
    -
    - ADMX_WindowsExplorer/TryHarderPinnedLibrary -
    -
    - ADMX_WindowsExplorer/TryHarderPinnedOpenSearch -
    -
    - -### ADMX_WindowsMediaDRM policies - -
    -
    - ADMX_WindowsMediaDRM/DisableOnline -
    -
    - -### ADMX_WindowsMediaPlayer policies - -
    -
    - ADMX_WindowsMediaPlayer/ConfigureHTTPProxySettings -
    -
    - ADMX_WindowsMediaPlayer/ConfigureMMSProxySettings -
    -
    - ADMX_WindowsMediaPlayer/ConfigureRTSPProxySettings -
    -
    - ADMX_WindowsMediaPlayer/DisableAutoUpdate -
    -
    - ADMX_WindowsMediaPlayer/DisableNetworkSettings -
    -
    - ADMX_WindowsMediaPlayer/DisableSetupFirstUseConfiguration -
    -
    - ADMX_WindowsMediaPlayer/DoNotShowAnchor -
    -
    - ADMX_WindowsMediaPlayer/DontUseFrameInterpolation -
    -
    - ADMX_WindowsMediaPlayer/EnableScreenSaver -
    -
    - ADMX_WindowsMediaPlayer/HidePrivacyTab -
    -
    - ADMX_WindowsMediaPlayer/HideSecurityTab -
    -
    - ADMX_WindowsMediaPlayer/NetworkBuffering -
    -
    - ADMX_WindowsMediaPlayer/PolicyCodecUpdate -
    -
    - ADMX_WindowsMediaPlayer/PreventCDDVDMetadataRetrieval -
    -
    - ADMX_WindowsMediaPlayer/PreventLibrarySharing -
    -
    - ADMX_WindowsMediaPlayer/PreventMusicFileMetadataRetrieval -
    -
    - ADMX_WindowsMediaPlayer/PreventQuickLaunchShortcut -
    -
    - ADMX_WindowsMediaPlayer/PreventRadioPresetsRetrieval -
    -
    - ADMX_WindowsMediaPlayer/PreventWMPDeskTopShortcut -
    -
    - ADMX_WindowsMediaPlayer/SkinLockDown -
    -
    - ADMX_WindowsMediaPlayer/WindowsStreamingMediaProtocols -
    -
    - - -### ADMX_WindowsRemoteManagement policies - -
    -
    - ADMX_WindowsRemoteManagement/DisallowKerberos_1 -
    -
    - ADMX_WindowsRemoteManagement/DisallowKerberos_2 -
    -
    - -### ADMX_WindowsStore policies - -
    -
    - ADMX_WindowsStore/DisableAutoDownloadWin8 -
    -
    - ADMX_WindowsStore/DisableOSUpgrade_1 -
    -
    - ADMX_WindowsStore/DisableOSUpgrade_2 -
    -
    - ADMX_WindowsStore/RemoveWindowsStore_1 -
    -
    - ADMX_WindowsStore/RemoveWindowsStore_2 -
    -
    - -### ADMX_WinInit policies - -
    -
    - ADMX_WinInit/DisableNamedPipeShutdownPolicyDescription -
    -
    - ADMX_WinInit/Hiberboot -
    -
    - ADMX_WinInit/ShutdownTimeoutHungSessionsDescription -
    -
    - -### ADMX_WinLogon policies - -
    -
    - ADMX_WinLogon/CustomShell -
    -
    - ADMX_WinLogon/DisplayLastLogonInfoDescription -
    -
    - ADMX_WinLogon/LogonHoursNotificationPolicyDescription -
    -
    - ADMX_WinLogon/LogonHoursPolicyDescription -
    -
    - ADMX_WinLogon/ReportCachedLogonPolicyDescription -
    -
    - ADMX_WinLogon/SoftwareSASGeneration -
    -
    - -### ADMX_Winsrv policies - -
    -
    - ADMX_Winsrv/AllowBlockingAppsAtShutdown -
    -
    - -### ADMX_wlansvc policies - -
    -
    - ADMX_wlansvc/SetCost -
    -
    - ADMX_wlansvc/SetPINEnforced -
    -
    - ADMX_wlansvc/SetPINPreferred -
    -
    - -### ADMX_WordWheel policies - -
    -
    - ADMX_WordWheel/CustomSearch -
    -
    - -### ADMX_WorkFoldersClient policies - -
    -
    - ADMX_WorkFoldersClient/Pol_UserEnableTokenBroker -
    -
    - ADMX_WorkFoldersClient/Pol_UserEnableWorkFolders -
    -
    - ADMX_WorkFoldersClient/Pol_MachineEnableWorkFolders -
    -
    - -### ADMX_WPN policies - -
    -
    - ADMX_WPN/NoCallsDuringQuietHours -
    -
    - ADMX_WPN/NoLockScreenToastNotification -
    -
    - ADMX_WPN/NoQuietHours -
    -
    - ADMX_WPN/NoToastNotification -
    -
    - ADMX_WPN/QuietHoursDailyBeginMinute -
    -
    - ADMX_WPN/QuietHoursDailyEndMinute -
    -
    - -### ApplicationDefaults policies - -
    -
    - ApplicationDefaults/DefaultAssociationsConfiguration -
    -
    - ApplicationDefaults/EnableAppUriHandlers -
    -
    - -### ApplicationManagement policies - -
    -
    - ApplicationManagement/AllowAllTrustedApps -
    -
    - ApplicationManagement/AllowAppStoreAutoUpdate -
    -
    - ApplicationManagement/AllowDeveloperUnlock -
    -
    - ApplicationManagement/AllowGameDVR -
    -
    - ApplicationManagement/AllowSharedUserAppData -
    -
    - ApplicationManagement/BlockNonAdminUserInstall -
    -
    - ApplicationManagement/DisableStoreOriginatedApps -
    -
    - ApplicationManagement/LaunchAppAfterLogOn -
    -
    - ApplicationManagement/MSIAllowUserControlOverInstall -
    -
    - ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges -
    -
    - ApplicationManagement/RequirePrivateStoreOnly -
    -
    - ApplicationManagement/RestrictAppDataToSystemVolume -
    -
    - ApplicationManagement/RestrictAppToSystemVolume -
    -
    - ApplicationManagement/ScheduleForceRestartForUpdateFailures -
    -
    - -### AppRuntime policies - -
    -
    - AppRuntime/AllowMicrosoftAccountsToBeOptional -
    -
    - -### AppVirtualization policies - -
    -
    - AppVirtualization/AllowAppVClient -
    -
    - AppVirtualization/AllowDynamicVirtualization -
    -
    - AppVirtualization/AllowPackageCleanup -
    -
    - AppVirtualization/AllowPackageScripts -
    -
    - AppVirtualization/AllowPublishingRefreshUX -
    -
    - AppVirtualization/AllowReportingServer -
    -
    - AppVirtualization/AllowRoamingFileExclusions -
    -
    - AppVirtualization/AllowRoamingRegistryExclusions -
    -
    - AppVirtualization/AllowStreamingAutoload -
    -
    - AppVirtualization/ClientCoexistenceAllowMigrationmode -
    -
    - AppVirtualization/IntegrationAllowRootGlobal -
    -
    - AppVirtualization/IntegrationAllowRootUser -
    -
    - AppVirtualization/PublishingAllowServer1 -
    -
    - AppVirtualization/PublishingAllowServer2 -
    -
    - AppVirtualization/PublishingAllowServer3 -
    -
    - AppVirtualization/PublishingAllowServer4 -
    -
    - AppVirtualization/PublishingAllowServer5 -
    -
    - AppVirtualization/StreamingAllowCertificateFilterForClient_SSL -
    -
    - AppVirtualization/StreamingAllowHighCostLaunch -
    -
    - AppVirtualization/StreamingAllowLocationProvider -
    -
    - AppVirtualization/StreamingAllowPackageInstallationRoot -
    -
    - AppVirtualization/StreamingAllowPackageSourceRoot -
    -
    - AppVirtualization/StreamingAllowReestablishmentInterval -
    -
    - AppVirtualization/StreamingAllowReestablishmentRetries -
    -
    - AppVirtualization/StreamingSharedContentStoreMode -
    -
    - AppVirtualization/StreamingSupportBranchCache -
    -
    - AppVirtualization/StreamingVerifyCertificateRevocationList -
    -
    - AppVirtualization/VirtualComponentsAllowList -
    -
    - -### AttachmentManager policies - -
    -
    - AttachmentManager/DoNotPreserveZoneInformation -
    -
    - AttachmentManager/HideZoneInfoMechanism -
    -
    - AttachmentManager/NotifyAntivirusPrograms -
    -
    - -### Audit policies - -
    -
    - Audit/AccountLogonLogoff_AuditAccountLockout -
    -
    - Audit/AccountLogonLogoff_AuditGroupMembership -
    -
    - Audit/AccountLogonLogoff_AuditIPsecExtendedMode -
    -
    - Audit/AccountLogonLogoff_AuditIPsecMainMode -
    -
    - Audit/AccountLogonLogoff_AuditIPsecQuickMode -
    -
    - Audit/AccountLogonLogoff_AuditLogoff -
    -
    - Audit/AccountLogonLogoff_AuditLogon -
    -
    - Audit/AccountLogonLogoff_AuditNetworkPolicyServer -
    -
    - Audit/AccountLogonLogoff_AuditOtherLogonLogoffEvents -
    -
    - Audit/AccountLogonLogoff_AuditSpecialLogon -
    -
    - Audit/AccountLogonLogoff_AuditUserDeviceClaims -
    -
    - Audit/AccountLogon_AuditCredentialValidation -
    -
    - Audit/AccountLogon_AuditKerberosAuthenticationService -
    -
    - Audit/AccountLogon_AuditKerberosServiceTicketOperations -
    -
    - Audit/AccountLogon_AuditOtherAccountLogonEvents -
    -
    - Audit/AccountManagement_AuditApplicationGroupManagement -
    -
    - Audit/AccountManagement_AuditComputerAccountManagement -
    -
    - Audit/AccountManagement_AuditDistributionGroupManagement -
    -
    - Audit/AccountManagement_AuditOtherAccountManagementEvents -
    -
    - Audit/AccountManagement_AuditSecurityGroupManagement -
    -
    - Audit/AccountManagement_AuditUserAccountManagement -
    -
    - Audit/DSAccess_AuditDetailedDirectoryServiceReplication -
    -
    - Audit/DSAccess_AuditDirectoryServiceAccess -
    -
    - Audit/DSAccess_AuditDirectoryServiceChanges -
    -
    - Audit/DSAccess_AuditDirectoryServiceReplication -
    -
    - Audit/DetailedTracking_AuditDPAPIActivity -
    -
    - Audit/DetailedTracking_AuditPNPActivity -
    -
    - Audit/DetailedTracking_AuditProcessCreation -
    -
    - Audit/DetailedTracking_AuditProcessTermination -
    -
    - Audit/DetailedTracking_AuditRPCEvents -
    -
    - Audit/DetailedTracking_AuditTokenRightAdjusted -
    -
    - Audit/ObjectAccess_AuditApplicationGenerated -
    -
    - Audit/ObjectAccess_AuditCentralAccessPolicyStaging -
    -
    - Audit/ObjectAccess_AuditCertificationServices -
    -
    - Audit/ObjectAccess_AuditDetailedFileShare -
    -
    - Audit/ObjectAccess_AuditFileShare -
    -
    - Audit/ObjectAccess_AuditFileSystem -
    -
    - Audit/ObjectAccess_AuditFilteringPlatformConnection -
    -
    - Audit/ObjectAccess_AuditFilteringPlatformPacketDrop -
    -
    - Audit/ObjectAccess_AuditHandleManipulation -
    -
    - Audit/ObjectAccess_AuditKernelObject -
    -
    - Audit/ObjectAccess_AuditOtherObjectAccessEvents -
    -
    - Audit/ObjectAccess_AuditRegistry -
    -
    - Audit/ObjectAccess_AuditRemovableStorage -
    -
    - Audit/ObjectAccess_AuditSAM -
    -
    - Audit/PolicyChange_AuditAuthenticationPolicyChange -
    -
    - Audit/PolicyChange_AuditAuthorizationPolicyChange -
    -
    - Audit/PolicyChange_AuditFilteringPlatformPolicyChange -
    -
    - Audit/PolicyChange_AuditMPSSVCRuleLevelPolicyChange -
    -
    - Audit/PolicyChange_AuditOtherPolicyChangeEvents -
    -
    - Audit/PolicyChange_AuditPolicyChange -
    -
    - Audit/PrivilegeUse_AuditNonSensitivePrivilegeUse -
    -
    - Audit/PrivilegeUse_AuditOtherPrivilegeUseEvents -
    -
    - Audit/PrivilegeUse_AuditSensitivePrivilegeUse -
    -
    - Audit/System_AuditIPsecDriver -
    -
    - Audit/System_AuditOtherSystemEvents -
    -
    - Audit/System_AuditSecurityStateChange -
    -
    - Audit/System_AuditSecuritySystemExtension -
    -
    - Audit/System_AuditSystemIntegrity -
    -
    - -### Authentication policies - -
    -
    - Authentication/AllowAadPasswordReset -
    -
    - Authentication/AllowEAPCertSSO -
    -
    - Authentication/AllowFastReconnect -
    -
    - Authentication/AllowFidoDeviceSignon -
    -
    - Authentication/AllowSecondaryAuthenticationDevice -
    -
    - Authentication/EnableFastFirstSignIn (Preview mode only) -
    -
    - Authentication/EnableWebSignIn (Preview mode only) -
    -
    - Authentication/PreferredAadTenantDomainName -
    -
    - -### Autoplay policies - -
    -
    - Autoplay/DisallowAutoplayForNonVolumeDevices -
    -
    - Autoplay/SetDefaultAutoRunBehavior -
    -
    - Autoplay/TurnOffAutoPlay -
    -
    - -### BitLocker policies - -
    -
    - BitLocker/EncryptionMethod -
    -
    - -### BITS policies - -
    -
    - BITS/BandwidthThrottlingEndTime -
    -
    - BITS/BandwidthThrottlingStartTime -
    -
    - BITS/BandwidthThrottlingTransferRate -
    -
    - BITS/CostedNetworkBehaviorBackgroundPriority -
    -
    - BITS/CostedNetworkBehaviorForegroundPriority -
    -
    - BITS/JobInactivityTimeout -
    -
    - -### Bluetooth policies - -
    -
    - Bluetooth/AllowAdvertising -
    -
    - Bluetooth/AllowDiscoverableMode -
    -
    - Bluetooth/AllowPrepairing -
    -
    - Bluetooth/AllowPromptedProximalConnections -
    -
    - Bluetooth/LocalDeviceName -
    -
    - Bluetooth/ServicesAllowedList -
    -
    - Bluetooth/SetMinimumEncryptionKeySize -
    -
    - -### Browser policies - -
    -
    - Browser/AllowAddressBarDropdown -
    -
    - Browser/AllowAutofill -
    -
    - Browser/AllowConfigurationUpdateForBooksLibrary -
    -
    - Browser/AllowCookies -
    -
    - Browser/AllowDeveloperTools -
    -
    - Browser/AllowDoNotTrack -
    -
    - Browser/AllowExtensions -
    -
    - Browser/AllowFlash -
    -
    - Browser/AllowFlashClickToRun -
    -
    - Browser/AllowFullScreenMode -
    -
    - Browser/AllowInPrivate -
    -
    - Browser/AllowMicrosoftCompatibilityList -
    -
    - Browser/AllowPasswordManager -
    -
    - Browser/AllowPopups -
    -
    - Browser/AllowPrelaunch -
    -
    - Browser/AllowPrinting -
    -
    - Browser/AllowSavingHistory -
    -
    - Browser/AllowSearchEngineCustomization -
    -
    - Browser/AllowSearchSuggestionsinAddressBar -
    -
    - Browser/AllowSideloadingOfExtensions -
    -
    - Browser/AllowSmartScreen -
    -
    - Browser/AllowTabPreloading -
    -
    - Browser/AllowWebContentOnNewTabPage -
    -
    - Browser/AlwaysEnableBooksLibrary -
    -
    - Browser/ClearBrowsingDataOnExit -
    -
    - Browser/ConfigureAdditionalSearchEngines -
    -
    - Browser/ConfigureFavoritesBar -
    -
    - Browser/ConfigureHomeButton -
    -
    - Browser/ConfigureKioskMode -
    -
    - Browser/ConfigureKioskResetAfterIdleTimeout -
    -
    - Browser/ConfigureOpenMicrosoftEdgeWith -
    -
    - Browser/ConfigureTelemetryForMicrosoft365Analytics -
    -
    - Browser/DisableLockdownOfStartPages -
    -
    - Browser/EnableExtendedBooksTelemetry -
    -
    - Browser/EnterpriseModeSiteList -
    -
    - Browser/EnterpriseSiteListServiceUrl -
    -
    - Browser/HomePages -
    -
    - Browser/LockdownFavorites -
    -
    - Browser/PreventAccessToAboutFlagsInMicrosoftEdge -
    -
    - Browser/PreventCertErrorOverrides -
    -
    - Browser/PreventFirstRunPage -
    -
    - Browser/PreventLiveTileDataCollection -
    -
    - Browser/PreventSmartScreenPromptOverride -
    -
    - Browser/PreventSmartScreenPromptOverrideForFiles -
    -
    - Browser/PreventUsingLocalHostIPAddressForWebRTC -
    -
    - Browser/ProvisionFavorites -
    -
    - Browser/SendIntranetTraffictoInternetExplorer -
    -
    - Browser/SetDefaultSearchEngine -
    -
    - Browser/SetHomeButtonURL -
    -
    - Browser/SetNewTabPageURL -
    -
    - Browser/ShowMessageWhenOpeningSitesInInternetExplorer -
    -
    - Browser/SyncFavoritesBetweenIEAndMicrosoftEdge -
    -
    - Browser/UnlockHomeButton -
    -
    - Browser/UseSharedFolderForBooks -
    -
    - -### Camera policies - -
    -
    - Camera/AllowCamera -
    -
    - -### Cellular policies - -
    -
    - Cellular/LetAppsAccessCellularData -
    -
    - Cellular/LetAppsAccessCellularData_ForceAllowTheseApps -
    -
    - Cellular/LetAppsAccessCellularData_ForceDenyTheseApps -
    -
    - Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps -
    -
    - Cellular/ShowAppCellularAccessUI -
    -
    - -### Connectivity policies - -
    -
    - Connectivity/AllowBluetooth -
    -
    - Connectivity/AllowCellularData -
    -
    - Connectivity/AllowCellularDataRoaming -
    -
    - Connectivity/AllowConnectedDevices -
    -
    - Connectivity/AllowPhonePCLinking -
    -
    - Connectivity/AllowUSBConnection -
    -
    - Connectivity/AllowVPNOverCellular -
    -
    - Connectivity/AllowVPNRoamingOverCellular -
    -
    - Connectivity/DiablePrintingOverHTTP -
    -
    - Connectivity/DisableDownloadingOfPrintDriversOverHTTP -
    -
    - Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards -
    -
    - Connectivity/DisallowNetworkConnectivityActiveTests -
    -
    - Connectivity/HardenedUNCPaths -
    -
    - Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge -
    -
    - -### ControlPolicyConflict policies - -
    -
    - ControlPolicyConflict/MDMWinsOverGP -
    -
    - -### CredentialProviders policies - -
    -
    - CredentialProviders/AllowPINLogon -
    -
    - CredentialProviders/BlockPicturePassword -
    -
    - CredentialProviders/DisableAutomaticReDeploymentCredentials -
    -
    - -### CredentialsDelegation policies - -
    -
    - CredentialsDelegation/RemoteHostAllowsDelegationOfNonExportableCredentials -
    -
    - -### CredentialsUI policies - -
    -
    - CredentialsUI/DisablePasswordReveal -
    -
    - CredentialsUI/EnumerateAdministrators -
    -
    - -### Cryptography policies - -
    -
    - Cryptography/AllowFipsAlgorithmPolicy -
    -
    - Cryptography/TLSCipherSuites -
    -
    - -### DataProtection policies - -
    -
    - DataProtection/AllowDirectMemoryAccess -
    -
    - DataProtection/LegacySelectiveWipeID -
    -
    - -### DataUsage policies - -
    -
    - DataUsage/SetCost3G -
    -
    - DataUsage/SetCost4G -
    -
    - -### Defender policies - -
    -
    - Defender/AllowArchiveScanning -
    -
    - Defender/AllowBehaviorMonitoring -
    -
    - Defender/AllowCloudProtection -
    -
    - Defender/AllowEmailScanning -
    -
    - Defender/AllowFullScanOnMappedNetworkDrives -
    -
    - Defender/AllowFullScanRemovableDriveScanning -
    -
    - Defender/AllowIOAVProtection -
    -
    - Defender/AllowOnAccessProtection -
    -
    - Defender/AllowRealtimeMonitoring -
    -
    - Defender/AllowScanningNetworkFiles -
    -
    - Defender/AllowScriptScanning -
    -
    - Defender/AllowUserUIAccess -
    -
    - Defender/AttackSurfaceReductionOnlyExclusions -
    -
    - Defender/AttackSurfaceReductionRules -
    -
    - Defender/AvgCPULoadFactor -
    -
    - Defender/CheckForSignaturesBeforeRunningScan -
    -
    - Defender/CloudBlockLevel -
    -
    - Defender/CloudExtendedTimeout -
    -
    - Defender/ControlledFolderAccessAllowedApplications -
    -
    - Defender/ControlledFolderAccessProtectedFolders -
    -
    - Defender/DaysToRetainCleanedMalware -
    -
    - Defender/DisableCatchupFullScan -
    -
    - Defender/DisableCatchupQuickScan -
    -
    - Defender/EnableControlledFolderAccess -
    -
    - Defender/EnableLowCPUPriority -
    -
    - Defender/EnableNetworkProtection -
    -
    - Defender/ExcludedExtensions -
    -
    - Defender/ExcludedPaths -
    -
    - Defender/ExcludedProcesses -
    -
    - Defender/PUAProtection -
    -
    - Defender/RealTimeScanDirection -
    -
    - Defender/ScanParameter -
    -
    - Defender/ScheduleQuickScanTime -
    -
    - Defender/ScheduleScanDay -
    -
    - Defender/ScheduleScanTime -
    -
    - Defender/SignatureUpdateFallbackOrder -
    -
    - Defender/SignatureUpdateFileSharesSources -
    -
    - Defender/SignatureUpdateInterval -
    -
    - Defender/SubmitSamplesConsent -
    -
    - Defender/ThreatSeverityDefaultAction -
    -
    - -### DeliveryOptimization policies - -
    -
    - DeliveryOptimization/DOAbsoluteMaxCacheSize -
    -
    - DeliveryOptimization/DOAllowVPNPeerCaching -
    -
    - DeliveryOptimization/DOCacheHost -
    -
    - DeliveryOptimization/DOCacheHostSource -
    -
    - DeliveryOptimization/DODelayBackgroundDownloadFromHttp -
    -
    - DeliveryOptimization/DODelayForegroundDownloadFromHttp -
    -
    - DeliveryOptimization/DODelayCacheServerFallbackBackground -
    -
    - DeliveryOptimization/DODelayCacheServerFallbackForeground -
    -
    - DeliveryOptimization/DODownloadMode -
    -
    - DeliveryOptimization/DOGroupId -
    -
    - DeliveryOptimization/DOGroupIdSource -
    -
    - DeliveryOptimization/DOMaxBackgroundDownloadBandwidth -
    -
    - DeliveryOptimization/DOMaxCacheAge -
    -
    - DeliveryOptimization/DOMaxCacheSize -
    -
    - DeliveryOptimization/DOMaxDownloadBandwidth (deprecated) -
    -
    - DeliveryOptimization/DOMaxForegroundDownloadBandwidth -
    -
    - DeliveryOptimization/DOMaxUploadBandwidth (deprecated) -
    -
    - DeliveryOptimization/DOMinBackgroundQos -
    -
    - DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload -
    -
    - DeliveryOptimization/DOMinDiskSizeAllowedToPeer -
    -
    - DeliveryOptimization/DOMinFileSizeToCache -
    -
    - DeliveryOptimization/DOMinRAMAllowedToPeer -
    -
    - DeliveryOptimization/DOModifyCacheDrive -
    -
    - DeliveryOptimization/DOMonthlyUploadDataCap -
    -
    - DeliveryOptimization/DOPercentageMaxBackgroundBandwidth -
    -
    - DeliveryOptimization/DOPercentageMaxDownloadBandwidth (deprecated) -
    -
    - DeliveryOptimization/DOPercentageMaxForegroundBandwidth -
    -
    - DeliveryOptimization/DORestrictPeerSelectionBy -
    -
    - DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth -
    -
    - DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth -
    -
    - -### Desktop policies - -
    -
    - Desktop/PreventUserRedirectionOfProfileFolders -
    -
    - -### DesktopAppInstaller policies -
    -
    - DesktopAppInstaller/EnableAdditionalSources -
    -
    - DesktopAppInstaller/EnableAppInstaller -
    -
    - DesktopAppInstaller/EnableDefaultSource -
    -
    - DesktopAppInstaller/EnableLocalManifestFiles -
    -
    - DesktopAppInstaller/EnableHashOverride -
    -
    - DesktopAppInstaller/EnableMicrosoftStoreSource -
    -
    - DesktopAppInstaller/EnableMSAppInstallerProtocol -
    -
    - DesktopAppInstaller/EnableSettings -
    -
    - DesktopAppInstaller/EnableAllowedSources -
    -
    - DesktopAppInstaller/EnableExperimentalFeatures -
    -
    - DesktopAppInstaller/SourceAutoUpdateInterval -
    -
    - -### DeviceGuard policies - -
    -
    - DeviceGuard/ConfigureSystemGuardLaunch -
    -
    - DeviceGuard/EnableVirtualizationBasedSecurity -
    -
    - DeviceGuard/LsaCfgFlags -
    -
    - DeviceGuard/RequirePlatformSecurityFeatures -
    -
    - -### DeviceHealthMonitoring policies - -
    -
    - DeviceHealthMonitoring/AllowDeviceHealthMonitoring -
    -
    - DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope -
    -
    - DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination -
    -
    - -### DeviceInstallation policies - -
    -
    - DeviceInstallation/AllowInstallationOfMatchingDeviceIDs -
    -
    - DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses -
    -
    - DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs -
    -
    - DeviceInstallation/PreventDeviceMetadataFromNetwork -
    -
    - DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings -
    -
    - DeviceInstallation/PreventInstallationOfMatchingDeviceIDs -
    -
    - DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs -
    -
    - DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses -
    -
    - -### DeviceLock policies - -
    -
    - DeviceLock/AllowIdleReturnWithoutPassword -
    -
    - DeviceLock/AllowSimpleDevicePassword -
    -
    - DeviceLock/AlphanumericDevicePasswordRequired -
    -
    - DeviceLock/DevicePasswordEnabled -
    -
    - DeviceLock/DevicePasswordExpiration -
    -
    - DeviceLock/DevicePasswordHistory -
    -
    - DeviceLock/EnforceLockScreenAndLogonImage -
    -
    - DeviceLock/MaxDevicePasswordFailedAttempts -
    -
    - DeviceLock/MaxInactivityTimeDeviceLock -
    -
    - DeviceLock/MinDevicePasswordComplexCharacters -
    -
    - DeviceLock/MinDevicePasswordLength -
    -
    - DeviceLock/MinimumPasswordAge -
    -
    - DeviceLock/PreventEnablingLockScreenCamera -
    -
    - DeviceLock/PreventLockScreenSlideShow -
    -
    - -### Display policies - -
    -
    - Display/DisablePerProcessDpiForApps -
    -
    - Display/EnablePerProcessDpi -
    -
    - Display/EnablePerProcessDpiForApps -
    -
    - Display/TurnOffGdiDPIScalingForApps -
    -
    - Display/TurnOnGdiDPIScalingForApps -
    -
    - -### DmaGuard policies - -
    -
    - DmaGuard/DeviceEnumerationPolicy -
    -
    - -### EAP policies - -
    -
    - EAP/AllowTLS1_3 -
    -
    - -### Education policies - -
    -
    - Education/AllowGraphingCalculator -
    -
    - Education/DefaultPrinterName -
    -
    - Education/PreventAddingNewPrinters -
    -
    - Education/PrinterNames -
    -
    - -### EnterpriseCloudPrint policies - -
    -
    - EnterpriseCloudPrint/CloudPrintOAuthAuthority -
    -
    - EnterpriseCloudPrint/CloudPrintOAuthClientId -
    -
    - EnterpriseCloudPrint/CloudPrintResourceId -
    -
    - EnterpriseCloudPrint/CloudPrinterDiscoveryEndPoint -
    -
    - EnterpriseCloudPrint/DiscoveryMaxPrinterLimit -
    -
    - EnterpriseCloudPrint/MopriaDiscoveryResourceId -
    -
    - -### ErrorReporting policies - -
    -
    - ErrorReporting/CustomizeConsentSettings -
    -
    - ErrorReporting/DisableWindowsErrorReporting -
    -
    - ErrorReporting/DisplayErrorNotification -
    -
    - ErrorReporting/DoNotSendAdditionalData -
    -
    - ErrorReporting/PreventCriticalErrorDisplay -
    -
    - -### EventLogService policies - -
    -
    - EventLogService/ControlEventLogBehavior -
    -
    - EventLogService/SpecifyMaximumFileSizeApplicationLog -
    -
    - EventLogService/SpecifyMaximumFileSizeSecurityLog -
    -
    - EventLogService/SpecifyMaximumFileSizeSystemLog -
    -
    - -### Experience policies - -
    -
    - Experience/AllowClipboardHistory -
    -
    - Experience/AllowCortana -
    -
    - Experience/AllowDeviceDiscovery -
    -
    - Experience/AllowFindMyDevice -
    -
    - Experience/AllowManualMDMUnenrollment -
    -
    - Experience/AllowSaveAsOfOfficeFiles -
    -
    - Experience/AllowSharingOfOfficeFiles -
    -
    - Experience/AllowSyncMySettings -
    -
    - Experience/AllowSpotlightCollection -
    -
    - Experience/AllowTailoredExperiencesWithDiagnosticData -
    -
    - Experience/AllowThirdPartySuggestionsInWindowsSpotlight -
    -
    - Experience/AllowWindowsConsumerFeatures -
    -
    - Experience/AllowWindowsSpotlight -
    -
    - Experience/AllowWindowsSpotlightOnActionCenter -
    -
    - Experience/AllowWindowsSpotlightOnSettings -
    -
    - Experience/AllowWindowsSpotlightWindowsWelcomeExperience -
    -
    - Experience/AllowWindowsTips -
    -
    - Experience/ConfigureWindowsSpotlightOnLockScreen -
    -
    - Experience/DisableCloudOptimizedContent -
    -
    - Experience/DoNotShowFeedbackNotifications -
    -
    - Experience/DoNotSyncBrowserSettings -
    -
    - Experience/PreventUsersFromTurningOnBrowserSyncing -
    -
    - Experience/ShowLockOnUserTile -
    -
    - -### ExploitGuard policies - -
    -
    - ExploitGuard/ExploitProtectionSettings -
    -
    - -### FederatedAuthentication policies - -
    -
    - FederatedAuthentication/EnableWebSignInForPrimaryUser -
    -
    - -### Feeds policies -
    -
    - Feeds/FeedsEnabled -
    -
    - -### FileExplorer policies - -
    -
    - FileExplorer/TurnOffDataExecutionPreventionForExplorer -
    -
    - FileExplorer/TurnOffHeapTerminationOnCorruption -
    -
    - -### Games policies - -
    -
    - Games/AllowAdvancedGamingServices -
    -
    - -### Handwriting policies - -
    -
    - Handwriting/PanelDefaultModeDocked -
    -
    - -### HumanPresence policies - -
    -
    - HumanPresence/ForceInstantLock -
    -
    - HumanPresence/ForceInstantWake -
    -
    - HumanPresence/ForceLockTimeout -
    -
    - -### InternetExplorer policies - -
    -
    - InternetExplorer/AddSearchProvider -
    -
    - InternetExplorer/AllowActiveXFiltering -
    -
    - InternetExplorer/AllowAddOnList -
    -
    - InternetExplorer/AllowAutoComplete -
    -
    - InternetExplorer/AllowCertificateAddressMismatchWarning -
    -
    - InternetExplorer/AllowDeletingBrowsingHistoryOnExit -
    -
    - InternetExplorer/AllowEnhancedProtectedMode -
    -
    - InternetExplorer/AllowEnhancedSuggestionsInAddressBar -
    -
    - InternetExplorer/AllowEnterpriseModeFromToolsMenu -
    -
    - InternetExplorer/AllowEnterpriseModeSiteList -
    -
    - InternetExplorer/AllowFallbackToSSL3 -
    -
    - InternetExplorer/AllowInternetExplorer7PolicyList -
    -
    - InternetExplorer/AllowInternetExplorerStandardsMode -
    -
    - InternetExplorer/AllowInternetZoneTemplate -
    -
    - InternetExplorer/AllowIntranetZoneTemplate -
    -
    - InternetExplorer/AllowLocalMachineZoneTemplate -
    -
    - InternetExplorer/AllowLockedDownInternetZoneTemplate -
    -
    - InternetExplorer/AllowLockedDownIntranetZoneTemplate -
    -
    - InternetExplorer/AllowLockedDownLocalMachineZoneTemplate -
    -
    - InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate -
    -
    - InternetExplorer/AllowOneWordEntry -
    -
    - InternetExplorer/AllowSiteToZoneAssignmentList -
    -
    - InternetExplorer/AllowSoftwareWhenSignatureIsInvalid -
    -
    - InternetExplorer/AllowSuggestedSites -
    -
    - InternetExplorer/AllowTrustedSitesZoneTemplate -
    -
    - InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate -
    -
    - InternetExplorer/AllowsRestrictedSitesZoneTemplate -
    -
    - InternetExplorer/CheckServerCertificateRevocation -
    -
    - InternetExplorer/CheckSignaturesOnDownloadedPrograms -
    -
    - InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses -
    -
    - InternetExplorer/DisableActiveXVersionListAutoDownload -

    - InternetExplorer/DisableAdobeFlash -
    -
    - InternetExplorer/DisableBypassOfSmartScreenWarnings -
    -
    - InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles -
    -
    - InternetExplorer/DisableCompatView -
    -
    - InternetExplorer/DisableConfiguringHistory -
    -
    - InternetExplorer/DisableCrashDetection -
    -
    - InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation -
    -
    - InternetExplorer/DisableDeletingUserVisitedWebsites -
    -
    - InternetExplorer/DisableEnclosureDownloading -
    -
    - InternetExplorer/DisableEncryptionSupport -
    -
    - InternetExplorer/DisableFeedsBackgroundSync -
    -
    - InternetExplorer/DisableFirstRunWizard -
    -
    - InternetExplorer/DisableFlipAheadFeature -
    -
    - InternetExplorer/DisableGeolocation -
    -
    - InternetExplorer/DisableHomePageChange -
    -
    - InternetExplorer/DisableIgnoringCertificateErrors -
    -
    - InternetExplorer/DisableInPrivateBrowsing -
    -
    - InternetExplorer/DisableProcessesInEnhancedProtectedMode -
    -
    - InternetExplorer/DisableProxyChange -
    -
    - InternetExplorer/DisableSearchProviderChange -
    -
    - InternetExplorer/DisableSecondaryHomePageChange -
    -
    - InternetExplorer/DisableSecuritySettingsCheck -
    -
    - InternetExplorer/DisableUpdateCheck -
    -
    - InternetExplorer/DisableWebAddressAutoComplete -
    -
    - InternetExplorer/DoNotAllowActiveXControlsInProtectedMode -
    -
    - InternetExplorer/DoNotAllowUsersToAddSites -
    -
    - InternetExplorer/DoNotAllowUsersToChangePolicies -
    -
    - InternetExplorer/DoNotBlockOutdatedActiveXControls -
    -
    - InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains -
    -
    - InternetExplorer/IncludeAllLocalSites -
    -
    - InternetExplorer/IncludeAllNetworkPaths -
    -
    - InternetExplorer/InternetZoneAllowAccessToDataSources -
    -
    - InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls -
    -
    - InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads -
    -
    - InternetExplorer/InternetZoneAllowCopyPasteViaScript -
    -
    - InternetExplorer/InternetZoneAllowDragAndDropCopyAndPasteFiles -
    -
    - InternetExplorer/InternetZoneAllowFontDownloads -
    -
    - InternetExplorer/InternetZoneAllowLessPrivilegedSites -
    -
    - InternetExplorer/InternetZoneAllowLoadingOfXAMLFiles -
    -
    - InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents -
    -
    - InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls -
    -
    - InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl -
    -
    - InternetExplorer/InternetZoneAllowScriptInitiatedWindows -
    -
    - InternetExplorer/InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls -
    -
    - InternetExplorer/InternetZoneAllowScriptlets -
    -
    - InternetExplorer/InternetZoneAllowSmartScreenIE -
    -
    - InternetExplorer/InternetZoneAllowUpdatesToStatusBarViaScript -
    -
    - InternetExplorer/InternetZoneAllowUserDataPersistence -
    -
    - InternetExplorer/InternetZoneAllowVBScriptToRunInInternetExplorer -
    -
    - InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControls -
    -
    - InternetExplorer/InternetZoneDownloadSignedActiveXControls -
    -
    - InternetExplorer/InternetZoneDownloadUnsignedActiveXControls -
    -
    - InternetExplorer/InternetZoneEnableCrossSiteScriptingFilter -
    -
    - InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows -
    -
    - InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows -
    -
    - InternetExplorer/InternetZoneEnableMIMESniffing -
    -
    - InternetExplorer/InternetZoneEnableProtectedMode -
    -
    - InternetExplorer/InternetZoneIncludeLocalPathWhenUploadingFilesToServer -
    -
    - InternetExplorer/InternetZoneInitializeAndScriptActiveXControls -
    -
    - InternetExplorer/InternetZoneInitializeAndScriptActiveXControlsNotMarkedSafe -
    -
    - InternetExplorer/InternetZoneJavaPermissions -
    -
    - InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME -
    -
    - InternetExplorer/InternetZoneLogonOptions -
    -
    - InternetExplorer/InternetZoneNavigateWindowsAndFrames -
    -
    - InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode -
    -
    - InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles -
    -
    - InternetExplorer/InternetZoneUsePopupBlocker -
    -
    - InternetExplorer/IntranetZoneAllowAccessToDataSources -
    -
    - InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls -
    -
    - InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads -
    -
    - InternetExplorer/IntranetZoneAllowFontDownloads -
    -
    - InternetExplorer/IntranetZoneAllowLessPrivilegedSites -
    -
    - InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents -
    -
    - InternetExplorer/IntranetZoneAllowScriptlets -
    -
    - InternetExplorer/IntranetZoneAllowSmartScreenIE -
    -
    - InternetExplorer/IntranetZoneAllowUserDataPersistence -
    -
    - InternetExplorer/IntranetZoneDoNotRunAntimalwareAgainstActiveXControls -
    -
    - InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls -
    -
    - InternetExplorer/IntranetZoneJavaPermissions -
    -
    - InternetExplorer/IntranetZoneNavigateWindowsAndFrames -
    -
    - InternetExplorer/LocalMachineZoneAllowAccessToDataSources -
    -
    - InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls -
    -
    - InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads -
    -
    - InternetExplorer/LocalMachineZoneAllowFontDownloads -
    -
    - InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites -
    -
    - InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents -
    -
    - InternetExplorer/LocalMachineZoneAllowScriptlets -
    -
    - InternetExplorer/LocalMachineZoneAllowSmartScreenIE -
    -
    - InternetExplorer/LocalMachineZoneAllowUserDataPersistence -
    -
    - InternetExplorer/LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls -
    -
    - InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls -
    -
    - InternetExplorer/LocalMachineZoneJavaPermissions -
    -
    - InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames -
    -
    - InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources -
    -
    - InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls -
    -
    - InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads -
    -
    - InternetExplorer/LockedDownInternetZoneAllowFontDownloads -
    -
    - InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites -
    -
    - InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents -
    -
    - InternetExplorer/LockedDownInternetZoneAllowScriptlets -
    -
    - InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE -
    -
    - InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence -
    -
    - InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls -
    -
    - InternetExplorer/LockedDownInternetZoneJavaPermissions -
    -
    - InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames -
    -
    - InternetExplorer/LockedDownIntranetJavaPermissions -
    -
    - InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources -
    -
    - InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls -
    -
    - InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads -
    -
    - InternetExplorer/LockedDownIntranetZoneAllowFontDownloads -
    -
    - InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites -
    -
    - InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents -
    -
    - InternetExplorer/LockedDownIntranetZoneAllowScriptlets -
    -
    - InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE -
    -
    - InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence -
    -
    - InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls -
    -
    - InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames -
    -
    - InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources -
    -
    - InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls -
    -
    - InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads -
    -
    - InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads -
    -
    - InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites -
    -
    - InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents -
    -
    - InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets -
    -
    - InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE -
    -
    - InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence -
    -
    - InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls -
    -
    - InternetExplorer/LockedDownLocalMachineZoneJavaPermissions -
    -
    - InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames -
    -
    - InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources -
    -
    - InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls -
    -
    - InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads -
    -
    - InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads -
    -
    - InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites -
    -
    - InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents -
    -
    - InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets -
    -
    - InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE -
    -
    - InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence -
    -
    - InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls -
    -
    - InternetExplorer/LockedDownRestrictedSitesZoneJavaPermissions -
    -
    - InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames -
    -
    - InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources -
    -
    - InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls -
    -
    - InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads -
    -
    - InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads -
    -
    - InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites -
    -
    - InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents -
    -
    - InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets -
    -
    - InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE -
    -
    - InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence -
    -
    - InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls -
    -
    - InternetExplorer/LockedDownTrustedSitesZoneJavaPermissions -
    -
    - InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames -
    -
    - InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses -
    -
    - InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses -
    -
    - InternetExplorer/NewTabDefaultPage -
    -
    - InternetExplorer/NotificationBarInternetExplorerProcesses -
    -
    - InternetExplorer/PreventManagingSmartScreenFilter -
    -
    - InternetExplorer/PreventPerUserInstallationOfActiveXControls -
    -
    - InternetExplorer/ProtectionFromZoneElevationInternetExplorerProcesses -
    -
    - InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls -
    -
    - InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses -
    -
    - InternetExplorer/RestrictFileDownloadInternetExplorerProcesses -
    -
    - InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources -
    -
    - InternetExplorer/RestrictedSitesZoneAllowActiveScripting -
    -
    - InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls -
    -
    - InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads -
    -
    - InternetExplorer/RestrictedSitesZoneAllowBinaryAndScriptBehaviors -
    -
    - InternetExplorer/RestrictedSitesZoneAllowCopyPasteViaScript -
    -
    - InternetExplorer/RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles -
    -
    - InternetExplorer/RestrictedSitesZoneAllowFileDownloads -
    -
    - InternetExplorer/RestrictedSitesZoneAllowFontDownloads -
    -
    - InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites -
    -
    - InternetExplorer/RestrictedSitesZoneAllowLoadingOfXAMLFiles -
    -
    - InternetExplorer/RestrictedSitesZoneAllowMETAREFRESH -
    -
    - InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents -
    -
    - InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls -
    -
    - InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl -
    -
    - InternetExplorer/RestrictedSitesZoneAllowScriptInitiatedWindows -
    -
    - InternetExplorer/RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls -
    -
    - InternetExplorer/RestrictedSitesZoneAllowScriptlets -
    -
    - InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE -
    -
    - InternetExplorer/RestrictedSitesZoneAllowUpdatesToStatusBarViaScript -
    -
    - InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence -
    -
    - InternetExplorer/RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer -
    -
    - InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls -
    -
    - InternetExplorer/RestrictedSitesZoneDownloadSignedActiveXControls -
    -
    - InternetExplorer/RestrictedSitesZoneDownloadUnsignedActiveXControls -
    -
    - InternetExplorer/RestrictedSitesZoneEnableCrossSiteScriptingFilter -
    -
    - InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows -
    -
    - InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows -
    -
    - InternetExplorer/RestrictedSitesZoneEnableMIMESniffing -
    -
    - InternetExplorer/RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer -
    -
    - InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls -
    -
    - InternetExplorer/RestrictedSitesZoneJavaPermissions -
    -
    - InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME -
    -
    - InternetExplorer/RestrictedSitesZoneLogonOptions -
    -
    - InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames -
    -
    - InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins -
    -
    - InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode -
    -
    - InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting -
    -
    - InternetExplorer/RestrictedSitesZoneScriptingOfJavaApplets -
    -
    - InternetExplorer/RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles -
    -
    - InternetExplorer/RestrictedSitesZoneTurnOnProtectedMode -
    -
    - InternetExplorer/RestrictedSitesZoneUsePopupBlocker -
    -
    - InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses -
    -
    - InternetExplorer/SearchProviderList -
    -
    - InternetExplorer/SecurityZonesUseOnlyMachineSettings -
    -
    - InternetExplorer/SpecifyUseOfActiveXInstallerService -
    -
    - InternetExplorer/TrustedSitesZoneAllowAccessToDataSources -
    -
    - InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls -
    -
    - InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads -
    -
    - InternetExplorer/TrustedSitesZoneAllowFontDownloads -
    -
    - InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites -
    -
    - InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents -
    -
    - InternetExplorer/TrustedSitesZoneAllowScriptlets -
    -
    - InternetExplorer/TrustedSitesZoneAllowSmartScreenIE -
    -
    - InternetExplorer/TrustedSitesZoneAllowUserDataPersistence -
    -
    - InternetExplorer/TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls -
    -
    - InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls -
    -
    - InternetExplorer/TrustedSitesZoneJavaPermissions -
    -
    - InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames -
    -
    - -### Kerberos policies - -
    -
    - Kerberos/AllowForestSearchOrder -
    -
    - Kerberos/KerberosClientSupportsClaimsCompoundArmor -
    -
    - Kerberos/RequireKerberosArmoring -
    -
    - Kerberos/RequireStrictKDCValidation -
    -
    - Kerberos/SetMaximumContextTokenSize -
    -
    - Kerberos/UPNNameHints -
    -
    - -### KioskBrowser policies - -
    -
    - KioskBrowser/BlockedUrlExceptions -
    -
    - KioskBrowser/BlockedUrls -
    -
    - KioskBrowser/DefaultURL -
    -
    - KioskBrowser/EnableEndSessionButton -
    -
    - KioskBrowser/EnableHomeButton -
    -
    - KioskBrowser/EnableNavigationButtons -
    -
    - KioskBrowser/RestartOnIdleTime -
    -
    - -### LanmanWorkstation policies - -
    -
    - LanmanWorkstation/EnableInsecureGuestLogons -
    -
    - -### Language Pack Management CSP policies - -
    -
    - LanmanWorkstation/EnableInsecureGuestLogons -
    -
    - -### Licensing policies - -
    -
    - Licensing/AllowWindowsEntitlementReactivation -
    -
    - Licensing/DisallowKMSClientOnlineAVSValidation -
    -
    - -### LocalPoliciesSecurityOptions policies - -
    -
    - LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts -
    -
    - LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly -
    -
    - LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount -
    -
    - LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount -
    -
    - LocalPoliciesSecurityOptions/Devices_AllowUndockWithoutHavingToLogon -
    -
    - LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia -
    -
    - LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters -
    -
    - LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly -
    -
    - LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked -
    -
    - LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn -
    -
    - LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayUsernameAtSignIn -
    -
    - LocalPoliciesSecurityOptions/InteractiveLogon_DoNotRequireCTRLALTDEL -
    -
    - LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit -
    -
    - LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn -
    -
    - LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn -
    -
    - LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior -
    -
    - LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees -
    -
    - LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers -
    -
    - LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways -
    -
    - LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees -
    -
    - LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts -
    -
    - LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares -
    -
    - LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares -
    -
    - LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM -
    -
    - LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM -
    -
    - LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests -
    -
    - LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange -
    -
    - LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel -
    -
    - LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients -
    -
    - LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers -
    -
    - LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication -
    -
    - LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic -
    -
    - LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic -
    -
    - LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers -
    -
    - LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn -
    -
    - LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile -
    -
    - LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation -
    -
    - LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators -
    -
    - LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers -
    -
    - LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation -
    -
    - LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated -
    -
    - LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations -
    -
    - LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode -
    -
    - LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation -
    -
    - LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode -
    -
    - LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations -
    -
    - -### LocalUsersAndGroups policies - -
    -
    - LocalUsersAndGroups/Configure -
    -
    - -### LockDown policies - -
    -
    - LockDown/AllowEdgeSwipe -
    -
    - -### Maps policies - -
    -
    - Maps/AllowOfflineMapsDownloadOverMeteredConnection -
    -
    - Maps/EnableOfflineMapsAutoUpdate -
    -
    - -### MemoryDump policies - -
    -
    - MemoryDump/AllowCrashDump -
    -
    - MemoryDump/AllowLiveDump -
    -
    - -### Messaging policies - -
    -
    - Messaging/AllowMessageSync -
    -
    - -### MixedReality policies - -
    -
    - MixedReality/AADGroupMembershipCacheValidityInDays -
    -
    - MixedReality/BrightnessButtonDisabled -
    -
    - MixedReality/FallbackDiagnostics -
    -
    - MixedReality/MicrophoneDisabled -
    -
    - MixedReality/VolumeButtonDisabled -
    -
    - -### MSSecurityGuide policies - -
    -
    - MSSecurityGuide/ApplyUACRestrictionsToLocalAccountsOnNetworkLogon -
    -
    - MSSecurityGuide/ConfigureSMBV1ClientDriver -
    -
    - MSSecurityGuide/ConfigureSMBV1Server -
    -
    - MSSecurityGuide/EnableStructuredExceptionHandlingOverwriteProtection -
    -
    - MSSecurityGuide/TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications -
    -
    - MSSecurityGuide/WDigestAuthentication -
    -
    - -### MSSLegacy policies - -
    -
    - MSSLegacy/AllowICMPRedirectsToOverrideOSPFGeneratedRoutes -
    -
    - MSSLegacy/AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers -
    -
    - MSSLegacy/IPSourceRoutingProtectionLevel -
    -
    - MSSLegacy/IPv6SourceRoutingProtectionLevel -
    -
    - -### Multitasking policies - -
    -
    - Multitasking/BrowserAltTabBlowout -
    -
    - -### NetworkIsolation policies - -
    -
    - NetworkIsolation/EnterpriseCloudResources -
    -
    - NetworkIsolation/EnterpriseIPRange -
    -
    - NetworkIsolation/EnterpriseIPRangesAreAuthoritative -
    -
    - NetworkIsolation/EnterpriseInternalProxyServers -
    -
    - NetworkIsolation/EnterpriseNetworkDomainNames -
    -
    - NetworkIsolation/EnterpriseProxyServers -
    -
    - NetworkIsolation/EnterpriseProxyServersAreAuthoritative -
    -
    - NetworkIsolation/NeutralResources -
    -
    - -### NetworkListManager policies - -
    -
    - NetworkListManager/AllowedTlsAuthenticationEndpoints -
    -
    - NetworkListManager/ConfiguredTLSAuthenticationNetworkName -
    -
    -
    - -### NewsAndInterests policies - -
    -
    - NewsAndInterests/AllowNewsAndInterests -
    -
    - -### Notifications policies - -
    -
    - Notifications/DisallowCloudNotification -
    -
    - Notifications/DisallowNotificationMirroring -
    -
    - Notifications/DisallowTileNotification -
    -
    - -### Power policies - -
    -
    - Power/AllowStandbyStatesWhenSleepingOnBattery -
    -
    - Power/AllowStandbyWhenSleepingPluggedIn -
    -
    - Power/DisplayOffTimeoutOnBattery -
    -
    - Power/DisplayOffTimeoutPluggedIn -
    -
    - Power/EnergySaverBatteryThresholdOnBattery -
    -
    - Power/EnergySaverBatteryThresholdPluggedIn -
    -
    - Power/HibernateTimeoutOnBattery -
    -
    - Power/HibernateTimeoutPluggedIn -
    -
    - Power/RequirePasswordWhenComputerWakesOnBattery -
    -
    - Power/RequirePasswordWhenComputerWakesPluggedIn -
    -
    - Power/SelectLidCloseActionOnBattery -
    -
    - Power/SelectLidCloseActionPluggedIn -
    -
    - Power/SelectPowerButtonActionOnBattery -
    -
    - Power/SelectPowerButtonActionPluggedIn -
    -
    - Power/SelectSleepButtonActionOnBattery -
    -
    - Power/SelectSleepButtonActionPluggedIn -
    -
    - Power/StandbyTimeoutOnBattery -
    -
    - Power/StandbyTimeoutPluggedIn -
    -
    - Power/TurnOffHybridSleepOnBattery -
    -
    - Power/TurnOffHybridSleepPluggedIn -
    -
    - Power/UnattendedSleepTimeoutOnBattery -
    -
    - Power/UnattendedSleepTimeoutPluggedIn -
    -
    - -### Printers policies - -
    -
    - Printers/ApprovedUsbPrintDevices -
    -
    - Printers/ApprovedUsbPrintDevicesUser -
    -
    - Printers/ConfigureCopyFilesPolicy -
    -
    - Printers/ConfigureDriverValidationLevel -
    -
    - Printers/ConfigureIppPageCountsPolicy -
    -
    - Printers/ConfigureRedirectionGuardPolicy -
    -
    - Printers/ConfigureRpcConnectionPolicy -
    -
    - Printers/ConfigureRpcListenerPolicy -
    -
    - Printers/ConfigureRpcTcpPort -
    -
    - Printers/EnableDeviceControl -
    -
    - Printers/EnableDeviceControlUser -
    -
    - Printers/ManageDriverExclusionList -
    -
    - Printers/PointAndPrintRestrictions -
    -
    - Printers/PointAndPrintRestrictions_User -
    -
    - Printers/PublishPrinters -
    -
    - Printers/RestrictDriverInstallationToAdministrators -
    -
    - -### Privacy policies - -
    -
    - Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts -
    -
    - Privacy/AllowCrossDeviceClipboard -
    -
    - Privacy/AllowInputPersonalization -
    -
    - Privacy/DisableAdvertisingId -
    -
    - Privacy/DisablePrivacyExperience -
    -
    - Privacy/EnableActivityFeed -
    -
    - Privacy/LetAppsAccessAccountInfo -
    -
    - Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps -
    -
    - Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps -
    -
    - Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsAccessBackgroundSpatialPerception -
    -
    - Privacy/LetAppsAccessBackgroundSpatialPerception_ForceAllowTheseApps -
    -
    - Privacy/LetAppsAccessBackgroundSpatialPerception_ForceDenyTheseApps -
    -
    - Privacy/LetAppsAccessBackgroundSpatialPerception_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsAccessCalendar -
    -
    - Privacy/LetAppsAccessCalendar_ForceAllowTheseApps -
    -
    - Privacy/LetAppsAccessCalendar_ForceDenyTheseApps -
    -
    - Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsAccessCallHistory -
    -
    - Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps -
    -
    - Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps -
    -
    - Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsAccessCamera -
    -
    - Privacy/LetAppsAccessCamera_ForceAllowTheseApps -
    -
    - Privacy/LetAppsAccessCamera_ForceDenyTheseApps -
    -
    - Privacy/LetAppsAccessCamera_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsAccessContacts -
    -
    - Privacy/LetAppsAccessContacts_ForceAllowTheseApps -
    -
    - Privacy/LetAppsAccessContacts_ForceDenyTheseApps -
    -
    - Privacy/LetAppsAccessContacts_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsAccessEmail -
    -
    - Privacy/LetAppsAccessEmail_ForceAllowTheseApps -
    -
    - Privacy/LetAppsAccessEmail_ForceDenyTheseApps -
    -
    - Privacy/LetAppsAccessEmail_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsAccessGazeInput -
    -
    - Privacy/LetAppsAccessGazeInput_ForceAllowTheseApps -
    -
    - Privacy/LetAppsAccessGazeInput_ForceDenyTheseApps -
    -
    - Privacy/LetAppsAccessGazeInput_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsAccessLocation -
    -
    - Privacy/LetAppsAccessLocation_ForceAllowTheseApps -
    -
    - Privacy/LetAppsAccessLocation_ForceDenyTheseApps -
    -
    - Privacy/LetAppsAccessLocation_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsAccessMessaging -
    -
    - Privacy/LetAppsAccessMessaging_ForceAllowTheseApps -
    -
    - Privacy/LetAppsAccessMessaging_ForceDenyTheseApps -
    -
    - Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsAccessMicrophone -
    -
    - Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps -
    -
    - Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps -
    -
    - Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsAccessMotion -
    -
    - Privacy/LetAppsAccessMotion_ForceAllowTheseApps -
    -
    - Privacy/LetAppsAccessMotion_ForceDenyTheseApps -
    -
    - Privacy/LetAppsAccessMotion_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsAccessNotifications -
    -
    - Privacy/LetAppsAccessNotifications_ForceAllowTheseApps -
    -
    - Privacy/LetAppsAccessNotifications_ForceDenyTheseApps -
    -
    - Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsAccessPhone -
    -
    - Privacy/LetAppsAccessPhone_ForceAllowTheseApps -
    -
    - Privacy/LetAppsAccessPhone_ForceDenyTheseApps -
    -
    - Privacy/LetAppsAccessPhone_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsAccessRadios -
    -
    - Privacy/LetAppsAccessRadios_ForceAllowTheseApps -
    -
    - Privacy/LetAppsAccessRadios_ForceDenyTheseApps -
    -
    - Privacy/LetAppsAccessRadios_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsAccessTasks -
    -
    - Privacy/LetAppsAccessTasks_ForceAllowTheseApps -
    -
    - Privacy/LetAppsAccessTasks_ForceDenyTheseApps -
    -
    - Privacy/LetAppsAccessTasks_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsAccessTrustedDevices -
    -
    - Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps -
    -
    - Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps -
    -
    - Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsActivateWithVoice -
    -
    - Privacy/LetAppsActivateWithVoiceAboveLock -
    -
    - Privacy/LetAppsGetDiagnosticInfo -
    -
    - Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps -
    -
    - Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps -
    -
    - Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsRunInBackground -
    -
    - Privacy/LetAppsRunInBackground_ForceAllowTheseApps -
    -
    - Privacy/LetAppsRunInBackground_ForceDenyTheseApps -
    -
    - Privacy/LetAppsRunInBackground_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsSyncWithDevices -
    -
    - Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps -
    -
    - Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps -
    -
    - Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps -
    -
    - Privacy/PublishUserActivities -
    -
    - Privacy/UploadUserActivities -
    -
    - -### RemoteAssistance policies - -
    -
    - RemoteAssistance/CustomizeWarningMessages -
    -
    - RemoteAssistance/SessionLogging -
    -
    - RemoteAssistance/SolicitedRemoteAssistance -
    -
    - RemoteAssistance/UnsolicitedRemoteAssistance -
    -
    - -### RemoteDesktop policies - -
    -
    - RemoteDesktop/AutoSubscription -
    -
    - RemoteDesktop/LoadAadCredKeyFromProfile -
    -
    - -### RemoteDesktopServices policies - -
    -
    - RemoteDesktopServices/AllowUsersToConnectRemotely -
    -
    - RemoteDesktopServices/ClientConnectionEncryptionLevel -
    -
    - RemoteDesktopServices/DoNotAllowDriveRedirection -
    -
    - RemoteDesktopServices/DoNotAllowPasswordSaving -
    -
    - RemoteDesktopServices/PromptForPasswordUponConnection -
    -
    - RemoteDesktopServices/RequireSecureRPCCommunication -
    -
    - -### RemoteManagement policies - -
    -
    - RemoteManagement/AllowBasicAuthentication_Client -
    -
    - RemoteManagement/AllowBasicAuthentication_Service -
    -
    - RemoteManagement/AllowCredSSPAuthenticationClient -
    -
    - RemoteManagement/AllowCredSSPAuthenticationService -
    -
    - RemoteManagement/AllowRemoteServerManagement -
    -
    - RemoteManagement/AllowUnencryptedTraffic_Client -
    -
    - RemoteManagement/AllowUnencryptedTraffic_Service -
    -
    - RemoteManagement/DisallowDigestAuthentication -
    -
    - RemoteManagement/DisallowNegotiateAuthenticationClient -
    -
    - RemoteManagement/DisallowNegotiateAuthenticationService -
    -
    - RemoteManagement/DisallowStoringOfRunAsCredentials -
    -
    - RemoteManagement/SpecifyChannelBindingTokenHardeningLevel -
    -
    - RemoteManagement/TrustedHosts -
    -
    - RemoteManagement/TurnOnCompatibilityHTTPListener -
    -
    - RemoteManagement/TurnOnCompatibilityHTTPSListener -
    -
    - -### RemoteProcedureCall policies - -
    -
    - RemoteProcedureCall/RPCEndpointMapperClientAuthentication -
    -
    - RemoteProcedureCall/RestrictUnauthenticatedRPCClients -
    -
    - -### RemoteShell policies - -
    -
    - RemoteShell/AllowRemoteShellAccess -
    -
    - RemoteShell/MaxConcurrentUsers -
    -
    - RemoteShell/SpecifyIdleTimeout -
    -
    - RemoteShell/SpecifyMaxMemory -
    -
    - RemoteShell/SpecifyMaxProcesses -
    -
    - RemoteShell/SpecifyMaxRemoteShells -
    -
    - RemoteShell/SpecifyShellTimeout -
    -
    - -### RestrictedGroups policies - -
    -
    - RestrictedGroups/ConfigureGroupMembership -
    -
    - -### Search policies - -
    -
    - Search/AllowCloudSearch -
    -
    - Search/AllowFindMyFiles -
    -
    - Search/AllowIndexingEncryptedStoresOrItems -
    -
    - Search/AllowSearchToUseLocation -
    -
    - Search/AllowStoringImagesFromVisionSearch -
    -
    - Search/AllowUsingDiacritics -
    -
    - Search/AllowWindowsIndexer -
    -
    - Search/AlwaysUseAutoLangDetection -
    -
    - Search/DisableBackoff -
    -
    - Search/DisableRemovableDriveIndexing -
    -
    - Search/DisableSearch -
    -
    - Search/DoNotUseWebResults -
    -
    - Search/PreventIndexingLowDiskSpaceMB -
    -
    - Search/PreventRemoteQueries -
    -
    - -### Security policies - -
    -
    - Security/AllowAddProvisioningPackage -
    -
    - Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices -
    -
    - Security/AllowRemoveProvisioningPackage -
    -
    - Security/ClearTPMIfNotReady -
    -
    - Security/ConfigureWindowsPasswords -
    -
    - Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices -
    -
    - Security/RecoveryEnvironmentAuthentication -
    -
    - Security/RequireDeviceEncryption -
    -
    - Security/RequireProvisioningPackageSignature -
    -
    - Security/RequireRetrieveHealthCertificateOnBoot -
    -
    - -### ServiceControlManager policies -
    -
    - ServiceControlManager/SvchostProcessMitigation -
    -
    - -### Settings policies - -
    -
    - Settings/AllowAutoPlay -
    -
    - Settings/AllowDataSense -
    -
    - Settings/AllowDateTime -
    -
    - Settings/AllowLanguage -
    -
    - Settings/AllowOnlineTips -
    -
    - Settings/AllowPowerSleep -
    -
    - Settings/AllowRegion -
    -
    - Settings/AllowSignInOptions -
    -
    - Settings/AllowVPN -
    -
    - Settings/AllowWorkplace -
    -
    - Settings/AllowYourAccount -
    -
    - Settings/ConfigureTaskbarCalendar -
    -
    - Settings/PageVisibilityList -
    -
    - -### Windows Defender SmartScreen policies - -
    -
    - SmartScreen/EnableAppInstallControl -
    -
    - SmartScreen/EnableSmartScreenInShell -
    -
    - SmartScreen/PreventOverrideForFilesInShell -
    -
    - -### Speech policies - -
    -
    - Speech/AllowSpeechModelUpdate -
    -
    - -### Start policies - -
    -
    - Start/AllowPinnedFolderDocuments -
    -
    - Start/AllowPinnedFolderDownloads -
    -
    - Start/AllowPinnedFolderFileExplorer -
    -
    - Start/AllowPinnedFolderHomeGroup -
    -
    - Start/AllowPinnedFolderMusic -
    -
    - Start/AllowPinnedFolderNetwork -
    -
    - Start/AllowPinnedFolderPersonalFolder -
    -
    - Start/AllowPinnedFolderPictures -
    -
    - Start/AllowPinnedFolderSettings -
    -
    - Start/AllowPinnedFolderVideos -
    -
    - Start/DisableContextMenus -
    -
    - Start/DisableControlCenter -
    -
    - Start/DisableEditingQuickSettings -
    -
    - Start/ForceStartSize -
    -
    - Start/HideAppList -
    -
    - Start/HideChangeAccountSettings -
    -
    - Start/HideFrequentlyUsedApps -
    -
    - Start/HideHibernate -
    -
    - Start/HideLock -
    -
    - Start/HidePeopleBar -
    -
    - Start/HidePowerButton -
    -
    - Start/HideRecentJumplists -
    -
    - Start/HideRecentlyAddedApps -
    -
    - Start/HideRecommendedSection -
    -
    - Start/HideRestart -
    -
    - Start/HideShutDown -
    -
    - Start/HideSignOut -
    -
    - Start/HideSleep -
    -
    - Start/HideSwitchAccount -
    -
    - Start/HideTaskViewButton -
    -
    - Start/HideUserTile -
    -
    - Start/ImportEdgeAssets -
    -
    - Start/NoPinningToTaskbar -
    -
    - Start/SimplifyQuickSettings -
    -
    - Start/StartLayout -
    -
    - -### Storage policies - -
    -
    - Storage/AllowDiskHealthModelUpdates -
    -
    - Storage/AllowStorageSenseGlobal -
    -
    - Storage/AllowStorageSenseTemporaryFilesCleanup -
    -
    - Storage/ConfigStorageSenseCloudContentDehydrationThreshold -
    -
    - Storage/ConfigStorageSenseDownloadsCleanupThreshold -
    -
    - Storage/ConfigStorageSenseGlobalCadence -
    -
    - Storage/ConfigStorageSenseRecycleBinCleanupThreshold -
    - Storage/EnhancedStorageDevices -
    -
    - Storage/RemovableDiskDenyWriteAccess -
    -
    - Storage/WPDDevicesDenyReadAccessPerDevice -
    -
    - Storage/WPDDevicesDenyReadAccessPerUser -
    -
    - Storage/WPDDevicesDenyWriteAccessPerDevice -
    -
    - Storage/WPDDevicesDenyWriteAccessPerUser -
    -
    - -### System policies - -
    -
    - System/AllowBuildPreview -
    -
    - System/AllowCommercialDataPipeline -
    -
    - System/AllowDeviceNameInDiagnosticData -
    -
    - System/AllowEmbeddedMode -
    -
    - System/AllowExperimentation -
    -
    - System/AllowFontProviders -
    -
    - System/AllowLocation -
    -
    - System/AllowStorageCard -
    -
    - System/AllowTelemetry -
    -
    - System/AllowUserToResetPhone -
    -
    - System/BootStartDriverInitialization -
    -
    - System/ConfigureMicrosoft365UploadEndpoint -
    -
    - System/ConfigureTelemetryOptInChangeNotification -
    -
    - System/ConfigureTelemetryOptInSettingsUx -
    -
    - System/DisableDeviceDelete -
    -
    - System/DisableDiagnosticDataViewer -
    -
    - System/DisableEnterpriseAuthProxy -
    -
    - System/DisableOneDriveFileSync -
    -
    - System/DisableSystemRestore -
    -
    - System/FeedbackHubAlwaysSaveDiagnosticsLocally -
    -
    - System/LimitDiagnosticLogCollection -
    -
    - System/LimitDumpCollection -
    -
    - System/LimitEnhancedDiagnosticDataWindowsAnalytics -
    -
    - System/TelemetryProxy -
    -
    - System/TurnOffFileHistory -
    -
    - -### SystemServices policies - -
    -
    - SystemServices/ConfigureHomeGroupListenerServiceStartupMode -
    -
    - SystemServices/ConfigureHomeGroupProviderServiceStartupMode -
    -
    - SystemServices/ConfigureXboxAccessoryManagementServiceStartupMode -
    -
    - SystemServices/ConfigureXboxLiveAuthManagerServiceStartupMode -
    -
    - SystemServices/ConfigureXboxLiveGameSaveServiceStartupMode -
    -
    - SystemServices/ConfigureXboxLiveNetworkingServiceStartupMode -
    -
    - -### TaskManager policies - -
    -
    - TaskManager/AllowEndTask -
    -
    - -### TaskScheduler policies - -
    -
    - TaskScheduler/EnableXboxGameSaveTask -
    -
    - -### TextInput policies - -
    -
    - TextInput/AllowHardwareKeyboardTextSuggestions -
    -
    - TextInput/AllowIMELogging -
    -
    - TextInput/AllowIMENetworkAccess -
    -
    - TextInput/AllowInputPanel -
    -
    - TextInput/AllowJapaneseIMESurrogatePairCharacters -
    -
    - TextInput/AllowJapaneseIVSCharacters -
    -
    - TextInput/AllowJapaneseNonPublishingStandardGlyph -
    -
    - TextInput/AllowJapaneseUserDictionary -
    -
    - TextInput/AllowKeyboardTextSuggestions -
    -
    - TextInput/AllowKoreanExtendedHanja -
    -
    - TextInput/AllowLanguageFeaturesUninstall -
    -
    - TextInput/AllowLinguisticDataCollection -
    -
    - TextInput/AllowTextInputSuggestionUpdate -
    -
    - TextInput/ConfigureJapaneseIMEVersion -
    -
    - TextInput/ConfigureSimplifiedChineseIMEVersion -
    -
    - TextInput/ConfigureTraditionalChineseIMEVersion -
    -
    - TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode -
    -
    - TextInput/ExcludeJapaneseIMEExceptJIS0208 -
    -
    - TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC -
    -
    - TextInput/ExcludeJapaneseIMEExceptShiftJIS -
    -
    - TextInput/ForceTouchKeyboardDockedState -
    -
    - TextInput/TouchKeyboardDictationButtonAvailability -
    -
    - TextInput/TouchKeyboardEmojiButtonAvailability -
    -
    - TextInput/TouchKeyboardFullModeAvailability -
    -
    - TextInput/TouchKeyboardHandwritingModeAvailability -
    -
    - TextInput/TouchKeyboardNarrowModeAvailability -
    -
    - TextInput/TouchKeyboardSplitModeAvailability -
    -
    - TextInput/TouchKeyboardWideModeAvailability -
    -
    - -### TimeLanguageSettings policies - -
    -
    - TimeLanguageSettings/BlockCleanupOfUnusedPreinstalledLangPacks -
    -
    - TimeLanguageSettings/ConfigureTimeZone -
    -
    - TimeLanguageSettings/MachineUILanguageOverwrite -
    -
    - TimeLanguageSettings/RestrictLanguagePacksAndFeaturesInstall -
    -
    - -### Troubleshooting policies - -
    -
    - Troubleshooting/AllowRecommendations -
    -
    - -### Update policies - -
    -
    - Update/ActiveHoursEnd -
    -
    - Update/ActiveHoursMaxRange -
    -
    - Update/ActiveHoursStart -
    -
    - Update/AllowAutoUpdate -
    -
    - Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork -
    -
    - Update/AllowMUUpdateService -
    -
    - Update/AllowNonMicrosoftSignedUpdate -
    -
    - Update/AllowUpdateService -
    -
    - Update/AutoRestartDeadlinePeriodInDays -
    -
    - Update/AutoRestartDeadlinePeriodInDaysForFeatureUpdates -
    -
    - Update/AutoRestartNotificationSchedule -
    -
    - Update/AutoRestartRequiredNotificationDismissal -
    -
    - Update/AutomaticMaintenanceWakeUp -
    -
    - Update/BranchReadinessLevel -
    -
    - Update/ConfigureDeadlineForFeatureUpdates -
    -
    - Update/ConfigureDeadlineForQualityUpdates -
    -
    - Update/ConfigureDeadlineGracePeriod -
    -
    - Update/ConfigureDeadlineGracePeriodForFeatureUpdates -
    -
    - Update/ConfigureDeadlineNoAutoReboot -
    -
    - Update/ConfigureFeatureUpdateUninstallPeriod -
    -
    - Update/DeferFeatureUpdatesPeriodInDays -
    -
    - Update/DeferQualityUpdatesPeriodInDays -
    -
    - Update/DeferUpdatePeriod -
    -
    - Update/DeferUpgradePeriod -
    -
    - Update/DetectionFrequency -
    -
    - Update/DisableDualScan -
    -
    - Update/DisableWUfBSafeguards -
    -
    - Update/DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection -
    -
    - Update/EngagedRestartDeadline -
    -
    - Update/EngagedRestartDeadlineForFeatureUpdates -
    -
    - Update/EngagedRestartSnoozeSchedule -
    -
    - Update/EngagedRestartSnoozeScheduleForFeatureUpdates -
    -
    - Update/EngagedRestartTransitionSchedule -
    -
    - Update/EngagedRestartTransitionScheduleForFeatureUpdates -
    -
    - Update/ExcludeWUDriversInQualityUpdate -
    -
    - Update/FillEmptyContentUrls -
    -
    - Update/IgnoreMOAppDownloadLimit -
    -
    - Update/IgnoreMOUpdateDownloadLimit -
    -
    - Update/ManagePreviewBuilds -
    -
    - Update/PauseDeferrals -
    -
    - Update/PauseFeatureUpdates -
    -
    - Update/PauseFeatureUpdatesStartTime -
    -
    - Update/PauseQualityUpdates -
    -
    - Update/PauseQualityUpdatesStartTime -
    -
    - Update/PhoneUpdateRestrictions -
    -
    - Update/RequireDeferUpgrade -
    -
    - Update/RequireUpdateApproval -
    -
    - Update/ScheduleImminentRestartWarning -
    -
    - Update/ScheduleRestartWarning -
    -
    - Update/ScheduledInstallDay -
    -
    - Update/ScheduledInstallEveryWeek -
    -
    - Update/ScheduledInstallFirstWeek -
    -
    - Update/ScheduledInstallFourthWeek -
    -
    - Update/ScheduledInstallSecondWeek -
    -
    - Update/ScheduledInstallThirdWeek -
    -
    - Update/ScheduledInstallTime -
    -
    - Update/SetAutoRestartNotificationDisable -
    -
    - Update/SetDisablePauseUXAccess -
    -
    - Update/SetDisableUXWUAccess -
    -
    - Update/SetEDURestart -
    -
    - Update/SetPolicyDrivenUpdateSourceForDriverUpdates -
    -
    - Update/SetPolicyDrivenUpdateSourceForFeatureUpdates -
    -
    - Update/SetPolicyDrivenUpdateSourceForOtherUpdates -
    -
    - Update/SetPolicyDrivenUpdateSourceForQualityUpdates -
    -
    - Update/SetProxyBehaviorForUpdateDetection -
    -
    - Update/TargetReleaseVersion -
    -
    -
    - Update/UpdateNotificationLevel -
    -
    - Update/UpdateServiceUrl -
    -
    - Update/UpdateServiceUrlAlternate -
    -
    - -### UserRights policies - -
    -
    - UserRights/AccessCredentialManagerAsTrustedCaller -
    -
    - UserRights/AccessFromNetwork -
    -
    - UserRights/ActAsPartOfTheOperatingSystem -
    -
    - UserRights/AllowLocalLogOn -
    -
    - UserRights/BackupFilesAndDirectories -
    -
    - UserRights/ChangeSystemTime -
    -
    - UserRights/CreateGlobalObjects -
    -
    - UserRights/CreatePageFile -
    -
    - UserRights/CreatePermanentSharedObjects -
    -
    - UserRights/CreateSymbolicLinks -
    -
    - UserRights/CreateToken -
    -
    - UserRights/DebugPrograms -
    -
    - UserRights/DenyAccessFromNetwork -
    -
    - UserRights/DenyLocalLogOn -
    -
    - UserRights/DenyRemoteDesktopServicesLogOn -
    -
    - UserRights/EnableDelegation -
    -
    - UserRights/GenerateSecurityAudits -
    -
    - UserRights/ImpersonateClient -
    -
    - UserRights/IncreaseSchedulingPriority -
    -
    - UserRights/LoadUnloadDeviceDrivers -
    -
    - UserRights/LockMemory -
    -
    - UserRights/ManageAuditingAndSecurityLog -
    -
    - UserRights/ManageVolume -
    -
    - UserRights/ModifyFirmwareEnvironment -
    -
    - UserRights/ModifyObjectLabel -
    -
    - UserRights/ProfileSingleProcess -
    -
    - UserRights/RemoteShutdown -
    -
    - UserRights/RestoreFilesAndDirectories -
    -
    - UserRights/TakeOwnership -
    -
    - -### VirtualizationBasedTechnology policies - -
    -
    - VirtualizationBasedTechnology/HypervisorEnforcedCodeIntegrity -
    -
    - VirtualizationBasedTechnology/RequireUEFIMemoryAttributesTable -
    -
    - -### WebThreatDefense policies - -
    -
    - WebThreatDefense/EnableService -
    -
    - WebThreatDefense/NotifyMalicious -
    -
    - WebThreatDefense/NotifyPasswordReuse -
    -
    - WebThreatDefense/NotifyUnsafeApp -
    -
    - -### Wifi policies - -
    -
    - WiFi/AllowWiFiHotSpotReporting -
    -
    - Wifi/AllowAutoConnectToWiFiSenseHotspots -
    -
    - Wifi/AllowInternetSharing -
    -
    - Wifi/AllowManualWiFiConfiguration -
    -
    - Wifi/AllowWiFi -
    -
    - Wifi/AllowWiFiDirect -
    -
    - Wifi/WLANScanMode -
    -
    - -### WindowsAutoPilot policies - -
    -
    - WindowsAutoPilot/EnableAgilityPostEnrollment -
    -
    - -### WindowsConnectionManager policies - -
    -
    - WindowsConnectionManager/ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork -
    -
    - -### WindowsDefenderSecurityCenter policies - -
    -
    - WindowsDefenderSecurityCenter/CompanyName -
    -
    - WindowsDefenderSecurityCenter/DisableAccountProtectionUI -
    -
    - WindowsDefenderSecurityCenter/DisableAppBrowserUI -
    -
    - WindowsDefenderSecurityCenter/DisableClearTpmButton -
    -
    - WindowsDefenderSecurityCenter/DisableDeviceSecurityUI -
    -
    - WindowsDefenderSecurityCenter/DisableEnhancedNotifications -
    -
    - WindowsDefenderSecurityCenter/DisableFamilyUI -
    -
    - WindowsDefenderSecurityCenter/DisableHealthUI -
    -
    - WindowsDefenderSecurityCenter/DisableNetworkUI -
    -
    - WindowsDefenderSecurityCenter/DisableNotifications -
    -
    - WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning -
    -
    - WindowsDefenderSecurityCenter/DisableVirusUI -
    -
    - WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride -
    -
    - WindowsDefenderSecurityCenter/Email -
    -
    - WindowsDefenderSecurityCenter/EnableCustomizedToasts -
    -
    - WindowsDefenderSecurityCenter/EnableInAppCustomization -
    -
    - WindowsDefenderSecurityCenter/HideRansomwareDataRecovery -
    -
    - WindowsDefenderSecurityCenter/HideSecureBoot -
    -
    - WindowsDefenderSecurityCenter/HideTPMTroubleshooting -
    -
    - WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl -
    -
    - WindowsDefenderSecurityCenter/Phone -
    -
    - WindowsDefenderSecurityCenter/URL -
    -
    - -### WindowsInkWorkspace policies - -
    -
    - WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace -
    -
    - WindowsInkWorkspace/AllowWindowsInkWorkspace -
    -
    - -### WindowsLogon policies - -
    -
    - WindowsLogon/AllowAutomaticRestartSignOn -
    -
    - WindowsLogon/ConfigAutomaticRestartSignOn -
    -
    - WindowsLogon/DisableLockScreenAppNotifications -
    -
    - WindowsLogon/DontDisplayNetworkSelectionUI -
    -
    - WindowsLogon/EnableFirstLogonAnimation -
    -
    - WindowsLogon/EnableMPRNotifications -
    -
    - WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers -
    -
    - WindowsLogon/HideFastUserSwitching -
    -
    - -### WindowsPowerShell policies - -
    -
    - WindowsPowerShell/TurnOnPowerShellScriptBlockLogging -
    -
    - -### WindowsSandbox policies - -
    -
    - WindowsSandbox/AllowAudioInput -
    -
    - WindowsSandbox/AllowClipboardRedirection -
    -
    - WindowsSandbox/AllowNetworking -
    -
    - WindowsSandbox/AllowPrinterRedirection -
    -
    - WindowsSandbox/AllowVGPU -
    -
    - WindowsSandbox/AllowVideoInput -
    -
    - -### WirelessDisplay policies - -
    -
    - WirelessDisplay/AllowMdnsAdvertisement -
    -
    - WirelessDisplay/AllowMdnsDiscovery -
    -
    - WirelessDisplay/AllowMovementDetectionOnInfrastructure -
    -
    - WirelessDisplay/AllowProjectionFromPC -
    -
    - WirelessDisplay/AllowProjectionFromPCOverInfrastructure -
    -
    - WirelessDisplay/AllowProjectionToPC -
    -
    - WirelessDisplay/AllowProjectionToPCOverInfrastructure -
    -
    - WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver -
    -
    - WirelessDisplay/RequirePinForPairing -
    -
    - - -## Policies in Policy CSP supported by Group Policy and ADMX-backed policies in Policy CSP -- [Policies in Policy CSP supported by Group Policy](./policies-in-policy-csp-supported-by-group-policy.md) -- [ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) - -> [!NOTE] -> Not all Policies in Policy CSP supported by Group Policy are ADMX-backed. For more details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). - -## Policies in Policy CSP supported by HoloLens devices -- [Policies in Policy CSP supported by HoloLens 2](./policies-in-policy-csp-supported-by-hololens2.md) -- [Policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite](./policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md) -- [Policies in Policy CSP supported by HoloLens (1st gen) Development Edition](./policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md) - -## Policies in Policy CSP supported by Windows 10 IoT -- [Policies in Policy CSP supported by Windows 10 IoT Core](./policies-in-policy-csp-supported-by-iot-core.md) - -## Policies in Policy CSP supported by Microsoft Surface Hub -- [Policies in Policy CSP supported by Microsoft Surface Hub](./policies-in-policy-csp-supported-by-surface-hub.md) - -## Policies in Policy CSP that can be set using Exchange ActiveSync (EAS) -- [Policies in Policy CSP that can be set using Exchange ActiveSync (EAS)](./policies-in-policy-csp-that-can-be-set-using-eas.md) - -## Related topics - -[Configuration service provider reference](index.yml) + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | + + + + + + + + + +#### Device/ConfigOperations/ADMXInstall/{AppName} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName} +``` + + + +Specifies the name of the Win32 or Desktop Bridge app associated with the ADMX file. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | UniqueName: Specifies the name of the Win32 or Desktop Bridge app associated with the ADMX file. | + + + + + + + + + +##### Device/ConfigOperations/ADMXInstall/{AppName}/{SettingsType} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}/{SettingsType} +``` + + + +Setting Type of Win32 App. Policy Or Preference + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | UniqueName: Setting Type of Win32 App. Policy Or Preference | + + + + + + + + + +###### Device/ConfigOperations/ADMXInstall/{AppName}/{SettingsType}/{AdmxFileId} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}/{SettingsType}/{AdmxFileId} +``` + + + +Unique ID of ADMX file + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Dynamic Node Naming | ServerGeneratedUniqueIdentifier | + + + + + + + + + +##### Device/ConfigOperations/ADMXInstall/{AppName}/Properties + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299.1481] and later
    :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1099] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.832] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.387] and later
    :heavy_check_mark: Windows 10, version 1909 [10.0.18363] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}/Properties +``` + + + +Properties of Win32 App ADMX Ingestion + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | + + + + + + + + + +###### Device/ConfigOperations/ADMXInstall/{AppName}/Properties/{SettingsType} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299.1481] and later
    :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1099] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.832] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.387] and later
    :heavy_check_mark: Windows 10, version 1909 [10.0.18363] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}/Properties/{SettingsType} +``` + + + +Setting Type of Win32 App. Policy Or Preference + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | UniqueName: Setting Type of Win32 App. Policy Or Preference | + + + + + + + + + +###### Device/ConfigOperations/ADMXInstall/{AppName}/Properties/{SettingsType}/{AdmxFileId} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299.1481] and later
    :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1099] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.832] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.387] and later
    :heavy_check_mark: Windows 10, version 1909 [10.0.18363] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}/Properties/{SettingsType}/{AdmxFileId} +``` + + + +Unique ID of ADMX file + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | ServerGeneratedUniqueIdentifier | + + + + + + + + + +###### Device/ConfigOperations/ADMXInstall/{AppName}/Properties/{SettingsType}/{AdmxFileId}/Version + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299.1481] and later
    :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1099] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.832] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.387] and later
    :heavy_check_mark: Windows 10, version 1909 [10.0.18363] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}/Properties/{SettingsType}/{AdmxFileId}/Version +``` + + + +Version of ADMX file. This can be set by the server to keep a record of the versioning of the ADMX file ingested by the device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +## Device/Result + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Result +``` + + + +Groups the evaluated policies from all providers that can be configured. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### Device/Result/{AreaName} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Result/{AreaName} +``` + + + +The area group that can be configured by a single technology independent of the providers. See the individual Area DDFs for Policy CSP for a list of Areas that can be configured. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | +| Dynamic Node Naming | ClientInventory | + + + + + + + + + +#### Device/Result/{AreaName}/{PolicyName} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Result/{AreaName}/{PolicyName} +``` + + + +Specifies the name/value pair used in the policy. See the individual Area DDFs for more information about the policies available to configure. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | null | +| Access Type | Get | +| Dynamic Node Naming | ClientInventory | + + + + + + + + + +## User/Config + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | | + + + +```User +./User/Vendor/MSFT/Policy/Config +``` + + + +Node for grouping all policies configured by one source. The configuration source can use this path to set policy values and later query any policy value that it previously set. One policy can be configured by multiple configuration sources. If a configuration source wants to query the result of conflict resolution (for example, if Exchange and MDM both attempt to set a value,) the configuration source can use the Policy/Result path to retrieve the resulting value. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | + + + + + + + + + +### User/Config/{AreaName} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | | + + + +```User +./User/Vendor/MSFT/Policy/Config/{AreaName} +``` + + + +The area group that can be configured by a single technology for a single provider. Once added, you cannot change the value. See the individual Area DDFs for Policy CSP for a list of Areas that can be configured. + + + + +The following list shows some tips to help you when configuring policies: + +- Separate substring values by Unicode `0xF000` in the XML file. + > [!NOTE] + > A query from a different caller could provide a different value as each caller could have different values for a named policy. +- In SyncML, wrap this policy with the Atomic command so that the policy settings are treated as a single transaction. +- Supported operations are Add, Get, Delete, and Replace. +- Value type is string. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | ClientInventory | + + + + + + + + + +#### User/Config/{AreaName}/{PolicyName} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | | + + + +```User +./User/Vendor/MSFT/Policy/Config/{AreaName}/{PolicyName} +``` + + + +Specifies the name/value pair used in the policy. See the individual Area DDFs for more information about the policies available to configure. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | null | +| Access Type | Add, Delete, Get, Replace | +| Dynamic Node Naming | ClientInventory | + + + + + + + + + +## User/Result + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | | + + + +```User +./User/Vendor/MSFT/Policy/Result +``` + + + +Groups the evaluated policies from all providers that can be configured. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### User/Result/{AreaName} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | | + + + +```User +./User/Vendor/MSFT/Policy/Result/{AreaName} +``` + + + +The area group that can be configured by a single technology independent of the providers. See the individual Area DDFs for Policy CSP for a list of Areas that can be configured. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | +| Dynamic Node Naming | ClientInventory | + + + + + + + + + +#### User/Result/{AreaName}/{PolicyName} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | | + + + +```User +./User/Vendor/MSFT/Policy/Result/{AreaName}/{PolicyName} +``` + + + +Specifies the name/value pair used in the policy. See the individual Area DDFs for more information about the policies available to configure. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | null | +| Access Type | Get | +| Dynamic Node Naming | ServerGeneratedUniqueIdentifier | + + + + + + + + +## Policy Areas + +- [AboveLock](policy-csp-abovelock.md) +- [Accounts](policy-csp-accounts.md) +- [ActiveXControls](policy-csp-activexcontrols.md) +- [ADMX_ActiveXInstallService](policy-csp-admx-activexinstallservice.md) +- [ADMX_AddRemovePrograms](policy-csp-admx-addremoveprograms.md) +- [ADMX_AdmPwd](policy-csp-admx-admpwd.md) +- [ADMX_AppCompat](policy-csp-admx-appcompat.md) +- [ADMX_AppxPackageManager](policy-csp-admx-appxpackagemanager.md) +- [ADMX_AppXRuntime](policy-csp-admx-appxruntime.md) +- [ADMX_AttachmentManager](policy-csp-admx-attachmentmanager.md) +- [ADMX_AuditSettings](policy-csp-admx-auditsettings.md) +- [ADMX_Bits](policy-csp-admx-bits.md) +- [ADMX_CipherSuiteOrder](policy-csp-admx-ciphersuiteorder.md) +- [ADMX_COM](policy-csp-admx-com.md) +- [ADMX_ControlPanel](policy-csp-admx-controlpanel.md) +- [ADMX_ControlPanelDisplay](policy-csp-admx-controlpaneldisplay.md) +- [ADMX_Cpls](policy-csp-admx-cpls.md) +- [ADMX_CredentialProviders](policy-csp-admx-credentialproviders.md) +- [ADMX_CredSsp](policy-csp-admx-credssp.md) +- [ADMX_CredUI](policy-csp-admx-credui.md) +- [ADMX_CtrlAltDel](policy-csp-admx-ctrlaltdel.md) +- [ADMX_DataCollection](policy-csp-admx-datacollection.md) +- [ADMX_DCOM](policy-csp-admx-dcom.md) +- [ADMX_Desktop](policy-csp-admx-desktop.md) +- [ADMX_DeviceCompat](policy-csp-admx-devicecompat.md) +- [ADMX_DeviceGuard](policy-csp-admx-deviceguard.md) +- [ADMX_DeviceInstallation](policy-csp-admx-deviceinstallation.md) +- [ADMX_DeviceSetup](policy-csp-admx-devicesetup.md) +- [ADMX_DFS](policy-csp-admx-dfs.md) +- [ADMX_DigitalLocker](policy-csp-admx-digitallocker.md) +- [ADMX_DiskDiagnostic](policy-csp-admx-diskdiagnostic.md) +- [ADMX_DiskNVCache](policy-csp-admx-disknvcache.md) +- [ADMX_DiskQuota](policy-csp-admx-diskquota.md) +- [ADMX_DistributedLinkTracking](policy-csp-admx-distributedlinktracking.md) +- [ADMX_DnsClient](policy-csp-admx-dnsclient.md) +- [ADMX_DWM](policy-csp-admx-dwm.md) +- [ADMX_EAIME](policy-csp-admx-eaime.md) +- [ADMX_EncryptFilesonMove](policy-csp-admx-encryptfilesonmove.md) +- [ADMX_EnhancedStorage](policy-csp-admx-enhancedstorage.md) +- [ADMX_ErrorReporting](policy-csp-admx-errorreporting.md) +- [ADMX_EventForwarding](policy-csp-admx-eventforwarding.md) +- [ADMX_EventLog](policy-csp-admx-eventlog.md) +- [ADMX_EventLogging](policy-csp-admx-eventlogging.md) +- [ADMX_EventViewer](policy-csp-admx-eventviewer.md) +- [ADMX_Explorer](policy-csp-admx-explorer.md) +- [ADMX_ExternalBoot](policy-csp-admx-externalboot.md) +- [ADMX_FileRecovery](policy-csp-admx-filerecovery.md) +- [ADMX_FileRevocation](policy-csp-admx-filerevocation.md) +- [ADMX_FileServerVSSProvider](policy-csp-admx-fileservervssprovider.md) +- [ADMX_FileSys](policy-csp-admx-filesys.md) +- [ADMX_FolderRedirection](policy-csp-admx-folderredirection.md) +- [ADMX_FramePanes](policy-csp-admx-framepanes.md) +- [ADMX_fthsvc](policy-csp-admx-fthsvc.md) +- [ADMX_Globalization](policy-csp-admx-globalization.md) +- [ADMX_GroupPolicy](policy-csp-admx-grouppolicy.md) +- [ADMX_Help](policy-csp-admx-help.md) +- [ADMX_HelpAndSupport](policy-csp-admx-helpandsupport.md) +- [ADMX_hotspotauth](policy-csp-admx-hotspotauth.md) +- [ADMX_ICM](policy-csp-admx-icm.md) +- [ADMX_IIS](policy-csp-admx-iis.md) +- [ADMX_iSCSI](policy-csp-admx-iscsi.md) +- [ADMX_kdc](policy-csp-admx-kdc.md) +- [ADMX_Kerberos](policy-csp-admx-kerberos.md) +- [ADMX_LanmanServer](policy-csp-admx-lanmanserver.md) +- [ADMX_LanmanWorkstation](policy-csp-admx-lanmanworkstation.md) +- [ADMX_LeakDiagnostic](policy-csp-admx-leakdiagnostic.md) +- [ADMX_LinkLayerTopologyDiscovery](policy-csp-admx-linklayertopologydiscovery.md) +- [ADMX_LocationProviderAdm](policy-csp-admx-locationprovideradm.md) +- [ADMX_Logon](policy-csp-admx-logon.md) +- [ADMX_MicrosoftDefenderAntivirus](policy-csp-admx-microsoftdefenderantivirus.md) +- [ADMX_MMC](policy-csp-admx-mmc.md) +- [ADMX_MMCSnapins](policy-csp-admx-mmcsnapins.md) +- [ADMX_MobilePCMobilityCenter](policy-csp-admx-mobilepcmobilitycenter.md) +- [ADMX_MobilePCPresentationSettings](policy-csp-admx-mobilepcpresentationsettings.md) +- [ADMX_MSAPolicy](policy-csp-admx-msapolicy.md) +- [ADMX_msched](policy-csp-admx-msched.md) +- [ADMX_MSDT](policy-csp-admx-msdt.md) +- [ADMX_MSI](policy-csp-admx-msi.md) +- [ADMX_MsiFileRecovery](policy-csp-admx-msifilerecovery.md) +- [ADMX_MSS-legacy](policy-csp-admx-mss-legacy.md) +- [ADMX_nca](policy-csp-admx-nca.md) +- [ADMX_NCSI](policy-csp-admx-ncsi.md) +- [ADMX_Netlogon](policy-csp-admx-netlogon.md) +- [ADMX_NetworkConnections](policy-csp-admx-networkconnections.md) +- [ADMX_OfflineFiles](policy-csp-admx-offlinefiles.md) +- [ADMX_pca](policy-csp-admx-pca.md) +- [ADMX_PeerToPeerCaching](policy-csp-admx-peertopeercaching.md) +- [ADMX_PenTraining](policy-csp-admx-pentraining.md) +- [ADMX_PerformanceDiagnostics](policy-csp-admx-performancediagnostics.md) +- [ADMX_Power](policy-csp-admx-power.md) +- [ADMX_PowerShellExecutionPolicy](policy-csp-admx-powershellexecutionpolicy.md) +- [ADMX_PreviousVersions](policy-csp-admx-previousversions.md) +- [ADMX_Printing](policy-csp-admx-printing.md) +- [ADMX_Printing2](policy-csp-admx-printing2.md) +- [ADMX_Programs](policy-csp-admx-programs.md) +- [ADMX_PushToInstall](policy-csp-admx-pushtoinstall.md) +- [ADMX_QOS](policy-csp-admx-qos.md) +- [ADMX_Radar](policy-csp-admx-radar.md) +- [ADMX_Reliability](policy-csp-admx-reliability.md) +- [ADMX_RemoteAssistance](policy-csp-admx-remoteassistance.md) +- [ADMX_RemovableStorage](policy-csp-admx-removablestorage.md) +- [ADMX_RPC](policy-csp-admx-rpc.md) +- [ADMX_sam](policy-csp-admx-sam.md) +- [ADMX_Scripts](policy-csp-admx-scripts.md) +- [ADMX_sdiageng](policy-csp-admx-sdiageng.md) +- [ADMX_sdiagschd](policy-csp-admx-sdiagschd.md) +- [ADMX_Securitycenter](policy-csp-admx-securitycenter.md) +- [ADMX_Sensors](policy-csp-admx-sensors.md) +- [ADMX_ServerManager](policy-csp-admx-servermanager.md) +- [ADMX_Servicing](policy-csp-admx-servicing.md) +- [ADMX_SettingSync](policy-csp-admx-settingsync.md) +- [ADMX_SharedFolders](policy-csp-admx-sharedfolders.md) +- [ADMX_Sharing](policy-csp-admx-sharing.md) +- [ADMX_ShellCommandPromptRegEditTools](policy-csp-admx-shellcommandpromptregedittools.md) +- [ADMX_Smartcard](policy-csp-admx-smartcard.md) +- [ADMX_Snmp](policy-csp-admx-snmp.md) +- [ADMX_SoundRec](policy-csp-admx-soundrec.md) +- [ADMX_srmfci](policy-csp-admx-srmfci.md) +- [ADMX_StartMenu](policy-csp-admx-startmenu.md) +- [ADMX_SystemRestore](policy-csp-admx-systemrestore.md) +- [ADMX_TabletPCInputPanel](policy-csp-admx-tabletpcinputpanel.md) +- [ADMX_TabletShell](policy-csp-admx-tabletshell.md) +- [ADMX_Taskbar](policy-csp-admx-taskbar.md) +- [ADMX_tcpip](policy-csp-admx-tcpip.md) +- [ADMX_TerminalServer](policy-csp-admx-terminalserver.md) +- [ADMX_Thumbnails](policy-csp-admx-thumbnails.md) +- [ADMX_TouchInput](policy-csp-admx-touchinput.md) +- [ADMX_TPM](policy-csp-admx-tpm.md) +- [ADMX_UserExperienceVirtualization](policy-csp-admx-userexperiencevirtualization.md) +- [ADMX_UserProfiles](policy-csp-admx-userprofiles.md) +- [ADMX_W32Time](policy-csp-admx-w32time.md) +- [ADMX_WCM](policy-csp-admx-wcm.md) +- [ADMX_WDI](policy-csp-admx-wdi.md) +- [ADMX_WinCal](policy-csp-admx-wincal.md) +- [ADMX_WindowsColorSystem](policy-csp-admx-windowscolorsystem.md) +- [ADMX_WindowsConnectNow](policy-csp-admx-windowsconnectnow.md) +- [ADMX_WindowsExplorer](policy-csp-admx-windowsexplorer.md) +- [ADMX_WindowsMediaDRM](policy-csp-admx-windowsmediadrm.md) +- [ADMX_WindowsMediaPlayer](policy-csp-admx-windowsmediaplayer.md) +- [ADMX_WindowsRemoteManagement](policy-csp-admx-windowsremotemanagement.md) +- [ADMX_WindowsStore](policy-csp-admx-windowsstore.md) +- [ADMX_WinInit](policy-csp-admx-wininit.md) +- [ADMX_WinLogon](policy-csp-admx-winlogon.md) +- [ADMX_Winsrv](policy-csp-admx-winsrv.md) +- [ADMX_wlansvc](policy-csp-admx-wlansvc.md) +- [ADMX_WordWheel](policy-csp-admx-wordwheel.md) +- [ADMX_WorkFoldersClient](policy-csp-admx-workfoldersclient.md) +- [ADMX_WPN](policy-csp-admx-wpn.md) +- [ApplicationDefaults](policy-csp-applicationdefaults.md) +- [ApplicationManagement](policy-csp-applicationmanagement.md) +- [AppRuntime](policy-csp-appruntime.md) +- [AppVirtualization](policy-csp-appvirtualization.md) +- [AttachmentManager](policy-csp-attachmentmanager.md) +- [Audit](policy-csp-audit.md) +- [Authentication](policy-csp-authentication.md) +- [Autoplay](policy-csp-autoplay.md) +- [Bitlocker](policy-csp-bitlocker.md) +- [BITS](policy-csp-bits.md) +- [Bluetooth](policy-csp-bluetooth.md) +- [Browser](policy-csp-browser.md) +- [Camera](policy-csp-camera.md) +- [Cellular](policy-csp-cellular.md) +- [CloudDesktop](policy-csp-clouddesktop.md) +- [CloudPC](policy-csp-cloudpc.md) +- [Connectivity](policy-csp-connectivity.md) +- [ControlPolicyConflict](policy-csp-controlpolicyconflict.md) +- [CredentialProviders](policy-csp-credentialproviders.md) +- [CredentialsDelegation](policy-csp-credentialsdelegation.md) +- [CredentialsUI](policy-csp-credentialsui.md) +- [Cryptography](policy-csp-cryptography.md) +- [DataProtection](policy-csp-dataprotection.md) +- [DataUsage](policy-csp-datausage.md) +- [Defender](policy-csp-defender.md) +- [DeliveryOptimization](policy-csp-deliveryoptimization.md) +- [Desktop](policy-csp-desktop.md) +- [DesktopAppInstaller](policy-csp-desktopappinstaller.md) +- [DeviceGuard](policy-csp-deviceguard.md) +- [DeviceHealthMonitoring](policy-csp-devicehealthmonitoring.md) +- [DeviceInstallation](policy-csp-deviceinstallation.md) +- [DeviceLock](policy-csp-devicelock.md) +- [Display](policy-csp-display.md) +- [DmaGuard](policy-csp-dmaguard.md) +- [Eap](policy-csp-eap.md) +- [Education](policy-csp-education.md) +- [EnterpriseCloudPrint](policy-csp-enterprisecloudprint.md) +- [ErrorReporting](policy-csp-errorreporting.md) +- [EventLogService](policy-csp-eventlogservice.md) +- [Experience](policy-csp-experience.md) +- [ExploitGuard](policy-csp-exploitguard.md) +- [FederatedAuthentication](policy-csp-federatedauthentication.md) +- [FileExplorer](policy-csp-fileexplorer.md) +- [Games](policy-csp-games.md) +- [Handwriting](policy-csp-handwriting.md) +- [HumanPresence](policy-csp-humanpresence.md) +- [InternetExplorer](policy-csp-internetexplorer.md) +- [Kerberos](policy-csp-kerberos.md) +- [KioskBrowser](policy-csp-kioskbrowser.md) +- [LanmanWorkstation](policy-csp-lanmanworkstation.md) +- [Licensing](policy-csp-licensing.md) +- [LocalPoliciesSecurityOptions](policy-csp-localpoliciessecurityoptions.md) +- [LocalSecurityAuthority](policy-csp-lsa.md) +- [LocalUsersAndGroups](policy-csp-localusersandgroups.md) +- [LockDown](policy-csp-lockdown.md) +- [Maps](policy-csp-maps.md) +- [MemoryDump](policy-csp-memorydump.md) +- [Messaging](policy-csp-messaging.md) +- [MixedReality](policy-csp-mixedreality.md) +- [MSSecurityGuide](policy-csp-mssecurityguide.md) +- [MSSLegacy](policy-csp-msslegacy.md) +- [Multitasking](policy-csp-multitasking.md) +- [NetworkIsolation](policy-csp-networkisolation.md) +- [NetworkListManager](policy-csp-networklistmanager.md) +- [NewsAndInterests](policy-csp-newsandinterests.md) +- [Notifications](policy-csp-notifications.md) +- [Power](policy-csp-power.md) +- [Printers](policy-csp-printers.md) +- [Privacy](policy-csp-privacy.md) +- [RemoteAssistance](policy-csp-remoteassistance.md) +- [RemoteDesktop](policy-csp-remotedesktop.md) +- [RemoteDesktopServices](policy-csp-remotedesktopservices.md) +- [RemoteManagement](policy-csp-remotemanagement.md) +- [RemoteProcedureCall](policy-csp-remoteprocedurecall.md) +- [RemoteShell](policy-csp-remoteshell.md) +- [RestrictedGroups](policy-csp-restrictedgroups.md) +- [Search](policy-csp-search.md) +- [Security](policy-csp-security.md) +- [ServiceControlManager](policy-csp-servicecontrolmanager.md) +- [Settings](policy-csp-settings.md) +- [SettingsSync](policy-csp-settingssync.md) +- [SmartScreen](policy-csp-smartscreen.md) +- [Speech](policy-csp-speech.md) +- [Start](policy-csp-start.md) +- [Stickers](policy-csp-stickers.md) +- [Storage](policy-csp-storage.md) +- [System](policy-csp-system.md) +- [SystemServices](policy-csp-systemservices.md) +- [TaskManager](policy-csp-taskmanager.md) +- [TaskScheduler](policy-csp-taskscheduler.md) +- [TenantDefinedTelemetry](policy-csp-tenantdefinedtelemetry.md) +- [TenantRestrictions](policy-csp-tenantrestrictions.md) +- [TextInput](policy-csp-textinput.md) +- [TimeLanguageSettings](policy-csp-timelanguagesettings.md) +- [Troubleshooting](policy-csp-troubleshooting.md) +- [Update](policy-csp-update.md) +- [UserRights](policy-csp-userrights.md) +- [VirtualizationBasedTechnology](policy-csp-virtualizationbasedtechnology.md) +- [WebThreatDefense](policy-csp-webthreatdefense.md) +- [Wifi](policy-csp-wifi.md) +- [WindowsAutopilot](policy-csp-windowsautopilot.md) +- [WindowsConnectionManager](policy-csp-windowsconnectionmanager.md) +- [WindowsDefenderSecurityCenter](policy-csp-windowsdefendersecuritycenter.md) +- [WindowsInkWorkspace](policy-csp-windowsinkworkspace.md) +- [WindowsLogon](policy-csp-windowslogon.md) +- [WindowsPowerShell](policy-csp-windowspowershell.md) +- [WindowsSandbox](policy-csp-windowssandbox.md) +- [WirelessDisplay](policy-csp-wirelessdisplay.md) + + + + + + +## Related articles + +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/policy-csp-admx-mss-legacy.md b/windows/client-management/mdm/policy-csp-admx-mss-legacy.md new file mode 100644 index 0000000000..a22c707db1 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-mss-legacy.md @@ -0,0 +1,812 @@ +--- +title: ADMX_MSS-legacy Policy CSP +description: Learn more about the ADMX_MSS-legacy Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz +ms.author: vinpa +ms.date: 11/29/2022 +ms.localizationpriority: medium +ms.prod: windows-client +ms.technology: itpro-manage +ms.topic: reference +--- + + + + +# Policy CSP - ADMX_MSS-legacy + +> [!TIP] +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + + + + +## Pol_MSS_AutoAdminLogon + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_AutoAdminLogon +``` + + + + + + + + +Enable Automatic Logon (not recommended). + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + + + + + +## Pol_MSS_AutoReboot + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_AutoReboot +``` + + + + + + + + +Allow Windows to automatically restart after a system crash (recommended except for highly secure environments). + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + + + + + +## Pol_MSS_AutoShareServer + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_AutoShareServer +``` + + + + + + + + +Enable administrative shares on servers (recommended except for highly secure environments). + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + + + + + +## Pol_MSS_AutoShareWks + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_AutoShareWks +``` + + + + + + + + +Enable administrative shares on workstations (recommended except for highly secure environments). + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + + + + + +## Pol_MSS_DisableSavePassword + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_DisableSavePassword +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + +Prevent the dial-up password from being saved (recommended). + + + + + +## Pol_MSS_EnableDeadGWDetect + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_EnableDeadGWDetect +``` + + + + + + + + +Allow automatic detection of dead network gateways (could lead to DoS). + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + + + + + +## Pol_MSS_HideFromBrowseList + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_HideFromBrowseList +``` + + + + + + + + +Hide Computer From the Browse List (not recommended except for highly secure environments). + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + + + + + +## Pol_MSS_KeepAliveTime + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_KeepAliveTime +``` + + + + + + + + +Define how often keep-alive packets are sent in milliseconds. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + + + + + +## Pol_MSS_NoDefaultExempt + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_NoDefaultExempt +``` + + + + + + + + +Configure IPSec exemptions for various types of network traffic. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + + + + + +## Pol_MSS_NtfsDisable8dot3NameCreation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_NtfsDisable8dot3NameCreation +``` + + + + + + + + +Enable the computer to stop generating 8.3 style filenames. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + + + + + +## Pol_MSS_PerformRouterDiscovery + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_PerformRouterDiscovery +``` + + + + + + + + + Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS). + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + + + + + +## Pol_MSS_SafeDllSearchMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_SafeDllSearchMode +``` + + + + + + + + +Enable Safe DLL search mode (recommended). + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + + + + + +## Pol_MSS_ScreenSaverGracePeriod + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_ScreenSaverGracePeriod +``` + + + + + + + + +he time in seconds before the screen saver grace period expires (0 recommended). + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + + + + + +## Pol_MSS_SynAttackProtect + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_SynAttackProtect +``` + + + + + + + + +Syn attack protection level (protects against DoS). + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + + + + + +## Pol_MSS_TcpMaxConnectResponseRetransmissions + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_TcpMaxConnectResponseRetransmissions +``` + + + + + + + + +SYN-ACK retransmissions when a connection request is not acknowledged. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + + + + + +## Pol_MSS_TcpMaxDataRetransmissions + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_TcpMaxDataRetransmissions +``` + + + + + + + + +Define how many times unacknowledged data is retransmitted (3 recommended, 5 is default). + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + + + + + +## Pol_MSS_TcpMaxDataRetransmissionsIPv6 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_TcpMaxDataRetransmissionsIPv6 +``` + + + + + + + + +Define how many times unacknowledged data is retransmitted (3 recommended, 5 is default). + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + + + + + +## Pol_MSS_WarningLevel + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_WarningLevel +``` + + + + + + + + +Percentage threshold for the security event log at which the system will generate a warning. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-qos.md b/windows/client-management/mdm/policy-csp-admx-qos.md new file mode 100644 index 0000000000..615fe1f468 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-qos.md @@ -0,0 +1,1145 @@ +--- +title: ADMX_QOS Policy CSP +description: Learn more about the ADMX_QOS Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz +ms.author: vinpa +ms.date: 11/29/2022 +ms.localizationpriority: medium +ms.prod: windows-client +ms.technology: itpro-manage +ms.topic: reference +--- + + + + +# Policy CSP - ADMX_QOS + +> [!TIP] +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + + + + +## QosMaxOutstandingSends + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_QOS/QosMaxOutstandingSends +``` + + + +Specifies the maximum number of outstanding packets permitted on the system. When the number of outstanding packets reaches this limit, the Packet Scheduler postpones all submissions to network adapters until the number falls below this limit. + +"Outstanding packets" are packets that the Packet Scheduler has submitted to a network adapter for transmission, but which have not yet been sent. + +If you enable this setting, you can limit the number of outstanding packets. + +If you disable this setting or do not configure it, then the setting has no effect on the system. + +Important: If the maximum number of outstanding packets is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | QosMaxOutstandingSends | +| Friendly Name | Limit outstanding packets | +| Location | Computer Configuration | +| Path | Network > QoS Packet Scheduler | +| Registry Key Name | Software\Policies\Microsoft\Windows\Psched | +| ADMX File Name | QOS.admx | + + + + + + + + + +## QosNonBestEffortLimit + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_QOS/QosNonBestEffortLimit +``` + + + +Determines the percentage of connection bandwidth that the system can reserve. This value limits the combined bandwidth reservations of all programs running on the system. + +By default, the Packet Scheduler limits the system to 80 percent of the bandwidth of a connection, but you can use this setting to override the default. + +If you enable this setting, you can use the "Bandwidth limit" box to adjust the amount of bandwidth the system can reserve. + +If you disable this setting or do not configure it, the system uses the default value of 80 percent of the connection. + +Important: If a bandwidth limit is set for a particular network adapter in the registry, this setting is ignored when configuring that network adapter. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | QosNonBestEffortLimit | +| Friendly Name | Limit reservable bandwidth | +| Location | Computer Configuration | +| Path | Network > QoS Packet Scheduler | +| Registry Key Name | Software\Policies\Microsoft\Windows\Psched | +| ADMX File Name | QOS.admx | + + + + + + + + + +## QosServiceTypeBestEffort_C + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_QOS/QosServiceTypeBestEffort_C +``` + + + +Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Best Effort service type (ServiceTypeBestEffort). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets. + +This setting applies only to packets that conform to the flow specification. + +If you enable this setting, you can change the default DSCP value associated with the Best Effort service type. + +If you disable this setting, the system uses the default DSCP value of 0. + +Important: If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | QosServiceTypeBestEffort_C | +| Friendly Name | Best effort service type | +| Location | Computer Configuration | +| Path | Network > QoS Packet Scheduler > DSCP value of conforming packets | +| Registry Key Name | Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingConforming | +| ADMX File Name | QOS.admx | + + + + + + + + + +## QosServiceTypeBestEffort_NC + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_QOS/QosServiceTypeBestEffort_NC +``` + + + +Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Best Effort service type (ServiceTypeBestEffort). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets. + +This setting applies only to packets that do not conform to the flow specification. + +If you enable this setting, you can change the default DSCP value associated with the Best Effort service type. + +If you disable this setting, the system uses the default DSCP value of 0. + +Important: If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | QosServiceTypeBestEffort_NC | +| Friendly Name | Best effort service type | +| Location | Computer Configuration | +| Path | Network > QoS Packet Scheduler > DSCP value of non-conforming packets | +| Registry Key Name | Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingNonConforming | +| ADMX File Name | QOS.admx | + + + + + + + + + +## QosServiceTypeBestEffort_PV + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_QOS/QosServiceTypeBestEffort_PV +``` + + + +Specifies an alternate link layer (Layer-2) priority value for packets with the Best Effort service type (ServiceTypeBestEffort). The Packet Scheduler inserts the corresponding priority value in the Layer-2 header of the packets. + +If you enable this setting, you can change the default priority value associated with the Best Effort service type. + +If you disable this setting, the system uses the default priority value of 0. + +Important: If the Layer-2 priority value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | QosServiceTypeBestEffort_PV | +| Friendly Name | Best effort service type | +| Location | Computer Configuration | +| Path | Network > QoS Packet Scheduler > Layer-2 priority value | +| Registry Key Name | Software\Policies\Microsoft\Windows\Psched\UserPriorityMapping | +| ADMX File Name | QOS.admx | + + + + + + + + + +## QosServiceTypeControlledLoad_C + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_QOS/QosServiceTypeControlledLoad_C +``` + + + +Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Controlled Load service type (ServiceTypeControlledLoad). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets. + +This setting applies only to packets that conform to the flow specification. + +If you enable this setting, you can change the default DSCP value associated with the Controlled Load service type. + +If you disable this setting, the system uses the default DSCP value of 24 (0x18). + +Important: If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | QosServiceTypeControlledLoad_C | +| Friendly Name | Controlled load service type | +| Location | Computer Configuration | +| Path | Network > QoS Packet Scheduler > DSCP value of conforming packets | +| Registry Key Name | Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingConforming | +| ADMX File Name | QOS.admx | + + + + + + + + + +## QosServiceTypeControlledLoad_NC + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_QOS/QosServiceTypeControlledLoad_NC +``` + + + +Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Controlled Load service type (ServiceTypeControlledLoad). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets. + +This setting applies only to packets that do not conform to the flow specification. + +If you enable this setting, you can change the default DSCP value associated with the Controlled Load service type. + +If you disable this setting, the system uses the default DSCP value of 0. + +Important: If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | QosServiceTypeControlledLoad_NC | +| Friendly Name | Controlled load service type | +| Location | Computer Configuration | +| Path | Network > QoS Packet Scheduler > DSCP value of non-conforming packets | +| Registry Key Name | Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingNonConforming | +| ADMX File Name | QOS.admx | + + + + + + + + + +## QosServiceTypeControlledLoad_PV + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_QOS/QosServiceTypeControlledLoad_PV +``` + + + +Specifies an alternate link layer (Layer-2) priority value for packets with the Controlled Load service type (ServiceTypeControlledLoad). The Packet Scheduler inserts the corresponding priority value in the Layer-2 header of the packets. + +If you enable this setting, you can change the default priority value associated with the Controlled Load service type. + +If you disable this setting, the system uses the default priority value of 0. + +Important: If the Layer-2 priority value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | QosServiceTypeControlledLoad_PV | +| Friendly Name | Controlled load service type | +| Location | Computer Configuration | +| Path | Network > QoS Packet Scheduler > Layer-2 priority value | +| Registry Key Name | Software\Policies\Microsoft\Windows\Psched\UserPriorityMapping | +| ADMX File Name | QOS.admx | + + + + + + + + + +## QosServiceTypeGuaranteed_C + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_QOS/QosServiceTypeGuaranteed_C +``` + + + +Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Guaranteed service type (ServiceTypeGuaranteed). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets. + +This setting applies only to packets that conform to the flow specification. + +If you enable this setting, you can change the default DSCP value associated with the Guaranteed service type. + +If you disable this setting, the system uses the default DSCP value of 40 (0x28). + +Important: If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | QosServiceTypeGuaranteed_C | +| Friendly Name | Guaranteed service type | +| Location | Computer Configuration | +| Path | Network > QoS Packet Scheduler > DSCP value of conforming packets | +| Registry Key Name | Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingConforming | +| ADMX File Name | QOS.admx | + + + + + + + + + +## QosServiceTypeGuaranteed_NC + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_QOS/QosServiceTypeGuaranteed_NC +``` + + + +Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Guaranteed service type (ServiceTypeGuaranteed). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets. + +This setting applies only to packets that do not conform to the flow specification. + +If you enable this setting, you can change the default DSCP value associated with the Guaranteed service type. + +If you disable this setting, the system uses the default DSCP value of 0. + +Important: If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | QosServiceTypeGuaranteed_NC | +| Friendly Name | Guaranteed service type | +| Location | Computer Configuration | +| Path | Network > QoS Packet Scheduler > DSCP value of non-conforming packets | +| Registry Key Name | Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingNonConforming | +| ADMX File Name | QOS.admx | + + + + + + + + + +## QosServiceTypeGuaranteed_PV + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_QOS/QosServiceTypeGuaranteed_PV +``` + + + +Specifies an alternate link layer (Layer-2) priority value for packets with the Guaranteed service type (ServiceTypeGuaranteed). The Packet Scheduler inserts the corresponding priority value in the Layer-2 header of the packets. + +If you enable this setting, you can change the default priority value associated with the Guaranteed service type. + +If you disable this setting, the system uses the default priority value of 0. + +Important: If the Layer-2 priority value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | QosServiceTypeGuaranteed_PV | +| Friendly Name | Guaranteed service type | +| Location | Computer Configuration | +| Path | Network > QoS Packet Scheduler > Layer-2 priority value | +| Registry Key Name | Software\Policies\Microsoft\Windows\Psched\UserPriorityMapping | +| ADMX File Name | QOS.admx | + + + + + + + + + +## QosServiceTypeNetworkControl_C + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_QOS/QosServiceTypeNetworkControl_C +``` + + + +Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Network Control service type (ServiceTypeNetworkControl). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets. + +This setting applies only to packets that conform to the flow specification. + +If you enable this setting, you can change the default DSCP value associated with the Network Control service type. + +If you disable this setting, the system uses the default DSCP value of 48 (0x30). + +Important: If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | QosServiceTypeNetworkControl_C | +| Friendly Name | Network control service type | +| Location | Computer Configuration | +| Path | Network > QoS Packet Scheduler > DSCP value of conforming packets | +| Registry Key Name | Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingConforming | +| ADMX File Name | QOS.admx | + + + + + + + + + +## QosServiceTypeNetworkControl_NC + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_QOS/QosServiceTypeNetworkControl_NC +``` + + + +Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Network Control service type (ServiceTypeNetworkControl). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets. + +This setting applies only to packets that do not conform to the flow specification. + +If you enable this setting, you can change the default DSCP value associated with the Network Control service type. + +If you disable this setting, the system uses the default DSCP value of 0. + +Important: If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | QosServiceTypeNetworkControl_NC | +| Friendly Name | Network control service type | +| Location | Computer Configuration | +| Path | Network > QoS Packet Scheduler > DSCP value of non-conforming packets | +| Registry Key Name | Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingNonConforming | +| ADMX File Name | QOS.admx | + + + + + + + + + +## QosServiceTypeNetworkControl_PV + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_QOS/QosServiceTypeNetworkControl_PV +``` + + + +Specifies an alternate link layer (Layer-2) priority value for packets with the Network Control service type (ServiceTypeNetworkControl). The Packet Scheduler inserts the corresponding priority value in the Layer-2 header of the packets. + +If you enable this setting, you can change the default priority value associated with the Network Control service type. + +If you disable this setting, the system uses the default priority value of 0. + +Important: If the Layer-2 priority value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | QosServiceTypeNetworkControl_PV | +| Friendly Name | Network control service type | +| Location | Computer Configuration | +| Path | Network > QoS Packet Scheduler > Layer-2 priority value | +| Registry Key Name | Software\Policies\Microsoft\Windows\Psched\UserPriorityMapping | +| ADMX File Name | QOS.admx | + + + + + + + + + +## QosServiceTypeNonConforming + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_QOS/QosServiceTypeNonConforming +``` + + + +Specifies an alternate link layer (Layer-2) priority value for packets that do not conform to the flow specification. The Packet Scheduler inserts the corresponding priority value in the Layer-2 header of the packets. + +If you enable this setting, you can change the default priority value associated with nonconforming packets. + +If you disable this setting, the system uses the default priority value of 0. + +Important: If the Layer-2 priority value for nonconforming packets is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | QosServiceTypeNonConforming | +| Friendly Name | Non-conforming packets | +| Location | Computer Configuration | +| Path | Network > QoS Packet Scheduler > Layer-2 priority value | +| Registry Key Name | Software\Policies\Microsoft\Windows\Psched\UserPriorityMapping | +| ADMX File Name | QOS.admx | + + + + + + + + + +## QosServiceTypeQualitative_C + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_QOS/QosServiceTypeQualitative_C +``` + + + +Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Qualitative service type (ServiceTypeQualitative). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets. + +This setting applies only to packets that conform to the flow specification. + +If you enable this setting, you can change the default DSCP value associated with the Qualitative service type. + +If you disable this setting, the system uses the default DSCP value of 0. + +Important: If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | QosServiceTypeQualitative_C | +| Friendly Name | Qualitative service type | +| Location | Computer Configuration | +| Path | Network > QoS Packet Scheduler > DSCP value of conforming packets | +| Registry Key Name | Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingConforming | +| ADMX File Name | QOS.admx | + + + + + + + + + +## QosServiceTypeQualitative_NC + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_QOS/QosServiceTypeQualitative_NC +``` + + + +Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Qualitative service type (ServiceTypeQualitative). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets. + +This setting applies only to packets that do not conform to the flow specification. + +If you enable this setting, you can change the default DSCP value associated with the Qualitative service type. + +If you disable this setting, the system uses the default DSCP value of 0. + +Important: If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | QosServiceTypeQualitative_NC | +| Friendly Name | Qualitative service type | +| Location | Computer Configuration | +| Path | Network > QoS Packet Scheduler > DSCP value of non-conforming packets | +| Registry Key Name | Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingNonConforming | +| ADMX File Name | QOS.admx | + + + + + + + + + +## QosServiceTypeQualitative_PV + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_QOS/QosServiceTypeQualitative_PV +``` + + + +Specifies an alternate link layer (Layer-2) priority value for packets with the Qualitative service type (ServiceTypeQualitative). The Packet Scheduler inserts the corresponding priority value in the Layer-2 header of the packets. + +If you enable this setting, you can change the default priority value associated with the Qualitative service type. + +If you disable this setting, the system uses the default priority value of 0. + +Important: If the Layer-2 priority value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | QosServiceTypeQualitative_PV | +| Friendly Name | Qualitative service type | +| Location | Computer Configuration | +| Path | Network > QoS Packet Scheduler > Layer-2 priority value | +| Registry Key Name | Software\Policies\Microsoft\Windows\Psched\UserPriorityMapping | +| ADMX File Name | QOS.admx | + + + + + + + + + +## QosTimerResolution + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_QOS/QosTimerResolution +``` + + + +Determines the smallest unit of time that the Packet Scheduler uses when scheduling packets for transmission. The Packet Scheduler cannot schedule packets for transmission more frequently than permitted by the value of this entry. + +If you enable this setting, you can override the default timer resolution established for the system, usually units of 10 microseconds. + +If you disable this setting or do not configure it, the setting has no effect on the system. + +Important: If a timer resolution is specified in the registry for a particular network adapter, then this setting is ignored when configuring that network adapter. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | QosTimerResolution | +| Friendly Name | Set timer resolution | +| Location | Computer Configuration | +| Path | Network > QoS Packet Scheduler | +| Registry Key Name | Software\Policies\Microsoft\Windows\Psched | +| ADMX File Name | QOS.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-sam.md b/windows/client-management/mdm/policy-csp-admx-sam.md new file mode 100644 index 0000000000..16f8928707 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-sam.md @@ -0,0 +1,113 @@ +--- +title: ADMX_sam Policy CSP +description: Learn more about the ADMX_sam Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz +ms.author: vinpa +ms.date: 11/29/2022 +ms.localizationpriority: medium +ms.prod: windows-client +ms.technology: itpro-manage +ms.topic: reference +--- + + + + +# Policy CSP - ADMX_sam + +> [!TIP] +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + + + + +## SamNGCKeyROCAValidation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_sam/SamNGCKeyROCAValidation +``` + + + +This policy setting allows you to configure how domain controllers handle Windows Hello for Business (WHfB) keys that are vulnerable to the "Return of Coppersmith's attack" (ROCA) vulnerability. + +For more information on the ROCA vulnerability, please see: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15361 + +https://en.wikipedia.org/wiki/ROCA_vulnerability + +If you enable this policy setting the following options are supported: + +Ignore: during authentication the domain controller will not probe any WHfB keys for the ROCA vulnerability. + +Audit: during authentication the domain controller will emit audit events for WHfB keys that are subject to the ROCA vulnerability (authentications will still succeed). + +Block: during authentication the domain controller will block the use of WHfB keys that are subject to the ROCA vulnerability (authentications will fail). + +This setting only takes effect on domain controllers. + +If not configured, domain controllers will default to using their local configuration. The default local configuration is Audit. + +A reboot is not required for changes to this setting to take effect. + +Note: to avoid unexpected disruptions this setting should not be set to Block until appropriate mitigations have been performed, for example patching of vulnerable TPMs. + +More information is available at https://go.microsoft.com/fwlink/?linkid=2116430. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | SamNGCKeyROCAValidation | +| Friendly Name | Configure validation of ROCA-vulnerable WHfB keys during authentication | +| Location | Computer Configuration | +| Path | System > Security Account Manager | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System\SAM | +| ADMX File Name | sam.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-tabletpcinputpanel.md b/windows/client-management/mdm/policy-csp-admx-tabletpcinputpanel.md new file mode 100644 index 0000000000..b8297ea689 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-tabletpcinputpanel.md @@ -0,0 +1,1038 @@ +--- +title: ADMX_TabletPCInputPanel Policy CSP +description: Learn more about the ADMX_TabletPCInputPanel Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz +ms.author: vinpa +ms.date: 11/29/2022 +ms.localizationpriority: medium +ms.prod: windows-client +ms.technology: itpro-manage +ms.topic: reference +--- + + + + +# Policy CSP - ADMX_TabletPCInputPanel + +> [!TIP] +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + + + + +## AutoComplete_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/AutoComplete_2 +``` + + + +Turns off the integration of application auto complete lists with Tablet PC Input Panel in applications where this behavior is available. + +Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. + +If you enable this policy, application auto complete lists will never appear next to Input Panel. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you disable this policy, application auto complete lists will appear next to Input Panel in applications where the functionality is available. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you do not configure this policy, application auto complete lists will appear next to Input Panel in applications where the functionality is available. Users will be able to configure this setting on the Text completion tab in Input Panel Options. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | AutoComplete | +| Friendly Name | Turn off AutoComplete integration with Input Panel | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Input Panel | +| Registry Key Name | software\policies\microsoft\TabletTip\1.7 | +| Registry Value Name | DisableACIntegration | +| ADMX File Name | TabletPCInputPanel.admx | + + + + + + + + + +## EdgeTarget_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/EdgeTarget_2 +``` + + + +Prevents Input Panel tab from appearing on the edge of the Tablet PC screen. + +Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. + +If you enable this policy, Input Panel tab will not appear on the edge of the Tablet PC screen. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you disable this policy, Input Panel tab will appear on the edge of the Tablet PC screen. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you do not configure this policy, Input Panel tab will appear on the edge of the Tablet PC screen. Users will be able to configure this setting on the Opening tab in Input Panel Options. + +Caution: If you enable both the “Prevent Input Panel from appearing next to text entry areas” policy and the “Prevent Input Panel tab from appearing” policy, and disable the “Show Input Panel taskbar icon” policy, the user will then have no way to access Input Panel. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | EdgeTarget | +| Friendly Name | Prevent Input Panel tab from appearing | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Input Panel | +| Registry Key Name | software\policies\microsoft\TabletTip\1.7 | +| Registry Value Name | DisableEdgeTarget | +| ADMX File Name | TabletPCInputPanel.admx | + + + + + + + + + +## IPTIPTarget_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/IPTIPTarget_2 +``` + + + +Prevents the Tablet PC Input Panel icon from appearing next to any text entry area in applications where this behavior is available. This policy applies only when using a tablet pen as an input device. + +Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. + +If you enable this policy, Input Panel will never appear next to text entry areas when using a tablet pen as an input device. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you disable this policy, Input Panel will appear next to any text entry area in applications where this behavior is available. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you do not configure this policy, Input Panel will appear next to text entry areas in applications where this behavior is available. Users will be able to configure this setting on the Opening tab in Input Panel Options. + +Caution: If you enable both the “Prevent Input Panel from appearing next to text entry areas” policy and the “Prevent Input Panel tab from appearing” policy, and disable the “Show Input Panel taskbar icon” policy, the user will then have no way to access Input Panel. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IPTIPTarget | +| Friendly Name | For tablet pen input, don’t show the Input Panel icon | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Input Panel | +| Registry Key Name | software\policies\microsoft\TabletTip\1.7 | +| Registry Value Name | HideIPTIPTarget | +| ADMX File Name | TabletPCInputPanel.admx | + + + + + + + + + +## IPTIPTouchTarget_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/IPTIPTouchTarget_2 +``` + + + +Prevents the Tablet PC Input Panel icon from appearing next to any text entry area in applications where this behavior is available. This policy applies only when a user is using touch input. + +Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. + +If you enable this policy, Input Panel will never appear next to any text entry area when a user is using touch input. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you disable this policy, Input Panel will appear next to text entry areas in applications where this behavior is available. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you do not configure this policy, Input Panel will appear next to text entry areas in applications where this behavior is available. Users will be able to configure this setting on the Opening tab in Input Panel Options. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IPTIPTouchTarget | +| Friendly Name | For touch input, don’t show the Input Panel icon | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Input Panel | +| Registry Key Name | software\policies\microsoft\TabletTip\1.7 | +| Registry Value Name | HideIPTIPTouchTarget | +| ADMX File Name | TabletPCInputPanel.admx | + + + + + + + + + +## PasswordSecurity_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/PasswordSecurity_2 +``` + + + +Adjusts password security settings in Touch Keyboard and Handwriting panel (a.k.a. Tablet PC Input Panel in Windows 7 and Windows Vista). These settings include using the on-screen keyboard by default, preventing users from switching to another Input Panel skin (the writing pad or character pad), and not showing what keys are tapped when entering a password. + +Touch Keyboard and Handwriting panel enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. + +If you enable this policy and choose “Low” from the drop-down box, password security is set to “Low.” At this setting, all password security settings are turned off. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you enable this policy and choose “Medium-Low” from the drop-down box, password security is set to “Medium-Low.” At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel displays the cursor and which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you enable this policy and choose “Medium” from the drop-down box, password security is set to “Medium.” At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is not allowed, and Input Panel displays the cursor and which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you enable this policy and choose to “Medium-High” from the drop-down box, password security is set to “Medium-High.” At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel does not display the cursor or which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you enable this policy and choose “High” from the drop-down box, password security is set to “High.” At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is not allowed, and Input Panel does not display the cursor or which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you disable this policy, password security is set to “Medium-High.” At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel does not display the cursor or which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you do not configure this policy, password security is set to “Medium-High” by default. At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel does not display the cursor or which keys are tapped. Users will be able to configure this setting on the Advanced tab in Input Panel Options in Windows 7 and Windows Vista. + +Caution: If you lower password security settings, people who can see the user’s screen might be able to see their passwords. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | PasswordSecurity | +| Friendly Name | Turn off password security in Input Panel | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Input Panel | +| Registry Key Name | software\policies\microsoft\TabletTip\1.7 | +| Registry Value Name | PasswordSecurityState | +| ADMX File Name | TabletPCInputPanel.admx | + + + + + + + + + +## Prediction_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/Prediction_2 +``` + + + +Prevents the Touch Keyboard and Handwriting panel (a.k.a. Tablet PC Input Panel in Windows 7 and Windows Vista) from providing text prediction suggestions. This policy applies for both the on-screen keyboard and the handwriting tab when the feature is available for the current input area and input language. + +Touch Keyboard and Handwriting panel enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. + +If you enable this policy, Input Panel will not provide text prediction suggestions. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you disable this policy, Input Panel will provide text prediction suggestions. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you do not configure this policy, Input Panel will provide text prediction suggestions. Users will be able to configure this setting on the Text Completion tab in Input Panel Options in Windows 7 and Windows Vista. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | EnablePrediction | +| Friendly Name | Disable text prediction | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Input Panel | +| Registry Key Name | software\policies\microsoft\TabletTip\1.7 | +| Registry Value Name | DisablePrediction | +| ADMX File Name | TabletPCInputPanel.admx | + + + + + + + + + +## RareChar_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/RareChar_2 +``` + + + +Includes rarely used Chinese, Kanji, and Hanja characters when handwriting is converted to typed text. This policy applies only to the use of the Microsoft recognizers for Chinese (Simplified), Chinese (Traditional), Japanese, and Korean. This setting appears in Input Panel Options (in Windows 7 and Windows Vista only) only when these input languages or keyboards are installed. + +Touch Keyboard and Handwriting panel (a.k.a. Tablet PC Input Panel in Windows 7 and Windows Vista) enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. + +If you enable this policy, rarely used Chinese, Kanji, and Hanja characters will be included in recognition results when handwriting is converted to typed text. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you disable this policy, rarely used Chinese, Kanji, and Hanja characters will not be included in recognition results when handwriting is converted to typed text. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you do not configure this policy, rarely used Chinese, Kanji, and Hanja characters will not be included in recognition results when handwriting is converted to typed text. Users will be able to configure this setting on the Ink to text conversion tab in Input Panel Options (in Windows 7 and Windows Vista). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | RareChar | +| Friendly Name | Include rarely used Chinese, Kanji, or Hanja characters | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Input Panel | +| Registry Key Name | software\policies\microsoft\TabletTip\1.7 | +| Registry Value Name | IncludeRareChar | +| ADMX File Name | TabletPCInputPanel.admx | + + + + + + + + + +## ScratchOut_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/ScratchOut_2 +``` + + + +Turns off both the more tolerant scratch-out gestures that were added in Windows Vista and the Z-shaped scratch-out gesture that was available in Microsoft Windows XP Tablet PC Edition. + +The tolerant gestures let users scratch out ink in Input Panel by using strikethrough and other scratch-out gesture shapes. + +Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. + +If you enable this policy and choose “All” from the drop-down menu, no scratch-out gestures will be available in Input Panel. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you enable this policy and choose “Tolerant," users will be able to use the Z-shaped scratch-out gesture that was available in Microsoft Windows XP Tablet PC Edition. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you enable this policy and choose “None,” users will be able to use both the tolerant scratch-out gestures and the Z-shaped scratch-out gesture. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you disable this policy, users will be able to use both the tolerant scratch-out gestures and the Z-shaped scratch-out gesture. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you do not configure this policy, users will be able to use both the tolerant scratch-out gestures and the Z-shaped scratch-out gesture. Users will be able to configure this setting on the Gestures tab in Input Panel Options. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ScratchOut | +| Friendly Name | Turn off tolerant and Z-shaped scratch-out gestures | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Input Panel | +| Registry Key Name | software\policies\microsoft\TabletTip\1.7 | +| Registry Value Name | ScratchOutState | +| ADMX File Name | TabletPCInputPanel.admx | + + + + + + + + + +## AutoComplete_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/AutoComplete_1 +``` + + + +Turns off the integration of application auto complete lists with Tablet PC Input Panel in applications where this behavior is available. + +Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. + +If you enable this policy, application auto complete lists will never appear next to Input Panel. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you disable this policy, application auto complete lists will appear next to Input Panel in applications where the functionality is available. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you do not configure this policy, application auto complete lists will appear next to Input Panel in applications where the functionality is available. Users will be able to configure this setting on the Text completion tab in Input Panel Options. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | AutoComplete | +| Friendly Name | Turn off AutoComplete integration with Input Panel | +| Location | User Configuration | +| Path | WindowsComponents > Tablet PC > Input Panel | +| Registry Key Name | software\policies\microsoft\TabletTip\1.7 | +| Registry Value Name | DisableACIntegration | +| ADMX File Name | TabletPCInputPanel.admx | + + + + + + + + + +## EdgeTarget_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/EdgeTarget_1 +``` + + + +Prevents Input Panel tab from appearing on the edge of the Tablet PC screen. + +Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. + +If you enable this policy, Input Panel tab will not appear on the edge of the Tablet PC screen. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you disable this policy, Input Panel tab will appear on the edge of the Tablet PC screen. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you do not configure this policy, Input Panel tab will appear on the edge of the Tablet PC screen. Users will be able to configure this setting on the Opening tab in Input Panel Options. + +Caution: If you enable both the “Prevent Input Panel from appearing next to text entry areas” policy and the “Prevent Input Panel tab from appearing” policy, and disable the “Show Input Panel taskbar icon” policy, the user will then have no way to access Input Panel. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | EdgeTarget | +| Friendly Name | Prevent Input Panel tab from appearing | +| Location | User Configuration | +| Path | WindowsComponents > Tablet PC > Input Panel | +| Registry Key Name | software\policies\microsoft\TabletTip\1.7 | +| Registry Value Name | DisableEdgeTarget | +| ADMX File Name | TabletPCInputPanel.admx | + + + + + + + + + +## IPTIPTarget_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/IPTIPTarget_1 +``` + + + +Prevents the Tablet PC Input Panel icon from appearing next to any text entry area in applications where this behavior is available. This policy applies only when using a tablet pen as an input device. + +Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. + +If you enable this policy, Input Panel will never appear next to text entry areas when using a tablet pen as an input device. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you disable this policy, Input Panel will appear next to any text entry area in applications where this behavior is available. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you do not configure this policy, Input Panel will appear next to text entry areas in applications where this behavior is available. Users will be able to configure this setting on the Opening tab in Input Panel Options. + +Caution: If you enable both the “Prevent Input Panel from appearing next to text entry areas” policy and the “Prevent Input Panel tab from appearing” policy, and disable the “Show Input Panel taskbar icon” policy, the user will then have no way to access Input Panel. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IPTIPTarget | +| Friendly Name | For tablet pen input, don’t show the Input Panel icon | +| Location | User Configuration | +| Path | WindowsComponents > Tablet PC > Input Panel | +| Registry Key Name | software\policies\microsoft\TabletTip\1.7 | +| Registry Value Name | HideIPTIPTarget | +| ADMX File Name | TabletPCInputPanel.admx | + + + + + + + + + +## IPTIPTouchTarget_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/IPTIPTouchTarget_1 +``` + + + +Prevents the Tablet PC Input Panel icon from appearing next to any text entry area in applications where this behavior is available. This policy applies only when a user is using touch input. + +Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. + +If you enable this policy, Input Panel will never appear next to any text entry area when a user is using touch input. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you disable this policy, Input Panel will appear next to text entry areas in applications where this behavior is available. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you do not configure this policy, Input Panel will appear next to text entry areas in applications where this behavior is available. Users will be able to configure this setting on the Opening tab in Input Panel Options. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IPTIPTouchTarget | +| Friendly Name | For touch input, don’t show the Input Panel icon | +| Location | User Configuration | +| Path | WindowsComponents > Tablet PC > Input Panel | +| Registry Key Name | software\policies\microsoft\TabletTip\1.7 | +| Registry Value Name | HideIPTIPTouchTarget | +| ADMX File Name | TabletPCInputPanel.admx | + + + + + + + + + +## PasswordSecurity_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/PasswordSecurity_1 +``` + + + +Adjusts password security settings in Touch Keyboard and Handwriting panel (a.k.a. Tablet PC Input Panel in Windows 7 and Windows Vista). These settings include using the on-screen keyboard by default, preventing users from switching to another Input Panel skin (the writing pad or character pad), and not showing what keys are tapped when entering a password. + +Touch Keyboard and Handwriting panel enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. + +If you enable this policy and choose “Low” from the drop-down box, password security is set to “Low.” At this setting, all password security settings are turned off. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you enable this policy and choose “Medium-Low” from the drop-down box, password security is set to “Medium-Low.” At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel displays the cursor and which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you enable this policy and choose “Medium” from the drop-down box, password security is set to “Medium.” At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is not allowed, and Input Panel displays the cursor and which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you enable this policy and choose to “Medium-High” from the drop-down box, password security is set to “Medium-High.” At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel does not display the cursor or which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you enable this policy and choose “High” from the drop-down box, password security is set to “High.” At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is not allowed, and Input Panel does not display the cursor or which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you disable this policy, password security is set to “Medium-High.” At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel does not display the cursor or which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you do not configure this policy, password security is set to “Medium-High” by default. At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel does not display the cursor or which keys are tapped. Users will be able to configure this setting on the Advanced tab in Input Panel Options in Windows 7 and Windows Vista. + +Caution: If you lower password security settings, people who can see the user’s screen might be able to see their passwords. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | PasswordSecurity | +| Friendly Name | Turn off password security in Input Panel | +| Location | User Configuration | +| Path | WindowsComponents > Tablet PC > Input Panel | +| Registry Key Name | software\policies\microsoft\TabletTip\1.7 | +| Registry Value Name | PasswordSecurityState | +| ADMX File Name | TabletPCInputPanel.admx | + + + + + + + + + +## Prediction_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/Prediction_1 +``` + + + +Prevents the Touch Keyboard and Handwriting panel (a.k.a. Tablet PC Input Panel in Windows 7 and Windows Vista) from providing text prediction suggestions. This policy applies for both the on-screen keyboard and the handwriting tab when the feature is available for the current input area and input language. + +Touch Keyboard and Handwriting panel enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. + +If you enable this policy, Input Panel will not provide text prediction suggestions. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you disable this policy, Input Panel will provide text prediction suggestions. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you do not configure this policy, Input Panel will provide text prediction suggestions. Users will be able to configure this setting on the Text Completion tab in Input Panel Options in Windows 7 and Windows Vista. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | EnablePrediction | +| Friendly Name | Disable text prediction | +| Location | User Configuration | +| Path | WindowsComponents > Tablet PC > Input Panel | +| Registry Key Name | software\policies\microsoft\TabletTip\1.7 | +| Registry Value Name | DisablePrediction | +| ADMX File Name | TabletPCInputPanel.admx | + + + + + + + + + +## RareChar_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/RareChar_1 +``` + + + +Includes rarely used Chinese, Kanji, and Hanja characters when handwriting is converted to typed text. This policy applies only to the use of the Microsoft recognizers for Chinese (Simplified), Chinese (Traditional), Japanese, and Korean. This setting appears in Input Panel Options (in Windows 7 and Windows Vista only) only when these input languages or keyboards are installed. + +Touch Keyboard and Handwriting panel (a.k.a. Tablet PC Input Panel in Windows 7 and Windows Vista) enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. + +If you enable this policy, rarely used Chinese, Kanji, and Hanja characters will be included in recognition results when handwriting is converted to typed text. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you disable this policy, rarely used Chinese, Kanji, and Hanja characters will not be included in recognition results when handwriting is converted to typed text. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you do not configure this policy, rarely used Chinese, Kanji, and Hanja characters will not be included in recognition results when handwriting is converted to typed text. Users will be able to configure this setting on the Ink to text conversion tab in Input Panel Options (in Windows 7 and Windows Vista). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | RareChar | +| Friendly Name | Include rarely used Chinese, Kanji, or Hanja characters | +| Location | User Configuration | +| Path | WindowsComponents > Tablet PC > Input Panel | +| Registry Key Name | software\policies\microsoft\TabletTip\1.7 | +| Registry Value Name | IncludeRareChar | +| ADMX File Name | TabletPCInputPanel.admx | + + + + + + + + + +## ScratchOut_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/ScratchOut_1 +``` + + + +Turns off both the more tolerant scratch-out gestures that were added in Windows Vista and the Z-shaped scratch-out gesture that was available in Microsoft Windows XP Tablet PC Edition. + +The tolerant gestures let users scratch out ink in Input Panel by using strikethrough and other scratch-out gesture shapes. + +Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. + +If you enable this policy and choose “All” from the drop-down menu, no scratch-out gestures will be available in Input Panel. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you enable this policy and choose “Tolerant," users will be able to use the Z-shaped scratch-out gesture that was available in Microsoft Windows XP Tablet PC Edition. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you enable this policy and choose “None,” users will be able to use both the tolerant scratch-out gestures and the Z-shaped scratch-out gesture. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you disable this policy, users will be able to use both the tolerant scratch-out gestures and the Z-shaped scratch-out gesture. Users will not be able to configure this setting in the Input Panel Options dialog box. + +If you do not configure this policy, users will be able to use both the tolerant scratch-out gestures and the Z-shaped scratch-out gesture. Users will be able to configure this setting on the Gestures tab in Input Panel Options. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ScratchOut | +| Friendly Name | Turn off tolerant and Z-shaped scratch-out gestures | +| Location | User Configuration | +| Path | WindowsComponents > Tablet PC > Input Panel | +| Registry Key Name | software\policies\microsoft\TabletTip\1.7 | +| Registry Value Name | ScratchOutState | +| ADMX File Name | TabletPCInputPanel.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md index 9507fbe7e9..df32a610d3 100644 --- a/windows/client-management/mdm/policy-csp-authentication.md +++ b/windows/client-management/mdm/policy-csp-authentication.md @@ -9,6 +9,7 @@ author: vinaypamnani-msft ms.localizationpriority: medium ms.reviewer: bobgil manager: aaroncz +ms.date: 12/31/2017 --- # Policy CSP - Authentication diff --git a/windows/client-management/mdm/policy-csp-clouddesktop.md b/windows/client-management/mdm/policy-csp-clouddesktop.md new file mode 100644 index 0000000000..f8bcc48c1b --- /dev/null +++ b/windows/client-management/mdm/policy-csp-clouddesktop.md @@ -0,0 +1,85 @@ +--- +title: CloudDesktop Policy CSP +description: Learn more about the CloudDesktop Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz +ms.author: vinpa +ms.date: 12/09/2022 +ms.localizationpriority: medium +ms.prod: windows-client +ms.technology: itpro-manage +ms.topic: reference +--- + + + + +# Policy CSP - CloudDesktop + + + + + + +## BootToCloudMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/CloudDesktop/BootToCloudMode +``` + + + + +This policy allows the user to configure the boot to cloud mode. Boot to Cloud mode enables users to seamlessly sign-in to a Cloud PC that is provisioned for them by an IT Admin. For using boot to cloud mode, users need to install and configure a Cloud Provider application (eg: Win365) on their PC and need to have a Cloud PC provisioned to them. For successful use of this policy, OverrideShellProgram policy needs to be configured as well. + +This policy supports the below options: + +1. Not Configured: Machine will not trigger the Cloud PC connection automatically. +2. Enable Boot to Cloud Desktop: The user will see that configured Cloud PC Provider application launches automatically. Once the sign-in operation finishes, the user is seamlessly connected to a provisioned Cloud PC. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Not Configured | +| 1 | Enable Boot to Cloud Desktop | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-cloudpc.md b/windows/client-management/mdm/policy-csp-cloudpc.md new file mode 100644 index 0000000000..0c497a0c4e --- /dev/null +++ b/windows/client-management/mdm/policy-csp-cloudpc.md @@ -0,0 +1,79 @@ +--- +title: CloudPC Policy CSP +description: Learn more about the CloudPC Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz +ms.author: vinpa +ms.date: 11/02/2022 +ms.localizationpriority: medium +ms.prod: windows-client +ms.technology: itpro-manage +ms.topic: reference +--- + + + + +# Policy CSP - CloudPC + + + + + + +## CloudPCConfiguration + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/CloudPC/CloudPCConfiguration +``` + + + +This policy is used by IT admin to set the configuration mode of cloud PC. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Fast Switching Configuration. | +| 1 | Boot to cloud PC Configuration. | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md index 0a98ca8f3a..e8769b8986 100644 --- a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md +++ b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md @@ -9,6 +9,7 @@ author: vinaypamnani-msft ms.localizationpriority: medium ms.reviewer: manager: aaroncz +ms.date: 12/31/2017 --- # Policy CSP - ControlPolicyConflict @@ -20,25 +21,16 @@ manager: aaroncz ## ControlPolicyConflict policies -
    -
    - ControlPolicyConflict/MDMWinsOverGP -
    -
    - - -
    - **ControlPolicyConflict/MDMWinsOverGP** > [!NOTE] > This setting doesn't apply to the following types of group policies: > -> - If they don't map to an MDM policy. For example, firewall policies and account lockout policies. -> - If they aren't defined by an ADMX. For example, Password policy - minimum password age. -> - If they're in the Windows Update category. -> - If they have list entries. For example, the Microsoft Edge CookiesAllowedForUrls policy. +> - If they don't map to an MDM policy. For example, Windows Settings > Security Settings > Public Key Policies. +> - If they are group policies that aren't defined by an ADMX template. For example, Windows Settings > Scripts. +> - If they have list entries. For example, Administrative Templates > Windows Components > ActiveX Installer Service > Approved Installation Sites for ActiveX Controls. +> - If they are in the Windows Update category. diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index c23b7be9a8..efc7a8a312 100644 --- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md @@ -1,2439 +1,2794 @@ --- -title: Policy CSP - Defender -description: Learn how to use the Policy CSP - Defender setting so you can allow or disallow scanning of archives. +title: Defender Policy CSP +description: Learn more about the Defender Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 11/02/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 05/12/2022 -ms.reviewer: -manager: aaroncz -ms.collection: highpri +ms.topic: reference --- + + + # Policy CSP - Defender + + + + + +## AllowArchiveScanning + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/AllowArchiveScanning +``` + + + +This policy setting allows you to configure scans for malicious software and unwanted software in archive files such as .ZIP or .CAB files. + +If you enable or do not configure this setting, archive files will be scanned. + +If you disable this setting, archive files will not be scanned. However, archives are always scanned during directed scans. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. Turns off scanning on archived files. | +| 1 (Default) | Allowed. Scans the archive files. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Scan_DisableArchiveScanning | +| Friendly Name | Scan archive files | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | DisableArchiveScanning | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## AllowBehaviorMonitoring + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + - -
    - - -## Defender policies - -
    -
    - Defender/AllowArchiveScanning -
    -
    - Defender/AllowBehaviorMonitoring -
    -
    - Defender/AllowCloudProtection -
    -
    - Defender/AllowEmailScanning -
    -
    - Defender/AllowFullScanOnMappedNetworkDrives -
    -
    - Defender/AllowFullScanRemovableDriveScanning -
    -
    - Defender/AllowIOAVProtection -
    -
    - Defender/AllowOnAccessProtection -
    -
    - Defender/AllowRealtimeMonitoring -
    -
    - Defender/AllowScanningNetworkFiles -
    -
    - Defender/AllowScriptScanning -
    -
    - Defender/AllowUserUIAccess -
    -
    - Defender/AttackSurfaceReductionOnlyExclusions -
    -
    - Defender/AttackSurfaceReductionRules -
    -
    - Defender/AvgCPULoadFactor -
    -
    - Defender/CheckForSignaturesBeforeRunningScan -
    -
    - Defender/CloudBlockLevel -
    -
    - Defender/CloudExtendedTimeout -
    -
    - Defender/ControlledFolderAccessAllowedApplications -
    -
    - Defender/ControlledFolderAccessProtectedFolders -
    -
    - Defender/DaysToRetainCleanedMalware -
    -
    - Defender/DisableCatchupFullScan -
    -
    - Defender/DisableCatchupQuickScan -
    -
    - Defender/EnableControlledFolderAccess -
    -
    - Defender/EnableLowCPUPriority -
    -
    - Defender/EnableNetworkProtection -
    -
    - Defender/ExcludedExtensions -
    -
    - Defender/ExcludedPaths -
    -
    - Defender/ExcludedProcesses -
    -
    - Defender/PUAProtection -
    -
    - Defender/RealTimeScanDirection -
    -
    - Defender/ScanParameter -
    -
    - Defender/ScheduleQuickScanTime -
    -
    - Defender/ScheduleScanDay -
    -
    - Defender/ScheduleScanTime -
    -
    - Defender/SecurityIntelligenceLocation -
    -
    - Defender/SignatureUpdateFallbackOrder -
    -
    - Defender/SignatureUpdateFileSharesSources -
    -
    - Defender/SignatureUpdateInterval -
    -
    - Defender/SubmitSamplesConsent -
    -
    - Defender/ThreatSeverityDefaultAction -
    -
    - - -
    - - -**Defender/AllowArchiveScanning** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - - -Allows or disallows scanning of archives. - - - -ADMX Info: -- GP Friendly name: *Scan archive files* -- GP name: *Scan_DisableArchiveScanning* -- GP path: *Windows Components/Microsoft Defender Antivirus/Scan* -- GP ADMX file name: *WindowsDefender.admx* - - - -The following list shows the supported values: - -- 0 – Not allowed. Turns off scanning on archived files. -- 1 (default) – Allowed. Scans the archive files. - - - - -
    - - -**Defender/AllowBehaviorMonitoring** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - - -Allows or disallows Windows Defender Behavior Monitoring functionality. - - - -ADMX Info: -- GP Friendly name: *Turn on behavior monitoring* -- GP name: *RealtimeProtection_DisableBehaviorMonitoring* -- GP path: *Windows Components/Microsoft Defender Antivirus/Real-time Protection* -- GP ADMX file name: *WindowsDefender.admx* - - - -The following list shows the supported values: - -- 0 – Not allowed. Turns off behavior monitoring. -- 1 (default) – Allowed. Turns on real-time behavior monitoring. - - - - -
    - - -**Defender/AllowCloudProtection** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -To best protect your PC, Windows Defender will send information to Microsoft about any problems it finds. Microsoft will analyze that information, learn more about problems affecting you and other customers, and offer improved solutions. - - - -ADMX Info: -- GP Friendly name: *Join Microsoft MAPS* -- GP name: *SpynetReporting* -- GP element: *SpynetReporting* -- GP path: *Windows Components/Microsoft Defender Antivirus/MAPS* -- GP ADMX file name: *WindowsDefender.admx* - - - -The following list shows the supported values: - -- 0 – Not allowed. Turns off the Microsoft Active Protection Service. -- 1 (default) – Allowed. Turns on the Microsoft Active Protection Service. - - - - -
    - - -**Defender/AllowEmailScanning** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -Allows or disallows scanning of email. - - - -ADMX Info: -- GP Friendly name: *Turn on e-mail scanning* -- GP name: *Scan_DisableEmailScanning* -- GP path: *Windows Components/Microsoft Defender Antivirus/Scan* -- GP ADMX file name: *WindowsDefender.admx* - - - -The following list shows the supported values: - -- 0 (default) – Not allowed. Turns off email scanning. -- 1 – Allowed. Turns on email scanning. - - - - -
    - - -**Defender/AllowFullScanOnMappedNetworkDrives** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -Allows or disallows a full scan of mapped network drives. - - - -ADMX Info: -- GP Friendly name: *Run full scan on mapped network drives* -- GP name: *Scan_DisableScanningMappedNetworkDrivesForFullScan* -- GP path: *Windows Components/Microsoft Defender Antivirus/Scan* -- GP ADMX file name: *WindowsDefender.admx* - - - -The following list shows the supported values: - -- 0 (default) – Not allowed. Disables scanning on mapped network drives. -- 1 – Allowed. Scans mapped network drives. - - - - -
    - - -**Defender/AllowFullScanRemovableDriveScanning** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -Allows or disallows a full scan of removable drives. During a quick scan, removable drives may still be scanned. - - - -ADMX Info: -- GP Friendly name: *Scan removable drives* -- GP name: *Scan_DisableRemovableDriveScanning* -- GP path: *Windows Components/Microsoft Defender Antivirus/Scan* -- GP ADMX file name: *WindowsDefender.admx* - - - -The following list shows the supported values: - -- 0 – Not allowed. Turns off scanning on removable drives. -- 1 (default) – Allowed. Scans removable drives. - - - - -
    - - -**Defender/AllowIOAVProtection** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -Allows or disallows Windows Defender IOAVP Protection functionality. - - - -ADMX Info: -- GP Friendly name: *Scan all downloaded files and attachments* -- GP name: *RealtimeProtection_DisableIOAVProtection* -- GP path: *Windows Components/Microsoft Defender Antivirus/Real-time Protection* -- GP ADMX file name: *WindowsDefender.admx* - - - -The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -
    - - -**Defender/AllowOnAccessProtection** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -Allows or disallows Windows Defender On Access Protection functionality. - - - -ADMX Info: -- GP Friendly name: *Monitor file and program activity on your computer* -- GP name: *RealtimeProtection_DisableOnAccessProtection* -- GP path: *Windows Components/Microsoft Defender Antivirus/Real-time Protection* -- GP ADMX file name: *WindowsDefender.admx* - - - -The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -> [!IMPORTANT] -> AllowOnAccessProtection is officially being deprecated. - -
    - - -**Defender/AllowRealtimeMonitoring** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -Allows or disallows Windows Defender real-time Monitoring functionality. - - - -ADMX Info: -- GP Friendly name: *Turn off real-time protection* -- GP name: *DisableRealtimeMonitoring* -- GP path: *Windows Components/Microsoft Defender Antivirus/Real-time Protection* -- GP ADMX file name: *WindowsDefender.admx* - - - -The following list shows the supported values: - -- 0 – Not allowed. Turns off the real-time monitoring service. -- 1 (default) – Allowed. Turns on and runs the real-time monitoring service. - - - - -
    - - -**Defender/AllowScanningNetworkFiles** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -Allows or disallows a scanning of network files. - - - -ADMX Info: -- GP Friendly name: *Scan network files* -- GP name: *Scan_DisableScanningNetworkFiles* -- GP path: *Windows Components/Microsoft Defender Antivirus/Scan* -- GP ADMX file name: *WindowsDefender.admx* - - - -The following list shows the supported values: - -- 0 – Not allowed. Turns off scanning of network files. -- 1 (default) – Allowed. Scans network files. - - - - -
    - - -**Defender/AllowScriptScanning** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/AllowBehaviorMonitoring +``` + + + +This policy setting allows you to configure behavior monitoring. + +If you enable or do not configure this setting, behavior monitoring will be enabled. + +If you disable this setting, behavior monitoring will be disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. Turns off behavior monitoring. | +| 1 (Default) | Allowed. Turns on real-time behavior monitoring. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | RealtimeProtection_DisableBehaviorMonitoring | +| Friendly Name | Turn on behavior monitoring | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Real-time Protection | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Real-Time Protection | +| Registry Value Name | DisableBehaviorMonitoring | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## AllowCloudProtection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/AllowCloudProtection +``` + + + +This policy setting allows you to join Microsoft MAPS. Microsoft MAPS is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections. + +You can choose to send basic or additional information about detected software. Additional information helps Microsoft create new security intelligence and help it to protect your computer. This information can include things like location of detected items on your computer if harmful software was removed. The information will be automatically collected and sent. In some instances, personal information might unintentionally be sent to Microsoft. However, Microsoft will not use this information to identify you or contact you. + +Possible options are: +(0x0) Disabled (default) +(0x1) Basic membership +(0x2) Advanced membership + +Basic membership will send basic information to Microsoft about software that has been detected, including where the software came from, the actions that you apply or that are applied automatically, and whether the actions were successful. + +Advanced membership, in addition to basic information, will send more information to Microsoft about malicious software, spyware, and potentially unwanted software, including the location of the software, file names, how the software operates, and how it has impacted your computer. + +If you enable this setting, you will join Microsoft MAPS with the membership specified. + +If you disable or do not configure this setting, you will not join Microsoft MAPS. + +In Windows 10, Basic membership is no longer available, so setting the value to 1 or 2 enrolls the device into Advanced membership. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. Turns off the Microsoft Active Protection Service. | +| 1 (Default) | Allowed. Turns on the Microsoft Active Protection Service. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | SpynetReporting | +| Friendly Name | Join Microsoft MAPS | +| Element Name | Join Microsoft MAPS | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > MAPS | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Spynet | +| Registry Value Name | SpynetReporting | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## AllowEmailScanning + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/AllowEmailScanning +``` + + + +This policy setting allows you to configure e-mail scanning. When e-mail scanning is enabled, the engine will parse the mailbox and mail files, according to their specific format, in order to analyze the mail bodies and attachments. Several e-mail formats are currently supported, for example: pst (Outlook), dbx, mbx, mime (Outlook Express), binhex (Mac). Email scanning is not supported on modern email clients. + +If you enable this setting, e-mail scanning will be enabled. + +If you disable or do not configure this setting, e-mail scanning will be disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Not allowed. Turns off email scanning. | +| 1 | Allowed. Turns on email scanning. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Scan_DisableEmailScanning | +| Friendly Name | Turn on e-mail scanning | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | DisableEmailScanning | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## AllowFullScanOnMappedNetworkDrives + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/AllowFullScanOnMappedNetworkDrives +``` + + + +This policy setting allows you to configure scanning mapped network drives. + +If you enable this setting, mapped network drives will be scanned. + +If you disable or do not configure this setting, mapped network drives will not be scanned. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Not allowed. Disables scanning on mapped network drives. | +| 1 | Allowed. Scans mapped network drives. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Scan_DisableScanningMappedNetworkDrivesForFullScan | +| Friendly Name | Run full scan on mapped network drives | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | DisableScanningMappedNetworkDrivesForFullScan | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## AllowFullScanRemovableDriveScanning + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/AllowFullScanRemovableDriveScanning +``` + + + +This policy setting allows you to manage whether or not to scan for malicious software and unwanted software in the contents of removable drives, such as USB flash drives, when running a full scan. + +If you enable this setting, removable drives will be scanned during any type of scan. + +If you disable or do not configure this setting, removable drives will not be scanned during a full scan. Removable drives may still be scanned during quick scan and custom scan. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. Turns off scanning on removable drives. | +| 1 (Default) | Allowed. Scans removable drives. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Scan_DisableRemovableDriveScanning | +| Friendly Name | Scan removable drives | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | DisableRemovableDriveScanning | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## AllowIntrusionPreventionSystem + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/AllowIntrusionPreventionSystem +``` + + + +Allows or disallows Windows Defender Intrusion Prevention functionality. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + + + + + + + +## AllowIOAVProtection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/AllowIOAVProtection +``` + + + +This policy setting allows you to configure scanning for all downloaded files and attachments. + +If you enable or do not configure this setting, scanning for all downloaded files and attachments will be enabled. + +If you disable this setting, scanning for all downloaded files and attachments will be disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | RealtimeProtection_DisableIOAVProtection | +| Friendly Name | Scan all downloaded files and attachments | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Real-time Protection | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Real-Time Protection | +| Registry Value Name | DisableIOAVProtection | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## AllowOnAccessProtection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/AllowOnAccessProtection +``` + + + +This policy setting allows you to configure monitoring for file and program activity. + +If you enable or do not configure this setting, monitoring for file and program activity will be enabled. + +If you disable this setting, monitoring for file and program activity will be disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | RealtimeProtection_DisableOnAccessProtection | +| Friendly Name | Monitor file and program activity on your computer | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Real-time Protection | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Real-Time Protection | +| Registry Value Name | DisableOnAccessProtection | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## AllowRealtimeMonitoring + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/AllowRealtimeMonitoring +``` + + + +This policy turns off real-time protection in Microsoft Defender Antivirus. + +Real-time protection consists of always-on scanning with file and process behavior monitoring and heuristics. When real-time protection is on, Microsoft Defender Antivirus detects malware and potentially unwanted software that attempts to install itself or run on your device, and prompts you to take action on malware detections. + +If you enable this policy setting, real-time protection is turned off. + +If you either disable or do not configure this policy setting, real-time protection is turned on. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. Turns off the real-time monitoring service. | +| 1 (Default) | Allowed. Turns on and runs the real-time monitoring service. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableRealtimeMonitoring | +| Friendly Name | Turn off real-time protection | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Real-time Protection | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Real-Time Protection | +| Registry Value Name | DisableRealtimeMonitoring | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## AllowScanningNetworkFiles + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/AllowScanningNetworkFiles +``` + + + +This policy setting allows you to configure scanning for network files. It is recommended that you do not enable this setting. + +If you enable this setting, network files will be scanned. + +If you disable or do not configure this setting, network files will not be scanned. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Not allowed. Turns off scanning of network files. | +| 1 | Allowed. Scans network files. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Scan_DisableScanningNetworkFiles | +| Friendly Name | Scan network files | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | DisableScanningNetworkFiles | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## AllowScriptScanning + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/AllowScriptScanning +``` + + + Allows or disallows Windows Defender Script Scanning functionality. - - - -The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -
    - - -**Defender/AllowUserUIAccess** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -Allows or disallows user access to the Windows Defender UI. I disallowed, all Windows Defender notifications will also be suppressed. - - - -ADMX Info: -- GP Friendly name: *Enable headless UI mode* -- GP name: *UX_Configuration_UILockdown* -- GP path: *Windows Components/Microsoft Defender Antivirus/Client Interface* -- GP ADMX file name: *WindowsDefender.admx* - - - -The following list shows the supported values: - -- 0 – Not allowed. Prevents users from accessing UI. -- 1 (default) – Allowed. Lets users access UI. - - - - -
    - - -**Defender/AttackSurfaceReductionOnlyExclusions** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -This policy setting allows you to prevent Attack Surface reduction rules from matching on files under the paths specified or for the fully qualified resources specified. Paths should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a path or a fully qualified resource name. As an example, a path might be defined as: "c:\Windows" to exclude all files in this directory. A fully qualified resource name might be defined as: "C:\Windows\App.exe". - -Value type is string. - - - -ADMX Info: -- GP Friendly name: *Exclude files and paths from Attack Surface Reduction Rules* -- GP name: *ExploitGuard_ASR_ASROnlyExclusions* -- GP element: *ExploitGuard_ASR_ASROnlyExclusions* -- GP path: *Windows Components/Microsoft Defender Antivirus/Windows Defender Exploit Guard/Attack Surface Reduction* -- GP ADMX file name: *WindowsDefender.admx* - - - - -
    - - -**Defender/AttackSurfaceReductionRules** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -This policy setting enables setting the state (Block/Audit/Off) for each attack surface reduction (ASR) rule. Each ASR rule listed can be set to one of the following states (Block/Audit/Off). The ASR rule ID and state should be added under the Options for this setting. Each entry must be listed as a name value pair. The name defines a valid ASR rule ID, while the value contains the status ID indicating the status of the rule. - -For more information about ASR rule ID and status ID, see [Enable Attack Surface Reduction](/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction). - -Value type is string. - - - -ADMX Info: -- GP Friendly name: *Configure Attack Surface Reduction rules* -- GP name: *ExploitGuard_ASR_Rules* -- GP element: *ExploitGuard_ASR_Rules* -- GP path: *Windows Components/Microsoft Defender Antivirus/Windows Defender Exploit Guard/Attack Surface Reduction* -- GP ADMX file name: *WindowsDefender.admx* - - - - -
    - - -**Defender/AvgCPULoadFactor** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -Represents the average CPU load factor for the Windows Defender scan (in percent). - -The default value is 50. - - - -ADMX Info: -- GP Friendly name: *Specify the maximum percentage of CPU utilization during a scan* -- GP name: *Scan_AvgCPULoadFactor* -- GP element: *Scan_AvgCPULoadFactor* -- GP path: *Windows Components/Microsoft Defender Antivirus/Scan* -- GP ADMX file name: *WindowsDefender.admx* - - - -Valid values: 0–100 - - - - -
    - - -**Defender/CheckForSignaturesBeforeRunningScan** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to manage whether a check for new virus and spyware definitions will occur before running a scan. - -This setting applies to scheduled scans and the command line "mpcmdrun -SigUpdate", but it has no effect on scans initiated manually from the user interface. - -If you enable this setting, a check for new definitions will occur before running a scan. - -If you disable this setting or don't configure this setting, the scan will start using the existing definitions. - -Supported values: - -- 0 (default) - Disabled -- 1 - Enabled - -OMA-URI Path: ./Vendor/MSFT/Policy/Config/Defender/CheckForSignaturesBeforeRunningScan - - - -ADMX Info: -- GP Friendly name: *Check for the latest virus and spyware definitions before running a scheduled scan* -- GP name: *CheckForSignaturesBeforeRunningScan* -- GP element: *CheckForSignaturesBeforeRunningScan* -- GP path: *Windows Components/Microsoft Defender Antivirus/Scan* -- GP ADMX file name: *WindowsDefender.admx* - - - - - - - - - - - - - -
    - - -**Defender/CloudBlockLevel** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -This policy setting determines how aggressive Microsoft Defender Antivirus will be in blocking and scanning suspicious files. Value type is integer. - -If this setting is on, Microsoft Defender Antivirus will be more aggressive when identifying suspicious files to block and scan; otherwise, it will be less aggressive and therefore block and scan with less frequency. - -For more information about specific values that are supported, see the Microsoft Defender Antivirus documentation site. - -> [!NOTE] -> This feature requires the "Join Microsoft MAPS" setting enabled in order to function. - - - -ADMX Info: -- GP Friendly name: *Select cloud protection level* -- GP name: *MpEngine_MpCloudBlockLevel* -- GP element: *MpCloudBlockLevel* -- GP path: *Windows Components/Microsoft Defender Antivirus/MpEngine* -- GP ADMX file name: *WindowsDefender.admx* - - - -The following list shows the supported values: - -- 0x0 - Default windows defender blocking level -- 0x2 - High blocking level - aggressively block unknowns while optimizing client performance (greater chance of false positives)       -- 0x4 - High+ blocking level – aggressively block unknowns and apply more protection measures (may impact  client performance) -- 0x6 - Zero tolerance blocking level – block all unknown executables - - - - -
    - - -**Defender/CloudExtendedTimeout** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -This feature allows Microsoft Defender Antivirus to block a suspicious file for up to 60 seconds, and scan it in the cloud to make sure it's safe. Value type is integer, range is 0 - 50. - -The typical cloud check timeout is 10 seconds. To enable the extended cloud check feature, specify the extended time in seconds, up to an extra 50 seconds. - -For example, if the desired timeout is 60 seconds, specify 50 seconds in this setting, which will enable the extended cloud check feature, and will raise the total time to 60 seconds. - -> [!NOTE] -> This feature depends on three other MAPS settings the must all be enabled- "Configure the 'Block at First Sight' feature; "Join Microsoft MAPS"; "Send file samples when further analysis is required". - - - -ADMX Info: -- GP Friendly name: *Configure extended cloud check* -- GP name: *MpEngine_MpBafsExtendedTimeout* -- GP element: *MpBafsExtendedTimeout* -- GP path: *Windows Components/Microsoft Defender Antivirus/MpEngine* -- GP ADMX file name: *WindowsDefender.admx* - - - - -
    - - -**Defender/ControlledFolderAccessAllowedApplications** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. The previous name was GuardedFoldersAllowedApplications and changed to ControlledFolderAccessAllowedApplications. - -Added in Windows 10, version 1709. This policy setting allows user-specified applications to the controlled folder access feature. Adding an allowed application means the controlled folder access feature will allow the application to modify or delete content in certain folders such as My Documents. In most cases it won't be necessary to add entries. Microsoft Defender Antivirus will automatically detect and dynamically add applications that are friendly. Value type is string. Use the | as the substring separator. - - - -ADMX Info: -- GP Friendly name: *Configure allowed applications* -- GP name: *ExploitGuard_ControlledFolderAccess_AllowedApplications* -- GP element: *ExploitGuard_ControlledFolderAccess_AllowedApplications* -- GP path: *Windows Components/Microsoft Defender Antivirus/Windows Defender Exploit Guard/Controlled Folder Access* -- GP ADMX file name: *WindowsDefender.admx* - - - - -
    - - -**Defender/ControlledFolderAccessProtectedFolders** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. The previous name was GuardedFoldersList and changed to ControlledFolderAccessProtectedFolders. - -This policy setting allows adding user-specified folder locations to the controlled folder access feature. These folders will complement the system defined folders such as My Documents and My Pictures. The list of system folders will be displayed in the user interface and can't be changed. Value type is string. Use the | as the substring separator. - - - -ADMX Info: -- GP Friendly name: *Configure protected folders* -- GP name: *ExploitGuard_ControlledFolderAccess_ProtectedFolders* -- GP element: *ExploitGuard_ControlledFolderAccess_ProtectedFolders* -- GP path: *Windows Components/Microsoft Defender Antivirus/Windows Defender Exploit Guard/Controlled Folder Access* -- GP ADMX file name: *WindowsDefender.admx* - - - - -
    - - -**Defender/DaysToRetainCleanedMalware** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -Time period (in days) that quarantine items will be stored on the system. - -The default value is 0, which keeps items in quarantine, and doesn't automatically remove them. - - - -ADMX Info: -- GP Friendly name: *Configure removal of items from Quarantine folder* -- GP name: *Quarantine_PurgeItemsAfterDelay* -- GP element: *Quarantine_PurgeItemsAfterDelay* -- GP path: *Windows Components/Microsoft Defender Antivirus/Quarantine* -- GP ADMX file name: *WindowsDefender.admx* - - - -Valid values: 0–90 - - - - -
    - - -**Defender/DisableCatchupFullScan** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + + + + + + + +## AllowUserUIAccess + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/AllowUserUIAccess +``` + + + +This policy setting allows you to configure whether or not to display AM UI to the users. +If you enable this setting AM UI won't be available to users. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. Prevents users from accessing UI. | +| 1 (Default) | Allowed. Lets users access UI. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | UX_Configuration_UILockdown | +| Friendly Name | Enable headless UI mode | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Client Interface | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\UX Configuration | +| Registry Value Name | UILockdown | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## AttackSurfaceReductionOnlyExclusions + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions +``` + + + +Exclude files and paths from Attack Surface Reduction (ASR) rules. + +Enabled: +Specify the folders or files and resources that should be excluded from ASR rules in the Options section. +Enter each rule on a new line as a name-value pair: +- Name column: Enter a folder path or a fully qualified resource name. For example, ""C:\Windows"" will exclude all files in that directory. ""C:\Windows\App.exe"" will exclude only that specific file in that specific folder +- Value column: Enter ""0"" for each item + +Disabled: +No exclusions will be applied to the ASR rules. + +Not configured: +Same as Disabled. + +You can configure ASR rules in the Configure Attack Surface Reduction rules GP setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `|`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ExploitGuard_ASR_ASROnlyExclusions | +| Friendly Name | Exclude files and paths from Attack Surface Reduction Rules | +| Element Name | Exclusions from ASR rules | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR | +| Registry Value Name | ExploitGuard_ASR_ASROnlyExclusions | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## AttackSurfaceReductionRules + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules +``` + + + +Set the state for each Attack Surface Reduction (ASR) rule. + +After enabling this setting, you can set each rule to the following in the Options section: +- Block: the rule will be applied +- Audit Mode: if the rule would normally cause an event, then it will be recorded (although the rule will not actually be applied) +- Off: the rule will not be applied +- Not Configured: the rule is enabled with default values +- Warn: the rule will be applied and the end-user will have the option to bypass the block + +Unless the ASR rule is disabled, a subsample of audit events are collected for ASR rules will the value of not configured. + +Enabled: +Specify the state for each ASR rule under the Options section for this setting. +Enter each rule on a new line as a name-value pair: +- Name column: Enter a valid ASR rule ID +- Value column: Enter the status ID that relates to state you want to specify for the associated rule + +The following status IDs are permitted under the value column: +- 1 (Block) +- 0 (Off) +- 2 (Audit) +- 5 (Not Configured) +- 6 (Warn) + + +Example: +xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 0 +xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 1 +xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 2 + +Disabled: +No ASR rules will be configured. + +Not configured: +Same as Disabled. + +You can exclude folders or files in the ""Exclude files and paths from Attack Surface Reduction Rules"" GP setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ExploitGuard_ASR_Rules | +| Friendly Name | Configure Attack Surface Reduction rules | +| Element Name | Set the state for each ASR rule | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR | +| Registry Value Name | ExploitGuard_ASR_Rules | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## AvgCPULoadFactor + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/AvgCPULoadFactor +``` + + + +This policy setting allows you to configure the maximum percentage CPU utilization permitted during a scan. Valid values for this setting are a percentage represented by the integers 5 to 100. A value of 0 indicates that there should be no throttling of CPU utilization. The default value is 50. + +If you enable this setting, CPU utilization will not exceed the percentage specified. + +If you disable or do not configure this setting, CPU utilization will not exceed the default value. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-100]` | +| Default Value | 50 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Scan_AvgCPULoadFactor | +| Friendly Name | Specify the maximum percentage of CPU utilization during a scan | +| Element Name | Specify the maximum percentage of CPU utilization during a scan | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | AvgCPULoadFactor | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## CheckForSignaturesBeforeRunningScan + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/CheckForSignaturesBeforeRunningScan +``` + + + +This policy setting allows you to manage whether a check for new virus and spyware security intelligence will occur before running a scan. + +This setting applies to scheduled scans, but it has no effect on scans initiated manually from the user interface or to the ones started from the command line using "mpcmdrun -Scan". + +If you enable this setting, a check for new security intelligence will occur before running a scan. + +If you disable this setting or do not configure this setting, the scan will start using the existing security intelligence. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled | +| 1 | Enabled | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | CheckForSignaturesBeforeRunningScan | +| Friendly Name | Check for the latest virus and spyware security intelligence before running a scheduled scan | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | CheckForSignaturesBeforeRunningScan | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## CloudBlockLevel + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/CloudBlockLevel +``` + + + +This policy setting determines how aggressive Windows Defender Antivirus will be in blocking and scanning suspicious files. Value type is integer. If this setting is on, Windows Defender Antivirus will be more aggressive when identifying suspicious files to block and scan; otherwise, it will be less aggressive and therefore block and scan with less frequency. For more information about specific values that are supported, see the Windows Defender Antivirus documentation site. NoteThis feature requires the Join Microsoft MAPS setting enabled in order to function. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | NotConfigured | +| 2 | High | +| 4 | HighPlus | +| 6 | ZeroTolerance | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | MpCloudBlockLevel | +| Friendly Name | Select cloud protection level | +| Element Name | Select cloud blocking level | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > MpEngine | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\MpEngine | +| Registry Value Name | MpCloudBlockLevel | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## CloudExtendedTimeout + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/CloudExtendedTimeout +``` + + + +This feature allows Windows Defender Antivirus to block a suspicious file for up to 60 seconds, and scan it in the cloud to make sure it's safe. Value type is integer, range is 0 - 50. The typical cloud check timeout is 10 seconds. To enable the extended cloud check feature, specify the extended time in seconds, up to an additional 50 seconds. For example, if the desired timeout is 60 seconds, specify 50 seconds in this setting, which will enable the extended cloud check feature, and will raise the total time to 60 seconds. NoteThis feature depends on three other MAPS settings the must all be enabled- Configure the 'Block at First Sight' feature; Join Microsoft MAPS; Send file samples when further analysis is required. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-50]` | +| Default Value | 0 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | MpBafsExtendedTimeout | +| Friendly Name | Configure extended cloud check | +| Element Name | Specify the extended cloud check time in seconds | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > MpEngine | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\MpEngine | +| Registry Value Name | MpBafsExtendedTimeout | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## ControlledFolderAccessAllowedApplications + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/ControlledFolderAccessAllowedApplications +``` + + + +Add additional applications that should be considered "trusted" by controlled folder access. + +These applications are allowed to modify or delete files in controlled folder access folders. + +Microsoft Defender Antivirus automatically determines which applications should be trusted. You can configure this setting to add additional applications. + +Enabled: +Specify additional allowed applications in the Options section.. + +Disabled: +No additional applications will be added to the trusted list. + +Not configured: +Same as Disabled. + +You can enable controlled folder access in the Configure controlled folder access GP setting. + +Default system folders are automatically guarded, but you can add folders in the configure protected folders GP setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `|`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ExploitGuard_ControlledFolderAccess_AllowedApplications | +| Friendly Name | Configure allowed applications | +| Element Name | Enter the applications that should be trusted | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Controlled Folder Access | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access | +| Registry Value Name | ExploitGuard_ControlledFolderAccess_AllowedApplications | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## ControlledFolderAccessProtectedFolders + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/ControlledFolderAccessProtectedFolders +``` + + + +Specify additional folders that should be guarded by the Controlled folder access feature. + +Files in these folders cannot be modified or deleted by untrusted applications. + +Default system folders are automatically protected. You can configure this setting to add additional folders. +The list of default system folders that are protected is shown in Windows Security. + +Enabled: +Specify additional folders that should be protected in the Options section. + +Disabled: +No additional folders will be protected. + +Not configured: +Same as Disabled. + +You can enable controlled folder access in the Configure controlled folder access GP setting. + +Microsoft Defender Antivirus automatically determines which applications can be trusted. You can add additional trusted applications in the Configure allowed applications GP setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `|`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ExploitGuard_ControlledFolderAccess_ProtectedFolders | +| Friendly Name | Configure protected folders | +| Element Name | Enter the folders that should be guarded | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Controlled Folder Access | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access | +| Registry Value Name | ExploitGuard_ControlledFolderAccess_ProtectedFolders | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## DaysToRetainCleanedMalware + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/DaysToRetainCleanedMalware +``` + + + +This policy setting defines the number of days items should be kept in the Quarantine folder before being removed. + +If you enable this setting, items will be removed from the Quarantine folder after the number of days specified. + +If you disable or do not configure this setting, items will be kept in the quarantine folder indefinitely and will not be automatically removed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-90]` | +| Default Value | 0 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Quarantine_PurgeItemsAfterDelay | +| Friendly Name | Configure removal of items from Quarantine folder | +| Element Name | Configure removal of items from Quarantine folder | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Quarantine | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Quarantine | +| Registry Value Name | PurgeItemsAfterDelay | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## DisableCatchupFullScan + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/DisableCatchupFullScan +``` + + + This policy setting allows you to configure catch-up scans for scheduled full scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time. -If you enable this setting, catch-up scans for scheduled full scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone signs in to the computer. If there's no scheduled scan configured, there will be no catch-up scan run. +If you enable this setting, catch-up scans for scheduled full scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone logs on to the computer. If there is no scheduled scan configured, there will be no catch-up scan run. -If you disable or don't configure this setting, catch-up scans for scheduled full scans will be turned off. +If you disable or do not configure this setting, catch-up scans for scheduled full scans will be turned off. + -Supported values: + + + -- 1 - Disabled (default) -- 0 - Enabled + +**Description framework properties**: -OMA-URI Path: ./Vendor/MSFT/Policy/Config/Defender/DisableCatchupFullScan +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - - -ADMX Info: -- GP Friendly name: *Turn on catch-up full scan* -- GP name: *Scan_DisableCatchupFullScan* -- GP element: *Scan_DisableCatchupFullScan* -- GP path: *Windows Components/Microsoft Defender Antivirus/Scan* -- GP ADMX file name: *WindowsDefender.admx* + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 | Enabled | +| 1 (Default) | Disabled | + - - + +**Group policy mapping**: - - +| Name | Value | +|:--|:--| +| Name | Scan_DisableCatchupFullScan | +| Friendly Name | Turn on catch-up full scan | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | DisableCatchupFullScan | +| ADMX File Name | WindowsDefender.admx | + - - + + + -
    + - -**Defender/DisableCatchupQuickScan** + +## DisableCatchupQuickScan - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/DisableCatchupQuickScan +``` + + + +This policy setting allows you to configure catch-up scans for scheduled quick scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time. + +If you enable this setting, catch-up scans for scheduled quick scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone logs on to the computer. If there is no scheduled scan configured, there will be no catch-up scan run. + +If you disable or do not configure this setting, catch-up scans for scheduled quick scans will be turned off. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Enabled | +| 1 (Default) | Disabled | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Scan_DisableCatchupQuickScan | +| Friendly Name | Turn on catch-up quick scan | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | DisableCatchupQuickScan | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## EnableControlledFolderAccess + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/EnableControlledFolderAccess +``` + + + +Enable or disable controlled folder access for untrusted applications. You can choose to block, audit, or allow attempts by untrusted apps to: +- Modify or delete files in protected folders, such as the Documents folder +- Write to disk sectors + +You can also choose to only block or audit writes to disk sectors while still allowing the modification or deletion of files in protected folders. + +Microsoft Defender Antivirus automatically determines which applications can be trusted. You can add additional trusted applications in the Configure allowed applications GP setting. +Default system folders are automatically protected, but you can add folders in the Configure protected folders GP setting. + +Block: +The following will be blocked: +- Attempts by untrusted apps to modify or delete files in protected folders +- Attempts by untrusted apps to write to disk sectors +The Windows event log will record these blocks under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1123. - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to configure catch-up scans for scheduled quick scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time. - -If you enable this setting, catch-up scans for scheduled quick scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone signs in to the computer. If there's no scheduled scan configured, there will be no catch-up scan run. - -If you disable or don't configure this setting, catch-up scans for scheduled quick scans will be turned off. - -Supported values: - -- 1 - Disabled (default) -- 0 - Enabled - -OMA-URI Path: ./Vendor/MSFT/Policy/Config/Defender/DisableCatchupQuickScan - - - -ADMX Info: -- GP Friendly name: *Turn on catch-up quick scan* -- GP name: *Scan_DisableCatchupQuickScan* -- GP element: *Scan_DisableCatchupQuickScan* -- GP path: *Windows Components/Microsoft Defender Antivirus/Scan* -- GP ADMX file name: *WindowsDefender.admx* - - - - - - - - - - - - - -
    - - -**Defender/EnableControlledFolderAccess** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +Disabled: +The following will not be blocked and will be allowed to run: +- Attempts by untrusted apps to modify or delete files in protected folders +- Attempts by untrusted apps to write to disk sectors +These attempts will not be recorded in the Windows event log. - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. The previous name was EnableGuardMyFolders and changed to EnableControlledFolderAccess. - -This policy enables setting the state (On/Off/Audit) for the controlled folder access feature. The controlled folder access feature removes modify and delete permissions from untrusted applications to certain folders such as My Documents. Value type is integer and the range is 0 - 2. - - - -ADMX Info: -- GP Friendly name: *Configure Controlled folder access* -- GP name: *ExploitGuard_ControlledFolderAccess_EnableControlledFolderAccess* -- GP element: *ExploitGuard_ControlledFolderAccess_EnableControlledFolderAccess* -- GP path: *Windows Components/Microsoft Defender Antivirus/Windows Defender Exploit Guard/Controlled Folder Access* -- GP ADMX file name: *WindowsDefender.admx* - - - -The following list shows the supported values: - -- 0 (default) - Disabled -- 1 - Enabled -- 2 - Audit Mode - - - - -
    - - -**Defender/EnableLowCPUPriority** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +Audit Mode: +The following will not be blocked and will be allowed to run: +- Attempts by untrusted apps to modify or delete files in protected folders +- Attempts by untrusted apps to write to disk sectors +The Windows event log will record these attempts under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1124. - -
    +Block disk modification only: +The following will be blocked: +- Attempts by untrusted apps to write to disk sectors +The Windows event log will record these attempts under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1123. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +The following will not be blocked and will be allowed to run: +- Attempts by untrusted apps to modify or delete files in protected folders +These attempts will not be recorded in the Windows event log. -> [!div class = "checklist"] -> * Device -
    +Audit disk modification only: +The following will not be blocked and will be allowed to run: +- Attempts by untrusted apps to write to disk sectors +- Attempts by untrusted apps to modify or delete files in protected folders +Only attempts to write to protected disk sectors will be recorded in the Windows event log (under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1124). +Attempts to modify or delete files in protected folders will not be recorded. - - +Not configured: +Same as Disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled | +| 1 | Enabled | +| 2 | Audit Mode | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ExploitGuard_ControlledFolderAccess_EnableControlledFolderAccess | +| Friendly Name | Configure Controlled folder access | +| Element Name | Configure the guard my folders feature | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Controlled Folder Access | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access | +| Registry Value Name | EnableControlledFolderAccess | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## EnableLowCPUPriority + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/EnableLowCPUPriority +``` + + + This policy setting allows you to enable or disable low CPU priority for scheduled scans. If you enable this setting, low CPU priority will be used during scheduled scans. -If you disable or don't configure this setting, no changes will be made to CPU priority for scheduled scans. - -Supported values: - -- 0 - Disabled (default) -- 1 - Enabled - - - -ADMX Info: -- GP Friendly name: *Configure low CPU priority for scheduled scans* -- GP name: *Scan_LowCpuPriority* -- GP element: *Scan_LowCpuPriority* -- GP path: *Windows Components/Microsoft Defender Antivirus/Scan* -- GP ADMX file name: *WindowsDefender.admx* - - - - - - - - - - - - - -
    - - -**Defender/EnableNetworkProtection** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -This policy allows you to turn on network protection (block/audit) or off. Network protection protects employees using any app from accessing phishing scams, exploit-hosting sites, and malicious content on the Internet. This protection includes preventing third-party browsers from connecting to dangerous sites. Value type is integer. - -If you enable this setting, network protection is turned on and employees can't turn it off. Its behavior can be controlled by the following options: Block and Audit. -If you enable this policy with the ""Block"" option, users/apps will be blocked from connecting to dangerous domains. You'll be able to see this activity in Windows Defender Security Center. -If you enable this policy with the ""Audit"" option, users/apps won't be blocked from connecting to dangerous domains. However, you'll still see this activity in Windows Defender Security Center. -If you disable this policy, users/apps won't be blocked from connecting to dangerous domains. You'll not see any network activity in Windows Defender Security Center. -If you don't configure this policy, network blocking will be disabled by default. - - - -ADMX Info: -- GP Friendly name: *Prevent users and apps from accessing dangerous websites* -- GP name: *ExploitGuard_EnableNetworkProtection* -- GP element: *ExploitGuard_EnableNetworkProtection* -- GP path: *Windows Components/Microsoft Defender Antivirus/Windows Defender Exploit Guard/Network Protection* -- GP ADMX file name: *WindowsDefender.admx* - - - -The following list shows the supported values: - -- 0 (default) - Disabled -- 1 - Enabled (block mode) -- 2 - Enabled (audit mode) - - - - -
    - - -**Defender/ExcludedExtensions** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -Allows an administrator to specify a list of file type extensions to ignore during a scan. Each file type in the list must be separated by a **|**. For example, "lib|obj". - - - -ADMX Info: -- GP Friendly name: *Path Exclusions* -- GP name: *Exclusions_Paths* -- GP element: *Exclusions_PathsList* -- GP path: *Windows Components/Microsoft Defender Antivirus/Exclusions* -- GP ADMX file name: *WindowsDefender.admx* - - - - -
    - - -**Defender/ExcludedPaths** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -Allows an administrator to specify a list of directory paths to ignore during a scan. Each path in the list must be separated by a **|**. For example, "C:\\Example|C:\\Example1". - - - -ADMX Info: -- GP Friendly name: *Extension Exclusions* -- GP name: *Exclusions_Extensions* -- GP element: *Exclusions_ExtensionsList* -- GP path: *Windows Components/Microsoft Defender Antivirus/Exclusions* -- GP ADMX file name: *WindowsDefender.admx* - - - - -
    - - -**Defender/ExcludedProcesses** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -Allows an administrator to specify a list of files opened by processes to ignore during a scan. - -> [!IMPORTANT] -> The process itself is not excluded from the scan, but can be by using the **Defender/ExcludedPaths** policy to exclude its path. - -Each file type must be separated by a **|**. For example, "C:\\Example.exe|C:\\Example1.exe". - - - -ADMX Info: -- GP Friendly name: *Process Exclusions* -- GP name: *Exclusions_Processes* -- GP element: *Exclusions_ProcessesList* -- GP path: *Windows Components/Microsoft Defender Antivirus/Exclusions* -- GP ADMX file name: *WindowsDefender.admx* - - - - -
    - - -**Defender/PUAProtection** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - - -Specifies the level of detection for potentially unwanted applications (PUAs). Windows Defender alerts you when potentially unwanted software is being downloaded or attempts to install itself on your computer. - -> [!NOTE] -> Potentially unwanted applications (PUA) are a category of software that can cause your machine to run slowly, display unexpected ads, or at worst, install other software which might be unexpected or unwanted. By default in Windows 10 (version 2004 and later), Microsoft Defender Antivirus blocks apps that are considered PUA, for Enterprise (E5) devices. For more information about PUA, see [Detect and block potentially unwanted applications](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus). - - - -ADMX Info: -- GP Friendly name: *Configure detection for potentially unwanted applications* -- GP name: *Root_PUAProtection* -- GP element: *Root_PUAProtection* -- GP path: *Windows Components/Microsoft Defender Antivirus* -- GP ADMX file name: *WindowsDefender.admx* - - - -The following list shows the supported values: - -- 0 (default) – PUA Protection off. Windows Defender won't protect against potentially unwanted applications. -- 1 – PUA Protection on. Detected items are blocked. They'll show in history along with other threats. -- 2 – Audit mode. Windows Defender will detect potentially unwanted applications, but take no action. You can review information about the applications Windows Defender would have taken action against by searching for events created by Windows Defender in the Event Viewer. - - - - -
    - - -**Defender/RealTimeScanDirection** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -Controls which sets of files should be monitored. - -> [!NOTE] -> If **AllowOnAccessProtection** is not allowed, then this configuration can be used to monitor specific files. - - - -ADMX Info: -- GP Friendly name: *Configure monitoring for incoming and outgoing file and program activity* -- GP name: *RealtimeProtection_RealtimeScanDirection* -- GP element: *RealtimeProtection_RealtimeScanDirection* -- GP path: *Windows Components/Microsoft Defender Antivirus/Real-time Protection* -- GP ADMX file name: *WindowsDefender.admx* - - - -The following list shows the supported values: - -- 0 (default) – Monitor all files (bi-directional). -- 1 – Monitor incoming files. -- 2 – Monitor outgoing files. - - - - -
    - - -**Defender/ScanParameter** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -Selects whether to perform a quick scan or full scan. - - - -ADMX Info: -- GP Friendly name: *Specify the scan type to use for a scheduled scan* -- GP name: *Scan_ScanParameters* -- GP element: *Scan_ScanParameters* -- GP path: *Windows Components/Microsoft Defender Antivirus/Scan* -- GP ADMX file name: *WindowsDefender.admx* - - - -The following list shows the supported values: - -- 1 (default) – Quick scan -- 2 – Full scan - - - - -
    - - -**Defender/ScheduleQuickScanTime** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -Selects the time of day that the Windows Defender quick scan should run. The Windows Defender quick scan runs daily if a time is specified. - - - -For example, a value of 0=12:00AM, a value of 60=1:00AM, a value of 120=2:00, and so on, up to a value of 1380=11:00PM. - -The default value is 120 - - - -ADMX Info: -- GP Friendly name: *Specify the time for a daily quick scan* -- GP name: *Scan_ScheduleQuickScantime* -- GP element: *Scan_ScheduleQuickScantime* -- GP path: *Windows Components/Microsoft Defender Antivirus/Scan* -- GP ADMX file name: *WindowsDefender.admx* - - - -Valid values: 0–1380 - - - - -
    - - -**Defender/ScheduleScanDay** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -Selects the day that the Windows Defender scan should run. - -> [!NOTE] -> The scan type will depends on what scan type is selected in the **Defender/ScanParameter** setting. - - - -ADMX Info: -- GP Friendly name: *Specify the day of the week to run a scheduled scan* -- GP name: *Scan_ScheduleDay* -- GP element: *Scan_ScheduleDay* -- GP path: *Windows Components/Microsoft Defender Antivirus/Scan* -- GP ADMX file name: *WindowsDefender.admx* - - - -The following list shows the supported values: - -- 0 (default) – Every day -- 1 – Sunday -- 2 – Monday -- 3 – Tuesday -- 4 – Wednesday -- 5 – Thursday -- 6 – Friday -- 7 – Saturday -- 8 – No scheduled scan - - - - -
    - - -**Defender/ScheduleScanTime** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -Selects the time of day that the Windows Defender scan should run. - -> [!NOTE] -> The scan type will depends on what scan type is selected in the **Defender/ScanParameter** setting. - -For example, a value of 0=12:00AM, a value of 60=1:00AM, a value of 120=2:00, and so on, up to a value of 1380=11:00PM. - -The default value is 120. - - - -ADMX Info: -- GP Friendly name: *Specify the time of day to run a scheduled scan* -- GP name: *Scan_ScheduleTime* -- GP element: *Scan_ScheduleTime* -- GP path: *Windows Components/Microsoft Defender Antivirus/Scan* -- GP ADMX file name: *WindowsDefender.admx* - - - -Valid values: 0–1380. - - - - -
    - - -**Defender/SecurityIntelligenceLocation** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - +If you disable or do not configure this setting, not changes will be made to CPU priority for scheduled scans. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled | +| 1 | Enabled | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Scan_LowCpuPriority | +| Friendly Name | Configure low CPU priority for scheduled scans | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | LowCpuPriority | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## EnableNetworkProtection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection +``` + + + +Enable or disable Microsoft Defender Exploit Guard network protection to prevent employees from using any application to access dangerous domains that may host phishing scams, exploit-hosting sites, and other malicious content on the Internet. + +Enabled: +Specify the mode in the Options section: +-Block: Users and applications will not be able to access dangerous domains +-Audit Mode: Users and applications can connect to dangerous domains, however if this feature would have blocked access if it were set to Block, then a record of the event will be in the event logs. + +Disabled: +Users and applications will not be blocked from connecting to dangerous domains. + +Not configured: +Same as Disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled | +| 1 | Enabled (block mode) | +| 2 | Enabled (audit mode) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ExploitGuard_EnableNetworkProtection | +| Friendly Name | Prevent users and apps from accessing dangerous websites | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Network Protection | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection | +| Registry Value Name | EnableNetworkProtection | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## ExcludedExtensions + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/ExcludedExtensions +``` + + + +Allows an administrator to specify a list of file type extensions to ignore during a scan. Each file type in the list must be separated by a |. For example, lib|obj. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `|`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Exclusions_Extensions | +| Friendly Name | Extension Exclusions | +| Element Name | Extension Exclusions | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Exclusions | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Exclusions | +| Registry Value Name | Exclusions_Extensions | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## ExcludedPaths + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/ExcludedPaths +``` + + + +Allows an administrator to specify a list of directory paths to ignore during a scan. Each path in the list must be separated by a |. For example, C:\Example|C:\Example1. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `|`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Exclusions_Paths | +| Friendly Name | Path Exclusions | +| Element Name | Path Exclusions | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Exclusions | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Exclusions | +| Registry Value Name | Exclusions_Paths | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## ExcludedProcesses + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/ExcludedProcesses +``` + + + +Allows an administrator to specify a list of files opened by processes to ignore during a scan. ImportantThe process itself is not excluded from the scan, but can be by using the Defender/ExcludedPaths policy to exclude its path. Each file type must be separated by a |. For example, C:\Example. exe|C:\Example1.exe. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `|`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Exclusions_Processes | +| Friendly Name | Process Exclusions | +| Element Name | Process Exclusions | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Exclusions | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Exclusions | +| Registry Value Name | Exclusions_Processes | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## PUAProtection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/PUAProtection +``` + + + +Enable or disable detection for potentially unwanted applications. You can choose to block, audit, or allow when potentially unwanted software is being downloaded or attempts to install itself on your computer. + +Enabled: +Specify the mode in the Options section: +-Block: Potentially unwanted software will be blocked. +-Audit Mode: Potentially unwanted software will not be blocked, however if this feature would have blocked access if it were set to Block, then a record of the event will be in the event logs. + +Disabled: +Potentially unwanted software will not be blocked. + +Not configured: +Same as Disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | PUA Protection off. Windows Defender will not protect against potentially unwanted applications. | +| 1 | PUA Protection on. Detected items are blocked. They will show in history along with other threats. | +| 2 | Audit mode. Windows Defender will detect potentially unwanted applications, but take no action. You can review information about the applications Windows Defender would have taken action against by searching for events created by Windows Defender in the Event Viewer. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Root_PUAProtection | +| Friendly Name | Configure detection for potentially unwanted applications | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender | +| Registry Value Name | PUAProtection | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## RealTimeScanDirection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/RealTimeScanDirection +``` + + + +This policy setting allows you to configure monitoring for incoming and outgoing files, without having to turn off monitoring entirely. It is recommended for use on servers where there is a lot of incoming and outgoing file activity but for performance reasons need to have scanning disabled for a particular scan direction. The appropriate configuration should be evaluated based on the server role. + +Note that this configuration is only honored for NTFS volumes. For any other file system type, full monitoring of file and program activity will be present on those volumes. + +The options for this setting are mutually exclusive: +0 = Scan incoming and outgoing files (default) +1 = Scan incoming files only +2 = Scan outgoing files only + +Any other value, or if the value does not exist, resolves to the default (0). + +If you enable this setting, the specified type of monitoring will be enabled. + +If you disable or do not configure this setting, monitoring for incoming and outgoing files will be enabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Monitor all files (bi-directional). | +| 1 | Monitor incoming files. | +| 2 | Monitor outgoing files. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | RealtimeProtection_RealtimeScanDirection | +| Friendly Name | Configure monitoring for incoming and outgoing file and program activity | +| Element Name | Configure monitoring for incoming and outgoing file and program activity | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Real-time Protection | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Real-Time Protection | +| Registry Value Name | RealtimeScanDirection | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## ScanParameter + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/ScanParameter +``` + + + +This policy setting allows you to specify the scan type to use during a scheduled scan. Scan type options are: +1 = Quick Scan (default) +2 = Full Scan + +If you enable this setting, the scan type will be set to the specified value. + +If you disable or do not configure this setting, the default scan type will used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 (Default) | Quick scan | +| 2 | Full scan | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Scan_ScanParameters | +| Friendly Name | Specify the scan type to use for a scheduled scan | +| Element Name | Specify the scan type to use for a scheduled scan | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | ScanParameters | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## ScheduleQuickScanTime + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/ScheduleQuickScanTime +``` + + + +This policy setting allows you to specify the time of day at which to perform a daily quick scan. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default, this setting is set to disabled. The schedule is based on local time on the computer where the scan is executing. + +If you enable this setting, a daily quick scan will run at the time of day specified. + +If you disable or do not configure this setting, daily quick scan controlled by this config will not be run. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-1380]` | +| Default Value | 120 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Scan_ScheduleQuickScantime | +| Friendly Name | Specify the time for a daily quick scan | +| Element Name | Specify the time for a daily quick scan | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | ScheduleQuickScanTime | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## ScheduleScanDay + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/ScheduleScanDay +``` + + + +This policy setting allows you to specify the day of the week on which to perform a scheduled scan. The scan can also be configured to run every day or to never run at all. + +This setting can be configured with the following ordinal number values: +(0x0) Every Day +(0x1) Sunday +(0x2) Monday +(0x3) Tuesday +(0x4) Wednesday +(0x5) Thursday +(0x6) Friday +(0x7) Saturday +(0x8) Never (default) + +If you enable this setting, a scheduled scan will run at the frequency specified. + +If you disable or do not configure this setting, a scheduled scan will run at a default frequency. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Every day | +| 1 | Sunday | +| 2 | Monday | +| 3 | Tuesday | +| 4 | Wednesday | +| 5 | Thursday | +| 6 | Friday | +| 7 | Saturday | +| 8 | No scheduled scan | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Scan_ScheduleDay | +| Friendly Name | Specify the day of the week to run a scheduled scan | +| Element Name | Specify the day of the week to run a scheduled scan | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | ScheduleDay | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## ScheduleScanTime + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/ScheduleScanTime +``` + + + +This policy setting allows you to specify the time of day at which to perform a scheduled scan. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default, this setting is set to a time value of 2:00 AM. The schedule is based on local time on the computer where the scan is executing. + +If you enable this setting, a scheduled scan will run at the time of day specified. + +If you disable or do not configure this setting, a scheduled scan will run at a default time. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-1380]` | +| Default Value | 120 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Scan_ScheduleTime | +| Friendly Name | Specify the time of day to run a scheduled scan | +| Element Name | Specify the time of day to run a scheduled scan | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | ScheduleTime | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## SecurityIntelligenceLocation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/SecurityIntelligenceLocation +``` + + + This policy setting allows you to define the security intelligence location for VDI-configured computers. -If you disable or don't configure this setting, security intelligence will be referred from the default local source. - - - -ADMX Info: -- GP Friendly name: *Specify the signature (Security intelligence) delivery optimization for Defender in Virtual Environments* -- GP name: *SecurityIntelligenceLocation* -- GP element: *SecurityIntelligenceLocation* -- GP path: *Windows Components/Microsoft Defender Antivirus/Windows Defender* -- GP ADMX file name: *WindowsDefender.admx* - - - - -- Empty string - no policy is set -- Non-empty string - the policy is set and security intelligence is gathered from the location. - - - - -
    - - -**Defender/SignatureUpdateFallbackOrder** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to define the order in which different definition update sources should be contacted. The value of this setting should be entered as a pipe-separated string enumerating the definition update sources in order. - -Possible values are: - -- InternalDefinitionUpdateServer -- MicrosoftUpdateServer -- MMPC -- FileShares - -For example: InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC - -If you enable this setting, definition update sources will be contacted in the order specified. Once definition updates have been successfully downloaded from one specified source, the remaining sources in the list won't be contacted. - -If you disable or don't configure this setting, definition update sources will be contacted in a default order. - -OMA-URI Path: ./Vendor/MSFT/Policy/Config/Defender/SignatureUpdateFallbackOrder - - - -ADMX Info: -- GP Friendly name: *Define the order of sources for downloading definition updates* -- GP name: *SignatureUpdate_FallbackOrder* -- GP element: *SignatureUpdate_FallbackOrder* -- GP path: *Windows Components/Microsoft Defender Antivirus/Signature Updates* -- GP ADMX file name: *WindowsDefender.admx* - - - - - - - - - - - - - -
    - - -**Defender/SignatureUpdateFileSharesSources** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to configure UNC file share sources for downloading definition updates. Sources will be contacted in the order specified. The value of this setting should be entered as a pipe-separated string enumerating the definition update sources. - -For example: \\unc1\Signatures | \\unc2\Signatures - -The list is empty by default. - -If you enable this setting, the specified sources will be contacted for definition updates. Once definition updates have been successfully downloaded from one specified source, the remaining sources in the list won't be contacted. - -If you disable or don't configure this setting, the list will remain empty by default and no sources will be contacted. - -OMA-URI Path: ./Vendor/MSFT/Policy/Config/Defender/SignatureUpdateFileSharesSources - - - -ADMX Info: -- GP Friendly name: *Define file shares for downloading definition updates* -- GP name: *SignatureUpdate_DefinitionUpdateFileSharesSources* -- GP element: *SignatureUpdate_DefinitionUpdateFileSharesSources* -- GP path: *Windows Components/Microsoft Defender Antivirus/Signature Updates* -- GP ADMX file name: *WindowsDefender.admx* - - - - - - - - - - - - - -
    - - -**Defender/SignatureUpdateInterval** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -Specifies the interval (in hours) that will be used to check for signatures, so instead of using the ScheduleDay and ScheduleTime the check for new signatures will be set according to the interval. - -A value of 0 means no check for new signatures, a value of 1 means to check every hour, a value of 2 means to check every two hours, and so on, up to a value of 24, which means to check every day. - -The default value is 8. - -OMA-URI Path: ./Vendor/MSFT/Policy/Config/Defender/SignatureUpdateInterval - - - -ADMX Info: -- GP Friendly name: *Specify the interval to check for definition updates* -- GP name: *SignatureUpdate_SignatureUpdateInterval* -- GP element: *SignatureUpdate_SignatureUpdateInterval* -- GP path: *Windows Components/Microsoft Defender Antivirus/Signature Updates* -- GP ADMX file name: *WindowsDefender.admx* - - - -Valid values: 0–24. - - - - -
    - - -**Defender/SubmitSamplesConsent** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -Checks for the user consent level in Windows Defender to send data. If the required consent has already been granted, Windows Defender submits them. If not (and if the user has specified never to ask), the UI is launched to ask for user consent (when **Defender/AllowCloudProtection** is allowed) before sending data. - - - -ADMX Info: -- GP Friendly name: *Send file samples when further analysis is required* -- GP name: *SubmitSamplesConsent* -- GP element: *SubmitSamplesConsent* -- GP path: *Windows Components/Microsoft Defender Antivirus/MAPS* -- GP ADMX file name: *WindowsDefender.admx* - - - -The following list shows the supported values: - -- 0 – Always prompt. -- 1 (default) – Send safe samples automatically. -- 2 – Never send. -- 3 – Send all samples automatically. - - - - -
    - - -**Defender/ThreatSeverityDefaultAction** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -Allows an administrator to specify any valid threat severity levels and the corresponding default action ID to take. - -This value is a list of threat severity level IDs and corresponding actions, separated by a | using the format "*threat level*=*action*|*threat level*=*action*". For example, "1=6|2=2|4=10|5=3". - -The following list shows the supported values for threat severity levels: - -- 1 – Low severity threats -- 2 – Moderate severity threats -- 4 – High severity threats -- 5 – Severe threats - -The following list shows the supported values for possible actions: - -- 1 – Clean. Service tries to recover files and try to disinfect. -- 2 – Quarantine. Moves files to quarantine. -- 3 – Remove. Removes files from system. -- 6 – Allow. Allows file/does none of the above actions. -- 8 – User defined. Requires user to make a decision on which action to take. -- 10 – Block. Blocks file execution. - - - -ADMX Info: -- GP Friendly name: *Specify threat alert levels at which default action should not be taken when detected* -- GP name: *Threats_ThreatSeverityDefaultAction* -- GP element: *Threats_ThreatSeverityDefaultActionList* -- GP path: *Windows Components/Microsoft Defender Antivirus/Threats* -- GP ADMX file name: *WindowsDefender.admx* - - - -
    - - - - - -## Related topics +If you disable or do not configure this setting, security intelligence will be referred from the default local source. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | SignatureUpdate_SharedSignaturesLocation | +| Friendly Name | Define security intelligence location for VDI clients. | +| Element Name | Define file share for downloading security intelligence updates in virtual environments | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Security Intelligence Updates | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Signature Updates | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## SignatureUpdateFallbackOrder + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/SignatureUpdateFallbackOrder +``` + + + +This policy setting allows you to define the order in which different security intelligence update sources should be contacted. The value of this setting should be entered as a pipe-separated string enumerating the security intelligence update sources in order. Possible values are: “InternalDefinitionUpdateServer”, “MicrosoftUpdateServer”, “MMPC”, and “FileShares” + +For example: { InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC } + +If you enable this setting, security intelligence update sources will be contacted in the order specified. Once security intelligence updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted. + +If you disable or do not configure this setting, security intelligence update sources will be contacted in a default order. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `|`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | SignatureUpdate_FallbackOrder | +| Friendly Name | Define the order of sources for downloading security intelligence updates | +| Element Name | Define the order of sources for downloading security intelligence updates | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Security Intelligence Updates | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Signature Updates | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## SignatureUpdateFileSharesSources + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/SignatureUpdateFileSharesSources +``` + + + +This policy setting allows you to configure UNC file share sources for downloading security intelligence updates. Sources will be contacted in the order specified. The value of this setting should be entered as a pipe-separated string enumerating the security intelligence update sources. For example: "{\\unc1 | \\unc2 }". The list is empty by default. + +If you enable this setting, the specified sources will be contacted for security intelligence updates. Once security intelligence updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted. + +If you disable or do not configure this setting, the list will remain empty by default and no sources will be contacted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `|`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | SignatureUpdate_DefinitionUpdateFileSharesSources | +| Friendly Name | Define file shares for downloading security intelligence updates | +| Element Name | Define file shares for downloading security intelligence updates | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Security Intelligence Updates | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Signature Updates | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## SignatureUpdateInterval + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/SignatureUpdateInterval +``` + + + +This policy setting allows you to specify an interval at which to check for security intelligence updates. The time value is represented as the number of hours between update checks. Valid values range from 1 (every hour) to 24 (once per day). + +If you enable this setting, checks for security intelligence updates will occur at the interval specified. + +If you disable or do not configure this setting, checks for security intelligence updates will occur at the default interval. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-24]` | +| Default Value | 8 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | SignatureUpdate_SignatureUpdateInterval | +| Friendly Name | Specify the interval to check for security intelligence updates | +| Element Name | Specify the interval to check for security intelligence updates | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Security Intelligence Updates | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Signature Updates | +| Registry Value Name | SignatureUpdateInterval | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## SubmitSamplesConsent + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/SubmitSamplesConsent +``` + + + +This policy setting configures behaviour of samples submission when opt-in for MAPS telemetry is set. + +Possible options are: +(0x0) Always prompt +(0x1) Send safe samples automatically +(0x2) Never send +(0x3) Send all samples automatically + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Always prompt. | +| 1 (Default) | Send safe samples automatically. | +| 2 | Never send. | +| 3 | Send all samples automatically. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | SubmitSamplesConsent | +| Friendly Name | Send file samples when further analysis is required | +| Element Name | Send file samples when further analysis is required | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > MAPS | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Spynet | +| Registry Value Name | SubmitSamplesConsent | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## ThreatSeverityDefaultAction + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Defender/ThreatSeverityDefaultAction +``` + + + +Allows an administrator to specify any valid threat severity levels and the corresponding default action ID to take. This value is a list of threat severity level IDs and corresponding actions, separated by a | using the format threat level=action|threat level=action. For example, 1=6|2=2|4=10|5=3. The following list shows the supported values for threat severity levels:1 – Low severity threats2 – Moderate severity threats4 – High severity threats5 – Severe threatsThe following list shows the supported values for possible actions:1 – Clean. Service tries to recover files and try to disinfect. 2 – Quarantine. Moves files to quarantine. 3 – Remove. Removes files from system. 6 – Allow. Allows file/does none of the above actions. 8 – User defined. Requires user to make a decision on which action to take. 10 – Block. Blocks file execution. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Threats_ThreatSeverityDefaultAction | +| Friendly Name | Specify threat alert levels at which default action should not be taken when detected | +| Element Name | Specify threat alert levels at which default action should not be taken when detected | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Threats | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Threats | +| Registry Value Name | Threats_ThreatSeverityDefaultAction | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + + + + + + +## Related articles [Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md index 441350957a..95f4178efd 100644 --- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md +++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md @@ -702,11 +702,7 @@ ADMX Info: Set this policy to restrict peer selection to a specific source. Available options are: 1 = Active Directory Site, 2 = Authenticated domain SID, 3 = DHCP Option ID, 4 = DNS Suffix, 5 = Azure Active Directory. -When set, the Group ID will be assigned automatically from the selected source. - -If you set this policy, the GroupID policy will be ignored. - -The options set in this policy only apply to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. +When set, the Group ID is assigned automatically from the selected source. If you set this policy, the GroupID policy will be ignored. The default behavior, when neither the GroupID or GroupIDSource policies are set, is to determine the Group ID using AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. If GroupIDSource is set to either DHCP Option ID (3) or DNS Suffix (4) and those methods fail, the default behavior is used instead. The option set in this policy only applies to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. If you set the value to anything other than 0-5, the policy is ignored. For option 3 - DHCP Option ID, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID. @@ -1457,9 +1453,11 @@ ADMX Info: Set this policy to restrict peer selection via selected option. -Options available are: 1=Subnet mask (more options will be added in a future release). +In Windows 11 the 'Local Peer Discovery' option was introduced to restrict peer discovery to the local network. Currently, the available options include: 0 = NAT, 1 = Subnet mask, and 2 = Local Peer Discovery. These options apply to both Download Modes LAN (1) and Group (2) and therefore it means that there is no peering between subnets. The default value in Windows 11 is set to "Local Peer Discovery". -Option 1 (Subnet mask) applies to both Download Mode LAN (1) and Group (2). +If Group mode is set, Delivery Optimization will connect to locally discovered peers that are also part of the same Group (have the same Group ID). + +The Local Peer Discovery (DNS-SD) option can only be set via MDM delivered policies on Windows 11 builds. @@ -1474,7 +1472,9 @@ ADMX Info: The following list shows the supported values: -- 1 - Subnet mask. +- 0 - NAT +- 1 - Subnet mask +- 2 - Local Peer Discovery diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md index 8475dbc0d9..275de06fef 100644 --- a/windows/client-management/mdm/policy-csp-internetexplorer.md +++ b/windows/client-management/mdm/policy-csp-internetexplorer.md @@ -9,6 +9,7 @@ author: vinaypamnani-msft ms.localizationpriority: medium ms.reviewer: manager: aaroncz +ms.date: 12/31/2017 --- # Policy CSP - InternetExplorer @@ -4426,7 +4427,7 @@ The following list shows the supported values: ADMX Info: - GP Friendly name: *Enable extended hot keys in Internet Explorer mode* - GP name: *EnableExtendedIEModeHotkeys* -- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management* +- GP path: *Windows Components/Internet Explorer/Main* - GP ADMX file name: *inetres.admx* diff --git a/windows/client-management/mdm/policy-csp-kioskbrowser.md b/windows/client-management/mdm/policy-csp-kioskbrowser.md index 13fe288906..693f130feb 100644 --- a/windows/client-management/mdm/policy-csp-kioskbrowser.md +++ b/windows/client-management/mdm/policy-csp-kioskbrowser.md @@ -113,7 +113,7 @@ List of exceptions to the blocked website URLs (with wildcard support). This pol -List of blocked website URLs (with wildcard support). This policy is used to configure blocked URLs kiosk browsers can't navigate to. +List of blocked website URLs (with wildcard support). This policy is used to configure blocked URLs kiosk browsers can't navigate to. The delimiter for the URLs is "\uF000" character. > [!NOTE] > This policy only applies to the Kiosk Browser app in Microsoft Store. @@ -310,4 +310,4 @@ The value is an int 1-1440 that specifies the number of minutes the session is i ## Related topics -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-localusersandgroups.md b/windows/client-management/mdm/policy-csp-localusersandgroups.md index 32217ff75b..10e2076e07 100644 --- a/windows/client-management/mdm/policy-csp-localusersandgroups.md +++ b/windows/client-management/mdm/policy-csp-localusersandgroups.md @@ -104,11 +104,11 @@ See [Use custom settings for Windows 10 devices in Intune](/mem/intune/configura Example 1: Azure Active Directory focused. -The following example updates the built-in administrators group with Azure AD account "bob@contoso.com" and an Azure AD group with the SID **S-1-12-1-111111111-22222222222-3333333333-4444444444** on an AAD-joined machine. +The following example updates the built-in administrators group with the SID **S-1-5-21-2222222222-3333333333-4444444444-500** with an Azure AD account "bob@contoso.com" and an Azure AD group with the SID **S-1-12-1-111111111-22222222222-3333333333-4444444444** on an AAD-joined machine. ```xml - + @@ -119,12 +119,12 @@ The following example updates the built-in administrators group with Azure AD ac Example 2: Replace / Restrict the built-in administrators group with an Azure AD user account. > [!NOTE] -> When using ‘R’ replace option to configure the built-in ‘Administrators’ group. It is required to always specify the administrator as a member + any other custom members. This is because the built-in administrator must always be a member of the administrators group. +> When using the ‘R’ replace option to configure the built-in Administrators group with the SID **S-1-5-21-2222222222-3333333333-4444444444-500** you should always specify the administrator as a member plus any other custom members. This is necessary because the built-in administrator must always be a member of the administrators group. Example: ```xml - + @@ -134,11 +134,11 @@ Example: Example 3: Update action for adding and removing group members on a hybrid joined machine. -The following example shows how you can update a local group (**Administrators**)—add an AD domain group as a member using its name (**Contoso\ITAdmins**), add a Azure Active Directory group by its SID (**S-1-12-1-111111111-22222222222-3333333333-4444444444**), and remove a local account (**Guest**) if it exists. +The following example shows how you can update a local group (**Administrators** with the SID **S-1-5-21-2222222222-3333333333-4444444444-500**)—add an AD domain group as a member using its name (**Contoso\ITAdmins**), add an Azure Active Directory group by its SID (**S-1-12-1-111111111-22222222222-3333333333-4444444444**), and remove a local account (**Guest**) if it exists. ```xml - + diff --git a/windows/client-management/mdm/policy-csp-mixedreality.md b/windows/client-management/mdm/policy-csp-mixedreality.md index 391b5dc68e..dc083daf3c 100644 --- a/windows/client-management/mdm/policy-csp-mixedreality.md +++ b/windows/client-management/mdm/policy-csp-mixedreality.md @@ -9,6 +9,7 @@ ms.technology: itpro-manage author: vinaypamnani-msft ms.reviewer: manager: aaroncz +ms.date: 12/31/2017 --- # Policy CSP - MixedReality @@ -113,8 +114,7 @@ Steps to use this policy correctly: |HoloLens (first gen) Commercial Suite|No| |HoloLens 2|Yes| -> [!NOTE] -> This feature is currently only available in [HoloLens Insider](/hololens/hololens-insider) builds. + [Scope](./policy-configuration-service-provider.md#policy-scope): @@ -160,7 +160,7 @@ Int value
    -This can be enabled to allow for other apps to be launched with in a single app Kiosk, which may be useful, for example, if you want to launch the Settings app to calibrate your device or change your Wi-fi. +This can be enabled to allow for other apps to be launched with in a single app Kiosk, which may be useful, for example, if you want to launch the Settings app to calibrate your device or change your Wi-Fi. By default, launching applications via Launcher API (Launcher Class (Windows.System) - Windows UWP applications) is disabled in single app kiosk mode. To enable applications to launch in single app kiosk mode on HoloLens devices, set the policy value to true. @@ -341,10 +341,7 @@ Supported value is Integer. -> [!NOTE] -> This feature is currently only available in [HoloLens Insider](/hololens/hololens-insider) builds. - -You may want to configure a different time server for your device fleet. IT admins can use thi policy to configure certain aspects of NTP client with following policies. In the Settings app, the Time/Language page will show the time server after a time sync has occurred. E.g. `time.windows.com` or another if another value is configured via MDM policy. +You may want to configure a different time server for your device fleet. IT admins can use this policy to configure certain aspects of NTP client with following policies. In the Settings app, the Time/Language page will show the time server after a time sync has occurred. E.g. `time.windows.com` or another if another value is configured via MDM policy. This policy setting specifies a set of parameters for controlling the Windows NTP Client. Refer to [Policy CSP - ADMX_W32Time - Windows Client Management](/windows/client-management/mdm/policy-csp-admx-w32time#admx-w32time-policy-configure-ntpclient) for supported configuration parameters. @@ -394,9 +391,6 @@ value="0"/> -> [!NOTE] -> This feature is currently only available in [HoloLens Insider](/hololens/hololens-insider) builds. - [Scope](./policy-configuration-service-provider.md#policy-scope): @@ -609,8 +603,6 @@ The following list shows the supported values: -> [!NOTE] -> This feature is currently only available in [HoloLens Insider](/hololens/hololens-insider) builds. This policy setting specifies whether the Windows NTP Client is enabled. @@ -642,9 +634,6 @@ This policy setting specifies whether the Windows NTP Client is enabled. -> [!NOTE] -> This feature is currently only available in [HoloLens Insider](/hololens/hololens-insider) builds. - [Scope](./policy-configuration-service-provider.md#policy-scope): @@ -678,8 +667,7 @@ The OMA-URI of new policy: `./Device/Vendor/MSFT/Policy/Config/MixedReality/Skip -> [!NOTE] -> This feature is currently only available in [HoloLens Insider](/hololens/hololens-insider) builds. + [Scope](./policy-configuration-service-provider.md#policy-scope): diff --git a/windows/client-management/mdm/policy-csp-msslegacy.md b/windows/client-management/mdm/policy-csp-msslegacy.md index 69fb84b6e9..c7e71ee0cf 100644 --- a/windows/client-management/mdm/policy-csp-msslegacy.md +++ b/windows/client-management/mdm/policy-csp-msslegacy.md @@ -1,211 +1,210 @@ --- -title: Policy CSP - MSSLegacy -description: Learn how Policy CSP - MSSLegacy, an ADMX-backed policy, requires a special SyncML format to enable or disable. +title: MSSLegacy Policy CSP +description: Learn more about the MSSLegacy Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 11/29/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - MSSLegacy -
    - - -## MSSLegacy policies - -
    -
    - MSSLegacy/AllowICMPRedirectsToOverrideOSPFGeneratedRoutes -
    -
    - MSSLegacy/AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers -
    -
    - MSSLegacy/IPSourceRoutingProtectionLevel -
    -
    - MSSLegacy/IPv6SourceRoutingProtectionLevel -
    -
    - > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -**MSSLegacy/AllowICMPRedirectsToOverrideOSPFGeneratedRoutes** + +## AllowICMPRedirectsToOverrideOSPFGeneratedRoutes - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/MSSLegacy/AllowICMPRedirectsToOverrideOSPFGeneratedRoutes +``` + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + +Allow ICMP redirects to override OSPF generated routes. + -> [!div class = "checklist"] -> * Device + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + + + - + + + - -ADMX Info: -- GP name: *Pol_MSS_EnableICMPRedirect* -- GP ADMX file name: *mss-legacy.admx* + - - + +## AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + - -**MSSLegacy/AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers** + +```Device +./Device/Vendor/MSFT/Policy/Config/MSSLegacy/AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers +``` + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +Allow the computer to ignore NetBIOS name release requests except from WINS servers. + - -
    + +**Description framework properties**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -> [!div class = "checklist"] -> * Device + + + -
    + + + - - + - + +## IPSourceRoutingProtectionLevel + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + - -ADMX Info: -- GP name: *Pol_MSS_NoNameReleaseOnDemand* -- GP ADMX file name: *mss-legacy.admx* + +```Device +./Device/Vendor/MSFT/Policy/Config/MSSLegacy/IPSourceRoutingProtectionLevel +``` + - - + + + -
    + + +IP source routing protection level (protects against packet spoofing). + - -**MSSLegacy/IPSourceRoutingProtectionLevel** + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## IPv6SourceRoutingProtectionLevel -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/MSSLegacy/IPv6SourceRoutingProtectionLevel +``` + - + + + - -ADMX Info: -- GP name: *Pol_MSS_DisableIPSourceRouting* -- GP ADMX file name: *mss-legacy.admx* + + +IPv6 source routing protection level (protects against packet spoofing). + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**MSSLegacy/IPv6SourceRoutingProtectionLevel** + + + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device +## Related articles -
    - - - - - - - -ADMX Info: -- GP name: *Pol_MSS_DisableIPSourceRoutingIPv6* -- GP ADMX file name: *mss-legacy.admx* - - - -
    - - - - -## Related topics - -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-settingssync.md b/windows/client-management/mdm/policy-csp-settingssync.md new file mode 100644 index 0000000000..3be0b76457 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-settingssync.md @@ -0,0 +1,96 @@ +--- +title: SettingsSync Policy CSP +description: Learn more about the SettingsSync Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz +ms.author: vinpa +ms.date: 11/29/2022 +ms.localizationpriority: medium +ms.prod: windows-client +ms.technology: itpro-manage +ms.topic: reference +--- + + + + +# Policy CSP - SettingsSync + +> [!TIP] +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + + + + +## DisableAccessibilitySettingSync + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/SettingsSync/DisableAccessibilitySettingSync +``` + + + +Prevent the "accessibility" group from syncing to and from this PC. This turns off and disables the "accessibility" group on the "Windows backup" settings page in PC settings. + +If you enable this policy setting, the "accessibility", group will not be synced. + +Use the option "Allow users to turn accessibility syncing on" so that syncing is turned off by default but not disabled. + +If you do not set or disable this setting, syncing of the "accessibility" group is on by default and configurable by the user. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableAccessibilitySettingSync | +| Friendly Name | Do not sync accessibility settings | +| Location | Computer Configuration | +| Path | Windows Components > Sync your settings | +| Registry Key Name | Software\Policies\Microsoft\Windows\SettingSync | +| Registry Value Name | DisableAccessibilitySettingSync | +| ADMX File Name | SettingSync.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-stickers.md b/windows/client-management/mdm/policy-csp-stickers.md new file mode 100644 index 0000000000..9b2eeee68c --- /dev/null +++ b/windows/client-management/mdm/policy-csp-stickers.md @@ -0,0 +1,79 @@ +--- +title: Stickers Policy CSP +description: Learn more about the Stickers Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz +ms.author: vinpa +ms.date: 11/02/2022 +ms.localizationpriority: medium +ms.prod: windows-client +ms.technology: itpro-manage +ms.topic: reference +--- + + + + +# Policy CSP - Stickers + + + + + + +## EnableStickers + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Stickers/EnableStickers +``` + + + +This policy setting allows you to control whether you want to allow stickers to be edited and placed on Desktop + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 939f3e2ac9..e26bcb675c 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -205,7 +205,7 @@ Windows diagnostic data is collected when the Allow Telemetry policy setting is If you disable or don't configure this setting, Microsoft will be the controller of the Windows diagnostic data collected from the device and processed in accordance with Microsoft’s [privacy statement](https://go.microsoft.com/fwlink/?LinkId=521839) unless you have enabled policies like Allow Update Compliance Processing or Allow Desktop Analytics Processing. -Configuring this setting doesn't change the Windows diagnostic data collection level set for the device or the operation of optional analytics processor services like Desktop Analytics and Update Compliance. +Configuring this setting doesn't change the Windows diagnostic data collection level set for the device or the operation of optional analytics processor services like Desktop Analytics and Windows Update for Business reports. See the documentation at [ConfigureWDD](https://aka.ms/ConfigureWDD) for information on this and other policies that will result in Microsoft being the processor of Windows diagnostic data. @@ -700,11 +700,11 @@ To enable this behavior, you must complete three steps: 1. Enable this policy setting. 2. Set **AllowTelemetry** to 1 – **Required (Basic)** or above. - 3. Set the Configure the Commercial ID setting for your Update Compliance workspace. + 3. If you're using Update Compliance rather than Windows Update for Business reports, set the Configure the Commercial ID setting for your Update Compliance workspace. When these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments. -If you disable or don't configure this policy setting, devices won't appear in Update Compliance. +If you disable or don't configure this policy setting, devices won't appear in Windows Update for Business reports or Update Compliance. diff --git a/windows/client-management/mdm/policy-csp-tenantdefinedtelemetry.md b/windows/client-management/mdm/policy-csp-tenantdefinedtelemetry.md new file mode 100644 index 0000000000..0ab6c560aa --- /dev/null +++ b/windows/client-management/mdm/policy-csp-tenantdefinedtelemetry.md @@ -0,0 +1,80 @@ +--- +title: TenantDefinedTelemetry Policy CSP +description: Learn more about the TenantDefinedTelemetry Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz +ms.author: vinpa +ms.date: 11/02/2022 +ms.localizationpriority: medium +ms.prod: windows-client +ms.technology: itpro-manage +ms.topic: reference +--- + + + + +# Policy CSP - TenantDefinedTelemetry + + + + + + +## CustomTelemetryId + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/TenantDefinedTelemetry/CustomTelemetryId +``` + + + +This policy is used to let mission control what type of Edition we are currently in. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Base | +| 1 | Education | +| 2 | Commercial | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-tenantrestrictions.md b/windows/client-management/mdm/policy-csp-tenantrestrictions.md new file mode 100644 index 0000000000..936808277a --- /dev/null +++ b/windows/client-management/mdm/policy-csp-tenantrestrictions.md @@ -0,0 +1,98 @@ +--- +title: TenantRestrictions Policy CSP +description: Learn more about the TenantRestrictions Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz +ms.author: vinpa +ms.date: 11/29/2022 +ms.localizationpriority: medium +ms.prod: windows-client +ms.technology: itpro-manage +ms.topic: reference +--- + + + + +# Policy CSP - TenantRestrictions + +> [!TIP] +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + + + + +## ConfigureTenantRestrictions + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348.320] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1320] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1320] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1320] and later
    :heavy_check_mark: Windows 10, version 21H2 [10.0.19044] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/TenantRestrictions/ConfigureTenantRestrictions +``` + + + +This setting enables and configures the device-based tenant restrictions feature for Azure Active Directory. + +When you enable this setting, compliant applications will be prevented from accessing disallowed tenants, according to a policy set in your Azure AD tenant. + +Note: Creation of a policy in your home tenant is required, and additional security measures for managed devices are recommended for best protection. Refer to Azure AD Tenant Restrictions for more details. + +https://go.microsoft.com/fwlink/?linkid=2148762 + +Before enabling firewall protection, ensure that a Windows Defender Application Control (WDAC) policy that correctly tags applications has been applied to the target devices. Enabling firewall protection without a corresponding WDAC policy will prevent all applications from reaching Microsoft endpoints. This firewall setting is not supported on all versions of Windows - see the following link for more information. +For details about setting up WDAC with tenant restrictions, see https://go.microsoft.com/fwlink/?linkid=2155230 + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | trv2_payload | +| Friendly Name | Cloud Policy Details | +| Location | Computer Configuration | +| Path | Windows Components > Tenant Restrictions | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\Payload | +| ADMX File Name | TenantRestrictions.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 91113eec51..7c1858edb3 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -2988,6 +2988,9 @@ The table below shows the applicability of Windows: +> [!NOTE] +> This policy will only take effect if Update/AllowAutoUpdate has been configured to option 3 or 4 for scheduled installation. + Enables the IT admin to schedule the day of the update installation. Supported data type is an integer. @@ -3049,6 +3052,9 @@ The table below shows the applicability of Windows: +> [!NOTE] +> This policy will only take effect if Update/AllowAutoUpdate has been configured to option 3 or 4 for scheduled installation. + Enables the IT admin to schedule the update installation on every week. Supported Value type is integer. @@ -3100,6 +3106,9 @@ The table below shows the applicability of Windows: +> [!NOTE] +> This policy will only take effect if Update/AllowAutoUpdate has been configured to option 3 or 4 for scheduled installation. + Enables the IT admin to schedule the update installation on the first week of the month. Supported value type is integer. @@ -3151,6 +3160,9 @@ The table below shows the applicability of Windows: +> [!NOTE] +> This policy will only take effect if Update/AllowAutoUpdate has been configured to option 3 or 4 for scheduled installation. + Enables the IT admin to schedule the update installation on the fourth week of the month. Supported value type is integer. @@ -3202,9 +3214,12 @@ The table below shows the applicability of Windows: +> [!NOTE] +> This policy will only take effect if Update/AllowAutoUpdate has been configured to option 3 or 4 for scheduled installation. + Enables the IT admin to schedule the update installation on the second week of the month. -Supported vlue type is integer. +Supported value type is integer. Supported values: @@ -3254,6 +3269,9 @@ The table below shows the applicability of Windows: +> [!NOTE] +> This policy will only take effect if Update/AllowAutoUpdate has been configured to option 3 or 4 for scheduled installation. + Enables the IT admin to schedule the update installation on the third week of the month. Supported value type is integer. @@ -3305,6 +3323,9 @@ The table below shows the applicability of Windows: +> [!NOTE] +> This policy will only take effect if Update/AllowAutoUpdate has been configured to option 3 or 4 for scheduled installation. + Enables the IT admin to schedule the time of the update installation. Note that there is a window of approximately 30 minutes to allow for higher success rates of installation. The supported data type is an integer. diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md index 7af2d1affc..15d68c57a4 100644 --- a/windows/client-management/mdm/policy-csp-windowslogon.md +++ b/windows/client-management/mdm/policy-csp-windowslogon.md @@ -1,267 +1,280 @@ --- -title: Policy CSP - WindowsLogon -description: Use the Policy CSP - WindowsLogon setting to control whether a device automatically signs in and locks the last interactive user after the system restarts. +title: WindowsLogon Policy CSP +description: Learn more about the WindowsLogon Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/09/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - WindowsLogon -
    - - -## WindowsLogon policies - -
    -
    - WindowsLogon/AllowAutomaticRestartSignOn -
    -
    - WindowsLogon/ConfigAutomaticRestartSignOn -
    -
    - WindowsLogon/DisableLockScreenAppNotifications -
    -
    - WindowsLogon/DontDisplayNetworkSelectionUI -
    -
    - WindowsLogon/EnableFirstLogonAnimation -
    -
    - WindowsLogon/EnableMPRNotifications -
    -
    - WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers -
    -
    - WindowsLogon/HideFastUserSwitching -
    -
    - > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -**WindowsLogon/AllowAutomaticRestartSignOn** + +## AllowAutomaticRestartSignOn - -The table below shows the applicability of Windows: + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsLogon/AllowAutomaticRestartSignOn +``` + - -
    + + +This policy setting controls whether a device will automatically sign in and lock the last interactive user after the system restarts or after a shutdown and cold boot. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +This only occurs if the last interactive user didn’t sign out before the restart or shutdown.​ -> [!div class = "checklist"] -> * Device +If the device is joined to Active Directory or Azure Active Directory, this policy only applies to Windows Update restarts. Otherwise, this will apply to both Windows Update restarts and user-initiated restarts and shutdowns.​ -
    +If you don’t configure this policy setting, it is enabled by default. When the policy is enabled, the user is automatically signed in and the session is automatically locked with all lock screen apps configured for that user after the device boots.​ - - -This policy setting controls whether a device automatically signs in and locks the last interactive user after the system restarts or after a shutdown and cold boot. +After enabling this policy, you can configure its settings through the ConfigAutomaticRestartSignOn policy, which configures the mode of automatically signing in and locking the last interactive user after a restart or cold boot​. -This scenario occurs only if the last interactive user didn't sign out before the restart or shutdown.​ +If you disable this policy setting, the device does not configure automatic sign in. The user’s lock screen apps are not restarted after the system restarts. + -If the device is joined to Active Directory or Azure Active Directory, this policy applies only to Windows Update restarts. Otherwise, this policy applies to both Windows Update restarts and user-initiated restarts and shutdowns.​ + + + -If you don't configure this policy setting, it's enabled by default. When the policy is enabled, the user is automatically signed in and the session is automatically locked with all lock screen apps configured for that user after the device boots.​ + +**Description framework properties**: -After enabling this policy, you can configure its settings through the [ConfigAutomaticRestartSignOn](#windowslogon-configautomaticrestartsignon) policy, which configures the mode of automatically signing in and locking the last interactive user after a restart or cold boot​. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -If you disable this policy setting, the device doesn't configure automatic sign in. The user’s lock screen apps aren't restarted after the system restarts. + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: - -ADMX Info: -- GP Friendly name: *Sign-in and lock last interactive user automatically after a restart* -- GP name: *AutomaticRestartSignOn* -- GP path: *Windows Components/Windows Logon Options* -- GP ADMX file name: *WinLogon.admx* +| Name | Value | +|:--|:--| +| Name | AutomaticRestartSignOnDescription | +| Friendly Name | Sign-in and lock last interactive user automatically after a restart | +| Location | Computer Configuration | +| Path | Windows Components > Windows Logon Options | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | DisableAutomaticRestartSignOn | +| ADMX File Name | WinLogon.admx | + - - + + + - - + - - + +## ConfigAutomaticRestartSignOn - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsLogon/ConfigAutomaticRestartSignOn +``` + - -**WindowsLogon/ConfigAutomaticRestartSignOn** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting controls the configuration under which an automatic restart, sign in, and lock occurs after a restart or cold boot. If you chose “Disabled” in the [AllowAutomaticRestartSignOn](#windowslogon-allowautomaticrestartsignon) policy, then automatic sign in doesn't occur and this policy need not be configured. + + +This policy setting controls the configuration under which an automatic restart and sign on and lock occurs after a restart or cold boot. If you chose “Disabled” in the “Sign-in and lock last interactive user automatically after a restart” policy, then automatic sign on will not occur and this policy does not need to be configured. If you enable this policy setting, you can choose one of the following two options: -- Enabled if BitLocker is on and not suspended: Specifies that automatic sign in and lock occurs only if BitLocker is active and not suspended during the reboot or shutdown. Personal data can be accessed on the device’s hard drive at this time if BitLocker isn't on or suspended during an update. BitLocker suspension temporarily removes protection for system components and data but may be needed in certain circumstances to successfully update boot-critical components. +1. “Enabled if BitLocker is on and not suspended” specifies that automatic sign on and lock will only occur if BitLocker is active and not suspended during the reboot or shutdown. Personal data can be accessed on the device’s hard drive at this time if BitLocker is not on or suspended during an update. BitLocker suspension temporarily removes protection for system components and data but may be needed in certain circumstances to successfully update boot-critical components. BitLocker is suspended during updates if: - - The device doesn't have TPM 2.0 and PCR7 - - The device doesn't use a TPM-only protector -- Always Enabled: Specifies that automatic sign in happens even if BitLocker is off or suspended during reboot or shutdown. When BitLocker isn't enabled, personal data is accessible on the hard drive. Automatic restart and sign in should only be run under this condition if you're confident that the configured device is in a secure physical location. +- The device doesn’t have TPM 2.0 and PCR7, or +- The device doesn’t use a TPM-only protector +2. “Always Enabled” specifies that automatic sign on will happen even if BitLocker is off or suspended during reboot or shutdown. When BitLocker is not enabled, personal data is accessible on the hard drive. Automatic restart and sign on should only be run under this condition if you are confident that the configured device is in a secure physical location. -If you disable or don't configure this setting, automatic sign in defaults to the “Enabled if BitLocker is on and not suspended” behavior. +If you disable or don’t configure this setting, automatic sign on will default to the “Enabled if BitLocker is on and not suspended” behavior. + - + + + - -ADMX Info: -- GP Friendly name: *Configure the mode of automatically signing in and locking last interactive user after a restart or cold boot* -- GP name: *ConfigAutomaticRestartSignOn* -- GP path: *Windows Components/Windows Logon Options* -- GP ADMX file name: *WinLogon.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - +**ADMX mapping**: - - +| Name | Value | +|:--|:--| +| Name | ConfigAutomaticRestartSignOnDescription | +| Friendly Name | Configure the mode of automatically signing in and locking last interactive user after a restart or cold boot | +| Location | Computer Configuration | +| Path | Windows Components > Windows Logon Options | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| ADMX File Name | WinLogon.admx | + -
    + + + - -**WindowsLogon/DisableLockScreenAppNotifications** + - -The table below shows the applicability of Windows: + +## DisableLockScreenAppNotifications -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsLogon/DisableLockScreenAppNotifications +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows you to prevent app notifications from appearing on the lock screen. If you enable this policy setting, no app notifications are displayed on the lock screen. -If you disable or don't configure this policy setting, users can choose which apps display notifications on the lock screen. +If you disable or do not configure this policy setting, users can choose which apps display notifications on the lock screen. + - + + + - -ADMX Info: -- GP Friendly name: *Turn off app notifications on the lock screen* -- GP name: *DisableLockScreenAppNotifications* -- GP path: *System/Logon* -- GP ADMX file name: *logon.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**WindowsLogon/DontDisplayNetworkSelectionUI** +**ADMX mapping**: - -The table below shows the applicability of Windows: +| Name | Value | +|:--|:--| +| Name | DisableLockScreenAppNotifications | +| Friendly Name | Turn off app notifications on the lock screen | +| Location | Computer Configuration | +| Path | System > Logon | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | DisableLockScreenAppNotifications | +| ADMX File Name | Logon.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DontDisplayNetworkSelectionUI -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsLogon/DontDisplayNetworkSelectionUI +``` + - - -This policy setting allows you to control whether anyone can interact with available networks UI on the sign-in screen. + + +This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen. -If you enable this policy setting, the PC's network connectivity state can't be changed without signing into Windows. +If you enable this policy setting, the PC's network connectivity state cannot be changed without signing into Windows. If you disable or don't configure this policy setting, any user can disconnect the PC from the network or can connect the PC to other available networks without signing into Windows. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DontDisplayNetworkSelectionUI | +| Friendly Name | Do not display network selection UI | +| Location | Computer Configuration | +| Path | System > Logon | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | DontDisplayNetworkSelectionUI | +| ADMX File Name | Logon.admx | + + + + +**Example**: Here's an example to enable this policy: @@ -287,236 +300,333 @@ Here's an example to enable this policy: ``` + - + - -ADMX Info: -- GP Friendly name: *Do not display network selection UI* -- GP name: *DontDisplayNetworkSelectionUI* -- GP path: *System/Logon* -- GP ADMX file name: *logon.admx* + +## EnableFirstLogonAnimation - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsLogon/EnableFirstLogonAnimation +``` + - -**WindowsLogon/EnableFirstLogonAnimation** + + +This policy setting allows you to control whether users see the first sign-in animation when signing in to the computer for the first time. This applies to both the first user of the computer who completes the initial setup and users who are added to the computer later. It also controls if Microsoft account users will be offered the opt-in prompt for services during their first sign-in. - -The table below shows the applicability of Windows: +If you enable this policy setting, Microsoft account users will see the opt-in prompt for services, and users with other accounts will see the sign-in animation. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +If you disable this policy setting, users will not see the animation and Microsoft account users will not see the opt-in prompt for services. - -
    +If you do not configure this policy setting, the user who completes the initial Windows setup will see the animation during their first sign-in. If the first user had already completed the initial setup and this policy setting is not configured, users new to this computer will not see the animation. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +Note: The first sign-in animation will not be shown on Server, so this policy will have no effect. + -> [!div class = "checklist"] -> * Device + + + -
    + +**Description framework properties**: - - -This policy setting allows you to control whether users see the first sign-in animation when signing in to the computer for the first time. This view applies to both the first user of the computer who completes the initial setup and users who are added to the computer later. It also controls if Microsoft account users are offered the opt-in prompt for services during their first sign-in. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -If you enable this policy setting, Microsoft account users see the opt-in prompt for services, and users with other accounts see the sign-in animation. + +**Allowed values**: -If you disable this policy setting, users don't see the animation and Microsoft account users don't see the opt-in prompt for services. +| Value | Description | +|:--|:--| +| 0 | Disabled. | +| 1 (Default) | Enabled. | + -If you don't configure this policy setting, the user who completes the initial Windows setup see the animation during their first sign-in. If the first user had already completed the initial setup and this policy setting isn't configured, users new to this computer don't see the animation. + +**Group policy mapping**: -> [!NOTE] -> The first sign-in animation isn't displayed on Server, so this policy has no effect. +| Name | Value | +|:--|:--| +| Name | EnableFirstLogonAnimation | +| Friendly Name | Show first sign-in animation | +| Location | Computer Configuration | +| Path | System > Logon | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | EnableFirstLogonAnimation | +| ADMX File Name | Logon.admx | + - - -ADMX Info: -- GP Friendly name: *Show first sign-in animation* -- GP name: *EnableFirstLogonAnimation* -- GP path: *System/Logon* -- GP ADMX file name: *Logon.admx* + + + - - -Supported values: -- 0 - disabled -- 1 - enabled - - + - - + +## EnableMPRNotifications - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsLogon/EnableMPRNotifications +``` + - -**WindowsLogon/EnableMPRNotifications** + + +This policy controls the configuration under which winlogon sends MPR notifications in the system. - -The table below shows the applicability of Windows: +If you enable this setting or do not configure it, winlogon sends MPR notifications if a credential manager is configured. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +If you disable this setting, winlogon does not send MPR notifications. + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * Device +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -This policy allows winlogon to send MPR notifications in the system if a credential manager is configured. +**ADMX mapping**: -If you disable (0), MPR notifications will not be sent by winlogon. +| Name | Value | +|:--|:--| +| Name | EnableMPRNotifications | +| Friendly Name | Enable MPR notifications for the system | +| Location | Computer Configuration | +| Path | Windows Components > Windows Logon Options | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | EnableMPR | +| ADMX File Name | WinLogon.admx | + -If you enable (1) or do not configure this policy setting this policy, MPR notifications will be sent by winlogon. + + + - - -Supported values: + -- 0 - disabled -- 1 (default)- enabled - + +## EnumerateLocalUsersOnDomainJoinedComputers - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers +``` + - -**WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows local users to be enumerated on domain-joined computers. If you enable this policy setting, Logon UI will enumerate all local users on domain-joined computers. -If you disable or don't configure this policy setting, the Logon UI won't enumerate local users on domain-joined computers. +If you disable or do not configure this policy setting, the Logon UI will not enumerate local users on domain-joined computers. + - + + + - -ADMX Info: -- GP Friendly name: *Enumerate local users on domain-joined computers* -- GP name: *EnumerateLocalUsers* -- GP path: *System/Logon* -- GP ADMX file name: *logon.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**WindowsLogon/HideFastUserSwitching** +**ADMX mapping**: - -The table below shows the applicability of Windows: +| Name | Value | +|:--|:--| +| Name | EnumerateLocalUsers | +| Friendly Name | Enumerate local users on domain-joined computers | +| Location | Computer Configuration | +| Path | System > Logon | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | EnumerateLocalUsers | +| ADMX File Name | Logon.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## HideFastUserSwitching -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsLogon/HideFastUserSwitching +``` + - - -This policy setting allows you to hide the Switch account button on the sign-in screen, Start, and the Task Manager. If you enable this policy setting, the Switch account button is hidden from the user who is attempting to sign-in or is signed in to the computer that has this policy applied. If you disable or don't configure this policy setting, the Switch account button is accessible to the user in the three locations. + + +This policy setting allows you to hide the Switch User interface in the Logon UI, the Start menu and the Task Manager. - - -ADMX Info: -- GP Friendly name: *Hide entry points for Fast User Switching* -- GP name: *HideFastUserSwitching* -- GP path: *System/Logon* -- GP ADMX file name: *Logon.admx* +If you enable this policy setting, the Switch User interface is hidden from the user who is attempting to log on or is logged on to the computer that has this policy applied. - - -The following list shows the supported values: +The locations that Switch User interface appear are in the Logon UI, the Start menu and the Task Manager. -- 0 (default) - Disabled (visible). -- 1 - Enabled (hidden). +If you disable or do not configure this policy setting, the Switch User interface is accessible to the user in the three locations. + - - -To validate on Desktop, do the following steps: + + + -1. Enable policy. -2. Verify that the Switch account button in Start is hidden. + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - + +**Allowed values**: -## Related topics +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled (visible). | +| 1 | Enabled (hidden). | + -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | HideFastUserSwitching | +| Friendly Name | Hide entry points for Fast User Switching | +| Location | Computer Configuration | +| Path | System > Logon | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | HideFastUserSwitching | +| ADMX File Name | Logon.admx | + + + + + + + + + +## OverrideShellProgram + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsLogon/OverrideShellProgram +``` + + + + +OverrideShellProgram policy allows IT admin to configure the shell program for Windows OS on a device. This policy has the highest precedence over other ways of configuring the shell program. + +The policy currently supports below options: + +1. Not Configured: Default shell will be launched. +2. Apply Lightweight Shell: Lightweight shell does not have a user interface and helps the device to achieve better performance as the shell consumes limited resources over default shell. Lightweight shell contains a limited set of features which could be consumed by applications. This configuration can be useful if the device needs to have a continuous running user interface application which would consume features offered by Lightweight shell. + +If you disable or do not configure this policy setting, then the default shell will be launched. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | +| Dependency [BootToCloudModeDependencyGroup] | Dependency Type: `DependsOn`
    Dependency URI: `Device/Vendor/MSFT/Policy/Config/CloudDesktop/BootToCloudMode`
    Dependency Allowed Value: `[1]`
    Dependency Allowed Value Type: `Range`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Not Configured | +| 1 | Apply Lightweight shell | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index 888db084cb..d1d4e1f569 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -1,920 +1,940 @@ items: - - name: Configuration service provider reference - href: index.yml +- name: Configuration service provider reference + href: index.yml + expanded: true + items: + - name: Device description framework (DDF) files + href: configuration-service-provider-ddf.md + - name: Support scenarios + href: configuration-service-provider-support.md + - name: WMI Bridge provider + items: + - name: Using PowerShell scripting with the WMI Bridge Provider + href: ../using-powershell-scripting-with-the-wmi-bridge-provider.md + - name: WMI providers supported in Windows 10 + href: ../wmi-providers-supported-in-windows.md + - name: Understanding ADMX policies + href: ../understanding-admx-backed-policies.md + items: + - name: Enable ADMX policies in MDM + href: ../enable-admx-backed-policies-in-mdm.md + - name: Win32 and Desktop Bridge app policy configuration + href: ../win32-and-centennial-app-policy-configuration.md + - name: OMA DM protocol support + href: ../oma-dm-protocol-support.md + items: + - name: Structure of OMA DM provisioning files + href: ../structure-of-oma-dm-provisioning-files.md + - name: Server requirements for OMA DM + href: ../server-requirements-windows-mdm.md + - name: Configuration service providers (CSPs) expanded: true items: - - name: Device description framework (DDF) files - href: configuration-service-provider-ddf.md - - name: Support scenarios - href: configuration-service-provider-support.md - - name: WMI Bridge provider + - name: Policy + href: policy-configuration-service-provider.md items: - - name: Using PowerShell scripting with the WMI Bridge Provider - href: ../using-powershell-scripting-with-the-wmi-bridge-provider.md - - name: WMI providers supported in Windows 10 - href: ../wmi-providers-supported-in-windows.md - - name: Understanding ADMX policies - href: ../understanding-admx-backed-policies.md + - name: Policy CSP DDF file + href: policy-ddf-file.md + - name: Policy CSP support scenarios + items: + - name: ADMX policies in Policy CSP + href: policies-in-policy-csp-admx-backed.md + - name: Policies in Policy CSP supported by Group Policy + href: policies-in-policy-csp-supported-by-group-policy.md + - name: Policies in Policy CSP supported by HoloLens 2 + href: policies-in-policy-csp-supported-by-hololens2.md + - name: Policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite + href: policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md + - name: Policies in Policy CSP supported by HoloLens (1st gen) Development Edition + href: policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md + - name: Policies in Policy CSP supported by Windows 10 IoT Core + href: policies-in-policy-csp-supported-by-iot-core.md + - name: Policies in Policy CSP supported by Microsoft Surface Hub + href: policies-in-policy-csp-supported-by-surface-hub.md + - name: Policy CSPs that can be set using Exchange Active Sync (EAS) + href: policies-in-policy-csp-that-can-be-set-using-eas.md + - name: Policy CSP areas + expanded: true + items: + - name: AboveLock + href: policy-csp-abovelock.md + - name: Accounts + href: policy-csp-accounts.md + - name: ActiveXControls + href: policy-csp-activexcontrols.md + - name: ADMX_ActiveXInstallService + href: policy-csp-admx-activexinstallservice.md + - name: ADMX_AddRemovePrograms + href: policy-csp-admx-addremoveprograms.md + - name: ADMX_AdmPwd + href: policy-csp-admx-admpwd.md + - name: ADMX_AppCompat + href: policy-csp-admx-appcompat.md + - name: ADMX_AppxPackageManager + href: policy-csp-admx-appxpackagemanager.md + - name: ADMX_AppXRuntime + href: policy-csp-admx-appxruntime.md + - name: ADMX_AttachmentManager + href: policy-csp-admx-attachmentmanager.md + - name: ADMX_AuditSettings + href: policy-csp-admx-auditsettings.md + - name: ADMX_Bits + href: policy-csp-admx-bits.md + - name: ADMX_CipherSuiteOrder + href: policy-csp-admx-ciphersuiteorder.md + - name: ADMX_COM + href: policy-csp-admx-com.md + - name: ADMX_ControlPanel + href: policy-csp-admx-controlpanel.md + - name: ADMX_ControlPanelDisplay + href: policy-csp-admx-controlpaneldisplay.md + - name: ADMX_Cpls + href: policy-csp-admx-cpls.md + - name: ADMX_CredentialProviders + href: policy-csp-admx-credentialproviders.md + - name: ADMX_CredSsp + href: policy-csp-admx-credssp.md + - name: ADMX_CredUI + href: policy-csp-admx-credui.md + - name: ADMX_CtrlAltDel + href: policy-csp-admx-ctrlaltdel.md + - name: ADMX_DataCollection + href: policy-csp-admx-datacollection.md + - name: ADMX_DCOM + href: policy-csp-admx-dcom.md + - name: ADMX_Desktop + href: policy-csp-admx-desktop.md + - name: ADMX_DeviceCompat + href: policy-csp-admx-devicecompat.md + - name: ADMX_DeviceGuard + href: policy-csp-admx-deviceguard.md + - name: ADMX_DeviceInstallation + href: policy-csp-admx-deviceinstallation.md + - name: ADMX_DeviceSetup + href: policy-csp-admx-devicesetup.md + - name: ADMX_DFS + href: policy-csp-admx-dfs.md + - name: ADMX_DigitalLocker + href: policy-csp-admx-digitallocker.md + - name: ADMX_DiskDiagnostic + href: policy-csp-admx-diskdiagnostic.md + - name: ADMX_DistributedLinkTracking + href: policy-csp-admx-distributedlinktracking.md + - name: ADMX_DnsClient + href: policy-csp-admx-dnsclient.md + - name: ADMX_DWM + href: policy-csp-admx-dwm.md + - name: ADMX_EAIME + href: policy-csp-admx-eaime.md + - name: ADMX_EncryptFilesonMove + href: policy-csp-admx-encryptfilesonmove.md + - name: ADMX_EnhancedStorage + href: policy-csp-admx-enhancedstorage.md + - name: ADMX_ErrorReporting + href: policy-csp-admx-errorreporting.md + - name: ADMX_EventForwarding + href: policy-csp-admx-eventforwarding.md + - name: ADMX_EventLog + href: policy-csp-admx-eventlog.md + - name: ADMX_EventLogging + href: policy-csp-admx-eventlogging.md + - name: ADMX_EventViewer + href: policy-csp-admx-eventviewer.md + - name: ADMX_Explorer + href: policy-csp-admx-explorer.md + - name: ADMX_ExternalBoot + href: policy-csp-admx-externalboot.md + - name: ADMX_FileRecovery + href: policy-csp-admx-filerecovery.md + - name: ADMX_FileRevocation + href: policy-csp-admx-filerevocation.md + - name: ADMX_FileServerVSSProvider + href: policy-csp-admx-fileservervssprovider.md + - name: ADMX_FileSys + href: policy-csp-admx-filesys.md + - name: ADMX_FolderRedirection + href: policy-csp-admx-folderredirection.md + - name: ADMX_FramePanes + href: policy-csp-admx-framepanes.md + - name: ADMX_FTHSVC + href: policy-csp-admx-fthsvc.md + - name: ADMX_Globalization + href: policy-csp-admx-globalization.md + - name: ADMX_GroupPolicy + href: policy-csp-admx-grouppolicy.md + - name: ADMX_Help + href: policy-csp-admx-help.md + - name: ADMX_HelpAndSupport + href: policy-csp-admx-helpandsupport.md + - name: ADMX_HotSpotAuth + href: policy-csp-admx-hotspotauth.md + - name: ADMX_ICM + href: policy-csp-admx-icm.md + - name: ADMX_IIS + href: policy-csp-admx-iis.md + - name: ADMX_iSCSI + href: policy-csp-admx-iscsi.md + - name: ADMX_kdc + href: policy-csp-admx-kdc.md + - name: ADMX_Kerberos + href: policy-csp-admx-kerberos.md + - name: ADMX_LanmanServer + href: policy-csp-admx-lanmanserver.md + - name: ADMX_LanmanWorkstation + href: policy-csp-admx-lanmanworkstation.md + - name: ADMX_LeakDiagnostic + href: policy-csp-admx-leakdiagnostic.md + - name: ADMX_LinkLayerTopologyDiscovery + href: policy-csp-admx-linklayertopologydiscovery.md + - name: ADMX_LocationProviderAdm + href: policy-csp-admx-locationprovideradm.md + - name: ADMX_Logon + href: policy-csp-admx-logon.md + - name: ADMX_MicrosoftDefenderAntivirus + href: policy-csp-admx-microsoftdefenderantivirus.md + - name: ADMX_MMC + href: policy-csp-admx-mmc.md + - name: ADMX_MMCSnapins + href: policy-csp-admx-mmcsnapins.md + - name: ADMX_MobilePCMobilityCenter + href: policy-csp-admx-mobilepcmobilitycenter.md + - name: ADMX_MobilePCPresentationSettings + href: policy-csp-admx-mobilepcpresentationsettings.md + - name: ADMX_MSAPolicy + href: policy-csp-admx-msapolicy.md + - name: ADMX_msched + href: policy-csp-admx-msched.md + - name: ADMX_MSDT + href: policy-csp-admx-msdt.md + - name: ADMX_MSI + href: policy-csp-admx-msi.md + - name: ADMX_MsiFileRecovery + href: policy-csp-admx-msifilerecovery.md + - name: ADMX_MSS-legacy + href: policy-csp-admx-mss-legacy.md + - name: ADMX_nca + href: policy-csp-admx-nca.md + - name: ADMX_NCSI + href: policy-csp-admx-ncsi.md + - name: ADMX_Netlogon + href: policy-csp-admx-netlogon.md + - name: ADMX_NetworkConnections + href: policy-csp-admx-networkconnections.md + - name: ADMX_OfflineFiles + href: policy-csp-admx-offlinefiles.md + - name: ADMX_pca + href: policy-csp-admx-pca.md + - name: ADMX_PeerToPeerCaching + href: policy-csp-admx-peertopeercaching.md + - name: ADMX_PenTraining + href: policy-csp-admx-pentraining.md + - name: ADMX_PerformanceDiagnostics + href: policy-csp-admx-performancediagnostics.md + - name: ADMX_Power + href: policy-csp-admx-power.md + - name: ADMX_PowerShellExecutionPolicy + href: policy-csp-admx-powershellexecutionpolicy.md + - name: ADMX_PreviousVersions + href: policy-csp-admx-previousversions.md + - name: ADMX_Printing + href: policy-csp-admx-printing.md + - name: ADMX_Printing2 + href: policy-csp-admx-printing2.md + - name: ADMX_Programs + href: policy-csp-admx-programs.md + - name: ADMX_QOS + href: policy-csp-admx-qos.md + - name: ADMX_Reliability + href: policy-csp-admx-reliability.md + - name: ADMX_RemoteAssistance + href: policy-csp-admx-remoteassistance.md + - name: ADMX_RemovableStorage + href: policy-csp-admx-removablestorage.md + - name: ADMX_RPC + href: policy-csp-admx-rpc.md + - name: ADMX_sam + href: policy-csp-admx-sam.md + - name: ADMX_Scripts + href: policy-csp-admx-scripts.md + - name: ADMX_sdiageng + href: policy-csp-admx-sdiageng.md + - name: ADMX_sdiagschd + href: policy-csp-admx-sdiagschd.md + - name: ADMX_Securitycenter + href: policy-csp-admx-securitycenter.md + - name: ADMX_Sensors + href: policy-csp-admx-sensors.md + - name: ADMX_ServerManager + href: policy-csp-admx-servermanager.md + - name: ADMX_Servicing + href: policy-csp-admx-servicing.md + - name: ADMX_SettingSync + href: policy-csp-admx-settingsync.md + - name: ADMX_SharedFolders + href: policy-csp-admx-sharedfolders.md + - name: ADMX_Sharing + href: policy-csp-admx-sharing.md + - name: ADMX_ShellCommandPromptRegEditTools + href: policy-csp-admx-shellcommandpromptregedittools.md + - name: ADMX_Smartcard + href: policy-csp-admx-smartcard.md + - name: ADMX_Snmp + href: policy-csp-admx-snmp.md + - name: ADMX_StartMenu + href: policy-csp-admx-startmenu.md + - name: ADMX_SystemRestore + href: policy-csp-admx-systemrestore.md + - name: ADMX_TabletPCInputPanel + href: policy-csp-admx-tabletpcinputpanel.md + - name: ADMX_TabletShell + href: policy-csp-admx-tabletshell.md + - name: ADMX_Taskbar + href: policy-csp-admx-taskbar.md + - name: ADMX_tcpip + href: policy-csp-admx-tcpip.md + - name: ADMX_TerminalServer + href: policy-csp-admx-terminalserver.md + - name: ADMX_Thumbnails + href: policy-csp-admx-thumbnails.md + - name: ADMX_TouchInput + href: policy-csp-admx-touchinput.md + - name: ADMX_TPM + href: policy-csp-admx-tpm.md + - name: ADMX_UserExperienceVirtualization + href: policy-csp-admx-userexperiencevirtualization.md + - name: ADMX_UserProfiles + href: policy-csp-admx-userprofiles.md + - name: ADMX_W32Time + href: policy-csp-admx-w32time.md + - name: ADMX_WCM + href: policy-csp-admx-wcm.md + - name: ADMX_WDI + href: policy-csp-admx-wdi.md + - name: ADMX_WinCal + href: policy-csp-admx-wincal.md + - name: ADMX_WindowsConnectNow + href: policy-csp-admx-windowsconnectnow.md + - name: ADMX_WindowsExplorer + href: policy-csp-admx-windowsexplorer.md + - name: ADMX_WindowsMediaDRM + href: policy-csp-admx-windowsmediadrm.md + - name: ADMX_WindowsMediaPlayer + href: policy-csp-admx-windowsmediaplayer.md + - name: ADMX_WindowsRemoteManagement + href: policy-csp-admx-windowsremotemanagement.md + - name: ADMX_WindowsStore + href: policy-csp-admx-windowsstore.md + - name: ADMX_WinInit + href: policy-csp-admx-wininit.md + - name: ADMX_WinLogon + href: policy-csp-admx-winlogon.md + - name: ADMX_wlansvc + href: policy-csp-admx-wlansvc.md + - name: ADMX_WordWheel + href: policy-csp-admx-wordwheel.md + - name: ADMX_WorkFoldersClient + href: policy-csp-admx-workfoldersclient.md + - name: ADMX_WPN + href: policy-csp-admx-wpn.md + - name: ADMX-Winsrv + href: policy-csp-admx-winsrv.md + - name: ApplicationDefaults + href: policy-csp-applicationdefaults.md + - name: ApplicationManagement + href: policy-csp-applicationmanagement.md + - name: AppRuntime + href: policy-csp-appruntime.md + - name: AppVirtualization + href: policy-csp-appvirtualization.md + - name: AttachmentManager + href: policy-csp-attachmentmanager.md + - name: Audit + href: policy-csp-audit.md + - name: Authentication + href: policy-csp-authentication.md + - name: Autoplay + href: policy-csp-autoplay.md + - name: BitLocker + href: policy-csp-bitlocker.md + - name: BITS + href: policy-csp-bits.md + - name: Bluetooth + href: policy-csp-bluetooth.md + - name: Browser + href: policy-csp-browser.md + - name: Camera + href: policy-csp-camera.md + - name: Cellular + href: policy-csp-cellular.md + - name: CloudDesktop + href: policy-csp-clouddesktop.md + - name: CloudPC + href: policy-csp-cloudpc.md + - name: Connectivity + href: policy-csp-connectivity.md + - name: ControlPolicyConflict + href: policy-csp-controlpolicyconflict.md + - name: CredentialProviders + href: policy-csp-credentialproviders.md + - name: CredentialsDelegation + href: policy-csp-credentialsdelegation.md + - name: CredentialsUI + href: policy-csp-credentialsui.md + - name: Cryptography + href: policy-csp-cryptography.md + - name: DataProtection + href: policy-csp-dataprotection.md + - name: DataUsage + href: policy-csp-datausage.md + - name: Defender + href: policy-csp-defender.md + - name: DeliveryOptimization + href: policy-csp-deliveryoptimization.md + - name: Desktop + href: policy-csp-desktop.md + - name: DesktopAppInstaller + href: policy-csp-desktopappinstaller.md + - name: DeviceGuard + href: policy-csp-deviceguard.md + - name: DeviceHealthMonitoring + href: policy-csp-devicehealthmonitoring.md + - name: DeviceInstallation + href: policy-csp-deviceinstallation.md + - name: DeviceLock + href: policy-csp-devicelock.md + - name: Display + href: policy-csp-display.md + - name: DmaGuard + href: policy-csp-dmaguard.md + - name: EAP + href: policy-csp-eap.md + - name: Education + href: policy-csp-education.md + - name: EnterpriseCloudPrint + href: policy-csp-enterprisecloudprint.md + - name: ErrorReporting + href: policy-csp-errorreporting.md + - name: EventLogService + href: policy-csp-eventlogservice.md + - name: Experience + href: policy-csp-experience.md + - name: ExploitGuard + href: policy-csp-exploitguard.md + - name: Federated Authentication + href: policy-csp-federatedauthentication.md + - name: Feeds + href: policy-csp-feeds.md + - name: FileExplorer + href: policy-csp-fileexplorer.md + - name: Games + href: policy-csp-games.md + - name: Handwriting + href: policy-csp-handwriting.md + - name: HumanPresence + href: policy-csp-humanpresence.md + - name: InternetExplorer + href: policy-csp-internetexplorer.md + - name: Kerberos + href: policy-csp-kerberos.md + - name: KioskBrowser + href: policy-csp-kioskbrowser.md + - name: LanmanWorkstation + href: policy-csp-lanmanworkstation.md + - name: Licensing + href: policy-csp-licensing.md + - name: LocalPoliciesSecurityOptions + href: policy-csp-localpoliciessecurityoptions.md + - name: LocalSecurityAuthority + href: policy-csp-lsa.md + - name: LocalUsersAndGroups + href: policy-csp-localusersandgroups.md + - name: LockDown + href: policy-csp-lockdown.md + - name: Maps + href: policy-csp-maps.md + - name: MemoryDump + href: policy-csp-memorydump.md + - name: Messaging + href: policy-csp-messaging.md + - name: MixedReality + href: policy-csp-mixedreality.md + - name: MSSecurityGuide + href: policy-csp-mssecurityguide.md + - name: MSSLegacy + href: policy-csp-msslegacy.md + - name: Multitasking + href: policy-csp-multitasking.md + - name: NetworkIsolation + href: policy-csp-networkisolation.md + - name: NetworkListManager + href: policy-csp-networklistmanager.md + - name: NewsAndInterests + href: policy-csp-newsandinterests.md + - name: Notifications + href: policy-csp-notifications.md + - name: Power + href: policy-csp-power.md + - name: Printers + href: policy-csp-printers.md + - name: Privacy + href: policy-csp-privacy.md + - name: RemoteAssistance + href: policy-csp-remoteassistance.md + - name: RemoteDesktop + href: policy-csp-remotedesktop.md + - name: RemoteDesktopServices + href: policy-csp-remotedesktopservices.md + - name: RemoteManagement + href: policy-csp-remotemanagement.md + - name: RemoteProcedureCall + href: policy-csp-remoteprocedurecall.md + - name: RemoteShell + href: policy-csp-remoteshell.md + - name: RestrictedGroups + href: policy-csp-restrictedgroups.md + - name: Search + href: policy-csp-search.md + - name: Security + href: policy-csp-security.md + - name: ServiceControlManager + href: policy-csp-servicecontrolmanager.md + - name: Settings + href: policy-csp-settings.md + - name: SettingsSync + href: policy-csp-settingssync.md + - name: Speech + href: policy-csp-speech.md + - name: Start + href: policy-csp-start.md + - name: Stickers + href: policy-csp-stickers.md + - name: Storage + href: policy-csp-storage.md + - name: System + href: policy-csp-system.md + - name: SystemServices + href: policy-csp-systemservices.md + - name: TaskManager + href: policy-csp-taskmanager.md + - name: TaskScheduler + href: policy-csp-taskscheduler.md + - name: TenantDefinedTelemetry + href: policy-csp-tenantdefinedtelemetry.md + - name: TenantRestrictions + href: policy-csp-tenantrestrictions.md + - name: TextInput + href: policy-csp-textinput.md + - name: TimeLanguageSettings + href: policy-csp-timelanguagesettings.md + - name: Troubleshooting + href: policy-csp-troubleshooting.md + - name: Update + href: policy-csp-update.md + - name: UserRights + href: policy-csp-userrights.md + - name: VirtualizationBasedTechnology + href: policy-csp-virtualizationbasedtechnology.md + - name: WebThreatDefense + href: policy-csp-webthreatdefense.md + - name: Wifi + href: policy-csp-wifi.md + - name: WindowsAutoPilot + href: policy-csp-windowsautopilot.md + - name: WindowsConnectionManager + href: policy-csp-windowsconnectionmanager.md + - name: WindowsDefenderSecurityCenter + href: policy-csp-windowsdefendersecuritycenter.md + - name: WindowsDefenderSmartScreen + href: policy-csp-smartscreen.md + - name: WindowsInkWorkspace + href: policy-csp-windowsinkworkspace.md + - name: WindowsLogon + href: policy-csp-windowslogon.md + - name: WindowsPowerShell + href: policy-csp-windowspowershell.md + - name: WindowsSandbox + href: policy-csp-windowssandbox.md + - name: WirelessDisplay + href: policy-csp-wirelessdisplay.md + - name: AccountManagement + href: accountmanagement-csp.md items: - - name: Enable ADMX policies in MDM - href: ../enable-admx-backed-policies-in-mdm.md - - name: Win32 and Desktop Bridge app policy configuration - href: ../win32-and-centennial-app-policy-configuration.md - - name: OMA DM protocol support - href: ../oma-dm-protocol-support.md + - name: AccountManagement DDF file + href: accountmanagement-ddf.md + - name: Accounts + href: accounts-csp.md items: - - name: Structure of OMA DM provisioning files - href: ../structure-of-oma-dm-provisioning-files.md - - name: Server requirements for OMA DM - href: ../server-requirements-windows-mdm.md - - name: Configuration service providers (CSPs) - expanded: true + - name: Accounts DDF file + href: accounts-ddf-file.md + - name: ActiveSync + href: activesync-csp.md items: - - name: Policy - href: policy-configuration-service-provider.md - items: - - name: Policy CSP DDF file - href: policy-ddf-file.md - - name: Policy CSP support scenarios - items: - - name: ADMX policies in Policy CSP - href: policies-in-policy-csp-admx-backed.md - - name: Policies in Policy CSP supported by Group Policy - href: policies-in-policy-csp-supported-by-group-policy.md - - name: Policies in Policy CSP supported by HoloLens 2 - href: policies-in-policy-csp-supported-by-hololens2.md - - name: Policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite - href: policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md - - name: Policies in Policy CSP supported by HoloLens (1st gen) Development Edition - href: policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md - - name: Policies in Policy CSP supported by Windows 10 IoT Core - href: policies-in-policy-csp-supported-by-iot-core.md - - name: Policies in Policy CSP supported by Microsoft Surface Hub - href: policies-in-policy-csp-supported-by-surface-hub.md - - name: Policy CSPs that can be set using Exchange Active Sync (EAS) - href: policies-in-policy-csp-that-can-be-set-using-eas.md - - name: Policy CSP areas - expanded: true - items: - - name: AboveLock - href: policy-csp-abovelock.md - - name: Accounts - href: policy-csp-accounts.md - - name: ActiveXControls - href: policy-csp-activexcontrols.md - - name: ADMX_ActiveXInstallService - href: policy-csp-admx-activexinstallservice.md - - name: ADMX_AddRemovePrograms - href: policy-csp-admx-addremoveprograms.md - - name: ADMX_AdmPwd - href: policy-csp-admx-admpwd.md - - name: ADMX_AppCompat - href: policy-csp-admx-appcompat.md - - name: ADMX_AppxPackageManager - href: policy-csp-admx-appxpackagemanager.md - - name: ADMX_AppXRuntime - href: policy-csp-admx-appxruntime.md - - name: ADMX_AttachmentManager - href: policy-csp-admx-attachmentmanager.md - - name: ADMX_AuditSettings - href: policy-csp-admx-auditsettings.md - - name: ADMX_Bits - href: policy-csp-admx-bits.md - - name: ADMX_CipherSuiteOrder - href: policy-csp-admx-ciphersuiteorder.md - - name: ADMX_COM - href: policy-csp-admx-com.md - - name: ADMX_ControlPanel - href: policy-csp-admx-controlpanel.md - - name: ADMX_ControlPanelDisplay - href: policy-csp-admx-controlpaneldisplay.md - - name: ADMX_Cpls - href: policy-csp-admx-cpls.md - - name: ADMX_CredentialProviders - href: policy-csp-admx-credentialproviders.md - - name: ADMX_CredSsp - href: policy-csp-admx-credssp.md - - name: ADMX_CredUI - href: policy-csp-admx-credui.md - - name: ADMX_CtrlAltDel - href: policy-csp-admx-ctrlaltdel.md - - name: ADMX_DataCollection - href: policy-csp-admx-datacollection.md - - name: ADMX_DCOM - href: policy-csp-admx-dcom.md - - name: ADMX_Desktop - href: policy-csp-admx-desktop.md - - name: ADMX_DeviceCompat - href: policy-csp-admx-devicecompat.md - - name: ADMX_DeviceGuard - href: policy-csp-admx-deviceguard.md - - name: ADMX_DeviceInstallation - href: policy-csp-admx-deviceinstallation.md - - name: ADMX_DeviceSetup - href: policy-csp-admx-devicesetup.md - - name: ADMX_DFS - href: policy-csp-admx-dfs.md - - name: ADMX_DigitalLocker - href: policy-csp-admx-digitallocker.md - - name: ADMX_DiskDiagnostic - href: policy-csp-admx-diskdiagnostic.md - - name: ADMX_DistributedLinkTracking - href: policy-csp-admx-distributedlinktracking.md - - name: ADMX_DnsClient - href: policy-csp-admx-dnsclient.md - - name: ADMX_DWM - href: policy-csp-admx-dwm.md - - name: ADMX_EAIME - href: policy-csp-admx-eaime.md - - name: ADMX_EncryptFilesonMove - href: policy-csp-admx-encryptfilesonmove.md - - name: ADMX_EventLogging - href: policy-csp-admx-eventlogging.md - - name: ADMX_EnhancedStorage - href: policy-csp-admx-enhancedstorage.md - - name: ADMX_ErrorReporting - href: policy-csp-admx-errorreporting.md - - name: ADMX_EventForwarding - href: policy-csp-admx-eventforwarding.md - - name: ADMX_EventLog - href: policy-csp-admx-eventlog.md - - name: ADMX_EventViewer - href: policy-csp-admx-eventviewer.md - - name: ADMX_Explorer - href: policy-csp-admx-explorer.md - - name: ADMX_ExternalBoot - href: policy-csp-admx-externalboot.md - - name: ADMX_FileRecovery - href: policy-csp-admx-filerecovery.md - - name: ADMX_FileRevocation - href: policy-csp-admx-filerevocation.md - - name: ADMX_FileServerVSSProvider - href: policy-csp-admx-fileservervssprovider.md - - name: ADMX_FileSys - href: policy-csp-admx-filesys.md - - name: ADMX_FolderRedirection - href: policy-csp-admx-folderredirection.md - - name: ADMX_FramePanes - href: policy-csp-admx-framepanes.md - - name: ADMX_FTHSVC - href: policy-csp-admx-fthsvc.md - - name: ADMX_Globalization - href: policy-csp-admx-globalization.md - - name: ADMX_GroupPolicy - href: policy-csp-admx-grouppolicy.md - - name: ADMX_Help - href: policy-csp-admx-help.md - - name: ADMX_HelpAndSupport - href: policy-csp-admx-helpandsupport.md - - name: ADMX_HotSpotAuth - href: policy-csp-admx-hotspotauth.md - - name: ADMX_ICM - href: policy-csp-admx-icm.md - - name: ADMX_IIS - href: policy-csp-admx-iis.md - - name: ADMX_iSCSI - href: policy-csp-admx-iscsi.md - - name: ADMX_kdc - href: policy-csp-admx-kdc.md - - name: ADMX_Kerberos - href: policy-csp-admx-kerberos.md - - name: ADMX_LanmanServer - href: policy-csp-admx-lanmanserver.md - - name: ADMX_LanmanWorkstation - href: policy-csp-admx-lanmanworkstation.md - - name: ADMX_LeakDiagnostic - href: policy-csp-admx-leakdiagnostic.md - - name: ADMX_LinkLayerTopologyDiscovery - href: policy-csp-admx-linklayertopologydiscovery.md - - name: ADMX_LocationProviderAdm - href: policy-csp-admx-locationprovideradm.md - - name: ADMX_Logon - href: policy-csp-admx-logon.md - - name: ADMX_MicrosoftDefenderAntivirus - href: policy-csp-admx-microsoftdefenderantivirus.md - - name: ADMX_MMC - href: policy-csp-admx-mmc.md - - name: ADMX_MMCSnapins - href: policy-csp-admx-mmcsnapins.md - - name: ADMX_MobilePCMobilityCenter - href: policy-csp-admx-mobilepcmobilitycenter.md - - name: ADMX_MobilePCPresentationSettings - href: policy-csp-admx-mobilepcpresentationsettings.md - - name: ADMX_MSAPolicy - href: policy-csp-admx-msapolicy.md - - name: ADMX_msched - href: policy-csp-admx-msched.md - - name: ADMX_MSDT - href: policy-csp-admx-msdt.md - - name: ADMX_MSI - href: policy-csp-admx-msi.md - - name: ADMX_MsiFileRecovery - href: policy-csp-admx-msifilerecovery.md - - name: ADMX_nca - href: policy-csp-admx-nca.md - - name: ADMX_NCSI - href: policy-csp-admx-ncsi.md - - name: ADMX_Netlogon - href: policy-csp-admx-netlogon.md - - name: ADMX_NetworkConnections - href: policy-csp-admx-networkconnections.md - - name: ADMX_OfflineFiles - href: policy-csp-admx-offlinefiles.md - - name: ADMX_pca - href: policy-csp-admx-pca.md - - name: ADMX_PeerToPeerCaching - href: policy-csp-admx-peertopeercaching.md - - name: ADMX_PenTraining - href: policy-csp-admx-pentraining.md - - name: ADMX_PerformanceDiagnostics - href: policy-csp-admx-performancediagnostics.md - - name: ADMX_Power - href: policy-csp-admx-power.md - - name: ADMX_PowerShellExecutionPolicy - href: policy-csp-admx-powershellexecutionpolicy.md - - name: ADMX_PreviousVersions - href: policy-csp-admx-previousversions.md - - name: ADMX_Printing - href: policy-csp-admx-printing.md - - name: ADMX_Printing2 - href: policy-csp-admx-printing2.md - - name: ADMX_Programs - href: policy-csp-admx-programs.md - - name: ADMX_Reliability - href: policy-csp-admx-reliability.md - - name: ADMX_RemoteAssistance - href: policy-csp-admx-remoteassistance.md - - name: ADMX_RemovableStorage - href: policy-csp-admx-removablestorage.md - - name: ADMX_RPC - href: policy-csp-admx-rpc.md - - name: ADMX_Scripts - href: policy-csp-admx-scripts.md - - name: ADMX_sdiageng - href: policy-csp-admx-sdiageng.md - - name: ADMX_sdiagschd - href: policy-csp-admx-sdiagschd.md - - name: ADMX_Securitycenter - href: policy-csp-admx-securitycenter.md - - name: ADMX_Sensors - href: policy-csp-admx-sensors.md - - name: ADMX_ServerManager - href: policy-csp-admx-servermanager.md - - name: ADMX_Servicing - href: policy-csp-admx-servicing.md - - name: ADMX_SettingSync - href: policy-csp-admx-settingsync.md - - name: ADMX_SharedFolders - href: policy-csp-admx-sharedfolders.md - - name: ADMX_Sharing - href: policy-csp-admx-sharing.md - - name: ADMX_ShellCommandPromptRegEditTools - href: policy-csp-admx-shellcommandpromptregedittools.md - - name: ADMX_Smartcard - href: policy-csp-admx-smartcard.md - - name: ADMX_Snmp - href: policy-csp-admx-snmp.md - - name: ADMX_StartMenu - href: policy-csp-admx-startmenu.md - - name: ADMX_SystemRestore - href: policy-csp-admx-systemrestore.md - - name: ADMX_TabletShell - href: policy-csp-admx-tabletshell.md - - name: ADMX_Taskbar - href: policy-csp-admx-taskbar.md - - name: ADMX_tcpip - href: policy-csp-admx-tcpip.md - - name: ADMX_TerminalServer - href: policy-csp-admx-terminalserver.md - - name: ADMX_Thumbnails - href: policy-csp-admx-thumbnails.md - - name: ADMX_TouchInput - href: policy-csp-admx-touchinput.md - - name: ADMX_TPM - href: policy-csp-admx-tpm.md - - name: ADMX_UserExperienceVirtualization - href: policy-csp-admx-userexperiencevirtualization.md - - name: ADMX_UserProfiles - href: policy-csp-admx-userprofiles.md - - name: ADMX_W32Time - href: policy-csp-admx-w32time.md - - name: ADMX_WCM - href: policy-csp-admx-wcm.md - - name: ADMX_WDI - href: policy-csp-admx-wdi.md - - name: ADMX_WinCal - href: policy-csp-admx-wincal.md - - name: ADMX_WindowsConnectNow - href: policy-csp-admx-windowsconnectnow.md - - name: ADMX_WindowsExplorer - href: policy-csp-admx-windowsexplorer.md - - name: ADMX_WindowsMediaDRM - href: policy-csp-admx-windowsmediadrm.md - - name: ADMX_WindowsMediaPlayer - href: policy-csp-admx-windowsmediaplayer.md - - name: ADMX_WindowsRemoteManagement - href: policy-csp-admx-windowsremotemanagement.md - - name: ADMX_WindowsStore - href: policy-csp-admx-windowsstore.md - - name: ADMX_WinInit - href: policy-csp-admx-wininit.md - - name: ADMX_WinLogon - href: policy-csp-admx-winlogon.md - - name: ADMX-Winsrv - href: policy-csp-admx-winsrv.md - - name: ADMX_wlansvc - href: policy-csp-admx-wlansvc.md - - name: ADMX_WordWheel - href: policy-csp-admx-wordwheel.md - - name: ADMX_WorkFoldersClient - href: policy-csp-admx-workfoldersclient.md - - name: ADMX_WPN - href: policy-csp-admx-wpn.md - - name: ApplicationDefaults - href: policy-csp-applicationdefaults.md - - name: ApplicationManagement - href: policy-csp-applicationmanagement.md - - name: AppRuntime - href: policy-csp-appruntime.md - - name: AppVirtualization - href: policy-csp-appvirtualization.md - - name: AttachmentManager - href: policy-csp-attachmentmanager.md - - name: Audit - href: policy-csp-audit.md - - name: Authentication - href: policy-csp-authentication.md - - name: Autoplay - href: policy-csp-autoplay.md - - name: BitLocker - href: policy-csp-bitlocker.md - - name: BITS - href: policy-csp-bits.md - - name: Bluetooth - href: policy-csp-bluetooth.md - - name: Browser - href: policy-csp-browser.md - - name: Camera - href: policy-csp-camera.md - - name: Cellular - href: policy-csp-cellular.md - - name: Connectivity - href: policy-csp-connectivity.md - - name: ControlPolicyConflict - href: policy-csp-controlpolicyconflict.md - - name: CredentialsDelegation - href: policy-csp-credentialsdelegation.md - - name: CredentialProviders - href: policy-csp-credentialproviders.md - - name: CredentialsUI - href: policy-csp-credentialsui.md - - name: Cryptography - href: policy-csp-cryptography.md - - name: DataProtection - href: policy-csp-dataprotection.md - - name: DataUsage - href: policy-csp-datausage.md - - name: Defender - href: policy-csp-defender.md - - name: DeliveryOptimization - href: policy-csp-deliveryoptimization.md - - name: Desktop - href: policy-csp-desktop.md - - name: DesktopAppInstaller - href: policy-csp-desktopappinstaller.md - - name: DeviceGuard - href: policy-csp-deviceguard.md - - name: DeviceHealthMonitoring - href: policy-csp-devicehealthmonitoring.md - - name: DeviceInstallation - href: policy-csp-deviceinstallation.md - - name: DeviceLock - href: policy-csp-devicelock.md - - name: Display - href: policy-csp-display.md - - name: DmaGuard - href: policy-csp-dmaguard.md - - name: EAP - href: policy-csp-eap.md - - name: Education - href: policy-csp-education.md - - name: EnterpriseCloudPrint - href: policy-csp-enterprisecloudprint.md - - name: ErrorReporting - href: policy-csp-errorreporting.md - - name: EventLogService - href: policy-csp-eventlogservice.md - - name: Experience - href: policy-csp-experience.md - - name: ExploitGuard - href: policy-csp-exploitguard.md - - name: Federated Authentication - href: policy-csp-federatedauthentication.md - - name: Feeds - href: policy-csp-feeds.md - - name: FileExplorer - href: policy-csp-fileexplorer.md - - name: Games - href: policy-csp-games.md - - name: Handwriting - href: policy-csp-handwriting.md - - name: HumanPresence - href: policy-csp-humanpresence.md - - name: InternetExplorer - href: policy-csp-internetexplorer.md - - name: Kerberos - href: policy-csp-kerberos.md - - name: KioskBrowser - href: policy-csp-kioskbrowser.md - - name: LanmanWorkstation - href: policy-csp-lanmanworkstation.md - - name: Licensing - href: policy-csp-licensing.md - - name: LocalPoliciesSecurityOptions - href: policy-csp-localpoliciessecurityoptions.md - - name: LocalSecurityAuthority - href: policy-csp-lsa.md - - name: LocalUsersAndGroups - href: policy-csp-localusersandgroups.md - - name: LockDown - href: policy-csp-lockdown.md - - name: Maps - href: policy-csp-maps.md - - name: MemoryDump - href: policy-csp-memorydump.md - - name: Messaging - href: policy-csp-messaging.md - - name: MixedReality - href: policy-csp-mixedreality.md - - name: MSSecurityGuide - href: policy-csp-mssecurityguide.md - - name: MSSLegacy - href: policy-csp-msslegacy.md - - name: Multitasking - href: policy-csp-multitasking.md - - name: NetworkIsolation - href: policy-csp-networkisolation.md - - name: NetworkListManager - href: policy-csp-networklistmanager.md - - name: NewsAndInterests - href: policy-csp-newsandinterests.md - - name: Notifications - href: policy-csp-notifications.md - - name: Power - href: policy-csp-power.md - - name: Printers - href: policy-csp-printers.md - - name: Privacy - href: policy-csp-privacy.md - - name: RemoteAssistance - href: policy-csp-remoteassistance.md - - name: RemoteDesktop - href: policy-csp-remotedesktop.md - - name: RemoteDesktopServices - href: policy-csp-remotedesktopservices.md - - name: RemoteManagement - href: policy-csp-remotemanagement.md - - name: RemoteProcedureCall - href: policy-csp-remoteprocedurecall.md - - name: RemoteShell - href: policy-csp-remoteshell.md - - name: RestrictedGroups - href: policy-csp-restrictedgroups.md - - name: Search - href: policy-csp-search.md - - name: Security - href: policy-csp-security.md - - name: ServiceControlManager - href: policy-csp-servicecontrolmanager.md - - name: Settings - href: policy-csp-settings.md - - name: Speech - href: policy-csp-speech.md - - name: Start - href: policy-csp-start.md - - name: Storage - href: policy-csp-storage.md - - name: System - href: policy-csp-system.md - - name: SystemServices - href: policy-csp-systemservices.md - - name: TaskManager - href: policy-csp-taskmanager.md - - name: TaskScheduler - href: policy-csp-taskscheduler.md - - name: TextInput - href: policy-csp-textinput.md - - name: TimeLanguageSettings - href: policy-csp-timelanguagesettings.md - - name: Troubleshooting - href: policy-csp-troubleshooting.md - - name: Update - href: policy-csp-update.md - - name: UserRights - href: policy-csp-userrights.md - - name: VirtualizationBasedTechnology - href: policy-csp-virtualizationbasedtechnology.md - - name: WebThreatDefense - href: policy-csp-webthreatdefense.md - - name: Wifi - href: policy-csp-wifi.md - - name: WindowsAutoPilot - href: policy-csp-windowsautopilot.md - - name: WindowsConnectionManager - href: policy-csp-windowsconnectionmanager.md - - name: WindowsDefenderSecurityCenter - href: policy-csp-windowsdefendersecuritycenter.md - - name: WindowsDefenderSmartScreen - href: policy-csp-smartscreen.md - - name: WindowsInkWorkspace - href: policy-csp-windowsinkworkspace.md - - name: WindowsLogon - href: policy-csp-windowslogon.md - - name: WindowsPowerShell - href: policy-csp-windowspowershell.md - - name: WindowsSandbox - href: policy-csp-windowssandbox.md - - name: WirelessDisplay - href: policy-csp-wirelessdisplay.md - - name: AccountManagement - href: accountmanagement-csp.md - items: - - name: AccountManagement DDF file - href: accountmanagement-ddf.md - - name: Accounts - href: accounts-csp.md - items: - - name: Accounts DDF file - href: accounts-ddf-file.md - - name: ActiveSync - href: activesync-csp.md - items: - - name: ActiveSync DDF file - href: activesync-ddf-file.md - - name: AllJoynManagement - href: alljoynmanagement-csp.md - items: - - name: AllJoynManagement DDF - href: alljoynmanagement-ddf.md - - name: APPLICATION - href: application-csp.md - - name: ApplicationControl - href: applicationcontrol-csp.md - items: - - name: ApplicationControl DDF file - href: applicationcontrol-csp-ddf.md - - name: AppLocker - href: applocker-csp.md - items: - - name: AppLocker DDF file - href: applocker-ddf-file.md - - name: AppLocker XSD - href: applocker-xsd.md - - name: AssignedAccess - href: assignedaccess-csp.md - items: - - name: AssignedAccess DDF file - href: assignedaccess-ddf.md - - name: BitLocker - href: bitlocker-csp.md - items: - - name: BitLocker DDF file - href: bitlocker-ddf-file.md - - name: CellularSettings - href: cellularsettings-csp.md - - name: CertificateStore - href: certificatestore-csp.md - items: - - name: CertificateStore DDF file - href: certificatestore-ddf-file.md - - name: CleanPC - href: cleanpc-csp.md - items: - - name: CleanPC DDF - href: cleanpc-ddf.md - - name: ClientCertificateInstall - href: clientcertificateinstall-csp.md - items: - - name: ClientCertificateInstall DDF file - href: clientcertificateinstall-ddf-file.md - - name: CM_CellularEntries - href: cm-cellularentries-csp.md - - name: CMPolicy - href: cmpolicy-csp.md - - name: CMPolicyEnterprise - href: cmpolicyenterprise-csp.md - items: - - name: CMPolicyEnterprise DDF file - href: cmpolicyenterprise-ddf-file.md - - name: CustomDeviceUI - href: customdeviceui-csp.md - items: - - name: CustomDeviceUI DDF file - href: customdeviceui-ddf.md - - name: Defender - href: defender-csp.md - items: - - name: Defender DDF file - href: defender-ddf.md - - name: DevDetail - href: devdetail-csp.md - items: - - name: DevDetail DDF file - href: devdetail-ddf-file.md - - name: DeveloperSetup - href: developersetup-csp.md - items: - - name: DeveloperSetup DDF - href: developersetup-ddf.md - - name: DeviceLock - href: devicelock-csp.md - items: - - name: DeviceLock DDF file - href: devicelock-ddf-file.md - - name: DeviceManageability - href: devicemanageability-csp.md - items: - - name: DeviceManageability DDF - href: devicemanageability-ddf.md - - name: DeviceStatus - href: devicestatus-csp.md - items: - - name: DeviceStatus DDF - href: devicestatus-ddf.md - - name: DevInfo - href: devinfo-csp.md - items: - - name: DevInfo DDF file - href: devinfo-ddf-file.md - - name: DiagnosticLog - href: diagnosticlog-csp.md - items: - - name: DiagnosticLog DDF file - href: diagnosticlog-ddf.md - - name: DMAcc - href: dmacc-csp.md - items: - - name: DMAcc DDF file - href: dmacc-ddf-file.md - - name: DMClient - href: dmclient-csp.md - items: - - name: DMClient DDF file - href: dmclient-ddf-file.md - - name: DMSessionActions - href: dmsessionactions-csp.md - items: - - name: DMSessionActions DDF file - href: dmsessionactions-ddf.md - - name: DynamicManagement - href: dynamicmanagement-csp.md - items: - - name: DynamicManagement DDF file - href: dynamicmanagement-ddf.md - - name: EMAIL2 - href: email2-csp.md - items: - - name: EMAIL2 DDF file - href: email2-ddf-file.md - - name: EnrollmentStatusTracking - href: enrollmentstatustracking-csp.md - items: - - name: EnrollmentStatusTracking DDF file - href: enrollmentstatustracking-csp-ddf.md - - name: EnterpriseAPN - href: enterpriseapn-csp.md - items: - - name: EnterpriseAPN DDF - href: enterpriseapn-ddf.md - - name: EnterpriseAppVManagement - href: enterpriseappvmanagement-csp.md - items: - - name: EnterpriseAppVManagement DDF file - href: enterpriseappvmanagement-ddf.md - - name: EnterpriseDataProtection - href: enterprisedataprotection-csp.md - items: - - name: EnterpriseDataProtection DDF file - href: enterprisedataprotection-ddf-file.md - - name: EnterpriseDesktopAppManagement - href: enterprisedesktopappmanagement-csp.md - items: - - name: EnterpriseDesktopAppManagement DDF - href: enterprisedesktopappmanagement-ddf-file.md - - name: EnterpriseDesktopAppManagement XSD - href: enterprisedesktopappmanagement2-xsd.md - - name: EnterpriseModernAppManagement - href: enterprisemodernappmanagement-csp.md - items: - - name: EnterpriseModernAppManagement DDF - href: enterprisemodernappmanagement-ddf.md - - name: EnterpriseModernAppManagement XSD - href: enterprisemodernappmanagement-xsd.md - - name: eUICCs - href: euiccs-csp.md - items: - - name: eUICCs DDF file - href: euiccs-ddf-file.md - - name: Firewall - href: firewall-csp.md - items: - - name: Firewall DDF file - href: firewall-ddf-file.md - - name: HealthAttestation - href: healthattestation-csp.md - items: - - name: HealthAttestation DDF - href: healthattestation-ddf.md - - name: Local Administrator Password Solution - href: laps-csp.md - items: - - name: Local Administrator Password Solution DDF - href: laps-ddf-file.md - - name: MultiSIM - href: multisim-csp.md - items: - - name: MultiSIM DDF file - href: multisim-ddf.md - - name: NAP - href: nap-csp.md - - name: NAPDEF - href: napdef-csp.md - - name: NetworkProxy - href: networkproxy-csp.md - items: - - name: NetworkProxy DDF file - href: networkproxy-ddf.md - - name: NetworkQoSPolicy - href: networkqospolicy-csp.md - items: - - name: NetworkQoSPolicy DDF file - href: networkqospolicy-ddf.md - - name: NodeCache - href: nodecache-csp.md - items: - - name: NodeCache DDF file - href: nodecache-ddf-file.md - - name: Office - href: office-csp.md - items: - - name: Office DDF - href: office-ddf.md - - name: PassportForWork - href: passportforwork-csp.md - items: - - name: PassportForWork DDF file - href: passportforwork-ddf.md - - name: PersonalDataEncryption - href: personaldataencryption-csp.md - items: - - name: PersonalDataEncryption DDF file - href: personaldataencryption-ddf-file.md - - name: Personalization - href: personalization-csp.md - items: - - name: Personalization DDF file - href: personalization-ddf.md - - name: Provisioning - href: provisioning-csp.md - - name: PXLOGICAL - href: pxlogical-csp.md - - name: Reboot - href: reboot-csp.md - items: - - name: Reboot DDF file - href: reboot-ddf-file.md - - name: RemoteFind - href: remotefind-csp.md - items: - - name: RemoteFind DDF file - href: remotefind-ddf-file.md - - name: RemoteWipe - href: remotewipe-csp.md - items: - - name: RemoteWipe DDF file - href: remotewipe-ddf-file.md - - name: Reporting - href: reporting-csp.md - items: - - name: Reporting DDF file - href: reporting-ddf-file.md - - name: RootCATrustedCertificates - href: rootcacertificates-csp.md - items: - - name: RootCATrustedCertificates DDF file - href: rootcacertificates-ddf-file.md - - name: SecureAssessment - href: secureassessment-csp.md - items: - - name: SecureAssessment DDF file - href: secureassessment-ddf-file.md - - name: SecurityPolicy - href: securitypolicy-csp.md - - name: SharedPC - href: sharedpc-csp.md - items: - - name: SharedPC DDF file - href: sharedpc-ddf-file.md - - name: Storage - href: storage-csp.md - items: - - name: Storage DDF file - href: storage-ddf-file.md - - name: SUPL - href: supl-csp.md - items: - - name: SUPL DDF file - href: supl-ddf-file.md - - name: SurfaceHub - href: surfacehub-csp.md - items: - - name: SurfaceHub DDF file - href: surfacehub-ddf-file.md - - name: TenantLockdown - href: tenantlockdown-csp.md - items: - - name: TenantLockdown DDF file - href: tenantlockdown-ddf.md - - name: TPMPolicy - href: tpmpolicy-csp.md - items: - - name: TPMPolicy DDF file - href: tpmpolicy-ddf-file.md - - name: UEFI - href: uefi-csp.md - items: - - name: UEFI DDF file - href: uefi-ddf.md - - name: UnifiedWriteFilter - href: unifiedwritefilter-csp.md - items: - - name: UnifiedWriteFilter DDF file - href: unifiedwritefilter-ddf.md - - name: UniversalPrint - href: universalprint-csp.md - items: - - name: UniversalPrint DDF file - href: universalprint-ddf-file.md - - name: Update - href: update-csp.md - items: - - name: Update DDF file - href: update-ddf-file.md - - name: VPN - href: vpn-csp.md - items: - - name: VPN DDF file - href: vpn-ddf-file.md - - name: VPNv2 - href: vpnv2-csp.md - items: - - name: VPNv2 DDF file - href: vpnv2-ddf-file.md - - name: ProfileXML XSD - href: vpnv2-profile-xsd.md - - name: EAP configuration - href: eap-configuration.md - - name: w4 APPLICATION - href: w4-application-csp.md - - name: w7 APPLICATION - href: w7-application-csp.md - - name: WiFi - href: wifi-csp.md - items: - - name: WiFi DDF file - href: wifi-ddf-file.md - - name: Win32AppInventory - href: win32appinventory-csp.md - items: - - name: Win32AppInventory DDF file - href: win32appinventory-ddf-file.md - - name: Win32CompatibilityAppraiser - href: win32compatibilityappraiser-csp.md - items: - - name: Win32CompatibilityAppraiser DDF file - href: win32compatibilityappraiser-ddf.md - - name: WindowsAdvancedThreatProtection - href: windowsadvancedthreatprotection-csp.md - items: - - name: WindowsAdvancedThreatProtection DDF file - href: windowsadvancedthreatprotection-ddf.md - - name: WindowsAutopilot - href: windowsautopilot-csp.md - items: - - name: WindowsAutopilot DDF file - href: windowsautopilot-ddf-file.md - - name: WindowsDefenderApplicationGuard - href: windowsdefenderapplicationguard-csp.md - items: - - name: WindowsDefenderApplicationGuard DDF file - href: windowsdefenderapplicationguard-ddf-file.md - - name: WindowsLicensing - href: windowslicensing-csp.md - items: - - name: WindowsLicensing DDF file - href: windowslicensing-ddf-file.md - - name: WiredNetwork - href: wirednetwork-csp.md - items: - - name: WiredNetwork DDF file - href: wirednetwork-ddf-file.md + - name: ActiveSync DDF file + href: activesync-ddf-file.md + - name: AllJoynManagement + href: alljoynmanagement-csp.md + items: + - name: AllJoynManagement DDF + href: alljoynmanagement-ddf.md + - name: APPLICATION + href: application-csp.md + - name: ApplicationControl + href: applicationcontrol-csp.md + items: + - name: ApplicationControl DDF file + href: applicationcontrol-csp-ddf.md + - name: AppLocker + href: applocker-csp.md + items: + - name: AppLocker DDF file + href: applocker-ddf-file.md + - name: AppLocker XSD + href: applocker-xsd.md + - name: AssignedAccess + href: assignedaccess-csp.md + items: + - name: AssignedAccess DDF file + href: assignedaccess-ddf.md + - name: BitLocker + href: bitlocker-csp.md + items: + - name: BitLocker DDF file + href: bitlocker-ddf-file.md + - name: CellularSettings + href: cellularsettings-csp.md + - name: CertificateStore + href: certificatestore-csp.md + items: + - name: CertificateStore DDF file + href: certificatestore-ddf-file.md + - name: CleanPC + href: cleanpc-csp.md + items: + - name: CleanPC DDF + href: cleanpc-ddf.md + - name: ClientCertificateInstall + href: clientcertificateinstall-csp.md + items: + - name: ClientCertificateInstall DDF file + href: clientcertificateinstall-ddf-file.md + - name: CM_CellularEntries + href: cm-cellularentries-csp.md + - name: CMPolicy + href: cmpolicy-csp.md + - name: CMPolicyEnterprise + href: cmpolicyenterprise-csp.md + items: + - name: CMPolicyEnterprise DDF file + href: cmpolicyenterprise-ddf-file.md + - name: CustomDeviceUI + href: customdeviceui-csp.md + items: + - name: CustomDeviceUI DDF file + href: customdeviceui-ddf.md + - name: Defender + href: defender-csp.md + items: + - name: Defender DDF file + href: defender-ddf.md + - name: DevDetail + href: devdetail-csp.md + items: + - name: DevDetail DDF file + href: devdetail-ddf-file.md + - name: DeveloperSetup + href: developersetup-csp.md + items: + - name: DeveloperSetup DDF + href: developersetup-ddf.md + - name: DeviceLock + href: devicelock-csp.md + items: + - name: DeviceLock DDF file + href: devicelock-ddf-file.md + - name: DeviceManageability + href: devicemanageability-csp.md + items: + - name: DeviceManageability DDF + href: devicemanageability-ddf.md + - name: DeviceStatus + href: devicestatus-csp.md + items: + - name: DeviceStatus DDF + href: devicestatus-ddf.md + - name: DevInfo + href: devinfo-csp.md + items: + - name: DevInfo DDF file + href: devinfo-ddf-file.md + - name: DiagnosticLog + href: diagnosticlog-csp.md + items: + - name: DiagnosticLog DDF file + href: diagnosticlog-ddf.md + - name: DMAcc + href: dmacc-csp.md + items: + - name: DMAcc DDF file + href: dmacc-ddf-file.md + - name: DMClient + href: dmclient-csp.md + items: + - name: DMClient DDF file + href: dmclient-ddf-file.md + - name: DMSessionActions + href: dmsessionactions-csp.md + items: + - name: DMSessionActions DDF file + href: dmsessionactions-ddf.md + - name: DynamicManagement + href: dynamicmanagement-csp.md + items: + - name: DynamicManagement DDF file + href: dynamicmanagement-ddf.md + - name: EMAIL2 + href: email2-csp.md + items: + - name: EMAIL2 DDF file + href: email2-ddf-file.md + - name: EnrollmentStatusTracking + href: enrollmentstatustracking-csp.md + items: + - name: EnrollmentStatusTracking DDF file + href: enrollmentstatustracking-csp-ddf.md + - name: EnterpriseAPN + href: enterpriseapn-csp.md + items: + - name: EnterpriseAPN DDF + href: enterpriseapn-ddf.md + - name: EnterpriseAppVManagement + href: enterpriseappvmanagement-csp.md + items: + - name: EnterpriseAppVManagement DDF file + href: enterpriseappvmanagement-ddf.md + - name: EnterpriseDataProtection + href: enterprisedataprotection-csp.md + items: + - name: EnterpriseDataProtection DDF file + href: enterprisedataprotection-ddf-file.md + - name: EnterpriseDesktopAppManagement + href: enterprisedesktopappmanagement-csp.md + items: + - name: EnterpriseDesktopAppManagement DDF + href: enterprisedesktopappmanagement-ddf-file.md + - name: EnterpriseDesktopAppManagement XSD + href: enterprisedesktopappmanagement2-xsd.md + - name: EnterpriseModernAppManagement + href: enterprisemodernappmanagement-csp.md + items: + - name: EnterpriseModernAppManagement DDF + href: enterprisemodernappmanagement-ddf.md + - name: EnterpriseModernAppManagement XSD + href: enterprisemodernappmanagement-xsd.md + - name: eUICCs + href: euiccs-csp.md + items: + - name: eUICCs DDF file + href: euiccs-ddf-file.md + - name: Firewall + href: firewall-csp.md + items: + - name: Firewall DDF file + href: firewall-ddf-file.md + - name: HealthAttestation + href: healthattestation-csp.md + items: + - name: HealthAttestation DDF + href: healthattestation-ddf.md + - name: Local Administrator Password Solution + href: laps-csp.md + items: + - name: Local Administrator Password Solution DDF + href: laps-ddf-file.md + - name: MultiSIM + href: multisim-csp.md + items: + - name: MultiSIM DDF file + href: multisim-ddf.md + - name: NAP + href: nap-csp.md + - name: NAPDEF + href: napdef-csp.md + - name: NetworkProxy + href: networkproxy-csp.md + items: + - name: NetworkProxy DDF file + href: networkproxy-ddf.md + - name: NetworkQoSPolicy + href: networkqospolicy-csp.md + items: + - name: NetworkQoSPolicy DDF file + href: networkqospolicy-ddf.md + - name: NodeCache + href: nodecache-csp.md + items: + - name: NodeCache DDF file + href: nodecache-ddf-file.md + - name: Office + href: office-csp.md + items: + - name: Office DDF + href: office-ddf.md + - name: PassportForWork + href: passportforwork-csp.md + items: + - name: PassportForWork DDF file + href: passportforwork-ddf.md + - name: PersonalDataEncryption + href: personaldataencryption-csp.md + items: + - name: PersonalDataEncryption DDF file + href: personaldataencryption-ddf-file.md + - name: Personalization + href: personalization-csp.md + items: + - name: Personalization DDF file + href: personalization-ddf.md + - name: Provisioning + href: provisioning-csp.md + - name: PXLOGICAL + href: pxlogical-csp.md + - name: Reboot + href: reboot-csp.md + items: + - name: Reboot DDF file + href: reboot-ddf-file.md + - name: RemoteFind + href: remotefind-csp.md + items: + - name: RemoteFind DDF file + href: remotefind-ddf-file.md + - name: RemoteWipe + href: remotewipe-csp.md + items: + - name: RemoteWipe DDF file + href: remotewipe-ddf-file.md + - name: Reporting + href: reporting-csp.md + items: + - name: Reporting DDF file + href: reporting-ddf-file.md + - name: RootCATrustedCertificates + href: rootcacertificates-csp.md + items: + - name: RootCATrustedCertificates DDF file + href: rootcacertificates-ddf-file.md + - name: SecureAssessment + href: secureassessment-csp.md + items: + - name: SecureAssessment DDF file + href: secureassessment-ddf-file.md + - name: SecurityPolicy + href: securitypolicy-csp.md + - name: SharedPC + href: sharedpc-csp.md + items: + - name: SharedPC DDF file + href: sharedpc-ddf-file.md + - name: Storage + href: storage-csp.md + items: + - name: Storage DDF file + href: storage-ddf-file.md + - name: SUPL + href: supl-csp.md + items: + - name: SUPL DDF file + href: supl-ddf-file.md + - name: SurfaceHub + href: surfacehub-csp.md + items: + - name: SurfaceHub DDF file + href: surfacehub-ddf-file.md + - name: TenantLockdown + href: tenantlockdown-csp.md + items: + - name: TenantLockdown DDF file + href: tenantlockdown-ddf.md + - name: TPMPolicy + href: tpmpolicy-csp.md + items: + - name: TPMPolicy DDF file + href: tpmpolicy-ddf-file.md + - name: UEFI + href: uefi-csp.md + items: + - name: UEFI DDF file + href: uefi-ddf.md + - name: UnifiedWriteFilter + href: unifiedwritefilter-csp.md + items: + - name: UnifiedWriteFilter DDF file + href: unifiedwritefilter-ddf.md + - name: UniversalPrint + href: universalprint-csp.md + items: + - name: UniversalPrint DDF file + href: universalprint-ddf-file.md + - name: Update + href: update-csp.md + items: + - name: Update DDF file + href: update-ddf-file.md + - name: VPN + href: vpn-csp.md + items: + - name: VPN DDF file + href: vpn-ddf-file.md + - name: VPNv2 + href: vpnv2-csp.md + items: + - name: VPNv2 DDF file + href: vpnv2-ddf-file.md + - name: ProfileXML XSD + href: vpnv2-profile-xsd.md + - name: EAP configuration + href: eap-configuration.md + - name: w4 APPLICATION + href: w4-application-csp.md + - name: w7 APPLICATION + href: w7-application-csp.md + - name: WiFi + href: wifi-csp.md + items: + - name: WiFi DDF file + href: wifi-ddf-file.md + - name: Win32AppInventory + href: win32appinventory-csp.md + items: + - name: Win32AppInventory DDF file + href: win32appinventory-ddf-file.md + - name: Win32CompatibilityAppraiser + href: win32compatibilityappraiser-csp.md + items: + - name: Win32CompatibilityAppraiser DDF file + href: win32compatibilityappraiser-ddf.md + - name: WindowsAdvancedThreatProtection + href: windowsadvancedthreatprotection-csp.md + items: + - name: WindowsAdvancedThreatProtection DDF file + href: windowsadvancedthreatprotection-ddf.md + - name: WindowsAutopilot + href: windowsautopilot-csp.md + items: + - name: WindowsAutopilot DDF file + href: windowsautopilot-ddf-file.md + - name: WindowsDefenderApplicationGuard + href: windowsdefenderapplicationguard-csp.md + items: + - name: WindowsDefenderApplicationGuard DDF file + href: windowsdefenderapplicationguard-ddf-file.md + - name: WindowsLicensing + href: windowslicensing-csp.md + items: + - name: WindowsLicensing DDF file + href: windowslicensing-ddf-file.md + - name: WiredNetwork + href: wirednetwork-csp.md + items: + - name: WiredNetwork DDF file + href: wirednetwork-ddf-file.md diff --git a/windows/client-management/new-in-windows-mdm-enrollment-management.md b/windows/client-management/new-in-windows-mdm-enrollment-management.md index b87e711db8..74ca04fcc6 100644 --- a/windows/client-management/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/new-in-windows-mdm-enrollment-management.md @@ -348,9 +348,9 @@ No. Only one MDM is allowed. Entry | Description --------------- | -------------------- -What is dmwappushsvc? | It's a Windows service that ships in Windows 10 and Windows 11 operating system as a part of the windows management platform. It's used internally by the operating system as a queue for categorizing and processing all WAP messages, which include Windows management messages, MMS, NabSync, and Service Indication/Service Loading (SI/SL). The service also initiates and orchestrates management sync sessions with the MDM server. | -What data is handled by dmwappushsvc? | It's a component handling the internal workings of the management platform and involved in processing messages that have been received by the device remotely for management. The messages in the queue are serviced by another component that is also part of the Windows management stack to process messages. The service also routes and authenticates WAP messages received by the device to internal OS components that process them further: MMS, NabSync, SI/SL. This service doesn't send telemetry.| -How do I turn if off? | The service can be stopped from the "Services" console on the device (Start > Run > services.msc). However, since this service is a component part of the OS and required for the proper functioning of the device, we strongly recommend not to disable the service. Disabling this service will cause your management to fail.| +What is dmwappushsvc? | It's a Windows service that ships in Windows 10 and Windows 11 operating system as a part of the windows management platform. It's used internally by the operating system as a queue for categorizing and processing all Wireless Application Protocol (WAP) messages, which include Windows management messages, and Service Indication/Service Loading (SI/SL). The service also initiates and orchestrates management sync sessions with the MDM server. | +What data is handled by dmwappushsvc? | It's a component handling the internal workings of the management platform and involved in processing messages that have been received by the device remotely for management. The messages in the queue are serviced by another component that is also part of the Windows management stack to process messages. The service also routes and authenticates WAP messages received by the device to internal OS components that process them further. This service doesn't send telemetry.| +How do I turn if off? | The service can be stopped from the "Services" console on the device (Start > Run > services.msc) and locating *Device Management Wireless Application Protocol (WAP) Push message Routing Service*. However, since this service is a component part of the OS and required for the proper functioning of the device, we strongly recommend not to disable the service. Disabling this service will cause your management to fail.| ## Change history for MDM documentation diff --git a/windows/client-management/understanding-admx-backed-policies.md b/windows/client-management/understanding-admx-backed-policies.md index 4a730f6508..344d0eb5a7 100644 --- a/windows/client-management/understanding-admx-backed-policies.md +++ b/windows/client-management/understanding-admx-backed-policies.md @@ -1,6 +1,6 @@ --- title: Understanding ADMX policies -description: In Windows 10, you can use ADMX policies for Windows 10 mobile device management (MDM) across Windows 10 devices. +description: You can use ADMX policies for Windows mobile device management (MDM) across Windows devices. ms.author: vinpa ms.topic: article ms.prod: windows-client @@ -237,7 +237,7 @@ Below is the internal OS mapping of a Group Policy to an MDM area and name. This `./[Device|User]/Vendor/MSFT/Policy/Config/[config|result]//` -The data payload of the SyncML needs to be encoded so that it doesn't conflict with the boilerplate SyncML XML tags. Use this online tool for encoding and encoding the policy data [Coder's Toolbox](http://coderstoolbox.net/string/#!encoding=xml&action=encode&charset=us_ascii) +The data payload of the SyncML needs to be encoded so that it doesn't conflict with the boilerplate SyncML XML tags. Use this online tool for encoding and decoding the policy data [Coder's Toolbox](https://coderstoolbox.net/string/#!encoding=xml&action=encode&charset=us_ascii). **Snippet of manifest for AppVirtualization area:** diff --git a/windows/configuration/TOC.yml b/windows/configuration/TOC.yml index ff2dba8be7..979f7648a6 100644 --- a/windows/configuration/TOC.yml +++ b/windows/configuration/TOC.yml @@ -37,7 +37,7 @@ - name: Use mobile device management (MDM) href: customize-windows-10-start-screens-by-using-mobile-device-management.md - name: Troubleshoot Start menu errors - href: start-layout-troubleshoot.md + href: /troubleshoot/windows-client/shell-experience/troubleshoot-start-menu-errors - name: Changes to Start policies in Windows 10 href: changes-to-start-policies-in-windows-10.md - name: Accessibility settings @@ -89,7 +89,7 @@ - name: Use MDM Bridge WMI Provider to create a Windows client kiosk href: kiosk-mdm-bridge.md - name: Troubleshoot kiosk mode issues - href: kiosk-troubleshoot.md + href: /troubleshoot/windows-client/shell-experience/kiosk-mode-issues-troubleshooting - name: Configure multi-user and guest devices items: diff --git a/windows/configuration/cortana-at-work/cortana-at-work-overview.md b/windows/configuration/cortana-at-work/cortana-at-work-overview.md index f19e425791..39e709ad20 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-overview.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-overview.md @@ -8,6 +8,8 @@ author: aczechowski ms.localizationpriority: medium ms.author: aaroncz ms.technology: itpro-configure +ms.date: 12/31/2017 +ms.topic: article --- # Configure Cortana in Windows 10 and Windows 11 diff --git a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md index 479f178665..90543d9202 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md @@ -8,6 +8,8 @@ ms.author: aaroncz ms.reviewer: manager: dougeby ms.technology: itpro-configure +ms.date: 12/31/2017 +ms.topic: article --- # Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md index 9d10404c6d..71800954eb 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md @@ -8,6 +8,8 @@ ms.author: aaroncz ms.reviewer: manager: dougeby ms.technology: itpro-configure +ms.date: 12/31/2017 +ms.topic: article --- # Test scenario 1 – Sign into Azure AD, enable the wake word, and try a voice query diff --git a/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md b/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md index 53ab837468..9f38750042 100644 --- a/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md +++ b/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md @@ -8,6 +8,8 @@ author: aczechowski ms.localizationpriority: medium ms.author: aaroncz ms.technology: itpro-configure +ms.date: 12/31/2017 +ms.topic: article --- # Set up and test Cortana in Windows 10, version 2004 and later diff --git a/windows/configuration/customize-start-menu-layout-windows-11.md b/windows/configuration/customize-start-menu-layout-windows-11.md index 7aea595911..f043da3ecb 100644 --- a/windows/configuration/customize-start-menu-layout-windows-11.md +++ b/windows/configuration/customize-start-menu-layout-windows-11.md @@ -1,14 +1,16 @@ --- -title: Add or remove pinned apps on the Start menu in Windows 11 | Microsoft Docs +title: Add or remove pinned apps on the Start menu in Windows 11 description: Export Start layout to LayoutModification.json with pinned apps, and add or remove pinned apps. Use the JSON text in an MDM policy to deploy a custom Start menu layout to Windows 11 devices. manager: aaroncz +author: lizgt2000 ms.author: lizlong ms.reviewer: ericpapa ms.prod: windows-client -author: lizgt2000 ms.localizationpriority: medium ms.collection: highpri ms.technology: itpro-configure +ms.date: 01/10/2023 +ms.topic: article --- # Customize the Start menu layout on Windows 11 @@ -29,9 +31,11 @@ This article shows you how to export an existing Start menu layout, and use the ## Before you begin -- When you customize the Start layout, you overwrite the entire full layout. A partial Start layout isn't available. Users can pin and unpin apps, and uninstall apps from Start. You can't prevent users from changing the layout. +- When you customize the Start layout, you overwrite the entire full layout. A partial Start layout isn't available. Users can pin and unpin apps, and uninstall apps from Start. When a user signs in or Explorer restarts, Windows reapplies the MDM policy. This action restores the specified layout and doesn't retain any user changes. -- It's recommended to use a Mobile Device Management (MDM) provider. MDM providers help manage your devices, and help manage apps on your devices. You can use Microsoft Intune. Intune is a family of products that include Microsoft Intune, which is a cloud service, and Configuration Manager, which is on-premises. + To prevent users from making any changes to the Start menu layout, see the [NoChangeStartMenu](/windows/client-management/mdm/policy-csp-admx-startmenu#admx-startmenu-nochangestartmenu) policy. + +- It's recommended to use a mobile device management (MDM) provider. MDM providers help manage your devices, and help manage apps on your devices. You can use Microsoft Intune. Intune is a family of products that include Microsoft Intune, which is a cloud service, and Configuration Manager, which is on-premises. In this article, we mention these services. If you're not managing your devices using an MDM provider, the following resources may help you get started: @@ -62,16 +66,9 @@ Start has the following areas: - `Computer Configuration\Administrative Templates\Start Menu and Taskbar` - `User Configuration\Administrative Templates\Start Menu and Taskbar` -- **Recommended**: Shows recently opened files and recently installed apps. This section can't be customized using the JSON file. +- **Recommended**: Shows recently opened files and recently installed apps. This section can only be customized in Windows 11 SE using the following policy. - The [Start/HideRecentJumplists CSP](/windows/client-management/mdm/policy-csp-start#start-hiderecentjumplists) exposes settings that prevent files from showing in this section. This CSP also hides recent files that show from the taskbar. - - In **Intune**, you can configure this feature, and more. For more information on the Start menu settings you can configure in an Intune policy, see [Windows 10/11 device settings to allow or restrict features](/mem/intune/configuration/device-restrictions-windows-10#start). - - In **Group Policy**, there are policies that include settings that control the Start menu layout. Some policies may not work as expected. Be sure to test your policies before broadly deploying them across your devices: - - - `Computer Configuration\Administrative Templates\Start Menu and Taskbar` - - `User Configuration\Administrative Templates\Start Menu and Taskbar` + - `Computer Configuration\Administrative Templates\Start Menu and Taskbar\Remove Recommended section from Start Menu` ## Create the JSON file diff --git a/windows/configuration/customize-taskbar-windows-11.md b/windows/configuration/customize-taskbar-windows-11.md index 9b5dec303f..a630b2ac0b 100644 --- a/windows/configuration/customize-taskbar-windows-11.md +++ b/windows/configuration/customize-taskbar-windows-11.md @@ -9,6 +9,8 @@ author: lizgt2000 ms.localizationpriority: medium ms.collection: highpri ms.technology: itpro-configure +ms.date: 12/31/2017 +ms.topic: article --- # Customize the Taskbar on Windows 11 diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md index 7752ed29fa..baffd2a688 100644 --- a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md +++ b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md @@ -10,6 +10,7 @@ ms.author: lizlong ms.topic: article ms.collection: highpri ms.technology: itpro-configure +ms.date: 12/31/2017 --- # Customize Windows 10 Start and taskbar with Group Policy diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md b/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md index a853a65ee5..904afc2d16 100644 --- a/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md +++ b/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md @@ -9,6 +9,7 @@ ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.technology: itpro-configure +ms.date: 12/31/2017 --- # Customize Windows 10 Start and taskbar with provisioning packages diff --git a/windows/configuration/docfx.json b/windows/configuration/docfx.json index 346cc5e640..315f3afa7f 100644 --- a/windows/configuration/docfx.json +++ b/windows/configuration/docfx.json @@ -36,7 +36,7 @@ "recommendations": true, "breadcrumb_path": "/windows/resources/breadcrumb/toc.json", "uhfHeaderId": "MSDocsHeader-M365-IT", - "ms.technology": "windows", + "ms.technology": "itpro-configure", "ms.topic": "article", "feedback_system": "GitHub", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", diff --git a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md index 89cfab1cba..2eda1c13b6 100644 --- a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md +++ b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md @@ -10,6 +10,7 @@ ms.localizationpriority: medium ms.prod: windows-client ms.collection: highpri ms.technology: itpro-configure +ms.date: 12/31/2017 --- # Find the Application User Model ID of an installed app diff --git a/windows/configuration/guidelines-for-assigned-access-app.md b/windows/configuration/guidelines-for-assigned-access-app.md index a5150fcdcb..48abdda3c1 100644 --- a/windows/configuration/guidelines-for-assigned-access-app.md +++ b/windows/configuration/guidelines-for-assigned-access-app.md @@ -13,6 +13,7 @@ ms.reviewer: sybruckm manager: aaroncz ms.collection: highpri ms.technology: itpro-configure +ms.date: 12/31/2017 --- # Guidelines for choosing an app for assigned access (kiosk mode) diff --git a/windows/configuration/index.yml b/windows/configuration/index.yml index be1a9d7a92..fe0ebfbafc 100644 --- a/windows/configuration/index.yml +++ b/windows/configuration/index.yml @@ -6,12 +6,9 @@ summary: Find out how to apply custom configurations to Windows 10 and Windows 1 metadata: title: Configure Windows client # Required; page title displayed in search results. Include the brand. < 60 chars. description: Find out how to apply custom configurations to Windows client devices. # Required; article description that is displayed in search results. < 160 chars. - services: windows-10 - ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. - ms.subservice: subservice ms.topic: landing-page # Required + ms.prod: windows-client ms.collection: - - windows-10 - highpri author: aczechowski ms.author: aaroncz diff --git a/windows/configuration/kiosk-additional-reference.md b/windows/configuration/kiosk-additional-reference.md index 456b4c7a45..91f7ece2cf 100644 --- a/windows/configuration/kiosk-additional-reference.md +++ b/windows/configuration/kiosk-additional-reference.md @@ -9,6 +9,7 @@ author: lizgt2000 ms.localizationpriority: medium ms.topic: reference ms.technology: itpro-configure +ms.date: 12/31/2017 --- # More kiosk methods and reference information @@ -32,5 +33,4 @@ Topic | Description [Use AppLocker to create a Windows client kiosk](lock-down-windows-10-applocker.md) | Learn how to use AppLocker to configure a Windows client kiosk device running Enterprise or Education so that users can only run a few specific apps. [Use Shell Launcher to create a Windows client kiosk](kiosk-shelllauncher.md) | Using Shell Launcher, you can configure a kiosk device that runs a Windows application as the user interface. [Use MDM Bridge WMI Provider to create a Windows client kiosk](kiosk-mdm-bridge.md) | Environments that use Windows Management Instrumentation (WMI) can use the MDM Bridge WMI Provider to configure the MDM_AssignedAccess class. -[Troubleshoot kiosk mode issues](kiosk-troubleshoot.md) | Tips for troubleshooting multi-app kiosk configuration. - +[Troubleshoot kiosk mode issues](/troubleshoot/windows-client/shell-experience/kiosk-mode-issues-troubleshooting) | Tips for troubleshooting multi-app kiosk configuration. \ No newline at end of file diff --git a/windows/configuration/kiosk-mdm-bridge.md b/windows/configuration/kiosk-mdm-bridge.md index 3e6444f439..57f6e8b22d 100644 --- a/windows/configuration/kiosk-mdm-bridge.md +++ b/windows/configuration/kiosk-mdm-bridge.md @@ -9,6 +9,7 @@ author: lizgt2000 ms.localizationpriority: medium ms.topic: article ms.technology: itpro-configure +ms.date: 12/31/2017 --- # Use MDM Bridge WMI Provider to create a Windows client kiosk diff --git a/windows/configuration/kiosk-methods.md b/windows/configuration/kiosk-methods.md index 00f8c0181b..fca2b5ab94 100644 --- a/windows/configuration/kiosk-methods.md +++ b/windows/configuration/kiosk-methods.md @@ -9,6 +9,7 @@ ms.localizationpriority: medium author: lizgt2000 ms.topic: article ms.technology: itpro-configure +ms.date: 12/31/2017 --- # Configure kiosks and digital signs on Windows desktop editions diff --git a/windows/configuration/kiosk-policies.md b/windows/configuration/kiosk-policies.md index dec9776934..7891caf75d 100644 --- a/windows/configuration/kiosk-policies.md +++ b/windows/configuration/kiosk-policies.md @@ -9,6 +9,7 @@ ms.localizationpriority: medium ms.author: lizlong ms.topic: article ms.technology: itpro-configure +ms.date: 12/31/2017 --- # Policies enforced on kiosk devices @@ -56,7 +57,7 @@ Remove Task Manager | Enabled Remove Change Password option in Security Options UI | Enabled Remove Sign Out option in Security Options UI | Enabled Remove All Programs list from the Start Menu | Enabled – Remove and disable setting -Prevent access to drives from My Computer | Enabled - Restrict all drivers +Prevent access to drives from My Computer | Enabled - Restrict all drives >[!NOTE] >When **Prevent access to drives from My Computer** is enabled, users can browse the directory structure in File Explorer, but they cannot open folders and access the contents. Also, they cannot use the **Run** dialog box or the **Map Network Drive** dialog box to view the directories on these drives. The icons representing the specified drives still appear in File Explorer, but if users double-click the icons, a message appears explaining that a setting prevents the action. This setting does not prevent users from using programs to access local and network drives. It does not prevent users from using the Disk Management snap-in to view and change drive characteristics. diff --git a/windows/configuration/kiosk-prepare.md b/windows/configuration/kiosk-prepare.md index 8213f557da..0443a3047c 100644 --- a/windows/configuration/kiosk-prepare.md +++ b/windows/configuration/kiosk-prepare.md @@ -9,6 +9,7 @@ author: lizgt2000 ms.localizationpriority: medium ms.topic: article ms.technology: itpro-configure +ms.date: 12/31/2017 --- # Prepare a device for kiosk configuration @@ -206,7 +207,7 @@ For a more secure kiosk experience, we recommend that you make the following con ## Enable logging -Logs can help you [troubleshoot issues](./kiosk-troubleshoot.md) kiosk issues. Logs about configuration and runtime issues can be obtained by enabling the **Applications and Services Logs\Microsoft\Windows\AssignedAccess\Operational** channel, which is disabled by default. +Logs can help you [troubleshoot issues](/troubleshoot/windows-client/shell-experience/kiosk-mode-issues-troubleshooting) kiosk issues. Logs about configuration and runtime issues can be obtained by enabling the **Applications and Services Logs\Microsoft\Windows\AssignedAccess\Operational** channel, which is disabled by default. :::image type="content" source="images/enable-assigned-access-log.png" alt-text="On Windows client, open Event Viewer, right-click Operational, select enable log to turn on logging to help troubleshoot."::: diff --git a/windows/configuration/kiosk-shelllauncher.md b/windows/configuration/kiosk-shelllauncher.md index 5987383d91..fc9e86e27c 100644 --- a/windows/configuration/kiosk-shelllauncher.md +++ b/windows/configuration/kiosk-shelllauncher.md @@ -9,6 +9,7 @@ author: lizgt2000 ms.localizationpriority: medium ms.topic: article ms.technology: itpro-configure +ms.date: 12/31/2017 --- # Use Shell Launcher to create a Windows client kiosk diff --git a/windows/configuration/kiosk-single-app.md b/windows/configuration/kiosk-single-app.md index 8fe9c59229..3724425208 100644 --- a/windows/configuration/kiosk-single-app.md +++ b/windows/configuration/kiosk-single-app.md @@ -10,6 +10,7 @@ ms.localizationpriority: medium ms.topic: article ms.collection: highpri ms.technology: itpro-configure +ms.date: 12/31/2017 --- # Set up a single-app kiosk on Windows 10/11 @@ -336,7 +337,7 @@ To exit the assigned access (kiosk) app, press **Ctrl + Alt + Del**, and then si If you press **Ctrl + Alt + Del** and do not sign in to another account, after a set time, assigned access will resume. The default time is 30 seconds, but you can change that in the following registry key: -`HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI` +`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI` To change the default time for assigned access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal. diff --git a/windows/configuration/kiosk-troubleshoot.md b/windows/configuration/kiosk-troubleshoot.md deleted file mode 100644 index 3f7f0c8659..0000000000 --- a/windows/configuration/kiosk-troubleshoot.md +++ /dev/null @@ -1,74 +0,0 @@ ---- -title: Troubleshoot kiosk mode issues (Windows 10/11) -description: Learn how to troubleshoot single-app and multi-app kiosk configurations, as well as common problems like sign-in issues. -ms.reviewer: sybruckm -manager: aaroncz -ms.prod: windows-client -author: lizgt2000 -ms.localizationpriority: medium -ms.author: lizlong -ms.topic: article -ms.technology: itpro-configure ---- - -# Troubleshoot kiosk mode issues - - -**Applies to** - -- Windows 10 -- Windows 11 - -## Single-app kiosk issues - ->[!TIP] ->We recommend that you [enable logging for kiosk issues](kiosk-prepare.md#enable-logging). For some failures, events are only captured once. If you enable logging after an issue occurs with your kiosk, the logs may not capture those one-time events. In that case, prepare a new kiosk environment (such as a [virtual machine (VM)](kiosk-prepare.md#testing-your-kiosk-in-a-virtual-machine-vm)), set up your kiosk account and configuration, and try to reproduce the problem. - -### Sign-in issues - -1. Verify that User Account Control (UAC) is turned on. -2. Check the Event Viewer logs for sign-in issues under **Applications and Services Logs\Microsoft\Windows\Authentication User Interface\Operational**. - -### Automatic logon issues - -Check the Event Viewer logs for auto logon issues under **Applications and Services Logs\Microsoft\Windows\Authentication User Interface\Operational**. - -## Multi-app kiosk issues - -> [!NOTE] -> [!INCLUDE [Multi-app kiosk mode not supported on Windows 11](./includes/multi-app-kiosk-support-windows11.md)] - -### Unexpected results - -For example: -- Start is not launched in full-screen -- Blocked hotkeys are allowed -- Task Manager, Cortana, or Settings can be launched -- Start layout has more apps than expected - -**Troubleshooting steps** - -1. [Verify that the provisioning package is applied successfully](kiosk-validate.md). -2. Verify that the account (config) is mapped to a profile in the configuration XML file. -3. Verify that the configuration XML file is authored and formatted correctly. Correct any configuration errors, then create and apply a new provisioning package. Sign out and sign in again to check the new configuration. -4. Additional logs about configuration and runtime issues can be obtained by enabling the **Applications and Services Logs\Microsoft\Windows\AssignedAccess\Operational** channel, which is disabled by default. - -![Event Viewer, right-click Operational, select enable log.](images/enable-assigned-access-log.png) - - -### Automatic logon issues - -Check the Event Viewer logs for auto logon issues under **Applications and Services Logs\Microsoft\Windows\Authentication User Interface\Operational**. - -### Apps configured in AllowedList are blocked - -1. Ensure the account is mapped to the correct profile and that the apps are specific for that profile. -2. Check the EventViewer logs for Applocker and AppxDeployment (under **Application and Services Logs\Microsoft\Windows**). - - -### Start layout not as expected - -- Make sure the Start layout is authored correctly. Ensure that the attributes **Size**, **Row**, and **Column** are specified for each application and are valid. -- Check if the apps included in the Start layout are installed for the assigned access user. -- Check if the shortcut exists on the target device, if a desktop app is missing on Start. - diff --git a/windows/configuration/kiosk-validate.md b/windows/configuration/kiosk-validate.md index 0d457a1715..7ab28c7741 100644 --- a/windows/configuration/kiosk-validate.md +++ b/windows/configuration/kiosk-validate.md @@ -9,6 +9,7 @@ author: lizgt2000 ms.localizationpriority: medium ms.topic: article ms.technology: itpro-configure +ms.date: 12/31/2017 --- # Validate kiosk configuration diff --git a/windows/configuration/kiosk-xml.md b/windows/configuration/kiosk-xml.md index d2d862af7b..2229eb5af7 100644 --- a/windows/configuration/kiosk-xml.md +++ b/windows/configuration/kiosk-xml.md @@ -9,6 +9,7 @@ ms.localizationpriority: medium ms.author: lizlong ms.topic: article ms.technology: itpro-configure +ms.date: 12/31/2017 --- # Assigned Access configuration (kiosk) XML reference diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md index 235382fe70..5e74a0ca9d 100644 --- a/windows/configuration/lock-down-windows-10-to-specific-apps.md +++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md @@ -10,6 +10,7 @@ ms.reviewer: sybruckm ms.localizationpriority: medium ms.topic: how-to ms.collection: highpri +ms.date: 12/31/2017 --- # Set up a multi-app kiosk on Windows 10 devices @@ -576,7 +577,7 @@ These apps are in addition to any mixed reality apps that you allow. After the admin has completed setup, the kiosk account can sign in and repeat the setup. The admin user may want to complete the kiosk user setup before providing the PC to employees or customers. -There's a difference between the mixed reality experiences for a kiosk user and other users. Typically, when a user connects a mixed reality device, they begin in the [Mixed Reality home](https://developer.microsoft.com/windows/mixed-reality/navigating_the_windows_mixed_reality_home). The Mixed Reality home is a shell that runs in "silent" mode when the PC is configured as a kiosk. When a kiosk user connects a mixed reality device, they'll see only a blank display in the device, and won't have access to the features and functionality available in the home. To run a mixed reality app, the kiosk user must launch the app from the PC Start screen. +There's a difference between the mixed reality experiences for a kiosk user and other users. Typically, when a user connects a mixed reality device, they begin in the [Mixed Reality home](/windows/mixed-reality/discover/navigating-the-windows-mixed-reality-home). The Mixed Reality home is a shell that runs in "silent" mode when the PC is configured as a kiosk. When a kiosk user connects a mixed reality device, they'll see only a blank display in the device, and won't have access to the features and functionality available in the home. To run a mixed reality app, the kiosk user must launch the app from the PC Start screen. ## Policies set by multi-app kiosk configuration diff --git a/windows/configuration/lockdown-features-windows-10.md b/windows/configuration/lockdown-features-windows-10.md index dab9d24432..9a32f053b2 100644 --- a/windows/configuration/lockdown-features-windows-10.md +++ b/windows/configuration/lockdown-features-windows-10.md @@ -9,6 +9,7 @@ ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.technology: itpro-configure +ms.date: 12/31/2017 --- # Lockdown features from Windows Embedded 8.1 Industry diff --git a/windows/configuration/manage-wifi-sense-in-enterprise.md b/windows/configuration/manage-wifi-sense-in-enterprise.md index 8df16b0bf1..f5ee82e15a 100644 --- a/windows/configuration/manage-wifi-sense-in-enterprise.md +++ b/windows/configuration/manage-wifi-sense-in-enterprise.md @@ -9,6 +9,7 @@ author: lizgt2000 ms.localizationpriority: medium ms.topic: article ms.technology: itpro-configure +ms.date: 12/31/2017 --- # Manage Wi-Fi Sense in your company diff --git a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md index f6230ee388..e6fe7659b1 100644 --- a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md +++ b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md @@ -9,6 +9,7 @@ ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.technology: itpro-configure +ms.date: 12/31/2017 --- # Configuration service providers for IT pros diff --git a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md index 12383a7586..4ea1962aa4 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md +++ b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md @@ -9,6 +9,7 @@ ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.technology: itpro-configure +ms.date: 12/31/2017 --- # Provision PCs with common settings for initial deployment (desktop wizard) diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md index dd404266a8..8efef893cd 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md +++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md @@ -9,6 +9,7 @@ ms.topic: article ms.reviewer: gkomatsu manager: aaroncz ms.technology: itpro-configure +ms.date: 12/31/2017 --- # Provision PCs with apps diff --git a/windows/configuration/provisioning-packages/provisioning-apply-package.md b/windows/configuration/provisioning-packages/provisioning-apply-package.md index 34e5609b63..400e2a7863 100644 --- a/windows/configuration/provisioning-packages/provisioning-apply-package.md +++ b/windows/configuration/provisioning-packages/provisioning-apply-package.md @@ -9,6 +9,7 @@ ms.localizationpriority: medium ms.reviewer: gkomatsu manager: aaroncz ms.technology: itpro-configure +ms.date: 12/31/2017 --- # Apply a provisioning package diff --git a/windows/configuration/provisioning-packages/provisioning-command-line.md b/windows/configuration/provisioning-packages/provisioning-command-line.md index cebf8679f9..05e6a1da83 100644 --- a/windows/configuration/provisioning-packages/provisioning-command-line.md +++ b/windows/configuration/provisioning-packages/provisioning-command-line.md @@ -9,6 +9,7 @@ ms.localizationpriority: medium ms.reviewer: gkomatsu manager: aaroncz ms.technology: itpro-configure +ms.date: 12/31/2017 --- # Windows Configuration Designer command-line interface (reference) diff --git a/windows/configuration/provisioning-packages/provisioning-create-package.md b/windows/configuration/provisioning-packages/provisioning-create-package.md index 6e8bd7a6fb..62d2d239ae 100644 --- a/windows/configuration/provisioning-packages/provisioning-create-package.md +++ b/windows/configuration/provisioning-packages/provisioning-create-package.md @@ -9,6 +9,7 @@ ms.localizationpriority: medium ms.reviewer: gkomatsu manager: aaroncz ms.technology: itpro-configure +ms.date: 12/31/2017 --- # Create a provisioning package diff --git a/windows/configuration/provisioning-packages/provisioning-how-it-works.md b/windows/configuration/provisioning-packages/provisioning-how-it-works.md index f06f67b436..4f93bfc292 100644 --- a/windows/configuration/provisioning-packages/provisioning-how-it-works.md +++ b/windows/configuration/provisioning-packages/provisioning-how-it-works.md @@ -9,6 +9,7 @@ ms.localizationpriority: medium ms.reviewer: gkomatsu manager: aaroncz ms.technology: itpro-configure +ms.date: 12/31/2017 --- # How provisioning works in Windows diff --git a/windows/configuration/provisioning-packages/provisioning-install-icd.md b/windows/configuration/provisioning-packages/provisioning-install-icd.md index a18e5b29ce..c77e2f658e 100644 --- a/windows/configuration/provisioning-packages/provisioning-install-icd.md +++ b/windows/configuration/provisioning-packages/provisioning-install-icd.md @@ -10,6 +10,7 @@ ms.reviewer: gkomatsu manager: aaroncz ms.collection: highpri ms.technology: itpro-configure +ms.date: 12/31/2017 --- # Install Windows Configuration Designer, and learn about any limitations diff --git a/windows/configuration/provisioning-packages/provisioning-multivariant.md b/windows/configuration/provisioning-packages/provisioning-multivariant.md index 45a99e20e8..a22a2e2dc5 100644 --- a/windows/configuration/provisioning-packages/provisioning-multivariant.md +++ b/windows/configuration/provisioning-packages/provisioning-multivariant.md @@ -9,6 +9,7 @@ ms.reviewer: gkomatsu manager: aaroncz ms.author: lizlong ms.technology: itpro-configure +ms.date: 12/31/2017 --- # Create a provisioning package with multivariant settings diff --git a/windows/configuration/provisioning-packages/provisioning-packages.md b/windows/configuration/provisioning-packages/provisioning-packages.md index 5c61eb922b..4f0004d334 100644 --- a/windows/configuration/provisioning-packages/provisioning-packages.md +++ b/windows/configuration/provisioning-packages/provisioning-packages.md @@ -10,6 +10,7 @@ ms.topic: article ms.localizationpriority: medium ms.collection: highpri ms.technology: itpro-configure +ms.date: 12/31/2017 --- # Provisioning packages for Windows diff --git a/windows/configuration/provisioning-packages/provisioning-powershell.md b/windows/configuration/provisioning-packages/provisioning-powershell.md index 9b347a6304..074f0168f1 100644 --- a/windows/configuration/provisioning-packages/provisioning-powershell.md +++ b/windows/configuration/provisioning-packages/provisioning-powershell.md @@ -9,6 +9,7 @@ ms.localizationpriority: medium ms.reviewer: gkomatsu manager: aaroncz ms.technology: itpro-configure +ms.date: 12/31/2017 --- # PowerShell cmdlets for provisioning Windows client (reference) diff --git a/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md b/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md index ae5b559aae..00a55c6d95 100644 --- a/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md +++ b/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md @@ -9,6 +9,7 @@ ms.localizationpriority: medium ms.reviewer: gkomatsu manager: aaroncz ms.technology: itpro-configure +ms.date: 12/31/2017 --- # Use a script to install a desktop app in provisioning packages diff --git a/windows/configuration/provisioning-packages/provisioning-uninstall-package.md b/windows/configuration/provisioning-packages/provisioning-uninstall-package.md index 2784db5f1e..1ae2f42140 100644 --- a/windows/configuration/provisioning-packages/provisioning-uninstall-package.md +++ b/windows/configuration/provisioning-packages/provisioning-uninstall-package.md @@ -9,6 +9,7 @@ ms.localizationpriority: medium ms.reviewer: gkomatsu manager: aaroncz ms.technology: itpro-configure +ms.date: 12/31/2017 --- # Settings changed when you uninstall a provisioning package diff --git a/windows/configuration/start-layout-troubleshoot.md b/windows/configuration/start-layout-troubleshoot.md deleted file mode 100644 index 37416c41fa..0000000000 --- a/windows/configuration/start-layout-troubleshoot.md +++ /dev/null @@ -1,329 +0,0 @@ ---- -title: Troubleshoot Start menu errors -description: Learn how to troubleshoot common Start menu errors in Windows 10. For example, learn to troubleshoot errors related to deployment, crashes, and performance. -ms.prod: windows-client -ms.author: lizlong -author: lizgt2000 -ms.localizationpriority: medium -ms.reviewer: -manager: aaroncz -ms.topic: troubleshooting -ms.technology: itpro-configure ---- - -# Troubleshoot Start menu errors - -> [!div class="nextstepaction"] -> Try our Virtual Agent - It can help you quickly identify and fix common Start menu issues. - -Start failures can be organized into these categories: - -- **Deployment/Install issues** - Easiest to identify but difficult to recover. This failure is consistent and usually permanent. Reset, restore from backup, or rollback to recover. -- **Performance issues** - More common with older hardware, low-powered machines. Symptoms include: High CPU utilization, disk contention, memory resources. This makes Start very slow to respond. Behavior is intermittent depending on available resources. -- **Crashes** - Also easy to identify. Crashes in Shell Experience Host or related can be found in System or Application event logs. This can be a code defect or related to missing or altered permissions to files or registry keys by a program or incorrect security tightening configurations. Determining permissions issues can be time consuming but a [SysInternals tool called Procmon](/sysinternals/downloads/procmon) will show **Access Denied**. The other option is to get a dump of the process when it crashes and depending on comfort level, review the dump in the debugger, or have support review the data. -- **Hangs** - in Shell Experience host or related. These are the hardest issues to identify as there are few events logged, but behavior is typically intermittent or recovers with a reboot. If a background application or service hangs, Start won't have resources to respond in time. Clean boot may help identify if the issue is related to additional software. Procmon is also useful in this scenario. -- **Other issues** - Customization, domain policies, deployment issues. - -## Basic troubleshooting - -When troubleshooting basic Start issues (and for the most part, all other Windows apps), there are a few things to check if they aren't working as expected. For issues where the Start menu or subcomponent isn't working, you can do some quick tests to narrow down where the issue may reside. - -### Check the OS and update version - -- Is the system running the latest Feature and Cumulative Monthly update? -- Did the issue start immediately after an update? Ways to check: - - PowerShell:[System.Environment]::OSVersion.Version - - WinVer from CMD.exe - -### Check if Start is installed - -- If Start fails immediately after a feature update, on thing to check is if the App package failed to install successfully. - -- If Start was working and just fails intermittently, it's likely that Start is installed correctly, but the issue occurs downstream. The way to check for this problem is to look for output from these two PowerShell commands: - - - `get-AppXPackage -Name Microsoft.Windows.ShellExperienceHost` - - `get-AppXPackage -Name Microsoft.Windows.Cortana` - - :::image type="content" alt-text="Example of output from cmdlets." source="images/start-ts-1.png" lightbox="images/start-ts-1.png"::: - - Failure messages will appear if they aren't installed - -- If Start isn't installed, then the fastest resolution is to revert to a known good configuration. This can be rolling back the update, resetting the PC to defaults (where there's a choice to save to delete user data), or restoring from backup. No method is supported to install Start Appx files. The results are often problematic and unreliable. - -### Check if Start is running - -If either component is failing to start on boot, reviewing the event logs for errors or crashes during boot may pin point the problem. Booting with MSCONFIG and using a selective or diagnostic startup option will eliminate and/or identify possible interference from additional applications. -- `get-process -name shellexperiencehost` -- `get-process -name searchui` - -If it's installed but not running, test booting into safe mode or use MSCONFIG to eliminate third-party or additional drivers and applications. - -### Check whether the system a clean install or upgrade - -- Is this system an upgrade or clean install? - - Run `test-path "$env:windir\panther\miglog.xml"` - - If that file doesn't exist, the system is a clean install. -- Upgrade issues can be found by running `test-path "$env:windir\panther\miglog.xml"` - -### Check if Start is registered or activated - -- Export the following Event log to CSV and do a keyword search in a text editor or spreadsheet: - - Microsoft-Windows-TWinUI/Operational for Microsoft.Windows.ShellExperienceHost or Microsoft.Windows.Cortana - - "Package wasn't found" - - "Invalid value for registry" - - "Element not found" - - "Package couldn't be registered" - -If these events are found, Start isn't activated correctly. Each event will have more detail in the description and should be investigated further. Event messages can vary. - -### Other things to consider - -When did the problem start? - -- Top issues for Start menu failure are triggered - - After an update - - After installation of an application - - After joining a domain or applying a domain policy -- Many of those issues are found to be - - Permission changes on Registry keys or folders - - Start or related component crashes or hangs - - Customization failure - -To narrow down the problem further, it's good to note: - -- What is the install background? - - Was this a deployment, install from media, other - - Using customizations? - - DISM - - Group Policy or MDM - - copyprofile - - Sysprep - - Other - -- Domain-joined - - Group policy settings that restrict access or permissions to folders or registry keys can cause issues with Start performance. - - Some Group Policies intended for Windows 7 or older have been known to cause issues with Start - - Untested Start Menu customizations can cause unexpected behavior by typically not complete Start failures. - -- Is the environment virtualized? - - VMware - - Citrix - - Other - -## Check Event logs that record Start Issues: - -- System Event log -- Application Event log -- Microsoft/Windows/Shell-Core* -- Microsoft/Windows/Apps/ -- Microsoft-Windows-TWinUI* -- Microsoft/Windows/AppReadiness* -- Microsoft/Windows/AppXDeployment* -- Microsoft-Windows-PushNotification-Platform/Operational -- Microsoft-Windows-CoreApplication/Operational -- Microsoft-Windows-ShellCommon-StartLayoutPopulation* -- Microsoft-Windows-CloudStore* - - -- Check for crashes that may be related to Start (explorer.exe, taskbar, and so on) - - Application log event 1000, 1001 - - Check WER reports - - C:\ProgramData\Microsoft\Windows\WER\ReportArchive\ - - C:\ProgramData\Micrt\Windowsosof\WER\ReportQueue\ - -If there is a component of Start that is consistently crashing, capture a dump that can be reviewed by Microsoft Support. - -## Common errors and mitigation - -The following list provides information about common errors you might run into with Start Menu, as well as steps to help you mitigate them. - -### Symptom: Start Menu doesn't respond on Windows 2012 R2, Windows 10, or Windows 2016 - -**Cause**: Background Tasks Infrastructure Service (BrokerInfrastructure) service isn't started. - -**Resolution**: Ensure that Background Tasks Infrastructure Service is set to automatic startup in Services MMC. - -If Background Tasks Infrastructure Service fails to start, verify that the Power Dependency Coordinator Driver (PDC) driver and registry key aren't disabled or deleted. If either are missing, restore from backup or the installation media. - -To verify the PDC Service, run `C:\>sc query pdc` in a command prompt. The results will be similar to the following: - ->SERVICE_NAME: pdc ->TYPE : 1 KERNEL_DRIVER ->STATE : 4 RUNNING -> (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) ->WIN32_EXIT_CODE : 0 (0x0) ->SERVICE_EXIT_CODE : 0 (0x0) ->CHECKPOINT : 0x0 ->WAIT_HINT : 0x0 - -The PDC service uses pdc.sys located in the %WinDir%\system32\drivers. - -The PDC registry key is: -`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pdc` -**Description**="@%SystemRoot%\\system32\\drivers\\pdc.sys,-101" -**DisplayName**="@%SystemRoot%\\system32\\drivers\\pdc.sys,-100" -**ErrorControl**=dword:00000003 -**Group**="Boot Bus Extender" -**ImagePath**=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\ - 72,00,69,00,76,00,65,00,72,00,73,00,5c,00,70,00,64,00,63,00,2e,00,73,00,79,\ - 00,73,00,00,00 -**Start**=dword:00000000 -**Type**=dword:00000001 - -In addition to the listed dependencies for the service, Background Tasks Infrastructure Service requires the Power Dependency Coordinator Driver to be loaded. If the PDC doesn't load at boot, Background Tasks Infrastructure Service will fail and affect Start Menu. - -Events for both PDC and Background Tasks Infrastructure Service will be recorded in the event logs. PDC shouldn't be disabled or deleted. BrokerInfrastructure is an automatic service. This Service is required for all these operating Systems as running to have a stable Start Menu. - ->[!NOTE] ->You cannot stop this automatic service when machine is running (C:\windows\system32\svchost.exe -k DcomLaunch -p). - - -### Symptom: After upgrading from 1511 to 1607 versions of Windows, the Group Policy "Remove All Programs list from the Start Menu" may not work - -**Cause**: There was a change in the All Apps list between Windows 10, versions 1511 and 1607. These changes mean the original Group Policy and corresponding registry key no longer apply. - -**Resolution**: This issue was resolved in the June 2017 updates. Update Windows 10, version 1607, to the latest cumulative or feature updates. - ->[!NOTE] ->When the Group Policy is enabled, the desired behavior also needs to be selected. By default, it is set to **None**. - - -### Symptom: Application tiles like Alarm, Calculator, and Edge are missing from Start menu and the Settings app fails to open on Windows 10, version 1709 when a local user profile is deleted - -:::image type="content" alt-text="Screenshots that show download icons on app tiles and missing app tiles." source="images/start-ts-2.png" lightbox="images/start-ts-2.png"::: - -**Cause**: This issue is known. The first-time sign-in experience isn't detected and doesn't trigger the install of some apps. - -**Resolution**: This issue has been fixed for Windows 10, version 1709 in [KB 4089848](https://support.microsoft.com/help/4089848) March 22, 2018—KB4089848 (OS Build 16299.334) - -### Symptom: When attempting to customize Start Menu layout, the customizations don't apply or results aren't expected - -**Cause**: There are two main reasons for this issue: - -- Incorrect format: Editing the xml file incorrectly by adding an extra space or spaces, entering a bad character, or saving in the wrong format. - - To tell if the format is incorrect, check for **Event ID: 22** in the "Applications and Services\Microsoft\Windows\ShellCommon-StartLayoutPopulation\Operational" log. - - Event ID 22 is logged when the xml is malformed, meaning the specified file simply isn’t valid xml. - - When editing the xml file, it should be saved in UTF-8 format. - -- Unexpected information: This occurs when possibly trying to add a tile via an unexpected or undocumented method. - - **Event ID: 64** is logged when the xml is valid but has unexpected values. - - For example: The following error occurred while parsing a layout xml file: The attribute 'LayoutCustomizationRestrictiontype' on the element '{http://schemas.microsoft.com/Start/2014/LayoutModification}DefaultLayoutOverride' is not defined in the DTD/Schema. - -XML files can and should be tested locally on a Hyper-V or other virtual machine before deployment or application by Group Policy - -### Symptom: Start menu no longer works after a PC is refreshed using F12 during startup - -**Description**: If a user is having problems with a PC, it can be refreshed, reset, or restored. Refreshing the PC is a beneficial option because it maintains personal files and settings. When users have trouble starting the PC, "Change PC settings" in Settings is not accessible. So, to access the System Refresh, users may use the F12 key at startup. Refreshing the PC finishes, but Start Menu is not accessible. - -**Cause**: This issue is known and was resolved in a cumulative update released August 30, 2018. - -**Resolution**: Install corrective updates; a fix is included in the [September 11, 2018-KB4457142 release](https://support.microsoft.com/help/4457142). - -### Symptom: The All Apps list is missing from Start menu - -**Cause**: “Remove All Programs list from the Start menu" Group Policy is enabled. - -**Resolution**: Disable the “Remove All Programs list from the Start menu" Group Policy. - -### Symptom: Tiles are missing from the Start Menu when using Windows 10, version 1703 or older, Windows Server 2016, and Roaming User Profiles with a Start layout - -**Description**: There are two different Start Menu issues in Windows 10: -- Administrator configured tiles in the start layout fail to roam. -- User-initiated changes to the start layout are not roamed. - -Specifically, behaviors include -- Applications (apps or icons) pinned to the start menu are missing. -- Entire tile window disappears. -- The start button fails to respond. -- If a new roaming user is created, the first sign-in appears normal, but on subsequent sign-ins, tiles are missing. - - -![Example of a working layout.](images/start-ts-3.png) - -*Working layout on first sign-in of a new roaming user profile* - -![Example of a failing layout.](images/start-ts-4.png) - -*Failing layout on subsequent sign-ins* - - -**Cause**: A timing issue exists where the Start Menu is ready before the data is pulled locally from the Roaming User Profile. The issue does not occur on first logons of a new roaming user, as the code path is different and slower. - -**Resolution**: This issue has been resolved in Windows 10, versions 1703 and 1607, cumulative updates [as of March 2017](https://support.microsoft.com/help/4013429). - - -### Symptom: Start Menu layout customizations are lost after upgrading to Windows 10, version 1703 - -**Description**: - -Before the upgrade: - - ![Example of Start screen with customizations applied.](images/start-ts-5.jpg) - -After the upgrade the user pinned tiles are missing: - - ![Example of Start screen with previously pinned tiles missing.](images/start-ts-6.png) - -Additionally, users may see blank tiles if sign-in was attempted without network connectivity. - - ![Example of blank tiles.](images/start-ts-7.png) - - -**Resolution**: This issue was fixed in the [October 2017 update](https://support.microsoft.com/en-us/help/4041676). - -### Symptom: Tiles are missing after upgrade from Windows 10, version 1607 to version 1709 for users with Roaming User Profiles (RUP) enabled and managed Start Menu layout with partial lockdown - -**Resolution** The April 2018 LCU must be applied to Windows 10, version 1709 before a user logs on. - -### Symptom: Start Menu and/or Taskbar layout customizations are not applied if CopyProfile option is used in an answer file during Sysprep - -**Resolution**: CopyProfile is no longer supported when attempting to customize Start Menu or taskbar with a layoutmodification.xml. - -### Symptom: Start Menu issues with Tile Data Layer corruption - -**Cause**: Windows 10, version 1507 through the release of version 1607 uses a database for the Tile image information. This is called the Tile Data Layer database. (The feature was deprecated in [Windows 10 1703](/windows/deployment/planning/windows-10-removed-features).) - -**Resolution** There are steps you can take to fix the icons, first is to confirm that is the issue that needs to be addressed. - -1. The App or Apps work fine when you select the tiles. -2. The tiles are blank, have a generic placeholder icon, have the wrong or strange title information. -3. The app is missing, but listed as installed via PowerShell and works if you launch via URI. - - Example: `windows-feedback://` -4. In some cases, Start can be blank, and Action Center and Cortana do not launch. - ->[!Note] ->Corruption recovery removes any manual pins from Start. Apps should still be visible, but you’ll need to re-pin any secondary tiles and/or pin app tiles to the main Start view. Aps that you have installed that are completely missing from “all apps” is unexpected, however. That implies the re-registration didn’t work. - -Open a command prompt, and run the following command: - -```console -C:\Windows\System32\tdlrecover.exe -reregister -resetlayout -resetcache -``` - -Although a reboot is not required, it may help clear up any residual issues after the command is run. - -### Symptoms: Start Menu and Apps cannot start after upgrade to Windows 10 version 1809 when Symantec Endpoint Protection is installed - -**Description**: Start menu, Search, and Apps do not start after you upgrade a computer running Windows 7 that has Symantec Endpoint Protection installed to Windows 10 version 1809. - -**Cause**: This problem occurs because of a failure to load sysfer.dll. During upgrade, the setup process does not set the privilege group "All Application Packages" on sysfer.dll and other Symantec modules. - -**Resolution** This issue was fixed by the Windows Cumulative Update that were released on December 5, 2018—KB4469342 (OS Build 17763.168). - -If you have already encountered this issue, use one of the following two options to fix the issue: - -**Option 1** Remove sysfer.dll from system32 folder and copy it back. Windows will set privilege automatically. - -**Option 2** - -1. Locate the directory C:\Windows\system32. - -2. Right-click on sysfer.dll and choose **Properties**. - -3. Switch to the **Security** tab. - -4. Confirm that **All Application Packages** group is missing. - -5. Select **Edit**, and then select **Add** to add the group. - -6. Test Start and other Apps. diff --git a/windows/configuration/start-secondary-tiles.md b/windows/configuration/start-secondary-tiles.md index 8ff898fb1d..874a5657cc 100644 --- a/windows/configuration/start-secondary-tiles.md +++ b/windows/configuration/start-secondary-tiles.md @@ -9,6 +9,7 @@ ms.topic: article ms.reviewer: manager: aaroncz ms.technology: itpro-configure +ms.date: 12/31/2017 --- # Add image for secondary Microsoft Edge tiles diff --git a/windows/configuration/stop-employees-from-using-microsoft-store.md b/windows/configuration/stop-employees-from-using-microsoft-store.md index db9259cab0..3ebc98f62f 100644 --- a/windows/configuration/stop-employees-from-using-microsoft-store.md +++ b/windows/configuration/stop-employees-from-using-microsoft-store.md @@ -8,59 +8,58 @@ author: lizgt2000 ms.author: lizlong ms.topic: conceptual ms.localizationpriority: medium -ms.date: 4/16/2018 +ms.date: 11/29/2022 ms.collection: highpri ms.technology: itpro-configure --- # Configure access to Microsoft Store +**Applies to:** -**Applies to** +- Windows 10 -- Windows 10 - ->For more info about the features and functionality that are supported in each edition of Windows, see [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare). +> [!TIP] +> For more info about the features and functionality that are supported in each edition of Windows, see [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare). IT pros can configure access to Microsoft Store for client computers in their organization. For some organizations, business policies require blocking access to Microsoft Store. -> [!Important] +> [!IMPORTANT] > All executable code including Microsoft Store applications should have an update and maintenance plan. Organizations that use Microsoft Store applications should ensure that the applications can be updated through the Microsoft Store over the internet, through the [Private Store](/microsoft-store/distribute-apps-from-your-private-store), or [distributed offline](/microsoft-store/distribute-offline-apps) to keep the applications up to date. ## Options to configure access to Microsoft Store -You can use these tools to configure access to Microsoft Store: AppLocker or Group Policy. For Windows 10, this is only supported on Windows 10 Enterprise edition. +You can use either AppLocker or Group Policy to configure access to Microsoft Store. For Windows 10, configuring access to Microsoft Store is only supported on Windows 10 Enterprise edition. -## Block Microsoft Store using AppLocker - -Applies to: Windows 10 Enterprise, Windows 10 Education +## Block Microsoft Store using AppLocker +Applies to: Windows 10 Enterprise, Windows 10 Education AppLocker provides policy-based access control management for applications. You can block access to Microsoft Store app with AppLocker by creating a rule for packaged apps. You'll give the name of the Microsoft Store app as the packaged app that you want to block from client computers. For more information on AppLocker, see [What is AppLocker?](/windows/device-security/applocker/what-is-applocker) For more information on creating an AppLocker rule for app packages, see [Create a rule for packaged apps](/windows/device-security/applocker/create-a-rule-for-packaged-apps). -**To block Microsoft Store using AppLocker** +**To block Microsoft Store using AppLocker:** -1. Type secpol in the search bar to find and start AppLocker. +1. Enter **`secpol`** in the search bar to find and start AppLocker. -2. In the console tree of the snap-in, click **Application Control Policies**, click **AppLocker**, and then click **Packaged app Rules**. +2. In the console tree of the snap-in, select **Application Control Policies**, select **AppLocker**, and then select **Packaged app Rules**. -3. On the **Action** menu, or by right-clicking on **Packaged app Rules**, click **Create New Rule**. +3. On the **Action** menu, or by right-clicking on **Packaged app Rules**, select **Create New Rule**. -4. On **Before You Begin**, click **Next**. +4. On **Before You Begin**, select **Next**. -5. On **Permissions**, select the action (allow or deny) and the user or group that the rule should apply to, and then click **Next**. +5. On **Permissions**, select the action (allow or deny) and the user or group that the rule should apply to, and then select **Next**. -6. On **Publisher**, you can select **Use an installed app package as a reference**, and then click **Select**. +6. On **Publisher**, you can select **Use an installed app package as a reference**, and then select **Select**. -7. On **Select applications**, find and click **Store** under **Applications** column, and then click **OK**. Click **Next**. +7. On **Select applications**, find and select **Store** under **Applications** column, and then select **OK**. Select **Next**. [Create a rule for packaged apps](/windows/device-security/applocker/create-a-rule-for-packaged-apps) has more information on reference options and setting the scope on packaged app rules. -8. Optional: On **Exceptions**, specify conditions by which to exclude files from being affected by the rule. This allows you to add exceptions based on the same rule reference and rule scope as you set before. Click **Next**. +8. Optional: On **Exceptions**, specify conditions by which to exclude files from being affected by the rule. Conditions allow you to add exceptions based on the same rule reference and rule scope as you set before. Select **Next**. -## Block Microsoft Store using configuration service provider +## Block Microsoft Store using configuration service provider Applies to: Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education @@ -73,53 +72,51 @@ For more information, see [Configure an MDM provider](/microsoft-store/configure For more information on the rules available via AppLocker on the different supported operating systems, see [Operating system requirements](/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker#operating-system-requirements). +> [!IMPORTANT] +> If you block access to the Store using CSP, you need to also configure [AllowAppStoreAutoUpdate](/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-allowappstoreautoupdate) to enable in-box store apps to update while still blocking access to the store. -## Block Microsoft Store using Group Policy +## Block Microsoft Store using Group Policy +Applies to: Windows 10 Enterprise, Windows 10 Education -Applies to: Windows 10 Enterprise, Windows 10 Education - -> [!Note] +> [!NOTE] > Not supported on Windows 10 Pro, starting with version 1511. For more info, see [Knowledge Base article #3135657](/troubleshoot/windows-client/group-policy/cannot-disable-microsoft-store). You can also use Group Policy to manage access to Microsoft Store. -**To block Microsoft Store using Group Policy** +**To block Microsoft Store using Group Policy:** -1. Type gpedit in the search bar to find and start Group Policy Editor. +1. Enter **`gpedit`** in the search bar to find and start Group Policy Editor. -2. In the console tree of the snap-in, click **Computer Configuration**, click **Administrative Templates**, click **Windows Components**, and then click **Store**. +2. In the console tree of the snap-in, select **Computer Configuration**, select **Administrative Templates**, select **Windows Components**, and then select **Store**. -3. In the Setting pane, click **Turn off the Store application**, and then click **Edit policy setting**. +3. In the Setting pane, select **Turn off the Store application**, and then select **Edit policy setting**. -4. On the **Turn off the Store application** setting page, click **Enabled**, and then click **OK**. +4. On the **Turn off the Store application** setting page, select **Enabled**, and then select **OK**. -> [!Important] -> When you enable the policy to **Turn off the Store application**, it turns off app updates from the Microsoft Store. To allow store apps to update, disable the policy to **Turn off automatic download and install of Updates**. This configuration allows in-box store apps to update while still blocking access to the store. +> [!IMPORTANT] +> When you enable the policy to **Turn off the Store application**, it turns off app updates from the Microsoft Store. To allow store apps to update, disable the policy to **Turn off automatic download and install of Updates**. This policy is found under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store**. This configuration allows in-box store apps to update while still blocking access to the store. -## Show private store only using Group Policy +## Show private store only using Group Policy -Applies to Windows 10 Enterprise, Windows 10 Education +Applies to Windows 10 Enterprise, Windows 10 Education -If you're using Microsoft Store for Business and you want employees to only see apps you're managing in your private store, you can use Group Policy to show only the private store. Microsoft Store app will still be available, but employees can't view or purchase apps. Employees can view and install apps that the admin has added to your organization's private store. +If you're using Microsoft Store for Business and you want employees to only see apps you're managing in your private store, you can use Group Policy to show only the private store. Microsoft Store app will still be available, but employees can't view or purchase apps. Employees can view and install apps that the admin has added to your organization's private store. -**To show private store only in Microsoft Store app** +**To show private store only in Microsoft Store app:** -1. Type **gpedit** in the search bar, and then select **Edit group policy (Control panel)** to find and start Group Policy Editor. +1. Enter **`gpedit`** in the search bar, and then select **Edit group policy (Control panel)** to find and start Group Policy Editor. -2. In the console tree of the snap-in, go to **User Configuration** or **Computer Configuration** > **Administrative Templates** > **Windows Components**, and then click **Store**. +2. In the console tree of the snap-in, go to **User Configuration** or **Computer Configuration** > **Administrative Templates** > **Windows Components**, and then select **Store**. -3. Right-click **Only display the private store within the Microsoft Store app** in the right pane, and click **Edit**. +3. Right-click **Only display the private store within the Microsoft Store app** in the right pane, and select **Edit**. - This opens the **Only display the private store within the Microsoft Store app** policy settings. + The **Only display the private store within the Microsoft Store app** policy settings will open. -4. On the **Only display the private store within the Microsoft Store app** setting page, click **Enabled**, and then click **OK**. +4. On the **Only display the private store within the Microsoft Store app** setting page, select **Enabled**, and then select **OK**. -## Related topics +## Related articles [Distribute apps using your private store](/microsoft-store/distribute-apps-from-your-private-store) [Manage access to private store](/microsoft-store/manage-access-to-private-store) - - -  diff --git a/windows/configuration/supported-csp-start-menu-layout-windows.md b/windows/configuration/supported-csp-start-menu-layout-windows.md index 684b35d6f3..d079399d4b 100644 --- a/windows/configuration/supported-csp-start-menu-layout-windows.md +++ b/windows/configuration/supported-csp-start-menu-layout-windows.md @@ -8,6 +8,8 @@ ms.prod: windows-client author: lizgt2000 ms.localizationpriority: medium ms.technology: itpro-configure +ms.date: 12/31/2017 +ms.topic: article --- # Supported configuration service provider (CSP) policies for Windows 11 Start menu diff --git a/windows/configuration/supported-csp-taskbar-windows.md b/windows/configuration/supported-csp-taskbar-windows.md index c094fb12f9..b51d7becb9 100644 --- a/windows/configuration/supported-csp-taskbar-windows.md +++ b/windows/configuration/supported-csp-taskbar-windows.md @@ -8,6 +8,8 @@ ms.prod: windows-client author: lizgt2000 ms.localizationpriority: medium ms.technology: itpro-configure +ms.date: 12/31/2017 +ms.topic: article --- # Supported configuration service provider (CSP) policies for Windows 11 taskbar diff --git a/windows/configuration/wcd/wcd-cellular.md b/windows/configuration/wcd/wcd-cellular.md index 0f7cbab6bd..7b97d13b21 100644 --- a/windows/configuration/wcd/wcd-cellular.md +++ b/windows/configuration/wcd/wcd-cellular.md @@ -9,6 +9,7 @@ ms.localizationpriority: medium ms.author: aaroncz ms.topic: article ms.technology: itpro-configure +ms.date: 12/31/2017 --- # Cellular (Windows Configuration Designer reference) diff --git a/windows/configuration/wcd/wcd-changes.md b/windows/configuration/wcd/wcd-changes.md index b826e3cbbe..a4f21e84f9 100644 --- a/windows/configuration/wcd/wcd-changes.md +++ b/windows/configuration/wcd/wcd-changes.md @@ -9,6 +9,7 @@ ms.localizationpriority: medium ms.author: aaroncz ms.topic: article ms.technology: itpro-configure +ms.date: 12/31/2017 --- # Changes to settings in Windows Configuration Designer diff --git a/windows/configuration/wcd/wcd-deviceupdatecenter.md b/windows/configuration/wcd/wcd-deviceupdatecenter.md index 716237d02e..9d0ab9779d 100644 --- a/windows/configuration/wcd/wcd-deviceupdatecenter.md +++ b/windows/configuration/wcd/wcd-deviceupdatecenter.md @@ -8,6 +8,7 @@ ms.author: aaroncz manager: dougeby ms.topic: article ms.technology: itpro-configure +ms.date: 12/31/2017 --- # DeviceUpdateCenter (Windows Configuration Designer reference) diff --git a/windows/configuration/wcd/wcd-location.md b/windows/configuration/wcd/wcd-location.md index fe920d9f7c..9b1e501fec 100644 --- a/windows/configuration/wcd/wcd-location.md +++ b/windows/configuration/wcd/wcd-location.md @@ -9,6 +9,7 @@ ms.topic: article ms.reviewer: manager: dougeby ms.technology: itpro-configure +ms.date: 12/31/2017 --- # Location (Windows Configuration Designer reference) diff --git a/windows/configuration/wcd/wcd-maps.md b/windows/configuration/wcd/wcd-maps.md index 1f30e55191..37b93da96d 100644 --- a/windows/configuration/wcd/wcd-maps.md +++ b/windows/configuration/wcd/wcd-maps.md @@ -9,6 +9,7 @@ ms.topic: article ms.reviewer: manager: dougeby ms.technology: itpro-configure +ms.date: 12/31/2017 --- # Maps (Windows Configuration Designer reference) diff --git a/windows/configuration/wcd/wcd-networkproxy.md b/windows/configuration/wcd/wcd-networkproxy.md index 92226ac222..0b8561c8cf 100644 --- a/windows/configuration/wcd/wcd-networkproxy.md +++ b/windows/configuration/wcd/wcd-networkproxy.md @@ -9,6 +9,7 @@ ms.topic: article ms.reviewer: manager: dougeby ms.technology: itpro-configure +ms.date: 12/31/2017 --- # NetworkProxy (Windows Configuration Designer reference) diff --git a/windows/configuration/wcd/wcd-networkqospolicy.md b/windows/configuration/wcd/wcd-networkqospolicy.md index 84d67d3ede..2be6c377ba 100644 --- a/windows/configuration/wcd/wcd-networkqospolicy.md +++ b/windows/configuration/wcd/wcd-networkqospolicy.md @@ -9,6 +9,7 @@ ms.topic: article ms.reviewer: manager: dougeby ms.technology: itpro-configure +ms.date: 12/31/2017 --- # NetworkQoSPolicy (Windows Configuration Designer reference) @@ -21,7 +22,7 @@ Use to create network Quality of Service (QoS) policies. A QoS policy performs a | --- | :---: | :---: | :---: | :---: | | All settings | | ✔️ | | | -1. In **Available customizations**, select **NetworkQ0SPolicy**, enter a friendly name for the account, and then click **Add**. +1. In **Available customizations**, select **NetworkQoSPolicy**, enter a friendly name for the account, and then click **Add**. 2. In **Available customizations**, select the name that you just created. The following table describes the settings you can configure. | Setting | Description | diff --git a/windows/configuration/wcd/wcd-oobe.md b/windows/configuration/wcd/wcd-oobe.md index 589cf36452..df4078b569 100644 --- a/windows/configuration/wcd/wcd-oobe.md +++ b/windows/configuration/wcd/wcd-oobe.md @@ -9,6 +9,7 @@ ms.localizationpriority: medium ms.author: aaroncz ms.topic: article ms.technology: itpro-configure +ms.date: 12/31/2017 --- # OOBE (Windows Configuration Designer reference) diff --git a/windows/configuration/wcd/wcd-personalization.md b/windows/configuration/wcd/wcd-personalization.md index 69693eeb45..249dc446a7 100644 --- a/windows/configuration/wcd/wcd-personalization.md +++ b/windows/configuration/wcd/wcd-personalization.md @@ -9,6 +9,7 @@ ms.topic: article ms.reviewer: manager: dougeby ms.technology: itpro-configure +ms.date: 12/31/2017 --- # Personalization (Windows Configuration Designer reference) diff --git a/windows/configuration/wcd/wcd-policies.md b/windows/configuration/wcd/wcd-policies.md index c76f9e2459..b2ac514b17 100644 --- a/windows/configuration/wcd/wcd-policies.md +++ b/windows/configuration/wcd/wcd-policies.md @@ -9,6 +9,7 @@ ms.localizationpriority: medium ms.author: aaroncz ms.topic: article ms.technology: itpro-configure +ms.date: 12/31/2017 --- # Policies (Windows Configuration Designer reference) diff --git a/windows/configuration/wcd/wcd-privacy.md b/windows/configuration/wcd/wcd-privacy.md index 73836d589b..df2b29c1ff 100644 --- a/windows/configuration/wcd/wcd-privacy.md +++ b/windows/configuration/wcd/wcd-privacy.md @@ -8,6 +8,7 @@ ms.author: aaroncz manager: dougeby ms.topic: article ms.technology: itpro-configure +ms.date: 12/31/2017 --- # Privacy (Windows Configuration Designer reference) diff --git a/windows/configuration/wcd/wcd-storaged3inmodernstandby.md b/windows/configuration/wcd/wcd-storaged3inmodernstandby.md index 6a133d5a59..61f8c30b69 100644 --- a/windows/configuration/wcd/wcd-storaged3inmodernstandby.md +++ b/windows/configuration/wcd/wcd-storaged3inmodernstandby.md @@ -8,6 +8,7 @@ ms.author: aaroncz ms.topic: article manager: dougeby ms.technology: itpro-configure +ms.date: 12/31/2017 --- # StorageD3InModernStandby (Windows Configuration Designer reference) diff --git a/windows/configuration/wcd/wcd-time.md b/windows/configuration/wcd/wcd-time.md index f7017ef138..659eef75c7 100644 --- a/windows/configuration/wcd/wcd-time.md +++ b/windows/configuration/wcd/wcd-time.md @@ -8,6 +8,7 @@ ms.author: aaroncz manager: dougeby ms.topic: article ms.technology: itpro-configure +ms.date: 12/31/2017 --- # Time diff --git a/windows/configuration/wcd/wcd-unifiedwritefilter.md b/windows/configuration/wcd/wcd-unifiedwritefilter.md index d402e1ceb6..55abb9002a 100644 --- a/windows/configuration/wcd/wcd-unifiedwritefilter.md +++ b/windows/configuration/wcd/wcd-unifiedwritefilter.md @@ -9,6 +9,7 @@ ms.topic: article ms.reviewer: manager: dougeby ms.technology: itpro-configure +ms.date: 12/31/2017 --- # UnifiedWriteFilter (reference) diff --git a/windows/configuration/wcd/wcd-universalappinstall.md b/windows/configuration/wcd/wcd-universalappinstall.md index cb622f51e2..bbd3749ad5 100644 --- a/windows/configuration/wcd/wcd-universalappinstall.md +++ b/windows/configuration/wcd/wcd-universalappinstall.md @@ -9,6 +9,7 @@ ms.topic: article ms.reviewer: manager: dougeby ms.technology: itpro-configure +ms.date: 12/31/2017 --- # UniversalAppInstall (reference) diff --git a/windows/configuration/wcd/wcd-universalappuninstall.md b/windows/configuration/wcd/wcd-universalappuninstall.md index 45e82deba6..ab0005120f 100644 --- a/windows/configuration/wcd/wcd-universalappuninstall.md +++ b/windows/configuration/wcd/wcd-universalappuninstall.md @@ -9,6 +9,7 @@ ms.topic: article ms.reviewer: manager: dougeby ms.technology: itpro-configure +ms.date: 12/31/2017 --- # UniversalAppUninstall (reference) diff --git a/windows/configuration/wcd/wcd-usberrorsoemoverride.md b/windows/configuration/wcd/wcd-usberrorsoemoverride.md index de2cdfc24b..3a53cca460 100644 --- a/windows/configuration/wcd/wcd-usberrorsoemoverride.md +++ b/windows/configuration/wcd/wcd-usberrorsoemoverride.md @@ -9,6 +9,7 @@ ms.topic: article ms.reviewer: manager: dougeby ms.technology: itpro-configure +ms.date: 12/31/2017 --- # UsbErrorsOEMOverride (reference) diff --git a/windows/configuration/wcd/wcd-weakcharger.md b/windows/configuration/wcd/wcd-weakcharger.md index dfd1c1ee93..2270de3845 100644 --- a/windows/configuration/wcd/wcd-weakcharger.md +++ b/windows/configuration/wcd/wcd-weakcharger.md @@ -9,6 +9,7 @@ ms.topic: article ms.reviewer: manager: dougeby ms.technology: itpro-configure +ms.date: 12/31/2017 --- # WeakCharger (reference) diff --git a/windows/configuration/wcd/wcd-windowshelloforbusiness.md b/windows/configuration/wcd/wcd-windowshelloforbusiness.md index 5abe841a5c..8c42614eca 100644 --- a/windows/configuration/wcd/wcd-windowshelloforbusiness.md +++ b/windows/configuration/wcd/wcd-windowshelloforbusiness.md @@ -9,6 +9,7 @@ ms.topic: article ms.reviewer: manager: dougeby ms.technology: itpro-configure +ms.date: 12/31/2017 --- # WindowsHelloForBusiness (Windows Configuration Designer reference) diff --git a/windows/configuration/wcd/wcd-windowsteamsettings.md b/windows/configuration/wcd/wcd-windowsteamsettings.md index 9255158400..9db59248ff 100644 --- a/windows/configuration/wcd/wcd-windowsteamsettings.md +++ b/windows/configuration/wcd/wcd-windowsteamsettings.md @@ -9,6 +9,7 @@ ms.topic: article ms.reviewer: manager: dougeby ms.technology: itpro-configure +ms.date: 12/31/2017 --- # WindowsTeamSettings (reference) diff --git a/windows/configuration/wcd/wcd-wlan.md b/windows/configuration/wcd/wcd-wlan.md index c6df66ef0f..c691224077 100644 --- a/windows/configuration/wcd/wcd-wlan.md +++ b/windows/configuration/wcd/wcd-wlan.md @@ -9,6 +9,7 @@ ms.localizationpriority: medium ms.author: aaroncz ms.topic: article ms.technology: itpro-configure +ms.date: 12/31/2017 --- # WLAN (reference) diff --git a/windows/configuration/wcd/wcd.md b/windows/configuration/wcd/wcd.md index 0cd1afaa90..c982e45ca3 100644 --- a/windows/configuration/wcd/wcd.md +++ b/windows/configuration/wcd/wcd.md @@ -9,6 +9,7 @@ ms.topic: article ms.reviewer: manager: dougeby ms.technology: itpro-configure +ms.date: 12/31/2017 --- # Windows Configuration Designer provisioning settings (reference) diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index 2356b68241..4ac1a97b0f 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml @@ -62,16 +62,11 @@ - name: Features removed or planned for replacement items: - name: Windows client features lifecycle - href: planning/features-lifecycle.md - - name: Features we're no longer developing - items: - - name: Windows deprecated features - href: planning/windows-10-deprecated-features.md - - name: Features we removed - items: - - name: Windows features removed - href: planning/windows-10-removed-features.md - + href: /windows/whats-new/feature-lifecycle?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json + - name: Deprecated features + href: /windows/whats-new/deprecated-features?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json + - name: Removed features + href: /windows/whats-new/removed-features?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json - name: Prepare items: - name: Prepare for Windows 11 @@ -184,11 +179,11 @@ href: update/deploy-updates-intune.md - name: Monitor items: - - name: Windows Update for Business reports (preview) + - name: Windows Update for Business reports items: - name: Windows Update for Business reports overview href: update/wufb-reports-overview.md - - name: Enable Windows Update for Business reports (preview) + - name: Enable Windows Update for Business reports items: - name: Windows Update for Business reports prerequisites href: update/wufb-reports-prerequisites.md @@ -200,7 +195,7 @@ href: update/wufb-reports-configuration-manual.md - name: Configure clients with Microsoft Intune href: update/wufb-reports-configuration-intune.md - - name: Use Windows Update for Business reports (preview) + - name: Use Windows Update for Business reports items: - name: Windows Update for Business reports workbook href: update/wufb-reports-workbook.md @@ -210,7 +205,7 @@ href: update/wufb-reports-use.md - name: Feedback, support, and troubleshooting href: update/wufb-reports-help.md - - name: Windows Update for Business reports (preview) schema reference + - name: Windows Update for Business reports schema reference items: - name: Windows Update for Business reports schema reference href: update/wufb-reports-schema.md @@ -221,7 +216,11 @@ - name: UCClientUpdateStatus href: update/wufb-reports-schema-ucclientupdatestatus.md - name: UCDeviceAlert - href: update/wufb-reports-schema-ucdevicealert.md + href: update/wufb-reports-schema-ucdevicealert.md + - name: UCDOAggregatedStatus + href: update/wufb-reports-schema-ucdoaggregatedstatus.md + - name: UCDOStatus + href: update/wufb-reports-schema-ucdostatus.md - name: UCServiceUpdateStatus href: update/wufb-reports-schema-ucserviceupdatestatus.md - name: UCUpdateAlert @@ -462,18 +461,6 @@ href: usmt/usmt-reroute-files-and-settings.md - name: Verify the Condition of a Compressed Migration Store href: usmt/verify-the-condition-of-a-compressed-migration-store.md - - name: USMT Troubleshooting - href: usmt/usmt-troubleshooting.md - - name: Common Issues - href: usmt/usmt-common-issues.md - - name: Frequently Asked Questions - href: usmt/usmt-faq.yml - - name: Log Files - href: usmt/usmt-log-files.md - - name: Return Codes - href: usmt/usmt-return-codes.md - - name: USMT Resources - href: usmt/usmt-resources.md - name: USMT Reference items: @@ -541,7 +528,22 @@ href: usmt/usmt-xml-elements-library.md - name: Offline Migration Reference href: usmt/offline-migration-reference.md - + + - name: Troubleshoot USMT + items: + - name: USMT Troubleshooting + href: usmt/usmt-troubleshooting.md + - name: USMT Common Issues + href: /troubleshoot/windows-client/deployment/usmt-common-issues + - name: USMT Frequently Asked Questions + href: usmt/usmt-faq.yml + - name: USMT Log Files + href: usmt/usmt-log-files.md + - name: USMT Return Codes + href: /troubleshoot/windows-client/deployment/usmt-return-codes + - name: USMT Resources + href: usmt/usmt-resources.md + - name: Application Compatibility Toolkit (ACT) Technical Reference items: - name: SUA User's Guide diff --git a/windows/deployment/Windows-AutoPilot-EULA-note.md b/windows/deployment/Windows-AutoPilot-EULA-note.md index bdcc134152..674bd00551 100644 --- a/windows/deployment/Windows-AutoPilot-EULA-note.md +++ b/windows/deployment/Windows-AutoPilot-EULA-note.md @@ -3,7 +3,7 @@ title: Windows Autopilot EULA dismissal – important information description: A notice about EULA dismissal through Windows Autopilot ms.prod: windows-client ms.localizationpriority: medium -ms.date: 10/31/2022 +ms.date: 11/23/2022 author: frankroj ms.author: frankroj manager: aaroncz @@ -13,8 +13,8 @@ ms.technology: itpro-deploy --- # Windows Autopilot EULA dismissal – important information ->[!IMPORTANT] ->The information below isn't the EULA. It is a notice of awareness to the administrator that's configuring to skip End User License Agreement (EULA) during the OOBE (Out-of-Box Experience). +> [!IMPORTANT] +> The information below isn't the EULA. It is a notice of awareness to the administrator that's configuring to skip End User License Agreement (EULA) during the OOBE (Out-of-Box Experience). Using this tool allows you to configure individual installations of Windows on devices managed by your organization. You may choose to suppress or hide certain set-up screens that are normally presented to users when setting up Windows, including the EULA acceptance screen. diff --git a/windows/deployment/add-store-apps-to-image.md b/windows/deployment/add-store-apps-to-image.md index ac883e80a0..1d67fee4df 100644 --- a/windows/deployment/add-store-apps-to-image.md +++ b/windows/deployment/add-store-apps-to-image.md @@ -9,72 +9,83 @@ ms.reviewer: manager: aaroncz ms.topic: article ms.custom: seo-marvel-apr2020 -ms.date: 10/31/2022 +ms.date: 11/23/2022 ms.technology: itpro-deploy --- # Add Microsoft Store for Business applications to a Windows 10 image -**Applies to** +*Applies to:* -- Windows 10 +- Windows 10 This article describes the correct way to add Microsoft Store for Business applications to a Windows 10 image. Adding Microsoft Store for Business applications to a Windows 10 image will enable you to deploy Windows 10 with pre-installed Microsoft Store for Business apps. ->[!IMPORTANT] ->In order for Microsoft Store for Business applications to persist after image deployment, these applications need to be pinned to Start prior to image deployment. +> [!IMPORTANT] +> In order for Microsoft Store for Business applications to persist after image deployment, these applications need to be pinned to Start prior to image deployment. ## Prerequisites -* [Windows Assessment and Deployment Kit (Windows ADK)](windows-adk-scenarios-for-it-pros.md) for the tools required to mount and edit Windows images. +- [Windows Assessment and Deployment Kit (Windows ADK)](windows-adk-scenarios-for-it-pros.md) for the tools required to mount and edit Windows images. -* Download an offline signed app package and license of the application you would like to add through [Microsoft Store for Business](/microsoft-store/distribute-offline-apps#download-an-offline-licensed-app). -* A Windows Image. For instructions on image creation, see [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md). +- Download an offline signed app package and license of the application you would like to add through [Microsoft Store for Business](/microsoft-store/distribute-offline-apps#download-an-offline-licensed-app). +- A Windows Image. For instructions on image creation, see [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md). ->[!NOTE] +> [!NOTE] > If you'd like to add an internal LOB Microsoft Store application, please follow the instructions on **[Sideload line of business (LOB) apps in Windows client devices](/windows/application-management/sideload-apps-in-windows-10)**. ## Adding a Store application to your image On a machine where your image file is accessible: + 1. Open Windows PowerShell with administrator privileges. -2. Mount the image. At the Windows PowerShell prompt, type: + +2. Mount the image. At the Windows PowerShell prompt, enter: `Mount-WindowsImage -ImagePath c:\images\myimage.wim -Index 1 -Path C:\test` -3. Use the Add-AppxProvisionedPackage cmdlet in Windows PowerShell to preinstall the app. Use the /PackagePath option to specify the location of the Store package and /LicensePath to specify the location of the license .xml file. In Windows PowerShell, type: + +3. Use the Add-AppxProvisionedPackage cmdlet in Windows PowerShell to preinstall the app. Use the /PackagePath option to specify the location of the Store package and /LicensePath to specify the location of the license .xml file. In Windows PowerShell, enter: `Add-AppxProvisionedPackage -Path C:\test -PackagePath C:\downloads\appxpackage -LicensePath C:\downloads\appxpackage\license.xml` ->[!NOTE] ->Paths and file names are examples. Use your paths and file names where appropriate. +> [!NOTE] +> Paths and file names are examples. Use your paths and file names where appropriate. > ->Do not dismount the image, as you will return to it later. +> Do not dismount the image, as you will return to it later. ## Editing the Start Layout In order for Microsoft Store for Business applications to persist after image deployment, these applications need to be pinned to Start prior to image deployment. On a test machine: + 1. **Install the Microsoft Store for Business application you previously added** to your image. + 2. **Pin these apps to the Start screen**, by typing the name of the app, right-clicking and selecting **Pin to Start**. + 3. Open Windows PowerShell with administrator privileges. + 4. Use `Export-StartLayout -path .xml` where *\\* is the path and name of the xml file your will later import into your Windows Image. + 5. Copy the XML file you created to a location accessible by the machine you previously used to add Store applications to your image. Now, on the machine where your image file is accessible: -1. Import the Start layout. At the Windows PowerShell prompt, type: + +1. Import the Start layout. At the Windows PowerShell prompt, enter: `Import-StartLayout -LayoutPath ".xml" -MountPath "C:\test\"` -2. Save changes and dismount the image. At the Windows PowerShell prompt, type: + +2. Save changes and dismount the image. At the Windows PowerShell prompt, enter: `Dismount-WindowsImage -Path c:\test -Save` ->[!NOTE] ->Paths and file names are examples. Use your paths and file names where appropriate. +> [!NOTE] +> Paths and file names are examples. Use your paths and file names where appropriate. > ->For more information on Start customization, see [Windows 10 Start Layout Customization](/archive/blogs/deploymentguys/windows-10-start-layout-customization) +> For more information on Start customization, see [Windows 10 Start Layout Customization](/archive/blogs/deploymentguys/windows-10-start-layout-customization) ## Related articles -* [Customize and export Start layout](/windows/configuration/customize-and-export-start-layout) -* [Export-StartLayout](/powershell/module/startlayout/export-startlayout) -* [Import-StartLayout](/powershell/module/startlayout/import-startlayout) -* [Sideload line of business (LOB) apps in Windows client devices](/windows/application-management/sideload-apps-in-windows-10) -* [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) -* [Deploy Windows 10 with the Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md) -* [Windows Assessment and Deployment Kit (Windows ADK)](windows-adk-scenarios-for-it-pros.md) + +- [Customize and export Start layout](/windows/configuration/customize-and-export-start-layout) +- [Export-StartLayout](/powershell/module/startlayout/export-startlayout) +- [Import-StartLayout](/powershell/module/startlayout/import-startlayout) +- [Sideload line of business (LOB) apps in Windows client devices](/windows/application-management/sideload-apps-in-windows-10) +- [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) +- [Deploy Windows 10 with the Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md) +- [Windows Assessment and Deployment Kit (Windows ADK)](windows-adk-scenarios-for-it-pros.md) diff --git a/windows/deployment/breadcrumb/toc.yml b/windows/deployment/breadcrumb/toc.yml index a43252b7e8..3cb4555445 100644 --- a/windows/deployment/breadcrumb/toc.yml +++ b/windows/deployment/breadcrumb/toc.yml @@ -9,4 +9,16 @@ items: items: - name: Deployment tocHref: /troubleshoot/windows-client/deployment/ + topicHref: /windows/deployment/ + +- name: Learn + tocHref: / + topicHref: / + items: + - name: Windows + tocHref: /windows/ + topicHref: /windows/resources/ + items: + - name: Deployment + tocHref: /windows/whats-new topicHref: /windows/deployment/ \ No newline at end of file diff --git a/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md b/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md index 0ee1248e7e..3dbdf7eef2 100644 --- a/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md +++ b/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md @@ -8,15 +8,15 @@ manager: aaroncz ms.author: frankroj ms.topic: article ms.custom: seo-marvel-apr2020 -ms.date: 10/31/2022 +ms.date: 11/23/2022 ms.technology: itpro-deploy --- # Configure a PXE server to load Windows PE -**Applies to** +*Applies to:* -- Windows 10 +- Windows 10 This walkthrough describes how to configure a PXE server to load Windows PE by booting a client computer from the network. Using the Windows PE tools and a Windows 10 image file, you can install Windows 10 from the network. @@ -37,107 +37,122 @@ All four of the roles specified above can be hosted on the same computer or each 3. Run the following command to copy the base Windows PE files into a new folder. The script requires two arguments: hardware architecture and destination location. The value of **<architecture>** can be **x86**, **amd64**, or **arm** and **<destination>** is a path to a local directory. If the directory doesn't already exist, it will be created. - ``` + ```cmd copype.cmd ``` For example, the following command copies **amd64** architecture files to the **C:\winpe_amd64** directory: - ``` + ```cmd copype.cmd amd64 C:\winpe_amd64 ``` The script creates the destination directory structure and copies all the necessary files for that architecture. In the previous example, the following directories are created: - - ``` + + ```cmd C:\winpe_amd64 C:\winpe_amd64\fwfiles C:\winpe_amd64\media C:\winpe_amd64\mount ``` + 4. Mount the base Windows PE image (winpe.wim) to the \mount directory using the DISM tool. Mounting an image file unpacks the file contents into a folder so that you can make changes directly or by using tools such as DISM. See the following example. + ```cmd + dism.exe /mount-image /imagefile:c:\winpe_amd64\media\sources\boot.wim /index:1 /mountdir:C:\winpe_amd64\mount ``` - Dism /mount-image /imagefile:c:\winpe_amd64\media\sources\boot.wim /index:1 /mountdir:C:\winpe_amd64\mount - ``` - Verify that "The operation completed successfully" is displayed. Note: To view currently mounted images, type **dism /get-MountedWiminfo**. + + Verify that the message **The operation completed successfully** is displayed. + + > [!NOTE] + > To view currently mounted images, enter **`dism.exe /get-MountedWiminfo`**. 5. Map a network share to the root TFTP directory on the PXE/TFTP server and create a \Boot folder. Consult your TFTP server documentation to determine the root TFTP server directory, then enable sharing for this directory, and verify it can be accessed on the network. In the following example, the PXE server name is PXE-1 and the TFTP root directory is shared using a network path of **\\\PXE-1\TFTPRoot**: - ``` - net use y: \\PXE-1\TFTPRoot + ```cmd + net.exe use y: \\PXE-1\TFTPRoot y: md Boot ``` + 6. Copy the PXE boot files from the mounted directory to the \boot folder. For example: - ``` + ```cmd copy c:\winpe_amd64\mount\windows\boot\pxe\*.* y:\Boot ``` -7. Copy the boot.sdi file to the PXE/TFTP server. - ``` +7. Copy the boot.sdi file to the PXE/TFTP server. + + ```cmd copy C:\winpe_amd64\media\boot\boot.sdi y:\Boot ``` -8. Copy the bootable Windows PE image (boot.wim) to the \boot folder. - ``` +8. Copy the bootable Windows PE image (boot.wim) to the \boot folder. + + ```cmd copy C:\winpe_amd64\media\sources\boot.wim y:\Boot ``` -9. (Optional) Copy true type fonts to the \boot folder - ``` +9. (Optional) Copy TrueType fonts to the \boot folder + + ```cmd copy C:\winpe_amd64\media\Boot\Fonts y:\Boot\Fonts ``` ## Step 2: Configure boot settings and copy the BCD file -1. Create a BCD store using bcdedit.exe: +1. Create a BCD store using bcdedit.exe: + ```cmd + bcdedit.exe /createstore c:\BCD ``` - bcdedit /createstore c:\BCD - ``` -2. Configure RAMDISK settings: +2. Configure RAMDISK settings: + + ```cmd + bcdedit.exe /store c:\BCD /create {ramdiskoptions} /d "Ramdisk options" + bcdedit.exe /store c:\BCD /set {ramdiskoptions} ramdisksdidevice boot + bcdedit.exe /store c:\BCD /set {ramdiskoptions} ramdisksdipath \Boot\boot.sdi + bcdedit.exe /store c:\BCD /create /d "winpe boot image" /application osloader ``` - bcdedit /store c:\BCD /create {ramdiskoptions} /d "Ramdisk options" - bcdedit /store c:\BCD /set {ramdiskoptions} ramdisksdidevice boot - bcdedit /store c:\BCD /set {ramdiskoptions} ramdisksdipath \Boot\boot.sdi - bcdedit /store c:\BCD /create /d "winpe boot image" /application osloader - ``` + The last command will return a GUID, for example: - ``` + + ```console The entry {a4f89c62-2142-11e6-80b6-00155da04110} was successfully created. ``` + Copy this GUID for use in the next set of commands. In each command shown, replace "GUID1" with your GUID. -3. Create a new boot application entry for the Windows PE image: +3. Create a new boot application entry for the Windows PE image: + ```cmd + bcdedit.exe /store c:\BCD /set {GUID1} device ramdisk=[boot]\Boot\boot.wim,{ramdiskoptions} + bcdedit.exe /store c:\BCD /set {GUID1} path \windows\system32\winload.exe + bcdedit.exe /store c:\BCD /set {GUID1} osdevice ramdisk=[boot]\Boot\boot.wim,{ramdiskoptions} + bcdedit.exe /store c:\BCD /set {GUID1} systemroot \windows + bcdedit.exe /store c:\BCD /set {GUID1} detecthal Yes + bcdedit.exe /store c:\BCD /set {GUID1} winpe Yes ``` - bcdedit /store c:\BCD /set {GUID1} device ramdisk=[boot]\Boot\boot.wim,{ramdiskoptions} - bcdedit /store c:\BCD /set {GUID1} path \windows\system32\winload.exe - bcdedit /store c:\BCD /set {GUID1} osdevice ramdisk=[boot]\Boot\boot.wim,{ramdiskoptions} - bcdedit /store c:\BCD /set {GUID1} systemroot \windows - bcdedit /store c:\BCD /set {GUID1} detecthal Yes - bcdedit /store c:\BCD /set {GUID1} winpe Yes - ``` -4. Configure BOOTMGR settings (remember to replace GUID1 in the third command with your GUID): - ``` - bcdedit /store c:\BCD /create {bootmgr} /d "boot manager" - bcdedit /store c:\BCD /set {bootmgr} timeout 30 - bcdedit /store c:\BCD -displayorder {GUID1} -addlast - ``` -5. Copy the BCD file to your TFTP server: +4. Configure BOOTMGR settings (remember to replace GUID1 in the third command with your GUID): + ```cmd + bcdedit.exe /store c:\BCD /create {bootmgr} /d "boot manager" + bcdedit.exe /store c:\BCD /set {bootmgr} timeout 30 + bcdedit.exe /store c:\BCD -displayorder {GUID1} -addlast ``` + +5. Copy the BCD file to your TFTP server: + + ```cmd copy c:\BCD \\PXE-1\TFTPRoot\Boot\BCD ``` -Your PXE/TFTP server is now configured. You can view the BCD settings that have been configured using the command bcdedit /store <BCD file location> /enum all. See the following example. Note: Your GUID will be different than the one shown below. +Your PXE/TFTP server is now configured. You can view the BCD settings that have been configured using the command bcdedit.exe /store <BCD file location> /enum all. See the following example. Note: Your GUID will be different than the one shown below. -``` -C:\>bcdedit /store C:\BCD /enum all +```cmd +C:\>bcdedit.exe /store C:\BCD /enum all Windows Boot Manager -------------------- identifier {bootmgr} @@ -163,25 +178,46 @@ ramdisksdidevice boot ramdisksdipath \Boot\boot.sdi ``` ->[!TIP] ->If you start the PXE boot process, but receive the error that "The boot configuration data for your PC is missing or contains errors" then verify that \\boot directory is installed under the correct TFTP server root directory. In the example used here the name of this directory is TFTPRoot, but your TFTP server might be different. +> [!TIP] +> If you start the PXE boot process, but receive the error **The boot configuration data for your PC is missing or contains error**, then verify that `\boot` directory is installed under the correct TFTP server root directory. In the example used here the name of this directory is TFTPRoot, but your TFTP server might be different. ## PXE boot process summary The following process summarizes the PXE client boot. ->The following assumes that you have configured DHCP option 67 (Bootfile Name) to "boot\PXEboot.n12" which enables direct boot to PXE with no user interaction. For more information about DHCP options for network boot, see [Managing Network Boot Programs](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732351(v=ws.10)). + + +> [!NOTE] +> The following assumes that the client and PXE server are on the same network/subnet/vlan or that PXE requests have been appropriately forwarded from the client to the PXE server using IP helpers configured in the router or switch. For more information about IP helpers, see [Configuring Your Router to Forward Broadcasts](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732351(v=ws.10)#configuring-your-router-to-forward-broadcasts-recommended). + +1. A client contacts the PXE server. When the client is on a different network/subnet/vlan as the PXE server, the client is routed to the PXE server using the IP helpers. + +2. The PXE server sends DHCP options 060 (client identifier **PXEClient**), 066 (boot server host name) and 067 (boot file name) to the client. + +3. The client downloads `boot\PXEboot.n12` from the TFTP server based on DHCP option 067 boot file name value received from the PXE server. + +4. `PXEboot.n12` immediately begins a network boot. + +5. The client downloads `boot\bootmgr.exe` and the `boot\BCD` file from the TFTP server. + + > [!NOTE] + > The BCD store must reside in the `\boot` directory on the TFTP server and must be named BCD. + +6. `Bootmgr.exe` reads the BCD operating system entries and downloads `boot\boot.sdi` and the Windows PE image (`boot\boot.wim`). Optional files that can also be downloaded include TrueType fonts (`boot\Fonts\wgl4_boot.ttf`) and the hibernation state file (`\hiberfil.sys`) if these files are present. + +7. `Bootmgr.exe` starts Windows PE by calling `winload.exe` within the Windows PE image. + +8. Windows PE loads, a command prompt opens and `wpeinit.exe` is run to initialize Windows PE. + +9. The Windows PE client provides access to tools like `imagex.exe`, `diskpart.exe`, and `bcdboot.exe` using the Windows PE command prompt. With the help of these tools accompanied by a Windows 10 image file, the destination computer can be formatted properly to load a full Windows 10 operating system. + +### Related articles [Windows PE Walkthroughs](/previous-versions/windows/it-pro/windows-vista/cc748899(v=ws.10)) diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md index b3dd2899ed..f19a79ea47 100644 --- a/windows/deployment/deploy-enterprise-licenses.md +++ b/windows/deployment/deploy-enterprise-licenses.md @@ -12,7 +12,7 @@ ms.collection: highpri appliesto: - ✅ Windows 10 - ✅ Windows 11 -ms.date: 10/31/2022 +ms.date: 11/23/2022 --- # Deploy Windows Enterprise licenses @@ -252,7 +252,7 @@ Use the following procedures to review whether a particular device meets these r To determine if the computer has a firmware-embedded activation key, enter the following command at an elevated Windows PowerShell prompt: -```PowerShell +```powershell (Get-CimInstance -query 'select * from SoftwareLicensingService').OA3xOriginalProductKey ``` diff --git a/windows/deployment/deploy-m365.md b/windows/deployment/deploy-m365.md index f7574e0d11..6ec6b46d6c 100644 --- a/windows/deployment/deploy-m365.md +++ b/windows/deployment/deploy-m365.md @@ -8,17 +8,16 @@ ms.prod: windows-client ms.localizationpriority: medium author: frankroj ms.topic: article -ms.collection: M365-modern-desktop ms.custom: seo-marvel-apr2020 -ms.date: 10/31/2022 +ms.date: 11/23/2022 ms.technology: itpro-deploy --- # Deploy Windows 10 with Microsoft 365 -**Applies to** +*Applies to:* -- Windows 10 +- Windows 10 This article provides a brief overview of Microsoft 365 and describes how to use a free 90-day trial account to review some of the benefits of Microsoft 365. @@ -34,38 +33,40 @@ For Windows 10 deployment, Microsoft 365 includes a fantastic deployment advisor ## Free trial account -**If you already have a Microsoft services subscription account and access to the Microsoft 365 Admin Center** +### If you already have a Microsoft services subscription account and access to the Microsoft 365 Admin Center From the [Microsoft 365 Admin Center](https://portal.office.com), go to Billing and then Purchase services. In the Enterprise Suites section of the service offerings, you'll find Microsoft 365 E3 and Microsoft 365 E5 tiles. There are "Start Free Trial" options available for your selection by hovering your mouse over the tiles. -**If you do not already have a Microsoft services subscription** +### If you do not already have a Microsoft services subscription -You can check out the Microsoft 365 deployment advisor and other resources for free! Just follow the steps below. +You can check out the Microsoft 365 deployment advisor and other resources for free! Just follow the steps below. ->[!NOTE] ->If you have not run a setup guide before, you will see the **Prepare your environment** guide first. This is to make sure you have basics covered like domain verification and a method for adding users. At the end of the "Prepare your environment" guide, there will be a **Ready to continue** button that sends you to the original guide that was selected. +> [!NOTE] +> If you have not run a setup guide before, you will see the **Prepare your environment** guide first. This is to make sure you have basics covered like domain verification and a method for adding users. At the end of the "Prepare your environment" guide, there will be a **Ready to continue** button that sends you to the original guide that was selected. 1. [Obtain a free Microsoft 365 trial](/microsoft-365/commerce/try-or-buy-microsoft-365). 2. Check out the [Microsoft 365 deployment advisor](https://aka.ms/microsoft365setupguide). -3. Also check out the [Windows Analytics deployment advisor](/mem/configmgr/desktop-analytics/overview). This advisor will walk you through deploying [Desktop Analytics](/mem/configmgr/desktop-analytics/overview). +3. Also check out the [Windows Analytics deployment advisor](/mem/configmgr/desktop-analytics/overview). This advisor will walk you through deploying [Desktop Analytics](/mem/configmgr/desktop-analytics/overview). Examples of these two deployment advisors are shown below. - [Deploy Windows 10 with Microsoft 365](#deploy-windows-10-with-microsoft-365) - [Free trial account](#free-trial-account) + - [If you already have a Microsoft services subscription account and access to the Microsoft 365 Admin Center](#if-you-already-have-a-microsoft-services-subscription-account-and-access-to-the-microsoft-365-admin-center) + - [If you do not already have a Microsoft services subscription](#if-you-do-not-already-have-a-microsoft-services-subscription) - [Microsoft 365 deployment advisor example](#microsoft-365-deployment-advisor-example) - [Windows Analytics deployment advisor example](#windows-analytics-deployment-advisor-example) - [Microsoft 365 Enterprise poster](#microsoft-365-enterprise-poster) - [Related articles](#related-articles) ## Microsoft 365 deployment advisor example + ![Microsoft 365 deployment advisor.](images/m365da.png) ## Windows Analytics deployment advisor example - ## Microsoft 365 Enterprise poster [![Microsoft 365 Enterprise poster.](images/m365e.png)](https://aka.ms/m365eposter) diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md index 170984a53f..309fe14ba0 100644 --- a/windows/deployment/deploy-whats-new.md +++ b/windows/deployment/deploy-whats-new.md @@ -9,13 +9,14 @@ author: frankroj ms.topic: article ms.custom: seo-marvel-apr2020 ms.collection: highpri -ms.date: 10/31/2022 +ms.date: 11/23/2022 ms.technology: itpro-deploy --- # What's new in Windows client deployment -**Applies to:** +*Applies to:* + - Windows 10 - Windows 11 @@ -30,13 +31,14 @@ When you deploy Windows 11 with Autopilot, you can enable users to view addition ## Windows 11 Check out the following new articles about Windows 11: + - [Overview of Windows 11](/windows/whats-new/windows-11) - [Plan for Windows 11](/windows/whats-new/windows-11-plan) - [Prepare for Windows 11](/windows/whats-new/windows-11-prepare) The [Windows ADK for Windows 11](/windows-hardware/get-started/adk-install) is available.
    -## Deployment tools +## Deployment tools [SetupDiag](#setupdiag) is included with Windows 10, version 2004 and later, and Windows 11.
    New capabilities are available for [Delivery Optimization](#delivery-optimization) and [Windows Update for Business](#windows-update-for-business).
    @@ -51,6 +53,7 @@ The [Modern Desktop Deployment Center](/microsoft-365/enterprise/desktop-deploym ## Microsoft 365 Microsoft 365 is a new offering from Microsoft that combines + - Windows 10 - Office 365 - Enterprise Mobility and Security (EMS). @@ -68,6 +71,7 @@ Windows PowerShell cmdlets for Delivery Optimization have been improved: - **Enable-DeliveryOptimizationVerboseLogs** is a new cmdlet that enables a greater level of logging detail to help in troubleshooting. Other improvements in [Delivery Optimization](./do/waas-delivery-optimization.md) include: + - Enterprise network [throttling is enhanced](/windows-insider/archive/new-for-business#new-download-throttling-options-for-delivery-optimization-build-18917) to optimize foreground vs. background throttling. - Automatic cloud-based congestion detection is available for PCs with cloud service support. - Improved peer efficiency for enterprises and educational institutions with complex networks is enabled with [new policies](/windows/client-management/mdm/policy-csp-deliveryoptimization). These policies now support Microsoft 365 Apps for enterprise updates and Intune content. @@ -84,6 +88,7 @@ The following Delivery Optimization policies are removed in the Windows 10, vers ### Windows Update for Business [Windows Update for Business](./update/waas-manage-updates-wufb.md) enhancements in this release include: + - Intune console updates: target version is now available allowing you to specify which version of Windows 10 you want devices to move to. Additionally, this capability enables you to keep devices on their current version until they reach end of service. Check it out in Intune, also available as a Group Policy and Configuration Service Provider (CSP) policy. - Validation improvements: To ensure devices and end users stay productive and protected, Microsoft uses safeguard holds to block devices from updating when there are known issues that would impact that device. Also, to better enable IT administrators to validate on the latest release, we've created a new policy that enables admins to opt devices out of the built-in safeguard holds. diff --git a/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md index c723dc30ae..23b36c4d59 100644 --- a/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md @@ -15,46 +15,53 @@ ms.date: 10/27/2022 # Add a Windows 10 operating system image using Configuration Manager -**Applies to** +*Applies to:* -- Windows 10 +- Windows 10 Operating system images are typically the production image used for deployment throughout the organization. This article shows you how to add a Windows 10 operating system image created with Microsoft Configuration Manager, and how to distribute the image to a distribution point. ## Infrastructure For the purposes of this guide, we'll use one server computer: CM01. + - CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. - CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). ->[!IMPORTANT] ->The procedures in this article require a reference image. Our reference images is named **REFW10-X64-001.wim**. If you have not already created a reference image, then perform all the steps in [Create a Windows 10 reference image](../deploy-windows-mdt/create-a-windows-10-reference-image.md) on CM01, replacing MDT01 with CM01. The final result will be a reference image located in the D:\MDTBuildLab\Captures folder that you can use for the procedure below. +> [!IMPORTANT] +> The procedures in this article require a reference image. Our reference images is named **REFW10-X64-001.wim**. If you have not already created a reference image, then perform all the steps in [Create a Windows 10 reference image](../deploy-windows-mdt/create-a-windows-10-reference-image.md) on CM01, replacing MDT01 with CM01. The final result will be a reference image located in the D:\MDTBuildLab\Captures folder that you can use for the procedure below. - ## Add a Windows 10 operating system image +## Add a Windows 10 operating system image On **CM01**: -1. Using File Explorer, in the **D:\\Sources\\OSD\\OS** folder, create a subfolder named **Windows 10 Enterprise x64 RTM**. -2. Copy the REFW10-X64-001.wim file to the **D:\\Sources\\OSD\\OS\\Windows 10 Enterprise x64 RTM** folder. +1. Using File Explorer, in the **`D:\Sources\OSD\OS`** folder, create a subfolder named **Windows 10 Enterprise x64 RTM**. + +2. Copy the `REFW10-X64-001.wim` file to the **`D:\Sources\OSD\OS\Windows 10 Enterprise x64 RTM`** folder. ![figure 17.](../images/ref-image.png) The Windows 10 image being copied to the Sources folder structure. -3. Using the Configuration Manager Console, in the Software Library workspace, right-click **Operating System Images**, and select **Add Operating System Image**. -4. On the **Data Source** page, in the **Path:** text box, browse to \\\\CM01\\Sources$\\OSD\\OS\\Windows 10 Enterprise x64 RTM\\REFW10-X64-001.wim, select x64 next to Architecture and choose a language, then select **Next**. -5. On the **General** page, assign the name Windows 10 Enterprise x64 RTM, select **Next** twice, and then select **Close**. -6. Distribute the operating system image to the CM01 distribution point by right-clicking the **Windows 10 Enterprise x64 RTM** operating system image and then clicking **Distribute Content**. -7. In the Distribute Content Wizard, add the CM01 distribution point, select **Next** and select **Close**. -8. View the content status for the Windows 10 Enterprise x64 RTM package. Don't continue until the distribution is completed (it might take a few minutes). You also can review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for the **STATMSG: ID=2301** line. +3. Using the Configuration Manager Console, in the **Software Library** workspace, right-click **Operating System Images**, and select **Add Operating System Image**. + +4. On the **Data Source** page, in the **Path:** text box, browse to **`\\CM01\Sources$\OSD\OS\Windows 10 Enterprise x64 RTM\REFW10-X64-001.wim`**, select x64 next to Architecture and choose a language, then select **Next**. + +5. On the **General** page, assign the name Windows 10 Enterprise x64 RTM, select **Next** twice, and then select **Close**. + +6. Distribute the operating system image to the CM01 distribution point by right-clicking the **Windows 10 Enterprise x64 RTM** operating system image and then clicking **Distribute Content**. + +7. In the Distribute Content Wizard, add the CM01 distribution point, select **Next** and select **Close**. + +8. View the content status for the Windows 10 Enterprise x64 RTM package. Don't continue until the distribution is completed (it might take a few minutes). You also can review the `D:\Program Files\Microsoft Configuration Manager\Logs\distmgr.log` file and look for the **STATMSG: ID=2301** line. ![figure 18.](../images/fig18-distwindows.png) The distributed Windows 10 Enterprise x64 RTM package. -Next, see [Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md). +Next, see [Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md). ## Related articles diff --git a/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md index 7dfcbe25b8..feff4155ed 100644 --- a/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md @@ -15,25 +15,26 @@ ms.date: 10/27/2022 # Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager -**Applies to** +*Applies to:* - Windows 10 In this article, you'll learn how to configure the Windows Preinstallation Environment (Windows PE) to include the network drivers required to connect to the deployment share and the storage drivers required to see the local storage on machines. Even though the Windows PE boot image and the Windows 10 operating system contain many out-of-the-box drivers, it's likely you'll have to add new or updated drivers to support all your hardware. In this section, you import drivers for both Windows PE and the full Windows 10 operating system. For the purposes of this guide, we'll use one server computer: CM01. + - CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). ## Add drivers for Windows PE -This section will show you how to import some network and storage drivers for Windows PE. +This section will show you how to import some network and storage drivers for Windows PE. ->[!NOTE] ->Windows PE usually has a fairly comprehensive set of drivers out of the box, assuming that you are using a recent version of the Windows ADK. This is different than the full Windows OS which will often require drivers. You shouldn't add drivers to Windows PE unless you've an issue or are missing functionality, and in these cases you should only add the driver that you need. An example of a common driver that is added is the Intel I217 driver. Adding too many drivers can cause conflicts and lead to driver bloat in the Config Mgr database. This section shows you how to add drivers, but typically you can just skip this procedure. +> [!NOTE] +> Windows PE usually has a fairly comprehensive set of drivers out of the box, assuming that you are using a recent version of the Windows ADK. This is different than the full Windows OS which will often require drivers. You shouldn't add drivers to Windows PE unless you've an issue or are missing functionality, and in these cases you should only add the driver that you need. An example of a common driver that is added is the Intel I217 driver. Adding too many drivers can cause conflicts and lead to driver bloat in the Config Mgr database. This section shows you how to add drivers, but typically you can just skip this procedure. -This section assumes you've downloaded some drivers to the **D:\\Sources\\OSD\\DriverSources\\WinPE x64** folder on CM01. +This section assumes you've downloaded some drivers to the **`D:\Sources\OSD\DriverSources\WinPE x64`** folder on CM01. ![Drivers.](../images/cm01-drivers.png) @@ -41,12 +42,18 @@ Driver folder structure on CM01 On **CM01**: -1. Using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click the **Drivers** node and select **Import Driver**. -2. In the Import New Driver Wizard, on the **Specify a location to import driver** page, select the **Import all drivers in the following network path (UNC)** option, browse to the **\\\\CM01\\Sources$\\OSD\\DriverSources\\WinPE x64** folder and select **Next**. +1. Using the Configuration Manager Console, in the **Software Library** workspace, expand **Operating Systems**, right-click the **Drivers** node and select **Import Driver**. + +2. In the Import New Driver Wizard, on the **Specify a location to import driver** page, select the **Import all drivers in the following network path (UNC)** option, browse to the **`\\CM01\Sources$\OSD\DriverSources\WinPE x64`** folder and select **Next**. + 3. On the **Specify the details for the imported driver** page, select **Categories**, create a category named **WinPE x64**, and then select **Next**. + 4. On the **Select the packages to add the imported driver** page, select **Next**. + 5. On the **Select drivers to include in the boot image** page, select the **Zero Touch WinPE x64** boot image and select **Next**. + 6. In the popup window that appears, select **Yes** to automatically update the distribution point. + 7. Select **Next**, wait for the image to be updated, and then select **Close**. ![Add drivers to Windows PE step 1.](../images/fig21-add-drivers1.png)
    @@ -68,27 +75,28 @@ Driver folder structure on CM01 On **CM01**: -1. Using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click the **Drivers** node and select **Import Driver**. -2. In the Import New Driver Wizard, on the **Specify a location to import driver** page, select the **Import all drivers in the following network path (UNC)** option, browse to the **\\\\CM01\\Sources$\\OSD\\DriverSources\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w** folder and select **Next**. Wait a minute for driver information to be validated. +1. Using the Configuration Manager Console, in the **Software Library** workspace, expand **Operating Systems**, right-click the **Drivers** node and select **Import Driver**. + +2. In the Import New Driver Wizard, on the **Specify a location to import driver** page, select the **Import all drivers in the following network path (UNC)** option, browse to the **`\\CM01\Sources$\OSD\DriverSources\Windows 10 x64\Hewlett-Packard\HP EliteBook 8560w`** folder and select **Next**. Wait a minute for driver information to be validated. + 3. On the **Specify the details for the imported driver** page, select **Categories**, create a category named **Windows 10 x64 - HP EliteBook 8560w**, select **OK**, and then select **Next**. ![Create driver categories.](../images/fig22-createcategories.png "Create driver categories") Create driver categories - 4. On the **Select the packages to add the imported driver** page, select **New Package**, use the following settings for the package, and then select **Next**: - * Name: Windows 10 x64 - HP EliteBook 8560w - * Path: \\\\CM01\\Sources$\\OSD\\DriverPackages\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w + - Name: Windows 10 x64 - HP EliteBook 8560w + - Path: **`\\CM01\Sources$\OSD\DriverPackages\Windows 10 x64\Hewlett-Packard\HP EliteBook 8560w`** - >[!NOTE] - >The package path does not yet exist, so you've to type it in. The wizard will create the new package using the path you specify. + > [!NOTE] + > The package path does not yet exist so it has to be created by typing it in. The wizard will create the new package using the path you specify. -5. On the **Select drivers to include in the boot image** page, don't select anything, and select **Next** twice. After the package has been created, select **Close**. +5. On the **Select drivers to include in the boot image** page, don't select anything, and select **Next** twice. After the package has been created, select **Close**. - >[!NOTE] - >If you want to monitor the driver import process more closely, you can open the SMSProv.log file during driver import. + > [!NOTE] + > If you want to monitor the driver import process more closely, you can open the SMSProv.log file during driver import. ![Drivers imported and a new driver package created.](../images/cm01-drivers-packages.png "Drivers imported and a new driver package created") diff --git a/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md index 25f8bd58cf..bc6f5f88b1 100644 --- a/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md @@ -15,14 +15,16 @@ ms.date: 10/27/2022 # Create a custom Windows PE boot image with Configuration Manager -**Applies to** +*Applies to:* - Windows 10 In Microsoft Configuration Manager, you can create custom Windows Preinstallation Environment (Windows PE) boot images that include extra components and features. This article shows you how to create a custom Windows PE 5.0 boot image with the Microsoft Deployment Toolkit (MDT) wizard. You can also add the Microsoft Diagnostics and Recovery Toolset (DaRT) 10 to the boot image as part of the boot image creation process. + - The boot image that is created is based on the version of ADK that is installed. For the purposes of this guide, we'll use one server computer: CM01. + - CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). @@ -31,16 +33,21 @@ For the purposes of this guide, we'll use one server computer: CM01. The steps below outline the process for adding DaRT 10 installation files to the MDT installation directory. You also copy a custom background image to be used later. These steps are optional. If you don't wish to add DaRT, skip the steps below to copy DaRT tools, and later skip adding the DaRT component to the boot image. -We assume you've downloaded [Microsoft Desktop Optimization Pack (MDOP) 2015](https://my.visualstudio.com/Downloads?q=Desktop%20Optimization%20Pack%202015) and copied the x64 version of MSDaRT100.msi to the **C:\\Setup\\DaRT 10** folder on CM01. We also assume you've created a custom background image and saved it in **C:\\Setup\\Branding** on CM01. In this section, we use a custom background image named ContosoBackground.bmp. +We assume you've downloaded [Microsoft Desktop Optimization Pack (MDOP) 2015](https://my.visualstudio.com/Downloads?q=Desktop%20Optimization%20Pack%202015) and copied the x64 version of MSDaRT100.msi to the **C:\\Setup\\DaRT 10** folder on CM01. We also assume you've created a custom background image and saved it in **`C:\Setup\Branding`** on CM01. In this section, we use a custom background image named [ContosoBackground.png](../images/ContosoBackground.png) On **CM01**: -1. Install DaRT 10 (C:\\Setup\\DaRT 10\\MSDaRT100.msi) using the default settings. -2. Using File Explorer, navigate to the **C:\\Program Files\\Microsoft DaRT\\v10** folder. -3. Copy the Toolsx64.cab file to the **C:\\Program Files\\Microsoft Deployment Toolkit\\Templates\\Distribution\\Tools\\x64** folder. -4. Copy the Toolsx86.cab file to the **C:\\Program Files\\Microsoft Deployment Toolkit\\Templates\\Distribution\\Tools\\x86** folder. -5. Using File Explorer, navigate to the **C:\\Setup** folder. -6. Copy the **Branding** folder to **D:\\Sources\\OSD**. +1. Install DaRT 10 (**`C:\\Setup\\DaRT 10\\MSDaRT100.msi`**) using the default settings. + +2. Using File Explorer, navigate to the **`C:\Program Files\Microsoft DaRT\v10`** folder. + +3. Copy the Toolsx64.cab file to the **`C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x64`** folder. + +4. Copy the Toolsx86.cab file to the **`C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x86`** folder. + +5. Using File Explorer, navigate to the **`C:\Setup`** folder. + +6. Copy the **Branding** folder to **`D:\Sources\OSD`**. ## Create a boot image for Configuration Manager using the MDT wizard @@ -48,15 +55,18 @@ By using the MDT wizard to create the boot image in Configuration Manager, you g On **CM01**: -1. Using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click **Boot Images**, and select **Create Boot Image using MDT**. -2. On the **Package Source** page, in the **Package source folder to be created (UNC Path):** text box, type **\\\\CM01\\Sources$\\OSD\\Boot\\Zero Touch WinPE x64** and select **Next**. +1. Using the Configuration Manager Console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Boot Images**, and select **Create Boot Image using MDT**. - >[!NOTE] - >The Zero Touch WinPE x64 folder does not yet exist. The folder will be created later by the wizard. +2. On the **Package Source** page, in the **Package source folder to be created (UNC Path):** text box, enter **`\\CM01\Sources$\OSD\Boot\Zero Touch WinPE x64`** and select **Next**. -3. On the **General Settings** page, assign the name **Zero Touch WinPE x64** and select **Next**. -4. On the **Options** page, select the **x64** platform, and select **Next**. -5. On the **Components** page, in addition to the default selected **Microsoft Data Access Components (MDAC/ADO)** support, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** check box and select **Next**. + > [!NOTE] + > The Zero Touch WinPE x64 folder does not yet exist. The folder will be created later by the wizard. + +3. On the **General Settings** page, assign the name **Zero Touch WinPE x64** and select **Next**. + +4. On the **Options** page, select the **x64** platform, and select **Next**. + +5. On the **Components** page, in addition to the default selected **Microsoft Data Access Components (MDAC/ADO)** support, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** check box and select **Next**. ![Add the DaRT component to the Configuration Manager boot image.](../images/mdt-06-fig16.png "Add the DaRT component to the Configuration Manager boot image") @@ -64,19 +74,25 @@ On **CM01**: >Note: Another common component to add here is Windows PowerShell to enable PowerShell support within Windows PE. -6. On the **Customization** page, select the **Use a custom background bitmap file** check box, and in the **UNC path:** text box, browse to **\\\\CM01\\Sources$\\OSD\\Branding\\ContosoBackground.bmp** and then select **Next** twice. Wait a few minutes while the boot image is generated, and then select **Finish**. -7. Distribute the boot image to the CM01 distribution point by selecting the **Boot images** node, right-clicking the **Zero Touch WinPE x64** boot image, and selecting **Distribute Content**. -8. In the Distribute Content Wizard, add the CM01 distribution point, and complete the wizard. -9. Using Configuration Manager Trace, review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file. Don't continue until you can see that the boot image is distributed. Look for the line that reads **STATMSG: ID=2301**. You also can monitor Content Status in the Configuration Manager Console at **\Monitoring\Overview\Distribution Status\Content Status\Zero Touch WinPE x64**. See the following examples: +6. On the **Customization** page, select the **Use a custom background bitmap file** check box, and in the **UNC path:** text box, browse to **`\\CM01\Sources$\OSD\Branding\ContosoBackground.bmp`** and then select **Next** twice. Wait a few minutes while the boot image is generated, and then select **Finish**. + +7. Distribute the boot image to the CM01 distribution point by selecting the **Boot images** node, right-clicking the **Zero Touch WinPE x64** boot image, and selecting **Distribute Content**. + +8. In the Distribute Content Wizard, add the CM01 distribution point, and complete the wizard. + +9. Using Configuration Manager Trace, review the `D:\Program Files\Microsoft Configuration Manager\Logs\distmgr.log` file. Don't continue until you can see that the boot image is distributed. Look for the line that reads **STATMSG: ID=2301**. You also can monitor Content Status in the Configuration Manager Console at **Monitoring** > **Overview** > **Distribution Status** > **Content Status** > **Zero Touch WinPE x64**. See the following examples: ![Content status for the Zero Touch WinPE x64 boot image step 1.](../images/fig16-contentstatus1.png)
    ![Content status for the Zero Touch WinPE x64 boot image step 2.](../images/fig16-contentstatus2.png) Content status for the Zero Touch WinPE x64 boot image -10. Using the Configuration Manager Console, in the Software Library workspace, under **Boot Images**, right-click the **Zero Touch WinPE x64** boot image and select **Properties**. +10. Using the Configuration Manager Console, in the **Software Library** workspace, under **Boot Images**, right-click the **Zero Touch WinPE x64** boot image and select **Properties**. + 11. On the **Data Source** tab, select the **Deploy this boot image from the PXE-enabled distribution point** check box, and select **OK**. + 12. Using Configuration Manager Trace, review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for this text: **Expanding PS100009 to D:\\RemoteInstall\\SMSImages**. + 13. Review the **D:\\RemoteInstall\\SMSImages** folder. You should see three folders containing boot images. Two are from the default boot images, and the third folder (PS100009) is from your new boot image with DaRT. See the examples below: ![PS100009 step 1.](../images/ps100009-1.png)
    diff --git a/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md b/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md index 3378ffe20d..dc5fff054b 100644 --- a/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md +++ b/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md @@ -14,13 +14,14 @@ ms.date: 10/27/2022 # Create a task sequence with Configuration Manager and MDT -**Applies to** +*Applies to:* -- Windows 10 +- Windows 10 In this article, you'll learn how to create a Configuration Manager task sequence with Microsoft Deployment Toolkit (MDT) integration using the MDT wizard. Creating task sequences in Configuration Manager requires many more steps than creating task sequences for MDT Lite Touch installation. Luckily, the MDT wizard helps you through the process and also guides you through creating the needed packages. For the purposes of this guide, we'll use one server computer: CM01. + - CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). Note: Active Directory [permissions](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md#configure-active-directory-permissions) for the **CM_JD** account are required for the task sequence to work properly. @@ -31,32 +32,46 @@ This section walks you through the process of creating a Configuration Manager t On **CM01**: -1. Using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create MDT Task Sequence**. -2. On the **Choose Template** page, select the **Client Task Sequence** template and select **Next**. -3. On the **General** page, assign the following settings and then select **Next**: - * Task sequence name: Windows 10 Enterprise x64 RTM - * Task sequence comments: Production image with Office 365 Pro Plus x64 -4. On the **Details** page, assign the following settings and then select **Next**: - * Join a Domain - * Domain: contoso.com - * Account: contoso\\CM\_JD - * Password: pass@word1 - * Windows Settings - * User name: Contoso - * Organization name: Contoso - * Product key: <blank> +1. Using the Configuration Manager Console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create MDT Task Sequence**. + +2. On the **Choose Template** page, select the **Client Task Sequence** template and select **Next**. + +3. On the **General** page, assign the following settings and then select **Next**: + - Task sequence name: Windows 10 Enterprise x64 RTM + - Task sequence comments: Production image with Office 365 Pro Plus x64 + +4. On the **Details** page, assign the following settings and then select **Next**: + - Join a Domain + - Domain: contoso.com + - Account: contoso\\CM\_JD + - Password: pass@word1 + - Windows Settings + - User name: Contoso + - Organization name: Contoso + - Product key: *\* + +5. On the **Capture Settings** page, accept the default settings, and select **Next**. + +6. On the **Boot Image** page, browse and select the **Zero Touch WinPE x64** boot image package. Then select **Next**. + +7. On the **MDT Package** page, select **Create a new Microsoft Deployment Toolkit Files package**, and in the **Package source folder to be created (UNC Path):** text box, enter **`\\CM01\Sources$\OSD\MDT\MDT`**. Then select **Next**. + +8. On the **MDT Details** page, assign the name **MDT** and select **Next**. + +9. On the **OS Image** page, browse and select the **Windows 10 Enterprise x64 RTM** package. Then select **Next**. -5. On the **Capture Settings** page, accept the default settings, and select **Next**. -6. On the **Boot Image** page, browse and select the **Zero Touch WinPE x64** boot image package. Then select **Next**. -7. On the **MDT Package** page, select **Create a new Microsoft Deployment Toolkit Files package**, and in the **Package source folder to be created (UNC Path):** text box, type **\\\\CM01\\Sources$\\OSD\\MDT\\MDT**. Then select **Next**. -8. On the **MDT Details** page, assign the name **MDT** and select **Next**. -9. On the **OS Image** page, browse and select the **Windows 10 Enterprise x64 RTM** package. Then select **Next**. 10. On the **Deployment Method** page, accept the default settings (Zero Touch installation) and select **Next**. + 11. On the **Client Package** page, browse and select the **Microsoft Corporation Configuration Manager Client Package** and select **Next**. + 12. On the **USMT Package** page, browse and select the **Microsoft Corporation User State Migration Tool for Windows** package and select **Next**. -13. On the **Settings Package** page, select the **Create a new settings package** option, and in the **Package source folder to be created (UNC Path):** text box, type **\\\\CM01\\Sources$\\OSD\\Settings\\Windows 10 x64 Settings** and select **Next**. + +13. On the **Settings Package** page, select the **Create a new settings package** option, and in the **Package source folder to be created (UNC Path):** text box, enter **`\\CM01\Sources$\OSD\Settings\Windows 10 x64 Settings`** and select **Next**. + 14. On the **Settings Details** page, assign the name **Windows 10 x64 Settings** and select **Next**. + 15. On the **Sysprep Package** page, select **Next** twice. + 16. On the **Confirmation** page, select **Finish**. ## Edit the task sequence @@ -65,66 +80,70 @@ After you create the task sequence, we recommend that you configure the task seq On **CM01**: -1. Using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, select **Task Sequences**, right-click the **Windows 10 Enterprise x64 RTM** task sequence, and select **Edit**. -2. In the **Install** group (about halfway down), select the **Set Variable for Drive Letter** action and configure the following: - * OSDPreserveDriveLetter: True - - >[!NOTE] - >If you don't change this value, your Windows installation will end up in D:\\Windows. +1. Using the Configuration Manager Console, in the **Software Library** workspace, expand **Operating Systems**, select **Task Sequences**, right-click the **Windows 10 Enterprise x64 RTM** task sequence, and select **Edit**. + +2. In the **Post Install** group, select **Apply Network Settings**, and configure the **Domain OU** value to use the **Contoso / Computers / Workstations** OU (browse for values). + +3. In the **Post Install** group, disable the **Auto Apply Drivers** action. (Disabling is done by selecting the action and, in the **Options** tab, selecting the **Disable this step** check box.) + +4. After the disabled **Post Install / Auto Apply Drivers** action, add a new group name: **Drivers**. + +5. After the **Post Install / Drivers** group, add an **Apply Driver Package** action with the following settings: + + - Name: HP EliteBook 8560w + - Driver Package: Windows 10 x64 - HP EliteBook 8560w + - Options tab - Add Condition: Task Sequence Variable: Model equals HP EliteBook 8560w + + > [!NOTE] + > You also can add a Query WMI condition with the following query: SELECT \* FROM Win32\_ComputerSystem WHERE Model LIKE '%HP EliteBook 8560w%' -3. In the **Post Install** group, select **Apply Network Settings**, and configure the **Domain OU** value to use the **Contoso / Computers / Workstations** OU (browse for values). -4. In the **Post Install** group, disable the **Auto Apply Drivers** action. (Disabling is done by selecting the action and, in the **Options** tab, selecting the **Disable this step** check box.) -5. After the disabled **Post Install / Auto Apply Drivers** action, add a new group name: **Drivers**. -6. After the **Post Install / Drivers** group, add an **Apply Driver Package** action with the following settings: - * Name: HP EliteBook 8560w - * Driver Package: Windows 10 x64 - HP EliteBook 8560w - * Options tab - Add Condition: Task Sequence Variable: Model equals HP EliteBook 8560w - - >[!NOTE] - >You also can add a Query WMI condition with the following query: SELECT \* FROM Win32\_ComputerSystem WHERE Model LIKE '%HP EliteBook 8560w%' - ![Driver package options.](../images/fig27-driverpackage.png "Driver package options") - + The driver package options -7. In the **State Restore / Install Applications** group, select the **Install Application** action. -8. Select the **Install the following applications** radio button, and add the OSD / Adobe Reader DC - OSD Install application to the list. +6. In the **State Restore / Install Applications** group, select the **Install Application** action. + +7. Select the **Install the following applications** radio button, and add the OSD / Adobe Reader DC - OSD Install application to the list. ![Add an application to the task sequence.](../images/fig28-addapp.png "Add an application to the task sequence") Add an application to the Configuration Manager task sequence - >[!NOTE] - >In recent versions of Configuration Manager the Request State Store and Release State Store actions described below are present by default. These actions are used for common computer replace scenarios. There's also the additional condition on the options tab: USMTOfflineMigration not equals TRUE. If these actions are not present, try updating to the Config Mgr current branch release. + > [!NOTE] + > In recent versions of Configuration Manager the Request State Store and Release State Store actions described below are present by default. These actions are used for common computer replace scenarios. There's also the additional condition on the options tab: USMTOfflineMigration not equals TRUE. If these actions are not present, try updating to the latest Configuration Manager current branch release. -9. In the **State Restore** group, after the **Set Status 5** action, verify there's a **User State \ Request State Store** action with the following settings: - * Request state storage location to: Restore state from another computer - * If computer account fails to connect to state store, use the Network Access account: selected - * Options: Continue on error - * Options / Add Condition: - * Task Sequence Variable - * USMTLOCAL not equals True +8. In the **State Restore** group, after the **Set Status 5** action, verify there's a **User State \ Request State Store** action with the following settings: -10. In the **State Restore** group, after the **Restore User State** action, verify there's a **Release State Store** action with the following settings: - * Options: Continue on error - * Options / Condition: - * Task Sequence Variable - * USMTLOCAL not equals True + - Request state storage location to: Restore state from another computer + - If computer account fails to connect to state store, use the Network Access account: selected + - Options: Continue on error + - Options / Add Condition: + - Task Sequence Variable + - USMTLOCAL not equals True -11. Select **OK**. +9. In the **State Restore** group, after the **Restore User State** action, verify there's a **Release State Store** action with the following settings: + - Options: Continue on error + - Options / Condition: + - Task Sequence Variable + - USMTLOCAL not equals True + +10. Select **OK**. ## Organize your packages (optional) -If desired, you can create a folder structure for packages. This folder structure is purely for organizational purposes and is useful if you need to manage a large number of packages. +If desired, you can create a folder structure for packages. This folder structure is purely for organizational purposes and is useful if you need to manage a large number of packages. To create a folder for packages: On **CM01**: -1. Using the Configuration Manager Console, in the Software Library workspace, expand **Application Management**, and then select **Packages**. -2. Right-click **Packages**, point to **Folder**, select **Create Folder** and create the OSD folder. This process will create the Root \ OSD folder structure. -3. Select the **MDT**, **User State Migration Tool for Windows**, and **Windows 10 x64 Settings** packages, right-click and select **Move**. -4. In the **Move Selected Items** dialog box, select the **OSD** folder, and select **OK**. +1. Using the Configuration Manager Console, in the **Software Library** workspace, expand **Application Management**, and then select **Packages**. + +2. Right-click **Packages**, point to **Folder**, select **Create Folder** and create the OSD folder. This process will create the Root \ OSD folder structure. + +3. Select the **MDT**, **User State Migration Tool for Windows**, and **Windows 10 x64 Settings** packages, right-click and select **Move**. + +4. In the **Move Selected Items** dialog box, select the **OSD** folder, and select **OK**. Next, see [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md). diff --git a/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md index 104e5718ef..7a7d509012 100644 --- a/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md @@ -15,62 +15,73 @@ ms.date: 10/27/2022 # Create an application to deploy with Windows 10 using Configuration Manager +*Applies to:* -**Applies to** - -- Windows 10 +- Windows 10 Microsoft Configuration Manager supports deploying applications as part of the Windows 10 deployment process. In this section, you create an application in Microsoft Configuration Manager that you later configure the task sequence to use. For the purposes of this guide, we'll use one server computer: CM01. -- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. ->[!NOTE] ->The [reference image](add-a-windows-10-operating-system-image-using-configuration-manager.md) used in this lab already contains some applications, such as Microsoft Office 365 Pro Plus x64. The procedure demonstrated in this article enables you to add some additional custom applications beyond those included in the reference image. +- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. + +> [!NOTE] +> The [reference image](add-a-windows-10-operating-system-image-using-configuration-manager.md) used in this lab already contains some applications, such as Microsoft Office 365 Pro Plus x64. The procedure demonstrated in this article enables you to add some additional custom applications beyond those included in the reference image. ## Example: Create the Adobe Reader application On **CM01**: -1. Create the **D:\Setup** folder if it doesn't already exist. -1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (ex: AcroRdrDC2000620034_en_US.exe) to **D:\\Setup\\Adobe** on CM01. The filename will differ depending on the version of Acrobat Reader. -2. Extract the .exe file that you downloaded to a .msi. The source folder will differ depending on where you downloaded the file. See the following example: +1. Create the **`D:\Setup`** folder if it doesn't already exist. - ```powershell - Set-Location C:\Users\administrator.CONTOSO\Downloads - .\AcroRdrDC2000620034_en_US.exe -sfx_o"d:\Setup\Adobe\" -sfx_ne - ``` - >Note: the extraction process will create the "Adobe" folder +2. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (ex: AcroRdrDC2000620034_en_US.exe) to **`D:\Setup\Adobe`** on CM01. The filename will differ depending on the version of Acrobat Reader. -3. Using File Explorer, copy the **D:\\Setup\\Adobe** folder to the **D:\\Sources\\Software\\Adobe** folder. -4. In the Configuration Manager Console, in the Software Library workspace, expand **Application Management**. -5. Right-click **Applications**, point to **Folder** and then select **Create Folder**. Assign the name **OSD**. -6. Right-click the **OSD** folder, and select **Create Application**. -7. In the Create Application Wizard, on the **General** page, use the following settings: +3. Extract the .exe file that you downloaded to a .msi. The source folder will differ depending on where you downloaded the file. See the following example: - * Automatically detect information about this application from installation files - * Type: Windows Installer (\*.msi file) - * Location: \\\\CM01\\Sources$\\Software\\Adobe\\AcroRead.msi + ```powershell + Set-Location C:\Users\administrator.CONTOSO\Downloads + .\AcroRdrDC2000620034_en_US.exe -sfx_o"d:\Setup\Adobe\" -sfx_ne + ``` + + > [!NOTE] + > The extraction process will create the "Adobe" folder. + +4. Using File Explorer, copy the **`D:\Setup\Adobe`** folder to the **`D:\Sources\Software\Adobe`** folder. + +5. In the Configuration Manager Console, in the **Software Library** workspace, expand **Application Management**. + +6. Right-click **Applications**, point to **Folder** and then select **Create Folder**. Assign the name **OSD**. + +7. Right-click the **OSD** folder, and select **Create Application**. + +8. In the Create Application Wizard, on the **General** page, use the following settings: + + - Automatically detect information about this application from installation files + - Type: Windows Installer (\*.msi file) + - Location: `\\CM01\Sources$\Software\Adobe\AcroRead.msi` ![The Create Application Wizard.](../images/mdt-06-fig20.png "The Create Application Wizard") The Create Application Wizard -8. Select **Next**, and wait while Configuration Manager parses the MSI file. -9. On the **Import Information** page, review the information and then select **Next**. -10. On the **General Information** page, name the application Adobe Acrobat Reader DC - OSD Install, select **Next** twice, and then select **Close**. +9. Select **Next**, and wait while Configuration Manager parses the MSI file. - >[!NOTE] - >Because it is not possible to reference an application deployment type in the task sequence, you should have a single deployment type for applications deployed by the task sequence. If you are deploying applications via both the task sequence and normal application deployment, and you have multiple deployment types, you should have two applications of the same software. In this section, you add the "OSD Install" suffix to applications that are deployed via the task sequence. If using packages, you can still reference both package and program in the task sequence. +10. On the **Import Information** page, review the information and then select **Next**. + +11. On the **General Information** page, name the application Adobe Acrobat Reader DC - OSD Install, select **Next** twice, and then select **Close**. + + > [!NOTE] + > Because it is not possible to reference an application deployment type in the task sequence, you should have a single deployment type for applications deployed by the task sequence. If you are deploying applications via both the task sequence and normal application deployment, and you have multiple deployment types, you should have two applications of the same software. In this section, you add the "OSD Install" suffix to applications that are deployed via the task sequence. If using packages, you can still reference both package and program in the task sequence. - ![Add the OSD Install suffix to the application name.](../images/mdt-06-fig21.png "Add the OSD Install suffix to the application name") + ![Add the OSD Install suffix to the application name.](../images/mdt-06-fig21.png "Add the OSD Install suffix to the application name") - Add the "OSD Install" suffix to the application name + Add the "OSD Install" suffix to the application name -11. In the **Applications** node, select the Adobe Reader - OSD Install application, and select **Properties** on the ribbon bar (this path is another place to view properties, you can also right-click and select properties). -12. On the **General Information** tab, select the **Allow this application to be installed from the Install Application task sequence action without being deployed** check box, and select **OK**. +12. In the **Applications** node, select the Adobe Reader - OSD Install application, and select **Properties** on the ribbon bar (this path is another place to view properties, you can also right-click and select properties). -Next, see [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md). +13. On the **General Information** tab, select the **Allow this application to be installed from the Install Application task sequence action without being deployed** check box, and select **OK**. + +Next, see [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md). ## Related articles diff --git a/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md b/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md index c9e0d32d11..6a0dd625b6 100644 --- a/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md @@ -14,13 +14,14 @@ ms.date: 10/27/2022 # Deploy Windows 10 using PXE and Configuration Manager -**Applies to** +*Applies to:* -- Windows 10 +- Windows 10 In this article, you'll learn how to deploy Windows 10 using Microsoft Configuration Manager deployment packages and task sequences. This article will walk you through the process of deploying the Windows 10 Enterprise image to a Unified Extensible Firmware Interface (UEFI) computer named PC0001. An existing Configuration Manager infrastructure that is integrated with MDT is used for the procedures in this article. This article assumes that you've completed the following prerequisite procedures: + - [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) - [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md) - [Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md) @@ -30,37 +31,49 @@ This article assumes that you've completed the following prerequisite procedures - [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md) For the purposes of this guide, we'll use a minimum of two server computers (DC01 and CM01) and one client computer (PC0001). + - DC01 is a domain controller and DNS server for the contoso.com domain. DHCP services are also available and optionally installed on DC01 or another server. Note: DHCP services are required for the client (PC0001) to connect to the Windows Deployment Service (WDS). + - CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. - - CM01 is also running WDS that will be required to start PC0001 via PXE. **Note**: Ensure that only CM01 is running WDS. + + - CM01 is also running WDS that will be required to start PC0001 via PXE. + + > [!NOTE] + > Ensure that only CM01 is running WDS. + - PC0001 is a client computer that is blank, or has an operating system that will be erased and replaced with Windows 10. The device must be configured to boot from the network. ->[!NOTE] ->If desired, PC0001 can be a VM hosted on the server HV01, which is a Hyper-V host computer that we used previously to build a Windows 10 reference image. However, if PC0001 is a VM then you must ensure it has sufficient resources available to run the Configuration Manager OSD task sequence. 2GB of RAM or more is recommended. +> [!NOTE] +> If desired, PC0001 can be a VM hosted on the server HV01, which is a Hyper-V host computer that we used previously to build a Windows 10 reference image. However, if PC0001 is a VM then you must ensure it has sufficient resources available to run the Configuration Manager OSD task sequence. 2GB of RAM or more is recommended. -All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. +All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. All server and client computers referenced in this guide are on the same subnet. This connection isn't required. But each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the `contoso.com` domain. Internet connectivity is also required to download OS and application updates. ->[!NOTE] ->No WDS console configuration is required for PXE to work. Everything is done with the Configuration Manager console. +> [!NOTE] +> No WDS console configuration is required for PXE to work. Everything is done with the Configuration Manager console. ## Procedures 1. Start the PC0001 computer. At the Pre-Boot Execution Environment (PXE) boot menu, press **Enter** to allow it to PXE boot. -2. On the **Welcome to the Task Sequence Wizard** page, type in the password **pass\@word1** and select **Next**. + +2. On the **Welcome to the Task Sequence Wizard** page, enter in the password **pass\@word1** and select **Next**. + 3. On the **Select a task sequence to run** page, select **Windows 10 Enterprise x64 RTM** and select **Next**. -4. On the **Edit Task Sequence Variables** page, double-click the **OSDComputerName** variable, and in the **Value** field, type **PC0001** and select **OK**. Then select **Next**. -5. The operating system deployment will take several minutes to complete. + +4. On the **Edit Task Sequence Variables** page, double-click the **OSDComputerName** variable, and in the **Value** field, enter **PC0001** and select **OK**. Then select **Next**. + +5. The operating system deployment will take several minutes to complete. + 6. You can monitor the deployment on CM01 using the MDT Deployment Workbench. When you see the PC0001 entry, double-click **PC0001**, and then select **DaRT Remote Control** and review the **Remote Control** option. The task sequence will run and do the following steps: - * Install the Windows 10 operating system. - * Install the Configuration Manager client and the client hotfix. - * Join the computer to the domain. - * Install the application added to the task sequence. - - >[!NOTE] - >You also can use the built-in reports to get information about ongoing deployments. For example, a task sequence report gives you a quick overview of the task sequence progress. + - Install the Windows 10 operating system. + - Install the Configuration Manager client and the client hotfix. + - Join the computer to the domain. + - Install the application added to the task sequence. + + > [!NOTE] + > You also can use the built-in reports to get information about ongoing deployments. For example, a task sequence report gives you a quick overview of the task sequence progress. ![MDT monitoring.](../images/pc0001-monitor.png) diff --git a/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md index 5bec64ed7d..581ec6010d 100644 --- a/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md @@ -15,31 +15,32 @@ ms.date: 10/27/2022 # Finalize the operating system configuration for Windows 10 deployment with Configuration Manager -**Applies to** +*Applies to:* -- Windows 10 +- Windows 10 This article walks you through the steps to finalize the configuration of your Windows 10 operating deployment, which includes enabling optional MDT monitoring for Configuration Manager, logs folder settings, rules configuration, content distribution, and deployment of the previously created task sequence. For the purposes of this guide, we'll use one server computer: CM01. + - CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). ## Enable MDT monitoring -This section will walk you through the process of creating the D:\\MDTProduction deployment share using the MDT Deployment Workbench to enable monitoring for Configuration Manager. +This section will walk you through the process of creating the **`D:\MDTProduction`** deployment share using the MDT Deployment Workbench to enable monitoring for Configuration Manager. On **CM01**: -1. Open the Deployment Workbench, right-click **Deployment Shares** and select **New Deployment Share**. Use the following settings for the New Deployment Share Wizard: +1. Open the Deployment Workbench, right-click **Deployment Shares** and select **New Deployment Share**. Use the following settings for the New Deployment Share Wizard: - * Deployment share path: D:\\MDTProduction - * Share name: MDTProduction$ - * Deployment share description: MDT Production - * Options: <default settings> + - Deployment share path: D:\\MDTProduction + - Share name: MDTProduction$ + - Deployment share description: MDT Production + - Options: *\* -2. Right-click the **MDT Production** deployment share, and select **Properties**. On the **Monitoring** tab, select the **Enable monitoring for this deployment share** check box, and select **OK**. +2. Right-click the **MDT Production** deployment share, and select **Properties**. On the **Monitoring** tab, select the **Enable monitoring for this deployment share** check box, and select **OK**. ![Enable MDT monitoring for Configuration Manager.](../images/mdt-06-fig31.png) @@ -51,16 +52,17 @@ The D:\Logs folder was [created previously](prepare-for-zero-touch-installation- On **CM01**: -1. To configure NTFS permissions using icacls.exe, type the following command at an elevated Windows PowerShell prompt: +1. To configure NTFS permissions using `icacls.exe`, enter the following command at an elevated Windows PowerShell prompt: - ``` - icacls D:\Logs /grant '"CM_NAA":(OI)(CI)(M)' + ```cmd + icacls.exe D:\Logs /grant '"CM_NAA":(OI)(CI)(M)' ``` -2. Using File Explorer, navigate to the **D:\\Sources\\OSD\\Settings\\Windows 10 x64 Settings** folder. -3. To enable server-side logging, edit the CustomSetting.ini file with Notepad.exe and enter the following settings: +2. Using File Explorer, navigate to the **`D:\Sources\OSD\Settings\Windows 10 x64 Settings`** folder. - ``` +3. To enable server-side logging, edit the `CustomSetting.ini` file with `Notepad.exe` and enter the following settings: + + ```ini [Settings] Priority=Default Properties=OSDMigrateConfigFiles,OSDMigrateMode @@ -79,12 +81,12 @@ On **CM01**: ![Settings package during deployment.](../images/fig30-settingspack.png) - The Settings package, holding the rules and the Unattend.xml template used during deployment + The Settings package, holding the rules and the `Unattend.xml` template used during deployment -3. In the Configuration Manager console, update the distribution point for the **Windows 10 x64 Settings** package by right-clicking the **Windows 10 x64 Settings** package and selecting **Update Distribution Points**. Select **OK** in the popup dialog box. +4. In the Configuration Manager console, update the distribution point for the **Windows 10 x64 Settings** package by right-clicking the **Windows 10 x64 Settings** package and selecting **Update Distribution Points**. Select **OK** in the popup dialog box. - >[!NOTE] - >Although you haven't yet added a distribution point, you still need to select Update Distribution Points. This process also updates the Configuration Manager content library with changes. + > [!NOTE] + > Although you haven't yet added a distribution point, you still need to select Update Distribution Points. This process also updates the Configuration Manager content library with changes. ## Distribute content to the CM01 distribution portal @@ -92,9 +94,11 @@ In Configuration Manager, you can distribute all packages needed by a task seque On **CM01**: -1. Using the Configuration Manager console, in the Software Library workspace, expand **Operating Systems** and select **Task Sequences**. Right-click the **Windows 10 Enterprise x64 RTM** task sequence, and select **Distribute Content**. -2. In the Distribute Content Wizard, select **Next** twice then on the **Specify the content destination** page add the Distribution Point: **CM01.CONTOSO.COM**, and then complete the wizard. -3. Using the CMTrace tool, verify the distribution to the CM01 distribution point by reviewing the distmgr.log file, or use the Distribution Status / Content Status option in the Monitoring workspace. Don't continue until you see all the new packages being distributed successfully. +1. Using the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems** and select **Task Sequences**. Right-click the **Windows 10 Enterprise x64 RTM** task sequence, and select **Distribute Content**. + +2. In the Distribute Content Wizard, select **Next** twice then on the **Specify the content destination** page add the Distribution Point: **CM01.CONTOSO.COM**, and then complete the wizard. + +3. Using the CMTrace tool, verify the distribution to the CM01 distribution point by reviewing the `distmgr.log` file, or use the Distribution Status / Content Status option in the Monitoring workspace. Don't continue until you see all the new packages being distributed successfully. ![Content status.](../images/cm01-content-status1.png) @@ -106,20 +110,25 @@ This section provides steps to help you create a deployment for the task sequenc On **CM01**: -1. Using the Configuration Manager console, in the Software Library workspace, expand **Operating Systems** and select **Task Sequences**, right-click **Windows 10 Enterprise x64 RTM** and then select **Deploy**. +1. Using the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems** and select **Task Sequences**, right-click **Windows 10 Enterprise x64 RTM** and then select **Deploy**. + 2. In the Deploy Software Wizard, on the **General** page, select the **All Unknown Computers** collection and select **Next**. + 3. On the **Deployment Settings** page, use the below settings and then select **Next**: - * Purpose: Available - * Make available to the following: Only media and PXE + - Purpose: Available + - Make available to the following: Only media and PXE ![Configure the deployment settings.](../images/mdt-06-fig33.png) - + Configure the deployment settings 4. On the **Scheduling** page, accept the default settings and select **Next**. + 5. On the **User Experience** page, accept the default settings and select **Next**. + 6. On the **Alerts** page, accept the default settings and select **Next**. + 7. On the **Distribution Points** page, accept the default settings, select **Next** twice, and then select **Close**. ![Task sequence deployed.](../images/fig32-deploywiz.png) @@ -134,20 +143,20 @@ This section provides steps to help you configure the All Unknown Computers coll On **CM01**: -1. Using the Configuration Manager console, in the Asset and Compliance workspace, select **Device Collections**, right-click **All Unknown Computers**, and select **Properties**. +1. Using the Configuration Manager console, in the **Asset and Compliance** workspace, select **Device Collections**, right-click **All Unknown Computers**, and select **Properties**. 2. On the **Collection Variables** tab, create a new variable with the following settings: - * Name: OSDComputerName - * Clear the **Do not display this value in the Configuration Manager console** check box. + - Name: OSDComputerName + - Clear the **Do not display this value in the Configuration Manager console** check box. 3. Select **OK**. - >[!NOTE] - >Configuration Manager can prompt for information in many ways. Using a collection variable with an empty value is just one of them. Another option is the User-Driven Installation (UDI) wizard. - + > [!NOTE] + > Configuration Manager can prompt for information in many ways. Using a collection variable with an empty value is just one of them. Another option is the User-Driven Installation (UDI) wizard. + ![Configure a collection variable.](../images/mdt-06-fig35.png) - + Configure a collection variable Next, see [Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md). diff --git a/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md index ce164ba563..2fa98b5ab7 100644 --- a/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md @@ -14,7 +14,7 @@ ms.date: 10/27/2022 # Prepare for Zero Touch Installation of Windows 10 with Configuration Manager -**Applies to** +*Applies to:* - Windows 10 @@ -28,18 +28,30 @@ In this article, you'll use [components](#components-of-configuration-manager-op > [!NOTE] > Procedures in this guide use Configuration Manager version 1910. For more information about the versions of Windows 10 supported by Configuration Manager, see [Support for Windows 10](/mem/configmgr/core/plan-design/configs/support-for-windows-10). + - The [Active Directory Schema has been extended](/mem/configmgr/core/plan-design/network/extend-the-active-directory-schema) and System Management container created. + - Active Directory Forest Discovery and Active Directory System Discovery are [enabled](/mem/configmgr/core/servers/deploy/configure/configure-discovery-methods). + - IP range [boundaries and a boundary group](/mem/configmgr/core/servers/deploy/configure/define-site-boundaries-and-boundary-groups) for content and site assignment have been created. + - The Configuration Manager [reporting services](/mem/configmgr/core/servers/manage/configuring-reporting) point role has been added and configured. + - A file system folder structure and Configuration Manager console folder structure for packages has been created. Steps to verify or create this folder structure are [provided below](#review-the-sources-folder-structure). -- The [Windows ADK](/windows-hardware/get-started/adk-install) (including USMT) version 1903, Windows PE add-on, WSIM 1903 update, [MDT](https://www.microsoft.com/download/details.aspx?id=54259) version 8456, and DaRT 10 (part of [MDOP 2015](https://my.visualstudio.com/Downloads?q=Desktop%20Optimization%20Pack%202015)) are installed. + +- The [Windows ADK](/windows-hardware/get-started/adk-install) version that is [supported for the version of Configuration Manager](/mem/configmgr/core/plan-design/configs/support-for-windows-adk) that is installed, including the Windows PE add-on. USMT should be installed as part of the Windows ADK install. + +- [MDT](https://www.microsoft.com/download/details.aspx?id=54259) version 8456 + +- DaRT 10 (part of [MDOP 2015](https://my.visualstudio.com/Downloads?q=Desktop%20Optimization%20Pack%202015)) are installed. + - The [CMTrace tool](/configmgr/core/support/cmtrace) (cmtrace.exe) is installed on the distribution point. > [!NOTE] - > CMTrace is automatically installed with the current branch of Configuration Manager at **Program Files\Microsoft Configuration Manager\tools\cmtrace.exe**. + > CMTrace is automatically installed with the current branch of Configuration Manager at **`Program Files\Microsoft Configuration Manager\tools\cmtrace.exe`**. + +For the purposes of this guide, we'll use three server computers: DC01, CM01 and HV01. -For the purposes of this guide, we'll use three server computers: DC01, CM01 and HV01. - DC01 is a domain controller and DNS server for the contoso.com domain. DHCP services are also available and optionally installed on DC01 or another server. - CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. - HV01 is a Hyper-V host computer that is used to build a Windows 10 reference image. This computer doesn't need to be a domain member. @@ -54,12 +66,12 @@ The following generic credentials are used in this guide. You should replace the - **Active Directory domain name**: `contoso.com` - **Domain administrator username**: `administrator` --**Domain administrator password**: `pass@word1` +- **Domain administrator password**: `pass@word1` ## Create the OU structure ->[!NOTE] ->If you've already [created the OU structure](../deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md#create-the-ou-structure) that was used in the OSD guide for MDT, the same structure is used here and you can skip this section. +> [!NOTE] +> If you've already [created the OU structure](../deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md#create-the-ou-structure) that was used in the OSD guide for MDT, the same structure is used here and you can skip this section. On **DC01**: @@ -107,25 +119,27 @@ A role-based model is used to configure permissions for the service accounts nee On **DC01**: -1. In the Active Directory Users and Computers console, browse to **contoso.com / Contoso / Service Accounts**. -2. Select the Service Accounts OU and create the CM\_JD account using the following settings: +1. In the Active Directory Users and Computers console, browse to **contoso.com** > **Contoso** > **Service Accounts**. - * Name: CM\_JD - * User sign-in name: CM\_JD - * Password: `pass@word1` - * User must change password at next logon: Clear - * User can't change password: Selected - * Password never expires: Selected +2. Select the Service Accounts OU and create the CM\_JD account using the following settings: -3. Repeat the step, but for the CM\_NAA account. -4. After creating the accounts, assign the following descriptions: + - Name: CM\_JD + - User sign-in name: CM\_JD + - Password: `pass@word1` + - User must change password at next logon: Clear + - User can't change password: Selected + - Password never expires: Selected - * CM\_JD: Configuration Manager Join Domain Account - * CM\_NAA: Configuration Manager Network Access Account +3. Repeat the step, but for the CM\_NAA account. + +4. After creating the accounts, assign the following descriptions: + + - CM\_JD: Configuration Manager Join Domain Account + - CM\_NAA: Configuration Manager Network Access Account ## Configure Active Directory permissions -In order for the Configuration Manager Join Domain Account (CM\_JD) to join machines into the contoso.com domain, you need to configure permissions in Active Directory. These steps assume you've downloaded the sample [Set-OUPermissions.ps1 script](https://go.microsoft.com/fwlink/p/?LinkId=619362) and copied it to C:\\Setup\\Scripts on DC01. +In order for the Configuration Manager Join Domain Account (CM\_JD) to join machines into the contoso.com domain, you need to configure permissions in Active Directory. These steps assume you've downloaded the sample [Set-OUPermissions.ps1 script](https://go.microsoft.com/fwlink/p/?LinkId=619362) and copied it to `C:\Setup\Scripts` on DC01. On **DC01**: @@ -139,18 +153,18 @@ On **DC01**: 2. The Set-OUPermissions.ps1 script allows the CM\_JD user account permissions to manage computer accounts in the Contoso / Computers / Workstations OU. The following list is that of permissions being granted: - * Scope: This object and all descendant objects - * Create Computer objects - * Delete Computer objects - * Scope: Descendant Computer objects - * Read All Properties - * Write All Properties - * Read Permissions - * Modify Permissions - * Change Password - * Reset Password - * Validated write to DNS host name - * Validated write to service principal name + - Scope: This object and all descendant objects + - Create Computer objects + - Delete Computer objects + - Scope: Descendant Computer objects + - Read All Properties + - Write All Properties + - Read Permissions + - Modify Permissions + - Change Password + - Reset Password + - Validated write to DNS host name + - Validated write to service principal name ## Review the Sources folder structure @@ -158,9 +172,6 @@ On **CM01**: To support the packages you create in this article, the following folder structure should be created on the Configuration Manager primary site server (CM01): ->[!NOTE] ->In most production environments, the packages are stored on a Distributed File System (DFS) share or a "normal" server share, but in a lab environment you can store them on the site server. - - D:\\Sources - D:\\Sources\\OSD - D:\\Sources\\OSD\\Boot @@ -173,11 +184,13 @@ To support the packages you create in this article, the following folder structu - D:\\Sources\\Software - D:\\Sources\\Software\\Adobe - D:\\Sources\\Software\\Microsoft +- D:\\Logs + +> [!NOTE] +> In most production environments, the packages are stored on a Distributed File System (DFS) share or a "normal" server share, but in a lab environment you can store them on the site server. You can run the following commands from an elevated Windows PowerShell prompt to create this folder structure: ->We'll also create the D:\Logs folder here which will be used later to support server-side logging. - ```powershell New-Item -ItemType Directory -Path "D:\Sources" New-Item -ItemType Directory -Path "D:\Sources\OSD" @@ -203,11 +216,13 @@ To extend the Configuration Manager console with MDT wizards and templates, inst On **CM01**: 1. Sign in as contoso\administrator. -2. Ensure the Configuration Manager Console is closed before continuing. -5. Select Start, type **Configure ConfigManager Integration**, and run the application the following settings: - * Site Server Name: CM01.contoso.com - * Site code: PS1 +2. Ensure the Configuration Manager Console is closed before continuing. + +3. Select Start, type **Configure ConfigManager Integration**, and run the application with the following settings: + + - Site Server Name: CM01.contoso.com + - Site code: PS1 ![figure 8.](../images/mdt-06-fig08.png) @@ -219,9 +234,11 @@ Most organizations want to display their name during deployment. In this section On **CM01**: -1. Open the Configuration Manager Console, select the Administration workspace, then select **Client Settings**. -2. In the right pane, right-click **Default Client Settings** and then select **Properties**. -3. In the **Computer Agent** node, in the **Organization name displayed in Software Center** text box, type in **Contoso** and select **OK**. +1. Open the Configuration Manager Console, select the **Administration** workspace, then select **Client Settings**. + +2. In the right pane, right-click **Default Client Settings** and then select **Properties**. + +3. In the **Computer Agent** node, in the **Organization name displayed in Software Center** text box, enter in **Contoso** and select **OK**. ![figure 9.](../images/mdt-06-fig10.png) @@ -237,9 +254,11 @@ Configuration Manager uses the Network Access account during the Windows 10 depl On **CM01**: -1. Using the Configuration Manager Console, in the Administration workspace, expand **Site Configuration** and select **Sites**. -2. Right-click **PS1 - Primary Site 1**, point to **Configure Site Components**, and then select **Software Distribution**. -3. On the **Network Access Account** tab, select **Specify the account that accesses network locations** and add the *New Account* **CONTOSO\\CM\_NAA** as the Network Access account (password: pass@word1). Use the new **Verify** option to verify that the account can connect to the **\\\\DC01\\sysvol** network share. +1. Using the Configuration Manager Console, in the **Administration** workspace, expand **Site Configuration** and select **Sites**. + +2. Right-click **PS1 - Primary Site 1**, point to **Configure Site Components**, and then select **Software Distribution**. + +3. On the **Network Access Account** tab, select **Specify the account that accesses network locations** and add the account **CONTOSO\\CM\_NAA** as the Network Access account (password: **pass@word1**). Use the new **Verify** option to verify that the account can connect to the **`\\DC01\sysvol`** network share. ![figure 11.](../images/mdt-06-fig12.png) @@ -251,36 +270,39 @@ Configuration Manager has many options for starting a deployment, but starting v On **CM01**: -1. In the Configuration Manager Console, in the Administration workspace, select **Distribution Points**. -2. Right-click the **\\\\CM01.CONTOSO.COM distribution point** and select **Properties**. -3. On the **PXE** tab, use the following settings: +1. In the Configuration Manager Console, in the **Administration** workspace, select **Distribution Points**. - * Enable PXE support for clients - * Allow this distribution point to respond to incoming PXE requests - * Enable unknown computer - * Require a password when computers use PXE - * Password and Confirm password: pass@word1 +2. Right-click the **\\\\CM01.CONTOSO.COM distribution point** and select **Properties**. + +3. On the **PXE** tab, use the following settings: + + - Enable PXE support for clients + - Allow this distribution point to respond to incoming PXE requests + - Enable unknown computer + - Require a password when computers use PXE + - Password and Confirm password: pass@word1 ![figure 12.](../images/mdt-06-fig13.png) Configure the CM01 distribution point for PXE. - >[!NOTE] - >If you select **Enable a PXE responder without Windows Deployment Service**, then WDS won't be installed, or if it's already installed it will be suspended, and the **ConfigMgr PXE Responder Service** (SccmPxe) will be used instead of WDS. The ConfigMgr PXE Responder doesn't support multicast. For more information, see [Install and configure distribution points](/configmgr/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_config-pxe). + > [!NOTE] + > If you select **Enable a PXE responder without Windows Deployment Service**, then WDS won't be installed, or if it's already installed it will be suspended, and the **ConfigMgr PXE Responder Service** (**SccmPxe**) will be used instead of WDS. The ConfigMgr PXE Responder doesn't support multicast. For more information, see [Install and configure distribution points](/configmgr/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_config-pxe). -4. Using the CMTrace tool, review the C:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file. Look for ConfigurePXE and CcmInstallPXE lines. +4. Using the CMTrace tool, review the **`C:\Program Files\Microsoft Configuration Manager\Logs\distmgr.log`** file. Look for the **ConfigurePXE** and **CcmInstallPXE** lines. ![figure 13.](../images/mdt-06-fig14.png) - The distmgr.log displays a successful configuration of PXE on the distribution point. + The `distmgr.log` displays a successful configuration of PXE on the distribution point. -5. Verify that you've seven files in each of the folders **D:\\RemoteInstall\\SMSBoot\\x86** and **D:\\RemoteInstall\\SMSBoot\\x64**. +5. Verify that you've seven files in each of the folders **`D:\RemoteInstall\SMSBoot\x86`** and **`D:\RemoteInstall\SMSBoot\x64`**. ![figure 14.](../images/mdt-06-fig15.png) The contents of the D:\\RemoteInstall\\SMSBoot\\x64 folder after you enable PXE. - **Note**: These files are used by WDS. They aren't used by the ConfigMgr PXE Responder. This article doesn't use the ConfigMgr PXE Responder. + > [!NOTE] + > These files are used by WDS. They aren't used by the ConfigMgr PXE Responder. This article doesn't use the ConfigMgr PXE Responder. Next, see [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md). @@ -288,15 +310,24 @@ Next, see [Create a custom Windows PE boot image with Configuration Manager](cre Operating system deployment with Configuration Manager is part of the normal software distribution infrastructure, but there are more components. For example, operating system deployment in Configuration Manager may use the State Migration Point role, which isn't used by normal application deployment in Configuration Manager. This section describes the Configuration Manager components involved with the deployment of an operating system, such as Windows 10. -- **State migration point (SMP).** The state migration point is used to store user state migration data during computer replace scenarios. -- **Distribution point (DP).** The distribution point is used to store all packages in Configuration Manager, including the operating system deployment-related packages. -- **Software update point (SUP).** The software update point, which is normally used to deploy updates to existing machines, also can be used to update an operating system as part of the deployment process. You also can use offline servicing to update the image directly on the Configuration Manager server. -- **Reporting services point.** The reporting services point can be used to monitor the operating system deployment process. -- **Boot images.** Boot images are the Windows Preinstallation Environment (Windows PE) images Configuration Manager uses to start the deployment. -- **Operating system images.** The operating system image package contains only one file, the custom .wim image. This image is typically the production deployment image. -- **Operating system installers.** The operating system installers were originally added to create reference images using Configuration Manager. Instead, we recommend that you use MDT Lite Touch to create your reference images. For more information on how to create a reference image, see [Create a Windows 10 reference image](../deploy-windows-mdt/create-a-windows-10-reference-image.md). -- **Drivers.** Like MDT Lite Touch, Configuration Manager also provides a repository (catalog) of managed device drivers. -- **Task sequences.** The task sequences in Configuration Manager look and feel much like the sequences in MDT Lite Touch, and they're used for the same purpose. However, in Configuration Manager, the task sequence is delivered to the clients as a policy via the Management Point (MP). MDT provides more task sequence templates to Configuration Manager. +- **State migration point (SMP).** The state migration point is used to store user state migration data during computer replace scenarios. + +- **Distribution point (DP).** The distribution point is used to store all packages in Configuration Manager, including the operating system deployment-related packages. + +- **Software update point (SUP).** The software update point, which is normally used to deploy updates to existing machines, also can be used to update an operating system as part of the deployment process. You also can use offline servicing to update the image directly on the Configuration Manager server. + +- **Reporting services point.** The reporting services point can be used to monitor the operating system deployment process. + +- **Boot images.** Boot images are the Windows Preinstallation Environment (Windows PE) images Configuration Manager uses to start the deployment. + +- **Operating system images.** The operating system image package contains only one file, the custom .wim image. This image is typically the production deployment image. + +- **Operating system installers.** The operating system installers were originally added to create reference images using Configuration Manager. Instead, we recommend that you use MDT Lite Touch to create your reference images. For more information on how to create a reference image, see [Create a Windows 10 reference image](../deploy-windows-mdt/create-a-windows-10-reference-image.md). + +- **Drivers.** Like MDT Lite Touch, Configuration Manager also provides a repository (catalog) of managed device drivers. + +- **Task sequences.** The task sequences in Configuration Manager look and feel much like the sequences in MDT Lite Touch, and they're used for the same purpose. However, in Configuration Manager, the task sequence is delivered to the clients as a policy via the Management Point (MP). MDT provides more task sequence templates to Configuration Manager. + > [!NOTE] > The Windows Assessment and Deployment Kit (ADK) for Windows 10 is also required to support management and deployment of Windows 10. @@ -304,28 +335,31 @@ Operating system deployment with Configuration Manager is part of the normal sof As noted above, MDT adds many enhancements to Configuration Manager. While these enhancements are called Zero Touch, that name doesn't reflect how deployment is conducted. The following sections provide a few samples of the 280 enhancements that MDT adds to Configuration Manager. ->[!NOTE] ->MDT installation requires the following: ->- The Windows ADK for Windows 10 (installed in the previous procedure) ->- Windows PowerShell ([version 5.1](https://www.microsoft.com/download/details.aspx?id=54616) is recommended; type **$host** to check) ->- Microsoft .NET Framework +> [!NOTE] +> MDT installation requires the following: +> +> - The Windows ADK for Windows 10 (installed in the previous procedure) +> - Windows PowerShell ([version 5.1](https://www.microsoft.com/download/details.aspx?id=54616) is recommended; type **$host** to check) +> - Microsoft .NET Framework ### MDT enables dynamic deployment -When MDT is integrated with Configuration Manager, the task sequence takes more instructions from the MDT rules. In its most simple form, these settings are stored in a text file, the CustomSettings.ini file, but you can store the settings in Microsoft SQL Server databases, or have Microsoft Visual Basic Scripting Edition (VBScripts) or web services provide the settings used. +When MDT is integrated with Configuration Manager, the task sequence processes more instructions from the MDT rules. In its most simple form, these settings are stored in a text file, the `CustomSettings.ini` file, but you can store the settings in Microsoft SQL Server databases, or have Microsoft Visual Basic Scripting Edition (VBScripts) or web services provide the settings used. The task sequence uses instructions that allow you to reduce the number of task sequences in Configuration Manager and instead store settings outside the task sequence. Here are a few examples: -- The following settings instruct the task sequence to install the HP Hotkeys package, but only if the hardware is an HP EliteBook 8570w. You don't have to add the package to the task sequence. - ``` syntax +- The following settings instruct the task sequence to install the HP Hotkeys package, but only if the hardware is an HP EliteBook 8570w. You don't have to add the package to the task sequence. + + ```ini [Settings] Priority=Model [HP EliteBook 8570w] Packages001=PS100010:Install HP Hotkeys ``` -- The following settings instruct the task sequence to put laptops and desktops in different organizational units (OUs) during deployment, assign different computer names, and finally have the task sequence install the Cisco VPN client, but only if the machine is a laptop. - ``` syntax +- The following settings instruct the task sequence to put laptops and desktops in different organizational units (OUs) during deployment, assign different computer names, and finally have the task sequence install the Cisco VPN client, but only if the machine is a laptop. + + ```ini [Settings] Priority= ByLaptopType, ByDesktopType [ByLaptopType] @@ -373,13 +407,17 @@ MDT Zero Touch simply extends Configuration Manager with many useful built-in op ### Why use MDT Lite Touch to create reference images -You can create reference images for Configuration Manager in Configuration Manager, but in general we recommend creating them in MDT Lite Touch for the following reasons: +You can create reference images for Configuration Manager in Configuration Manager, but in general it is recommended to create them in MDT Lite Touch for the following reasons: -- You can use the same image for every type of operating system deployment - Microsoft Virtual Desktop Infrastructure (VDI), Microsoft System Center Virtual Machine Manager (VMM), MDT, Configuration Manager, Windows Deployment Services (WDS), and more. -- Configuration Manager performs deployment in the LocalSystem context, which means that you can't configure the Administrator account with all of the settings that you would like to be included in the image. MDT runs in the context of the Local Administrator, which means you can configure the look and feel of the configuration and then use the CopyProfile functionality to copy these changes to the default user during deployment. -- The Configuration Manager task sequence doesn't suppress user interface interaction. -- MDT Lite Touch supports a Suspend action that allows for reboots, which is useful when you need to perform a manual installation or check the reference image before it's automatically captured. -- MDT Lite Touch doesn't require any infrastructure and is easy to delegate. +- You can use the same image for every type of operating system deployment - Microsoft Virtual Desktop Infrastructure (VDI), Microsoft System Center Virtual Machine Manager (VMM), MDT, Configuration Manager, Windows Deployment Services (WDS), and more. + +- Configuration Manager performs deployment in the LocalSystem context, which means that you can't configure the Administrator account with all of the settings that you would like to be included in the image. MDT runs in the context of the Local Administrator, which means you can configure the look and feel of the configuration and then use the CopyProfile functionality to copy these changes to the default user during deployment. + +- The Configuration Manager task sequence suppresses user interface interaction. + +- MDT Lite Touch supports a Suspend action that allows for reboots, which is useful when you need to perform a manual installation or check the reference image before it's automatically captured. + +- MDT Lite Touch doesn't require any infrastructure and is easy to delegate. ## Related articles diff --git a/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md index 473643d7e9..d87aff2989 100644 --- a/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md @@ -15,7 +15,7 @@ ms.date: 10/27/2022 # Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager -**Applies to** +*Applies to:* - Windows 10 @@ -23,29 +23,31 @@ This article will show you how to refresh a Windows 7 SP1 client with Windows 10 A computer refresh with Configuration Manager works the same as it does with MDT Lite Touch installation. Configuration Manager also uses the User State Migration Tool (USMT) from the Windows Assessment and Deployment Kit (Windows ADK) 10 in the background. A computer refresh with Configuration Manager has the following steps: -1. Data and settings are backed up locally in a backup folder. -2. The partition is wiped, except for the backup folder. -3. The new operating system image is applied. -4. Other applications are installed. -5. Data and settings are restored. +1. Data and settings are backed up locally in a backup folder. +2. The partition is wiped, except for the backup folder. +3. The new operating system image is applied. +4. Other applications are installed. +5. Data and settings are restored. ## Infrastructure -An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). +An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). For the purposes of this article, we'll use one server computer (CM01) and one client computer (PC0003). + - CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. + - PC0003 is a domain member client computer running Windows 7 SP1, or a later version of Windows, with the Configuration Manager client installed, that will be refreshed to Windows 10. ->[!NOTE] ->If desired, PC0003 can be a VM hosted on the server HV01, which is a Hyper-V host computer that we used previously to build a Windows 10 reference image. However, if PC0003 is a VM then you must ensure it has sufficient resources available to run the Configuration Manager OSD task sequence. 2GB of RAM or more is recommended. +> [!NOTE] +> If desired, PC0003 can be a VM hosted on the server HV01, which is a Hyper-V host computer that we used previously to build a Windows 10 reference image. However, if PC0003 is a VM then you must ensure it has sufficient resources available to run the Configuration Manager OSD task sequence. 2GB of RAM or more is recommended. -All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. +All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. All server and client computers referenced in this guide are on the same subnet. This interrelation isn't required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates. ->[!IMPORTANT] ->This article assumes that you have [configured Active Directory permissions](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md#configure-active-directory-permissions) in the specified OU for the **CM_JD** account, and the client's Active Directory computer account is in the **Contoso > Computers > Workstations** OU. Use the Active Directory Users and Computers console to review the location of computer objects and move them if needed. +> [!IMPORTANT] +> This article assumes that you have [configured Active Directory permissions](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md#configure-active-directory-permissions) in the specified OU for the **CM_JD** account, and the client's Active Directory computer account is in the **Contoso** > **Computers** > **Workstations** OU. Use the Active Directory Users and Computers console to review the location of computer objects and move them if needed. ## Verify the Configuration Manager client settings @@ -53,8 +55,10 @@ To verify that PC003 is correctly assigned to the PS1 site: On **PC0003**: -1. Open the Configuration Manager control panel (control smscfgrc). +1. Open the Configuration Manager control panel (`control.exe smscfgrc`). + 2. On the **Site** tab, select **Configure Settings**, then select **Find Site**. + 3. Verify that Configuration Manager has successfully found a site to manage this client is displayed. See the following example. ![Found a site to manage this client.](../images/pc0003a.png) @@ -63,49 +67,49 @@ On **PC0003**: On **CM01**: -1. Using the Configuration Manager console, in the Asset and Compliance workspace, expand **Overview**, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings: +1. Using the Configuration Manager console, in the **Asset and Compliance** workspace, expand **Overview**, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings: - * General - * Name: Install Windows 10 Enterprise x64 - * Limited Collection: All Systems - * Membership rules - * Add Rule: Direct rule - * Resource Class: System Resource - * Attribute Name: Name - * Value: PC0003 - * Select Resources - * Select **PC0003** + - General + - Name: Install Windows 10 Enterprise x64 + - Limited Collection: All Systems + - Membership rules + - Add Rule: Direct rule + - Resource Class: System Resource + - Attribute Name: Name + - Value: PC0003 + - Select Resources + - Select **PC0003** - Use the default settings to complete the remaining wizard pages and select **Close**. + Use the default settings to complete the remaining wizard pages and select **Close**. -2. Review the Install Windows 10 Enterprise x64 collection. Don't continue until you see the PC0003 machine in the collection. +2. Review the Install Windows 10 Enterprise x64 collection. Don't continue until you see the PC0003 machine in the collection. - >[!NOTE] - >It may take a short while for the collection to refresh; you can view progress via the Colleval.log file. If you want to speed up the process, you can manually update membership on the Install Windows 10 Enterprise x64 collection by right-clicking the collection and selecting Update Membership. + > [!NOTE] + > It may take a short while for the collection to refresh; you can view progress via the `Colleval.log` file. If you want to speed up the process, you can manually update membership on the Install Windows 10 Enterprise x64 collection by right-clicking the collection and selecting Update Membership. ## Create a new deployment On **CM01**: -Using the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Windows 10 Enterprise x64 RTM**, and then select **Deploy**. Use the below settings: +Using the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Windows 10 Enterprise x64 RTM**, and then select **Deploy**. Use the below settings: - General - - Collection: Install Windows 10 Enterprise x64 + - Collection: Install Windows 10 Enterprise x64 - Deployment Settings - - Purpose: Available - - Make available to the following: Configuration Manager clients, media and PXE + - Purpose: Available + - Make available to the following: Configuration Manager clients, media and PXE - >[!NOTE] - >It's not necessary to make the deployment available to media and Pre-Boot Execution Environment (PXE) for a computer refresh, but you will use the same deployment for bare-metal deployments later on and you will need it at that point. + > [!NOTE] + > It's not necessary to make the deployment available to media and Pre-Boot Execution Environment (PXE) for a computer refresh, but you will use the same deployment for bare-metal deployments later on and you will need it at that point. - Scheduling - - <default> + - *\* - User Experience - - <default> + - *\* - Alerts - - <default> + - *\* - Distribution Points - - <default> + - *\* ## Initiate a computer refresh @@ -113,12 +117,14 @@ Now you can start the computer refresh on PC0003. On **CM01**: -1. Using the Configuration Manager console, in the Assets and Compliance workspace, select the **Install Windows 10 Enterprise x64** collection, right-click **PC0003**, point to **Client Notification**, select **Download Computer Policy**, and then select **OK** in the popup dialog box that appears. +1. Using the Configuration Manager console, in the **Assets and Compliance** workspace, select the **Install Windows 10 Enterprise x64** collection, right-click **PC0003**, point to **Client Notification**, select **Download Computer Policy**, and then select **OK** in the popup dialog box that appears. On **PC0003**: -1. Open the Software Center (select Start and type **Software Center**, or select the **New software is available** balloon in the system tray), select **Operating Systems** and select the **Windows 10 Enterprise x64 RTM** deployment, then select **Install**. -2. In the **Software Center** warning dialog box, select **Install Operating System**. +1. Open the Software Center (select Start and type **Software Center**, or select the **New software is available** balloon in the system tray), select **Operating Systems** and select the **Windows 10 Enterprise x64 RTM** deployment, then select **Install**. + +2. In the **Software Center** warning dialog box, select **Install Operating System**. + 3. The client computer will run the Configuration Manager task sequence, boot into Windows PE, and install the new OS and applications. See the following examples: ![Task sequence example 1.](../images/pc0003b.png)
    diff --git a/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md index 45a35d3282..dd75747e26 100644 --- a/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md @@ -16,7 +16,7 @@ ms.date: 10/27/2022 # Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager -**Applies to** +*Applies to:* - Windows 10 @@ -26,46 +26,56 @@ In this article, you'll create a backup-only task sequence that you run on PC000 ## Infrastructure -An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). +An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). For the purposes of this article, we'll use one server computer (CM01) and two client computers (PC0004, PC0006). + - CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. - - Important: CM01 must include the **[State migration point](/configmgr/osd/get-started/manage-user-state#BKMK_StateMigrationPoint)** role for the replace task sequence used in this article to work. + - Important: CM01 must include the **[State migration point](/configmgr/osd/get-started/manage-user-state#BKMK_StateMigrationPoint)** role for the replace task sequence used in this article to work. + - PC0004 is a domain member client computer running Windows 7 SP1, or a later version of Windows, with the Configuration Manager client installed, that will be replaced. + - PC0006 is a domain member client computer running Windows 10, with the Configuration Manager client installed, that will replace PC0004. ->[!NOTE] ->PC0004 and PC006 can be VMs hosted on the server HV01, which is a Hyper-V host computer that we used previously to build a Windows 10 reference image. However, the VMs must have sufficient resources available to run the Configuration Manager OSD task sequence. 2GB of RAM or more is recommended. +> [!NOTE] +> PC0004 and PC006 can be VMs hosted on the server HV01, which is a Hyper-V host computer that we used previously to build a Windows 10 reference image. However, the VMs must have sufficient resources available to run the Configuration Manager OSD task sequence. 2GB of RAM or more is recommended. -All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. +All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. All server and client computers referenced in this guide are on the same subnet. This interrelation isn't required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates. ->[!IMPORTANT] ->This article assumes that you have [configured Active Directory permissions](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md#configure-active-directory-permissions) in the specified OU for the **CM_JD** account, and the client's Active Directory computer account is in the **Contoso > Computers > Workstations** OU. Use the Active Directory Users and Computers console to review the location of computer objects and move them if needed. +> [!IMPORTANT] +> This article assumes that you have [configured Active Directory permissions](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md#configure-active-directory-permissions) in the specified OU for the **CM_JD** account, and the client's Active Directory computer account is in the **Contoso > Computers > Workstations** OU. Use the Active Directory Users and Computers console to review the location of computer objects and move them if needed. ## Create a replace task sequence On **CM01**: -1. Using the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create MDT Task Sequence**. +1. Using the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create MDT Task Sequence**. + 2. On the **Choose Template** page, select the **Client Replace Task Sequence** template and select **Next**. + 3. On the **General** page, assign the following settings and select **Next**: - * Task sequence name: Replace Task Sequence - * Task sequence comments: USMT backup only + - Task sequence name: Replace Task Sequence + - Task sequence comments: USMT backup only 4. On the **Boot Image** page, browse and select the **Zero Touch WinPE x64** boot image package. Then select **Next**. + 5. On the **MDT Package** page, browse and select the **OSD / MDT** package. Then select **Next**. + 6. On the **USMT Package** page, browse and select the **OSD / Microsoft Corporation User State Migration Tool for Windows** package. Then select **Next**. + 7. On the **Settings Package** page, browse and select the **OSD / Windows 10 x64 Settings** package. Then select **Next**. + 8. On the **Summary** page, review the details and then select **Next**. + 9. On the **Confirmation** page, select **Finish**. -10. Review the Replace Task Sequence. +10. Review the Replace Task Sequence. - >[!NOTE] - >This task sequence has many fewer actions than the normal client task sequence. If it doesn't seem different, make sure you selected the **Client Replace Task Sequence** template when creating the task sequence. + > [!NOTE] + > This task sequence has many fewer actions than the normal client task sequence. If it doesn't seem different, make sure you selected the **Client Replace Task Sequence** template when creating the task sequence. ![The back-up only task sequence.](../images/mdt-06-fig42.png "The back-up only task sequence") @@ -77,70 +87,78 @@ This section walks you through the process of associating a new, blank device (P On **HV01** (if PC0006 is a VM) or in the PC0006 BIOS: -1. Make a note of the MAC address for PC0006. (If PC0006 is a virtual machine, you can see the MAC Address in the virtual machine settings.) In our example, the PC0006 MAC Address is 00:15:5D:0A:6A:96. Don't attempt to PXE boot PC0006 yet. +1. Make a note of the MAC address for PC0006. (If PC0006 is a virtual machine, you can see the MAC Address in the virtual machine settings.) In our example, the PC0006 MAC Address is 00:15:5D:0A:6A:96. Don't attempt to PXE boot PC0006 yet. On **CM01**: -2. When you're using the Configuration Manager console, in the Assets and Compliance workspace, right-click **Devices**, and then select **Import Computer Information**. -3. On the **Select Source** page, select **Import single computer** and select **Next**. -4. On the **Single Computer** page, use the following settings and then select **Next**: +1. When you're using the Configuration Manager console, in the **Assets and Compliance** workspace, right-click **Devices**, and then select **Import Computer Information**. - * Computer Name: PC0006 - * MAC Address: <the mac address that you wrote down> - * Source Computer: PC0004 +2. On the **Select Source** page, select **Import single computer** and select **Next**. + +3. On the **Single Computer** page, use the following settings and then select **Next**: + + - Computer Name: PC0006 + - MAC Address: *\ + - Source Computer: PC0004 ![Create the computer association.](../images/mdt-06-fig43.png "Create the computer association") Creating the computer association between PC0004 and PC0006. -5. On the **User Accounts** page, select **Capture and restore all user accounts** and select **Next**. -6. On the **Data Preview** page, select **Next**. -7. On the **Choose additional collections** page, select **Add** and then select the **Install Windows 10 Enterprise x64** collection. Now, select the checkbox next to the Install Windows 10 Enterprise x64 collection you just added, and then select **Next**. -8. On the **Summary** page, select **Next**, and then select **Close**. -9. Select the **User State Migration** node and review the computer association in the right hand pane. -10. Right-click the **PC0004/PC0006** association and select **View Recovery Information**. A recovery key has been assigned already, but a user state store location hasn't. -11. Review the **Install Windows 10 Enterprise x64** collection. Don't continue until you see the **PC0006** computer in the collection. You might have to update membership and refresh the collection again. +4. On the **User Accounts** page, select **Capture and restore all user accounts** and select **Next**. + +5. On the **Data Preview** page, select **Next**. + +6. On the **Choose additional collections** page, select **Add** and then select the **Install Windows 10 Enterprise x64** collection. Now, select the checkbox next to the Install Windows 10 Enterprise x64 collection you just added, and then select **Next**. + +7. On the **Summary** page, select **Next**, and then select **Close**. + +8. Select the **User State Migration** node and review the computer association in the right hand pane. + +9. Right-click the **PC0004/PC0006** association and select **View Recovery Information**. A recovery key has been assigned already, but a user state store location hasn't. + +10. Review the **Install Windows 10 Enterprise x64** collection. Don't continue until you see the **PC0006** computer in the collection. You might have to update membership and refresh the collection again. ## Create a device collection and add the PC0004 computer On **CM01**: -1. When you're using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings: +1. When you're using the Configuration Manager console, in the **Asset and Compliance** workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings: - * General - * Name: USMT Backup (Replace) - * Limited Collection: All Systems - * Membership rules: - * Add Rule: Direct rule - * Resource Class: System Resource - * Attribute Name: Name - * Value: PC0004 - * Select Resources: - * Select **PC0004** + - General + - Name: USMT Backup (Replace) + - Limited Collection: All Systems + - Membership rules: + - Add Rule: Direct rule + - Resource Class: System Resource + - Attribute Name: Name + - Value: PC0004 + - Select Resources: + - Select **PC0004** Use default settings for the remaining wizard pages, then select **Close**. -2. Review the **USMT Backup (Replace)** collection. Don't continue until you see the **PC0004** computer in the collection. +2. Review the **USMT Backup (Replace)** collection. Don't continue until you see the **PC0004** computer in the collection. ## Create a new deployment On **CM01**: -Using the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Replace Task Sequence**, and then select **Deploy**. Use the following settings: +Using the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Replace Task Sequence**, and then select **Deploy**. Use the following settings: -- General - - Collection: USMT Backup (Replace) -- Deployment Settings - - Purpose: Available - - Make available to the following: Only Configuration Manager Clients -- Scheduling - - <default> -- User Experience - - <default> -- Alerts - - <default> -- Distribution Points - - <default> +- General + - Collection: USMT Backup (Replace) +- Deployment Settings + - Purpose: Available + - Make available to the following: Only Configuration Manager Clients +- Scheduling + - *\ +- User Experience + - *\ +- Alerts + - *\ +- Distribution Points + - *\ ## Verify the backup @@ -148,15 +166,17 @@ This section assumes that you have a computer named PC0004 with the Configuratio On **PC0004**: -1. If it's not already started, start the PC0004 computer and open the Configuration Manager control panel (control smscfgrc). -2. On the **Actions** tab, select **Machine Policy Retrieval & Evaluation Cycle**, select **Run Now**, and then select **OK** in the popup dialog box that appears. +1. If it's not already started, start the PC0004 computer and open the Configuration Manager control panel (**`control.exe smscfgrc`**). +2. On the **Actions** tab, select **Machine Policy Retrieval & Evaluation Cycle**, select **Run Now**, and then select **OK** in the popup dialog box that appears. - >[!NOTE] - >You also can use the Client Notification option in the Configuration Manager console, as shown in [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md). + > [!NOTE] + > You also can use the Client Notification option in the Configuration Manager console, as shown in [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md). -3. Open the Software Center, select the **Replace Task Sequence** deployment and then select **Install**. -4. Confirm you want to upgrade the operating system on this computer by clicking **Install** again. -5. Allow the Replace Task Sequence to complete. The PC0004 computer will gather user data, boot into Windows PE and gather more data, then boot back to the full OS. The entire process should only take a few minutes. +3. Open the Software Center, select the **Replace Task Sequence** deployment and then select **Install**. + +4. Confirm you want to upgrade the operating system on this computer by clicking **Install** again. + +5. Allow the Replace Task Sequence to complete. The PC0004 computer will gather user data, boot into Windows PE and gather more data, then boot back to the full OS. The entire process should only take a few minutes. ![Task sequence example.](../images/pc0004b.png) @@ -164,11 +184,12 @@ Capturing the user state On **CM01**: -6. Open the state migration point storage folder (ex: D:\Migdata) and verify that a subfolder was created containing the USMT backup. -7. Using the Configuration Manager console, in the Assets and Compliance workspace, select the **User State Migration** node, right-click the **PC0004/PC0006** association, and select **View Recovery Information**. The object now also has a user state store location. +1. Open the state migration point storage folder (ex: D:\Migdata) and verify that a subfolder was created containing the USMT backup. - >[!NOTE] - >It may take a few minutes for the user state store location to be populated. +2. Using the Configuration Manager console, in the **Assets and Compliance** workspace, select the **User State Migration** node, right-click the **PC0004/PC0006** association, and select **View Recovery Information**. The object now also has a user state store location. + + > [!NOTE] + > It may take a few minutes for the user state store location to be populated. ## Deploy the new computer @@ -176,16 +197,16 @@ On **PC0006**: 1. Start the PC0006 virtual machine (or physical computer), press **F12** to Pre-Boot Execution Environment (PXE) boot when prompted. Allow it to boot Windows Preinstallation Environment (Windows PE), and then complete the deployment wizard using the following settings: - * Password: pass@word1 - * Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM + - Password: pass@word1 + - Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM -2. The setup now starts and does the following steps: +2. The setup now starts and does the following steps: - * Installs the Windows 10 operating system - * Installs the Configuration Manager client - * Joins it to the domain - * Installs the applications - * Restores the PC0004 backup + - Installs the Windows 10 operating system + - Installs the Configuration Manager client + - Joins it to the domain + - Installs the applications + - Restores the PC0004 backup When the process is complete, you'll have a new Windows 10 computer in your domain with user data and settings restored. See the following examples: diff --git a/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md index 687b63ad7c..db3236d549 100644 --- a/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md @@ -15,25 +15,25 @@ ms.date: 10/27/2022 # Perform an in-place upgrade to Windows 10 using Configuration Manager +*Applies to:* -**Applies to** - -- Windows 10 +- Windows 10 The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a Microsoft Configuration Manager task sequence to completely automate the process. ->[!IMPORTANT] ->Beginning with Windows 10 and Windows Server 2016, Windows Defender is already installed. A management client for Windows Defender is also installed automatically if the Configuration Manager client is installed. However, previous Windows operating systems installed the System Center Endpoint Protection (SCEP) client with the Configuration Manager client. The SCEP client can block in-place upgrade to Windows 10 due to incompatibility, and must be removed from a device before performing an in-place upgrade to Windows 10. +> [!IMPORTANT] +> Beginning with Windows 10 and Windows Server 2016, Windows Defender is already installed. A management client for Windows Defender is also installed automatically if the Configuration Manager client is installed. However, previous Windows operating systems installed the System Center Endpoint Protection (SCEP) client with the Configuration Manager client. The SCEP client can block in-place upgrade to Windows 10 due to incompatibility, and must be removed from a device before performing an in-place upgrade to Windows 10. ## Infrastructure -An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). +An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). For the purposes of this article, we'll use one server computer (CM01) and one client computer (PC0004). + - CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. - PC0004 is a domain member client computer running Windows 7 SP1, or a later version of Windows, with the Configuration Manager client installed, that will be upgraded to Windows 10. -All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. +All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. All server and client computers referenced in this guide are on the same subnet. This interrelation isn't required. But each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the `contoso.com` domain. Internet connectivity is also required to download OS and application updates. @@ -43,30 +43,40 @@ Configuration Manager Current Branch includes a native in-place upgrade task. Th On **CM01**: -1. Using the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, right-click **Operating System Upgrade Packages**, and select **Add Operating System Upgrade Package**. -2. On the **Data Source** page, under **Path**, select **Browse** and enter the UNC path to your media source. In this example, we've extracted the Windows 10 installation media to **\\\\cm01\\Sources$\\OSD\\UpgradePackages\\Windows 10**. +1. Using the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Operating System Upgrade Packages**, and select **Add Operating System Upgrade Package**. + +2. On the **Data Source** page, under **Path**, select **Browse** and enter the UNC path to your media source. In this example, we've extracted the Windows 10 installation media to **`\\cm01\Sources$\OSD\UpgradePackages\Windows 10`**. + 3. If you have multiple image indexes in the installation media, select **Extract a specific image index from install.wim...** and choose the image index you want from the dropdown menu. In this example, we've chosen **Windows 10 Enterprise**. + 4. Next to **Architecture**, select **x64**, choose a language from the dropdown menu next to **Language**, and then select **Next**. + 5. Next to **Name**, enter **Windows 10 x64 RTM** and then complete the wizard by clicking **Next** and **Close**. -6. Distribute the OS upgrade package to the CM01 distribution point by right-clicking the **Windows 10 x64 RTM** OS upgrade package and then clicking **Distribute Content**. -7. In the Distribute Content Wizard, add the CM01 distribution point, select **Next** and select **Close**. -8. View the content status for the Windows 10 x64 RTM upgrade package. Don't continue until the distribution is completed (it might take a few minutes). You also can review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for the **STATMSG: ID=2301** line. + +6. Distribute the OS upgrade package to the CM01 distribution point by right-clicking the **Windows 10 x64 RTM** OS upgrade package and then clicking **Distribute Content**. + +7. In the Distribute Content Wizard, add the CM01 distribution point, select **Next** and select **Close**. + +8. View the content status for the Windows 10 x64 RTM upgrade package. Don't continue until the distribution is completed (it might take a few minutes). You also can review the **`D:\Program Files\Microsoft Configuration Manager\Logs\distmgr.log`** file and look for the **STATMSG: ID=2301** line. ## Create an in-place upgrade task sequence On **CM01**: -1. Using the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create Task Sequence**. +1. Using the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create Task Sequence**. + 2. On the **Create a new task sequence** page, select **Upgrade an operating system from an upgrade package** and select **Next**. + 3. Use the below settings to complete the wizard: - * Task sequence name: Upgrade Task Sequence - * Description: In-place upgrade - * Upgrade package: Windows 10 x64 RTM - * Include software updates: Don't install any software updates - * Install applications: OSD \ Adobe Acrobat Reader DC + - Task sequence name: Upgrade Task Sequence + - Description: In-place upgrade + - Upgrade package: Windows 10 x64 RTM + - Include software updates: Don't install any software updates + - Install applications: OSD \ Adobe Acrobat Reader DC 4. Complete the wizard, and select **Close**. + 5. Review the Upgrade Task Sequence. ![The upgrade task sequence.](../images/cm-upgrade-ts.png) @@ -79,7 +89,7 @@ After you create the upgrade task sequence, you can create a collection to test On **CM01**: -1. When you're using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings: +1. When you're using the Configuration Manager console, in the **Asset and Compliance** workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings: - General - Name: Windows 10 x64 in-place upgrade - Limited Collection: All Systems @@ -91,7 +101,7 @@ On **CM01**: - Select Resources - Select PC0004 -2. Review the Windows 10 x64 in-place upgrade collection. Don't continue until you see PC0004 in the collection. +2. Review the Windows 10 x64 in-place upgrade collection. Don't continue until you see PC0004 in the collection. ## Deploy the Windows 10 upgrade @@ -99,15 +109,23 @@ In this section, you create a deployment for the Windows 10 Enterprise x64 Updat On **CM01**: -1. Using the Configuration Manager console, in the Software Library workspace, right-click the **Upgrade Task Sequence** task sequence, and then select **Deploy**. -2. On the **General** page, browse and select the **Windows 10 x64 in-place upgrade** collection, and then select **Next**. -3. On the **Content** page, select **Next**. -4. On the **Deployment Settings** page, select **Next**: -5. On the **Scheduling** page, accept the default settings, and then select **Next**. -6. On the **User Experience** page, accept the default settings, and then select **Next**. -7. On the **Alerts** page, accept the default settings, and then select **Next**. -7. On the **Distribution Points** page, accept the default settings, and then select **Next**. -8. On the **Summary** page, select **Next**, and then select **Close**. +1. Using the Configuration Manager console, in the **Software Library** workspace, right-click the **Upgrade Task Sequence** task sequence, and then select **Deploy**. + +2. On the **General** page, browse and select the **Windows 10 x64 in-place upgrade** collection, and then select **Next**. + +3. On the **Content** page, select **Next**. + +4. On the **Deployment Settings** page, select **Next**: + +5. On the **Scheduling** page, accept the default settings, and then select **Next**. + +6. On the **User Experience** page, accept the default settings, and then select **Next**. + +7. On the **Alerts** page, accept the default settings, and then select **Next**. + +8. On the **Distribution Points** page, accept the default settings, and then select **Next**. + +9. On the **Summary** page, select **Next**, and then select **Close**. ## Start the Windows 10 upgrade @@ -115,15 +133,18 @@ Next, run the in-place upgrade task sequence on PC0004. On **PC0004**: -1. Open the Configuration Manager control panel (control smscfgrc). -2. On the **Actions** tab, select **Machine Policy Retrieval & Evaluation Cycle**, select **Run Now**, and then select **OK** in the popup dialog box that appears. +1. Open the Configuration Manager control panel (`control.exe smscfgrc`). - >[!NOTE] - >You also can use the Client Notification option in the Configuration Manager console, as shown in [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md). +2. On the **Actions** tab, select **Machine Policy Retrieval & Evaluation Cycle**, select **Run Now**, and then select **OK** in the popup dialog box that appears. -3. Open the Software Center, select the **Upgrade Task Sequence** deployment and then select **Install**. -4. Confirm you want to upgrade the operating system on this computer by clicking **Install** again. -5. Allow the Upgrade Task Sequence to complete. The PC0004 computer will download the install.wim file, perform an in-place upgrade, and install your added applications. See the following examples: + > [!NOTE] + > You also can use the Client Notification option in the Configuration Manager console, as shown in [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md). + +3. Open the Software Center, select the **Upgrade Task Sequence** deployment and then select **Install**. + +4. Confirm you want to upgrade the operating system on this computer by clicking **Install** again. + +5. Allow the Upgrade Task Sequence to complete. The PC0004 computer will download the **Operating System Upgrade Package** (the Windows installation source files), perform an in-place upgrade, and install your added applications. See the following examples: ![Upgrade task sequence example 1.](../images/pc0004-a.png)
    ![Upgrade task sequence example 2.](../images/pc0004-b.png)
    diff --git a/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md b/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md index c267cbdf68..80c99d9d57 100644 --- a/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md +++ b/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md @@ -9,43 +9,49 @@ ms.localizationpriority: medium author: frankroj ms.topic: article ms.technology: itpro-deploy -ms.date: 10/28/2022 +ms.date: 11/28/2022 --- # Assign applications using roles in MDT This article will show you how to add applications to a role in the MDT database and then assign that role to a computer. For the purposes of this article, the application we're adding is Adobe Reader XI. In addition to using computer-specific entries in the database, you can use roles in MDT to group settings together. -## Create and assign a role entry in the database +## Create and assign a role entry in the database -1. On MDT01, using Deployment Workbench, in the MDT Production deployment share, expand **Advanced Configuration** and then expand **Database**. -2. In the **Database** node, right-click **Role**, select **New**, and create a role entry with the following settings: - 1. Role name: Standard PC - 2. Applications / Lite Touch Applications: - 3. Install - Adobe Reader XI - x86 +1. On MDT01, using Deployment Workbench, in the MDT Production deployment share, expand **Advanced Configuration** and then expand **Database**. + +2. In the **Database** node, right-click **Role**, select **New**, and create a role entry with the following settings: + + 1. Role name: Standard PC + 2. Applications / Lite Touch Applications: + 3. Install - Adobe Reader XI - x86 ![figure 12.](../images/mdt-09-fig12.png) Figure 12. The Standard PC role with the application added -## Associate the role with a computer in the database +## Associate the role with a computer in the database After creating the role, you can associate it with one or more computer entries. -1. Using Deployment Workbench, expand **MDT Production**, expand **Advanced Configuration**, expand **Database**, and select **Computers**. -2. In the **Computers** node, double-click the **PC00075** entry, and add the following setting: - - Roles: Standard PC + +1. Using Deployment Workbench, expand **MDT Production**, expand **Advanced Configuration**, expand **Database**, and select **Computers**. + +2. In the **Computers** node, double-click the **PC00075** entry, and add the following setting: + - Roles: Standard PC ![figure 13.](../images/mdt-09-fig13.png) Figure 13. The Standard PC role added to PC00075 (having ID 1 in the database). -## Verify database access in the MDT simulation environment +## Verify database access in the MDT simulation environment When the database is populated, you can use the MDT simulation environment to simulate a deployment. The applications aren't installed, but you can see which applications would be installed if you did a full deployment of the computer. -1. On PC0001, log on as **CONTOSO\\MDT\_BA**. -2. Modify the C:\\MDT\\CustomSettings.ini file to look like below: - ``` +1. On PC0001, log on as **CONTOSO\\MDT\_BA**. + +2. Modify the C:\\MDT\\CustomSettings.ini file to look like below: + + ```ini [Settings] Priority=CSettings, CRoles, RApplications, Default [Default] @@ -108,9 +114,9 @@ When the database is populated, you can use the MDT simulation environment to si Order=Sequence ``` -3. Using an elevated Windows PowerShell prompt (run as Administrator), run the following commands. Press **Enter** after each command: +3. Using an elevated Windows PowerShell prompt (run as Administrator), run the following commands. Press **Enter** after each command: - ``` powershell + ```powershell Set-Location C:\MDT .\Gather.ps1 @@ -122,10 +128,10 @@ Figure 14. ZTIGather.log displaying the application GUID belonging to the Adobe ## Related articles -[Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md) -
    [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) -
    [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md) -
    [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) -
    [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) -
    [Use web services in MDT](use-web-services-in-mdt.md) -
    [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md) \ No newline at end of file +- [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md) +- [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) +- [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md) +- [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) +- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) +- [Use web services in MDT](use-web-services-in-mdt.md) +- [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md) diff --git a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md index 1e3e971ecc..043e8f7ab8 100644 --- a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md +++ b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md @@ -10,17 +10,18 @@ ms.localizationpriority: medium author: frankroj ms.topic: article ms.technology: itpro-deploy -ms.date: 10/28/2022 +ms.date: 11/28/2022 --- # Build a distributed environment for Windows 10 deployment -**Applies to** -- Windows 10 +**Applies to:** + +- Windows 10 Perform the steps in this article to build a distributed environment for Windows 10 deployment. A distributed environment for deployment is useful when you have a segmented network, for example one that is segmented geographically into two branch locations. If you work in a distributed environment, replicating the deployment shares is an important part of a deployment solution because images of 5 GB or more in size can present bandwidth issues when deployed over the wire. Replicating this content enables clients to do local deployments. -Four computers are used in this article: DC01, MDT01, MDT02, and PC0006. DC01 is a domain controller, MDT01 and MDT02 are domain member computers running Windows Server 2019, and PC0006 is a blank device where we'll deploy Windows 10. The second deployment server (MDT02) will be configured for a remote site (Stockholm) by replicating the deployment share on MDT01 at the original site (New York). All devices are members of the domain contoso.com for the fictitious Contoso Corporation. +Four computers are used in this article: DC01, MDT01, MDT02, and PC0006. DC01 is a domain controller, MDT01 and MDT02 are domain member computers running Windows Server 2019, and PC0006 is a blank device where we'll deploy Windows 10. The second deployment server (MDT02) will be configured for a remote site (Stockholm) by replicating the deployment share on MDT01 at the original site (New York). All devices are members of the domain contoso.com for the fictitious Contoso Corporation. For the purposes of this article, we assume that MDT02 is prepared with the same network and storage capabilities that were specified for MDT01, except that MDT02 is located on a different subnet than MDT01. For more information on the infrastructure setup for this article, see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md). @@ -28,7 +29,8 @@ For the purposes of this article, we assume that MDT02 is prepared with the same Computers used in this article. ->HV01 is also used in this topic to host the PC0006 virtual machine. +> [!NOTE] +> HV01 is also used in this topic to host the PC0006 virtual machine. ## Replicate deployment shares @@ -36,7 +38,7 @@ Replicating the content between MDT01 (New York) and MDT02 (Stockholm) can be do > [!NOTE] > Robocopy has options that allow for synchronization between folders. It has a simple reporting function; it supports transmission retry; and, by default, it will only copy/remove files from the source that are newer than files on the target. - + ### Linked deployment shares in MDT LDS is a built-in feature in MDT for replicating content. However, LDS works best with strong connections such as LAN connections with low latency. For most WAN links, DFS-R is the better option. @@ -55,9 +57,9 @@ On **MDT01**: 1. Install the DFS Replication role on MDT01 by entering the following at an elevated Windows PowerShell prompt: -```powershell -Install-WindowsFeature -Name FS-DFS-Replication -IncludeManagementTools -``` + ```powershell + Install-WindowsFeature -Name FS-DFS-Replication -IncludeManagementTools + ``` 2. Wait for installation to complete, and then verify that the installation was successful. See the following output: @@ -75,9 +77,9 @@ On **MDT02**: 1. Perform the same procedure on MDT02 by entering the following at an elevated Windows PowerShell prompt: -```powershell -Install-WindowsFeature -Name FS-DFS-Replication -IncludeManagementTools -``` + ```powershell + Install-WindowsFeature -Name FS-DFS-Replication -IncludeManagementTools + ``` 2. Wait for installation to complete, and then verify that the installation was successful. See the following output: @@ -95,10 +97,10 @@ On **MDT02**: 1. Create and share the **D:\\MDTProduction** folder using default permissions by entering the following at an elevated command prompt: - ```powershell - mkdir d:\MDTProduction - New-SmbShare -Name "MDTProduction$" -Path "D:\MDTProduction" - ``` + ```powershell + mkdir d:\MDTProduction + New-SmbShare -Name "MDTProduction$" -Path "D:\MDTProduction" + ``` 2. You should see the following output: @@ -112,11 +114,11 @@ On **MDT02**: ### Configure the deployment share -When you have multiple deployment servers sharing the same content, you need to configure the Bootstrap.ini file with information about which server to connect to based on where the client is located. In MDT that can be done by using the DefaultGateway property. +When you have multiple deployment servers sharing the same content, you need to configure the Bootstrap.ini file with information about which server to connect to based on where the client is located. In MDT that can be done by using the **DefaultGateway** property. On **MDT01**: -1. Using Notepad, navigate to the **D:\\MDTProduction\\Control** folder and modify the Boostrap.ini file as follows. Under [DefaultGateway] enter the IP addresses for the client's default gateway in New York and Stockholm, respectively (replace 10.10.10.1 and 10.10.20.1 with your default gateways). The default gateway setting is what tells the client which deployment share (that is, server) to use. +1. Using Notepad, navigate to the **D:\\MDTProduction\\Control** folder and modify the `Boostrap.ini` file as follows. Under `[DefaultGateway]` enter the IP addresses for the client's default gateway in New York and Stockholm, respectively (replace 10.10.10.1 and 10.10.20.1 with your default gateways). The default gateway setting is what tells the client which deployment share (that is, server) to use. ```ini [Settings] @@ -138,130 +140,167 @@ On **MDT01**: UserPassword=pass@word1 SkipBDDWelcome=YES ``` - >[!NOTE] - >The DeployRoot value needs to go into the Bootstrap.ini file, but you can use the same logic in the CustomSettings.ini file. For example, you can redirect the logs to the local deployment server (SLSHARE), or have the User State Migration Tool (USMT) migration store (UDDIR) local. To learn more about USMT, see [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) and [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md). - -2. Save the Bootstrap.ini file. + + > [!NOTE] + > The DeployRoot value needs to go into the Bootstrap.ini file, but you can use the same logic in the CustomSettings.ini file. For example, you can redirect the logs to the local deployment server (SLSHARE), or have the User State Migration Tool (USMT) migration store (UDDIR) local. To learn more about USMT, see [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) and [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md). + +2. Save the `Bootstrap.ini` file. + 3. Using the Deployment Workbench, right-click the **MDT Production** deployment share and select **Update Deployment Share**. Use the default settings for the Update Deployment Share Wizard. This process will take a few minutes. + 4. After the update is complete, use the Windows Deployment Services console on MDT01. In the **Boot Images** node, right-click the **MDT Production x64** boot image and select **Replace Image**. + 5. Browse and select the **D:\\MDTProduction\\Boot\\LiteTouchPE\_x64.wim** boot image, and then complete Replace Boot Image Wizard using the default settings. ![figure 5.](../images/mdt-10-fig05.png) Replacing the updated boot image in WDS. - >[!TIP] - >If you modify bootstrap.ini again later, be sure to repeat the process of updating the deployment share in the Deployment Workbench and replacing the boot image in the WDS console. + > [!TIP] + > If you modify bootstrap.ini again later, be sure to repeat the process of updating the deployment share in the Deployment Workbench and replacing the boot image in the WDS console. - ## Replicate the content +## Replicate the content - Once the MDT01 and MDT02 servers are prepared, you're ready to configure the actual replication. +Once the MDT01 and MDT02 servers are prepared, you're ready to configure the actual replication. - ### Create the replication group +### Create the replication group -6. On MDT01, using DFS Management (dfsmgmt.msc), right-click **Replication**, and select **New Replication Group**. -7. On the **Replication Group Type** page, select **Multipurpose replication group**, and select **Next**. -8. On the **Name and Domain** page, assign the **MDTProduction** name, and select **Next**. -9. On the **Replication Group Members** page, select **Add**, add **MDT01** and **MDT02**, and then select **Next**. +1. On MDT01, using DFS Management (dfsmgmt.msc), right-click **Replication**, and select **New Replication Group**. + +2. On the **Replication Group Type** page, select **Multipurpose replication group**, and select **Next**. + +3. On the **Name and Domain** page, assign the **MDTProduction** name, and select **Next**. + +4. On the **Replication Group Members** page, select **Add**, add **MDT01** and **MDT02**, and then select **Next**. ![figure 6.](../images/mdt-10-fig06.png) Adding the Replication Group Members. -10. On the **Topology Selection** page, select the **Full mesh** option and select **Next**. -11. On the **Replication Group Schedule and Bandwidth** page, accept the default settings and select **Next**. -12. On the **Primary Member** page, select **MDT01** and select **Next**. -13. On the **Folders to Replicate** page, select **Add**, enter **D:\\MDTProduction** as the folder to replicate, select **OK**, and then select **Next**. -14. On the **Local Path of MDTProduction** on the **Other Members** page, select **MDT02**, and select **Edit**. -15. On the **Edit** page, select the **Enabled** option, type in **D:\\MDTProduction** as the local path of folder, select the **Make the selected replicated folder on this member read-only** check box, select **OK**, and then select **Next**. -16. On the **Review Settings and Create Replication Group** page, select **Create**. -17. On the **Confirmation** page, select **Close**. +5. On the **Topology Selection** page, select the **Full mesh** option and select **Next**. - ### Configure replicated folders +6. On the **Replication Group Schedule and Bandwidth** page, accept the default settings and select **Next**. + +7. On the **Primary Member** page, select **MDT01** and select **Next**. + +8. On the **Folders to Replicate** page, select **Add**, enter **D:\\MDTProduction** as the folder to replicate, select **OK**, and then select **Next**. + +9. On the **Local Path of MDTProduction** on the **Other Members** page, select **MDT02**, and select **Edit**. + +10. On the **Edit** page, select the **Enabled** option, type in **D:\\MDTProduction** as the local path of folder, select the **Make the selected replicated folder on this member read-only** check box, select **OK**, and then select **Next**. + +11. On the **Review Settings and Create Replication Group** page, select **Create**. + +12. On the **Confirmation** page, select **Close**. + +### Configure replicated folders + +1. On **MDT01**, using DFS Management, expand **Replication** and then select **MDTProduction**. + +2. In the middle pane, right-click the **MDT01** member and select **Properties**. + +3. On the **MDT01 (MDTProduction) Properties** page, configure the following and then select **OK**: + + 1. In the **Staging** tab, set the quota to **20480 MB**. + + 2. In the **Advanced** tab, set the quota to **8192 MB**. -18. On **MDT01**, using DFS Management, expand **Replication** and then select **MDTProduction**. -19. In the middle pane, right-click the **MDT01** member and select **Properties**. -20. On the **MDT01 (MDTProduction) Properties** page, configure the following and then select **OK**: - 1. In the **Staging** tab, set the quota to **20480 MB**. - 2. In the **Advanced** tab, set the quota to **8192 MB**. In this scenario the size of the deployment share is known, but you might need to change the values for your environment. A good rule of thumb is to get the size of the 16 largest files and make sure they fit in the staging area. Below is a Windows PowerShell example that calculates the size of the 16 largest files in the D:\\MDTProduction deployment share: - - ``` powershell + + ```powershell (Get-ChildItem D:\MDTProduction -Recurse | Sort-Object Length -Descending | Select-Object -First 16 | Measure-Object -Property Length -Sum).Sum /1GB ``` -21. In the middle pane, right-click the **MDT02** member and select **Properties**. -22. On the **MDT02 (MDTProduction) Properties** page, configure the following and then select **OK**: - 1. In the **Staging** tab, set the quota to **20480 MB**. - 2. In the **Advanced** tab, set the quota to **8192 MB**. +4. In the middle pane, right-click the **MDT02** member and select **Properties**. + +5. On the **MDT02 (MDTProduction) Properties** page, configure the following and then select **OK**: + 1. In the **Staging** tab, set the quota to **20480 MB**. + + 2. In the **Advanced** tab, set the quota to **8192 MB**. > [!NOTE] > It will take some time for the replication configuration to be picked up by the replication members (MDT01 and MDT02). The time for the initial sync will depend on the WAN link speed between the sites. After that, delta changes are replicated quickly. -23. Verify that MDT01 and MDT02 are members of the MDTProduction replication group, with MDT01 being primary as follows using an elevated command prompt: +6. Verify that MDT01 and MDT02 are members of the MDTProduction replication group, with MDT01 being primary as follows using an elevated command prompt: -```cmd -C:\> dfsradmin membership list /rgname:MDTProduction /attr:MemName,IsPrimary -MemName IsPrimary -MDT01 Yes -MDT02 No -``` + ```cmd + C:\> dfsradmin membership list /rgname:MDTProduction /attr:MemName,IsPrimary + MemName IsPrimary + MDT01 Yes + MDT02 No + ``` ### Verify replication On **MDT02**: 1. Wait until you start to see content appear in the **D:\\MDTProduction** folder. + 2. Using DFS Management, expand **Replication**, right-click **MDTProduction**, and select **Create Diagnostics Report**. + 3. In the Diagnostics Report Wizard, on the **Type of Diagnostics Report or Test** page, choose **Health report** and select **Next**. + 4. On the **Path and Name** page, accept the default settings and select **Next**. + 5. On the **Members to Include** page, accept the default settings and select **Next**. + 6. On the **Options** page, accept the default settings and select **Next**. + 7. On the **Review Settings and Create Report** page, select **Create**. + 8. Open the report in Internet Explorer, and if necessary, select the **Allow blocked content** option. -![figure 9.](../images/mdt-10-fig09.png) + ![figure 9.](../images/mdt-10-fig09.png) + The DFS Replication Health Report. -The DFS Replication Health Report. - ->If there are replication errors you can review the DFS event log in Event Viewer under **Applications and Services Logs**. + > [!NOTE] + > If there are replication errors you can review the DFS event log in Event Viewer under **Applications and Services Logs**. ## Configure Windows Deployment Services (WDS) in a remote site Like you did in the previous article for MDT01, you need to add the MDT Production Lite Touch x64 Boot image to Windows Deployment Services on MDT02. For the following steps, we assume that WDS has already been installed on MDT02. + 1. On MDT02, using the WDS console, right-click **Boot Images** and select **Add Boot Image**. + 2. Browse to the **D:\\MDTProduction\\Boot\\LiteTouchPE\_x64.wim** file and add the image with the default settings. ## Deploy a Windows 10 client to the remote site -Now you should have a solution ready for deploying the Windows 10 client to the remote site: Stockholm, using the MDTProduction deployment share replica on MDT02. You can test this deployment with the following optional procedure. +Now you should have a solution ready for deploying the Windows 10 client to the remote site: Stockholm, using the MDTProduction deployment share replica on MDT02. You can test this deployment with the following optional procedure. ->For demonstration purposes, the following procedure uses a virtual machine (PC0006) hosted by the Hyper-V server HV01. To use the remote site server (MDT02) the VM must be assigned a default gateway that matches the one you entered in the Boostrap.ini file. +> [!NOTE] +> For demonstration purposes, the following procedure uses a virtual machine (PC0006) hosted by the Hyper-V server HV01. To use the remote site server (MDT02) the VM must be assigned a default gateway that matches the one you entered in the `Boostrap.ini` file. -1. Create a virtual machine with the following settings: - 1. Name: PC0006 - 2. Location: C:\\VMs - 3. Generation: 2 - 4. Memory: 2048 MB - 5. Hard disk: 60 GB (dynamic disk) +1. Create a virtual machine with the following settings: + + 1. **Name**: PC0006 + 2. **Location**: C:\\VMs + 3. **Generation**: 2 + 4. **Memory**: 2048 MB + 5. **Hard disk**: 60 GB (dynamic disk) 6. Install an operating system from a network-based installation server -2. Start the PC0006 virtual machine, and press **Enter** to start the Pre-Boot Execution Environment (PXE) boot. The VM will now load the Windows PE boot image from the WDS server. -3. After Windows Preinstallation Environment (Windows PE) has booted, complete the Windows Deployment Wizard using the following settings: - 1. Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Custom Image - 2. Computer Name: PC0006 - 3. Applications: Select the Install - Adobe Reader -4. Setup will now start and perform the following steps: - 1. Install the Windows 10 Enterprise operating system. - 2. Install applications. - 3. Update the operating system using your local Windows Server Update Services (WSUS) server. + +2. Start the PC0006 virtual machine, and press **Enter** to start the Pre-Boot Execution Environment (PXE) boot. The VM will now load the Windows PE boot image from the WDS server. + +3. After Windows Preinstallation Environment (Windows PE) has booted, complete the Windows Deployment Wizard using the following settings: + + 1. Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Custom Image + 2. Computer Name: PC0006 + 3. Applications: Select the Install - Adobe Reader + +4. Setup will now start and perform the following steps: + + 1. Install the Windows 10 Enterprise operating system. + 2. Install applications. + 3. Update the operating system using your local Windows Server Update Services (WSUS) server. ![pc0001.](../images/pc0006.png) ## Related articles -[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
    -[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
    -[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
    -[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
    -[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
    -[Configure MDT settings](configure-mdt-settings.md) \ No newline at end of file +- [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md) +- [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) +[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md) +- [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) +- [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md) +- [Configure MDT settings](configure-mdt-settings.md) diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md b/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md index 6c254caad5..eb84fdcd77 100644 --- a/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md +++ b/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md @@ -9,23 +9,24 @@ ms.localizationpriority: medium author: frankroj ms.topic: article ms.technology: itpro-deploy -ms.date: 10/28/2022 +ms.date: 11/28/2022 --- # Configure MDT deployment share rules In this article, you'll learn how to configure the MDT rules engine to reach out to other resources, including external scripts, databases, and web services, for additional information instead of storing settings directly in the rules engine. The rules engine in MDT is powerful: most of the settings used for operating system deployments are retrieved and assigned via the rules engine. In its simplest form, the rules engine is the CustomSettings.ini text file. -## Assign settings +## Assign settings When using MDT, you can assign setting in three distinct ways: -- You can pre-stage the information before deployment. -- You can prompt the user or technician for information. -- You can have MDT generate the settings automatically. + +- You can pre-stage the information before deployment. +- You can prompt the user or technician for information. +- You can have MDT generate the settings automatically. In order to illustrate these three options, let's look at some sample configurations. -## Sample configurations +## Sample configurations Before adding the more advanced components like scripts, databases, and web services, consider the commonly used configurations below; they demonstrate the power of the rules engine. @@ -33,7 +34,7 @@ Before adding the more advanced components like scripts, databases, and web serv If you have a small test environment, or simply want to assign settings to a limited number of machines, you can edit the rules to assign settings directly for a given MAC Address. When you have many machines, it makes sense to use the database instead. -``` +```ini [Settings] Priority=MacAddress, Default [Default] @@ -48,7 +49,7 @@ In the preceding sample, you set the PC00075 computer name for a machine with a Another way to assign a computer name is to identify the machine via its serial number. -``` +```ini [Settings] Priority=SerialNumber, Default [Default] @@ -63,7 +64,7 @@ In this sample, you set the PC00075 computer name for a machine with a serial nu You also can configure the rules engine to use a known property, like a serial number, to generate a computer name on the fly. -``` +```ini [Settings] Priority=Default [Default] @@ -72,15 +73,15 @@ OSDComputerName=PC-%SerialNumber% ``` In this sample, you configure the rules to set the computer name to a prefix (PC-) and then the serial number. If the serial number of the machine is CND0370RJ7, the preceding configuration sets the computer name to PC-CND0370RJ7. -**Note** -Be careful when using the serial number to assign computer names. A serial number can contain more than 15 characters, but the Windows setup limits a computer name to 15 characters. - +> [!NOTE] +> Be careful when using the serial number to assign computer names. A serial number can contain more than 15 characters, but the Windows setup limits a computer name to 15 characters. + ### Generate a limited computer name based on a serial number To avoid assigning a computer name longer than 15 characters, you can configure the rules in more detail by adding VBScript functions, as follows: -``` +```ini [Settings] Priority=Default [Default] @@ -94,7 +95,7 @@ In the preceding sample, you still configure the rules to set the computer name In the rules, you find built-in properties that use a Windows Management Instrumentation (WMI) query to determine whether the machine you're deploying is a laptop, desktop, or server. In this sample, we assume you want to add laptops to different OUs in Active Directory. Note that ByLaptopType isn't a reserved word; rather, it's the name of the section to read. -``` +```ini [Settings] Priority=ByLaptopType, Default [Default] @@ -107,16 +108,10 @@ MachineObjectOU=OU=Laptops,OU=Contoso,DC=contoso,DC=com ## Related articles -[Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md) - -[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md) - -[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) - -[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) - -[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md) - -[Use web services in MDT](use-web-services-in-mdt.md) - -[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md) +- [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md) +- [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md) +- [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) +- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) +- [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md) +- [Use web services in MDT](use-web-services-in-mdt.md) +- [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md) diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md b/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md index 0ef50cfcd2..19adc65b02 100644 --- a/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md +++ b/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md @@ -9,7 +9,7 @@ ms.localizationpriority: medium author: frankroj ms.topic: article ms.technology: itpro-deploy -ms.date: 10/28/2022 +ms.date: 11/28/2022 --- # Configure MDT for UserExit scripts @@ -20,7 +20,7 @@ In this article, you'll learn how to configure the MDT rules engine to use a Use You can call a UserExit by referencing the script in your rules. Then you can configure a property to be set to the result of a function of the VBScript. In this example, we have a VBScript named Setname.vbs (provided in the book sample files, in the UserExit folder). -``` +```ini [Settings] Priority=Default [Default] @@ -35,7 +35,7 @@ The UserExit=Setname.vbs calls the script and then assigns the computer name to The Setname.vbs script takes the MAC Address passed from the rules. The script then does some string manipulation to add a prefix (PC) and remove the semicolons from the MAC Address. -``` +```vb Function UserExit(sType, sWhen, sDetail, bSkip) UserExit = Success End Function @@ -48,23 +48,18 @@ Function SetName(sMac) SetName = "PC" & re.Replace(sMac, "") End Function ``` + The first three lines of the script make up a header that all UserExit scripts have. The interesting part is the lines between Function and End Function. Those lines add a prefix (PC), remove the colons from the MAC Address, and return the value to the rules by setting the SetName value. ->[!NOTE] ->The purpose of this sample isn't to recommend that you use the MAC Address as a base for computer naming, but to show you how to take a variable from MDT, pass it to an external script, make some changes to it, and then return the new value to the deployment process. - +> [!NOTE] +> The purpose of this sample isn't to recommend that you use the MAC Address as a base for computer naming, but to show you how to take a variable from MDT, pass it to an external script, make some changes to it, and then return the new value to the deployment process. + ## Related articles -[Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md) - -[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) - -[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) - -[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) - -[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md) - -[Use web services in MDT](use-web-services-in-mdt.md) - -[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md) +- [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md) +- [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) +- [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) +- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) +- [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md) +- [Use web services in MDT](use-web-services-in-mdt.md) +- [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md) diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md b/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md index 6270caa911..cfb17a3eee 100644 --- a/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md +++ b/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md @@ -10,7 +10,7 @@ ms.localizationpriority: medium author: frankroj ms.topic: article ms.technology: itpro-deploy -ms.date: 10/28/2022 +ms.date: 11/28/2022 --- # Configure MDT settings @@ -24,20 +24,20 @@ The computers used in this article. ## In this section -- [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md) -- [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) -- [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md) -- [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) -- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) -- [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md) -- [Use web services in MDT](use-web-services-in-mdt.md) -- [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md) +- [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md) +- [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) +- [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md) +- [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) +- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) +- [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md) +- [Use web services in MDT](use-web-services-in-mdt.md) +- [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md) ## Related articles -[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
    -[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
    -[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
    -[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
    -[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
    -[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md) +- [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md) +- [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) +- [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md) +- [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md) +- [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) +- [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md) diff --git a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md index 864d74b4d8..b26c222f91 100644 --- a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md +++ b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md @@ -9,31 +9,33 @@ ms.localizationpriority: medium author: frankroj ms.topic: article ms.technology: itpro-deploy -ms.date: 10/28/2022 +ms.date: 11/28/2022 --- # Create a Windows 10 reference image -**Applies to** +**Applies to:** + - Windows 10 Creating a reference image is important because that image serves as the foundation for the devices in your organization. In this article, you 'll learn how to create a Windows 10 reference image using the Microsoft Deployment Toolkit (MDT). You 'll create a deployment share, configure rules and settings, and import all the applications and operating system files required to build a Windows 10 reference image. After completing the steps outlined in this article, you 'll have a Windows 10 reference image that can be used in your deployment solution. ->[!NOTE] ->For more information about the server, client, and network infrastructure used in this guide, see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md). +> [!NOTE] +> For more information about the server, client, and network infrastructure used in this guide, see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md). For the purposes of this article, we'll use three computers: DC01, MDT01, and HV01. - - DC01 is a domain controller for the contoso.com domain. - - MDT01 is a contoso.com domain member server. - - HV01 is a Hyper-V server that will be used to build the reference image. - - ![devices.](../images/mdt-08-fig01.png) +- DC01 is a domain controller for the contoso.com domain. +- MDT01 is a contoso.com domain member server. +- HV01 is a Hyper-V server that will be used to build the reference image. + + ![devices.](../images/mdt-08-fig01.png) Computers used in this article. ## The reference image The reference image described in this guide is designed primarily for deployment to physical devices. However, the reference image is typically created on a virtual platform, before being automatically run through the System Preparation (Sysprep) tool process and captured to a Windows Imaging (WIM) file. The reasons for creating the reference image on a virtual platform are: + - To reduce development time and can use snapshots to test different configurations quickly. - To rule out hardware issues. You get the best possible image, and if you've a problem, it's not likely to be hardware related. - To ensure that you won't have unwanted applications that could be installed as part of a driver install but not removed by the Sysprep process. @@ -47,24 +49,30 @@ With Windows 10, there's no hard requirement to create reference images. However On **MDT01**: -- Sign in as contoso\\administrator using a password of pass@word1 (credentials from the [prepare for deployment](prepare-for-windows-deployment-with-mdt.md) article). -- Start the MDT deployment workbench, and pin this workbench to the taskbar for easy access. -- Using the Deployment Workbench, right-click **Deployment Shares** and select **New Deployment Share**. -- Use the following settings for the New Deployment Share Wizard: - - Deployment share path: **D:\\MDTBuildLab** - - Share name: **MDTBuildLab$** - - Deployment share description: **MDT Build Lab** -- Accept the default selections on the Options page and select **Next**. -- Review the Summary page, select **Next**, wait for the deployment share to be created, then select **Finish**. -- Verify that you can access the \\\\MDT01\\MDTBuildLab$ share. +1. Sign in as **contoso\\administrator** using a password of **pass@word1** (credentials from the [prepare for deployment](prepare-for-windows-deployment-with-mdt.md) article). + +2. Start the MDT deployment workbench, and pin this workbench to the taskbar for easy access. + +3. Using the Deployment Workbench, right-click **Deployment Shares** and select **New Deployment Share**. + +4. Use the following settings for the New Deployment Share Wizard: + + - Deployment share path: **D:\\MDTBuildLab** + - Share name: **MDTBuildLab$** + - Deployment share description: **MDT Build Lab** + +5. Accept the default selections on the Options page and select **Next**. + +6. Review the Summary page, select **Next**, wait for the deployment share to be created, then select **Finish**. + +7. Verify that you can access the **\\\\MDT01\\MDTBuildLab$** share. ![figure 2.](../images/mdt-08-fig02.png) - The Deployment Workbench with the MDT Build Lab deployment share. ### Enable monitoring -To monitor the task sequence as it happens, right-click the **MDT Build Lab** deployment share, select **Properties**, select the **Monitoring** tab, and select **Enable monitoring for this deployment share**. This step is optional. +To monitor the task sequence as it happens, right-click the **MDT Build Lab** deployment share, select **Properties**, select the **Monitoring** tab, and select **Enable monitoring for this deployment share**. This step is optional. ### Configure permissions for the deployment share @@ -72,10 +80,11 @@ In order to read files in the deployment share and write the reference image bac On **MDT01**: -1. Ensure you're signed in as **contoso\\administrator**. -2. Modify the NTFS permissions for the **D:\\MDTBuildLab** folder by running the following command in an elevated Windows PowerShell prompt: +1. Ensure you're signed in as **contoso\\administrator**. - ``` powershell +2. Modify the NTFS permissions for the **D:\\MDTBuildLab** folder by running the following command in an elevated Windows PowerShell prompt: + + ```powershell icacls "D:\MDTBuildLab" /grant '"CONTOSO\MDT_BA":(OI)(CI)(M)' grant-smbshareaccess -Name MDTBuildLab$ -AccountName "Contoso\MDT_BA" -AccessRight Full -force ``` @@ -88,9 +97,9 @@ This section will show you how to populate the MDT deployment share with the Win MDT supports adding both full source Windows 10 DVDs (ISOs) and custom images that you've created. In this case, you create a reference image, so you add the full source setup files from Microsoft. ->[!NOTE] ->Due to the Windows limits on path length, we are purposely keeping the operating system destination directory short, using the folder name W10EX64RTM rather than a more descriptive name like Windows 10 Enterprise x64 RTM. - +> [!NOTE] +> Due to the Windows limits on path length, we are purposely keeping the operating system destination directory short, using the folder name W10EX64RTM rather than a more descriptive name like Windows 10 Enterprise x64 RTM. + ### Add Windows 10 Enterprise x64 (full source) On **MDT01**: @@ -100,16 +109,21 @@ On **MDT01**: ![ISO.](../images/iso-data.png) 2. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Build Lab**. + 3. Right-click the **Operating Systems** node, and create a new folder named **Windows 10**. + 4. Expand the **Operating Systems** node, right-click the **Windows 10** folder, and select **Import Operating System**. Use the following settings for the Import Operating System Wizard: + - Full set of source files - Source directory: (location of your source files) - - Destination directory name: W10EX64RTM -5. After adding the operating system, in the **Operating Systems / Windows 10** folder, double-click it and change the name to: **Windows 10 Enterprise x64 RTM Default Image**. See the following example. + - Destination directory name: **W10EX64RTM** + +5. After adding the operating system, in the **Operating Systems** > **Windows 10** folder, double-click it and change the name to: **Windows 10 Enterprise x64 RTM Default Image**. See the following example. ![Default image.](../images/deployment-workbench01.png) ->Depending on the DVD you used, there might be multiple editions available. For the purposes of this guide, we are using the Windows 10 Enterprise image, but other images will also work. +> [!NOTE] +> Depending on the DVD you used, there might be multiple editions available. For the purposes of this guide, we are using the Windows 10 Enterprise image, but other images will also work. ## Add applications @@ -120,18 +134,22 @@ On **MDT01**: First, create an MDT folder to store the Microsoft applications that will be installed: 1. In the MDT Deployment Workbench, expand **Deployment Shares \\ MDT Build Lab \\ Applications** + 2. Right-click **Applications** and then select **New Folder**. + 3. Under **Folder name**, type **Microsoft**. + 4. Select **Next** twice, and then select **Finish**. -The steps in this section use a strict naming standard for your MDT applications. -- Use the "Install - " prefix for typical application installations that run a setup installer of some kind, -- Use the "Configure - " prefix when an application configures a setting in the operating system. -- You also add an " - x86", " - x64", or "- x86-x64" suffix to indicate the application's architecture (some applications have installers for both architectures). - -Using a script naming standard is always recommended when using MDT as it helps maintain order and consistency. +The steps in this section use a strict naming standard for your MDT applications. -By storing configuration items as MDT applications, it's easy to move these objects between various solutions, or between test and production environments. +- Use the **Install -** prefix for typical application installations that run a setup installer of some kind. +- Use the **Configure -** prefix when an application configures a setting in the operating system. +- You also add an **- x86**, **- x64**, or **- x86-x64** suffix to indicate the application's architecture (some applications have installers for both architectures). + +Using a script naming standard is always recommended when using MDT as it helps maintain order and consistency. + +By storing configuration items as MDT applications, it's easy to move these objects between various solutions, or between test and production environments. In example sections, you 'll add the following applications: @@ -142,28 +160,30 @@ In example sections, you 'll add the following applications: >The 64-bit version of Microsoft Office 365 Pro Plus is recommended unless you need legacy app support. For more information, see [Choose between the 64-bit or 32-bit version of Office](https://support.office.com/article/choose-between-the-64-bit-or-32-bit-version-of-office-2dee7807-8f95-4d0c-b5fe-6c6f49b8d261) Download links: + - [Office Deployment Tool](https://www.microsoft.com/download/details.aspx?id=49117) - [Microsoft Visual C++ Redistributable 2019 - x86](https://aka.ms/vs/16/release/VC_redist.x86.exe) - [Microsoft Visual C++ Redistributable 2019 - x64](https://aka.ms/vs/16/release/VC_redist.x64.exe) -Download all three items in this list to the D:\\Downloads folder on MDT01. +Download all three items in this list to the D:\\Downloads folder on MDT01. ->[!NOTE] ->For the purposes of this lab, we'll leave the MSVC files in the D:\\Downloads folder and the Office365 files will be extracted to a child folder. If you prefer, you can place each application in its own separate child folder, and then modify the $ApplicationSourcePath below as needed (instead of just D:\\Downloads). +> [!NOTE] +> For the purposes of this lab, we'll leave the MSVC files in the D:\\Downloads folder and the Office365 files will be extracted to a child folder. If you prefer, you can place each application in its own separate child folder, and then modify the $ApplicationSourcePath below as needed (instead of just D:\\Downloads). + +> [!NOTE] +> All the Microsoft Visual C++ downloads can be found on [The latest supported Visual C++ downloads](https://go.microsoft.com/fwlink/p/?LinkId=619523). Visual C++ 2015, 2017 and 2019 all share the same redistributable files. ->[!NOTE] ->All the Microsoft Visual C++ downloads can be found on [The latest supported Visual C++ downloads](https://go.microsoft.com/fwlink/p/?LinkId=619523). Visual C++ 2015, 2017 and 2019 all share the same redistributable files. - ### Create configuration file: Microsoft Office 365 Professional Plus x64 -1. After downloading the most current version of the Office Deployment tool from the Microsoft Download Center using the link provided above, run the self-extracting executable file and extract the files to **D:\\Downloads\\Office365**. The Office Deployment Tool (setup.exe) and several sample configuration.xml files will be extracted. +1. After downloading the most current version of the Office Deployment tool from the Microsoft Download Center using the link provided above, run the self-extracting executable file and extract the files to **D:\\Downloads\\Office365**. The Office Deployment Tool (setup.exe) and several sample configuration.xml files will be extracted. + 2. Using a text editor (such as Notepad), create an XML file in the D:\\Downloads\\Office365 directory with the installation settings for Microsoft 365 Apps for enterprise that are appropriate for your organization. The file uses an XML format, so the file you create must have an extension of .xml but the file can have any filename. For example, you can use the following configuration.xml file, which provides these configuration settings: - - Install the 64-bit version of Microsoft 365 Apps for enterprise in English directly from the Office Content Delivery Network (CDN) on the internet. + - Install the 64-bit version of Microsoft 365 Apps for enterprise in English directly from the Office Content Delivery Network (CDN) on the internet. > [!NOTE] - > 64-bit is now the default and recommended edition. - - Use the General Availability Channel and get updates directly from the Office CDN on the internet. + > 64-bit is now the default and recommended edition. + - Use the General Availability Channel and get updates directly from the Office CDN on the internet. - Perform a silent installation. You won't see anything that shows the progress of the installation and you won't see any error messages. ```xml @@ -180,25 +200,28 @@ Download all three items in this list to the D:\\Downloads folder on MDT01. When you use these settings, anytime you build the reference image you'll be installing the most up-to-date General Availability Channel version of Microsoft 365 Apps for enterprise. - >[!TIP] - >You can also use the web-based interface of the [Office Customization Tool](https://config.office.com/) to help you create your configuration.xml file. - - For more information, see [Configuration options for the Office Deployment Tool](/deployoffice/configuration-options-for-the-office-2016-deployment-tool) and [Overview of the Office Deployment Tool](/DeployOffice/overview-of-the-office-2016-deployment-tool). + > [!TIP] + > You can also use the web-based interface of the [Office Customization Tool](https://config.office.com/) to help you create your configuration.xml file. + + For more information, see [Configuration options for the Office Deployment Tool](/deployoffice/configuration-options-for-the-office-2016-deployment-tool) and [Overview of the Office Deployment Tool](/DeployOffice/overview-of-the-office-2016-deployment-tool). 3. Ensure the configuration.xml file is in the D:\\Downloads\\Office365 folder. See the following example of the extracted files plus the configuration.xml file in the Downloads\\Office365 folder: ![folder.](../images/office-folder.png) - Assuming you've named the file "configuration.xml" as shown above, we'll use the command "**setup.exe /configure configuration.xml**" when we create the application in MDT. This command execution will perform the installation of Microsoft 365 Apps for enterprise using the configuration settings in the configuration.xml file. Don't perform this step yet. +Assuming you've named the file `configuration.xml` as shown above, we'll use the command **`setup.exe /configure configuration.xml`** when we create the application in MDT. This command execution will perform the installation of Microsoft 365 Apps for enterprise using the configuration settings in the configuration.xml file. Don't perform this step yet. - >[!IMPORTANT] - >After Microsoft 365 Apps for enterprise is installed on the reference image, do NOT open any Office programs. if you open an Office program, you're prompted to sign-in, which activates the installation of Microsoft 365 Apps for enterprise. Even if you don't sign in and you close the Sign in to set up Office dialog box, a temporary product key is installed. You don't want any kind of product key for Microsoft 365 Apps for enterprise installed as part of your reference image. +> [!IMPORTANT] +> After Microsoft 365 Apps for enterprise is installed on the reference image, do NOT open any Office programs. if you open an Office program, you're prompted to sign-in, which activates the installation of Microsoft 365 Apps for enterprise. Even if you don't sign in and you close the Sign in to set up Office dialog box, a temporary product key is installed. You don't want any kind of product key for Microsoft 365 Apps for enterprise installed as part of your reference image. Additional information + - Microsoft 365 Apps for enterprise is updated on a monthly basis with security updates and other quality updates (bug fixes), and possibly new features (depending on which update channel you're using). That means that once you've deployed your reference image, Microsoft 365 Apps for enterprise will most likely need to download and install the latest updates that have been released since you created your reference image. -- **Note**: With the installing Office Deployment Tool being used as part of the reference image, Microsoft 365 Apps for enterprise is installed immediately after the reference image is deployed to the user's device, rather than including Office apps part of the reference image. This way the user will have the most up-to-date version of Microsoft 365 Apps for enterprise right away and won't have to download any new updates (which is most likely what would happen if Microsoft 365 Apps for enterprise was installed as part of the reference image.) - - When you're creating your reference image, instead of installing Microsoft 365 Apps for enterprise directly from the Office CDN on the internet, you can install Microsoft 365 Apps for enterprise from a location on your local network, such as a file share. To do that, you would use the Office Deployment Tool in /download mode to download the installation files to that file share. Then you could use the Office Deployment Tool in /configure mode to install Microsoft 365 Apps for enterprise from that location on to your reference image. As part of that process, you'll need to point to that location in your configuration.xml file so that the Office Deployment Tool knows where to get the Microsoft 365 Apps for enterprise files. If you decide to do this step, the next time you create a new reference image, you'll want to be sure to use the Office Deployment Tool to download the most up-to-date installation files for Microsoft 365 Apps for enterprise to that location on your internal network. That way your new reference image will have a more up-to-date installation of Microsoft 365 Apps for enterprise. + > [!NOTE] + > With the installing Office Deployment Tool being used as part of the reference image, Microsoft 365 Apps for enterprise is installed immediately after the reference image is deployed to the user's device, rather than including Office apps part of the reference image. This way the user will have the most up-to-date version of Microsoft 365 Apps for enterprise right away and won't have to download any new updates (which is most likely what would happen if Microsoft 365 Apps for enterprise was installed as part of the reference image.) + +- When you're creating your reference image, instead of installing Microsoft 365 Apps for enterprise directly from the Office CDN on the internet, you can install Microsoft 365 Apps for enterprise from a location on your local network, such as a file share. To do that, you would use the Office Deployment Tool in /download mode to download the installation files to that file share. Then you could use the Office Deployment Tool in /configure mode to install Microsoft 365 Apps for enterprise from that location on to your reference image. As part of that process, you'll need to point to that location in your configuration.xml file so that the Office Deployment Tool knows where to get the Microsoft 365 Apps for enterprise files. If you decide to do this step, the next time you create a new reference image, you'll want to be sure to use the Office Deployment Tool to download the most up-to-date installation files for Microsoft 365 Apps for enterprise to that location on your internal network. That way your new reference image will have a more up-to-date installation of Microsoft 365 Apps for enterprise. ### Connect to the deployment share using Windows PowerShell @@ -206,15 +229,16 @@ If you need to add many applications, you can take advantage of the PowerShell s On **MDT01**: -1. Ensure you're signed in as **contoso\\Administrator**. -2. Import the snap-in and create the PSDrive by running the following commands in an elevated PowerShell prompt: +1. Ensure you're signed in as **contoso\\Administrator**. +2. Import the snap-in and create the PSDrive by running the following commands in an elevated PowerShell prompt: - ``` powershell + ```powershell Import-Module "C:\Program Files\Microsoft Deployment Toolkit\bin\MicrosoftDeploymentToolkit.psd1" New-PSDrive -Name "DS001" -PSProvider MDTProvider -Root "D:\MDTBuildLab" ``` ->[!TIP] ->Use "Get-Command -module MicrosoftDeploymentToolkit" to see a list of available cmdlets + +> [!TIP] +> Use `Get-Command -module MicrosoftDeploymentToolkit` to see a list of available cmdlets ### Create the install: Microsoft Office 365 Pro Plus - x64 @@ -222,10 +246,11 @@ In these steps, we assume that you've downloaded the Office Deployment Tool. You On **MDT01**: -1. Ensure you're signed on as **contoso\\Administrator**. -2. Create the application by running the following commands in an elevated PowerShell prompt: +1. Ensure you're signed on as **contoso\\Administrator**. - ``` powershell +2. Create the application by running the following commands in an elevated PowerShell prompt: + + ```powershell $ApplicationName = "Install - Office365 ProPlus - x64" $CommandLine = "setup.exe /configure configuration.xml" $ApplicationSourcePath = "D:\Downloads\Office365" @@ -233,7 +258,8 @@ On **MDT01**: ``` Upon successful installation, the following text is displayed: - ``` + + ```output VERBOSE: Performing the operation "import" on target "Application". VERBOSE: Beginning application import VERBOSE: Copying application source files from D:\Downloads\Office365 to D:\MDTBuildLab\Applications\Install - @@ -248,17 +274,18 @@ On **MDT01**: ### Create the install: Microsoft Visual C++ Redistributable 2019 - x86 ->[!NOTE] ->We have abbreviated "Microsoft Visual C++ Redistributable" in the $ApplicationName below as "MSVC" to avoid the path name exceeding the maxiumum allowed length of 248 characters. +> [!NOTE] +> We have abbreviated "Microsoft Visual C++ Redistributable" in the $ApplicationName below as "MSVC" to avoid the path name exceeding the maxiumum allowed length of 248 characters. In these steps, we assume that you've downloaded Microsoft Visual C++ Redistributable 2019 - x86. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to D:\\Downloads. On **MDT01**: -1. Ensure you're signed on as **contoso\\Administrator**. -2. Create the application by running the following commands in an elevated PowerShell prompt: +1. Ensure you're signed on as **contoso\\Administrator**. - ``` powershell +2. Create the application by running the following commands in an elevated PowerShell prompt: + + ```powershell $ApplicationName = "Install - MSVC 2019 - x86" $CommandLine = "vc_redist.x86.exe /Q" $ApplicationSourcePath = "D:\Downloads" @@ -266,7 +293,8 @@ On **MDT01**: ``` Upon successful installation, the following text is displayed: - ``` + + ```output VERBOSE: Performing the operation "import" on target "Application". VERBOSE: Beginning application import VERBOSE: Copying application source files from D:\Downloads to D:\MDTBuildLab\Applications\Install - MSVC 2019 - x86 @@ -284,10 +312,11 @@ In these steps, we assume that you've downloaded Microsoft Visual C++ Redistribu On **MDT01**: -1. Ensure you're signed on as **contoso\\Administrator**. -2. Create the application by running the following commands in an elevated PowerShell prompt: +1. Ensure you're signed on as **contoso\\Administrator**. - ``` powershell +2. Create the application by running the following commands in an elevated PowerShell prompt: + + ```powershell $ApplicationName = "Install - MSVC 2019 - x64" $CommandLine = "vc_redist.x64.exe /Q" $ApplicationSourcePath = "D:\Downloads" @@ -310,17 +339,19 @@ To create a Windows 10 reference image task sequence, the process is as follows: On **MDT01**: 1. When you're using the Deployment Workbench, under **Deployment Shares > MDT Build Lab** right-click **Task Sequences**, and create a **New Folder** named **Windows 10**. + 2. Right-click the new **Windows 10** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: - 1. Task sequence ID: REFW10X64-001 - 2. Task sequence name: Windows 10 Enterprise x64 RTM Default Image - 3. Task sequence comments: Reference Build - 4. Template: Standard Client Task Sequence - 5. Select OS: Windows 10 Enterprise x64 RTM Default Image - 6. Specify Product Key: Don't specify a product key at this time - 7. Full Name: Contoso - 8. Organization: Contoso - 9. Internet Explorer home page: http://www.contoso.com - 10. Admin Password: Don't specify an Administrator Password at this time + + 1. **Task sequence ID**: REFW10X64-001 + 2. **Task sequence name**: Windows 10 Enterprise x64 RTM Default Image + 3. **Task sequence comments**: Reference Build + 4. **Template**: Standard Client Task Sequence + 5. **Select OS**: Windows 10 Enterprise x64 RTM Default Image + 6. **Specify Product Key**: Don't specify a product key at this time + 7. **Full Name**: Contoso + 8. **Organization**: Contoso + 9. **Internet Explorer home page**: `http://www.contoso.com` + 10. **Admin Password**: Don't specify an Administrator Password at this time ### Edit the Windows 10 task sequence @@ -329,81 +360,99 @@ The steps below walk you through the process of editing the Windows 10 reference On **MDT01**: 1. In the **Task Sequences / Windows 10** folder, right-click the **Windows 10 Enterprise x64 RTM Default Image** task sequence, and select **Properties**. + 2. On the **Task Sequence** tab, configure the Windows 10 Enterprise x64 RTM Default Image task sequence with the following settings: - 1. **State Restore > Windows Update (Pre-Application Installation)** action: Enable this action by clicking the **Options** tab and clearing the **Disable this step** check box. - - 2. **State Restore > Windows Update (Post-Application Installation)** action: Also enable this action. - 3. **State Restore**: After the **Tattoo** action, add a new **Group** action (select **Add** then select **New Group**) with the following setting: - - Name: **Custom Tasks (Pre-Windows Update)** - 4. **State Restore**: After **Windows Update (Post-Application Installation)** action, rename **Custom Tasks** to **Custom Tasks (Post-Windows Update)**. - - **Note**: The reason for adding the applications after the Tattoo action but before running Windows Update is simply to save time during the deployment. This way we can add all applications that will upgrade some of the built-in components and avoid unnecessary updating. - 5. **State Restore > Custom Tasks (Pre-Windows Update)**: Add a new **Install Roles and Features** action with the following settings: - 1. Name: Install - Microsoft NET Framework 3.5.1 - 2. Select the operating system for which roles are to be installed: Windows 10 - 3. Select the roles and features that should be installed: .NET Framework 3.5 (includes .NET 2.0 and 3.0) - - >[!IMPORTANT] - >This is probably the most important step when creating a reference image. Many applications need the .NET Framework, and we strongly recommend having it available in the image. The one thing that makes this different from other components is that .NET Framework 3.5.1 is not included in the WIM file. It's installed from the **Sources\\SxS** folder on the media, and that makes it more difficult to add after the image has been deployed. - + - **State Restore > Windows Update (Pre-Application Installation)** action: Enable this action by clicking the **Options** tab and clearing the **Disable this step** check box. + + - **State Restore > Windows Update (Post-Application Installation)** action: Also enable this action. + + - **State Restore**: After the **Tattoo** action, add a new **Group** action (select **Add** then select **New Group**) with the following setting: + - Name: **Custom Tasks (Pre-Windows Update)** + + - **State Restore**: After **Windows Update (Post-Application Installation)** action, rename **Custom Tasks** to **Custom Tasks (Post-Windows Update)**. + > [!NOTE] + > The reason for adding the applications after the Tattoo action but before running Windows Update is simply to save time during the deployment. This way we can add all applications that will upgrade some of the built-in components and avoid unnecessary updating. + + - **State Restore > Custom Tasks (Pre-Windows Update)**: Add a new **Install Roles and Features** action with the following settings: + + - **Name**: Install - Microsoft NET Framework 3.5.1 + + - **Select the operating system for which roles are to be installed**: Windows 10 + + - **Select the roles and features that should be installed**: .NET Framework 3.5 (includes .NET 2.0 and 3.0) + + > [!IMPORTANT] + > This is probably the most important step when creating a reference image. Many applications need the .NET Framework, and we strongly recommend having it available in the image. The one thing that makes this different from other components is that .NET Framework 3.5.1 is not included in the WIM file. It's installed from the **Sources\\SxS** folder on the media, and that makes it more difficult to add after the image has been deployed. + ![task sequence.](../images/fig8-cust-tasks.png) The task sequence after creating the Custom Tasks (Pre-Windows Update) group and adding the Install - Microsoft NET Framework 3.5.1 action. - 6. **State Restore > Custom Tasks (Pre-Windows Update)**: After the **Install - Microsoft NET Framework 3.5.1** action, add a new **Install Application** action (selected from the **General** group) with the following settings: - 1. Name: Microsoft Visual C++ Redistributable 2019 - x86 - 2. Install a Single Application: browse to **Install - MSVC 2019 - x86** - 7. Repeat these steps (add a new **Install Application**) to add Microsoft Visual C++ Redistributable 2019 - x64 and Microsoft 365 Apps for enterprise as well. + - **State Restore > Custom Tasks (Pre-Windows Update)**: After the **Install - Microsoft NET Framework 3.5.1** action, add a new **Install Application** action (selected from the **General** group) with the following settings: + + - **Name**: Microsoft Visual C++ Redistributable 2019 - x86 + + - **Install a Single Application**: browse to **Install - MSVC 2019 - x86** + + - Repeat these steps (add a new **Install Application**) to add Microsoft Visual C++ Redistributable 2019 - x64 and Microsoft 365 Apps for enterprise as well. + 3. Select **OK**. - ![apps.](../images/mdt-apps.png) - + ![apps.](../images/mdt-apps.png) ### Optional configuration: Add a suspend action The goal when creating a reference image is to automate everything. But sometimes you've a special configuration or application setup that is too time-consuming to automate. If you need to do some manual configuration, you can add a little-known feature called Lite Touch Installation (LTI) Suspend. If you add the LTISuspend.wsf script as a custom action in the task sequence, it will suspend the task sequence until you select the Resume Task Sequence shortcut icon on the desktop. In addition to using the LTI Suspend feature for manual configuration or installation, you can also use it simply for verifying a reference image before you allow the task sequence to continue and use Sysprep and capture the virtual machine. ![figure 8.](../images/fig8-suspend.png) - A task sequence with optional Suspend action (LTISuspend.wsf) added. ![figure 9.](../images/fig9-resumetaskseq.png) - The Windows 10 desktop with the Resume Task Sequence shortcut. ### Edit the Unattend.xml file for Windows 10 Enterprise When using MDT, you don't need to edit the Unattend.xml file often because most configurations are taken care of by MDT. However if, for example, you want to configure Internet Explorer behavior, then you can edit the Unattend.xml. Editing the Unattend.xml for basic Internet Explorer settings is easy, but for more advanced settings, you 'll want to use the Internet Explorer Administration Kit (IEAK). ->[!WARNING] ->Don't use **SkipMachineOOBE** or **SkipUserOOBE** in your Unattend.xml file. These settings are deprecated and can have unintended effects if used. +> [!WARNING] +> Don't use **SkipMachineOOBE** or **SkipUserOOBE** in your Unattend.xml file. These settings are deprecated and can have unintended effects if used. + +> [!NOTE] +> You also can use the Unattend.xml to enable components in Windows 10, like the Telnet Client or Hyper-V client. Normally we prefer to do this via the **Install Roles and Features** action, or using Deployment Image Servicing and Management (DISM) command-line tools, because then we can add that as an application, being dynamic, having conditions, and so forth. Also, if you're adding packages via Unattend.xml, it's version specific, so Unattend.xml must match the exact version of the operating system you're servicing. ->[!NOTE] ->You also can use the Unattend.xml to enable components in Windows 10, like the Telnet Client or Hyper-V client. Normally we prefer to do this via the **Install Roles and Features** action, or using Deployment Image Servicing and Management (DISM) command-line tools, because then we can add that as an application, being dynamic, having conditions, and so forth. Also, if you're adding packages via Unattend.xml, it's version specific, so Unattend.xml must match the exact version of the operating system you're servicing. - Follow these steps to configure Internet Explorer settings in Unattend.xml for the Windows 10 Enterprise x64 RTM Default Image task sequence: On **MDT01**: 1. When you're using the Deployment Workbench, under **Deployment Shares > MDT Build Lab > Task Sequences** right-click the **Windows 10 Enterprise x64 RTM Default Image** task sequence and select **Properties**. + 2. In the **OS Info** tab, select **Edit Unattend.xml**. MDT now generates a catalog file. This file generation process will take a few minutes, and then Windows System Image Manager (Windows SIM) will start. - > [!IMPORTANT] - > The ADK version 1903 has a [known issue](/windows-hardware/get-started/what-s-new-in-kits-and-tools#whats-new-in-the-windows-adk-for-windows-10-version-1903) generating a catalog file for Windows 10, version 1903 or 1909 X64 install.wim. You might see the error "Could not load file or assembly" in in the console output. To avoid this issue, [install the ADK, version 2004 or a later version](/windows-hardware/get-started/adk-install). A workaround is also available for the ADK version 1903: - > - Close the Deployment Workbench and install the [WSIM 1903 update](https://go.microsoft.com/fwlink/?linkid=2095334). This will update imagecat.exe and imgmgr.exe to version 10.0.18362.144. - > - Manually run imgmgr.exe (C:\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Deployment Tools\\WSIM\\imgmgr.exe). - > - Generate a catalog (Tools/Create Catalog) for the selected install.wim (ex: D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM\\sources\\install.wim). - > - After manually creating the catalog file (ex: D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM\\sources\\install_Windows 10 Enterprise.clg), open the Deployment Workbench and proceed to edit unattend.xml. + > [!IMPORTANT] + > The ADK version 1903 has a [known issue](/windows-hardware/get-started/what-s-new-in-kits-and-tools#whats-new-in-the-windows-adk-for-windows-10-version-1903) generating a catalog file for Windows 10, version 1903 or 1909 X64 install.wim. You might see the error **Could not load file or assembly** in in the console output. To avoid this issue, [install the ADK, version 2004 or a later version](/windows-hardware/get-started/adk-install). A workaround is also available for the ADK version 1903: + > + > - Close the Deployment Workbench and install the [WSIM 1903 update](https://go.microsoft.com/fwlink/?linkid=2095334). This will update imagecat.exe and imgmgr.exe to version 10.0.18362.144. + > + > - Manually run imgmgr.exe (C:\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Deployment Tools\\WSIM\\imgmgr.exe). + > + > - Generate a catalog (Tools/Create Catalog) for the selected install.wim (ex: D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM\\sources\\install.wim). + > + > - After manually creating the catalog file (ex: D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM\\sources\\install_Windows 10 Enterprise.clg), open the Deployment Workbench and proceed to edit unattend.xml. 3. In Windows SIM, expand the **4 specialize** node in the **Answer File** pane and select the amd64\_Microsoft-Windows-IE-InternetExplorer\_neutral entry. + 4. In the **amd64\_Microsoft-Windows-IE-InternetExplorer\_neutral properties** window (right-hand window), set the following values: - - DisableDevTools: true + + - **DisableDevTools**: true + 5. Save the Unattend.xml file, and close Windows SIM. + > [!NOTE] > If errors are reported that certain display values are incorrect, you can ignore this message or browse to **7oobeSystem\\amd64_Microsoft-Windows-Shell-Setup__neutral\\Display** and enter the following: ColorDepth 32, HorizontalResolution 1, RefreshRate 60, VerticalResolution 1. + 6. On the Windows 10 Enterprise x64 RTM Default Image Properties, select **OK**. ![figure 10.](../images/fig10-unattend.png) - Windows System Image Manager with the Windows 10 Unattend.xml. ## Configure the MDT deployment share rules @@ -412,16 +461,17 @@ Understanding rules is critical to successfully using MDT. Rules are configured ### MDT deployment share rules overview -In MDT, there are always two rule files: the **CustomSettings.ini** file and the **Bootstrap.ini** file. You can add almost any rule to either. However, the Bootstrap.ini file is copied from the Control folder to the boot image, so the boot image needs to be updated every time you change that file. For this reason, add only a minimal set of rules to Bootstrap.ini, such as which deployment server and share to connect to - the DEPLOYROOT value. Put the other rules in CustomSettings.ini because that file is updated immediately when you select OK. +In MDT, there are always two rule files: the **CustomSettings.ini** file and the **Bootstrap.ini** file. You can add almost any rule to either. However, the Bootstrap.ini file is copied from the Control folder to the boot image, so the boot image needs to be updated every time you change that file. For this reason, add only a minimal set of rules to Bootstrap.ini, such as which deployment server and share to connect to - the DEPLOYROOT value. Put the other rules in CustomSettings.ini because that file is updated immediately when you select OK. To configure the rules for the MDT Build Lab deployment share: On **MDT01**: -1. Using the Deployment Workbench, right-click the **MDT Build Lab** deployment share and select **Properties**. -2. Select the **Rules** tab and replace the existing content with the following information (edit the settings as needed to match your deployment). For example, If you don't have a WSUS server in your environment, delete the **WSUSServer** line from the configuration: +1. Using the Deployment Workbench, right-click the **MDT Build Lab** deployment share and select **Properties**. - ``` +2. Select the **Rules** tab and replace the existing content with the following information (edit the settings as needed to match your deployment). For example, If you don't have a WSUS server in your environment, delete the **WSUSServer** line from the configuration: + + ```ini [Settings] Priority=Default @@ -456,12 +506,11 @@ On **MDT01**: ``` ![figure 11.](../images/mdt-rules.png) - The server-side rules for the MDT Build Lab deployment share. - -3. Select **Edit Bootstrap.ini** and modify using the following information: - ``` +3. Select **Edit Bootstrap.ini** and modify using the following information: + + ```ini [Settings] Priority=Default @@ -474,32 +523,38 @@ On **MDT01**: SkipBDDWelcome=YES ``` - >[!NOTE] - >For security reasons, you normally don't add the password to the Bootstrap.ini file; however, because this deployment share is for creating reference image builds only, and should not be published to the production network, it's acceptable to do so in this situation. Obviously if you're not using the same password (pass@word3) that is provided in this lab, you must enter your own custom password on the Rules tab and in Bootstrap.ini. - + > [!NOTE] + > For security reasons, you normally don't add the password to the Bootstrap.ini file; however, because this deployment share is for creating reference image builds only, and should not be published to the production network, it's acceptable to do so in this situation. Obviously if you're not using the same password (pass@word3) that is provided in this lab, you must enter your own custom password on the Rules tab and in Bootstrap.ini. + 4. On the **Windows PE** tab, in the **Platform** drop-down list, select **x86**. + 5. In the **Lite Touch Boot Image Settings** area, configure the following settings: - 1. Image description: MDT Build Lab x86 - 2. ISO file name: MDT Build Lab x86.iso + + - **Image description**: MDT Build Lab x86 + - **ISO file name**: MDT Build Lab x86.iso + 6. On the **Windows PE** tab, in the **Platform** drop-down list, select **x64**. + 7. In the **Lite Touch Boot Image Settings** area, configure the following settings: - 1. Image description: MDT Build Lab x64 - 2. ISO file name: MDT Build Lab x64.iso + + - **Image description**: MDT Build Lab x64 + - **ISO file name**: MDT Build Lab x64.iso + 8. Select **OK**. ->[!NOTE] ->In MDT, the x86 boot image can deploy both x86 and x64 operating systems (except on computers based on Unified Extensible Firmware Interface). - +> [!NOTE] +> In MDT, the x86 boot image can deploy both x86 and x64 operating systems (except on computers based on Unified Extensible Firmware Interface). + ### Update the deployment share After the deployment share has been configured, it needs to be updated. This update-process is the one when the Windows PE boot images are created. -1. In the Deployment Workbench, right-click the **MDT Build Lab** deployment share and select **Update Deployment Share**. -2. Use the default options for the Update Deployment Share Wizard. +1. In the Deployment Workbench, right-click the **MDT Build Lab** deployment share and select **Update Deployment Share**. +2. Use the default options for the Update Deployment Share Wizard. + +> [!NOTE] +> The update process will take 5 to 10 minutes. ->[!NOTE] ->The update process will take 5 to 10 minutes. - ### The rules explained Now that the MDT Build Lab deployment share (the share used to create the reference images) has been configured, it's time to explain the various settings used in the Bootstrap.ini and CustomSettings.ini files. @@ -508,14 +563,14 @@ The Bootstrap.ini and CustomSettings.ini files work together. The Bootstrap.ini The CustomSettings.ini file is normally stored on the server, in the Deployment share\\Control folder, but also can be stored on the media (when using offline media). ->[!NOTE] ->The settings, or properties, that are used in the rules (CustomSettings.ini and Bootstrap.ini) are listed in the MDT documentation, in the Microsoft Deployment Toolkit Reference / Properties / Property Definition section. - +> [!NOTE] +> The settings, or properties, that are used in the rules (CustomSettings.ini and Bootstrap.ini) are listed in the MDT documentation, in the Microsoft Deployment Toolkit Reference / Properties / Property Definition section. + ### The Bootstrap.ini file The Bootstrap.ini file is available via the deployment share's Properties dialog box, or via the D:\\MDTBuildLab\\Control folder on MDT01. -``` +```ini [Settings] Priority=Default [Default] @@ -527,23 +582,26 @@ SkipBDDWelcome=YES ``` So, what are these settings? -- **Priority.** This setting determines the order in which different sections are read. This Bootstrap.ini has only one section, named \[Default\]. -- **DeployRoot.** This location is of the deployment share. Normally, this value is set by MDT, but you need to update the DeployRoot value if you move to another server or other share. If you don't specify a value, the Windows Deployment Wizard prompts you for a location. -- **UserDomain, UserID, and UserPassword.** These values are used for automatic sign in to the deployment share. Again, if they aren't specified, the wizard prompts you. - >[!WARNING] - >Caution is advised. These values are stored in clear text on the boot image. Use them only for the MDT Build Lab deployment share and not for the MDT Production deployment share that you learn to create in the next topic. - -- **SkipBDDWelcome.** Even if it's nice to be welcomed every time we start a deployment, we prefer to skip the initial welcome page of the Windows Deployment Wizard. +- **Priority**: This setting determines the order in which different sections are read. This Bootstrap.ini has only one section, named \[Default\]. + +- **DeployRoot**: This location is of the deployment share. Normally, this value is set by MDT, but you need to update the DeployRoot value if you move to another server or other share. If you don't specify a value, the Windows Deployment Wizard prompts you for a location. + +- **UserDomain, UserID, and UserPassword**: These values are used for automatic sign in to the deployment share. Again, if they aren't specified, the wizard prompts you. + + > [!WARNING] + > Caution is advised. These values are stored in clear text on the boot image. Use them only for the MDT Build Lab deployment share and not for the MDT Production deployment share that you learn to create in the next topic. + +- **SkipBDDWelcome**: Even if it's nice to be welcomed every time we start a deployment, we prefer to skip the initial welcome page of the Windows Deployment Wizard. + +> [!NOTE] +> All properties beginning with "Skip" control only whether to display that pane in the Windows Deployment Wizard. Most of the panes also require you to actually set one or more values. ->[!NOTE] ->All properties beginning with "Skip" control only whether to display that pane in the Windows Deployment Wizard. Most of the panes also require you to actually set one or more values. - ### The CustomSettings.ini file The CustomSettings.ini file, whose content you see on the Rules tab of the deployment share Properties dialog box, contains most of the properties used in the configuration. -``` +```ini [Settings] Priority=Default [Default] @@ -575,82 +633,114 @@ SkipRoles=YES SkipCapture=NO SkipFinalSummary=YES ``` -- **Priority.** Has the same function as in Bootstrap.ini. Priority determines the order in which different sections are read. This CustomSettings.ini has only one section, named \[Default\]. In general, if you've multiple sections that set the same value, the value from the first section (higher priority) wins. The rare exceptions are listed in the ZTIGather.xml file. -- **\_SMSTSORGNAME.** The organization name displayed in the task sequence progress bar window during deployment. -- **UserDataLocation.** Controls the settings for user state backup. You don't need to use when building and capturing a reference image. -- **DoCapture.** Configures the task sequence to run the System Preparation (Sysprep) tool and capture the image to a file when the operating system is installed. -- **OSInstall.** Must be set to Y or YES (the code just looks for the Y character) for the setup to proceed. -- **AdminPassword.** Sets the local Administrator account password. -- **TimeZoneName.** Establishes the time zone to use. Don't confuse this value with TimeZone, which is only for legacy operating systems (Windows 7 and Windows Server 2003). - >[!NOTE] - >The easiest way to find the current time zone name on a Windows 10 machine is to run tzutil /g in a command prompt. You can also run tzutil /l to get a listing of all available time zone names. - -- **JoinWorkgroup.** Configures Windows to join a workgroup. -- **HideShell.** Hides the Windows Shell during deployment. This hide-operation is especially useful for Windows 10 deployments in which the deployment wizard will otherwise appear behind the tiles. -- **FinishAction.** Instructs MDT what to do when the task sequence is complete. -- **DoNotCreateExtraPartition.** Configures the task sequence not to create the extra partition for BitLocker. There's no need to do this configuration for your reference image. -- **WSUSServer.** Specifies which Windows Server Update Services (WSUS) server (and port, if needed) to use during the deployment. Without this option MDT will use Microsoft Update directly, which will increase deployment time and limit your options of controlling which updates are applied. -- **SLSHARE.** Instructs MDT to copy the log files to a server share if something goes wrong during deployment, or when a deployment is successfully completed. -- **ApplyGPOPack.** Allows you to deploy local group policies created by Microsoft Security Compliance Manager (SCM). -- **SkipAdminPassword.** Skips the pane that asks for the Administrator password. -- **SkipProductKey.** Skips the pane that asks for the product key. -- **SkipComputerName.** Skips the Computer Name pane. -- **SkipDomainMemberShip.** Skips the Domain Membership pane. If set to Yes, you need to configure either the JoinWorkgroup value or the JoinDomain, DomainAdmin, DomainAdminDomain, and DomainAdminPassword properties. -- **SkipUserData.** Skips the pane for user state migration. -- **SkipLocaleSelection.** Skips the pane for selecting language and keyboard settings. -- **SkipTimeZone.** Skips the pane for setting the time zone. -- **SkipApplications.** Skips the Applications pane. -- **SkipBitLocker.** Skips the BitLocker pane. -- **SkipSummary.** Skips the initial Windows Deployment Wizard summary pane. -- **SkipRoles.** Skips the Install Roles and Features pane. -- **SkipCapture.** Skips the Capture pane. -- **SkipFinalSummary.** Skips the final Windows Deployment Wizard summary. Because you use FinishAction=Shutdown, you don't want the wizard to stop in the end so that you need to select OK before the machine shuts down. +- **Priority**: Has the same function as in Bootstrap.ini. Priority determines the order in which different sections are read. This CustomSettings.ini has only one section, named \[Default\]. In general, if you've multiple sections that set the same value, the value from the first section (higher priority) wins. The rare exceptions are listed in the ZTIGather.xml file. + +- **\_SMSTSORGNAME**: The organization name displayed in the task sequence progress bar window during deployment. + +- **UserDataLocation**: Controls the settings for user state backup. You don't need to use when building and capturing a reference image. + +- **DoCapture**: Configures the task sequence to run the System Preparation (Sysprep) tool and capture the image to a file when the operating system is installed. + +- **OSInstall**: Must be set to Y or YES (the code just looks for the Y character) for the setup to proceed. + +- **AdminPassword**: Sets the local Administrator account password. + +- **TimeZoneName**: Establishes the time zone to use. Don't confuse this value with TimeZone, which is only for legacy operating systems (Windows 7 and Windows Server 2003). + + > [!NOTE] + > The easiest way to find the current time zone name on a Windows 10 machine is to run tzutil /g in a command prompt. You can also run tzutil /l to get a listing of all available time zone names. + +- **JoinWorkgroup**: Configures Windows to join a workgroup. + +- **HideShell**: Hides the Windows Shell during deployment. This hide-operation is especially useful for Windows 10 deployments in which the deployment wizard will otherwise appear behind the tiles. + +- **FinishAction**: Instructs MDT what to do when the task sequence is complete. + +- **DoNotCreateExtraPartition**: Configures the task sequence not to create the extra partition for BitLocker. There's no need to do this configuration for your reference image. + +- **WSUSServer**: Specifies which Windows Server Update Services (WSUS) server (and port, if needed) to use during the deployment. Without this option MDT will use Microsoft Update directly, which will increase deployment time and limit your options of controlling which updates are applied. + +- **SLSHARE**: Instructs MDT to copy the log files to a server share if something goes wrong during deployment, or when a deployment is successfully completed. + +- **ApplyGPOPack**: Allows you to deploy local group policies created by Microsoft Security Compliance Manager (SCM). + +- **SkipAdminPassword**: Skips the pane that asks for the Administrator password. + +- **SkipProductKey**: Skips the pane that asks for the product key. + +- **SkipComputerName**: Skips the Computer Name pane. + +- **SkipDomainMemberShip**: Skips the Domain Membership pane. If set to Yes, you need to configure either the JoinWorkgroup value or the JoinDomain, DomainAdmin, DomainAdminDomain, and DomainAdminPassword properties. + +- **SkipUserData**: Skips the pane for user state migration. + +- **SkipLocaleSelection**: Skips the pane for selecting language and keyboard settings. + +- **SkipTimeZone**: Skips the pane for setting the time zone. + +- **SkipApplications**: Skips the Applications pane. + +- **SkipBitLocker**: Skips the BitLocker pane. + +- **SkipSummary**: Skips the initial Windows Deployment Wizard summary pane. + +- **SkipRoles**: Skips the Install Roles and Features pane. + +- **SkipCapture**: Skips the Capture pane. + +- **SkipFinalSummary**: Skips the final Windows Deployment Wizard summary. Because you use FinishAction=Shutdown, you don't want the wizard to stop in the end so that you need to select OK before the machine shuts down. ## Build the Windows 10 reference image As previously described, this section requires a Hyper-V host. For more information, see [Hyper-V requirements](prepare-for-windows-deployment-with-mdt.md#hyper-v-requirements). -Once you've created your task sequence, you're ready to create the Windows 10 reference image. This image creation will be performed by launching the task sequence from a virtual machine that will then automatically perform the reference image creation and capture process. +Once you've created your task sequence, you're ready to create the Windows 10 reference image. This image creation will be performed by launching the task sequence from a virtual machine that will then automatically perform the reference image creation and capture process. The steps below outline the process used to boot a virtual machine using an ISO boot image created by MDT, and then run the reference image task sequence image to create and capture the Windows 10 reference image. 1. Copy D:\\MDTBuildLab\\Boot\\MDT Build Lab x86.iso on MDT01 to C:\\ISO on your Hyper-V host (HV01). - >[!NOTE] - >Remember, in MDT you can use the x86 boot image to deploy both x86 and x64 operating system images. That's why you can use the x86 boot image instead of the x64 boot image. + > [!NOTE] + > Remember, in MDT you can use the x86 boot image to deploy both x86 and x64 operating system images. That's why you can use the x86 boot image instead of the x64 boot image. On **HV01**: - -2. Create a new virtual machine with the following settings: + +1. Create a new virtual machine with the following settings: + 1. Name: REFW10X64-001 2. Store the virtual machine in a different location: C:\VM 3. Generation 1 4. Memory: 1024 MB 5. Network: Must be able to connect to \\MDT01\MDTBuildLab$ - 7. Hard disk: 60 GB (dynamic disk) - 8. Install OS with image file: C:\\ISO\\MDT Build Lab x86.iso -1. Before you start the VM, add a checkpoint for REFW10X64-001, and name it **Clean with MDT Build Lab x86 ISO**. + 6. Hard disk: 60 GB (dynamic disk) + 7. Install OS with image file: C:\\ISO\\MDT Build Lab x86.iso - >[!NOTE] - >Checkpoints are useful if you need to restart the process and want to make sure you can start clean. - -4. Start the REFW10X64-001 virtual machine and connect to it. +2. Before you start the VM, add a checkpoint for REFW10X64-001, and name it **Clean with MDT Build Lab x86 ISO**. - >[!NOTE] - >Up to this point we haven't discussed IP addressing or DHCP. In the initial setup for this guide, DC01 was provisioned as a DHCP server to provide IP address leases to client computers. You might have a different DHCP server on your network that you wish to use. The REFW10X64-001 virtual machine requires an IP address lease that provides it with connectivity to MDT01 so that it can connect to the \\MDT01\MDTBuildLab$ share. In the current scenario, this connectivity is accomplished with a DHCP scope that provides IP addresses in the 10.10.10.100 - 10.10.10.200 range, as part of a /24 subnet so that the client can connect to MDT01 at 10.10.10.11. + > [!NOTE] + > Checkpoints are useful if you need to restart the process and want to make sure you can start clean. + +3. Start the REFW10X64-001 virtual machine and connect to it. + + > [!NOTE] + > Up to this point we haven't discussed IP addressing or DHCP. In the initial setup for this guide, DC01 was provisioned as a DHCP server to provide IP address leases to client computers. You might have a different DHCP server on your network that you wish to use. The REFW10X64-001 virtual machine requires an IP address lease that provides it with connectivity to MDT01 so that it can connect to the \\MDT01\MDTBuildLab$ share. In the current scenario, this connectivity is accomplished with a DHCP scope that provides IP addresses in the 10.10.10.100 - 10.10.10.200 range, as part of a /24 subnet so that the client can connect to MDT01 at 10.10.10.11. After booting into Windows PE, complete the Windows Deployment Wizard with the following settings: - 1. Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Default Image - 2. Specify whether to capture an image: Capture an image of this reference computer - - Location: \\\\MDT01\\MDTBuildLab$\\Captures - 3. File name: REFW10X64-001.wim + + - **Select a task sequence to execute on this computer**: Windows 10 Enterprise x64 RTM Default Image + + - **Specify whether to capture an image**: Capture an image of this reference computer + + - Location: \\\\MDT01\\MDTBuildLab$\\Captures + + - **File name**: REFW10X64-001.wim ![capture image.](../images/captureimage.png) - The Windows Deployment Wizard for the Windows 10 reference image. -5. The setup now starts and does the following steps: +4. The setup now starts and does the following steps: + 1. Installs the Windows 10 Enterprise operating system. 2. Installs the added applications, roles, and features. 3. Updates the operating system via your local Windows Server Update Services (WSUS) server. @@ -666,21 +756,21 @@ After some time, you 'll have a Windows 10 Enterprise x64 image that is fully pa ## Troubleshooting > [!IMPORTANT] -> If you encounter errors applying the image when using a BIOS firmware type, see [Windows 10 deployments fail with Microsoft Deployment Toolkit on computers with BIOS type firmware](https://support.microsoft.com/topic/windows-10-deployments-fail-with-microsoft-deployment-toolkit-on-computers-with-bios-type-firmware-70557b0b-6be3-81d2-556f-b313e29e2cb7). This +> If you encounter errors applying the image when using a BIOS firmware type, see [Windows 10 deployments fail with Microsoft Deployment Toolkit on computers with BIOS type firmware](https://support.microsoft.com/topic/windows-10-deployments-fail-with-microsoft-deployment-toolkit-on-computers-with-bios-type-firmware-70557b0b-6be3-81d2-556f-b313e29e2cb7). If you [enabled monitoring](#enable-monitoring), you can check the progress of the task sequence. ![monitoring.](../images/mdt-monitoring.png) -If there are problems with your task sequence, you can troubleshoot in Windows PE by pressing F8 to open a command prompt. There are several [MDT log files](/configmgr/mdt/troubleshooting-reference#mdt-logs) created that can be helpful determining the origin of an error, such as BDD.log. From the command line in Windows PE, you can copy these logs from the client to your MDT server for viewing with CMTrace. For example: copy BDD.log \\\\mdt01\\logs$. +If there are problems with your task sequence, you can troubleshoot in Windows PE by pressing F8 to open a command prompt. There are several [MDT log files](/configmgr/mdt/troubleshooting-reference#mdt-logs) created that can be helpful determining the origin of an error, such as BDD.log. From the command line in Windows PE, you can copy these logs from the client to your MDT server for viewing with CMTrace. For example: copy BDD.log \\\\mdt01\\logs$. After some time, you 'll have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep, located in the D:\\MDTBuildLab\\Captures folder on your deployment server. The file name is REFW10X64-001.wim. ## Related articles -[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
    -[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
    -[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
    -[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
    -[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
    -[Configure MDT settings](configure-mdt-settings.md) +- [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md) +- [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md) +- [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md) +- [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) +- [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md) +- [Configure MDT settings](configure-mdt-settings.md) diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md index efcf8b1227..f92a6f30dc 100644 --- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md +++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md @@ -11,31 +11,32 @@ ms.topic: article ms.technology: itpro-deploy ms.collection: - highpri -ms.date: 10/28/2022 +ms.date: 11/28/2022 --- # Deploy a Windows 10 image using MDT -**Applies to** -- Windows 10 +**Applies to:** -This article will show you how to take your reference image for Windows 10 (that was [created](create-a-windows-10-reference-image.md)), and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT). +- Windows 10 + +This article will show you how to take your reference image for Windows 10 (that was [created](create-a-windows-10-reference-image.md)), and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT). We'll prepare for this deployment by creating an MDT deployment share that is used solely for image deployment. Separating the processes of creating reference images from the processes used to deploy them in production allows greater control of on both processes. We'll configure Active Directory permissions, configure the deployment share, create a new task sequence, and add applications, drivers, and rules. -For the purposes of this article, we'll use four computers: DC01, MDT01, HV01 and PC0005. +For the purposes of this article, we'll use four computers: DC01, MDT01, HV01 and PC0005. -- DC01 is a domain controller -- MDT01 is a domain member server -- HV01 is a Hyper-V server +- DC01 is a domain controller +- MDT01 is a domain member server +- HV01 is a Hyper-V server - PC0005 is a blank device to which we'll deploy Windows 10 -MDT01 and PC0005 are members of the domain contoso.com for the fictitious Contoso Corporation. HV01 used to test deployment of PC0005 in a virtual environment. +MDT01 and PC0005 are members of the domain contoso.com for the fictitious Contoso Corporation. HV01 used to test deployment of PC0005 in a virtual environment. ![devices.](../images/mdt-07-fig01.png) ->[!NOTE] ->For details about the setup for the procedures in this article, please see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md). +> [!NOTE] +> For details about the setup for the procedures in this article, please see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md). ## Step 1: Configure Active Directory permissions @@ -43,7 +44,7 @@ These steps will show you how to configure an Active Directory account with the On **DC01**: -1. Download the [Set-OUPermissions.ps1 script](https://go.microsoft.com/fwlink/p/?LinkId=619362) and copy it to the **C:\\Setup\\Scripts** directory on **DC01**. This script configures permissions to allow the **MDT_JD** account to manage computer accounts in the contoso > Computers organizational unit. +1. Download the [Set-OUPermissions.ps1 script](https://go.microsoft.com/fwlink/p/?LinkId=619362) and copy it to the **C:\\Setup\\Scripts** directory on **DC01**. This script configures permissions to allow the **MDT_JD** account to manage computer accounts in the contoso > Computers organizational unit. 2. Create the **MDT_JD** service account by running the following command from an elevated **Windows PowerShell prompt**: @@ -85,7 +86,9 @@ On **MDT01**: The steps for creating the deployment share for production are the same as when you created the deployment share for creating the custom reference image: 1. Ensure you're signed on as: contoso\administrator. + 2. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**. + 3. On the **Path** page, in the **Deployment share path** text box, type **D:\\MDTProduction** and select **Next**. 4. On the **Share** page, in the **Share name** text box, type **MDTProduction$** and select **Next**. @@ -93,6 +96,7 @@ The steps for creating the deployment share for production are the same as when 5. On the **Descriptive Name** page, in the **Deployment share description** text box, type **MDT Production** and select **Next**. 6. On the **Options** page, accept the default settings and select **Next** twice, and then select **Finish**. + 7. Using File Explorer, verify that you can access the **\\\\MDT01\\MDTProduction$** share. ### Configure permissions for the production deployment share @@ -101,11 +105,12 @@ To read files in the deployment share, you need to assign NTFS and SMB permissio On **MDT01**: -1. Ensure you're signed in as **contoso\\administrator**. -2. Modify the NTFS permissions for the **D:\\MDTProduction** folder by running the following command in an elevated Windows PowerShell prompt: +1. Ensure you're signed in as **contoso\\administrator**. - ``` powershell - icacls "D:\MDTProduction" /grant '"CONTOSO\MDT_BA":(OI)(CI)(M)' +2. Modify the NTFS permissions for the **D:\\MDTProduction** folder by running the following command in an elevated Windows PowerShell prompt: + + ```powershell + icacls.exe "D:\MDTProduction" /grant '"CONTOSO\MDT_BA":(OI)(CI)(M)' grant-smbshareaccess -Name MDTProduction$ -AccountName "Contoso\MDT_BA" -AccessRight Full -force ``` @@ -117,21 +122,22 @@ The next step is to add a reference image into the deployment share with the set In these steps, we assume that you've completed the steps in the [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) article, so you've a Windows 10 reference image at **D:\\MDTBuildLab\\Captures\REFW10X64-001.wim** on MDT01. -1. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Production**; select the **Operating Systems** node, and create a folder named **Windows 10**. -2. Right-click the **Windows 10** folder and select **Import Operating System**. +1. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Production**; select the **Operating Systems** node, and create a folder named **Windows 10**. -3. On the **OS Type** page, select **Custom image file** and select **Next**. +2. Right-click the **Windows 10** folder and select **Import Operating System**. -4. On the **Image** page, in the **Source file** text box, browse to **D:\\MDTBuildLab\\Captures\\REFW10X64-001.wim** and select **Next**. +3. On the **OS Type** page, select **Custom image file** and select **Next**. -5. On the **Setup** page, select the **Copy Windows 7, Windows Server 2008 R2, or later setup files from the specified path** option; in the **Setup source directory** text box, browse to **D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM** and select **Next**. +4. On the **Image** page, in the **Source file** text box, browse to **D:\\MDTBuildLab\\Captures\\REFW10X64-001.wim** and select **Next**. -6. On the **Destination** page, in the **Destination directory name** text box, type **W10EX64RTM**, select **Next** twice, and then select **Finish**. -7. After adding the operating system, double-click the added operating system name in the **Operating Systems / Windows 10** node and change the name to **Windows 10 Enterprise x64 RTM Custom Image**. +5. On the **Setup** page, select the **Copy Windows 7, Windows Server 2008 R2, or later setup files from the specified path** option; in the **Setup source directory** text box, browse to **D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM** and select **Next**. ->[!NOTE] ->The reason for adding the setup files has changed since earlier versions of MDT. MDT 2010 used the setup files to install Windows. MDT uses DISM to apply the image; however, you still need the setup files because some components in roles and features are stored outside the main image. - +6. On the **Destination** page, in the **Destination directory name** text box, type **W10EX64RTM**, select **Next** twice, and then select **Finish**. + +7. After adding the operating system, double-click the added operating system name in the **Operating Systems / Windows 10** node and change the name to **Windows 10 Enterprise x64 RTM Custom Image**. + +> [!NOTE] +> The reason for adding the setup files has changed since earlier versions of MDT. MDT 2010 used the setup files to install Windows. MDT uses DISM to apply the image; however, you still need the setup files because some components in roles and features are stored outside the main image. ![imported OS.](../images/fig2-importedos.png) @@ -143,9 +149,12 @@ When you configure your MDT Build Lab deployment share, you can also add applica On **MDT01**: -1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (AcroRdrDC2200320263_en_US.exe) to **D:\\setup\\adobe** on MDT01. -2. Extract the .exe file that you downloaded to a .msi (ex: .\AcroRdrDC2200320263_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne). +1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (AcroRdrDC2200320282_en_US.exe) to **D:\\setup\\adobe** on MDT01. + +2. Extract the .exe file that you downloaded to a .msi (ex: .\AcroRdrDC2200320282_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne). + 3. In the Deployment Workbench, expand the **MDT Production** node and navigate to the **Applications** node. + 4. Right-click the **Applications** node, and create a new folder named **Adobe**. 5. In the **Applications** node, right-click the **Adobe** folder and select **New Application**. @@ -161,22 +170,22 @@ On **MDT01**: 10. On the **Command Details** page, in the **Command Line** text box, type **msiexec /i AcroRead.msi /q**, select **Next** twice, and then select **Finish**. ![acroread image.](../images/acroread.png) - The Adobe Reader application added to the Deployment Workbench. ## Step 5: Prepare the drivers repository In order to deploy Windows 10 with MDT successfully, you need drivers for the boot images and for the actual operating system. This section will show you how to add drivers for the boot image and operating system, using the following hardware models as examples: -- Lenovo ThinkPad T420 -- Dell Latitude 7390 -- HP EliteBook 8560w -- Microsoft Surface Pro + +- Lenovo ThinkPad T420 +- Dell Latitude 7390 +- HP EliteBook 8560w +- Microsoft Surface Pro For boot images, you need to have storage and network drivers; for the operating system, you need to have the full suite of drivers. ->[!NOTE] ->You should only add drivers to the Windows PE images if the default drivers don't work. Adding drivers that are not necessary will only make the boot image larger and potentially delay the download time. - +> [!NOTE] +> You should only add drivers to the Windows PE images if the default drivers don't work. Adding drivers that are not necessary will only make the boot image larger and potentially delay the download time. + ### Create the driver source structure in the file system The key to successful management of drivers for MDT, and for any other deployment solution, is to have a good driver repository. From this repository, you import drivers into MDT for deployment, but you should always maintain the repository for future use. @@ -186,41 +195,50 @@ On **MDT01**: > [!IMPORTANT] > In the steps below, it's critical that the folder names used for various computer makes and models exactly match the results of **wmic computersystem get model,manufacturer** on the target system. -1. Using File Explorer, create the **D:\\drivers** folder. -2. In the **D:\\drivers** folder, create the following folder structure: - 1. WinPE x86 - 2. WinPE x64 - 3. Windows 10 x64 -3. In the new Windows 10 x64 folder, create the following folder structure: - - Dell Inc. - - Latitude E7450 - - Hewlett-Packard - - HP EliteBook 8560w - - Lenovo - - ThinkStation P500 (30A6003TUS) - - Microsoft Corporation - - Surface Laptop +1. Using File Explorer, create the **D:\\drivers** folder. + +2. In the **D:\\drivers** folder, create the following folder structure: + + 1. WinPE x86 + 2. WinPE x64 + 3. Windows 10 x64 + +3. In the new Windows 10 x64 folder, create the following folder structure: + + - Dell Inc. + - Latitude E7450 + - Hewlett-Packard + - HP EliteBook 8560w + - Lenovo + - ThinkStation P500 (30A6003TUS) + - Microsoft Corporation + - Surface Laptop > [!NOTE] > Even if you're not going to use both x86 and x64 boot images, we still recommend that you add the support structure for future use. - + ### Create the logical driver structure in MDT When you import drivers to the MDT driver repository, MDT creates a single instance folder structure based on driver class names. However, you can, and should, mimic the driver structure of your driver source repository in the Deployment Workbench. This mimic is done by creating logical folders in the Deployment Workbench. -1. On MDT01, using Deployment Workbench, select the **Out-of-Box Drivers** node. -2. In the **Out-Of-Box Drivers** node, create the following folder structure: - 1. WinPE x86 - 2. WinPE x64 - 3. Windows 10 x64 -3. In the **Windows 10 x64** folder, create the following folder structure: - - Dell Inc. - - Latitude E7450 - - Hewlett-Packard - - HP EliteBook 8560w - - Lenovo - - 30A6003TUS - - Microsoft Corporation - - Surface Laptop + +1. On MDT01, using Deployment Workbench, select the **Out-of-Box Drivers** node. + +2. In the **Out-Of-Box Drivers** node, create the following folder structure: + + 1. WinPE x86 + 2. WinPE x64 + 3. Windows 10 x64 + +3. In the **Windows 10 x64** folder, create the following folder structure: + + - Dell Inc. + - Latitude E7450 + - Hewlett-Packard + - HP EliteBook 8560w + - Lenovo + - 30A6003TUS + - Microsoft Corporation + - Surface Laptop The preceding folder names should match the actual make and model values that MDT reads from devices during deployment. You can find out the model values for your machines by using the following command in Windows PowerShell: @@ -230,36 +248,40 @@ Get-WmiObject -Class:Win32_ComputerSystem Or, you can use this command in a normal command prompt: -```console -wmic csproduct get name +```cmd +wmic.exe csproduct get name ``` If you want a more standardized naming convention, try the **ModelAliasExit.vbs script** from the Deployment Guys blog post, entitled [Using and Extending Model Aliases for Hardware Specific Application Installation](/archive/blogs/deploymentguys/using-and-extending-model-aliases-for-hardware-specific-application-installation). ![drivers.](../images/fig4-oob-drivers.png) - The Out-of-Box Drivers structure in the Deployment Workbench. ### Create the selection profiles for boot image drivers By default, MDT adds any storage and network drivers that you import to the boot images. However, you should add only the drivers that are necessary to the boot image. You can control which drivers are added by using selection profiles. -The drivers that are used for the boot images (Windows PE) are Windows 10 drivers. If you can’t locate Windows 10 drivers for your device, a Windows 7 or Windows 8.1 driver will most likely work, but Windows 10 drivers should be your first choice. + +The drivers that are used for the boot images (Windows PE) are Windows 10 drivers. If you can't locate Windows 10 drivers for your device, a Windows 7 or Windows 8.1 driver will most likely work, but Windows 10 drivers should be your first choice. On **MDT01**: -1. In the Deployment Workbench, under the **MDT Production** node, expand the **Advanced Configuration** node, right-click the **Selection Profiles** node, and select **New Selection Profile**. -2. In the New Selection Profile Wizard, create a selection profile with the following settings: - 1. Selection Profile name: WinPE x86 - 2. Folders: Select the WinPE x86 folder in Out-of-Box Drivers. - 3. Select **Next**, **Next** and **Finish**. -3. Right-click the **Selection Profiles** node again, and select **New Selection Profile**. -4. In the New Selection Profile Wizard, create a selection profile with the following settings: - 1. Selection Profile name: WinPE x64 - 2. Folders: Select the WinPE x64 folder in Out-of-Box Drivers. - 3. Select **Next**, **Next** and **Finish**. +1. In the Deployment Workbench, under the **MDT Production** node, expand the **Advanced Configuration** node, right-click the **Selection Profiles** node, and select **New Selection Profile**. + +2. In the **New Selection Profile Wizard**, create a selection profile with the following settings: + + - **Selection Profile name**: WinPE x86 + - **Folders**: Select the WinPE x86 folder in Out-of-Box Drivers. + - Select **Next**, **Next** and **Finish**. + +3. Right-click the **Selection Profiles** node again, and select **New Selection Profile**. + +4. In the New Selection Profile Wizard, create a selection profile with the following settings: + + - **Selection Profile name**: WinPE x64 + - **Folders**: Select the WinPE x64 folder in Out-of-Box Drivers. + - Select **Next**, **Next** and **Finish**. ![figure 5.](../images/fig5-selectprofile.png) - Creating the WinPE x64 selection profile. ### Extract and import drivers for the x64 boot image @@ -269,11 +291,17 @@ Windows PE supports all the hardware models that we have, but here you learn to On **MDT01**: 1. Download **PROWinx64.exe** from Intel.com (ex: [PROWinx64.exe](https://downloadcenter.intel.com/downloads/eula/25016/Intel-Network-Adapter-Driver-for-Windows-10?httpDown=https%3A%2F%2Fdownloadmirror.intel.com%2F25016%2Feng%2FPROWinx64.exe)). -2. Extract PROWinx64.exe to a temporary folder - in this example to the **C:\\Tmp\\ProWinx64** folder. - a. **Note**: Extracting the .exe file manually requires an extraction utility. You can also run the .exe and it will self-extract files to the **%userprofile%\AppData\Local\Temp\RarSFX0** directory. This directory is temporary and will be deleted when the .exe terminates. -3. Using File Explorer, create the **D:\\Drivers\\WinPE x64\\Intel PRO1000** folder. -4. Copy the content of the **C:\\Tmp\\PROWinx64\\PRO1000\\Winx64\\NDIS64** folder to the **D:\\Drivers\\WinPE x64\\Intel PRO1000** folder. -5. In the Deployment Workbench, expand the **MDT Production** > **Out-of-Box Drivers** node, right-click the **WinPE x64** node, and select **Import Drivers**, and use the following Driver source directory to import drivers: **D:\\Drivers\\WinPE x64\\Intel PRO1000**. + +2. Extract PROWinx64.exe to a temporary folder - in this example to the **C:\\Tmp\\ProWinx64** folder. + + > [!NOTE] + > Extracting the .exe file manually requires an extraction utility. You can also run the .exe and it will self-extract files to the **%userprofile%\AppData\Local\Temp\RarSFX0** directory. This directory is temporary and will be deleted when the .exe terminates. + +3. Using File Explorer, create the **D:\\Drivers\\WinPE x64\\Intel PRO1000** folder. + +4. Copy the content of the **C:\\Tmp\\PROWinx64\\PRO1000\\Winx64\\NDIS64** folder to the **D:\\Drivers\\WinPE x64\\Intel PRO1000** folder. + +5. In the Deployment Workbench, expand the **MDT Production** > **Out-of-Box Drivers** node, right-click the **WinPE x64** node, and select **Import Drivers**, and use the following Driver source directory to import drivers: **D:\\Drivers\\WinPE x64\\Intel PRO1000**. ### Download, extract, and import drivers @@ -281,8 +309,7 @@ On **MDT01**: For the ThinkStation P500 model, you use the Lenovo ThinkVantage Update Retriever software to download the drivers. With Update Retriever, you need to specify the correct Lenovo Machine Type for the actual hardware (the first four characters of the model name). As an example, the Lenovo ThinkStation P500 model has the 30A6003TUS model name, meaning the Machine Type is 30A6. -> [!div class="mx-imgBorder"] -> ![ThinkStation image.](../images/thinkstation.png) +![ThinkStation image.](../images/thinkstation.png) To get the updates, download the drivers from the Lenovo ThinkVantage Update Retriever using its export function. You can also download the drivers by searching PC Support on the [Lenovo website](https://go.microsoft.com/fwlink/p/?LinkId=619543). @@ -292,7 +319,7 @@ On **MDT01**: 1. In the Deployment Workbench, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Lenovo** node. -2. Right-click the **30A6003TUS** folder and select **Import Drivers** and use the following Driver source directory to import drivers: +2. Right-click the **30A6003TUS** folder and select **Import Drivers** and use the following Driver source directory to import drivers: **D:\\Drivers\\Windows 10 x64\\Lenovo\\ThinkStation P500 (30A6003TUS)** @@ -308,9 +335,9 @@ On **MDT01**: 1. In the **Deployment Workbench**, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Dell Inc.** node. -2. Right-click the **Latitude E7450** folder and select **Import Drivers** and use the following Driver source directory to import drivers: +2. Right-click the **Latitude E7450** folder and select **Import Drivers** and use the following Driver source directory to import drivers: - **D:\\Drivers\\Windows 10 x64\\Dell Inc.\\Latitude E7450** + **`D:\Drivers\Windows 10 x64\Dell Inc.\Latitude E7450`** ### For the HP EliteBook 8560w @@ -320,11 +347,11 @@ In these steps, we assume you've downloaded and extracted the drivers for the HP On **MDT01**: -1. In the **Deployment Workbench**, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Hewlett-Packard** node. +1. In the **Deployment Workbench**, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Hewlett-Packard** node. -2. Right-click the **HP EliteBook 8560w** folder and select **Import Drivers** and use the following Driver source directory to import drivers: +2. Right-click the **HP EliteBook 8560w** folder and select **Import Drivers** and use the following Driver source directory to import drivers: - **D:\\Drivers\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w** + **`D:\Drivers\Windows 10 x64\Hewlett-Packard\HP EliteBook 8560w`** ### For the Microsoft Surface Laptop @@ -332,11 +359,11 @@ For the Microsoft Surface Laptop model, you find the drivers on the Microsoft we On **MDT01**: -1. In the Deployment Workbench, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Microsoft** node. +1. In the Deployment Workbench, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Microsoft** node. -2. Right-click the **Surface Laptop** folder and select **Import Drivers**; and use the following Driver source directory to import drivers: +2. Right-click the **Surface Laptop** folder and select **Import Drivers**; and use the following Driver source directory to import drivers: - **D:\\Drivers\\Windows 10 x64\\Microsoft\\Surface Laptop** + **`D:\Drivers\Windows 10 x64\Microsoft\Surface Laptop`** ## Step 6: Create the deployment task sequence @@ -349,6 +376,7 @@ On **MDT01**: 1. In the Deployment Workbench, under the **MDT Production** node, right-click **Task Sequences**, and create a folder named **Windows 10**. 2. Right-click the new **Windows 10** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: + - Task sequence ID: W10-X64-001 - Task sequence name: Windows 10 Enterprise x64 RTM Custom Image - Task sequence comments: Production Image @@ -366,26 +394,27 @@ On **MDT01**: 2. On the **Task Sequence** tab, configure the **Windows 10 Enterprise x64 RTM Custom Image** task sequence with the following settings: - 1. Preinstall: After the **Enable BitLocker (Offline)** action, add a **Set Task Sequence Variable** action with the following settings: - 1. Name: Set DriverGroup001 - 2. Task Sequence Variable: DriverGroup001 - 3. Value: Windows 10 x64\\%Make%\\%Model% + 1. Preinstall: After the **Enable BitLocker (Offline)** action, add a **Set Task Sequence Variable** action with the following settings: - 2. Configure the **Inject Drivers** action with the following settings: - - Choose a selection profile: Nothing - - Install all drivers from the selection profile + - **Name**: Set DriverGroup001 + - **Task Sequence Variable**: DriverGroup001 + - **Value**: Windows 10 x64\\%Make%\\%Model% - > [!NOTE] - > The configuration above indicates that MDT should only use drivers from the folder specified by the DriverGroup001 property, which is defined by the "Choose a selection profile: Nothing" setting, and that MDT shouldn't use plug and play to determine which drivers to copy, which is defined by the "Install all drivers from the selection profile" setting. - - 3. State Restore. Enable the **Windows Update (Pre-Application Installation)** action. + 2. Configure the **Inject Drivers** action with the following settings: - 4. State Restore. Enable the **Windows Update (Post-Application Installation)** action. + - **Choose a selection profile**: Nothing + - Install all drivers from the selection profile + + > [!NOTE] + > The configuration above indicates that MDT should only use drivers from the folder specified by the DriverGroup001 property, which is defined by the "Choose a selection profile: Nothing" setting, and that MDT shouldn't use plug and play to determine which drivers to copy, which is defined by the "Install all drivers from the selection profile" setting. + + 3. State Restore. Enable the **Windows Update (Pre-Application Installation)** action. + + 4. State Restore. Enable the **Windows Update (Post-Application Installation)** action. 3. Select **OK**. ![drivergroup.](../images/fig6-taskseq.png) - The task sequence for production deployment. ## Step 7: Configure the MDT production deployment share @@ -400,9 +429,10 @@ In this section, you'll learn how to configure the MDT Build Lab deployment shar On **MDT01**: 1. Right-click the **MDT Production** deployment share and select **Properties**. + 2. Select the **Rules** tab and replace the existing rules with the following information (modify the domain name, WSUS server, and administrative credentials to match your environment): - ``` + ```ini [Settings] Priority=Default @@ -441,7 +471,7 @@ On **MDT01**: 3. Select **Edit Bootstrap.ini** and modify using the following information: - ``` + ```ini [Settings] Priority=Default @@ -461,11 +491,11 @@ On **MDT01**: - Image description: MDT Production x86 - ISO file name: MDT Production x86.iso - + > [!NOTE] - > + > > Because you're going to use Pre-Boot Execution Environment (PXE) later to deploy the machines, you don't need the ISO file; however, we recommend creating ISO files because they're useful when troubleshooting deployments and for quick tests. - + 6. On the **Drivers and Patches** sub tab, select the **WinPE x86** selection profile and select the **Include all drivers from the selection profile** option. 7. On the **Windows PE** tab, in the **Platform** drop-down list, select **x64**. @@ -483,9 +513,9 @@ On **MDT01**: 11. Select **OK**. - >[!NOTE] - >It will take a while for the Deployment Workbench to create the monitoring database and web service. - + > [!NOTE] + > It will take a while for the Deployment Workbench to create the monitoring database and web service. + ![figure 8.](../images/mdt-07-fig08.png) The Windows PE tab for the x64 boot image. @@ -494,13 +524,13 @@ On **MDT01**: The rules for the MDT Production deployment share are different from those rules for the MDT Build Lab deployment share. The biggest differences are that you deploy the machines into a domain instead of a workgroup. -You can optionally remove the **UserID** and **UserPassword** entries from Bootstrap.ini so that users performing PXE boot are prompted to provide credentials with permission to connect to the deployment share. Setting **SkipBDDWelcome=NO** enables the welcome screen that displays options to run the deployment wizard, run DaRT tools (if installed), exit to a Windows PE command prompt, set the keyboard layout, or configure a static IP address. In this example, we're skipping the welcome screen and providing credentials. +You can optionally remove the **UserID** and **UserPassword** entries from Bootstrap.ini so that users performing PXE boot are prompted to provide credentials with permission to connect to the deployment share. Setting **SkipBDDWelcome=NO** enables the welcome screen that displays options to run the deployment wizard, run DaRT tools (if installed), exit to a Windows PE command prompt, set the keyboard layout, or configure a static IP address. In this example, we're skipping the welcome screen and providing credentials. ### The Bootstrap.ini file This file is the MDT Production Bootstrap.ini: -``` +```ini [Settings] Priority=Default @@ -516,7 +546,7 @@ SkipBDDWelcome=YES This file is the CustomSettings.ini file with the new join domain information: -``` +```ini [Settings] Priority=Default @@ -555,14 +585,15 @@ EventService=http://MDT01:9800 ``` Some properties to use in the MDT Production rules file are as follows: -- **JoinDomain.** The domain to join. -- **DomainAdmin.** The account to use when joining the machine to the domain. -- **DomainAdminDomain.** The domain for the join domain account. -- **DomainAdminPassword.** The password for the join domain account. -- **MachineObjectOU.** The organizational unit (OU) to which to add the computer account. -- **ScanStateArgs.** Arguments for the User State Migration Tool (USMT) ScanState command. -- **USMTMigFiles(\*).** List of USMT templates (controlling what to back up and restore). -- **EventService.** Activates logging information to the MDT monitoring web service. + +- **JoinDomain.** The domain to join. +- **DomainAdmin.** The account to use when joining the machine to the domain. +- **DomainAdminDomain.** The domain for the join domain account. +- **DomainAdminPassword.** The password for the join domain account. +- **MachineObjectOU.** The organizational unit (OU) to which to add the computer account. +- **ScanStateArgs.** Arguments for the User State Migration Tool (USMT) ScanState command. +- **USMTMigFiles(\*).** List of USMT templates (controlling what to back up and restore). +- **EventService.** Activates logging information to the MDT monitoring web service. > [!NOTE] > For more information about localization support, see the following articles: @@ -578,7 +609,6 @@ If your organization has a Microsoft Software Assurance agreement, you also can If you've licensing for MDOP and DaRT, you can add DaRT to the boot images using the steps in this section. If you don't have DaRT licensing, or don't want to use it, skip to the next section, [Update the Deployment Share](#update-the-deployment-share). To enable the remote connection feature in MDT, you need to do the following steps: - > [!NOTE] > DaRT 10 is part of [MDOP 2015](/microsoft-desktop-optimization-pack/#how-to-get-mdop). > @@ -592,34 +622,33 @@ On **MDT01**: ![DaRT image.](../images/dart.png) -2. Copy the two tools CAB files from **C:\\Program Files\\Microsoft DaRT\\v10** (**Toolsx86.cab** and **Toolsx64.cab**) to the production deployment share at **D:\\MDTProduction\\Tools\\x86** and **D:\\MDTProduction\\Tools\\x64**, respectively. +3. Copy the two tools CAB files from **C:\\Program Files\\Microsoft DaRT\\v10** (**Toolsx86.cab** and **Toolsx64.cab**) to the production deployment share at **D:\\MDTProduction\\Tools\\x86** and **D:\\MDTProduction\\Tools\\x64**, respectively. -3. In the Deployment Workbench, right-click the **MDT Production** deployment share and select **Properties**. +4. In the Deployment Workbench, right-click the **MDT Production** deployment share and select **Properties**. -4. On the **Windows PE** tab, in the **Platform** drop-down list, make sure **x86** is selected. +5. On the **Windows PE** tab, in the **Platform** drop-down list, make sure **x86** is selected. -5. On the **Features** sub tab, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** checkbox. +6. On the **Features** sub tab, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** checkbox. ![DaRT selection.](../images/mdt-07-fig09.png) - Selecting the DaRT 10 feature in the deployment share. -8. In the **Windows PE** tab, in the **Platform** drop-down list, select **x64**. +7. In the **Windows PE** tab, in the **Platform** drop-down list, select **x64**. -9. In the **Features** sub tab, in addition to the default selected feature pack, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** check box. +8. In the **Features** sub tab, in addition to the default selected feature pack, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** check box. -10. Select **OK**. +9. Select **OK**. ### Update the deployment share Like the MDT Build Lab deployment share, the MDT Production deployment share needs to be updated after it has been configured. This update-process is the one during which the Windows PE boot images are created. -1. Right-click the **MDT Production** deployment share and select **Update Deployment Share**. +1. Right-click the **MDT Production** deployment share and select **Update Deployment Share**. -2. Use the default options for the Update Deployment Share Wizard. +2. Use the default options for the Update Deployment Share Wizard. ->[!NOTE] ->The update process will take 5 to 10 minutes. +> [!NOTE] +> The update process will take 5 to 10 minutes. ## Step 8: Deploy the Windows 10 client image @@ -638,7 +667,6 @@ On **MDT01**: 3. Browse to the **D:\\MDTProduction\\Boot\\LiteTouchPE\_x64.wim** file and add the image with the default settings. ![figure 9.](../images/mdt-07-fig10.png) - The boot image added to the WDS console. ### Deploy the Windows 10 client @@ -657,19 +685,18 @@ On **HV01**: - Hard disk: 60 GB (dynamic disk) - Installation Options: Install an operating system from a network-based installation server -2. Start the PC0005 virtual machine, and press **Enter** to start the PXE boot. The VM will now load the Windows PE boot image from the WDS server. +2. Start the PC0005 virtual machine, and press **Enter** to start the PXE boot. The VM will now load the Windows PE boot image from the WDS server. ![figure 10.](../images/mdt-07-fig11.png) - The initial PXE boot process of PC0005. -3. After Windows PE has booted, complete the Windows Deployment Wizard using the following setting: +3. After Windows PE has booted, complete the Windows Deployment Wizard using the following setting: - Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Custom Image - Computer Name: **PC0005** - Applications: Select the **Install - Adobe Reader** checkbox. -4. Setup now begins and does the following steps: +4. Setup now begins and does the following steps: - Installs the Windows 10 Enterprise operating system. - Installs the added application. @@ -689,14 +716,13 @@ Since you've enabled the monitoring on the MDT Production deployment share, you On **MDT01**: -1. In the Deployment Workbench, expand the **MDT Production** deployment share folder. +1. In the Deployment Workbench, expand the **MDT Production** deployment share folder. -2. Select the **Monitoring** node, and wait until you see PC0005. +2. Select the **Monitoring** node, and wait until you see PC0005. -3. Double-click PC0005, and review the information. +3. Double-click PC0005, and review the information. ![figure 11.](../images/mdt-07-fig13.png) - The Monitoring node, showing the deployment progress of PC0005. ### Use information in the Event Viewer @@ -704,7 +730,6 @@ On **MDT01**: When monitoring is enabled, MDT also writes information to the event viewer on MDT01. This information can be used to trigger notifications via scheduled tasks when deployment is completed. For example, you can configure scheduled tasks to send an email when a certain event is created in the event log. ![figure 12.](../images/mdt-07-fig14.png) - The Event Viewer showing a successful deployment of PC0005. ## Multicast deployments @@ -721,13 +746,15 @@ Setting up MDT for multicast is straightforward. You enable multicast on the dep On **MDT01**: -1. In the Deployment Workbench, right-click the **MDT Production** deployment share folder and select **Properties**. -2. On the **General** tab, select the **Enable multicast for this deployment share (requires Windows Server 2008 R2 Windows Deployment Services)** check box, and select **OK**. -3. Right-click the **MDT Production** deployment share folder and select **Update Deployment Share**. -4. After updating the deployment share, use the Windows Deployment Services console to, verify that the multicast namespace was created. +1. In the Deployment Workbench, right-click the **MDT Production** deployment share folder and select **Properties**. + +2. On the **General** tab, select the **Enable multicast for this deployment share (requires Windows Server 2008 R2 Windows Deployment Services)** check box, and select **OK**. + +3. Right-click the **MDT Production** deployment share folder and select **Update Deployment Share**. + +4. After updating the deployment share, use the Windows Deployment Services console to, verify that the multicast namespace was created. ![figure 13.](../images/mdt-07-fig15.png) - The newly created multicast namespace. ## Use offline media to deploy Windows 10 @@ -742,19 +769,19 @@ To filter what is being added to the media, you create a selection profile. When On **MDT01**: -1. In the Deployment Workbench, under the **MDT Production / Advanced Configuration** node, right-click **Selection Profiles**, and select **New Selection Profile**. +1. In the Deployment Workbench, under the **MDT Production / Advanced Configuration** node, right-click **Selection Profiles**, and select **New Selection Profile**. -2. Use the following settings for the New Selection Profile Wizard: +2. Use the following settings for the New Selection Profile Wizard: - - General Settings - - Selection profile name: Windows 10 Offline Media + - General Settings + - **Selection profile name**: Windows 10 Offline Media - - Folders - - Applications / Adobe - - Operating Systems / Windows 10 - - Out-Of-Box Drivers / WinPE x64 - - Out-Of-Box Drivers / Windows 10 x64 - - Task Sequences / Windows 10 + - Folders + - Applications / Adobe + - Operating Systems / Windows 10 + - Out-Of-Box Drivers / WinPE x64 + - Out-Of-Box Drivers / Windows 10 x64 + - Task Sequences / Windows 10 ![offline media.](../images/mdt-offline-media.png) @@ -762,17 +789,18 @@ On **MDT01**: In these steps, you generate offline media from the MDT Production deployment share. To filter what is being added to the media, you use the previously created selection profile. -1. On MDT01, using File Explorer, create the **D:\\MDTOfflineMedia** folder. +1. On MDT01, using File Explorer, create the **D:\\MDTOfflineMedia** folder. - >[!NOTE] - >When creating offline media, you need to create the target folder first. It's crucial that you don't create a subfolder inside the deployment share folder because it will break the offline media. - -2. In the Deployment Workbench, under the **MDT Production / Advanced Configuration** node, right-click the **Media** node, and select **New Media**. + > [!NOTE] + > When creating offline media, you need to create the target folder first. It's crucial that you don't create a subfolder inside the deployment share folder because it will break the offline media. -3. Use the following settings for the New Media Wizard: - - General Settings - - Media path: **D:\\MDTOfflineMedia** - - Selection profile: **Windows 10 Offline Media** +2. In the Deployment Workbench, under the **MDT Production / Advanced Configuration** node, right-click the **Media** node, and select **New Media**. + +3. Use the following settings for the New Media Wizard: + + - General Settings + - Media path: **D:\\MDTOfflineMedia** + - Selection profile: **Windows 10 Offline Media** ### Configure the offline media @@ -780,24 +808,25 @@ Offline media has its own rules, its own Bootstrap.ini and CustomSettings.ini fi On **MDT01**: -1. Copy the CustomSettings.ini file from the **D:\MDTProduction\Control** folder to **D:\\MDTOfflineMedia\\Content\\Deploy\\Control**. Overwrite the existing files. +1. Copy the CustomSettings.ini file from the **D:\MDTProduction\Control** folder to **D:\\MDTOfflineMedia\\Content\\Deploy\\Control**. Overwrite the existing files. -2. In the Deployment Workbench, under the **MDT Production / Advanced Configuration / Media** node, right-click the **MEDIA001** media, and select **Properties**. +2. In the Deployment Workbench, under the **MDT Production / Advanced Configuration / Media** node, right-click the **MEDIA001** media, and select **Properties**. -3. In the **General** tab, configure the following: +3. In the **General** tab, configure the following: - Clear the Generate x86 boot image check box. - ISO file name: Windows 10 Offline Media.iso -4. On the **Windows PE** tab, in the **Platform** drop-down list, select **x64**. +4. On the **Windows PE** tab, in the **Platform** drop-down list, select **x64**. -5. On the **General** sub tab, configure the following settings: - - In the **Lite Touch Boot Image Settings** area: - - Image description: MDT Production x64 - - In the **Windows PE Customizations** area, set the Scratch space size to 128. +5. On the **General** sub tab, configure the following settings: -6. On the **Drivers and Patches** sub tab, select the **WinPE x64** selection profile and select the **Include all drivers from the selection profile** option. + - In the **Lite Touch Boot Image Settings** area: + - **Image description**: MDT Production x64 + - In the **Windows PE Customizations** area, set the Scratch space size to 128. -7. Select **OK**. +6. On the **Drivers and Patches** sub tab, select the **WinPE x64** selection profile and select the **Include all drivers from the selection profile** option. + +7. Select **OK**. ### Generate the offline media @@ -805,30 +834,36 @@ You've now configured the offline media deployment share, however the share hasn On **MDT01**: -1. In the Deployment Workbench, navigate to the **MDT Production / Advanced Configuration / Media** node. +1. In the Deployment Workbench, navigate to the **MDT Production / Advanced Configuration / Media** node. -2. Right-click the **MEDIA001** media, and select **Update Media Content**. The Update Media Content process now generates the offline media in the **D:\\MDTOfflineMedia\\Content** folder. The process might require several minutes. +2. Right-click the **MEDIA001** media, and select **Update Media Content**. The Update Media Content process now generates the offline media in the **D:\\MDTOfflineMedia\\Content** folder. The process might require several minutes. ### Create a bootable USB stick The ISO that you got when updating the offline media item can be burned to a DVD and used directly (it will be bootable), but it's often more efficient to use USB sticks instead since they're faster and can hold more data. (A dual-layer DVD is limited to 8.5 GB.) ->[!TIP] ->In this example, the .wim file is 5.5 GB in size. However, bootable USB sticks are formatted with the FAT32 file system which limits file size to 4.0 GB. You can place the image on a different drive (ex: E:\Deploy\Operating Systems\W10EX64RTM\REFW10X64-001.swm) and then modify E:\Deploy\Control\OperatingSystems.xml to point to it. Alternatively to keep using the USB you must split the .wim file, which can be done using DISM:
     
    Dism /Split-Image /ImageFile:D:\MDTOfflinemedia\Content\Deploy\Operating Systems\W10EX64RTM\REFW10X64-001.wim /SWMFile:E:\sources\install.swm /FileSize:3800.
     
    Windows Setup automatically installs from this file, provided you name it install.swm. The file names for the next files include numbers, for example: install2.swm, install3.swm.
     
    To enable split image in MDT, the Settings.xml file in your deployment share (ex: D:\MDTProduction\Control\Settings.xml) must have the **SkipWimSplit** value set to **False**. By default this value is set to True (`True`), so this must be changed and the offline media content updated. +> [!TIP] +> In this example, the .wim file is 5.5 GB in size. However, bootable USB sticks are formatted with the FAT32 file system which limits file size to 4.0 GB. You can place the image on a different drive (ex: E:\Deploy\Operating Systems\W10EX64RTM\REFW10X64-001.swm) and then modify E:\Deploy\Control\OperatingSystems.xml to point to it. Alternatively to keep using the USB you must split the .wim file, which can be done using DISM: +> +> **`Dism.exe /Split-Image /ImageFile:D:\MDTOfflinemedia\Content\Deploy\Operating Systems\W10EX64RTM\REFW10X64-001.wim /SWMFile:E:\sources\install.swm /FileSize:3800.`** +> +> Windows Setup automatically installs from this file, provided you name it install.swm. The file names for the next files include numbers, for example: install2.swm, install3.swm. +> +> To enable split image in MDT, the Settings.xml file in your deployment share (ex: D:\MDTProduction\Control\Settings.xml) must have the **SkipWimSplit** value set to **False**. By default this value is set to True (`True`), so this must be changed and the offline media content updated. Follow these steps to create a bootable USB stick from the offline media content: -1. On a physical machine running Windows 7 or later, insert the USB stick you want to use. +1. On a physical machine running Windows 7 or later, insert the USB stick you want to use. -2. Copy the content of the **MDTOfflineMedia\\Content** folder to the root of the USB stick. +2. Copy the content of the **MDTOfflineMedia\\Content** folder to the root of the USB stick. -3. Start an elevated command prompt (run as Administrator), and start the Diskpart utility by typing **Diskpart** and pressing **Enter**. +3. Start an elevated command prompt (run as Administrator), and start the Diskpart utility by typing **Diskpart** and pressing **Enter**. -4. In the Diskpart utility, you can type **list volume** (or the shorter **list vol**) to list the volumes, but you only need to remember the drive letter of the USB stick to which you copied the content. In our example, the USB stick had the drive letter F. +4. In the Diskpart utility, you can type **list volume** (or the shorter **list vol**) to list the volumes, but you only need to remember the drive letter of the USB stick to which you copied the content. In our example, the USB stick had the drive letter F. -5. In the Diskpart utility, type **select volume F** (replace F with your USB stick drive letter). +5. In the Diskpart utility, type **select volume F** (replace F with your USB stick drive letter). -6. In the Diskpart utility, type **active**, and then type **exit**. +6. In the Diskpart utility, type **active**, and then type **exit**. ## Unified Extensible Firmware Interface (UEFI)-based deployments @@ -840,9 +875,9 @@ The partitions when deploying an UEFI-based machine. ## Related articles -[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
    -[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
    -[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
    -[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
    -[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
    -[Configure MDT settings](configure-mdt-settings.md)
    +- [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md) +- [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) +- [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md) +- [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) +- [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md) +- [Configure MDT settings](configure-mdt-settings.md) diff --git a/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md b/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md index 701f10efc1..73c2d4b629 100644 --- a/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md +++ b/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md @@ -11,19 +11,20 @@ ms.topic: article ms.technology: itpro-deploy ms.collection: - highpri -ms.date: 10/28/2022 +ms.date: 11/28/2022 --- # Get started with MDT -**Applies to** +**Applies to:** + - Windows 10 This article provides an overview of the features, components, and capabilities of the [Microsoft Deployment Toolkit (MDT)](/mem/configmgr/mdt/). When you have finished reviewing this information, see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md). ## About MDT -MDT is a unified collection of tools, processes, and guidance for automating desktop and server deployment. You can use it to create reference images or as a complete deployment solution. MDT is one of the most important tools available to IT professionals today. +MDT is a unified collection of tools, processes, and guidance for automating desktop and server deployment. You can use it to create reference images or as a complete deployment solution. MDT is one of the most important tools available to IT professionals today. In addition to reducing deployment time and standardizing desktop and server images, MDT enables you to more easily manage security and ongoing configurations. MDT builds on top of the core deployment tools in the [Windows Assessment and Deployment Kit](/windows-hardware/get-started/adk-install) (Windows ADK) with more guidance and features designed to reduce the complexity and time required for deployment in an enterprise environment. @@ -37,39 +38,58 @@ MDT supports the deployment of Windows 10, and Windows 7, Windows 8.1, and Windo MDT has been in existence since 2003, when it was first introduced as Business Desktop Deployment (BDD) 1.0. The toolkit has evolved, both in functionality and popularity, and today it's considered fundamental to Windows operating system and enterprise application deployment. MDT has many useful features, such as: -- **Windows Client support.** Supports Windows 7, Windows 8.1, and Windows 10. -- **Windows Server support.** Supports Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019. -- **Additional operating systems support.** Supports Windows Thin PC and [Windows Embedded POSReady 7](https://www.microsoft.com/en-us/download/details.aspx?id=26558), and Windows 8.1 Embedded Industry. -- **UEFI support.** Supports deployment to machines using Unified Extensible Firmware Interface (UEFI) version 2.3.1. -- **GPT support.** Supports deployment to machines that require the new GPT partition table format. This feature is related to UEFI. -- **Enhanced Windows PowerShell support.** Provides support for running PowerShell scripts. + +- **Windows Client support**: Supports Windows 7, Windows 8.1, and Windows 10. + +- **Windows Server support**: Supports Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019. + +- **Additional operating systems support**: Supports Windows Thin PC and [Windows Embedded POSReady 7](https://www.microsoft.com/download/details.aspx?id=26558), and Windows 8.1 Embedded Industry. + +- **UEFI support**: Supports deployment to machines using Unified Extensible Firmware Interface (UEFI) version 2.3.1. + +- **GPT support**: Supports deployment to machines that require the new GPT partition table format. This feature is related to UEFI. + +- **Enhanced Windows PowerShell support**: Provides support for running PowerShell scripts. ![figure 2.](../images/mdt-05-fig02.png) - The deployment share mounted as a standard PSDrive allows for administration using PowerShell. -- **Add local administrator accounts.** Allows you to add multiple user accounts to the local Administrators group on the target computers, either via settings or the deployment wizard. -- **Automated participation in CEIP and WER.** Provides configuration for participation in Windows Customer Experience Improvement Program (CEIP) and Windows Error Reporting (WER). -- **Deploy Windows RE.** Enables deployment of a customized Windows Recovery Environment (Windows RE) as part of the task sequence. -- **Deploy to VHD.** Provides ready-made task sequence templates for deploying Windows into a virtual hard disk (VHD) file. -- **Improved deployment wizard.** Provides more progress information and a cleaner UI for the Lite Touch Deployment Wizard. -- **Monitoring.** Allows you to see the status of currently running deployments. -- **Apply GPO Pack.** Allows you to deploy local group policy objects created by Microsoft Security Compliance Manager (SCM). -- **Partitioning routines.** Provides improved partitioning routines to ensure that deployments work regardless of the current hard drive structure. -- **Offline BitLocker.** Provides the capability to have BitLocker enabled during the Windows Preinstallation Environment (Windows PE) phase, thus saving hours of encryption time. -- **USMT offline user-state migration.** Provides support for running the User State Migration Tool (USMT) capture offline, during the Windows PE phase of the deployment. +- **Add local administrator accounts**: Allows you to add multiple user accounts to the local Administrators group on the target computers, either via settings or the deployment wizard. + +- **Automated participation in CEIP and WER**: Provides configuration for participation in Windows Customer Experience Improvement Program (CEIP) and Windows Error Reporting (WER). + +- **Deploy Windows RE**: Enables deployment of a customized Windows Recovery Environment (Windows RE) as part of the task sequence. + +- **Deploy to VHD**: Provides ready-made task sequence templates for deploying Windows into a virtual hard disk (VHD) file. + +- **Improved deployment wizard**: Provides more progress information and a cleaner UI for the Lite Touch Deployment Wizard. + +- **Monitoring**: Allows you to see the status of currently running deployments. + +- **Apply GPO Pack**: Allows you to deploy local group policy objects created by Microsoft Security Compliance Manager (SCM). + +- **Partitioning routines**: Provides improved partitioning routines to ensure that deployments work regardless of the current hard drive structure. + +- **Offline BitLocker**: Provides the capability to have BitLocker enabled during the Windows Preinstallation Environment (Windows PE) phase, thus saving hours of encryption time. + +- **USMT offline user-state migration**: Provides support for running the User State Migration Tool (USMT) capture offline, during the Windows PE phase of the deployment. ![figure 3.](../images/mdt-05-fig03.png) - The offline USMT backup in action. -- **Install or uninstall Windows roles or features.** Enables you to select roles and features as part of the deployment wizard. MDT also supports uninstall of roles and features. -- **Microsoft System Center Orchestrator integration.** Provides the capability to use Orchestrator runbooks as part of the task sequence. -- **Support for DaRT.** Supports optional integration of the DaRT components into the boot image. -- **Support for Microsoft Office.** Provides added support for deploying Microsoft Office. -- **Support for Modern UI app package provisioning.** Provisions applications based on the new Windows app package standard, which is used in Windows 8 and later. -- **Extensibility.** Provides the capability to extend MDT far beyond the built-in features by adding custom scripts, web services, System Center Orchestrator runbooks, PowerShell scripts, and VBScripts. -- **Upgrade task sequence.** Provides a new upgrade task sequence template that you can use to upgrade existing Windows 7, Windows 8, and Windows 8.1 systems directly to Windows 10, automatically preserving all data, settings, applications, and drivers. For more information about using this new upgrade task sequence, see the [Microsoft Deployment Toolkit resource page](/mem/configmgr/mdt/). +- **Install or uninstall Windows roles or features**: Enables you to select roles and features as part of the deployment wizard. MDT also supports uninstall of roles and features. + +- **Microsoft System Center Orchestrator integration**: Provides the capability to use Orchestrator runbooks as part of the task sequence. + +- **Support for DaRT**: Supports optional integration of the DaRT components into the boot image. + +- **Support for Microsoft Office**: Provides added support for deploying Microsoft Office. + +- **Support for Modern UI app package provisioning**: Provisions applications based on the new Windows app package standard, which is used in Windows 8 and later. + +- **Extensibility**: Provides the capability to extend MDT far beyond the built-in features by adding custom scripts, web services, System Center Orchestrator runbooks, PowerShell scripts, and VBScripts. + +- **Upgrade task sequence**: Provides a new upgrade task sequence template that you can use to upgrade existing Windows 7, Windows 8, and Windows 8.1 systems directly to Windows 10, automatically preserving all data, settings, applications, and drivers. For more information about using this new upgrade task sequence, see the [Microsoft Deployment Toolkit resource page](/mem/configmgr/mdt/). ## MDT Lite Touch components @@ -88,6 +108,7 @@ A deployment share is essentially a folder on the server that is shared and cont ## Rules The rules (CustomSettings.ini and Bootstrap.ini) make up the brain of MDT. The rules control the Windows Deployment Wizard on the client and, for example, can provide the following settings to the machine being deployed: + - Computer name - Domain to join, and organizational unit (OU) in Active Directory to hold the computer object - Whether to enable BitLocker @@ -95,13 +116,11 @@ The rules (CustomSettings.ini and Bootstrap.ini) make up the brain of MDT. The r You can manage hundreds of settings in the rules. For more information, see the [Microsoft Deployment Toolkit resource center](/mem/configmgr/mdt/). ![figure 5.](../images/mdt-05-fig05.png) - Example of an MDT rule. In this example, the new computer name is being calculated based on PC- plus the first seven (Left) characters from the serial number ## Boot images -Boot images are the Windows Preinstallation Environment (Windows PE) images that are used to start the deployment. They can be started from a CD or DVD, an ISO file, a USB device, or over the network using a Pre-Boot Execution Environment (PXE) server. The boot images connect to the deployment -share on the server and start the deployment. +Boot images are the Windows Preinstallation Environment (Windows PE) images that are used to start the deployment. They can be started from a CD or DVD, an ISO file, a USB device, or over the network using a Pre-Boot Execution Environment (PXE) server. The boot images connect to the deployment share on the server and start the deployment. ## Operating systems @@ -124,33 +143,44 @@ With the Deployment Workbench, you can add any Microsoft packages that you want Task sequences are the heart and soul of the deployment solution. When creating a task sequence, you need to select a template. The templates are located in the Templates folder in the MDT installation directory, and they determine which default actions are present in the sequence. You can think of a task sequence as a list of actions that need to be executed in a certain order. Each action can also have conditions. Some examples of actions are as follows: -- **Gather.** Reads configuration settings from the deployment server. -- **Format and Partition.** Creates the partition(s) and formats them. -- **Inject Drivers.** Finds out which drivers the machine needs and downloads them from the central driver repository. -- **Apply Operating System.** Uses ImageX to apply the image. -- **Windows Update.** Connects to a WSUS server and updates the machine. + +- **Gather**: Reads configuration settings from the deployment server. +- **Format and Partition**: Creates the partition(s) and formats them. +- **Inject Drivers**: Finds out which drivers the machine needs and downloads them from the central driver repository. +- **Apply Operating System**: Applies the Windows image. +- **Windows Update**: Connects to a WSUS server and updates the machine. ## Task sequence templates MDT comes with nine default task sequence templates. You can also create your own templates. As long as you store them in the Templates folder, they'll be available when you create a new task sequence. -- **Sysprep and Capture task sequence.** Used to run the System Preparation (Sysprep) tool and capture an image of a reference computer. + +- **Sysprep and Capture task sequence**: Used to run the System Preparation (Sysprep) tool and capture an image of a reference computer. > [!NOTE] > It's preferable to use a complete build and capture instead of the Sysprep and Capture task sequence. A complete build and capture can be automated, whereas Sysprep and Capture can't. - -- **Standard Client task sequence.** The most frequently used task sequence. Used for creating reference images and for deploying clients in production. -- **Standard Client Replace task sequence.** Used to run User State Migration Tool (USMT) backup and the optional full Windows Imaging (WIM) backup action. Can also be used to do a secure wipe of a machine that is going to be decommissioned. -- **Custom task sequence.** As the name implies, a custom task sequence with only one default action (one Install Application action). -- **Standard Server task sequence.** The default task sequence for deploying operating system images to servers. The main difference between this template and the Standard Client task sequence template is that it doesn't contain any USMT actions because USMT isn't supported on servers. -- **Lite Touch OEM task sequence.** Used to preload operating systems images on the computer hard drive. Typically used by computer original equipment manufacturers (OEMs) but some enterprise organizations also use this feature. -- **Post OS Installation task sequence.** A task sequence prepared to run actions after the operating system has been deployed. Useful for server deployments but not often used for client deployments. -- **Deploy to VHD Client task sequence.** Similar to the Standard Client task sequence template but also creates a virtual hard disk (VHD) file on the target computer and deploys the image to the VHD file. -- **Deploy to VHD Server task sequence.** Same as the Deploy to VHD Client task sequence but for servers. -- **Standard Client Upgrade task sequence.** A simple task sequence template used to perform an in-place upgrade from Windows 7, Windows 8, or Windows 8.1 directly to Windows 10, automatically preserving existing data, settings, applications, and drivers. + +- **Standard Client task sequence**: The most frequently used task sequence. Used for creating reference images and for deploying clients in production. + +- **Standard Client Replace task sequence**: Used to run User State Migration Tool (USMT) backup and the optional full Windows Imaging (WIM) backup action. Can also be used to do a secure wipe of a machine that is going to be decommissioned. + +- **Custom task sequence**: As the name implies, a custom task sequence with only one default action (one Install Application action). + +- **Standard Server task sequence**: The default task sequence for deploying operating system images to servers. The main difference between this template and the Standard Client task sequence template is that it doesn't contain any USMT actions because USMT isn't supported on servers. + +- **Lite Touch OEM task sequence**: Used to preload operating systems images on the computer hard drive. Typically used by computer original equipment manufacturers (OEMs) but some enterprise organizations also use this feature. + +- **Post OS Installation task sequence**: A task sequence prepared to run actions after the operating system has been deployed. Useful for server deployments but not often used for client deployments. + +- **Deploy to VHD Client task sequence**: Similar to the Standard Client task sequence template but also creates a virtual hard disk (VHD) file on the target computer and deploys the image to the VHD file. + +- **Deploy to VHD Server task sequence**: Same as the Deploy to VHD Client task sequence but for servers. + +- **Standard Client Upgrade task sequence**: A simple task sequence template used to perform an in-place upgrade from Windows 7, Windows 8, or Windows 8.1 directly to Windows 10, automatically preserving existing data, settings, applications, and drivers. ## Selection profiles Selection profiles, which are available in the Advanced Configuration node, provide a way to filter content in the Deployment Workbench. Selection profiles are used for several purposes in the Deployment Workbench and in Lite Touch deployments. For example, they can be used to: + - Control which drivers and packages are injected into the Lite Touch (and generic) boot images. - Control which drivers are injected during the task sequence. - Control what is included in any media that you create. @@ -161,8 +191,8 @@ Selection profiles, which are available in the Advanced Configuration node, prov MDT uses many log files during operating system deployments. By default the logs are client side, but by configuring the deployment settings, you can have MDT store them on the server, as well. -**Note** -The easiest way to view log files is to use Configuration Manager Trace (CMTrace), which is included in the [Configuration Manager Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=734717). +> [!NOTE] +> The easiest way to view log files is to use Configuration Manager Trace (CMTrace), which is included in the [Configuration Manager Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=734717). ## Monitoring @@ -170,4 +200,4 @@ On the deployment share, you also can enable monitoring. After you enable monito ## See next -[Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md) +- [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md) diff --git a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md index 874e591992..e5eb7ae010 100644 --- a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md +++ b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md @@ -11,13 +11,14 @@ ms.topic: article ms.technology: itpro-deploy ms.collection: - highpri -ms.date: 10/28/2022 +ms.date: 11/28/2022 --- # Prepare for deployment with MDT -**Applies to** -- Windows 10 +**Applies to:** + +- Windows 10 This article will walk you through the steps necessary to prepare your network and server infrastructure to deploy Windows 10 with the Microsoft Deployment Toolkit (MDT). It covers the installation of the necessary system prerequisites, the creation of shared folders and service accounts, and the configuration of security permissions in the file system and in Active Directory. @@ -28,25 +29,34 @@ The procedures in this guide use the following names and infrastructure. ### Network and servers For the purposes of this article, we'll use three server computers: **DC01**, **MDT01**, and **HV01**. -- All servers are running Windows Server 2019. - - You can use an earlier version of Windows Server with minor modifications to some procedures. - - Note: Although MDT supports Windows Server 2008 R2, at least Windows Server 2012 R2 or later is required to perform the procedures in this guide. -- **DC01** is a domain controller, DHCP server, and DNS server for contoso.com, representing the fictitious Contoso Corporation. + +- All servers are running Windows Server 2019. + + - You can use an earlier version of Windows Server with minor modifications to some procedures. + +- **DC01** is a domain controller, DHCP server, and DNS server for **contoso.com**, representing the fictitious Contoso Corporation. + - **MDT01** is a domain member server in contoso.com with a data (D:) drive that can store at least 200 GB. MDT01 will host deployment shares and run the Windows Deployment Service. Optionally, MDT01 is also a WSUS server. - - A second MDT server (**MDT02**) configured identically to MDT01 is optionally used to [build a distributed environment](build-a-distributed-environment-for-windows-10-deployment.md) for Windows 10 deployment. This server is located on a different subnet than MDT01 and has a different default gateway. + + - A second MDT server (**MDT02**) configured identically to MDT01 is optionally used to [build a distributed environment](build-a-distributed-environment-for-windows-10-deployment.md) for Windows 10 deployment. This server is located on a different subnet than MDT01 and has a different default gateway. + - **HV01** is a Hyper-V host computer that is used to build a Windows 10 reference image. - - See [Hyper-V requirements](#hyper-v-requirements) below for more information about HV01. + - See [Hyper-V requirements](#hyper-v-requirements) below for more information about HV01. ### Client computers Several client computers are referenced in this guide with hostnames of PC0001 to PC0007. - **PC0001**: A computer running Windows 10 Enterprise x64, fully patched with the latest security updates, and configured as a member in the contoso.com domain. + - Client name: PC0001 - IP Address: DHCP + - **PC0002**: A computer running Windows 7 SP1 Enterprise x64, fully patched with the latest security updates, and configured as a member in the contoso.com domain. This computer is referenced during the migration scenarios. + - Client name: PC0002 - IP Address: DHCP + - **PC0003 - PC0007**: These are other client computers similar to PC0001 and PC0002 that are used in this guide and another guide for various scenarios. The device names are incremented for clarity within each scenario. For example, PC0003 and PC0004 are running Windows 7 just like PC0002, but are used for Configuration Manager refresh and replace scenarios, respectively. ### Storage requirements @@ -59,15 +69,15 @@ If you don't have access to a Hyper-V server, you can install Hyper-V on a Windo ### Network requirements -All server and client computers referenced in this guide are on the same subnet. This isn't required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates. +All server and client computers referenced in this guide are on the same subnet. This isn't required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates. ### Domain credentials The following generic credentials are used in this guide. You should replace these credentials as they appear in each procedure with your credentials. -**Active Directory domain name**: contoso.com
    -**Domain administrator username**: administrator
    -**Domain administrator password**: pass@word1 +- **Active Directory domain name**: contoso.com +- **Domain administrator username**: administrator +- **Domain administrator password**: pass@word1 ### Organizational unit structure @@ -82,33 +92,39 @@ These steps assume that you have the MDT01 member server running and configured On **MDT01**: Visit the [Download and install the Windows ADK](/windows-hardware/get-started/adk-install) page and download the following items to the **D:\\Downloads\\ADK** folder on MDT01 (you'll need to create this folder): + - [The Windows ADK for Windows 10](https://go.microsoft.com/fwlink/?linkid=2086042) - [The Windows PE add-on for the ADK](https://go.microsoft.com/fwlink/?linkid=2087112) - [The Windows System Image Manager (WSIM) 1903 update](https://go.microsoft.com/fwlink/?linkid=2095334) - (Optional) [The MDT_KB4564442 patch for BIOS firmware](https://download.microsoft.com/download/3/0/6/306AC1B2-59BE-43B8-8C65-E141EF287A5E/KB4564442/MDT_KB4564442.exe) - - This patch is needed to resolve a bug that causes detection of BIOS-based machines as UEFI-based machines. If you have a UEFI deployment, you don't need this patch. + - This patch is needed to resolve a bug that causes detection of BIOS-based machines as UEFI-based machines. If you have a UEFI deployment, you don't need this patch. ->[!TIP] ->You might need to temporarily disable IE Enhanced Security Configuration for administrators in order to download files from the Internet to the server. This setting can be disabled by using Server Manager (Local Server/Properties). +> [!TIP] +> You might need to temporarily disable IE Enhanced Security Configuration for administrators in order to download files from the Internet to the server. This setting can be disabled by using Server Manager (Local Server/Properties). 1. On **MDT01**, ensure that you're signed in as an administrator in the CONTOSO domain. - - For the purposes of this guide, we're using a Domain Admin account of **administrator** with a password of pass@word1. You can use your own administrator username and password as long as you properly adjust all steps in this guide that use these login credentials. + + - For the purposes of this guide, we're using a Domain Admin account of **administrator** with a password of **pass@word1**. You can use your own administrator username and password as long as you properly adjust all steps in this guide that use these login credentials. + 2. Start the **ADK Setup** (D:\\Downloads\\ADK\\adksetup.exe), select **Next** twice to accept the default installation parameters, select **Accept** to accept the license agreement, and then on the **Select the features you want to install** page accept the default list of features by clicking **Install**. This will install deployment tools and the USMT. Verify that the installation completes successfully before moving to the next step. + 3. Start the **WinPE Setup** (D:\\Downloads\\ADK\\adkwinpesetup.exe), select **Next** twice to accept the default installation parameters, select **Accept** to accept the license agreement, and then on the **Select the features you want to install** page select **Install**. This will install Windows PE for x86, AMD64, ARM, and ARM64. Verify that the installation completes successfully before moving to the next step. + 4. Extract the **WSIM 1903 update** (D:\\Downloads\ADK\\WSIM1903.zip) and then run the **UpdateWSIM.bat** file. - You can confirm that the update is applied by viewing properties of the ImageCat.exe and ImgMgr.exe files at **C:\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Deployment Tools\\WSIM** and verifying that the **Details** tab displays a **File version** of **10.0.18362.144** or later. -5. If you downloaded the optional MDT_KB4564442 patch for BIOS based deployment, see [this support article](https://support.microsoft.com/en-us/topic/windows-10-deployments-fail-with-microsoft-deployment-toolkit-on-computers-with-bios-type-firmware-70557b0b-6be3-81d2-556f-b313e29e2cb7) for instructions on how to install the patch. + +5. If you downloaded the optional MDT_KB4564442 patch for BIOS based deployment, see [this support article](https://support.microsoft.com/topic/windows-10-deployments-fail-with-microsoft-deployment-toolkit-on-computers-with-bios-type-firmware-70557b0b-6be3-81d2-556f-b313e29e2cb7) for instructions on how to install the patch. ## Install and initialize Windows Deployment Services (WDS) On **MDT01**: 1. Open an elevated Windows PowerShell prompt and enter the following command: - + ```powershell Install-WindowsFeature -Name WDS -IncludeManagementTools - WDSUTIL /Verbose /Progress /Initialize-Server /Server:MDT01 /RemInst:"D:\RemoteInstall" - WDSUTIL /Set-Server /AnswerClients:All + WDSUTIL.exe /Verbose /Progress /Initialize-Server /Server:MDT01 /RemInst:"D:\RemoteInstall" + WDSUTIL.exe /Set-Server /AnswerClients:All ``` ## Optional: Install Windows Server Update Services (WSUS) @@ -117,26 +133,32 @@ If you wish to use MDT as a WSUS server using the Windows Internal Database (WID To install WSUS on MDT01, enter the following at an elevated Windows PowerShell prompt: - ```powershell - Install-WindowsFeature -Name UpdateServices, UpdateServices-WidDB, UpdateServices-Services, UpdateServices-RSAT, UpdateServices-API, UpdateServices-UI - cmd /c "C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall CONTENT_DIR=C:\WSUS - ``` +```powershell +Install-WindowsFeature -Name UpdateServices, UpdateServices-WidDB, UpdateServices-Services, UpdateServices-RSAT, UpdateServices-API, UpdateServices-UI +"C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall CONTENT_DIR=C:\WSUS +``` ->To use the WSUS that you have installed on MDT01, you must also [configure Group Policy](../update/waas-manage-updates-wsus.md#configure-automatic-updates-and-update-service-location) on DC01 and perform the neccessary post-installation configuration of WSUS on MDT01. +> [!NOTE] +> To use the WSUS that you have installed on MDT01, you must also [configure Group Policy](../update/waas-manage-updates-wsus.md#configure-automatic-updates-and-update-service-location) on DC01 and perform the necessary post-installation configuration of WSUS on MDT01. ## Install MDT ->[!NOTE] ->MDT installation requires the following: ->- The Windows ADK for Windows 10 (installed in the previous procedure) ->- Windows PowerShell ([version 5.1](https://www.microsoft.com/download/details.aspx?id=54616) is recommended; type **$host** to check) ->- Microsoft .NET Framework +> [!NOTE] +> MDT installation requires the following: +> +> - The Windows ADK for Windows 10 (installed in the previous procedure) +> - Windows PowerShell ([version 5.1](https://www.microsoft.com/download/details.aspx?id=54616) is recommended; enter `$host` to check) +> - Microsoft .NET Framework On **MDT01**: -1. Visit the [MDT resource page](/mem/configmgr/mdt/) and select **Download MDT**. -2. Save the **MicrosoftDeploymentToolkit_x64.msi** file to the D:\\Downloads\\MDT folder on MDT01. - - **Note**: As of the publishing date for this guide, the current version of MDT is 8456 (6.3.8456.1000), but a later version will also work. +1. Visit the [MDT resource page](/mem/configmgr/mdt/) and select **Download MDT**. + +2. Save the **MicrosoftDeploymentToolkit_x64.msi** file to the D:\\Downloads\\MDT folder on MDT01. + + > [!NOTE] + > As of the publishing date for this guide, the current version of MDT is 8456 (6.3.8456.1000), but a later version will also work. + 3. Install **MDT** (D:\\Downloads\\MDT\\MicrosoftDeploymentToolkit_x64.exe) with the default settings. ## Create the OU structure @@ -186,20 +208,27 @@ To use the Active Directory Users and Computers console (instead of PowerShell): On **DC01**: -1. Using the Active Directory Users and Computers console (dsa.msc), in the contoso.com domain level, create a top-level OU named **Contoso**. -2. In the **Contoso** OU, create the following OUs: - 1. Accounts - 2. Computers - 3. Groups -3. In the **Contoso / Accounts** OU, create the following underlying OUs: - 1. Admins - 2. Service Accounts - 3. Users -4. In the **Contoso / Computers** OU, create the following underlying OUs: - 1. Servers - 2. Workstations -5. In the **Contoso / Groups** OU, create the following OU: - 1. Security Groups +1. Using the Active Directory Users and Computers console (dsa.msc), in the contoso.com domain level, create a top-level OU named **Contoso**. + +2. In the **Contoso** OU, create the following OUs: + + - Accounts + - Computers + - Groups + +3. In the **Contoso / Accounts** OU, create the following underlying OUs: + + - Admins + - Service Accounts + - Users + +4. In the **Contoso / Computers** OU, create the following underlying OUs: + + - Servers + - Workstations + +5. In the **Contoso / Groups** OU, create the following OU: + - Security Groups The final result of either method is shown below. The **MDT_BA** account will be created next. @@ -212,6 +241,7 @@ To create an MDT build account, open an elevated Windows PowerShell prompt on DC ```powershell New-ADUser -Name MDT_BA -UserPrincipalName MDT_BA -path "OU=Service Accounts,OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM" -Description "MDT Build Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -PasswordNeverExpires $true -Enabled $true ``` + If you have the Active Directory Users and Computers console open you can refresh the view and see this new account in the **Contoso\Accounts\Service Accounts** OU as shown in the screenshot above. ## Create and share the logs folder @@ -220,8 +250,9 @@ By default MDT stores the log files locally on the client. In order to capture a On **MDT01**: -1. Sign in as **CONTOSO\\administrator**. -2. Create and share the **D:\\Logs** folder by running the following commands in an elevated Windows PowerShell prompt: +1. Sign in as **CONTOSO\\administrator**. + +2. Create and share the **D:\\Logs** folder by running the following commands in an elevated Windows PowerShell prompt: ```powershell New-Item -Path D:\Logs -ItemType directory @@ -235,7 +266,7 @@ See the following example: ## Use CMTrace to read log files (optional) -The log files in MDT Lite Touch are formatted to be read by Configuration Manager Trace ([CMTrace](/sccm/core/support/cmtrace)), which is available as part of the [Microsoft System 2012 R2 Center Configuration Manager Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=734717). You should also download this tool. +The log files in MDT Lite Touch are formatted to be read by Configuration Manager Trace ([CMTrace](/sccm/core/support/cmtrace)), which is available as part of the [Microsoft System 2012 R2 Center Configuration Manager Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=734717). You should also download this tool. You can use Notepad (example below): ![figure 8.](../images/mdt-05-fig09.png) @@ -252,8 +283,9 @@ When you've completed all the steps in this section to prepare for deployment, s ## Appendix -**Sample files** +### Sample files The following sample files are also available to help automate some MDT deployment tasks. This guide doesn't use these files, but they're made available here so you can see how some tasks can be automated with Windows PowerShell. + - [Set-OUPermissions.ps1](https://go.microsoft.com/fwlink/p/?LinkId=619362). This sample Windows PowerShell script creates a domain account and then configures OU permissions to allow the account to join machines to the domain in the specified OU. - [MDTSample.zip](https://go.microsoft.com/fwlink/p/?LinkId=619363). This sample web service shows you how to configure a computer name dynamically using MDT. diff --git a/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md b/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md index 13c28f34bf..b38d0d58a8 100644 --- a/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md +++ b/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md @@ -9,17 +9,19 @@ ms.localizationpriority: medium author: frankroj ms.topic: article ms.technology: itpro-deploy -ms.date: 10/28/2022 +ms.date: 11/28/2022 --- # Refresh a Windows 7 computer with Windows 10 -**Applies to** -- Windows 10 +**Applies to:** + +- Windows 10 This article will show you how to use MDT Lite Touch Installation (LTI) to upgrade a Windows 7 computer to a Windows 10 computer using the online computer refresh process. The computer refresh scenario is a reinstallation of an updated operating system on the same computer. You can also use this procedure to reinstall the same OS version. In this article, the computer refresh will be done while the computer is online. MDT also supports an offline computer refresh. For more info on that scenario, see the USMTOfflineMigration property on the [MDT resource page](/mem/configmgr/mdt/). -For the purposes of this article, we'll use three computers: DC01, MDT01, and PC0001. +For the purposes of this article, we'll use three computers: DC01, MDT01, and PC0001. + - DC01 is a domain controller for the contoso.com domain. - MDT01 is domain member server that hosts your deployment share. - PC0001 is a domain member computer running a previous version of Windows that is going to be refreshed to a new version of Windows 10, with data and settings restored. The example used here is a computer running Windows 7 SP1. @@ -27,7 +29,6 @@ For the purposes of this article, we'll use three computers: DC01, MDT01, and PC Both DC01 and MDT01 are running Windows Server 2019; however any supported version of Windows Server can be used. For more information on the setup for this article, see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md). ![computers.](../images/mdt-04-fig01.png "Computers used in this topic") - The computers used in this article. ## The computer refresh process @@ -36,26 +37,26 @@ A computer refresh isn't the same as an in-place upgrade because a computer refr For a computer refresh with MDT, you use the User State Migration Tool (USMT), which is part of the Windows Assessment and Deployment Kit (ADK) for Windows 10, to migrate user data and settings. To complete a computer refresh, you will: -1. Back up data and settings locally, in a backup folder. -2. Wipe the partition, except for the backup folder. -3. Apply the new operating system image. -4. Install other applications. -5. Restore data and settings. +1. Back up data and settings locally, in a backup folder. +2. Wipe the partition, except for the backup folder. +3. Apply the new operating system image. +4. Install other applications. +5. Restore data and settings. During the computer refresh, USMT uses a feature called Hard-Link Migration Store. When you use this feature, the files are linked in the file system, which allows for fast migration, even when there's many files. ->[!NOTE] ->In addition to the USMT backup, you can enable an optional full Windows Imaging (WIM) backup of the machine by configuring the MDT rules. If you do this, a .wim file is created in addition to the USMT backup. The .wim file contains the entire volume from the computer and helpdesk personnel can extract content from it if needed. Please note that this is a data WIM backup only. Using this backup to restore the entire computer is not a supported scenario. - +> [!NOTE] +> In addition to the USMT backup, you can enable an optional full Windows Imaging (WIM) backup of the machine by configuring the MDT rules. If you do this, a .wim file is created in addition to the USMT backup. The .wim file contains the entire volume from the computer and helpdesk personnel can extract content from it if needed. Please note that this is a data WIM backup only. Using this backup to restore the entire computer is not a supported scenario. + ### Multi-user migration By default, ScanState in USMT backs up all profiles on the machine, including local computer profiles. If you have a computer that has been in your environment for a while, it likely has several domain-based profiles on it, including those of former users. You can limit which profiles are backed up by configuring command-line switches to ScanState (added as rules in MDT). -For example, the following line configures USMT to migrate only domain user profiles and not profiles from the local SAM account database: ScanStateArgs=/ue:\*\\\* /ui:CONTOSO\\\* +For example, the following line configures USMT to migrate only domain user profiles and not profiles from the local SAM account database: `ScanStateArgs=/ue:*\* /ui:CONTOSO\*` + +> [!NOTE] +> You also can combine the preceding switches with the /uel switch, which excludes profiles that have not been accessed within a specific number of days. For example, adding /uel:60 will configure ScanState (or LoadState) not to include profiles that haven't been accessed for more than 60 days. ->[!NOTE] ->You also can combine the preceding switches with the /uel switch, which excludes profiles that have not been accessed within a specific number of days. For example, adding /uel:60 will configure ScanState (or LoadState) not to include profiles that haven't been accessed for more than 60 days. - ### Support for additional settings In addition to the command-line switches that control which profiles to migrate, [XML templates](../usmt/understanding-migration-xml-files.md) control exactly what data is being migrated. You can control data within and outside the user profiles. @@ -72,45 +73,50 @@ In this section, we assume that you've already performed the prerequisite proced - [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) - [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md) -It's also assumed that you have a domain member client computer named PC0001 in your environment running Windows 7, 8.1 or 10 that is ready for a refresh to the latest version of Windows 10. For demonstration purposes, we'll be refreshing a Windows 7 SP1 PC to Windows 10, version 1909. - +It's also assumed that you have a domain member client computer named PC0001 in your environment running Windows 7, 8.1 or 10 that is ready for a refresh to the latest version of Windows 10. For demonstration purposes, we'll be refreshing a Windows 7 SP1 PC to Windows 10, version 1909. + ### Upgrade (refresh) a Windows 7 SP1 client ->[!IMPORTANT] ->Domain join details [specified in the deployment share rules](deploy-a-windows-10-image-using-mdt.md#configure-the-rules) will be used to rejoin the computer to the domain during the refresh process. If the Windows 7 client is domain-jonied in a different OU than the one specified by MachineObjectOU, the domain join process will initially fail and then retry without specifying an OU. If the domain account that is specified (ex: **MDT_JD**) has [permissions limited to a specific OU](deploy-a-windows-10-image-using-mdt.md#step-1-configure-active-directory-permissions) then the domain join will ultimately fail, the refresh process will proceed, and the client computer object will be orphaned in Active Directory. In the current guide, computer objects should be located in Contoso > Computers > Workstations. Use the Active Directory Users and Computers console to review the location of computer objects and move them if needed. To diagnose MDT domain join errors, see **ZTIDomainJoin.log** in the C:\Windows\Temp\DeploymentLogs directory on the client computer. +> [!IMPORTANT] +> Domain join details [specified in the deployment share rules](deploy-a-windows-10-image-using-mdt.md#configure-the-rules) will be used to rejoin the computer to the domain during the refresh process. If the Windows 7 client is domain-jonied in a different OU than the one specified by MachineObjectOU, the domain join process will initially fail and then retry without specifying an OU. If the domain account that is specified (ex: **MDT_JD**) has [permissions limited to a specific OU](deploy-a-windows-10-image-using-mdt.md#step-1-configure-active-directory-permissions) then the domain join will ultimately fail, the refresh process will proceed, and the client computer object will be orphaned in Active Directory. In the current guide, computer objects should be located in **Contoso** > **Computers** > **Workstations**. Use the Active Directory Users and Computers console to review the location of computer objects and move them if needed. To diagnose MDT domain join errors, see **ZTIDomainJoin.log** in the C:\Windows\Temp\DeploymentLogs directory on the client computer. + +1. On PC0001, sign in as **contoso\\Administrator** and start the Lite Touch Deploy Wizard by opening **\\\\MDT01\\MDTProduction$\\Scripts\\Litetouch.vbs**. -1. On PC0001, sign in as **contoso\\Administrator** and start the Lite Touch Deploy Wizard by opening **\\\\MDT01\\MDTProduction$\\Scripts\\Litetouch.vbs**. 2. Complete the deployment guide using the following settings: - - * Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Custom Image - * Computer name: <default> - * Specify where to save a complete computer backup: Don't back up the existing computer - >[!NOTE] - >Skip this optional full WIM backup that we are choosing not to perform. The USMT backup will still run. - * Select one or more applications to install: Install - Adobe Reader + + - Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Custom Image + + - **Computer name**: *\* + + - **Specify where to save a complete computer backup**: Don't back up the existing computer + + > [!NOTE] + > Skip this optional full WIM backup that we are choosing not to perform. The USMT backup will still run. + + - **Select one or more applications to install**: Install - Adobe Reader ![Computer refresh.](../images/fig2-taskseq.png "Start the computer refresh") -4. Setup starts and performs the following actions: - - * Backs up user settings and data using USMT. - * Installs the Windows 10 Enterprise x64 operating system. - * Installs any added applications. - * Updates the operating system using your local Windows Server Update Services (WSUS) server. - * Restores user settings and data using USMT. +3. Setup starts and performs the following actions: -5. You can monitor progress of the deployment using the deployment workbench on MDT01. See the following example: + - Backs up user settings and data using USMT. + - Installs the Windows 10 Enterprise x64 operating system. + - Installs any added applications. + - Updates the operating system using your local Windows Server Update Services (WSUS) server. + - Restores user settings and data using USMT. + +4. You can monitor progress of the deployment using the deployment workbench on MDT01. See the following example: ![monitor deployment.](../images/monitor-pc0001.png) -6. After the refresh process completes, sign in to the Windows 10 computer and verify that user accounts, data and settings were migrated. +5. After the refresh process completes, sign in to the Windows 10 computer and verify that user accounts, data and settings were migrated. ## Related articles -[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
    -[Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md)
    -[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
    -[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
    -[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
    -[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
    -[Configure MDT settings](configure-mdt-settings.md) +- [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md) +- [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md) +- [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) +- [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md) +- [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md) +- [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md) +- [Configure MDT settings](configure-mdt-settings.md) diff --git a/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md b/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md index 8476e0e4ed..b240a4f426 100644 --- a/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md +++ b/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md @@ -10,26 +10,27 @@ ms.localizationpriority: medium author: frankroj ms.topic: article ms.technology: itpro-deploy -ms.date: 10/28/2022 +ms.date: 11/28/2022 --- # Replace a Windows 7 computer with a Windows 10 computer -**Applies to** -- Windows 10 +**Applies to:** -A computer replace scenario for Windows 10 is similar to a computer refresh for Windows 10. However, because you're replacing a device, you can't store the backup on the old computer. Instead you need to store the backup to a location where the new computer can read it. The User State Migration Tool (USMT) will be used to back up and restore data and settings. +- Windows 10 + +A computer replace scenario for Windows 10 is similar to a computer refresh for Windows 10. However, because you're replacing a device, you can't store the backup on the old computer. Instead you need to store the backup to a location where the new computer can read it. The User State Migration Tool (USMT) will be used to back up and restore data and settings. + +For the purposes of this article, we'll use four computers: DC01, MDT01, PC0002, and PC0007. -For the purposes of this article, we'll use four computers: DC01, MDT01, PC0002, and PC0007. - DC01 is a domain controller for the contoso.com domain. - MDT01 is domain member server that hosts your deployment share. -- PC0002 is an old computer running Windows 7 SP1 that will be replaced by PC0007. +- PC0002 is an old computer running Windows 7 SP1 that will be replaced by PC0007. - PC0007 is a new computer will have the Windows 10 OS installed prior to data from PC0002 being migrated. Both PC0002 and PC0007 are members of the contoso.com domain. For more details on the setup for this article, see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md). ![The computers used in this topic.](../images/mdt-03-fig01.png) - The computers used in this article. >HV01 is also used in this topic to host the PC0007 virtual machine for demonstration purposes, however typically PC0007 is a physical computer. @@ -43,7 +44,9 @@ The computers used in this article. On **MDT01**: 1. Open the Deployment Workbench, under **Deployment Shares** right-click **MDT Production**, select **Properties**, and then select the **Rules** tab. + 2. Change the **SkipUserData=YES** option to **NO**, and select **OK**. + 3. Right-click on **MDT Production** and select **Update Deployment Share**. Then select **Next**, **Next**, and **Finish** to complete the Update Deployment Share Wizard with the default settings. ### Create and share the MigData folder @@ -51,23 +54,25 @@ On **MDT01**: On **MDT01**: 1. Create and share the **D:\\MigData** folder by running the following three commands in an elevated Windows PowerShell prompt: - ``` powershell + + ```powershell New-Item -Path D:\MigData -ItemType directory New-SmbShare -Name MigData$ -Path D:\MigData -ChangeAccess EVERYONE icacls D:\MigData /grant '"MDT_BA":(OI)(CI)(M)' ``` - ### Create a backup only (replace) task sequence -2. In Deployment Workbench, under the **MDT Production** deployment share, select the **Task Sequences** node and create a new folder named **Other**. +### Create a backup only (replace) task sequence -3. Right-click the **Other** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: +1. In Deployment Workbench, under the **MDT Production** deployment share, select the **Task Sequences** node and create a new folder named **Other**. - * Task sequence ID: REPLACE-001 - * Task sequence name: Backup Only Task Sequence - * Task sequence comments: Run USMT to back up user data and settings - * Template: Standard Client Replace Task Sequence +2. Right-click the **Other** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: -4. In the **Other** folder, double-click **Backup Only Task Sequence**, and then in the **Task Sequence** tab, review the sequence. Notice that it only contains a subset of the normal client task sequence actions. + - Task sequence ID: REPLACE-001 + - Task sequence name: Backup Only Task Sequence + - Task sequence comments: Run USMT to back up user data and settings + - Template: Standard Client Replace Task Sequence + +3. In the **Other** folder, double-click **Backup Only Task Sequence**, and then in the **Task Sequence** tab, review the sequence. Notice that it only contains a subset of the normal client task sequence actions. ![The Backup Only Task Sequence action list.](../images/mdt-03-fig02.png "The Backup Only Task Sequence action list") @@ -77,36 +82,39 @@ On **MDT01**: During a computer replace, the following are the high-level steps that occur: -1. On the computer you're replacing, a special replace task sequence runs the USMT backup and, if you configured it, runs the optional full Windows Imaging (WIM) backup. -2. On the new computer, you perform a standard bare-metal deployment. At the end of the bare-metal deployment, the USMT backup from the old computer is restored. +1. On the computer you're replacing, a special replace task sequence runs the USMT backup and, if you configured it, runs the optional full Windows Imaging (WIM) backup. + +2. On the new computer, you perform a standard bare-metal deployment. At the end of the bare-metal deployment, the USMT backup from the old computer is restored. ### Run the replace task sequence On **PC0002**: -1. Sign in as **CONTOSO\\Administrator** and verify that you have write access to the **\\\\MDT01\\MigData$** share. -2. Run **\\\\MDT01\\MDTProduction$\\Scripts\\LiteTouch.vbs**. -3. Complete the Windows Deployment Wizard using the following settings: +1. Sign in as **CONTOSO\\Administrator** and verify that you have write access to the **\\\\MDT01\\MigData$** share. - 1. Select a task sequence to execute on this computer: Backup Only Task Sequence - * Specify where to save your data and settings: Specify a location - * Location: \\\\MDT01\\MigData$\\PC0002 - - >[!NOTE] - >If you are replacing the computer at a remote site you should create the MigData folder on MDT02 and use that share instead. - - 2. Specify where to save a complete computer backup: Don't back up the existing computer +2. Run **\\\\MDT01\\MDTProduction$\\Scripts\\LiteTouch.vbs**. + +3. Complete the **Windows Deployment Wizard** using the following settings: + + - **Select a task sequence to execute on this computer**: Backup Only Task Sequence + + - **Specify where to save your data and settings**: Specify a location + + - **Location**: \\\\MDT01\\MigData$\\PC0002 + + > [!NOTE] + > If you are replacing the computer at a remote site you should create the MigData folder on MDT02 and use that share instead. + + - **Specify where to save a complete computer backup**: Don't back up the existing computer The task sequence will now run USMT (Scanstate.exe) to capture user data and settings of the computer. ![The new task sequence.](../images/mdt-03-fig03.png "The new task sequence") - The new task sequence running the Capture User State action on PC0002. -4. On **MDT01**, verify that you have a USMT.MIG compressed backup file in the **D:\\MigData\\PC0002\\USMT** folder. +4. On **MDT01**, verify that you have a USMT.MIG compressed backup file in the **D:\\MigData\\PC0002\\USMT** folder. ![The USMT backup.](../images/mdt-03-fig04.png "The USMT backup") - The USMT backup of PC0002. ### Deploy the replacement computer @@ -115,37 +123,37 @@ To demonstrate deployment of the replacement computer, HV01 is used to host a vi On **HV01**: -1. Create a virtual machine with the following settings: +1. Create a virtual machine with the following settings: - * Name: PC0007 - * Location: C:\\VMs - * Generation: 2 - * Memory: 2048 MB - * Hard disk: 60 GB (dynamic disk) - * Install an operating system from a network-based installation server + - **Name**: PC0007 + - **Location**: C:\\VMs + - **Generation**: 2 + - **Memory**: 2048 MB + - **Hard disk**: 60 GB (dynamic disk) + - Install an operating system from a network-based installation server -2. Start the PC0007 virtual machine, and press **Enter** to start the Pre-Boot Execution Environment (PXE) boot. The VM will now load the Windows PE boot image from MDT01 (or MDT02 if at a remote site). +2. Start the PC0007 virtual machine, and press **Enter** to start the Pre-Boot Execution Environment (PXE) boot. The VM will now load the Windows PE boot image from MDT01 (or MDT02 if at a remote site). ![The initial PXE boot process.](../images/mdt-03-fig05.png "The initial PXE boot process") The initial PXE boot process of PC0007. -3. After Windows Preinstallation Environment (Windows PE) has booted, complete the Windows Deployment Wizard using the following settings: +3. After Windows Preinstallation Environment (Windows PE) has booted, complete the Windows Deployment Wizard using the following settings: - * Select a task sequence to execute on this computer: - * Windows 10 Enterprise x64 RTM Custom Image - * Computer Name: PC0007 - * Move Data and Settings: Don't move user data and settings. - * User Data (Restore) > Specify a location: \\\\MDT01\\MigData$\\PC0002 - * Applications: Adobe > Install - Adobe Reader + - Select a task sequence to execute on this computer: + - Windows 10 Enterprise x64 RTM Custom Image + - **Computer Name**: PC0007 + - **Move Data and Settings**: Don't move user data and settings. + - **User Data (Restore)** > **Specify a location**: \\\\MDT01\\MigData$\\PC0002 + - **Applications**: Adobe > Install - Adobe Reader -4. Setup now starts and does the following actions: +4. Setup now starts and does the following actions: - * Partitions and formats the disk. - * Installs the Windows 10 Enterprise operating system. - * Installs the application. - * Updates the operating system via your local Windows Server Update Services (WSUS) server. - * Restores the USMT backup from PC0002. + - Partitions and formats the disk. + - Installs the Windows 10 Enterprise operating system. + - Installs the application. + - Updates the operating system via your local Windows Server Update Services (WSUS) server. + - Restores the USMT backup from PC0002. You can view progress of the process by clicking the Monitoring node in the Deployment Workbench on MDT01. @@ -153,9 +161,9 @@ You can view progress of the process by clicking the Monitoring node in the Depl ## Related articles -[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
    -[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
    -[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
    -[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
    -[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
    -[Configure MDT settings](configure-mdt-settings.md) +- [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md) +- [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) +- [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md) +- [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md) +- [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) +- [Configure MDT settings](configure-mdt-settings.md) diff --git a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md index c4b88adeaf..b8460e77a7 100644 --- a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md +++ b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md @@ -10,7 +10,7 @@ author: frankroj ms.topic: article ms.custom: seo-marvel-mar2020 ms.technology: itpro-deploy -ms.date: 10/28/2022 +ms.date: 11/28/2022 --- # Set up MDT for BitLocker @@ -18,6 +18,7 @@ ms.date: 10/28/2022 This article will show you how to configure your environment for BitLocker, the disk volume encryption built into Windows 10 Enterprise and Windows 10 Pro, using MDT. BitLocker in Windows 10 has two requirements in regard to an operating system deployment: - A protector, which can either be stored in the Trusted Platform Module (TPM) chip, or stored as a password. Technically, you can also use a USB stick to store the protector, but it's not a practical approach as the USB stick can be lost or stolen. We, therefore, recommend that you instead use a TPM chip and/or a password. + - Multiple partitions on the hard drive. To configure your environment for BitLocker, you'll need to do the following actions: @@ -29,10 +30,8 @@ To configure your environment for BitLocker, you'll need to do the following act > [!NOTE] > Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery password in Active Directory. For more information about this feature, see [Backing Up BitLocker and TPM Recovery Information to AD DS](/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds). -If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker. - -> [!NOTE] -> Backing up TPM to Active Directory was supported only on Windows 10 version 1507 and 1511. +> +> If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker. For the purposes of this article, we'll use DC01, a domain controller that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more information on the setup for this article, see [Deploy Windows 10 with the Microsoft Deployment Toolkit](./prepare-for-windows-deployment-with-mdt.md). @@ -54,18 +53,24 @@ The BitLocker Recovery information on a computer object in the contoso.com domai The BitLocker Drive Encryption Administration Utilities are added as features via Server Manager (or Windows PowerShell): 1. On DC01, log on as **CONTOSO\\Administrator**, and, using Server Manager, select **Add roles and features**. + 2. On the **Before you begin** page, select **Next**. + 3. On the **Select installation type** page, select **Role-based or feature-based installation**, and select **Next**. + 4. On the **Select destination server** page, select **DC01.contoso.com** and select **Next**. + 5. On the **Select server roles** page, select **Next**. + 6. On the **Select features** page, expand **Remote Server Administration Tools**, expand **Feature Administration Tools**, select the following features, and then select **Next**: + 1. BitLocker Drive Encryption Administration Utilities 2. BitLocker Drive Encryption Tools 3. BitLocker Recovery Password Viewer + 7. On the **Confirm installation selections** page, select **Install**, and then select **Close**. ![figure 3.](../images/mdt-09-fig03.png) - Selecting the BitLocker Drive Encryption Administration Utilities. ### Create the BitLocker Group Policy @@ -73,32 +78,41 @@ Selecting the BitLocker Drive Encryption Administration Utilities. Following these steps, you enable the backup of BitLocker and TPM recovery information to Active Directory. You also enable the policy for the TPM validation profile. 1. On DC01, using Group Policy Management, right-click the **Contoso** organizational unit (OU), and select **Create a GPO in this domain, and Link it here**. + 2. Assign the name **BitLocker Policy** to the new Group Policy. -3. Expand the **Contoso** OU, right-click the **BitLocker Policy**, and select **Edit**. Configure the following policy settings: - Computer Configuration / Policies / Administrative Templates / Windows Components / BitLocker Drive Encryption / Operating System Drives - 1. Enable the **Choose how BitLocker-protected operating system drives can be recovered** policy, and configure the following settings: - 1. Allow data recovery agent (default) - 2. Save BitLocker recovery information to Active Directory Domain Services (default) - 3. Don't enable BitLocker until recovery information is stored in AD DS for operating system drives - 2. Enable the **Configure TPM platform validation profile for BIOS-based firmware configurations** policy. - 3. Enable the **Configure TPM platform validation profile for native UEFI firmware configurations** policy. + +3. Expand the **Contoso** OU, right-click the **BitLocker Policy**, and select **Edit**. Configure the following policy settings found under **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** + + 1. Enable the **Choose how BitLocker-protected operating system drives can be recovered** policy, and configure the following settings: + + - Allow data recovery agent (default) + - Save BitLocker recovery information to Active Directory Domain Services (default) + - Don't enable BitLocker until recovery information is stored in AD DS for operating system drives + + 2. Enable the **Configure TPM platform validation profile for BIOS-based firmware configurations** policy. + + 3. Enable the **Configure TPM platform validation profile for native UEFI firmware configurations** policy. > [!NOTE] -> If you consistently get the error "Windows BitLocker Drive Encryption Information. The system boot information has changed since BitLocker was enabled. You must supply a BitLocker recovery password to start this system." after encrypting a computer with BitLocker, you might have to change the various "Configure TPM platform validation profile" Group Policies, as well. Whether or not you need to do this will depend on the hardware you are using. +> If you consistently get the error: +> +> **Windows BitLocker Drive Encryption Information. The system boot information has changed since BitLocker was enabled. You must supply a BitLocker recovery password to start this system.** +> +> after encrypting a computer with BitLocker, you might have to change the various **Configure TPM platform validation profile** Group Policies, as well. Whether or not you need to do this will depend on the hardware you are using. ### Set permissions in Active Directory for BitLocker In addition to the Group Policy created previously, you need to configure permissions in Active Directory to be able to store the TPM recovery information. In these steps, we assume you've downloaded the [Add-TPMSelfWriteACE.vbs script](https://raw.githubusercontent.com/DeploymentArtist/DF4/master/BitLocker%20and%20TPM/Add-TPMSelfWriteACE.vbs) to C:\\Setup\\Scripts on DC01. 1. On DC01, start an elevated PowerShell prompt (run as Administrator). + 2. Configure the permissions by running the following command: - ```dos - cscript C:\Setup\Scripts\Add-TPMSelfWriteACE.vbs + ```cmd + cscript.exe C:\Setup\Scripts\Add-TPMSelfWriteACE.vbs ``` ![figure 4.](../images/mdt-09-fig04.png) - Running the Add-TPMSelfWriteACE.vbs script on DC01. ## Add BIOS configuration tools from Dell, HP, and Lenovo @@ -113,7 +127,7 @@ If you want to automate enabling the TPM chip as part of the deployment process, The HP tools are part of HP System Software Manager. The executable file from HP is named BiosConfigUtility.exe. This utility uses a configuration file for the BIOS settings. Here's a sample command to enable TPM and set a BIOS password using the BiosConfigUtility.exe tool: -```dos +```cmd BIOSConfigUtility.EXE /SetConfig:TPMEnable.REPSET /NewAdminPassword:Password1234 ``` @@ -135,7 +149,7 @@ Embedded Security Device Availability The Lenovo tools are a set of VBScripts available as part of the Lenovo BIOS Setup using Windows Management Instrumentation Deployment Guide. Lenovo also provides a separate download of the scripts. Here's a sample command to enable TPM using the Lenovo tools: -```dos +```cmd cscript.exe SetConfig.vbs SecurityChip Active ``` @@ -146,21 +160,24 @@ When configuring a task sequence to run any BitLocker tool, either directly or u In the following task sequence, we added five actions: - **Check TPM Status.** Runs the ZTICheckforTPM.wsf script to determine if TPM is enabled. Depending on the status, the script will set the TPMEnabled and TPMActivated properties to either true or false. + - **Configure BIOS for TPM.** Runs the vendor tools (in this case, HP, Dell, and Lenovo). To ensure this action is run only when necessary, add a condition so the action is run only when the TPM chip isn't already activated. Use the properties from the ZTICheckforTPM.wsf. > [!NOTE] > It is common for organizations to wrap these tools in scripts to get additional logging and error handling. - **Restart computer.** Self-explanatory, reboots the computer. + - **Check TPM Status.** Runs the ZTICheckforTPM.wsf script one more time. + - **Enable BitLocker.** Runs the built-in action to activate BitLocker. ## Related articles -[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
    -[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
    -[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
    -[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
    -[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
    -[Use web services in MDT](use-web-services-in-mdt.md)
    -[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md) +- [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) +- [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md) +- [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) +- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) +- [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md) +- [Use web services in MDT](use-web-services-in-mdt.md) +- [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md) diff --git a/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md b/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md index 39b4f39cc5..b9a293d1de 100644 --- a/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md +++ b/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md @@ -9,7 +9,7 @@ ms.localizationpriority: medium author: frankroj ms.topic: article ms.technology: itpro-deploy -ms.date: 10/28/2022 +ms.date: 11/28/2022 --- # Simulate a Windows 10 deployment in a test environment @@ -19,7 +19,9 @@ This article will walk you through the process of creating a simulated environme ## Test environment - A Windows 10 client named **PC0001** will be used to simulate deployment. The client is joined to the contoso.com domain and has access to the Internet to required download tools and scripts. + - It's assumed that you've performed (at least) the following procedures so that you have an MDT service account and an MDT production deployment share: + - [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md) - [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) - [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md) @@ -29,6 +31,7 @@ This article will walk you through the process of creating a simulated environme On **PC0001**: 1. Sign as **contoso\\Administrator**. + 2. Copy the following to a PowerShell script named gather.ps1 and copy it to a directory named **C:\MDT** on PC0001. ```powershell @@ -48,15 +51,22 @@ On **PC0001**: ``` 3. Download and install the free [Configuration Manager Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=734717) on PC0001 so that you have access to the Configuration Manager Trace (cmtrace.exe) tool. + 4. Using Local Users and Groups (lusrmgr.msc), add the **contoso\\MDT\_BA** user account to the local **Administrators** group. + 5. Sign off, and then sign on to PC0001 as **contoso\\MDT\_BA**. + 6. Open the **\\\\MDT01\\MDTProduction$\\Scripts** folder and copy the following files to **C:\\MDT**: - 1. ZTIDataAccess.vbs - 2. ZTIGather.wsf - 3. ZTIGather.xml - 4. ZTIUtility.vbs + + - ZTIDataAccess.vbs + - ZTIGather.wsf + - ZTIGather.xml + - ZTIUtility.vbs + 7. From the **\\\\MDT01\\MDTProduction$\\Control** folder, copy the CustomSettings.ini file to **C:\\MDT**. + 8. In the **C:\\MDT** folder, create a subfolder named **X64**. + 9. From the **\\\\MDT01\\MDTProduction$\\Tools\\X64** folder, copy the Microsoft.BDD.Utility.dll file to **C:\\MDT\\X64**. ![files.](../images/mdt-09-fig06.png) @@ -64,27 +74,30 @@ On **PC0001**: The C:\\MDT folder with the files added for the simulation environment. 10. Type the following at an elevated Windows PowerShell prompt: - ``` powershell + + ```powershell Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process -Force Set-Location C:\MDT .\Gather.ps1 ``` + When prompted, press **R** to run the gather script. 11. Review the ZTIGather.log in the **C:\\MININT\\SMSOSD\\OSDLOGS** folder using CMTrace. - **Note** - Warnings or errors regarding the Wizard.hta are expected. If the log file looks okay, you're ready to try a real deployment. - + + > [!NOTE] + > Warnings or errors regarding the Wizard.hta are expected. If the log file looks okay, you're ready to try a real deployment. + ![ztigather.](../images/mdt-09-fig07.png) The ZTIGather.log file from PC0001. ## Related articles -[Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
    -[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
    -[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
    -[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
    -[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
    -[Use web services in MDT](use-web-services-in-mdt.md)
    -[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md) +- [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md) +- [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) +- [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md) +- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) +- [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md) +- [Use web services in MDT](use-web-services-in-mdt.md) +- [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md) diff --git a/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md index f7438e3a79..83c7037743 100644 --- a/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md +++ b/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md @@ -9,76 +9,90 @@ ms.localizationpriority: medium author: frankroj ms.topic: article ms.technology: itpro-deploy -ms.date: 10/28/2022 +ms.date: 11/28/2022 --- # Perform an in-place upgrade to Windows 10 with MDT -**Applies to** -- Windows 10 +**Applies to:** -The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. +- Windows 10 ->[!TIP] ->In-place upgrade is the preferred method to use when migrating from Windows 10 to a later release of Windows 10, and is also a preferred method for upgrading from Windows 7 or 8.1 if you do not plan to significantly change the device's configuration or applications. MDT includes an in-place upgrade task sequence template that makes the process really simple. +The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. + +> [!TIP] +> In-place upgrade is the preferred method to use when migrating from Windows 10 to a later release of Windows 10, and is also a preferred method for upgrading from Windows 7 or 8.1 if you do not plan to significantly change the device's configuration or applications. MDT includes an in-place upgrade task sequence template that makes the process really simple. In-place upgrade differs from [computer refresh](refresh-a-windows-7-computer-with-windows-10.md) in that you can't use a custom image to perform the in-place upgrade. In this article, we'll add a default Windows 10 image to the production deployment share specifically to perform an in-place upgrade. -Three computers are used in this article: DC01, MDT01, and PC0002. +Three computers are used in this article: DC01, MDT01, and PC0002. - DC01 is a domain controller for the contoso.com domain -- MDT01 is a domain member server +- MDT01 is a domain member server - PC0002 is a domain member computer running Windows 7 SP1, targeted for the Windows 10 upgrade ![computers.](../images/mdt-upgrade.png) - The computers used in this article. ->[!NOTE] ->For details about the setup for the procedures in this article, please see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md). - +> [!NOTE] +> For details about the setup for the procedures in this article, please see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md). +> >If you have already completed all the steps in [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md), then you already have a production deployment share and you can skip to [Add Windows 10 Enterprise x64 (full source)](#add-windows-10-enterprise-x64-full-source). ## Create the MDT production deployment share On **MDT01**: -1. Ensure you're signed on as: contoso\administrator. +1. Ensure you're signed on as **contoso\administrator**. + 2. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**. + 3. On the **Path** page, in the **Deployment share path** text box, type **D:\\MDTProduction** and select **Next**. + 4. On the **Share** page, in the **Share name** text box, type **MDTProduction$** and select **Next**. + 5. On the **Descriptive Name** page, in the **Deployment share description** text box, type **MDT Production** and select **Next**. + 6. On the **Options** page, accept the default settings and select **Next** twice, and then select **Finish**. + 7. Using File Explorer, verify that you can access the **\\\\MDT01\\MDTProduction$** share. ## Add Windows 10 Enterprise x64 (full source) ->If you have already have a Windows 10 [reference image](create-a-windows-10-reference-image.md) in the **MDT Build Lab** deployment share, you can use the deployment workbench to copy and paste this image from the MDT Build Lab share to the MDT Production share and skip the steps in this section. +> [!NOTE] +> If you have already have a Windows 10 [reference image](create-a-windows-10-reference-image.md) in the **MDT Build Lab** deployment share, you can use the deployment workbench to copy and paste this image from the MDT Build Lab share to the MDT Production share and skip the steps in this section. On **MDT01**: 1. Sign in as contoso\\administrator and copy the content of a Windows 10 Enterprise x64 DVD/ISO to the **D:\\Downloads\\Windows 10 Enterprise x64** folder on MDT01, or just insert the DVD or mount an ISO on MDT01. + 2. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Production**. + 3. Right-click the **Operating Systems** node, and create a new folder named **Windows 10**. + 4. Expand the **Operating Systems** node, right-click the **Windows 10** folder, and select **Import Operating System**. Use the following settings for the Import Operating System Wizard: + - Full set of source files - - Source directory: (location of your source files) - - Destination directory name: W10EX64RTM + - **Source directory**: (location of your source files) + - **Destination directory name**: `W10EX64RTM` + 5. After adding the operating system, in the **Operating Systems / Windows 10** folder, double-click it and change the name to: **Windows 10 Enterprise x64 RTM Default Image**. ## Create a task sequence to upgrade to Windows 10 Enterprise On **MDT01**: -1. Using the Deployment Workbench, select **Task Sequences** in the **MDT Production** node, then create a folder named **Windows 10**. -2. Right-click the new **Windows 10** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: - - Task sequence ID: W10-X64-UPG - - Task sequence name: Windows 10 Enterprise x64 RTM Upgrade - - Template: Standard Client Upgrade Task Sequence - - Select OS: Windows 10 Enterprise x64 RTM Default Image - - Specify Product Key: Don't specify a product key at this time - - Organization: Contoso - - Admin Password: Don't specify an Administrator password at this time +1. Using the Deployment Workbench, select **Task Sequences** in the **MDT Production** node, then create a folder named **Windows 10**. + +2. Right-click the new **Windows 10** folder and select **New Task Sequence**. Use the following settings for the **New Task Sequence Wizard**: + + - **Task sequence ID**: W10-X64-UPG + - **Task sequence name**: Windows 10 Enterprise x64 RTM Upgrade + - **Template**: Standard Client Upgrade Task Sequence + - **Select OS**: Windows 10 Enterprise x64 RTM Default Image + - **Specify Product Key**: Don't specify a product key at this time + - **Organization**: Contoso + - **Admin Password**: Don't specify an Administrator password at this time ## Perform the Windows 10 upgrade @@ -87,24 +101,24 @@ To initiate the in-place upgrade, perform the following steps on PC0002 (the dev On **PC0002**: 1. Start the MDT deployment wizard by running the following command: **\\\\MDT01\\MDTProduction$\\Scripts\\LiteTouch.vbs** -2. Select the **Windows 10 Enterprise x64 RTM Upgrade** task sequence, and then select **Next**. + +2. Select the **Windows 10 Enterprise x64 RTM Upgrade** task sequence, and then select **Next**. + 3. Select one or more applications to install (will appear if you use custom image): Install - Adobe Reader + 4. On the **Ready** tab, select **Begin** to start the task sequence. - When the task sequence begins, it automatically initiates the in-place upgrade process by invoking the Windows setup program (Setup.exe) with the necessary command-line parameters to perform an automated upgrade, which preserves all data, settings, apps, and drivers. + +When the task sequence begins, it automatically initiates the in-place upgrade process by invoking the Windows setup program (Setup.exe) with the necessary command-line parameters to perform an automated upgrade, which preserves all data, settings, apps, and drivers. ![upgrade1.](../images/upgrademdt-fig5-winupgrade.png) -
    - ![upgrade2.](../images/mdt-upgrade-proc.png) -
    - ![upgrade3.](../images/mdt-post-upg.png) After the task sequence completes, the computer will be fully upgraded to Windows 10. ## Related articles -[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)
    -[Microsoft Deployment Toolkit downloads and resources](/mem/configmgr/mdt/) +- [Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md) +- [Microsoft Deployment Toolkit downloads and resources](/mem/configmgr/mdt/) diff --git a/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md b/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md index f4fe3ef970..141bdd8589 100644 --- a/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md +++ b/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md @@ -9,39 +9,50 @@ ms.localizationpriority: medium author: frankroj ms.topic: article ms.technology: itpro-deploy +ms.date: 11/28/2022 --- # Use Orchestrator runbooks with MDT This article will show you how to integrate Microsoft System Center 2012 R2 Orchestrator with MDT to replace the existing web services that are used in deployment solutions. + MDT can integrate with System Center 2012 R2 Orchestrator, which is a component that ties the Microsoft System Center products together, as well as other products from both Microsoft and third-party vendors. The difference between using Orchestrator and "normal" web services, is that with Orchestrator you have a rich drag-and-drop style interface when building the solution, and little or no coding is required. ->[!Note] ->If you are licensed to use Orchestrator, we highly recommend that you start using it. To find out more about licensing options for System Center 2012 R2 and Orchestrator, visit the [System Center 2012 R2](https://go.microsoft.com/fwlink/p/?LinkId=619553) website. - -## Orchestrator terminology +> [!NOTE] +> If you are licensed to use Orchestrator, we highly recommend that you start using it. To find out more about licensing options for System Center 2012 R2 and Orchestrator, visit the [System Center 2012 R2](https://go.microsoft.com/fwlink/p/?LinkId=619553) website. + +## Orchestrator terminology Before diving into the core details, here's a quick course in Orchestrator terminology: -- **Orchestrator Server.** This is a server that executes runbooks. -- **Runbooks.** A runbook is similar to a task sequence; it's a series of instructions based on conditions. Runbooks consist of workflow activities; an activity could be Copy File, Get User from Active Directory, or even Write to Database. -- **Orchestrator Designer.** This is where you build the runbooks. In brief, you do that by creating an empty runbook, dragging in the activities you need, and then connecting them in a workflow with conditions and subscriptions. -- **Subscriptions.** These are variables that come from an earlier activity in the runbook. So if you first execute an activity in which you type in a computer name, you can then subscribe to that value in the next activity. All these variables are accumulated during the execution of the runbook. -- **Orchestrator Console.** This is the Microsoft Silverlight-based web page you can use interactively to execute runbooks. The console listens to TCP port 81 by default. -- **Orchestrator web services.** These are the web services you use in the Microsoft Deployment Toolkit to execute runbooks during deployment. The web services listen to TCP port 82 by default. -- **Integration packs.** These provide additional workflow activities you can import to integrate with other products or solutions, like the rest of Active Directory, other System Center 2012 R2 products, or Microsoft Exchange Server, to name a few. -**Note** -To find and download additional integration packs, see [Integration Packs for System Center 2012 - Orchestrator](/previous-versions/system-center/packs/hh295851(v=technet.10)). +- **Orchestrator Server**: This is a server that executes runbooks. + +- **Runbooks**: A runbook is similar to a task sequence; it's a series of instructions based on conditions. Runbooks consist of workflow activities; an activity could be Copy File, Get User from Active Directory, or even Write to Database. + +- **Orchestrator Designer**: This is where you build the runbooks. In brief, you do that by creating an empty runbook, dragging in the activities you need, and then connecting them in a workflow with conditions and subscriptions. + +- **Subscriptions**: These are variables that come from an earlier activity in the runbook. So if you first execute an activity in which you type in a computer name, you can then subscribe to that value in the next activity. All these variables are accumulated during the execution of the runbook. + +- **Orchestrator Console**: This is the Microsoft Silverlight-based web page you can use interactively to execute runbooks. The console listens to TCP port 81 by default. + +- **Orchestrator web services**: These are the web services you use in the Microsoft Deployment Toolkit to execute runbooks during deployment. The web services listen to TCP port 82 by default. + +- **Integration packs**: These provide additional workflow activities you can import to integrate with other products or solutions, like the rest of Active Directory, other System Center 2012 R2 products, or Microsoft Exchange Server, to name a few. + +> [!NOTE] +> To find and download additional integration packs, see [Integration Packs for System Center 2012 - Orchestrator](/previous-versions/system-center/packs/hh295851(v=technet.10)). -## Create a sample runbook +## Create a sample runbook This section assumes you have Orchestrator 2012 R2 installed on a server named OR01. In this section, you create a sample runbook, which is used to log some of the MDT deployment information into a text file on OR01. 1. On OR01, using File Explorer, create the **E:\\Logfile** folder, and grant Users modify permissions (NTFS). + 2. In the **E:\\Logfile** folder, create the DeployLog.txt file. - **Note** - Make sure File Explorer is configured to show known file extensions so the file isn't named DeployLog.txt.txt. - + + > [!NOTE] + > Make sure File Explorer is configured to show known file extensions so the file isn't named DeployLog.txt.txt. + ![figure 23.](../images/mdt-09-fig23.png) Figure 23. The DeployLog.txt file. @@ -53,11 +64,16 @@ This section assumes you have Orchestrator 2012 R2 installed on a server named O Figure 24. Folder created in the Runbooks node. 4. In the **Runbooks** node, right-click the **1.0 MDT** folder, and select **New / Runbook**. + 5. On the ribbon bar, select **Check Out**. + 6. Right-click the **New Runbook** label, select **Rename**, and assign the name **MDT Sample**. + 7. Add (using a drag-and-drop operation) the following items from the **Activities** list to the middle pane: - 1. Runbook Control / Initialize Data - 2. Text File Management / Append Line + + - Runbook Control / Initialize Data + - Text File Management / Append Line + 8. Connect **Initialize Data** to **Append Line**. ![figure 25.](../images/mdt-09-fig25.png) @@ -65,6 +81,7 @@ This section assumes you have Orchestrator 2012 R2 installed on a server named O Figure 25. Activities added and connected. 9. Right-click the **Initialize Data** activity, and select **Properties** + 10. On **the Initialize Data Properties** page, select **Add**, change **Parameter 1** to **OSDComputerName**, and then select **Finish**. ![figure 26.](../images/mdt-09-fig26.png) @@ -72,8 +89,11 @@ This section assumes you have Orchestrator 2012 R2 installed on a server named O Figure 26. The Initialize Data Properties window. 11. Right-click the **Append Line** activity, and select **Properties**. + 12. On the **Append Line Properties** page, in the **File** text box, type **E:\\Logfile\\DeployLog.txt**. + 13. In the **File** encoding drop-down list, select **ASCII**. + 14. In the **Append** area, right-click inside the **Text** text box and select **Expand**. ![figure 27.](../images/mdt-09-fig27.png) @@ -87,7 +107,9 @@ This section assumes you have Orchestrator 2012 R2 installed on a server named O Figure 28. Subscribing to data. 16. In the **Published Data** window, select the **OSDComputerName** item, and select **OK**. + 17. After the **{OSDComputerName from "Initialize Data"}** text, type in **has been deployed at** and, once again, right-click and select **Subscribe / Published Data**. + 18. In the **Published Data** window, select the **Show common Published Data** check box, select the **Activity end time** item, and select **OK**. ![figure 29.](../images/mdt-09-fig29.png) @@ -95,14 +117,21 @@ This section assumes you have Orchestrator 2012 R2 installed on a server named O Figure 29. The expanded text box after all subscriptions have been added. 19. On the **Append Line Properties** page, select **Finish**. - ## Test the demo MDT runbook - After the runbook is created, you're ready to test it. -20. On the ribbon bar, select **Runbook Tester**. -21. Select **Run**, and in the **Initialize Data Parameters** dialog box, use the following setting and then select **OK**: - - OSDComputerName: PC0010 -22. Verify that all activities are green (for more information, see each target). -23. Close the **Runbook Tester**. -24. On the ribbon bar, select **Check In**. +## Test the demo MDT runbook + +After the runbook is created, you're ready to test it. + +1. On the ribbon bar, select **Runbook Tester**. + +2. Select **Run**, and in the **Initialize Data Parameters** dialog box, use the following setting and then select **OK**: + + - **OSDComputerName**: PC0010 + +3. Verify that all activities are green (for more information, see each target). + +4. Close the **Runbook Tester**. + +5. On the ribbon bar, select **Check In**. ![figure 30.](../images/mdt-09-fig30.png) @@ -110,23 +139,33 @@ Figure 30. All tests completed. ## Use the MDT demo runbook from MDT -1. On MDT01, using the Deployment Workbench, in the MDT Production deployment share, select the **Task Sequences** node, and create a folder named **Orchestrator**. -2. Right-click the **Orchestrator** node, and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: - 1. Task sequence ID: OR001 - 2. Task sequence name: Orchestrator Sample - 3. Task sequence comments: <blank> - 4. Template: Custom Task Sequence -3. In the **Orchestrator** node, double-click the **Orchestrator Sample** task sequence, and then select the **Task Sequence** tab. -4. Remove the default **Application Install** action. -5. Add a **Gather** action and select the **Gather only local data (do not process rules)** option. -6. After the **Gather** action, add a **Set Task Sequence Variable** action with the following settings: - 1. Name: Set Task Sequence Variable - 2. Task Sequence Variable: OSDComputerName - 3. Value: %hostname% -7. After the **Set Task Sequence Variable** action, add a new **Execute Orchestrator Runbook** action with the following settings: - 1. Orchestrator Server: OR01.contoso.com - 2. Use Browse to select **1.0 MDT / MDT Sample**. -8. Select **OK**. +1. On MDT01, using the Deployment Workbench, in the MDT Production deployment share, select the **Task Sequences** node, and create a folder named **Orchestrator**. + +2. Right-click the **Orchestrator** node, and select **New Task Sequence**. Use the following settings for the **New Task Sequence Wizard**: + + - **Task sequence ID**: OR001 + - **Task sequence name**: Orchestrator Sample + - **Task sequence comments**: *\* + - **Template**: Custom Task Sequence + +3. In the **Orchestrator** node, double-click the **Orchestrator Sample** task sequence, and then select the **Task Sequence** tab. + +4. Remove the default **Application Install** action. + +5. Add a **Gather** action and select the **Gather only local data (do not process rules)** option. + +6. After the **Gather** action, add a **Set Task Sequence Variable** action with the following settings: + + - **Name**: Set Task Sequence Variable + - **Task Sequence Variable**: OSDComputerName + - **Value**: %hostname% + +7. After the **Set Task Sequence Variable** action, add a new **Execute Orchestrator Runbook** action with the following settings: + + - **Orchestrator Server**: OR01.contoso.com + - Use **Browse** to select **1.0 MDT / MDT Sample**. + +8. Select **OK**. ![figure 31.](../images/mdt-09-fig31.png) @@ -135,22 +174,29 @@ Figure 31. The ready-made task sequence. ## Run the orchestrator sample task sequence Since this task sequence just starts a runbook, you can test the task sequence on the PC0001 client that you used for the MDT simulation environment. -**Note** -Make sure the account you're using has permissions to run runbooks on the Orchestrator server. For more information about runbook permissions, see [Runbook Permissions](/previous-versions/system-center/system-center-2012-R2/hh403774(v=sc.12)). - -1. On PC0001, log on as **CONTOSO\\MDT\_BA**. -2. Using an elevated command prompt (run as Administrator), type the following command: - ``` syntax - cscript \\MDT01\MDTProduction$\Scripts\Litetouch.vbs +> [!NOTE] +> Make sure the account you're using has permissions to run runbooks on the Orchestrator server. For more information about runbook permissions, see [Runbook Permissions](/previous-versions/system-center/system-center-2012-R2/hh403774(v=sc.12)). + +1. On PC0001, log on as **CONTOSO\\MDT\_BA**. + +2. Using an elevated command prompt (run as Administrator), type the following command: + + ```cmd + cscript.exe \\MDT01\MDTProduction$\Scripts\Litetouch.vbs ``` -3. Complete the Windows Deployment Wizard using the following information: - 1. Task Sequence: Orchestrator Sample - 2. Credentials: - 1. User Name: MDT\_BA - 2. Password: P@ssw0rd - 3. Domain: CONTOSO -4. Wait until the task sequence is completed and then verify that the DeployLog.txt file in the E:\\Logfile folder on OR01 was updated. + +3. Complete the **Windows Deployment Wizard** using the following information: + + 1. **Task Sequence**: Orchestrator Sample + + 2. **Credentials**: + + - **User Name**: MDT\_BA + - **Password**: P@ssw0rd + - **Domain**: CONTOSO + +4. Wait until the task sequence is completed and then verify that the DeployLog.txt file in the E:\\Logfile folder on OR01 was updated. ![figure 32.](../images/mdt-09-fig32.png) @@ -158,16 +204,10 @@ Figure 32. The ready-made task sequence. ## Related articles -[Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md) - -[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) - -[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md) - -[Simulate a Windows10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) - -[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) - -[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md) - -[Use web services in MDT](use-web-services-in-mdt.md) +- [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md) +- [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) +- [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md) +- [Simulate a Windows10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) +- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) +- [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md) +- [Use web services in MDT](use-web-services-in-mdt.md) diff --git a/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md b/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md index f4d4812ffe..61bd481d35 100644 --- a/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md +++ b/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md @@ -9,69 +9,81 @@ ms.localizationpriority: medium author: frankroj ms.topic: article ms.technology: itpro-deploy -ms.date: 10/28/2022 +ms.date: 11/28/2022 --- # Use the MDT database to stage Windows 10 deployment information This article is designed to teach you how to use the MDT database to pre-stage information on your Windows 10 deployment in a Microsoft SQL Server 2012 SP1 Express database, rather than include the information in a text file (CustomSettings.ini). You can use this process, for example, to add the client machines you want to deploy, specify their computer names and IP addresses, indicate applications to be deployed, and determine many more settings for the machines. -## Database prerequisites +## Database prerequisites MDT can use either SQL Server Express or full SQL Server. However, since the deployment database isn't large, even in large enterprise environments, we recommend using the free SQL Server 2012 SP1 Express database in your environment. ->[!NOTE] ->Be sure to enable Named Pipes when configuring the SQL Server 2012 SP1 Express database. Although it is a legacy protocol, Named Pipes has proven to work well when connecting from Windows Preinstallation Environment (Windows PE) to the SQL Server database. - -## Create the deployment database +> [!NOTE] +> Be sure to enable Named Pipes when configuring the SQL Server 2012 SP1 Express database. Although it is a legacy protocol, Named Pipes has proven to work well when connecting from Windows Preinstallation Environment (Windows PE) to the SQL Server database. + +## Create the deployment database The MDT database is by default created and managed from the Deployment Workbench. In these steps, we assume you have installed SQL Server 2012 SP1 Express on MDT01. ->[!NOTE] ->Since SQL Server 2012 SP1 Express runs by default on a separate instance (SQLEXPRESS), the SQL Server Browser service must be running, and the firewall configured to allow traffic to it. Port 1433 TCP and port 1434 UDP need to be opened for inbound traffic on MDT01. - -1. On MDT01, using Deployment Workbench, expand the MDT Production deployment share, expand **Advanced Configuration**, right-click **Database**, and select **New Database**. -2. In the New DB Wizard, on the **SQL Server Details** page, enter the following settings and select **Next**: - 1. SQL Server Name: MDT01 - 2. Instance: SQLEXPRESS - 3. Port: <blank> - 4. Network Library: Named Pipes -3. On the **Database** page, select **Create a new database**; in the **Database** field, type **MDT** and select **Next**. -4. On the **SQL Share** page, in the **SQL Share** field, type **Logs$** and select **Next**. Select **Next** again and then select **Finish**. +> [!NOTE] +> Since SQL Server 2012 SP1 Express runs by default on a separate instance (SQLEXPRESS), the SQL Server Browser service must be running, and the firewall configured to allow traffic to it. Port 1433 TCP and port 1434 UDP need to be opened for inbound traffic on MDT01. + +1. On MDT01, using Deployment Workbench, expand the MDT Production deployment share, expand **Advanced Configuration**, right-click **Database**, and select **New Database**. + +2. In the New DB Wizard, on the **SQL Server Details** page, enter the following settings and select **Next**: + + 1. SQL Server Name: MDT01 + 2. Instance: SQLEXPRESS + 3. Port: <blank> + 4. Network Library: Named Pipes + +3. On the **Database** page, select **Create a new database**; in the **Database** field, type **MDT** and select **Next**. + +4. On the **SQL Share** page, in the **SQL Share** field, type **Logs$** and select **Next**. Select **Next** again and then select **Finish**. ![figure 8.](../images/mdt-09-fig08.png) Figure 8. The MDT database added to MDT01. -## Configure database permissions +## Configure database permissions After creating the database, you need to assign permissions to it. In MDT, the account you used to run the deployment is used to access the database. In this environment, the network access account is MDT\_BA. -1. On MDT01, start SQL Server Management Studio. -2. In the **Connect to Server** dialog box, in the **Server name** list, select **MDT01\\SQLEXPRESS** and select **Connect**. -3. In the **Object Explorer** pane, expand the top-level **Security** node, right-click **Logins**, and select **New Login**. + +1. On MDT01, start SQL Server Management Studio. + +2. In the **Connect to Server** dialog box, in the **Server name** list, select **MDT01\\SQLEXPRESS** and select **Connect**. + +3. In the **Object Explorer** pane, expand the top-level **Security** node, right-click **Logins**, and select **New Login**. ![figure 9.](../images/mdt-09-fig09.png) Figure 9. The top-level Security node. -4. On the **Login - New** page, next to the **Login** name field, select **Search**, and search for **CONTOSO\\MDT\_BA**. Then in the left pane, select **User Mapping**. Select the **MDT** database, and assign the following roles: - 1. db\_datareader - 2. db\_datawriter - 3. public (default) -5. Select **OK**, and close SQL Server Management Studio. +4. On the **Login - New** page, next to the **Login** name field, select **Search**, and search for **CONTOSO\\MDT\_BA**. Then in the left pane, select **User Mapping**. Select the **MDT** database, and assign the following roles: + + 1. db\_datareader + 2. db\_datawriter + 3. public (default) + +5. Select **OK**, and close SQL Server Management Studio. ![figure 10.](../images/mdt-09-fig10.png) Figure 10. Creating the login and settings permissions to the MDT database. -## Create an entry in the database +## Create an entry in the database To start using the database, you add a computer entry and assign a description and computer name. Use the computer's MAC Address as the identifier. -1. On MDT01, using the Deployment Workbench, in the MDT Production deployment share, expand **Advanced Configuration**, and expand **Database**. -2. Right-click **Computers**, select **New**, and add a computer entry with the following settings: - 1. Description: New York Site - PC00075 - 2. MacAddress: <PC00075 MAC Address in the 00:00:00:00:00:00 format> - 3. Details Tab / OSDComputerName: PC00075 + +1. On MDT01, using the Deployment Workbench, in the MDT Production deployment share, expand **Advanced Configuration**, and expand **Database**. + +2. Right-click **Computers**, select **New**, and add a computer entry with the following settings: + + 1. Description: New York Site - PC00075 + 2. MacAddress: <PC00075 MAC Address in the 00:00:00:00:00:00 format> + 3. Details Tab / OSDComputerName: PC00075 ![figure 11.](../images/mdt-09-fig11.png) @@ -79,16 +91,10 @@ Figure 11. Adding the PC00075 computer to the database. ## Related articles -[Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md) - -[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) - -[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md) - -[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) - -[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md) - -[Use web services in MDT](use-web-services-in-mdt.md) - -[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md) +- [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md) +- [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) +- [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md) +- [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) +- [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md) +- [Use web services in MDT](use-web-services-in-mdt.md) +- [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md) diff --git a/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md b/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md index 9c9f75a03e..02770d5644 100644 --- a/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md +++ b/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md @@ -9,7 +9,7 @@ ms.localizationpriority: medium author: frankroj ms.topic: article ms.technology: itpro-deploy -ms.date: 10/28/2022 +ms.date: 11/28/2022 --- # Use web services in MDT @@ -17,79 +17,96 @@ ms.date: 10/28/2022 In this article, you'll learn how to create a simple web service that generates computer names and then configure MDT to use that service during your Windows 10 deployment. Web services provide a powerful way to assign settings during a deployment. Web services are web applications that run code on the server side, and MDT has built-in functions to call these web services. Using a web service in MDT is straightforward, but it does require that you've enabled the Web Server (IIS) role on the server. Developing web services involves some coding, but for most web services used with MDT, you can use the free Microsoft Visual Studio Express 2013 for Web. -## Create a sample web service +## Create a sample web service In these steps, we assume you have installed Microsoft Visual Studio Express 2013 for Web on PC0001 (the Windows 10 client) and downloaded the [MDT Sample Web Service](https://www.microsoft.com/download/details.aspx?id=42516) from the Microsoft Download Center and extracted it to C:\\Projects. -1. On PC0001, using Visual Studio Express 2013 for Web, open the C:\\Projects\\MDTSample\\ MDTSample.sln solution file. -2. On the ribbon bar, verify that Release is selected. -3. In the **Debug** menu, select the **Build MDTSample** action. -4. On MDT01, create a folder structure for **E:\\MDTSample\\bin**. -5. From PC0001, copy the C:\\Projects\\MDTSample\\obj\\Release\\MDTSample.dll file to the **E:\\MDTSample\\bin** folder on MDT01. -6. From PC0001, copy the following files from C:\\Projects\\MDTSample file to the **E:\\MDTSample** folder on MDT01: - 1. Web.config - 2. mdtsample.asmx -![figure 15.](../images/mdt-09-fig15.png) +1. On PC0001, using Visual Studio Express 2013 for Web, open the C:\\Projects\\MDTSample\\ MDTSample.sln solution file. -Figure 15. The sample project in Microsoft Visual Studio Express 2013 for Web. +2. On the ribbon bar, verify that Release is selected. -## Create an application pool for the web service +3. In the **Debug** menu, select the **Build MDTSample** action. + +4. On MDT01, create a folder structure for **E:\\MDTSample\\bin**. + +5. From PC0001, copy the C:\\Projects\\MDTSample\\obj\\Release\\MDTSample.dll file to the **E:\\MDTSample\\bin** folder on MDT01. + +6. From PC0001, copy the following files from C:\\Projects\\MDTSample file to the **E:\\MDTSample** folder on MDT01: + + - Web.config + - mdtsample.asmx + + ![figure 15.](../images/mdt-09-fig15.png) + + Figure 15. The sample project in Microsoft Visual Studio Express 2013 for Web. + +## Create an application pool for the web service This section assumes that you've enabled the Web Server (IIS) role on MDT01. -1. On MDT01, using Server Manager, install the **IIS Management Console** role (available under Web Server (IIS) / Management Tools). -2. Using Internet Information Services (IIS) Manager, expand the **MDT01 (CONTOSO\\Administrator)** node. If prompted with the **Do you want to get started with Microsoft Web Platform?** question, select the **Do not show this message** check box and then select **No**. -3. Right-click **Application Pools**, select **Add Application Pool**, and configure the new application pool with the following settings: - 1. Name: MDTSample - 2. .NET Framework version: .NET Framework 4.0.30319 - 3. Manage pipeline mode: Integrated - 4. Select the **Start application pool immediately** check box. - 5. Select **OK**. -![figure 16.](../images/mdt-09-fig16.png) +1. On MDT01, using Server Manager, install the **IIS Management Console** role (available under Web Server (IIS) / Management Tools). -Figure 16. The new MDTSample application. +2. Using Internet Information Services (IIS) Manager, expand the **MDT01 (CONTOSO\\Administrator)** node. If prompted with the **Do you want to get started with Microsoft Web Platform?** question, select the **Do not show this message** check box and then select **No**. -## Install the web service +3. Right-click **Application Pools**, select **Add Application Pool**, and configure the new application pool with the following settings: -1. On MDT01, using Internet Information Services (IIS) Manager, expand **Sites**, right-click **Default Web Site**, and select **Add Application**. Use the following settings for the application: - 1. Alias: MDTSample - 2. Application pool: MDTSample - 3. Physical Path: E:\\MDTSample + - **Name**: MDTSample + - **.NET Framework version**: .NET Framework 4.0.30319 + - **Manage pipeline mode**: Integrated + - Select the **Start application pool immediately** check box. + - Select **OK**. + + ![figure 16.](../images/mdt-09-fig16.png) + + Figure 16. The new MDTSample application. + +## Install the web service + +1. On MDT01, using Internet Information Services (IIS) Manager, expand **Sites**, right-click **Default Web Site**, and select **Add Application**. Use the following settings for the application: + + - **Alias**: MDTSample + - **Application pool**: MDTSample + - **Physical Path**: E:\\MDTSample ![figure 17.](../images/mdt-09-fig17.png) Figure 17. Adding the MDTSample web application. -2. In the **Default Web Site** node, select the MDTSample web application, and in the right pane, double-click **Authentication**. Use the following settings for the **Authentication** dialog box: - 1. Anonymous Authentication: Enabled - 2. ASP.NET Impersonation: Disabled +2. In the **Default Web Site** node, select the MDTSample web application, and in the right pane, double-click **Authentication**. Use the following settings for the **Authentication** dialog box: -![figure 18.](../images/mdt-09-fig18.png) + - **Anonymous Authentication**: Enabled + - **ASP.NET Impersonation**: Disabled -Figure 18. Configuring Authentication for the MDTSample web service. + ![figure 18.](../images/mdt-09-fig18.png) -## Test the web service in Internet Explorer + Figure 18. Configuring Authentication for the MDTSample web service. -1. On PC0001, using Internet Explorer, navigate to: **http://MDT01/MDTSample/mdtsample.asmx**. -2. Select the **GetComputerName** link. +## Test the web service in Internet Explorer + +1. On PC0001, using Internet Explorer, navigate to: **`http://MDT01/MDTSample/mdtsample.asmx'**. + +2. Select the **GetComputerName** link. ![figure 19.](../images/mdt-09-fig19.png) Figure 19. The MDT Sample web service. -3. On the **GetComputerName** page, type in the following settings, and select **Invoke**: - 1. Model: Hewlett-Packard - 2. SerialNumber: 123456789 -![figure 20.](../images/mdt-09-fig20.png) +3. On the **GetComputerName** page, type in the following settings, and select **Invoke**: -Figure 20. The result from the MDT Sample web service. + - **Model**: Hewlett-Packard + - **SerialNumber**: 123456789 -## Test the web service in the MDT simulation environment + ![figure 20.](../images/mdt-09-fig20.png) + + Figure 20. The result from the MDT Sample web service. + +## Test the web service in the MDT simulation environment After verifying the web service using Internet Explorer, you're ready to do the same test in the MDT simulation environment. 1. On PC0001, edit the CustomSettings.ini file in the **C:\\MDT** folder to look like the following: - ``` + + ```ini [Settings] Priority=Default, GetComputerName [Default] @@ -99,35 +116,32 @@ After verifying the web service using Internet Explorer, you're ready to do the Parameters=Model,SerialNumber OSDComputerName=string ``` + ![figure 21.](../images/mdt-09-fig21.png) Figure 21. The updated CustomSettings.ini file. 2. Save the CustomSettings.ini file. + 3. Using an elevated Windows PowerShell prompt (run as Administrator), run the following commands. Press **Enter** after each command: - ``` + + ```powershell Set-Location C:\MDT .\Gather.ps1 ``` + 4. Review the ZTIGather.log in the **C:\\MININT\\SMSOSD\\OSDLOGS** folder. -![figure 22.](../images/mdt-09-fig22.png) + ![figure 22.](../images/mdt-09-fig22.png) -Figure 22. The OSDCOMPUTERNAME value obtained from the web service. + Figure 22. The OSDCOMPUTERNAME value obtained from the web service. ## Related articles -[Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md) - -[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) - -[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md) - -[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) - -[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) - -[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md) - -[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md) - +- [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md) +- [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) +- [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md) +- [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) +- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) +- [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md) +- [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md) diff --git a/windows/deployment/deploy-windows-to-go.md b/windows/deployment/deploy-windows-to-go.md index 873c456881..0a538f15f8 100644 --- a/windows/deployment/deploy-windows-to-go.md +++ b/windows/deployment/deploy-windows-to-go.md @@ -6,16 +6,17 @@ manager: aaroncz author: frankroj ms.author: frankroj ms.prod: windows-client +ms.technology: itpro-deploy ms.topic: article ms.custom: seo-marvel-apr2020 -ms.date: 10/31/2022 +ms.date: 11/23/2022 --- # Deploy Windows To Go in your organization -**Applies to** +*Applies to:* -- Windows 10 +- Windows 10 This article helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you've reviewed the articles [Windows To Go: feature overview](planning/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this article to start your Windows To Go deployment. @@ -26,15 +27,15 @@ This article helps you to deploy Windows To Go in your organization. Before you The below list is items that you should be aware of before you start the deployment process: -* Only use recommended USB drives for Windows To Go. Use of other drives isn't supported. Check the list at [Windows To Go: feature overview](planning/windows-to-go-overview.md) for the latest USB drives certified for use as Windows To Go drives. +- Only use recommended USB drives for Windows To Go. Use of other drives isn't supported. Check the list at [Windows To Go: feature overview](planning/windows-to-go-overview.md) for the latest USB drives certified for use as Windows To Go drives. -* After you provision a new workspace, always eject a Windows To Go drive using the **Safely Remove Hardware and Eject Media** control that can be found in the notification area or in Windows Explorer. Removing the drive from the USB port without ejecting it first can cause the drive to become corrupted. +- After you provision a new workspace, always eject a Windows To Go drive using the **Safely Remove Hardware and Eject Media** control that can be found in the notification area or in Windows Explorer. Removing the drive from the USB port without ejecting it first can cause the drive to become corrupted. -* When running a Windows To Go workspace, always shut down the workspace before unplugging the drive. +- When running a Windows To Go workspace, always shut down the workspace before unplugging the drive. -* Configuration Manager SP1 and later includes support for user self-provisioning of Windows To Go drives. For more information on this deployment option, see [How to Provision Windows To Go in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/jj651035(v=technet.10)). +- Configuration Manager SP1 and later includes support for user self-provisioning of Windows To Go drives. For more information on this deployment option, see [How to Provision Windows To Go in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/jj651035(v=technet.10)). -* If you're planning on using a USB drive duplicator to duplicate Windows To Go drives, don't configure offline domain join or BitLocker on the drive. +- If you're planning on using a USB drive duplicator to duplicate Windows To Go drives, don't configure offline domain join or BitLocker on the drive. ## Basic deployment steps @@ -42,15 +43,15 @@ Unless you're using a customized operating system image, your initial Windows To Completing these steps will give you a generic Windows To Go drive that can be distributed to your users and then customized for their usage as needed. This drive is also appropriate for use with USB drive duplicators. Your specific deployment scenarios will involve more than just these basic steps but these additional deployment considerations are similar to traditional PC deployment and can be incorporated into your Windows To Go deployment plan. For more information, see [Windows Deployment Options](/previous-versions/windows/it-pro/windows-8.1-and-8/hh825230(v=win.10)). ->[!WARNING] ->If you plan to use the generic Windows To Go drive as the master drive in a USB duplicator, the drive should not be booted. If the drive has been booted inadvertently it should be reprovisioned prior to duplication. +> [!WARNING] +> If you plan to use the generic Windows To Go drive as the master drive in a USB duplicator, the drive should not be booted. If the drive has been booted inadvertently it should be reprovisioned prior to duplication. ### Create the Windows To Go workspace In this step we're creating the operating system image that will be used on the Windows To Go drives. You can use the Windows To Go Creator Wizard or you can [do this manually](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)) using a combination of Windows PowerShell and command-line tools. ->[!WARNING] ->The preferred method to create a single Windows To Go drive is to use the Windows To Go Creator Wizard included in Windows 10 Enterprise and Windows 10 Education. +> [!WARNING] +> The preferred method to create a single Windows To Go drive is to use the Windows To Go Creator Wizard included in Windows 10 Enterprise and Windows 10 Education. #### To create a Windows To Go workspace with the Windows To Go Creator Wizard @@ -58,37 +59,31 @@ In this step we're creating the operating system image that will be used on the 2. Insert the USB drive that you want to use as your Windows To Go drive into your PC. -3. Verify that the .wim file location (which can be a network share, a DVD, or a USB drive) is accessible and that it contains a valid Windows 10 Enterprise or Windows 10 Education image that has been generalized using sysprep. Many environments can use the same image for both Windows To Go and desktop deployments. +3. Verify that the `.wim` file location (which can be a network share, a DVD, or a USB drive) is accessible and that it contains a valid Windows 10 Enterprise or Windows 10 Education image that has been generalized using sysprep. Many environments can use the same image for both Windows To Go and desktop deployments. - >[!NOTE] - >For more information about .wim files, see [Windows System Image Manager (Windows SIM) Technical Reference](/previous-versions/windows/it-pro/windows-8.1-and-8/hh824929(v=win.10)). For more information about using sysprep, see [Sysprep Overview](/previous-versions/windows/it-pro/windows-8.1-and-8/hh825209(v=win.10)). + > [!NOTE] + > For more information about `.wim` files, see [Windows System Image Manager (Windows SIM) Technical Reference](/previous-versions/windows/it-pro/windows-8.1-and-8/hh824929(v=win.10)). For more information about using sysprep, see [Sysprep Overview](/previous-versions/windows/it-pro/windows-8.1-and-8/hh825209(v=win.10)). -4. Using Cortana, search for **Windows To Go** and then press **Enter**. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then select **Yes**. The **Windows To Go Creator Wizard** opens. +4. Search for **Windows To Go** and then press **Enter**. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then select **Yes**. The **Windows To Go Creator Wizard** opens. 5. On the **Choose the drive you want to use** page select the drive that represents the USB drive you inserted previously, then select **Next.** -6. On the **Choose a Windows image** page, select **Add Search Location** and then navigate to the .wim file location and select select folder. The wizard will display the installable images present in the folder; select the Windows 10 Enterprise or Windows 10 Education image you wish to use and then select **Next**. +6. On the **Choose a Windows image** page, select **Add Search Location** and then navigate to the `.wim` file location and select folder. The wizard will display the installable images present in the folder; select the Windows 10 Enterprise or Windows 10 Education image you wish to use and then select **Next**. -7. (Optional) On the **Set a BitLocker password (optional)** page, you can select **Use BitLocker with my Windows To Go Workspace** to encrypt your Windows To Go drive. If you don't wish to encrypt the drive at this time, select **Skip**. If you decide you want to add BitLocker protection later, see [Enable BitLocker protection for your Windows To Go drive](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)) for instructions. -r +7. (Optional) On the **Set a BitLocker password (optional)** page, you can select **Use BitLocker with my Windows To Go Workspace** to encrypt your Windows To Go drive. If you don't wish to encrypt the drive at this time, select **Skip**. If you decide you want to add BitLocker protection later, for instructions see [Enable BitLocker protection for your Windows To Go drive](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)). - >[!WARNING] - >If you plan to use a USB-Duplicator to create multiple Windows To Go drives, do not enable BitLocker. Drives protected with BitLocker should not be duplicated. + > [!WARNING] + > If you plan to use a USB-Duplicator to create multiple Windows To Go drives, do not enable BitLocker. Drives protected with BitLocker should not be duplicated. - If you choose to encrypt the Windows To Go drive now: + If you choose to encrypt the Windows To Go drive now, enter a password that is at least eight characters long and conforms to your organizations password complexity policy. This password will be provided before the operating system is started so any characters you use must be able to be interpreted by the firmware. Some firmware doesn't support non-ASCII characters. - - Type a password that is at least eight characters long and conforms to your organizations password complexity policy. This password will be provided before the operating system is started so any characters you use must be able to be interpreted by the firmware. Some firmware doesn't support non-ASCII characters. - - -~~~ - >[!IMPORTANT] - >The BitLocker recovery password will be saved in the documents library of the computer used to create the workspace automatically. If your organization is using Active Directory Domain Services (AD DS) to store recovery passwords it will also be saved in AD DS under the computer account of the computer used to create the workspace. This password will be used only if you need to recover access to the drive because the BitLocker password specified in the previous step is not available, such as if a password is lost or forgotten. For more information about BitLocker and AD DS, see [Active Directory Domain Services considerations](/previous-versions/windows/it-pro/windows-8.1-and-8/jj592683(v=ws.11)). -~~~ + > [!IMPORTANT] + > The BitLocker recovery password will be saved in the documents library of the computer used to create the workspace automatically. If your organization is using Active Directory Domain Services (AD DS) to store recovery passwords it will also be saved in AD DS under the computer account of the computer used to create the workspace. This password will be used only if you need to recover access to the drive because the BitLocker password specified in the previous step is not available, such as if a password is lost or forgotten. For more information about BitLocker and AD DS, see [Active Directory Domain Services considerations](/previous-versions/windows/it-pro/windows-8.1-and-8/jj592683(v=ws.11)). 8. Verify that the USB drive inserted is the one you want to provision for Windows To Go and then select **Create** to start the Windows To Go workspace creation process. - >[!WARNING] - >The USB drive identified will be reformatted as part of the Windows To Go provisioning process and any data on the drive will be erased. + > [!WARNING] + > The USB drive identified will be reformatted as part of the Windows To Go provisioning process and any data on the drive will be erased. 9. Wait for the creation process to complete, which can take 20 to 30 minutes. A completion page will be displayed that tells you when your Windows To Go workspace is ready to use. From the completion page, you can configure the Windows To Go startup options to configure the current computer as a Windows To Go host computer. @@ -98,11 +93,15 @@ Your Windows To Go workspace is now ready to be started. You can now [prepare a The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints. This procedure can only be used on PCs that are running Windows 10. Before starting, ensure that only the USB drive that you want to provision as a Windows To Go drive is connected to the PC. -1. Using Cortana, search for **powershell**, right-click **Windows PowerShell**, and then select **Run as administrator**. +1. Search for **powershell**, right-click **Windows PowerShell**, and then select **Run as administrator**. -2. In the Windows PowerShell session type, the following commands to partition a master boot record (MBR) disk for use with a FAT32 system partition and an NTFS-formatted operating system partition. This disk layout can support computers that use either UEFI or BIOS firmware: +2. In the Windows PowerShell session, enter the following commands to partition a master boot record (MBR) disk for use with a FAT32 system partition and an NTFS-formatted operating system partition. This disk layout can support computers that use either UEFI or BIOS firmware: - ``` +
    +
    + Expand to show PowerShell commands to partition an MBR disk + + ```powershell # The following command will set $Disk to all USB drives with >20 GB of storage $Disk = Get-Disk | Where-Object {$_.Path -match "USBSTOR" -and $_.Size -gt 20Gb -and -not $_.IsBoot } @@ -136,27 +135,31 @@ The following Windows PowerShell cmdlet or cmdlets perform the same function as Set-Partition -InputObject $OSPartition -NoDefaultDriveLetter $TRUE ``` +
    + 3. Next you need to apply the operating system image that you want to use with Windows To Go to the operating system partition you created on the disk (this may take 30 minutes or longer, depending on the size of the image and the speed of your USB connection). The following command shows how this can be accomplished using the [Deployment Image Servicing and Management](/windows-hardware/manufacture/desktop/dism---deployment-image-servicing-and-management-technical-reference-for-windows) command-line tool (DISM): - >[!TIP] - >The index number must be set correctly to a valid Enterprise image in the .WIM file. + > [!TIP] + > The index number must be set correctly to a valid Enterprise image in the `.wim` file. - ``` + ```cmd #The WIM file must contain a sysprep generalized image. - dism /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /index:1 /applydir:W:\ + dism.exe /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /index:1 /applydir:W:\ ``` -4. Now use the [bcdboot](/previous-versions/windows/it-pro/windows-8.1-and-8/hh824874(v=win.10)) command line tool to move the necessary boot components to the system partition on the disk. This helps ensure that the boot components, operating system versions, and architectures match. The `/f ALL` parameter indicates that boot components for UEFI and BIOS should be placed on the system partition of the disk. The following example illustrates this step: +4. Now use the [bcdboot](/previous-versions/windows/it-pro/windows-8.1-and-8/hh824874(v=win.10)) command line tool to move the necessary boot components to the system partition on the disk. This helps ensure that the boot components, operating system versions, and architectures match. The `/f ALL` parameter indicates that boot components for UEFI and BIOS should be placed on the system partition of the disk. The following example illustrates this step: -~~~ -``` -W:\Windows\System32\bcdboot W:\Windows /f ALL /s S: -``` -~~~ + ```cmd + W:\Windows\System32\bcdboot.exe W:\Windows /f ALL /s S: + ``` 5. Apply SAN policy—OFFLINE\_INTERNAL - "4" to prevent the operating system from automatically bringing online any internally connected disk. This is done by creating and saving a **san\_policy.xml** file on the disk. The following example illustrates this step: - ``` +
    +
    + Expand to show example san_policy.xml file + + ```xml @@ -186,15 +189,21 @@ W:\Windows\System32\bcdboot W:\Windows /f ALL /s S: ``` +
    + 6. Place the **san\_policy.xml** file created in the previous step into the root directory of the Windows partition on the Windows To Go drive (W: from the previous examples) and run the following command: - ``` + ```cmd Dism.exe /Image:W:\ /Apply-Unattend:W:\san_policy.xml ``` 7. Create an answer file (unattend.xml) that disables the use of Windows Recovery Environment with Windows To Go. You can use the following code sample to create a new answer file or you can paste it into an existing answer file: - ``` +
    +
    + Expand to show example san_policy.xml file + + ```xml @@ -218,10 +227,12 @@ W:\Windows\System32\bcdboot W:\Windows /f ALL /s S: ``` - After the answer file has been saved, copy unattend.xml into the sysprep folder on the Windows To Go drive (for example, W:\\Windows\\System32\\sysprep\) +
    - >[!IMPORTANT] - >Setup unattend files are processed based on their location. Setup will place a temporary unattend file into the **%systemroot%\\panther** folder which is the first location that setup will check for installation information. You should make sure that folder does not contain a previous version of an unattend.xml file to ensure that the one you just created is used. + After the answer file has been saved, copy `unattend.xml` into the sysprep folder on the Windows To Go drive (for example, `W:\Windows\System32\sysprep\`) + + > [!IMPORTANT] + > Setup unattend files are processed based on their location. Setup will place a temporary unattend file into the **`%systemroot%\panther`** folder which is the first location that setup will check for installation information. You should make sure that folder does not contain a previous version of an unattend.xml file to ensure that the one you just created is used. If you don't wish to boot your Windows To Go device on this computer and want to remove it to boot it on another PC, be sure to use the **Safely Remove Hardware and Eject Media** option to safely disconnect the drive before physically removing it from the PC. @@ -231,14 +242,14 @@ Your Windows To Go workspace is now ready to be started. You can now [prepare a Computers running Windows 8 and later can be configured as host computers that use Windows To Go automatically whenever a Windows To Go workspace is available at startup. When the Windows To Go startup options are enabled on a host computer, Windows will divert startup to the Windows To Go drive whenever it's attached to the computer. This makes it easy to switch from using the host computer to using the Windows To Go workspace. ->[!TIP] ->If you will be using a PC running Windows 7 as your host computer, see [Tips for configuring your BIOS settings to work with Windows To Go](https://go.microsoft.com/fwlink/p/?LinkId=618951) for information to help you prepare the host computer. +> [!TIP] +> If you will be using a PC running Windows 7 as your host computer, see [Tips for configuring your BIOS settings to work with Windows To Go](https://go.microsoft.com/fwlink/p/?LinkId=618951) for information to help you prepare the host computer. If you want to use the Windows To Go workspace, shut down the computer, plug in the Windows To Go drive, and turn on the computer. To use the host computer, shut down the Windows To Go workspace, unplug the Windows To Go drive, and turn on the computer. To set the Windows To Go Startup options for host computers running Windows 10: -1. Using Cortana, search for **Windows To Go startup options** and then press **Enter**. +1. Search for **Windows To Go startup options** and then press **Enter**. 2. In the **Windows To Go Startup Options** dialog box, select **Yes**, and then select **Save Changes** to configure the computer to boot from USB @@ -250,7 +261,7 @@ For host computers running Windows 8 or Windows 8.1: You can configure your organization's computers to automatically start from the USB drive by enabling the following Group Policy setting: -**\\\\Computer Configuration\\Administrative Templates\\Windows Components\\Portable Operating System\\Windows To Go Default Startup Options** +**Computer Configuration** > **Administrative Templates** > **Windows Components** > **Portable Operating System** > **Windows To Go Default Startup Options** After this policy setting is enabled, automatic starting of a Windows To Go workspace will be attempted when a USB drive is connected to the computer when it's started. Users won't be able to use the Windows To Go Startup Options to change this behavior. If you disable this policy setting, booting to Windows To Go when a USB drive is connected won't occur unless a user configures the option manually in the firmware. If you don't configure this policy setting, users who are members of the Administrators group can enable or disable booting from a USB drive using the Windows To Go Startup Options. @@ -260,13 +271,13 @@ Your host computer is now ready to boot directly into Windows To Go workspace wh After you've configured your host PC to boot from USB, you can use the following procedure to boot your Windows To Go workspace: -**To boot your workspace** +**To boot your workspace:** -1. Make sure that the host PC isn't in a sleep state. If the computer is in a sleep state, either shut it down or hibernate it. +1. Make sure that the host PC isn't in a sleep state. If the computer is in a sleep state, either shut it down or hibernate it. -2. Insert the Windows To Go USB drive directly into a USB 3.0 or USB 2.0 port on the PC. Don't use a USB hub or extender. +2. Insert the Windows To Go USB drive directly into a USB 3.0 or USB 2.0 port on the PC. Don't use a USB hub or extender. -3. Turn on the PC. If your Windows To Go drive is protected with BitLocker you'll be asked to type the password, otherwise the workspace will boot directly into the Windows To Go workspace. +3. Turn on the PC. If your Windows To Go drive is protected with BitLocker you'll be asked to enter the password, otherwise the workspace will boot directly into the Windows To Go workspace. ## Advanced deployment steps @@ -276,26 +287,26 @@ The following steps are used for more advanced deployments where you want to hav Making sure that Windows To Go workspaces are effective when used off premises is essential to a successful deployment. One of the key benefits of Windows To Go is the ability for your users to use the enterprise managed domain joined workspace on an unmanaged computer that is outside your corporate network. To enable this usage, typically you would provision the USB drive as described in the basic deployment instructions and then add the configuration to support domain joining of the workspace, installation of any line-of-business applications, and configuration of your chosen remote connectivity solution such as a virtual private network client or DirectAccess. Once these configurations have been performed the user can work from the workspace using a computer that is off-premises. The following procedure allows you to provision domain joined Windows To Go workspaces for workers that don't have physical access to your corporate network. -**Prerequisites for remote access scenario** +**Prerequisites for remote access scenario:** -- A domain-joined computer running Windows 8 or later and is configured as a Windows To Go host computer +- A domain-joined computer running Windows 8 or later and is configured as a Windows To Go host computer -- A Windows To Go drive that hasn't been booted or joined to the domain using unattend settings. +- A Windows To Go drive that hasn't been booted or joined to the domain using unattend settings. -- A domain user account with rights to add computer accounts to the domain and is a member of the Administrator group on the Windows To Go host computer +- A domain user account with rights to add computer accounts to the domain and is a member of the Administrator group on the Windows To Go host computer -- [DirectAccess](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831539(v=ws.11)) configured on the domain +- [DirectAccess](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831539(v=ws.11)) configured on the domain -**To configure your Windows To Go workspace for remote access** +**To configure your Windows To Go workspace for remote access:** 1. Start the host computer and sign in using a user account with privileges to add workstations to the domain and then run the following command from an elevated command prompt replacing the example placeholder parameters (denoted by <>) with the ones applicable for your environment: - ``` - djoin /provision /domain /machine /certtemplate /policynames /savefile /reuse + ```cmd + djoin.exe /provision /domain /machine /certtemplate /policynames /savefile /reuse ``` - >[!NOTE] - >The **/certtemplate** parameter supports the use of certificate templates for distributing certificates for DirectAccess, if your organization is not using certificate templates you can omit this parameter. Additionally, if are using djoin.exe with Windows Server 2008-based Domain Controllers, append the /downlevel switch during provisioning. For more information, see the [Offline Domain Join Step-by-Step guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd392267(v=ws.10)). + > [!NOTE] + > The **/certtemplate** parameter supports the use of certificate templates for distributing certificates for DirectAccess, if your organization is not using certificate templates you can omit this parameter. Additionally, if are using `djoin.exe` with Windows Server 2008-based Domain Controllers, append the /downlevel switch during provisioning. For more information, see the [Offline Domain Join Step-by-Step guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd392267(v=ws.10)). 2. Insert the Windows To Go drive. @@ -303,7 +314,11 @@ Making sure that Windows To Go workspaces are effective when used off premises i 4. From the Windows PowerShell command prompt run: - ``` +
    +
    + Expand this section to show PowerShell commands to run + + ```powershell # The following command will set $Disk to all USB drives with >20 GB of storage $Disk = Get-Disk | Where-Object {$_.Path -match "USBSTOR" -and $_.Size -gt 20Gb -and -not $_.IsBoot } @@ -337,27 +352,31 @@ Making sure that Windows To Go workspaces are effective when used off premises i Set-Partition -InputObject $OSPartition -NoDefaultDriveLetter $TRUE ``` +
    + 5. Next you need to apply the operating system image that you want to use with Windows To Go to the operating system partition you created on the disk (this may take 30 minutes or longer, depending on the size of the image and the speed of your USB connection). The following command shows how this can be accomplished using the [Deployment Image Servicing and Management](/windows-hardware/manufacture/desktop/dism---deployment-image-servicing-and-management-technical-reference-for-windows) command-line tool (DISM): -~~~ ->[!TIP] ->The index number must be set correctly to a valid Enterprise image in the .WIM file. + ```cmd + #The WIM file must contain a sysprep generalized image. + dism.exe /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /index:1 /applydir:W:\ + ``` -``` -#The WIM file must contain a sysprep generalized image. -dism /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /index:1 /applydir:W:\ -``` -~~~ + > [!TIP] + > The index number must be set correctly to a valid Enterprise image in the `.wim` file. 6. After those commands have completed, run the following command: - ``` - djoin /requestodj /loadfile C:\example\path\domainmetadatafile /windowspath W:\Windows + ```cmd + djoin.exe /requestodj /loadfile C:\example\path\domainmetadatafile /windowspath W:\Windows ``` 7. Next, we'll need to edit the unattend.xml file to configure the first run (OOBE) settings. In this example we're hiding the Microsoft Software License Terms (EULA) page, configuring automatic updates to install important and recommended updates automatically, and identifying this workspace as part of a private office network. You can use other OOBE settings that you've configured for your organization if desired. For more information about the OOBE settings, see [OOBE](/previous-versions/windows/it-pro/windows-8.1-and-8/ff716016(v=win.10)): - ``` +
    +
    + Expand this section to show example unattend.xml file + + ```xml @@ -391,16 +410,18 @@ dism /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /ind ``` +
    + 8. Safely remove the Windows To Go drive. 9. From a host computer, either on or off premises, start the computer and boot the Windows To Go workspace. - * If on premises using a host computer with a direct network connection, sign on using your domain credentials. + - If on premises using a host computer with a direct network connection, sign on using your domain credentials. - * If off premises, join a wired or wireless network with internet access and then sign on again using your domain credentials. + - If off premises, join a wired or wireless network with internet access and then sign on again using your domain credentials. - >[!NOTE] - >Depending on your DirectAccess configuration you might be asked to insert your smart card to log on to the domain. + > [!NOTE] + > Depending on your DirectAccess configuration you might be asked to insert your smart card to log on to the domain. You should now be able to access your organization's network resources and work from your Windows To Go workspace as you would normally work from your standard desktop computer on premises. @@ -410,17 +431,23 @@ Enabling BitLocker on your Windows To Go drive will help ensure that your data i #### Prerequisites for enabling BitLocker scenario -* A Windows To Go drive that can be successfully provisioned. +- A Windows To Go drive that can be successfully provisioned. -* A computer running Windows 8 configured as a Windows To Go host computer +- A computer running Windows 8 configured as a Windows To Go host computer -* Review the following Group Policy settings for BitLocker Drive Encryption and modify the configuration as necessary: +- Review the following Group Policy settings for BitLocker Drive Encryption and modify the configuration as necessary: - **\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives\\Require additional authentication at startup**. This policy allows the use of a password key protector with an operating system drive; this policy must be enabled to configure BitLocker from within the Windows To Go workspace. This policy setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you're using BitLocker with or without a Trusted Platform Module (TPM). You must enable this setting and select the **Allow BitLocker without a compatible TPM** check box and then enable the **Configure use of passwords for operating system drives** setting. + - **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** > **Require additional authentication at startup** - **\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives\\Configure use of passwords for operating system drives**. This policy setting enables passwords to be used to unlock BitLocker-protected operating system drives and provides the means to configure complexity and length requirements on passwords for Windows To Go workspaces. For the complexity requirement setting to be effective the Group Policy setting **Password must meet complexity requirements** located in **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\** must be also enabled. + This policy allows the use of a password key protector with an operating system drive; this policy must be enabled to configure BitLocker from within the Windows To Go workspace. This policy setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you're using BitLocker with or without a Trusted Platform Module (TPM). You must enable this setting and select the **Allow BitLocker without a compatible TPM** check box and then enable the **Configure use of passwords for operating system drives** setting. - **\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives\\Enable use of BitLocker authentication requiring preboot keyboard input on slates**. This policy setting allows users to enable authentication options that require user input from the preboot environment even if the platform indicates a lack of preboot input capability. If this setting isn't enabled, passwords can't be used to unlock BitLocker-protected operating system drives. + - **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** > **Configure use of passwords for operating system drives** + + This policy setting enables passwords to be used to unlock BitLocker-protected operating system drives and provides the means to configure complexity and length requirements on passwords for Windows To Go workspaces. For the complexity requirement setting to be effective the Group Policy setting **Password must meet complexity requirements** located in **Computer Configuration** > **Windows Settings** > **Security Settings** > **Account Policies** > **Password Policy** must be also enabled. + + - **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** > **Enable use of BitLocker authentication requiring preboot keyboard input on slates** + + This policy setting allows users to enable authentication options that require user input from the preboot environment even if the platform indicates a lack of preboot input capability. If this setting isn't enabled, passwords can't be used to unlock BitLocker-protected operating system drives. You can choose to enable BitLocker protection on Windows To Go drives before distributing them to users as part of your provisioning process or you can allow your end-users to apply BitLocker protection to them after they have taken possession of the drive. A step-by-step procedure is provided for both scenarios. @@ -432,10 +459,12 @@ Enabling BitLocker after distribution requires that your users turn on BitLocker BitLocker recovery keys are the keys that can be used to unlock a BitLocker protected drive if the standard unlock method fails. It's recommended that your BitLocker recovery keys be backed up to Active Directory Domain Services (AD DS). If you don't want to use AD DS to store recovery keys you can save recovery keys to a file or print them. How BitLocker recovery keys are managed differs depending on when BitLocker is enabled. -- If BitLocker protection is enabled during provisioning, the BitLocker recovery keys will be stored under the computer account of the computer used for provisioning the drives. If backing up recovery keys to AD DS isn't used, the recovery keys will need to be printed or saved to a file for each drive. The IT administrator must track which keys were assigned to which Windows To Go drive. +- If BitLocker protection is enabled during provisioning, the BitLocker recovery keys will be stored under the computer account of the computer used for provisioning the drives. If backing up recovery keys to AD DS isn't used, the recovery keys will need to be printed or saved to a file for each drive. The IT administrator must track which keys were assigned to which Windows To Go drive. -- **Warning** - If BitLocker is enabled after distribution, the recovery key will be backed up to AD DS under the computer account of the workspace. If backing up recovery keys to AD DS isn't used, they can be printed or saved to a file by the user. If the IT administrator wants a central record of recovery keys, a process by which the user provides the key to the IT department must be put in place. +- If BitLocker is enabled after distribution, the recovery key will be backed up to AD DS under the computer account of the workspace. If backing up recovery keys to AD DS isn't used, they can be printed or saved to a file by the user. + + > [!WARNING] + > If backing up recovery keys to AD DS isn't used and the IT administrator wants a central record of recovery keys, a process by which the user provides the key to the IT department must be put in place. #### To enable BitLocker during provisioning @@ -447,10 +476,14 @@ BitLocker recovery keys are the keys that can be used to unlock a BitLocker prot 4. Provision the Windows To Go drive using the following cmdlets: - >[!NOTE] - >If you used the [manual method for creating a workspace](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)) you should have already provisioned the Windows To Go drive. If so, you can continue on to the next step. + > [!NOTE] + > If you used the [manual method for creating a workspace](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)) you should have already provisioned the Windows To Go drive. If so, you can continue on to the next step. - ``` +
    +
    + Expand this section to show PowerShell commands to run + + ```powershell # The following command will set $Disk to all USB drives with >20 GB of storage $Disk = Get-Disk | Where-Object {$_.Path -match "USBSTOR" -and $_.Size -gt 20Gb -and -not $_.IsBoot } @@ -484,25 +517,27 @@ BitLocker recovery keys are the keys that can be used to unlock a BitLocker prot Set-Partition -InputObject $OSPartition -NoDefaultDriveLetter $TRUE ``` +
    + Next you need to apply the operating system image that you want to use with Windows To Go to the operating system partition you created on the disk (this may take 30 minutes or longer, depending on the size of the image and the speed of your USB connection). The following command shows how this can be accomplished using the [Deployment Image Servicing and Management](/windows-hardware/manufacture/desktop/dism---deployment-image-servicing-and-management-technical-reference-for-windows) command-line tool (DISM): - >[!TIP] - >The index number must be set correctly to a valid Enterprise image in the .WIM file. + > [!TIP] + > The index number must be set correctly to a valid Enterprise image in the `.wim` file. - ``` + ```cmd #The WIM file must contain a sysprep generalized image. - dism /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /index:1 /applydir:W:\ + dism.exe /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /index:1 /applydir:W:\ ``` 5. In the same PowerShell session, use the following cmdlet to add a recovery key to the drive: - ``` + ```powershell $BitlockerRecoveryProtector = Add-BitLockerKeyProtector W: -RecoveryPasswordProtector ``` 6. Next, use the following cmdlets to save the recovery key to a file: - ``` + ```powershell #The BitLocker Recovery key is essential if for some reason you forget the BitLocker password #This recovery key can also be backed up into Active Directory using manage-bde.exe or the #PowerShell cmdlet Backup-BitLockerKeyProtector. @@ -512,35 +547,34 @@ BitLocker recovery keys are the keys that can be used to unlock a BitLocker prot 7. Then, use the following cmdlets to add the password as a secure string. If you omit the password the cmdlet will prompt you for the password before continuing the operation: - ``` + ```powershell # Create a variable to store the password $spwd = ConvertTo-SecureString -String -AsplainText -Force Enable-BitLocker W: -PasswordProtector $spwd ``` - >[!WARNING] - >To have BitLocker only encrypt used space on the disk append the parameter `-UsedSpaceOnly` to the `Enable-BitLocker` cmdlet. As data is added to the drive BitLocker will encrypt additional space. Using this parameter will speed up the preparation process as a smaller percentage of the disk will require encryption. If you are in a time critical situation where you cannot wait for encryption to complete you can also safely remove the Windows To Go drive during the encryption process. The next time the drive is inserted in a computer it will request the BitLocker password. Once the password is supplied, the encryption process will continue. If you do this, make sure your users know that BitLocker encryption is still in process and that they will be able to use the workspace while the encryption completes in the background. + > [!WARNING] + > To have BitLocker only encrypt used space on the disk append the parameter `-UsedSpaceOnly` to the `Enable-BitLocker` cmdlet. As data is added to the drive BitLocker will encrypt additional space. Using this parameter will speed up the preparation process as a smaller percentage of the disk will require encryption. If you are in a time critical situation where you cannot wait for encryption to complete you can also safely remove the Windows To Go drive during the encryption process. The next time the drive is inserted in a computer it will request the BitLocker password. Once the password is supplied, the encryption process will continue. If you do this, make sure your users know that BitLocker encryption is still in process and that they will be able to use the workspace while the encryption completes in the background. 8. Copy the numerical recovery password and save it to a file in a safe location. The recovery password will be required if the password is lost or forgotten. - >[!WARNING] - >If the **Choose how BitLocker-protected removable data drives can be recovered** Group Policy setting has been configured to back up recovery information to Active Directory Domain Services, the recovery information for the drive will be stored under the account of the host computer used to apply the recovery key. + > [!WARNING] + > If the **Choose how BitLocker-protected removable data drives can be recovered** Group Policy setting has been configured to back up recovery information to Active Directory Domain Services, the recovery information for the drive will be stored under the account of the host computer used to apply the recovery key. - If you want to have the recovery information stored under the account of the Windows To Go workspace, you can turn BitLocker from within the Windows To Go workspace using the BitLocker Setup Wizard from the BitLocker Control Panel item as described in [To enable BitLocker after distribution](#enable-bitlocker). + If you want to have the recovery information stored under the account of the Windows To Go workspace, you can turn BitLocker from within the Windows To Go workspace using the BitLocker Setup Wizard from the BitLocker Control Panel item as described in [To enable BitLocker after distribution](#to-enable-bitlocker-after-distribution). 9. Safely remove the Windows To Go drive. The Windows To Go drives are now ready to be distributed to users and are protected by BitLocker. When you distribute the drives, make sure the users know the following information: -* Initial BitLocker password that they'll need to boot the drives. +- Initial BitLocker password that they'll need to boot the drives. -* Current encryption status. +- Current encryption status. -* Instructions to change the BitLocker password after the initial boot. +- Instructions to change the BitLocker password after the initial boot. -* Instructions for how to retrieve the recovery password if necessary. These instructions may be a help desk process, an automated password retrieval site, or a person to contact. +- Instructions for how to retrieve the recovery password if necessary. These instructions may be a help desk process, an automated password retrieval site, or a person to contact. - #### To enable BitLocker after distribution 1. Insert your Windows To Go drive into your host computer (that is currently shut down) and then turn on the computer and boot into your Windows To Go workspace @@ -551,8 +585,8 @@ The Windows To Go drives are now ready to be distributed to users and are protec 4. Complete the steps in the **BitLocker Setup Wizard** selecting the password protection option. ->[!NOTE] ->If you have not configured the Group Policy setting **\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives\\Require additional authentication at startup** to specify **Allow BitLocker without a compatible TPM** you will not be able to enable BitLocker from within the Windows To Go workspace. +> [!NOTE] +> If you have not configured the Group Policy setting **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** > **Require additional authentication at startup** to specify **Allow BitLocker without a compatible TPM** you will not be able to enable BitLocker from within the Windows To Go workspace. ### Advanced deployment sample script @@ -562,11 +596,11 @@ The sample script creates an unattend file that streamlines the deployment proce #### Prerequisites for running the advanced deployment sample script -* To run this sample script, you must open a Windows PowerShell session as an administrator from a domain-joined computer using an account that has permission to create domain accounts. +- To run this sample script, you must open a Windows PowerShell session as an administrator from a domain-joined computer using an account that has permission to create domain accounts. -* Using offline domain join is required by this script, since the script doesn't create a local administrator user account. However, domain membership will automatically put "Domain admins" into the local administrators group. Review your domain policies. If you're using DirectAccess, you'll need to modify the djoin.exe command to include the `policynames` and potentially the `certtemplate` parameters. +- Using offline domain join is required by this script, since the script doesn't create a local administrator user account. However, domain membership will automatically put "Domain admins" into the local administrators group. Review your domain policies. If you're using DirectAccess, you'll need to modify the `djoin.exe` command to include the `policynames` and potentially the `certtemplate` parameters. -* The script needs to use drive letters, so you can only provision half as many drives as you have free drive letters. +- The script needs to use drive letters, so you can only provision half as many drives as you have free drive letters. #### To run the advanced deployment sample script @@ -576,22 +610,26 @@ The sample script creates an unattend file that streamlines the deployment proce 3. Configure the PowerShell execution policy. By default PowerShell's execution policy is set to Restricted; that means that scripts won't run until you have explicitly given them permission to. To configure PowerShell's execution policy to allow the script to run, use the following command from an elevated PowerShell prompt: - ``` + ```powershell Set-ExecutionPolicy RemoteSigned ``` The RemoteSigned execution policy will prevent unsigned scripts from the internet from running on the computer, but will allow locally created scripts to run. For more information on execution policies, see [Set-ExecutionPolicy](/powershell/module/microsoft.powershell.security/set-executionpolicy). > [!TIP] - > To get online help for any Windows PowerShell cmdlet, whether or not it is installed locally type the following cmdlet, replacing <cmdlet-name> with the name of the cmdlet you want to see the help for: - > + > To get online help for any Windows PowerShell cmdlet, whether or not it is installed locally, enter the following cmdlet, replacing `` with the name of the cmdlet you want to see the help for: + > > `Get-Help -Online` - > + > > This command causes Windows PowerShell to open the online version of the help topic in your default Internet browser. #### Windows To Go multiple drive provisioning sample script -``` +
    +
    + Expand this section to view Windows To Go multiple drive provisioning sample script + +```powershell <# .SYNOPSIS Windows To Go multiple drive provisioning sample script. @@ -959,22 +997,23 @@ write-output "Provsioning completed in: $elapsedTime (hh:mm:ss.000)" write-output "" "Provisioning script complete." ``` +
    + ## Considerations when using different USB keyboard layouts with Windows To Go In the PowerShell provisioning script, after the image has been applied, you can add the following commands that will correctly set the keyboard settings. The following example uses the Japanese keyboard layout: -``` - reg load HKLM\WTG-Keyboard ${OSDriveLetter}:\Windows\System32\config\SYSTEM > info.log - reg add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v LayerDriver /d JPN:kbd106dll /t REG_SZ /f - reg add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v OverrideKeyboardIdentifier /d PCAT_106KEY /t REG_SZ /f - reg add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v OverrideKeyboardSubtype /d 2 /t REG_DWORD /f - reg add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v OverrideKeyboardType /d 7 /t REG_DWORD /f - reg unload HKLM\WTG-Keyboard +```cmd +reg.exe load HKLM\WTG-Keyboard ${OSDriveLetter}:\Windows\System32\config\SYSTEM > info.log +reg.exe add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v LayerDriver /d JPN:kbd106dll /t REG_SZ /f +reg.exe add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v OverrideKeyboardIdentifier /d PCAT_106KEY /t REG_SZ /f +reg.exe add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v OverrideKeyboardSubtype /d 2 /t REG_DWORD /f +reg.exe add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v OverrideKeyboardType /d 7 /t REG_DWORD /f +reg.exe unload HKLM\WTG-Keyboard ``` ## Related articles - [Windows To Go: feature overview](planning/windows-to-go-overview.md) [Windows 10 forums](https://go.microsoft.com/fwlink/p/?LinkId=618949) diff --git a/windows/deployment/deploy.md b/windows/deployment/deploy.md index 51982b85d2..6274640054 100644 --- a/windows/deployment/deploy.md +++ b/windows/deployment/deploy.md @@ -9,7 +9,7 @@ ms.prod: windows-client ms.localizationpriority: medium ms.topic: article ms.custom: seo-marvel-apr2020 -ms.date: 10/31/2022 +ms.date: 11/23/2022 ms.technology: itpro-deploy --- @@ -23,7 +23,7 @@ Windows 10 upgrade options are discussed and information is provided about plann |[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) |This article provides information about support for upgrading directly to Windows 10 from a previous operating system. | |[Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) |This article provides information about support for upgrading from one edition of Windows 10 to another. | |[Windows 10 volume license media](windows-10-media.md) |This article provides information about updates to volume licensing media in the current version of Windows 10. | -|[Manage Windows upgrades with Upgrade Readiness](/mem/configmgr/desktop-analytics/overview) |With Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they're known to Microsoft. The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. | +|[Manage Windows upgrades with Upgrade Readiness](/mem/configmgr/desktop-analytics/overview) |With Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they're known to Microsoft. The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. | |[Windows 10 deployment test lab](windows-10-poc.md) |This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After you complete this guide, more guides are provided to deploy Windows 10 in the test lab using [Microsoft Deployment Toolkit](windows-10-poc-mdt.md) or [Microsoft Configuration Manager](windows-10-poc-sc-config-mgr.md). | |[Plan for Windows 10 deployment](planning/index.md) | This section describes Windows 10 deployment considerations and provides information to help Windows 10 deployment planning. | |[Deploy Windows 10 with the Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT). | diff --git a/windows/deployment/do/TOC.yml b/windows/deployment/do/TOC.yml index 0a05966e61..6c21a68819 100644 --- a/windows/deployment/do/TOC.yml +++ b/windows/deployment/do/TOC.yml @@ -1,49 +1,67 @@ -- name: Delivery Optimization for Windows client +- name: Delivery Optimization for Windows and Microsoft Connected Cache href: index.yml +- name: What's new + href: whats-new-do.md items: - - name: Get started - items: - - name: What is Delivery Optimization - href: waas-delivery-optimization.md - - name: What's new - href: whats-new-do.md - - name: Delivery Optimization Frequently Asked Questions - href: waas-delivery-optimization-faq.yml - - - - - name: Configure Delivery Optimization +- name: Delivery Optimization + items: + - name: What is Delivery Optimization + href: waas-delivery-optimization.md + - name: Delivery Optimization Frequently Asked Questions + href: waas-delivery-optimization-faq.yml + - name: Configure Delivery Optimization for Windows + items: + - name: Windows Delivery Optimization settings + href: waas-delivery-optimization-setup.md#recommended-delivery-optimization-settings + - name: Configure Delivery Optimization settings using Microsoft Intune + href: /mem/intune/configuration/delivery-optimization-windows + - name: Resources for Delivery Optimization + items: + - name: Set up Delivery Optimization for Windows + href: waas-delivery-optimization-setup.md + - name: Delivery Optimization reference + href: waas-delivery-optimization-reference.md + - name: Delivery Optimization client-service communication + href: delivery-optimization-workflow.md + - name: Using a proxy with Delivery Optimization + href: delivery-optimization-proxy.md +- name: Microsoft Connected Cache + items: + - name: Microsoft Connected Cache overview + href: waas-microsoft-connected-cache.md + - name: MCC for Enterprise and Education items: - - name: Configure Windows Clients - items: - - name: Windows Delivery Optimization settings - href: waas-delivery-optimization-setup.md#recommended-delivery-optimization-settings - - name: Windows Delivery Optimization Frequently Asked Questions - href: ../do/waas-delivery-optimization-faq.yml - - name: Configure Microsoft Intune - items: - - name: Delivery Optimization settings in Microsoft Intune - href: /mem/intune/configuration/delivery-optimization-windows - - - name: Microsoft Connected Cache + - name: Requirements + href: mcc-enterprise-prerequisites.md + - name: Deploy Microsoft Connected Cache + href: mcc-enterprise-deploy.md + - name: Update or uninstall MCC + href: mcc-enterprise-update-uninstall.md + - name: Appendix + href: mcc-enterprise-appendix.md + - name: MCC for ISPs items: - - name: MCC overview - href: waas-microsoft-connected-cache.md - - name: MCC for Enterprise and Education - href: mcc-enterprise.md - - name: MCC for ISPs + - name: How-to guides + items: + - name: Operator sign up and service onboarding + href: mcc-isp-signup.md + - name: Create, provision, and deploy the cache node in Azure portal + href: mcc-isp-create-provision-deploy.md + - name: Verify cache node functionality and monitor health and performance + href: mcc-isp-verify-cache-node.md + - name: Update or uninstall your cache node + href: mcc-isp-update.md + - name: Resources + items: + - name: Frequently Asked Questions + href: mcc-isp-faq.yml + - name: Enhancing VM performance + href: mcc-isp-vm-performance.md + - name: Support and troubleshooting + href: mcc-isp-support.md + - name: MCC for ISPs (early preview) href: mcc-isp.md +- name: Content endpoints for Delivery Optimization and Microsoft Connected Cache + href: delivery-optimization-endpoints.md - - name: Resources - items: - - name: Set up Delivery Optimization for Windows - href: waas-delivery-optimization-setup.md - - name: Delivery Optimization reference - href: waas-delivery-optimization-reference.md - - name: Delivery Optimization client-service communication - href: delivery-optimization-workflow.md - - name: Using a proxy with Delivery Optimization - href: delivery-optimization-proxy.md - - name: Content endpoints for Delivery Optimization and Microsoft Connected Cache - href: delivery-optimization-endpoints.md - + diff --git a/windows/deployment/do/delivery-optimization-endpoints.md b/windows/deployment/do/delivery-optimization-endpoints.md index 8de2e95ad4..49b08e601c 100644 --- a/windows/deployment/do/delivery-optimization-endpoints.md +++ b/windows/deployment/do/delivery-optimization-endpoints.md @@ -34,4 +34,4 @@ This article lists the endpoints that need to be allowed through the firewall to | *.assets1.xboxlive.com, *.assets2.xboxlive.com, *.dlassets.xboxlive.com, *.dlassets2.xboxlive.com, *.d1.xboxlive.com, *.d2.xboxlive.com, *.assets.xbox.com, *.xbl-dlassets-origin.xboxlive.com, *.assets-origin.xboxlive.com, *.xvcb1.xboxlive.com, *.xvcb2.xboxlive.com, *.xvcf1.xboxlive.com, *.xvcf2.xboxlive.com | HTTP / 80 | Xbox | | Microsoft Configuration Manager Distribution Point | | *.tlu.dl.adu.microsoft.com, *.nlu.dl.adu.microsoft.com, *.dcsfe.prod.adu.microsoft.com | HTTP / 80 | Device Update | [Complete list](/azure/iot-hub-device-update/) of endpoints for Device Update updates. | Microsoft Configuration Manager Distribution Point | | *.do.dsp.mp.microsoft.com | HTTP / 80
    HTTPs / 443 | Microsoft Connected Cache -> Delivery Optimization Services communication | [Complete list](../do/waas-delivery-optimization-faq.yml) of endpoints for Delivery Optimization only. | Microsoft Connected Cache Managed in Azure | -| *.azure-devices.net, *.global.azure-devices-provisioning.net, *.azurecr.io, *.blob.core.windows.net, *.mcr.microsoft.com | AMQP / 5671
    MQTT / 8883
    HTTPs / 443 | IoT Edge / IoT Hub communication| [Complete list](/azure/iot-hub/iot-hub-devguide-protocols) of Azure IoT Hub communication protocols and ports. [Azure IoT Guide](/azure/iot-hub/iot-hub-devguide-endpoints) to understanding Azure IoT Hub endpoints. | Microsoft Connected Cache Managed in Azure | +| *.azure-devices.net, *.global.azure-devices-provisioning.net, *.azurecr.io, *.blob.core.windows.net, *.mcr.microsoft.com, github.com | AMQP / 5671
    MQTT / 8883
    HTTPs / 443 | IoT Edge / IoT Hub communication| [Complete list](/azure/iot-hub/iot-hub-devguide-protocols) of Azure IoT Hub communication protocols and ports. [Azure IoT Guide](/azure/iot-hub/iot-hub-devguide-endpoints) to understanding Azure IoT Hub endpoints. | Microsoft Connected Cache Managed in Azure | diff --git a/windows/deployment/do/delivery-optimization-proxy.md b/windows/deployment/do/delivery-optimization-proxy.md index de59da66d7..ef06dbd00a 100644 --- a/windows/deployment/do/delivery-optimization-proxy.md +++ b/windows/deployment/do/delivery-optimization-proxy.md @@ -6,9 +6,9 @@ ms.prod: windows-client author: carmenf ms.localizationpriority: medium ms.author: carmenf -ms.collection: M365-modern-desktop ms.topic: article ms.technology: itpro-updates +ms.date: 12/31/2017 --- # Using a proxy with Delivery Optimization diff --git a/windows/deployment/do/delivery-optimization-test.md b/windows/deployment/do/delivery-optimization-test.md new file mode 100644 index 0000000000..a7af3ce745 --- /dev/null +++ b/windows/deployment/do/delivery-optimization-test.md @@ -0,0 +1,209 @@ +--- +title: Testing Delivery Optimization +description: Explanation of Delivery Optimization distributed cache and high-level design. Demonstrate how Delivery Optimization peer-to-peer works in different test scenarios. +ms.date: 11/08/2022 +ms.prod: windows-client +ms.technology: itpro-updates +ms.topic: reference +ms.localizationpriority: medium +author: cmknox +ms.author: carmenf +ms.reviewer: mstewart +manager: naengler +--- + +# Testing Delivery Optimization + +## Overview + +Delivery Optimization is a powerful and useful tool to help enterprises manage bandwidth usage for downloading Microsoft content. It's a solution designed to be used in large-scale environments with large numbers of devices, various content sizes, etc. Delivery Optimization is native to Win10+ and provides default configuration to get the most out of the typical customer environment. It's used to deliver many different types of content, so Microsoft customers enjoy the best possible download experience for their environment. There are three components to Delivery Optimization, 1) HTTP downloader, 2) Peer-to-peer (P2P) cloud technology, and 3) Microsoft Connected Cache. One of the most powerful advantages of using Delivery Optimization is the ability to fine-tune settings that empower users to dial in Microsoft content delivery to meet the needs of specific environments. + +## Monitoring The Results + +Since Delivery Optimization is on by default, you'll be able to monitor the value either through the Windows Settings for ‘Delivery Optimization’, using Delivery Optimization PowerShell [cmdlets.](waas-delivery-optimization-setup.md), and/or via the [Windows Update for Business Report.](../update/wufb-reports-workbook.md) experience in Azure. + +In the case where Delivery Optimization isn't working in your environment, it's important to investigate to get to the root of the problem. We recommend a test environment be created to easily evaluate typical devices to ensure Delivery Optimization is working properly. For starters, ‘Scenario 1: Basic Setup’ should be created to test the use of Delivery Optimization between two machines. This scenario is designed to eliminate any noise in the environment to ensure there's nothing preventing Delivery Optimization from working on the devices. Once you have a baseline, you can expand the test environment for more sophisticated tests. + +## Expectations and Goals + +The focus of the testing scenarios in this article is primarily centered on demonstrating the Delivery Optimization policies centered around the successful downloading of bytes using P2P. More specifically, the goal will be to show peer to peer is working as expected, using the following criteria: + +* Peers can find each other (for example on the same LAN / subnet / Group – matching your 'Download Mode' policy). +* Files are downloading in the expected 'Download Mode' policy setting (validates connectivity to DO cloud, HTTP, and local configs). +* At least some downloads happening via P2P (validates connectivity between peers). + +Several elements that influence overall peering, using Delivery Optimization. The most common, impactful environment factors should be considered. + +* **The number of files in the cache and** **the** **number of devices have a big effect on overall peering.** There's a set number of files available for peering at a time, from each client, so the peering device may not be serving a particular file. +* **File size** **and** **internet connection** **reliability matter.** There's a Delivery Optimization setting to determine the minimum file size to use P2P. In addition, an internet connection must be open and reliable enough to let the Delivery Optimization client make cloud service API calls and download metadata files before starting a file download. +* **Delivery Optimization Policies can play a role.** In general, it's important to familiarize yourself with the Delivery Optimization settings and defaults [Delivery Optimization reference - Windows Deployment | Microsoft Docs.](waas-delivery-optimization-reference.md). + +### Delivery Optimization is a Hybrid P2P Platform + +* Delivery Optimization’s hybrid approach to downloading from multiple sources (HTTP and peer) in parallel is especially critical for large-scale environments, constantly assessing the optimal source from which to deliver the content. In conjunction, the distribution of content cache, across participating devices, contributes to Delivery Optimization’s ability to find bandwidth savings as more peers become available. + +* At the point a download is initiated, the DO client starts downloading from the HTTP source and discovering peers simultaneously. With a smaller file, most of the bytes could be downloaded from an HTTP source before connecting to a peer, even though peers are available. With a larger file and quality LAN peers, it might reduce the HTTP request rate to near zero, but only after making those initial requests from HTTP. + +* In the next section, you'll see how the two testing scenarios produce differing results in the number of bytes coming from HTTP vs. peers, which shows Delivery Optimization continuously evaluating the optimal location from which to download the content. + +## Test Scenarios + +### Scenario 1: Basic Setup + +**Goal:** +Demonstrate how Delivery Optimization peer-to-peer technology works using two machines in a controlled test environment + +**Expected Results:** +Machine 1 will download zero bytes from peers and Machine 2 will download 50-99% from peers. + +#### Test Machine Setup + +|Setup Checklist| Value/Explanation +|--------|-------------------------------| +|Number of machines used| 2 | +|Virtual Machines/physical devices| 2 | +|Windows OS version | Windows 10 (21H2) and Windows 11 (21H2) | +|RAM | 8 GB | +|Disk size | 127 GB | +|Network | Connected to same network, one that is representative of the corporate network. | +|Pause Windows Updates | This controls the test environment so no other content is made available during the test, and potentially altering the outcome of the test. If there are problems and no peering happens, use 'Get-DeliveryOptimizationStatus' on the first machine to return a real-time list of the connected peers. | +|Ensure all Store apps are up to date | This will help prevent any new, unexpected updates to download during testing. | +|Delivery Optimization 'Download Mode' Policy | 2 (Group)(set on each machine) | +|Delivery Optimization 'GroupID' Policy | Set the *same* 'GUID' on each test machine. A GUID is a required value, which can be generated using PowerShell, ‘[[guid]::NewGuid().](https://blogs.technet.microsoft.com/heyscriptingguy/2013/07/25/powertip-create-a-new-guid-by-using-powershell/)’. | +|**Required on Windows 11 devices only** set Delivery Optimization 'Restrict Peer Selection' policy | 0-NAT (set on each machine). The default behavior in Windows 11 is set to '2-Local Peer Discovery'. For testing purposes, this needs to be scoped to the NAT. | + +#### Test Instructions + +The following set of instructions will be used for each machine: + +1. Open PowerShell console as 'Administrator'. + * Clear the DO cache: 'Delete-DeliveryOptimizationCache'. + * Run 'Get-DeliveryOptimizationStatus'. +2. Open MS Store and search for 'Asphalt Legends 9'. Select *Get* to initiate the download of the content (content size: ~3.4 GB). + +**On machine #1** + +* Run 'Test Instructions' + +|Windows 10 | Windows 11 +|--------|-------------------------------| +| :::image type="content" source="images/test-scenarios/win10/m1-basic-complete.png" alt-text="Windows 10 21H2 - Machine 1 - Basic Test." lightbox="images/test-scenarios/win10/m1-basic-complete.png"::: | :::image type="content" source="images/test-scenarios/win11/m1-basic-complete.png" alt-text="Windows 11 21H2 - Machine 1 - Basic Test." lightbox="images/test-scenarios/win11/m1-basic-complete.png"::: | +| **Observations** | | +| * No peers were found on the first machine downloading the content.
    * 'TotalBytesDownloaded' is equal to the file size.
    * Status is set to 'Caching' the content so future peers can use it.
    * Download was happening in the foreground.
    * DownloadMode is set to 'Group' and no peers were found.
    * No distinct observations seen between Window 10 and Windows 11 devices. | + +*Wait 5 minutes*. + +**On machine #2** + +* Run 'Test Instructions' + +|Windows 10 | Windows 11 | +|--------|--------------------------------| +| :::image type="content" source="images/test-scenarios/win10/m2-basic-complete.png" alt-text="Windows 10 21H2 - Machine 2 - Basic Test." lightbox="images/test-scenarios/win10/m2-basic-complete.png"::: | :::image type="content" source="images/test-scenarios/win11/m2-basic-complete.png" alt-text="Windows 11 21H2 - Machine 2 - Basic Test." lightbox="images/test-scenarios/win11/m2-basic-complete.png":::| +| **Observations** | **Observations**| +| * A peer was found for the content and 87% of total bytes came from the peer.
    * One peer was found for the piece of content, which is expected as there are only two devices in the peering group.
    * Download mode was set to 'Group', but since group mode includes both LAN and Group devices, Delivery Optimization prioritizes LAN peers, if found. Therefore, 'BytesFromLanPeers' shows bytes where 'BytesFromGroupPeers' doesn't.
    * 'DownloadDuration' is roughly the same between machines.|* A peer was found for the content and 90% of total bytes came from the peer.
    * All other points are the same as Windows 10 results. | + +### Scenario 2: Advance Setup + +**Goal:** +Demonstrate how Delivery Optimization peer-to-peer technology works in a non-controlled environment and expanding to three machines +**Expected Results:** +Machine 1 will download zero bytes from peers and Machine 2 will find peers and download 50-99% from peers. Machine 3 will find two peers and download 50-99% from peers. + +#### Test Machine Setup + +|Setup Checklist| Value/Explanation | +|--------|-------------------------------| +|Number of machines used| 3 | +|Virtual Machines| 3 | +|Windows OS version | Windows 10 (21H2) | +|RAM | 8 GB | +|Disk size | 127 GB | +|Network | Connected to same network, one that is representative of the corporate network. | +|Delivery Optimization 'Download Mode' Policy| 2 (Group)(set on each machine) | +|Delivery Optimization 'Group ID' Policy| Set the *same* 'GUID' on each test machine. A GUID is required value, which can be generated using PowerShell, '[guid]::NewGuid().](https://blogs.technet.microsoft.com/heyscriptingguy/2013/07/25/powertip-create-a-new-guid-by-using-powershell/)'. | +|Delivery Optimization 'Delay background download from http' Policy | 60 (set on each machine) | +|Delivery Optimization 'Delay foreground download from http Policy |60 (set on each machine) | + +#### Testing Instructions + +The following set of instructions will be used for each machine: + +1. Clear the DO cache: ‘Delete-DeliveryOptimizationCache’. +2. Open MS Store and search for 'Asphalt Legends 9'. Select *Get* to initiate the download of the content (content size: ~3.4 GB). +3. Open PowerShell console as Administrator. Run 'Get-DeliveryOptimizationStatus'. + +**On machine #1:** + +* Run ‘Test Instructions’ + +**Output: Windows 10 (21H2)** + +![Windows 10 21H2 - Machine 1 - Advanced Test.](images/test-scenarios/win10/m1-adv-complete.png) + +**Observations** + +* The first download in the group of devices shows all bytes coming from HTTP, 'BytesFromHttp'. +* Download is in the ‘Foreground’ because the Store app is doing the download and in the foreground on the device because it is initiated by the user in the Store app. +* No peers are found. + +*Wait 5 minutes*. + +**On machine #2:** + +* Run ‘Test Instructions’ + +**Output** Windows 10 (21H2) + +![Windows 10 21H2 - Machine 2 - Advanced Test.](images/test-scenarios/win10/m2-adv-complete.png) + +**Observations** + +* 'PercentPeerCaching' is 99.8% +* There are still 'BytesFromHttp' source being used +* One peer was found +* All peering was done from device on the LAN, as shown with 'BytesFromLanPeers' + +**On machine #3:** + +* Run ‘Test Instructions’ + +**Output:** Windows 10 (21H2) + +![Windows 10 21H2 - Machine 3 - Advanced Test.](images/test-scenarios/win10/m3-adv-complete.png) + +**Observations** + +* 'PercentPeerCaching' is roughly the same as machine #2, at 99.7%. +* Now, two peers are found. +* Still downloading from HTTP source as seen with 'BytesFromHttp' value. + +## Peer sourcing observations for all machines in the test group + +The distributed nature of the Delivery Optimization technology is obvious when you rerun the ‘Get-DeliveryOptimizationStatus’ cmdlet on each of the test machines. For each, there's a new value populated for the ‘BytesToLanPeers’ field. This demonstrates that as more peers become available, the requests to download bytes are distributed across the peering group and act as the source for the peering content. Each peer plays a role in servicing the other. + +**Output:** Machine 1 + +'BytesToPeers' sourced from Machine 1 are '5704426044'. This represents the total number of bytes downloaded by the two peers in the group. + +![Windows 10 21H2 - Machine 1 - Advanced BytesToPeers Test.](images/test-scenarios/win10/m1-adv-bytes-to-peers.png) + +**Output:** Machine 2 + +'BytesToPeers' sourced from Machine 2 are '1899143740'. When there are two peers in the group with bytes available, notice that the distribution of bytes comes from either Machine 1 or Machine 2. + +![Windows 10 21H2 - Machine 2 - Advanced BytesToPeers Test.](images/test-scenarios/win10/m2-adv-bytes-to-peers.png) + +**Output:** Machine 3 + +'BytesToPeers' sourced from Machine 3 are '0'. This means that no other peers are downloading bytes from this peer, which is expected since it was the last machine in the group. + +![Windows 10 21H2 - Machine 3 - Advanced BytesToPeers Test.](images/test-scenarios/win10/m3-adv-bytes-to-peers.png) + +## Conclusion + +Using Delivery Optimization can help make a big impact in customer environments to optimize bandwidth. The peer-to-peer technology offers many configurations designed to be flexible for any organization. Delivery Optimization uses a distributed cache across different sources to ensure the most optimal download experience, while limiting the resources used on each device. + +The testing scenarios found in this document help to show a controlled test environment, helping to prevent updates from interrupting the peering results. The other, a more real-world case, demonstrates how content available across peers will be used as the source of the content. + +If there are issues found while testing, the Delivery Optimization PowerShell [cmdlets.](waas-delivery-optimization-setup.md) can be a helpful tool to help explain what is happening in the environment. diff --git a/windows/deployment/do/delivery-optimization-workflow.md b/windows/deployment/do/delivery-optimization-workflow.md index e5513df9f2..6d8accfe59 100644 --- a/windows/deployment/do/delivery-optimization-workflow.md +++ b/windows/deployment/do/delivery-optimization-workflow.md @@ -6,9 +6,9 @@ ms.prod: windows-client author: carmenf ms.localizationpriority: medium ms.author: carmenf -ms.collection: M365-modern-desktop ms.topic: article ms.technology: itpro-updates +ms.date: 12/31/2017 --- # Delivery Optimization client-service communication explained diff --git a/windows/deployment/do/images/addcachenode.png b/windows/deployment/do/images/addcachenode.png new file mode 100644 index 0000000000..ea8db2a08a Binary files /dev/null and b/windows/deployment/do/images/addcachenode.png differ diff --git a/windows/deployment/do/images/elixir_ux/readme-elixir-ux-files.md b/windows/deployment/do/images/elixir_ux/readme-elixir-ux-files.md new file mode 100644 index 0000000000..5d80bf89fd --- /dev/null +++ b/windows/deployment/do/images/elixir_ux/readme-elixir-ux-files.md @@ -0,0 +1,29 @@ +--- +title: Don't Remove images under do/images/elixir_ux - used by Azure portal Diagnose/Solve feature UI +manager: aaroncz +description: Elixir images read me file +ms.prod: windows-client +ms.mktglfcycl: deploy +audience: itpro +author: nidos +ms.author: nidos +ms.topic: article +ms.date: 12/31/2017 +ms.technology: itpro-updates +--- + +# Read Me + +This file contains the images that are included in this GitHub repository that are used by the Azure UI for Diagnose and Solve. The following images _shouldn't be removed_ from the repository: + +:::image type="content" source="ux-check-verbose-2.png" alt-text="A screenshot that shows 6 out of the 22 checks raising errors."::: + +:::image type="content" source="ux-check-verbose-1.png" alt-text="A screenshot that all checks passing after the iotedge check command."::: + +:::image type="content" source="ux-connectivity-check.png" alt-text="A screenshot of green checkmarks, showing that all of the connectivity checks are successful."::: + +:::image type="content" source="ux-edge-agent-failed.png" alt-text="A screenshot of the terminal after the command 'iotedge list', which shows three containers and the edgeAgent container failing."::: + +:::image type="content" source="ux-iot-edge-list.png" alt-text="A screenshot of the terminal after the command 'iotedge list', showing all three containers running successfully."::: + +:::image type="content" source="ux-mcc-failed.png" alt-text="A screenshot of the terminal after the command 'iotedge list', showing the MCC container in a failure state."::: \ No newline at end of file diff --git a/windows/deployment/do/images/elixir_ux/ux-check-verbose-1.png b/windows/deployment/do/images/elixir_ux/ux-check-verbose-1.png new file mode 100644 index 0000000000..692416d04c Binary files /dev/null and b/windows/deployment/do/images/elixir_ux/ux-check-verbose-1.png differ diff --git a/windows/deployment/do/images/elixir_ux/ux-check-verbose-2.png b/windows/deployment/do/images/elixir_ux/ux-check-verbose-2.png new file mode 100644 index 0000000000..5f232fe0c6 Binary files /dev/null and b/windows/deployment/do/images/elixir_ux/ux-check-verbose-2.png differ diff --git a/windows/deployment/do/images/elixir_ux/ux-connectivity-check.png b/windows/deployment/do/images/elixir_ux/ux-connectivity-check.png new file mode 100644 index 0000000000..0e72c45b33 Binary files /dev/null and b/windows/deployment/do/images/elixir_ux/ux-connectivity-check.png differ diff --git a/windows/deployment/do/images/elixir_ux/ux-edge-agent-failed.png b/windows/deployment/do/images/elixir_ux/ux-edge-agent-failed.png new file mode 100644 index 0000000000..1ce0e3e929 Binary files /dev/null and b/windows/deployment/do/images/elixir_ux/ux-edge-agent-failed.png differ diff --git a/windows/deployment/do/images/elixir_ux/ux-iot-edge-list.png b/windows/deployment/do/images/elixir_ux/ux-iot-edge-list.png new file mode 100644 index 0000000000..a26638a119 Binary files /dev/null and b/windows/deployment/do/images/elixir_ux/ux-iot-edge-list.png differ diff --git a/windows/deployment/do/images/elixir_ux/ux-mcc-failed.png b/windows/deployment/do/images/elixir_ux/ux-mcc-failed.png new file mode 100644 index 0000000000..b82d0e4441 Binary files /dev/null and b/windows/deployment/do/images/elixir_ux/ux-mcc-failed.png differ diff --git a/windows/deployment/do/images/emcc07.png b/windows/deployment/do/images/emcc07.png deleted file mode 100644 index 21420eab09..0000000000 Binary files a/windows/deployment/do/images/emcc07.png and /dev/null differ diff --git a/windows/deployment/do/images/emcc10.png b/windows/deployment/do/images/emcc10.png deleted file mode 100644 index 77c8754bf5..0000000000 Binary files a/windows/deployment/do/images/emcc10.png and /dev/null differ diff --git a/windows/deployment/do/images/emcc06.png b/windows/deployment/do/images/ent-mcc-azure-cache-created.png similarity index 100% rename from windows/deployment/do/images/emcc06.png rename to windows/deployment/do/images/ent-mcc-azure-cache-created.png diff --git a/windows/deployment/do/images/emcc05.png b/windows/deployment/do/images/ent-mcc-azure-create-connected-cache.png similarity index 100% rename from windows/deployment/do/images/emcc05.png rename to windows/deployment/do/images/ent-mcc-azure-create-connected-cache.png diff --git a/windows/deployment/do/images/emcc04.png b/windows/deployment/do/images/ent-mcc-azure-marketplace.png similarity index 100% rename from windows/deployment/do/images/emcc04.png rename to windows/deployment/do/images/ent-mcc-azure-marketplace.png diff --git a/windows/deployment/do/images/emcc03.png b/windows/deployment/do/images/ent-mcc-azure-search-result.png similarity index 100% rename from windows/deployment/do/images/emcc03.png rename to windows/deployment/do/images/ent-mcc-azure-search-result.png diff --git a/windows/deployment/do/images/emcc08.png b/windows/deployment/do/images/ent-mcc-cache-nodes.png similarity index 100% rename from windows/deployment/do/images/emcc08.png rename to windows/deployment/do/images/ent-mcc-cache-nodes.png diff --git a/windows/deployment/do/images/emcc20.png b/windows/deployment/do/images/ent-mcc-connect-eflowvm.png similarity index 100% rename from windows/deployment/do/images/emcc20.png rename to windows/deployment/do/images/ent-mcc-connect-eflowvm.png diff --git a/windows/deployment/do/images/ent-mcc-connected-cache-installer-download.png b/windows/deployment/do/images/ent-mcc-connected-cache-installer-download.png new file mode 100644 index 0000000000..45cb01de9f Binary files /dev/null and b/windows/deployment/do/images/ent-mcc-connected-cache-installer-download.png differ diff --git a/windows/deployment/do/images/emcc02.png b/windows/deployment/do/images/ent-mcc-create-azure-resource.png similarity index 100% rename from windows/deployment/do/images/emcc02.png rename to windows/deployment/do/images/ent-mcc-create-azure-resource.png diff --git a/windows/deployment/do/images/ent-mcc-create-cache-failed.png b/windows/deployment/do/images/ent-mcc-create-cache-failed.png new file mode 100644 index 0000000000..5c2ac09d56 Binary files /dev/null and b/windows/deployment/do/images/ent-mcc-create-cache-failed.png differ diff --git a/windows/deployment/do/images/emcc09.5.png b/windows/deployment/do/images/ent-mcc-create-cache-node-name.png similarity index 100% rename from windows/deployment/do/images/emcc09.5.png rename to windows/deployment/do/images/ent-mcc-create-cache-node-name.png diff --git a/windows/deployment/do/images/emcc09.png b/windows/deployment/do/images/ent-mcc-create-cache-node.png similarity index 100% rename from windows/deployment/do/images/emcc09.png rename to windows/deployment/do/images/ent-mcc-create-cache-node.png diff --git a/windows/deployment/do/images/emcc11.png b/windows/deployment/do/images/ent-mcc-delete-cache-node.png similarity index 100% rename from windows/deployment/do/images/emcc11.png rename to windows/deployment/do/images/ent-mcc-delete-cache-node.png diff --git a/windows/deployment/do/images/emcc29.png b/windows/deployment/do/images/ent-mcc-delivery-optimization-activity.png similarity index 100% rename from windows/deployment/do/images/emcc29.png rename to windows/deployment/do/images/ent-mcc-delivery-optimization-activity.png diff --git a/windows/deployment/do/images/emcc12.png b/windows/deployment/do/images/ent-mcc-download-installer.png similarity index 100% rename from windows/deployment/do/images/emcc12.png rename to windows/deployment/do/images/ent-mcc-download-installer.png diff --git a/windows/deployment/do/images/emcc28.png b/windows/deployment/do/images/ent-mcc-get-deliveryoptimizationstatus.png similarity index 100% rename from windows/deployment/do/images/emcc28.png rename to windows/deployment/do/images/ent-mcc-get-deliveryoptimizationstatus.png diff --git a/windows/deployment/do/images/emcc26.png b/windows/deployment/do/images/ent-mcc-group-policy-hostname.png similarity index 100% rename from windows/deployment/do/images/emcc26.png rename to windows/deployment/do/images/ent-mcc-group-policy-hostname.png diff --git a/windows/deployment/do/images/emcc13.png b/windows/deployment/do/images/ent-mcc-installer-script.png similarity index 100% rename from windows/deployment/do/images/emcc13.png rename to windows/deployment/do/images/ent-mcc-installer-script.png diff --git a/windows/deployment/do/images/emcc23.png b/windows/deployment/do/images/ent-mcc-intune-do.png similarity index 100% rename from windows/deployment/do/images/emcc23.png rename to windows/deployment/do/images/ent-mcc-intune-do.png diff --git a/windows/deployment/do/images/emcc24.png b/windows/deployment/do/images/ent-mcc-iotedge-list.png similarity index 100% rename from windows/deployment/do/images/emcc24.png rename to windows/deployment/do/images/ent-mcc-iotedge-list.png diff --git a/windows/deployment/do/images/emcc25.png b/windows/deployment/do/images/ent-mcc-journalctl.png similarity index 100% rename from windows/deployment/do/images/emcc25.png rename to windows/deployment/do/images/ent-mcc-journalctl.png diff --git a/windows/deployment/do/images/emcc01.png b/windows/deployment/do/images/ent-mcc-overview.png similarity index 100% rename from windows/deployment/do/images/emcc01.png rename to windows/deployment/do/images/ent-mcc-overview.png diff --git a/windows/deployment/do/images/emcc19.png b/windows/deployment/do/images/ent-mcc-script-complete.png similarity index 100% rename from windows/deployment/do/images/emcc19.png rename to windows/deployment/do/images/ent-mcc-script-complete.png diff --git a/windows/deployment/do/images/emcc17.png b/windows/deployment/do/images/ent-mcc-script-device-code.png similarity index 100% rename from windows/deployment/do/images/emcc17.png rename to windows/deployment/do/images/ent-mcc-script-device-code.png diff --git a/windows/deployment/do/images/emcc16.png b/windows/deployment/do/images/ent-mcc-script-dynamic-address.png similarity index 100% rename from windows/deployment/do/images/emcc16.png rename to windows/deployment/do/images/ent-mcc-script-dynamic-address.png diff --git a/windows/deployment/do/images/emcc15.png b/windows/deployment/do/images/ent-mcc-script-existing-switch.png similarity index 100% rename from windows/deployment/do/images/emcc15.png rename to windows/deployment/do/images/ent-mcc-script-existing-switch.png diff --git a/windows/deployment/do/images/emcc14.png b/windows/deployment/do/images/ent-mcc-script-new-switch.png similarity index 100% rename from windows/deployment/do/images/emcc14.png rename to windows/deployment/do/images/ent-mcc-script-new-switch.png diff --git a/windows/deployment/do/images/emcc18.png b/windows/deployment/do/images/ent-mcc-script-select-hub.png similarity index 100% rename from windows/deployment/do/images/emcc18.png rename to windows/deployment/do/images/ent-mcc-script-select-hub.png diff --git a/windows/deployment/do/images/emcc27.png b/windows/deployment/do/images/ent-mcc-store-example-download.png similarity index 100% rename from windows/deployment/do/images/emcc27.png rename to windows/deployment/do/images/ent-mcc-store-example-download.png diff --git a/windows/deployment/do/images/emcc22.png b/windows/deployment/do/images/ent-mcc-verify-server-powershell.png similarity index 100% rename from windows/deployment/do/images/emcc22.png rename to windows/deployment/do/images/ent-mcc-verify-server-powershell.png diff --git a/windows/deployment/do/images/emcc21.png b/windows/deployment/do/images/ent-mcc-verify-server-ssh.png similarity index 100% rename from windows/deployment/do/images/emcc21.png rename to windows/deployment/do/images/ent-mcc-verify-server-ssh.png diff --git a/windows/deployment/do/images/imcc07.png b/windows/deployment/do/images/imcc07.png deleted file mode 100644 index 31668ba8a1..0000000000 Binary files a/windows/deployment/do/images/imcc07.png and /dev/null differ diff --git a/windows/deployment/do/images/imcc21.png b/windows/deployment/do/images/imcc21.png deleted file mode 100644 index 5bd68d66c5..0000000000 Binary files a/windows/deployment/do/images/imcc21.png and /dev/null differ diff --git a/windows/deployment/do/images/imcc48.png b/windows/deployment/do/images/imcc48.png deleted file mode 100644 index eb53b7a5be..0000000000 Binary files a/windows/deployment/do/images/imcc48.png and /dev/null differ diff --git a/windows/deployment/do/images/imcc49.png b/windows/deployment/do/images/imcc49.png deleted file mode 100644 index eb53b7a5be..0000000000 Binary files a/windows/deployment/do/images/imcc49.png and /dev/null differ diff --git a/windows/deployment/do/images/imcc53.png b/windows/deployment/do/images/imcc53.png deleted file mode 100644 index ddec14d717..0000000000 Binary files a/windows/deployment/do/images/imcc53.png and /dev/null differ diff --git a/windows/deployment/do/images/imcc54.png b/windows/deployment/do/images/imcc54.png deleted file mode 100644 index c40ab0c5c9..0000000000 Binary files a/windows/deployment/do/images/imcc54.png and /dev/null differ diff --git a/windows/deployment/do/images/imcc24.png b/windows/deployment/do/images/mcc-isp-bash-allocate-space.png similarity index 100% rename from windows/deployment/do/images/imcc24.png rename to windows/deployment/do/images/mcc-isp-bash-allocate-space.png diff --git a/windows/deployment/do/images/imcc23.png b/windows/deployment/do/images/mcc-isp-bash-datadrive.png similarity index 100% rename from windows/deployment/do/images/imcc23.png rename to windows/deployment/do/images/mcc-isp-bash-datadrive.png diff --git a/windows/deployment/do/images/imcc20.png b/windows/deployment/do/images/mcc-isp-bash-device-code.png similarity index 100% rename from windows/deployment/do/images/imcc20.png rename to windows/deployment/do/images/mcc-isp-bash-device-code.png diff --git a/windows/deployment/do/images/imcc22.png b/windows/deployment/do/images/mcc-isp-bash-drive-number.png similarity index 100% rename from windows/deployment/do/images/imcc22.png rename to windows/deployment/do/images/mcc-isp-bash-drive-number.png diff --git a/windows/deployment/do/images/imcc25.png b/windows/deployment/do/images/mcc-isp-bash-iot-prompt.png similarity index 100% rename from windows/deployment/do/images/imcc25.png rename to windows/deployment/do/images/mcc-isp-bash-iot-prompt.png diff --git a/windows/deployment/do/images/imcc08.png b/windows/deployment/do/images/mcc-isp-cache-nodes-option.png similarity index 100% rename from windows/deployment/do/images/imcc08.png rename to windows/deployment/do/images/mcc-isp-cache-nodes-option.png diff --git a/windows/deployment/do/images/imcc19.png b/windows/deployment/do/images/mcc-isp-copy-install-script.png similarity index 100% rename from windows/deployment/do/images/imcc19.png rename to windows/deployment/do/images/mcc-isp-copy-install-script.png diff --git a/windows/deployment/do/images/imcc10.png b/windows/deployment/do/images/mcc-isp-create-cache-node-fields.png similarity index 100% rename from windows/deployment/do/images/imcc10.png rename to windows/deployment/do/images/mcc-isp-create-cache-node-fields.png diff --git a/windows/deployment/do/images/imcc09.png b/windows/deployment/do/images/mcc-isp-create-cache-node-option.png similarity index 100% rename from windows/deployment/do/images/imcc09.png rename to windows/deployment/do/images/mcc-isp-create-cache-node-option.png diff --git a/windows/deployment/do/images/imcc12.png b/windows/deployment/do/images/mcc-isp-create-new-node.png similarity index 100% rename from windows/deployment/do/images/imcc12.png rename to windows/deployment/do/images/mcc-isp-create-new-node.png diff --git a/windows/deployment/do/images/imcc13.png b/windows/deployment/do/images/mcc-isp-create-node-form.png similarity index 100% rename from windows/deployment/do/images/imcc13.png rename to windows/deployment/do/images/mcc-isp-create-node-form.png diff --git a/windows/deployment/do/images/imcc02.png b/windows/deployment/do/images/mcc-isp-create-resource.png similarity index 100% rename from windows/deployment/do/images/imcc02.png rename to windows/deployment/do/images/mcc-isp-create-resource.png diff --git a/windows/deployment/do/images/imcc04.png b/windows/deployment/do/images/mcc-isp-create.png similarity index 100% rename from windows/deployment/do/images/imcc04.png rename to windows/deployment/do/images/mcc-isp-create.png diff --git a/windows/deployment/do/images/mcc-isp-deploy-cache-node-numbered.png b/windows/deployment/do/images/mcc-isp-deploy-cache-node-numbered.png new file mode 100644 index 0000000000..17fb6a18f1 Binary files /dev/null and b/windows/deployment/do/images/mcc-isp-deploy-cache-node-numbered.png differ diff --git a/windows/deployment/do/images/imcc06.png b/windows/deployment/do/images/mcc-isp-deployment-complete.png similarity index 100% rename from windows/deployment/do/images/imcc06.png rename to windows/deployment/do/images/mcc-isp-deployment-complete.png diff --git a/windows/deployment/do/images/imcc01.png b/windows/deployment/do/images/mcc-isp-diagram.png similarity index 100% rename from windows/deployment/do/images/imcc01.png rename to windows/deployment/do/images/mcc-isp-diagram.png diff --git a/windows/deployment/do/images/imcc27.png b/windows/deployment/do/images/mcc-isp-edge-journalctl.png similarity index 100% rename from windows/deployment/do/images/imcc27.png rename to windows/deployment/do/images/mcc-isp-edge-journalctl.png diff --git a/windows/deployment/do/images/imcc42.png b/windows/deployment/do/images/mcc-isp-gnu-grub.png similarity index 100% rename from windows/deployment/do/images/imcc42.png rename to windows/deployment/do/images/mcc-isp-gnu-grub.png diff --git a/windows/deployment/do/images/imcc31.png b/windows/deployment/do/images/mcc-isp-hyper-v-begin.png similarity index 100% rename from windows/deployment/do/images/imcc31.png rename to windows/deployment/do/images/mcc-isp-hyper-v-begin.png diff --git a/windows/deployment/do/images/imcc36.png b/windows/deployment/do/images/mcc-isp-hyper-v-disk.png similarity index 100% rename from windows/deployment/do/images/imcc36.png rename to windows/deployment/do/images/mcc-isp-hyper-v-disk.png diff --git a/windows/deployment/do/images/imcc33.png b/windows/deployment/do/images/mcc-isp-hyper-v-generation.png similarity index 100% rename from windows/deployment/do/images/imcc33.png rename to windows/deployment/do/images/mcc-isp-hyper-v-generation.png diff --git a/windows/deployment/do/images/imcc37.png b/windows/deployment/do/images/mcc-isp-hyper-v-installation-options.png similarity index 100% rename from windows/deployment/do/images/imcc37.png rename to windows/deployment/do/images/mcc-isp-hyper-v-installation-options.png diff --git a/windows/deployment/do/images/imcc34.png b/windows/deployment/do/images/mcc-isp-hyper-v-memory.png similarity index 100% rename from windows/deployment/do/images/imcc34.png rename to windows/deployment/do/images/mcc-isp-hyper-v-memory.png diff --git a/windows/deployment/do/images/imcc32.png b/windows/deployment/do/images/mcc-isp-hyper-v-name.png similarity index 100% rename from windows/deployment/do/images/imcc32.png rename to windows/deployment/do/images/mcc-isp-hyper-v-name.png diff --git a/windows/deployment/do/images/imcc35.png b/windows/deployment/do/images/mcc-isp-hyper-v-networking.png similarity index 100% rename from windows/deployment/do/images/imcc35.png rename to windows/deployment/do/images/mcc-isp-hyper-v-networking.png diff --git a/windows/deployment/do/images/imcc38.png b/windows/deployment/do/images/mcc-isp-hyper-v-summary.png similarity index 100% rename from windows/deployment/do/images/imcc38.png rename to windows/deployment/do/images/mcc-isp-hyper-v-summary.png diff --git a/windows/deployment/do/images/imcc41.png b/windows/deployment/do/images/mcc-isp-hyper-v-vm-processor.png similarity index 100% rename from windows/deployment/do/images/imcc41.png rename to windows/deployment/do/images/mcc-isp-hyper-v-vm-processor.png diff --git a/windows/deployment/do/images/imcc40.png b/windows/deployment/do/images/mcc-isp-hyper-v-vm-security.png similarity index 100% rename from windows/deployment/do/images/imcc40.png rename to windows/deployment/do/images/mcc-isp-hyper-v-vm-security.png diff --git a/windows/deployment/do/images/imcc39.png b/windows/deployment/do/images/mcc-isp-hyper-v-vm-settings.png similarity index 100% rename from windows/deployment/do/images/imcc39.png rename to windows/deployment/do/images/mcc-isp-hyper-v-vm-settings.png diff --git a/windows/deployment/do/images/imcc18.png b/windows/deployment/do/images/mcc-isp-installer-download.png similarity index 100% rename from windows/deployment/do/images/imcc18.png rename to windows/deployment/do/images/mcc-isp-installer-download.png diff --git a/windows/deployment/do/images/imcc16.png b/windows/deployment/do/images/mcc-isp-list-nodes.png similarity index 100% rename from windows/deployment/do/images/imcc16.png rename to windows/deployment/do/images/mcc-isp-list-nodes.png diff --git a/windows/deployment/do/images/imcc05.png b/windows/deployment/do/images/mcc-isp-location-west.png similarity index 100% rename from windows/deployment/do/images/imcc05.png rename to windows/deployment/do/images/mcc-isp-location-west.png diff --git a/windows/deployment/do/images/mcc-isp-metrics.png b/windows/deployment/do/images/mcc-isp-metrics.png new file mode 100644 index 0000000000..1ca9078f3e Binary files /dev/null and b/windows/deployment/do/images/mcc-isp-metrics.png differ diff --git a/windows/deployment/do/images/imcc30.png b/windows/deployment/do/images/mcc-isp-nmcli.png similarity index 100% rename from windows/deployment/do/images/imcc30.png rename to windows/deployment/do/images/mcc-isp-nmcli.png diff --git a/windows/deployment/do/images/imcc17.png b/windows/deployment/do/images/mcc-isp-node-configuration.png similarity index 100% rename from windows/deployment/do/images/imcc17.png rename to windows/deployment/do/images/mcc-isp-node-configuration.png diff --git a/windows/deployment/do/images/imcc15.png b/windows/deployment/do/images/mcc-isp-node-names.png similarity index 100% rename from windows/deployment/do/images/imcc15.png rename to windows/deployment/do/images/mcc-isp-node-names.png diff --git a/windows/deployment/do/images/imcc11.png b/windows/deployment/do/images/mcc-isp-node-server-ip.png similarity index 100% rename from windows/deployment/do/images/imcc11.png rename to windows/deployment/do/images/mcc-isp-node-server-ip.png diff --git a/windows/deployment/do/images/mcc-isp-operator-verification.png b/windows/deployment/do/images/mcc-isp-operator-verification.png new file mode 100644 index 0000000000..3641761e0a Binary files /dev/null and b/windows/deployment/do/images/mcc-isp-operator-verification.png differ diff --git a/windows/deployment/do/images/mcc-isp-provision-cache-node-numbered.png b/windows/deployment/do/images/mcc-isp-provision-cache-node-numbered.png new file mode 100644 index 0000000000..e61bb78fc4 Binary files /dev/null and b/windows/deployment/do/images/mcc-isp-provision-cache-node-numbered.png differ diff --git a/windows/deployment/do/images/imcc26.png b/windows/deployment/do/images/mcc-isp-running-containers.png similarity index 100% rename from windows/deployment/do/images/imcc26.png rename to windows/deployment/do/images/mcc-isp-running-containers.png diff --git a/windows/deployment/do/images/imcc03.png b/windows/deployment/do/images/mcc-isp-search-marketplace.png similarity index 100% rename from windows/deployment/do/images/imcc03.png rename to windows/deployment/do/images/mcc-isp-search-marketplace.png diff --git a/windows/deployment/do/images/mcc-isp-search.png b/windows/deployment/do/images/mcc-isp-search.png new file mode 100644 index 0000000000..4ab4f0b0d6 Binary files /dev/null and b/windows/deployment/do/images/mcc-isp-search.png differ diff --git a/windows/deployment/do/images/mcc-isp-sign-up.png b/windows/deployment/do/images/mcc-isp-sign-up.png new file mode 100644 index 0000000000..0bc62894c6 Binary files /dev/null and b/windows/deployment/do/images/mcc-isp-sign-up.png differ diff --git a/windows/deployment/do/images/imcc14.png b/windows/deployment/do/images/mcc-isp-success-instructions.png similarity index 100% rename from windows/deployment/do/images/imcc14.png rename to windows/deployment/do/images/mcc-isp-success-instructions.png diff --git a/windows/deployment/do/images/imcc45.png b/windows/deployment/do/images/mcc-isp-ubuntu-erase-disk.png similarity index 100% rename from windows/deployment/do/images/imcc45.png rename to windows/deployment/do/images/mcc-isp-ubuntu-erase-disk.png diff --git a/windows/deployment/do/images/imcc44.png b/windows/deployment/do/images/mcc-isp-ubuntu-keyboard.png similarity index 100% rename from windows/deployment/do/images/imcc44.png rename to windows/deployment/do/images/mcc-isp-ubuntu-keyboard.png diff --git a/windows/deployment/do/images/imcc43.png b/windows/deployment/do/images/mcc-isp-ubuntu-language.png similarity index 100% rename from windows/deployment/do/images/imcc43.png rename to windows/deployment/do/images/mcc-isp-ubuntu-language.png diff --git a/windows/deployment/do/images/imcc51.png b/windows/deployment/do/images/mcc-isp-ubuntu-restart.png similarity index 100% rename from windows/deployment/do/images/imcc51.png rename to windows/deployment/do/images/mcc-isp-ubuntu-restart.png diff --git a/windows/deployment/do/images/imcc47.png b/windows/deployment/do/images/mcc-isp-ubuntu-time-zone.png similarity index 100% rename from windows/deployment/do/images/imcc47.png rename to windows/deployment/do/images/mcc-isp-ubuntu-time-zone.png diff --git a/windows/deployment/do/images/imcc52.png b/windows/deployment/do/images/mcc-isp-ubuntu-upgrade.png similarity index 100% rename from windows/deployment/do/images/imcc52.png rename to windows/deployment/do/images/mcc-isp-ubuntu-upgrade.png diff --git a/windows/deployment/do/images/imcc50.png b/windows/deployment/do/images/mcc-isp-ubuntu-who.png similarity index 100% rename from windows/deployment/do/images/imcc50.png rename to windows/deployment/do/images/mcc-isp-ubuntu-who.png diff --git a/windows/deployment/do/images/imcc46.png b/windows/deployment/do/images/mcc-isp-ubuntu-write-changes.png similarity index 100% rename from windows/deployment/do/images/imcc46.png rename to windows/deployment/do/images/mcc-isp-ubuntu-write-changes.png diff --git a/windows/deployment/do/images/imcc55.PNG b/windows/deployment/do/images/mcc-isp-use-bgp.png similarity index 100% rename from windows/deployment/do/images/imcc55.PNG rename to windows/deployment/do/images/mcc-isp-use-bgp.png diff --git a/windows/deployment/do/images/imcc28.png b/windows/deployment/do/images/mcc-isp-wget.png similarity index 100% rename from windows/deployment/do/images/imcc28.png rename to windows/deployment/do/images/mcc-isp-wget.png diff --git a/windows/deployment/do/images/test-scenarios/win10/m1-adv-bytes-to-peers.png b/windows/deployment/do/images/test-scenarios/win10/m1-adv-bytes-to-peers.png new file mode 100644 index 0000000000..39e145d0f9 Binary files /dev/null and b/windows/deployment/do/images/test-scenarios/win10/m1-adv-bytes-to-peers.png differ diff --git a/windows/deployment/do/images/test-scenarios/win10/m1-adv-complete.png b/windows/deployment/do/images/test-scenarios/win10/m1-adv-complete.png new file mode 100644 index 0000000000..a5d87e1ebf Binary files /dev/null and b/windows/deployment/do/images/test-scenarios/win10/m1-adv-complete.png differ diff --git a/windows/deployment/do/images/test-scenarios/win10/m1-basic-complete.png b/windows/deployment/do/images/test-scenarios/win10/m1-basic-complete.png new file mode 100644 index 0000000000..4d958b58f7 Binary files /dev/null and b/windows/deployment/do/images/test-scenarios/win10/m1-basic-complete.png differ diff --git a/windows/deployment/do/images/test-scenarios/win10/m2-adv-bytes-to-peers.png b/windows/deployment/do/images/test-scenarios/win10/m2-adv-bytes-to-peers.png new file mode 100644 index 0000000000..3169fc9cda Binary files /dev/null and b/windows/deployment/do/images/test-scenarios/win10/m2-adv-bytes-to-peers.png differ diff --git a/windows/deployment/do/images/test-scenarios/win10/m2-adv-complete.png b/windows/deployment/do/images/test-scenarios/win10/m2-adv-complete.png new file mode 100644 index 0000000000..e48269c367 Binary files /dev/null and b/windows/deployment/do/images/test-scenarios/win10/m2-adv-complete.png differ diff --git a/windows/deployment/do/images/test-scenarios/win10/m2-basic-complete.png b/windows/deployment/do/images/test-scenarios/win10/m2-basic-complete.png new file mode 100644 index 0000000000..ebaaeda112 Binary files /dev/null and b/windows/deployment/do/images/test-scenarios/win10/m2-basic-complete.png differ diff --git a/windows/deployment/do/images/test-scenarios/win10/m3-adv-bytes-to-peers.png b/windows/deployment/do/images/test-scenarios/win10/m3-adv-bytes-to-peers.png new file mode 100644 index 0000000000..ba85f09312 Binary files /dev/null and b/windows/deployment/do/images/test-scenarios/win10/m3-adv-bytes-to-peers.png differ diff --git a/windows/deployment/do/images/test-scenarios/win10/m3-adv-complete.png b/windows/deployment/do/images/test-scenarios/win10/m3-adv-complete.png new file mode 100644 index 0000000000..0fa7cacbb9 Binary files /dev/null and b/windows/deployment/do/images/test-scenarios/win10/m3-adv-complete.png differ diff --git a/windows/deployment/do/images/test-scenarios/win11/m1-basic-complete.png b/windows/deployment/do/images/test-scenarios/win11/m1-basic-complete.png new file mode 100644 index 0000000000..108ad7581b Binary files /dev/null and b/windows/deployment/do/images/test-scenarios/win11/m1-basic-complete.png differ diff --git a/windows/deployment/do/images/test-scenarios/win11/m2-basic-complete.png b/windows/deployment/do/images/test-scenarios/win11/m2-basic-complete.png new file mode 100644 index 0000000000..ae37e90a4f Binary files /dev/null and b/windows/deployment/do/images/test-scenarios/win11/m2-basic-complete.png differ diff --git a/windows/deployment/do/includes/get-azure-subscription.md b/windows/deployment/do/includes/get-azure-subscription.md new file mode 100644 index 0000000000..114671fd5e --- /dev/null +++ b/windows/deployment/do/includes/get-azure-subscription.md @@ -0,0 +1,17 @@ +--- +author: amymzhou +ms.author: amyzhou +manager: dougeby +ms.prod: w10 +ms.collection: M365-modern-desktop +ms.topic: include +ms.localizationpriority: medium +--- + + +1. Sign in to the [Azure portal](https://portal.azure.com). +1. Select **Subscriptions**. If you don't see **Subscriptions**, type **Subscriptions** in the search bar. As you begin typing, the list filters based on your input. +1. If you already have an Azure Subscription, skip to step 5. If you don't have an Azure Subscription, select **+ Add** on the top left. +1. Select the **Pay-As-You-Go** subscription. You'll be asked to enter credit card information, but you'll not be charged for using the MCC service. +1. On the **Subscriptions** page, you'll find details about your current subscription. Select the subscription name. +1. After you select the subscription name, you'll find the subscription ID in the **Overview** tab. Select the **Copy to clipboard** icon next to your Subscription ID to copy the value. \ No newline at end of file diff --git a/windows/deployment/do/includes/mcc-prerequisites.md b/windows/deployment/do/includes/mcc-prerequisites.md new file mode 100644 index 0000000000..f90bc995e6 --- /dev/null +++ b/windows/deployment/do/includes/mcc-prerequisites.md @@ -0,0 +1,17 @@ +--- +author: amyzhou +ms.author: amyzhou +manager: dougeby +ms.prod: w10 +ms.collection: M365-modern-desktop +ms.topic: include +ms.date: 11/09/2022 +ms.localizationpriority: medium +--- + + +Peak Egress | Hardware Specifications| +---|---| +< 5G Peak | VM with 8 cores, 16 GB memory, 1 SSD Drive 500GB| +10 - 20G Peak | VM with 16 cores, 32 GB memory, 2 - 3 SSD Drives 1 TB| +20 - 40G Peak | Hardware (sample hardware spec) with 32 cores, 64 GB memory, 4 - 6 SSDs 1 TB | \ No newline at end of file diff --git a/windows/deployment/do/includes/waas-delivery-optimization-monitor.md b/windows/deployment/do/includes/waas-delivery-optimization-monitor.md index 2828da9932..5f75f6344a 100644 --- a/windows/deployment/do/includes/waas-delivery-optimization-monitor.md +++ b/windows/deployment/do/includes/waas-delivery-optimization-monitor.md @@ -28,15 +28,15 @@ ms.localizationpriority: medium | TotalBytesDownloaded | The number of bytes from any source downloaded so far | | PercentPeerCaching |The percentage of bytes downloaded from peers versus over HTTP | | BytesFromPeers | Total bytes downloaded from peer devices (sum of bytes downloaded from LAN, Group, and Internet Peers) | -| BytesfromHTTP | Total number of bytes received over HTTP | +| BytesfromHTTP | Total number of bytes received over HTTP. This represents all HTTP sources, which includes BytesFromCacheServer | | Status | Current state of the operation. Possible values are: **Downloading** (download in progress); **Complete** (download completed, but is not uploading yet); **Caching** (download completed successfully and is ready to upload or uploading); **Paused** (download/upload paused by caller) | | Priority | Priority of the download; values are **foreground** or **background** | -| BytesFromCacheServer | Total number of bytes received from cache server | +| BytesFromCacheServer | Total number of bytes received from cache server (MCC) | | BytesFromLanPeers | Total number of bytes received from peers found on the LAN | -| BytesFromGroupPeers | Total number of bytes received from peers found in the group | +| BytesFromGroupPeers | Total number of bytes received from peers found in the group. (Note: Group mode is LAN + Group. If peers are found on the LAN, those bytes will be registered in 'BytesFromLANPeers'.) | | BytesFromInternetPeers | Total number of bytes received from internet peers | | BytesToLanPeers | Total number of bytes delivered from peers found on the LAN | -| BytesToGroupPeers | Total number of bytes delivered from peers found in the group | +| BytesToGroupPeers | Total number of bytes delivered from peers found in the group | | BytesToInternetPeers | Total number of bytes delivered from peers found on the LAN | | DownloadDuration | Total download time in seconds | | HttpConnectionCount | | diff --git a/windows/deployment/do/index.yml b/windows/deployment/do/index.yml index 668b0e4d0e..5cbe1535a0 100644 --- a/windows/deployment/do/index.yml +++ b/windows/deployment/do/index.yml @@ -1,17 +1,15 @@ ### YamlMime:Landing title: Delivery Optimization # < 60 chars -summary: Set up peer to peer downloads for Windows Updates and learn about Microsoft Connected Cache. # < 160 chars +summary: Set up peer to peer downloads for Microsoft content supported by Delivery Optimization and learn about Microsoft Connected Cache. # < 160 chars metadata: title: Delivery Optimization # Required; page title displayed in search results. Include the brand. < 60 chars. description: Learn about using peer to peer downloads on Windows clients and learn about Microsoft Connected Cache. # Required; article description that is displayed in search results. < 160 chars. - services: windows-10 - ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. - ms.subservice: subservice - ms.topic: landing-page # Required + ms.topic: landing-page + ms.prod: windows-client + ms.technology: itpro-updates ms.collection: - - windows-10 - highpri author: aczechowski ms.author: aaroncz @@ -38,7 +36,7 @@ landingContent: # Card (optional) - - title: Configure Delivery Optimization on Windows clients + - title: Configure Delivery Optimization on Windows linkLists: - linkListType: how-to-guide links: @@ -69,8 +67,8 @@ landingContent: linkLists: - linkListType: deploy links: - - text: MCC for Enterprise and Education (Private Preview) - url: mcc-enterprise.md + - text: MCC for Enterprise and Education (early preview) + url: waas-microsoft-connected-cache.md - text: Sign up url: https://aka.ms/MSConnectedCacheSignup @@ -79,10 +77,13 @@ landingContent: linkLists: - linkListType: deploy links: - - text: MCC for ISPs (Private Preview) - url: mcc-isp.md + - text: MCC for ISPs (public preview) + url: mcc-isp-signup.md - text: Sign up - url: https://aka.ms/MSConnectedCacheSignup + url: https://aka.ms/MCCForISPSurvey + - text: MCC for ISPs (early preview) + url: mcc-isp.md + # Card (optional) - title: Resources @@ -99,4 +100,6 @@ landingContent: url: delivery-optimization-proxy.md - text: Content endpoints for Delivery Optimization and Microsoft Connected Cache url: delivery-optimization-endpoints.md + - text: Testing Delivery Optimization + url: delivery-optimization-test.md diff --git a/windows/deployment/do/mcc-enterprise-appendix.md b/windows/deployment/do/mcc-enterprise-appendix.md new file mode 100644 index 0000000000..11915236a8 --- /dev/null +++ b/windows/deployment/do/mcc-enterprise-appendix.md @@ -0,0 +1,123 @@ +--- +title: Appendix +manager: aaroncz +description: Appendix on Microsoft Connected Cache (MCC) for Enterprise and Education. +ms.prod: windows-client +author: amymzhou +ms.author: amyzhou +ms.topic: article +ms.date: 12/31/2017 +ms.technology: itpro-updates +--- + +# Appendix + +## Steps to obtain an Azure Subscription ID + + +[!INCLUDE [Get Azure subscription](includes/get-azure-subscription.md)] + +### Troubleshooting + +If you're not able to sign up for a Microsoft Azure subscription with the **Account belongs to a directory that cannot be associated with an Azure subscription. Please sign in with a different account.** error, see the following articles: +- [Can't sign up for a Microsoft Azure subscription](/troubleshoot/azure/general/cannot-sign-up-subscription). +- [Troubleshoot issues when you sign up for a new account in the Azure portal](/azure/cost-management-billing/manage/troubleshoot-azure-sign-up). + +## Installing on VMWare + +We've seen that Microsoft Connected Cache for Enterprise and Education can be successfully installed on VMWare. To do so, there are a couple of additional configurations to be made: + +1. Ensure that you're using ESX. In the VM settings, turn on the option **Expose hardware assisted virtualization to the guest OS**. +1. Using the HyperV Manager, create an external switch. For the external switch to have internet connection, ensure **"Allow promiscuous mode"**, **"Allow forged transmits"**, and **"Allow MAC changes"** are all switched to **Yes**. + +## Diagnostics Script + +If you're having issues with your MCC, we included a diagnostics script. The script collects all your logs and zips them into a single file. You can then send us these logs via email for the MCC team to debug. + +To run this script: + +1. Navigate to the following folder in the MCC installation files: + + mccinstaller > Eflow > Diagnostics + +1. Run the following commands: + + ```powershell + Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process + .\collectMccDiagnostics.ps1 + ``` + +1. The script stores all the debug files into a folder and then creates a tar file. After the script is finished running, it will output the path of the tar file, which you can share with us. The location should be **\**\mccdiagnostics\support_bundle_\$timestamp.tar.gz + +1. [Email the MCC team](mailto:mccforenterprise@microsoft.com?subject=Debugging%20Help%20Needed%20for%20MCC%20for%20Enterprise) and attach this file asking for debugging support. Screenshots of the error along with any other warnings you saw will be helpful during out debugging process. + +## IoT Edge runtime + +The Azure IoT Edge runtime enables custom and cloud logic on IoT Edge devices. +The runtime sits on the IoT Edge device, and performs management and +communication operations. The runtime performs several functions: + +- Installs and update workloads (Docker containers) on the device. +- Maintains Azure IoT Edge security standards on the device. +- Ensures that IoT Edge modules (Docker containers) are always running. +- Reports module (Docker containers) health to the cloud for remote monitoring. +- Manages communication between an IoT Edge device and the cloud. + +For more information on Azure IoT Edge, see the [Azure IoT Edge documentation](/azure/iot-edge/about-iot-edge). + +## Routing local Windows Clients to an MCC + +### Get the IP address of your MCC using ifconfig + +There are multiple methods that can be used to apply a policy to PCs that should participate in downloading from the MCC. + +#### Registry Key + +You can either set your MCC IP address or FQDN using: + +1. Registry Key (version 1709 and later): + `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization` +
    + "DOCacheHost"=" " + + From an elevated command prompt: + + ``` + reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization" /v DOCacheHost /t REG_SZ /d "10.137.187.38" /f + ``` + +1. MDM Path (version 1809 and later): + + `.Vendor/MSFT/Policy/Config/DeliveryOptimization/DOCacheHost` + +1. In Windows (release version 1809 and later), you can apply the policy via Group Policy Editor. The policy to apply is **DOCacheHost**. To configure the clients to pull content from the MCC using Group Policy, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Delivery Optimization**. Set the **Cache Server Hostname** to the IP address of your MCC, such as `10.137.187.38`. + + :::image type="content" source="./images/ent-mcc-group-policy-hostname.png" alt-text="Screenshot of the Group Policy editor showing the Cache Server Hostname Group Policy setting." lightbox="./images/ent-mcc-group-policy-hostname.png"::: + + +**Verify Content using the DO Client** + +To verify that the Delivery Optimization client can download content using MCC, you can use the following steps: + +1. Download a game or application from the Microsoft Store. + + :::image type="content" source="./images/ent-mcc-store-example-download.png" alt-text="Screenshot of the Microsoft Store with the game, Angry Birds 2, selected."::: + + +1. Verify downloads came from MCC by one of two methods: + + - Using the PowerShell Cmdlet Get-DeliveryOptimizationStatus you should see *BytesFromCacheServer*. + + :::image type="content" source="./images/ent-mcc-get-deliveryoptimizationstatus.png" alt-text="Screenshot of the output of Get-DeliveryOptimization | FT from PowerShell." lightbox="./images/ent-mcc-get-deliveryoptimizationstatus.png"::: + + - Using the Delivery Optimization Activity Monitor + + :::image type="content" source="./images/ent-mcc-delivery-optimization-activity.png" alt-text="Screenshot of the Delivery Optimization Activity Monitor."::: + +## EFLOW + +- [What is Azure IoT Edge for Linux on Windows](/azure/iot-edge/iot-edge-for-linux-on-windows) +- [Install Azure IoT Edge for Linux on Windows](/azure/iot-edge/how-to-provision-single-device-linux-on-windows-symmetric#install-iot-edge) +- [PowerShell functions for Azure IoT Edge for Linux on Windows](/azure/iot-edge/reference-iot-edge-for-linux-on-windows-functions) +- EFLOW FAQ and Support: [Support · Azure/iotedge-eflow Wiki (github.com)](https://github.com/Azure/iotedge-eflow/wiki/Support#how-can-i-apply-updates-to-eflow) +- [Now ready for Production: Linux IoT Edge Modules on Windows - YouTube](https://www.youtube.com/watch?v=pgqVCg6cxVU&ab_channel=MicrosoftIoTDevelopers) \ No newline at end of file diff --git a/windows/deployment/do/mcc-enterprise-deploy.md b/windows/deployment/do/mcc-enterprise-deploy.md new file mode 100644 index 0000000000..c39e4b5a84 --- /dev/null +++ b/windows/deployment/do/mcc-enterprise-deploy.md @@ -0,0 +1,325 @@ +--- +title: Deploying your cache node +manager: dougeby +description: How to deploy Microsoft Connected Cache (MCC) for Enterprise and Education cache node +ms.prod: windows-client +author: amymzhou +ms.author: amyzhou +ms.topic: article +ms.date: 12/31/2017 +ms.technology: itpro-updates +--- + +# Deploying your cache node + +**Applies to** + +- Windows 10 +- Windows 11 + +## Steps to deploy MCC + +To deploy MCC to your server: + +1. [Provide Microsoft with the Azure subscription ID](#provide-microsoft-with-the-azure-subscription-id) +1. [Create the MCC Resource in Azure](#create-the-mcc-resource-in-azure) +1. [Create an MCC Node](#create-an-mcc-node-in-azure) +1. [Edit Cache Node Information](#edit-cache-node-information) +1. [Install MCC on a physical server or VM](#install-mcc-on-windows) +1. [Verify proper functioning MCC server](#verify-proper-functioning-mcc-server) +1. [Review common Issues](#common-issues) if needed. + +For questions regarding these instructions contact [msconnectedcache@microsoft.com](mailto:msconnectedcache@microsoft.com) + +### Provide Microsoft with the Azure Subscription ID + +As part of the MCC preview onboarding process an Azure subscription ID must be provided to Microsoft. + +> [!IMPORTANT] +> [Take this survey](https://aka.ms/MSConnectedCacheSignup) and provide your Azure subscription ID and contact information to be added to the allowlist for this preview. You will not be able to proceed if you skip this step. + +For information about creating or locating your subscription ID, see [Steps to obtain an Azure Subscription ID](mcc-enterprise-appendix.md#steps-to-obtain-an-azure-subscription-id). + +### Create the MCC resource in Azure + +The MCC Azure management portal is used to create and manage MCC nodes. An Azure Subscription ID is used to grant access to the preview and to create the MCC resource in Azure and Cache nodes. + +Once you take the survey above and the MCC team adds your subscription ID to the allowlist, you'll be given a link to the Azure portal where you can create the resource described below. + +1. In the Azure portal home page, choose **Create a resource**: + :::image type="content" source="./images/ent-mcc-create-azure-resource.png" alt-text="Screenshot of the Azure portal. The create a resource option is outlined in red."::: + +1. Type **Microsoft Connected Cache** into the search box, and hit **Enter** to show search results. + + > [!NOTE] + > You won't see Microsoft Connected Cache in the drop-down list. You'll need to type the string and press enter to see the result. + +1. Select **Microsoft Connected Cache Enterprise** and choose **Create** on the next screen to start the process of creating the MCC resource. + + :::image type="content" source="./images/ent-mcc-azure-search-result.png" alt-text="Screenshot of the Azure portal search results for Microsoft Connected Cache."::: + :::image type="content" source="./images/ent-mcc-azure-marketplace.png" alt-text="Screenshot of Microsoft Connected Cache Enterprise within the Azure Marketplace."::: + +1. Fill in the required fields to create the MCC resource. + + - Choose the subscription that you provided to Microsoft. + - Azure resource groups are logical groups of resources. Create a new resource group and choose a name for your resource group. + - Choose **(US) West US** for the location of the resource. This choice won't impact MCC if the physical location isn't in the West US, it's just a limitation of the preview. + + > [!IMPORTANT] + > Your MCC resource will not be created properly if you do not select **(US) West US** + + - Choose a name for the MCC resource. + - Your MCC resource must not contain the word **Microsoft** in it. + + :::image type="content" source="./images/ent-mcc-azure-create-connected-cache.png" alt-text="Screenshot of the Create a Connected Cache page within the Azure Marketplace."::: + +1. Once all the information has been entered, select the **Review + Create** button. Once validation is complete, select the **Create** button to start the + resource creation. + + :::image type="content" source="./images/ent-mcc-azure-cache-created.png" alt-text="Screenshot of the completed cache deployment within the Azure." lightbox="./images/ent-mcc-azure-cache-created.png"::: + +#### Error: Validation failed + +- If you get a Validation failed error message on your portal, it's likely because you selected the **Location** as **US West 2** or some other location that isn't **(US) West US**. + - To resolve this error, go to the previous step and choose **(US) West US**. + + :::image type="content" source="./images/ent-mcc-create-cache-failed.png" alt-text="Screenshot of a failed cache deployment due to an incorrect location."::: + +### Create an MCC node in Azure + +Creating an MCC node is a multi-step process and the first step is to access the MCC early preview management portal. + +1. After the successful resource creation, select **Go to resource**. +1. Under **Cache Node Management** section on the leftmost panel, select **Cache Nodes**. + + :::image type="content" source="./images/ent-mcc-cache-nodes.png" alt-text="Screenshot of the Cache Node Management section with the navigation link to the Cache Nodes page outlined in red."::: + +1. On the **Cache Nodes** blade, select the **Create Cache Node** button. + + :::image type="content" source="./images/ent-mcc-create-cache-node.png" alt-text="Screenshot of the Cache Nodes page with the Create Cache Node option outlined in red."::: + +1. Selecting the **Create Cache Node** button will open the **Create Cache Node** page; **Cache Node Name** is the only field required for cache node creation. + + | **Field Name**| **Expected Value**|**Description** | + |---|---|---| + | **Cache Node Name** | Alphanumeric name that doesn't include any spaces. | The name of the cache node. You may choose names based on location such as `Seattle-1`. This name must be unique and can't be changed later. | + +1. Enter the information for the **Cache Node** and select the **Create** button. + + :::image type="content" source="./images/ent-mcc-create-cache-node-name.png" alt-text="Screenshot of the Cache Nodes page displaying the Cache Node Name text entry during the creation process."::: + +If there are errors, the form will provide guidance on how to correct the errors. + +Once the MCC node has been created, the installer instructions will be exposed. More details on the installer instructions will be addressed later in this article, in the [Install Connected Cache](#install-mcc-on-windows) section. + +:::image type="content" source="./images/ent-mcc-connected-cache-installer-download.png" alt-text="Screenshot of the Connected Cache installer download button, installer instructions, and script."::: + +#### Edit cache node information + +Cache nodes can be deleted here by selecting the check box to the left of a **Cache Node Name** and then selecting the delete toolbar item. Be aware that if a cache node is deleted, there's no way to recover the cache node or any of the information related to the cache node. + +:::image type="content" source="./images/ent-mcc-delete-cache-node.png" alt-text="Screenshot of deleting a cache node from the Cache Nodes page."::: + +### Install MCC on Windows + +Installing MCC on your Windows device is a simple process. A PowerShell script performs the following tasks: + +- Installs the Azure CLI +- Downloads, installs, and deploys EFLOW +- Enables Microsoft Update so EFLOW can stay up to date +- Creates a virtual machine +- Enables the firewall and opens ports 80 and 22 for inbound and outbound traffic. Port 80 is used by MCC, and port 22 is used for SSH communications. +- Configures Connected Cache tuning settings. +- Creates the necessary *FREE* Azure resource - IoT Hub/IoT Edge. +- Deploys the MCC container to server. + +#### Run the installer + +1. Download and unzip `mccinstaller.zip` from the create cache node page or cache node configuration page, both of which contain the necessary installation files. + + :::image type="content" source="./images/ent-mcc-download-installer.png" alt-text="Screenshot of the download installer option on the Create Cache Node page."::: + + The following files are contained in the `mccinstaller.zip` file: + + - **installmcc.ps1**: Main installer file. + - **installEflow.ps1**: Installs the necessary prerequisites such as the Linux VM, IoT Edge runtime, and Docker, and makes necessary host OS settings to optimize caching performance. + - **resourceDeploymentForConnectedCache.ps1**: Creates Azure cloud resources required to support MCC control plane. + - **mccdeployment.json**: Deployment manifest used by IoT Edge to deploy the MCC container and configure settings on the container, such as cache drive location sizes. + - **updatemcc.ps1**: The update script used to upgrade MCC to a particular version. + - **mccupdate.json**: Used as part of the update script + +1. Open Windows PowerShell as administrator then navigate to the location of these files. + + > [!NOTE] + > Ensure that Hyper-V is enabled on your device. + > - **Windows 10:** [Enable Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v) + > - **Windows Server:** [Install the Hyper-V role on Windows Server](/windows-server/virtualization/hyper-v/get-started/install-the-hyper-v-role-on-windows-server)' + > + > Don't use PowerShell ISE, PowerShell 6.x, or PowerShell 7.x. Only Windows PowerShell version 5.x is supported. + +#### If you're installing MCC on a local virtual machine + +1. Turn the virtual machine **off** while you enable nested virtualization and MAC spoofing. + 1. Enable nested virtualization: + + ```powershell + Set -VMProcessor -VMName "VM name" -ExposeVirtualizationExtensions $true + ``` + + 1. Enable MAC spoofing: + + ```powershell + Get-VMNetworkAdapter -VMName "VM name" | Set-VMNetworkAdapter -MacAddressSpoofing On + ``` + +1. Set the execution policy. + + ```powershell + Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process + ``` + + > [!NOTE] + > After setting the execution policy, you'll see a warning asking if you wish to change the execution policy. Choose **[A] Yes to All**. + +1. Copy the command from the Azure portal and run it in Windows PowerShell. + + :::image type="content" source="./images/ent-mcc-installer-script.png" alt-text="Screenshot of the installer script for the connected cache node."::: + + > [!NOTE] + > After running the command, and multiple times throughout the installation process, you'll receive the following notice. Select **[R] Run once** to proceed. + >
    + >
    Security warning + >
    Run only scripts that you trust. While scripts from the internet can be useful, this script can potentially harm your computer. If you trust this script, use the Unblock-File cmdlet to allow the script to run without this warning message. Do you want to run C:\Users\mccinstaller\Eflow\installmcc.ps1? + >
    + >
    [D] Do not run **[R] Run once** [S] Suspend [?] Help (default is "D"): + +1. Choose whether you would like to create a new virtual switch or select an existing one. Name your switch and select the Net Adapter to use for the switch. A computer restart will be required if you're creating a new switch. + + > [!NOTE] + > Restarting your computer after creating a switch is recommended. You'll notice network delays during installation if the computer has not been restarted. + + If you restarted your computer after creating a switch, start from Step 2 above and skip step 5. + + :::image type="content" source="./images/ent-mcc-script-new-switch.png" alt-text="Screenshot of the installer script running in PowerShell when a new switch is created." lightbox="./images/ent-mcc-script-new-switch.png"::: + +1. Rerun the script after the restart. This time, choose **No** when asked to create a new switch. Enter the number corresponding to the switch you previously created. + + :::image type="content" source="./images/ent-mcc-script-existing-switch.png" alt-text="Screenshot of the installer script running in PowerShell when using an existing switch." lightbox="./images/ent-mcc-script-existing-switch.png"::: + +1. Decide whether you would like to use dynamic or static address for the Eflow VM + + :::image type="content" source="./images/ent-mcc-script-dynamic-address.png" alt-text="Screenshot of the installer script running in PowerShell asking if you'd like to use a dynamic address." lightbox="./images/ent-mcc-script-dynamic-address.png"::: + + > [!NOTE] + > Choosing a dynamic IP address might assign a different IP address when the MCC restarts. A static IP address is recommended so you don't have to change this value in your management solution when MCC restarts. + +1. Choose where you would like to download, install, and store the virtual hard disk for EFLOW. You'll also be asked how much memory, storage, and how many cores you would like to allocate for the VM. For this example, we chose the default values for all prompts. + +1. Follow the Azure Device Login link and sign into the Azure portal. + + :::image type="content" source="./images/ent-mcc-script-device-code.png" alt-text="Screenshot of the installer script running in PowerShell displaying the code and URL to use for the Azure portal." lightbox="./images/ent-mcc-script-device-code.png"::: + +1. If this is your first MCC deployment, select **n** so that a new IoT Hub can be created. If you have already configured MCC before, choose **y** so that your MCCs are grouped in the same IoT Hub. + + 1. You'll be shown a list of existing IoT Hubs in your Azure Subscription. Enter the number corresponding to the IoT Hub to select it. **You'll likely have only 1 IoT Hub in your subscription, in which case you want to enter "1"** + + :::image type="content" source="./images/ent-mcc-script-select-hub.png" alt-text="Screenshot of the installer script running in PowerShell prompting you to select which IoT Hub to use." lightbox="./images/ent-mcc-script-select-hub.png"::: + :::image type="content" source="./images/ent-mcc-script-complete.png" alt-text="Screenshot of the installer script displaying the completion summary in PowerShell." lightbox="./images/ent-mcc-script-complete.png"::: + + +1. Your MCC deployment is now complete. + + 1. If you don't see any errors, continue to the next section to validate your MCC deployment. + 1. After validating your MCC is properly functional, review your management solution documentation, such as [Intune](/mem/intune/configuration/delivery-optimization-windows), to set the cache host policy to the IP address of your MCC. + 1. If you had errors during your deployment, see the [Common Issues](#common-issues) section in this article. + +## Verify proper functioning MCC server + +#### Verify Client Side + +Connect to the EFLOW VM and check if MCC is properly running: + +1. Open PowerShell as an Administrator. +2. Enter the following commands: + + ```powershell + Connect-EflowVm + sudo -s + iotedge list + ``` + + :::image type="content" source="./images/ent-mcc-connect-eflowvm.png" alt-text="Screenshot of running connect-EflowVm, sudo -s, and iotedge list from PowerShell." lightbox="./images/ent-mcc-connect-eflowvm.png"::: + +You should see MCC, edgeAgent, and edgeHub running. If you see edgeAgent or edgeHub but not MCC, try this command in a few minutes. The MCC container can take a few minutes to deploy. + +#### Verify server side + +For a validation of properly functioning MCC, execute the following command in the EFLOW VM or any device in the network. Replace with the IP address of the cache server. + +```powershell +wget [http:///mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com] +``` + +A successful test result will display a status code of 200 along with additional information. + +:::image type="content" source="./images/ent-mcc-verify-server-ssh.png" alt-text="Screenshot of a successful wget with an SSH client." lightbox="./images/ent-mcc-verify-server-ssh.png"::: + + :::image type="content" source="./images/ent-mcc-verify-server-powershell.png" alt-text="Screenshot of a successful wget using PowerShell." lightbox="./images/ent-mcc-verify-server-powershell.png"::: + +Similarly, enter the following URL from a browser in the network: + +`http:///mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com` + +If the test fails, see the [common issues](#common-issues) section for more information. + +### Intune (or other management software) configuration for MCC + +For an [Intune](/mem/intune/) deployment, create a **Configuration Profile** and include the Cache Host eFlow IP Address or FQDN: + +:::image type="content" source="./images/ent-mcc-intune-do.png" alt-text="Screenshot of Intune showing the Delivery Optimization cache server host names."::: + +## Common Issues + +#### PowerShell issues + +If you're seeing errors similar to this error: `The term Get- isn't recognized as the name of a cmdlet, function, script file, or operable program.` + +1. Ensure you're running Windows PowerShell version 5.x. + +1. Run \$PSVersionTable and ensure you're running version 5.x and *not version 6 or 7*. + +1. Ensure you have Hyper-V enabled: + + **Windows 10:** [Enable Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v) + + **Windows Server:** [Install the Hyper-V role on Windows Server](/windows-server/virtualization/hyper-v/get-started/install-the-hyper-v-role-on-windows-server) + +#### Verify Running MCC Container + +Connect to the Connected Cache server and check the list of running IoT Edge modules using the following commands: + +```bash +Connect-EflowVm +sudo iotedge list +``` + +:::image type="content" source="./images/ent-mcc-iotedge-list.png" alt-text="Screenshot of the iotedge list command." lightbox="./images/ent-mcc-iotedge-list.png"::: + +If edgeAgent and edgeHub containers are listed, but not "MCC", you may view the status of the IoT Edge security manager using the command: + +```bash +sudo journalctl -u iotedge -f +``` + +For example, this command will provide the current status of the starting, stopping of a container, or the container pull and start. + +:::image type="content" source="./images/ent-mcc-journalctl.png" alt-text="Screenshot of the output from journalctl -u iotedge -f." lightbox="./images/ent-mcc-journalctl.png"::: + +Use this command to check the IoT Edge Journal + +```bash +sudo journalctl -u iotedge -f +``` + +> [!NOTE] +> You should consult the IoT Edge troubleshooting guide ([Common issues and resolutions for Azure IoT Edge](/azure/iot-edge/troubleshoot)) for any issues you may encounter configuring IoT Edge, but we've listed a few issues that we encountered during our internal validation. diff --git a/windows/deployment/do/mcc-enterprise-prerequisites.md b/windows/deployment/do/mcc-enterprise-prerequisites.md new file mode 100644 index 0000000000..fac81254f0 --- /dev/null +++ b/windows/deployment/do/mcc-enterprise-prerequisites.md @@ -0,0 +1,56 @@ +--- +title: Requirements for Microsoft Connected Cache (MCC) for Enterprise and Education +manager: dougeby +description: Overview of requirements for Microsoft Connected Cache (MCC) for Enterprise and Education. +ms.prod: windows-client +author: amymzhou +ms.author: amyzhou +ms.topic: article +ms.date: 12/31/2017 +ms.technology: itpro-updates +--- + +# Requirements of Microsoft Connected Cache for Enterprise and Education (early preview) + +**Applies to** + +- Windows 10 +- Windows 11 + +## Enterprise requirements for MCC + +1. **Azure subscription**: MCC management portal is hosted within Azure and is used to create the Connected Cache [Azure resource](/azure/cloud-adoption-framework/govern/resource-consistency/resource-access-management) and IoT Hub resource. Both are free services. + + Your Azure subscription ID is first used to provision MCC services, and enable access to the preview. The MCC server requirement for an Azure subscription will cost you nothing. If you don't have an Azure subscription already, you can create an Azure [Pay-As-You-Go](https://azure.microsoft.com/offers/ms-azr-0003p/) account, which requires a credit card for verification purposes. For more information, see the [Azure Free Account FAQ](https://azure.microsoft.com/free/free-account-faq/). + + The resources used for the preview and in the future when this product is ready for production will be free to you, like other caching solutions. + +2. **Hardware to host MCC**: The recommended configuration will serve approximately 35000 managed devices, downloading a 2 GB payload in 24-hour timeframe at a sustained rate of 6.5 Gbps. + + > [!NOTE] + > Azure VMs are not currently supported. If you'd like to install your cache node on VMWare, see the [Appendix](mcc-enterprise-appendix.md) for a few additional configurations. + + **EFLOW Requires Hyper-V support** + - On Windows client, enable the Hyper-V feature + - On Windows Server, install the Hyper-V role and create a default network switch + + Disk recommendations: + - Using an SSD is recommended as cache read speed of SSD is superior to HDD + + NIC requirements: + - Multiple NICs on a single MCC instance aren't supported. + - 1 Gbps NIC is the minimum speed recommended but any NIC is supported. + - For best performance, NIC and BIOS should support SR-IOV + + VM networking: + - An external virtual switch to support outbound and inbound network communication (created during the installation process) + +## Sizing recommendations + +| Component | Branch Office / Small Enterprise | Large Enterprise | +| -- | --- | --- | +| OS| Windows Server 2019*/2022
    Windows 10*/11 (Pro or Enterprise) with Hyper-V Support

    * Windows 10 and Windows Server 2019 build 17763 or later | Same | +|NIC | 1 Gbps | 5 Gbps | +|Disk | SSD
    1 drive
    50 GB each |SSD
    1 drive
    200 GB each | +|Memory | 4 GB | 8 GB | +|Cores | 4 | 8 | diff --git a/windows/deployment/do/mcc-enterprise-update-uninstall.md b/windows/deployment/do/mcc-enterprise-update-uninstall.md new file mode 100644 index 0000000000..83882c952c --- /dev/null +++ b/windows/deployment/do/mcc-enterprise-update-uninstall.md @@ -0,0 +1,45 @@ +--- +title: Update or uninstall Microsoft Connected Cache for Enterprise and Education +manager: dougeby +description: Details on updating or uninstalling Microsoft Connected Cache (MCC) for Enterprise and Education. +ms.prod: windows-client +author: amymzhou +ms.author: amyzhou +ms.topic: article +ms.date: 12/31/2017 +ms.technology: itpro-updates +--- +# Update or uninstall Microsoft Connected Cache for Enterprise and Education + +Throughout the preview phase, we'll send you security and feature updates for MCC. Follow these steps to perform the update. + +## Update MCC + +Run the following command with the **arguments** we provided in the email to update your MCC: + +```powershell +# .\updatemcc.ps1 version="**\**" tenantid="**\**" customerid="**\**" cachenodeid="**\**" customerkey="**\**" +``` + +For example: + +```powershell +# .\updatemcc.ps1 version="msconnectedcacheprod.azurecr.io/mcc/linux/iot/mcc-ubuntu-iot-amd64:1.2.1.659" tenantid="799a999aa-99a1-99aa-99aa-9a9aa099db99" customerid="99a999aa-99a1-99aa-99aa-9aaa9aaa0saa" cachenodeid=" aa99aaaa-999a-9aas-99aa99daaa99 " customerkey="a99d999a-aaaa-aa99-0999aaaa99a" +``` + +## Uninstall MCC + +Please contact the MCC Team before uninstalling to let us know if you're facing issues. + +This script will remove the following items: + +1. EFLOW + Linux VM +1. IoT Edge +1. Edge Agent +1. Edge Hub +1. MCC +1. Moby CLI +1. Moby Engine + +To delete MCC, go to Control Panel \> Uninstall a program \> Select Azure IoT +Edge LTS \> Uninstall diff --git a/windows/deployment/do/mcc-enterprise.md b/windows/deployment/do/mcc-enterprise.md deleted file mode 100644 index 2063ed9e6c..0000000000 --- a/windows/deployment/do/mcc-enterprise.md +++ /dev/null @@ -1,545 +0,0 @@ ---- -title: Microsoft Connected Cache for Enterprise and Education (private preview) -manager: dougeby -description: Details on Microsoft Connected Cache (MCC) for Enterprise and Education. -ms.prod: windows-client -author: carmenf -ms.localizationpriority: medium -ms.author: carmenf -ms.collection: M365-modern-desktop -ms.topic: article -ms.technology: itpro-updates ---- - -# Microsoft Connected Cache for Enterprise and Education (private preview) - -**Applies to** - -- Windows 10 -- Windows 11 - -## Overview - -> [!IMPORTANT] -> Microsoft Connected Cache is currently a private preview feature. During this phase we invite customers to take part in early access for testing purposes. This phase does not include formal support, and should not be used for production workloads. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). - -Microsoft Connected Cache (MCC) preview is a software-only caching solution that delivers Microsoft content within Enterprise networks. MCC can be deployed to as many physical servers or VMs as needed, and is managed from a cloud portal. Cache nodes are created in the cloud portal and are configured by applying a client policy using your management tool, such as [Intune](/mem/intune/). - -MCC is a hybrid (a mix of on-premises and cloud resources) SaaS solution built as an Azure IoT Edge module; it's a Docker compatible Linux container that is deployed to your Windows devices. IoT Edge for Linux on Windows (EFLOW) was chosen because it's a secure, reliable container management infrastructure. EFLOW is a Linux virtual machine, based on Microsoft's first party CBL-Mariner operating system. It’s built with the IoT Edge runtime and validated as a tier 1 supported environment for IoT Edge workloads. MCC will be a Linux IoT Edge module running on the Windows Host OS. - -Even though your MCC scenario isn't related to IoT, Azure IoT Edge is used as a more generic Linux container, deployment, and management infrastructure. The Azure IoT Edge runtime sits on your designated MCC device and performs management and communication operations. The runtime performs the following important functions to manage MCC on your edge device: - -1. Installs and updates MCC on your edge device. -2. Maintains Azure IoT Edge security standards on your edge device. -3. Ensures that MCC is always running. -4. Reports MCC health and usage to the cloud for remote monitoring. - -To deploy a functional MCC to your device, you must obtain the necessary keys that will provision the Connected Cache instance to communicate with Delivery Optimization services and enable the device to cache and deliver content. See [figure 1](#fig1) below for a summary of the architecture of MCC, built using IoT Edge. - -For more information about Azure IoT Edge, see [What is Azure IoT Edge](/azure/iot-edge/about-iot-edge). - -## How MCC works - -The following steps describe how MCC is provisioned and used. - -1. The Azure Management Portal is used to create MCC nodes. -2. The MCC container is deployed and provisioned to a server using the installer provided in the portal. -3. Client policy is configured in your management solution to point to the IP address or FQDN of the cache server. -4. Microsoft end-user devices make range requests for content from the MCC node. -5. An MCC node pulls content from the CDN, seeds its local cache stored on disk, and delivers content to the client. -6. Subsequent requests from end-user devices for content come from the cache. - -If an MCC node is unavailable, the client will pull content from CDN to ensure uninterrupted service for your subscribers. - - - -![eMCC img01](images/emcc01.png) - -Figure 1: **MCC processes**. Each number in the diagram corresponds to the steps described above. - - -## Enterprise requirements for MCC - -1. **Azure subscription**: MCC management portal is hosted within Azure and is used to create the Connected Cache [Azure resource](/azure/cloud-adoption-framework/govern/resource-consistency/resource-access-management) and IoT Hub resource. Both are free services. - - Your Azure subscription ID is first used to provision MCC services, and enable access to the preview. The MCC server requirement for an Azure subscription will cost you nothing. If you do not have an Azure subscription already, you can create an Azure [Pay-As-You-Go](https://azure.microsoft.com/offers/ms-azr-0003p/) account which requires a credit card for verification purposes. For more information, see the [Azure Free Account FAQ](https://azure.microsoft.com/free/free-account-faq/). - - The resources used for the preview and in the future when this product is ready for production will be completely free to you, like other caching solutions. - -2. **Hardware to host MCC**: The recommended configuration will serve approximately 35000 managed devices, downloading a 2GB payload in 24-hour timeframe at a sustained rate of 6.5 Gbps. - - **EFLOW Requires Hyper-V support** - - On Windows client, enable the Hyper-V feature - - On Windows Server, install the Hyper-V role and create a default network switch - - Disk recommendations: - - Using an SSD is recommended as cache read speed of SSD is superior to HDD - - NIC requirements: - - Multiple NICs on a single MCC instance aren't supported. - - 1 Gbps NIC is the minimum speed recommended but any NIC is supported. - - For best performance, NIC and BIOS should support SR-IOV - - VM networking: - - An external virtual switch to support outbound and inbound network communication (created during the installation process) - -### Sizing recommendations - -| Component | Branch Office / Small Enterprise | Large Enterprise | -| -- | --- | --- | -| OS| Windows Server 2019*/2022
    Windows 10*/11 (Pro or Enterprise) with Hyper-V Support

    * Windows 10 and Windows Server 2019 build 17763 or later | Same | -|NIC | 1 Gbps | 5 Gbps | -|Disk | SSD
    1 drive
    50GB each |SSD
    1 drive
    200GB each | -|Memory | 4GB | 8GB | -|Cores | 4 | 8 | - -## Steps to deploy MCC - -To deploy MCC to your server: - -1. [Provide Microsoft with the Azure subscription ID](#provide-microsoft-with-the-azure-subscription-id) -2. [Create the MCC Resource in Azure](#create-the-mcc-resource-in-azure) -3. [Create an MCC Node](#create-an-mcc-node-in-azure) -4. [Edit Cache Node Information](#edit-cache-node-information) -5. [Install MCC on a physical server or VM](#install-mcc-on-windows) -6. [Verify proper functioning MCC server](#verify-proper-functioning-mcc-server) -7. [Review common Issues](#common-issues) if needed. - -For questions regarding these instructions contact [msconnectedcache@microsoft.com](mailto:msconnectedcache@microsoft.com) - -### Provide Microsoft with the Azure Subscription ID - -As part of the MCC preview onboarding process an Azure subscription ID must be provided to Microsoft. - -> [!IMPORTANT] -> [Take this survey](https://aka.ms/MSConnectedCacheSignup) and provide your Azure subscription ID and contact information to be added to the allowlist for this preview. You will not be able to proceed if you skip this step. - -For information about creating or locating your subscription ID, see [Steps to obtain an Azure Subscription ID](#steps-to-obtain-an-azure-subscription-id). - -### Create the MCC resource in Azure - -The MCC Azure management portal is used to create and manage MCC nodes. An Azure Subscription ID is used to grant access to the preview and to create the MCC resource in Azure and Cache nodes. - -Once you take the survey above and the MCC team adds your subscription ID to the allowlist, you will be given a link to the Azure portal where you can create the resource described below. - -1. On the Azure portal home page, choose **Create a resource**: - ![eMCC img02](images/emcc02.png) - -2. Type **Microsoft Connected Cache** into the search box, and hit **Enter** to show search results. - -> [!NOTE] -> You'll not see Microsoft Connected Cache in the drop-down list. You need to type it and press enter to see the result. - -3. Select **Microsoft Connected Cache** and choose **Create** on the next screen to start the process of creating the MCC resource. - - ![eMCC img03](images/emcc03.png) - ![eMCC img04](images/emcc04.png) - -4. Fill in the required fields to create the MCC resource. - - - Choose the subscription that you provided to Microsoft. - - Azure resource groups are logical groups of resources. Create a new resource group and choose a name for your resource group. - - Choose **(US) West US** for the location of the resource. This choice will not impact MCC if the physical location isn't in the West US, it's just a limitation of the preview. - - > [!NOTE] - > Your MCC resource will not be created properly if you do not select **(US) West US** - - - Choose a name for the MCC resource. - - > [!NOTE] - > Your MCC resource must not contain the word **Microsoft** in it. - - ![eMCC img05](images/emcc05.png) - -5. Once all the information has been entered, click the **Review + Create** button. Once validation is complete, click the **Create** button to start the - resource creation. - - ![eMCC img06](images/emcc06.png) - -#### Error: Validation failed - -- If you get a Validation failed error message on your portal, it's likely because you selected the **Location** as **US West 2** or some other location that isn't **(US) West US**. -- To resolve this error, go to the previous step and choose **(US) West US**. - - ![eMCC img07](images/emcc07.png) - -### Create an MCC node in Azure - -Creating an MCC node is a multi-step process and the first step is to access the MCC private preview management portal. - -1. After the successful resource creation click on the **Go to resource**. -2. Under **Cache Node Management** section on the leftmost panel, click on **Cache Nodes**. - - ![eMCC img08](images/emcc08.png) - -3. On the **Cache Nodes** blade, click on the **Create Cache Node** button. - - ![eMCC img09](images/emcc09.png) - -4. Clicking the **Create Cache Node** button will open the **Create Cache Node** page; **Cache Node Name** is the only field required for cache node creation. - -| **Field Name** | **Expected Value** | **Description** | -|---------------------|--------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------| -| **Cache Node Name** | Alphanumeric name that includes no spaces. | The name of the cache node. You may choose names based on location like Seattle-1. This name must be unique and cannot be changed later. | - -5. Enter the information for the **Cache Node** and click the **Create** button. - -![eMCC img9.5](images/emcc09.5.png) - -If there are errors, the form will provide guidance on how to correct the errors. - -Once the MCC node has been created, the installer instructions will be exposed. More details on the installer instructions will be addressed later in this article, in the [Install Connected Cache](#install-mcc-on-windows) section. - -![eMCC img10](images/emcc10.png) - -#### Edit cache node information - -Cache nodes can be deleted here by clicking the check box to the left of a **Cache Node Name** and then clicking the delete toolbar item. Be aware that if a cache node is deleted, there is no way to recover the cache node or any of the information related to the cache node. - -![eMCC img11](images/emcc11.png) - -### Install MCC on Windows - -Installing MCC on your Windows device is a simple process. A PowerShell script performs the following tasks: - - - Installs the Azure CLI - - Downloads, installs, and deploys EFLOW - - Enables Microsoft Update so EFLOW can stay up to date - - Creates a virtual machine - - Enables the firewall and opens ports 80 and 22 for inbound and outbound traffic. Port 80 is used by MCC, and port 22 is used for SSH communications. - - Configures Connected Cache tuning settings. - - Creates the necessary *FREE* Azure resource - IoT Hub/IoT Edge. - - Deploys the MCC container to server. - -#### Run the installer - -1. Download and unzip mccinstaller.zip from the create cache node page or cache node configuration page which contains the necessary installation files. - - ![eMCC img12](images/emcc12.png) - -Files contained in the mccinstaller.zip file: - - - **installmcc.ps1**: Main installer file. - - **installEflow.ps1**: Installs the necessary prerequisites such as the Linux VM, IoT Edge runtime, and Docker, and makes necessary host OS settings to optimize caching performance. - - **resourceDeploymentForConnectedCache.ps1**: Creates Azure cloud resources required to support MCC control plane. - - **mccdeployment.json**: Deployment manifest used by IoT Edge to deploy the MCC container and configure settings on the container, such as cache drive location sizes. - - **updatemcc.ps1**: The update script used to upgrade MCC to a particular version. - - **mccupdate.json**: Used as part of the update script - -1. Open Windows PowerShell as administrator and navigate to the location of these files. - -> [!NOTE] -> Ensure that Hyper-V is enabled on your device. -> Do not use PowerShell ISE, PowerShell 6.x, or PowerShell 7.x. Only Windows PowerShell version 5.x is supported. - - **Windows 10:** [Enable Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v) - - **Windows Server:** [Install the Hyper-V role on Windows Server](/windows-server/virtualization/hyper-v/get-started/install-the-hyper-v-role-on-windows-server) - -#### If you're installing MCC on a local virtual machine: - -1. Enable Nested Virtualization - - ```powershell - Set-VMProcessor -VMName "VM name" -ExposeVirtualizationExtensions $true - ``` -2. Enable Mac Spoofing - ```powershell - Get-VMNetworkAdapter -VMName "VM name" | Set-VMNetworkAdapter -MacAddressSpoofing On - ``` - **Virtual machine should be in the OFF state while enabling Nested Virtualization and Mac Spoofing** - -3. Set the execution policy - - ```powershell - Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process - ``` - > [!NOTE] - > After setting the execution policy, you'll see a warning asking if you wish to change the execution policy. Choose **[A] Yes to All**. - -4. Copy the command from the portal and run it in Windows PowerShell - - ![eMCC img13](images/emcc13.png) - - > [!NOTE] - > After running the command, and multiple times throughout the installation process, you'll receive the following notice. **Please select [R] Run once to proceed**. - >
    - >
    Security warning - >
    Run only scripts that you trust. While scripts from the internet can be useful, this script can potentially harm your computer. If you trust this script, use the Unblock-File cmdlet to allow the script to run without this warning message. Do you want to run C:\\Users\\mccinstaller\\Eflow\\installmcc.ps1? - >
    - >
    [D] Do not run **[R] Run once** [S] Suspend [?] Help (default is "D"): - -3. Choose whether you would like to create a new virtual switch or select an existing one. Name your switch and select the Net Adapter to use for the switch. A computer restart will be required if you're creating a new switch. - - > [!NOTE] - > Restarting your computer after creating a switch is recommended. You'll notice network delays during installation if the computer has not been restarted. - - If you restarted your computer after creating a switch, start from Step 2 above and skip step 5. - - ![eMCC img14](images/emcc14.png) - -4. Re-run the script after the restart. This time, choose **No** when asked to create a new switch. Enter the number corresponding to the switch you previously created. - - ![eMCC img15](images/emcc15.png) - -5. Decide whether you would like to use dynamic or static address for the Eflow VM - - ![eMCC img16](images/emcc16.png) - - > [!NOTE] - > Choosing a dynamic IP address might assign a different IP address when the MCC restarts. - >
    A static IP address is recommended so you do not have to change this value in your management solution when MCC restarts. - -6. Choose where you would like to download, install, and store the virtual hard disk for EFLOW. You'll also be asked how much memory, storage, and cores you would like to allocate for the VM. In this example, we chose the default values for all prompts. - -7. Follow the Azure Device Login link and sign into the Azure portal. - - ![eMCC img17](images/emcc17.png) - -8. If this is your first MCC deployment, please select **n** so that a new IoT Hub can be created. If you have already configured MCC before, choose **y** so that your MCCs are grouped in the same IoT Hub. - - 1. You'll be shown a list of existing IoT Hubs in your Azure Subscription; Enter the number corresponding to the IoT Hub to select it. **You'll likely have only 1 IoT Hub in your subscription, in which case you want to enter “1”** - - ![eMCC img18](images/emcc18.png) - ![eMCC img19](images/emcc19.png) - -9. Your MCC deployment is now complete. - - 1. If you do not see any errors, please continue to the next section to validate your MCC deployment. - 2. After validating your MCC is properly functional, please review your management solution documentation, such as [Intune](/mem/intune/configuration/delivery-optimization-windows), to set the cache host policy to the IP address of your MCC. - 3. If you had errors during your deployment, see the [Troubleshooting](#troubleshooting) section in this article. - -### Verify proper functioning MCC server - -#### Verify Client Side - -Connect to the EFLOW VM and check if MCC is properly running: - -1. Open PowerShell as an Administrator -2. Enter the following commands: - -```powershell -Connect-EflowVm -sudo -s -iotedge list -``` - -![eMCC img20](images/emcc20.png) - -You should see MCC, edgeAgent, and edgeHub running. If you see edgeAgent or edgeHub but not MCC, please try this command in a few minutes. The MCC container can take a few minutes to deploy - -#### Verify server side - -For a validation of properly functioning MCC, execute the following command in the EFLOW VM or any device in the network. Replace with the IP address of the cache server. - -```powershell -wget [http:///mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com] -``` - -A successful test result will look like this: - -![eMCC img21](images/emcc21.png) - -OR - -![eMCC img22](images/emcc22.png) - -Similarly, enter this URL from a browser in the network: - -[http://YourCacheServerIP/mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com]() - -If the test fails, see the common issues section for more information. - -### Intune (or other management software) configuration for MCC - -For an Intune deployment, create a Configuration Profile and include the Cache Host eFlow IP Address or FQDN: - -![eMCC img23](images/emcc23.png) - -### Common Issues - -#### PowerShell issues - -If you're seeing errors similar to this: “The term ‘Get-Something’ isn't recognized as the name of a cmdlet, function, script file, or operable program.” - -1. Ensure you're running Windows PowerShell version 5.x. - -2. Run \$PSVersionTable and ensure you’re running version 5.x and *not version 6 or 7*. - -3. Ensure you have Hyper-V enabled: - - **Windows 10:** [Enable Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v) - - **Windows Server:** [Install the Hyper-V role on Windows Server](/windows-server/virtualization/hyper-v/get-started/install-the-hyper-v-role-on-windows-server) - -#### Verify Running MCC Container - -Connect to the Connected Cache server and check the list of running IoT Edge modules using the following commands: - -```bash -Connect-EflowVm -sudo iotedge list​ -``` - -![eMCC img24](images/emcc24.png) - -If edgeAgent and edgeHub containers are listed, but not “MCC”, you may view the status of the IoT Edge security manager using the command: - -```bash -sudo journalctl -u iotedge -f -``` - -For example, this command will provide the current status of the starting, stopping of a container, or the container pull and start as is shown in the sample below: - -![eMCC img25](images/emcc25.png) - -Use this command to check the IoT Edge Journal - -```bash -sudo journalctl -u iotedge –f -``` - -Please note: You should consult the IoT Edge troubleshooting guide ([Common issues and resolutions for Azure IoT Edge](/azure/iot-edge/troubleshoot)) for any issues you may encounter configuring IoT Edge, but we have listed a few issues below that we hit during our internal validation. - -## Diagnostics Script - -If you're having issues with your MCC, we included a diagnostics script which will collect all your logs and zip them into a single file. You can then send us these logs via email for the MCC team to debug. - -To run this script: - -1. Navigate to the following folder in the MCC installation files: - - mccinstaller \> Eflow \> Diagnostics - -2. Run the following commands: - -```powershell -Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process -.\collectMccDiagnostics.ps1 -``` - -3. The script stores all the debug files into a folder and then creates a tar file. After the script is finished running, it will output the path of the tar file which you can share with us (should be “**\**\\mccdiagnostics\\support_bundle_\$timestamp.tar.gz”) - -4. [Email the MCC team](mailto:mccforenterprise@microsoft.com?subject=Debugging%20Help%20Needed%20for%20MCC%20for%20Enterprise) and attach this file asking for debugging support. Screenshots of the error along with any other warnings you saw will be helpful during out debugging process. - -## Update MCC - -Throughout the private preview phase, we will send you security and feature updates for MCC. Please follow these steps to perform the update. - -Run the following command with the **arguments** we provided in the email to update your MCC: - -```powershell -# .\updatemcc.ps1 version="**\**" tenantid="**\**" customerid="**\**" cachenodeid="**\**" customerkey="**\**" -``` -For example: -```powershell -# .\updatemcc.ps1 version="msconnectedcacheprod.azurecr.io/mcc/linux/iot/mcc-ubuntu-iot-amd64:1.2.1.659" tenantid="799a999aa-99a1-99aa-99aa-9a9aa099db99" customerid="99a999aa-99a1-99aa-99aa-9aaa9aaa0saa" cachenodeid=" aa99aaaa-999a-9aas-99aa99daaa99 " customerkey="a99d999a-aaaa-aa99-0999aaaa99a” -``` - -## Uninstall MCC - -Please contact the MCC Team before uninstalling to let us know if you're facing -issues. - -This script will remove the following: - -1. EFLOW + Linux VM -2. IoT Edge -3. Edge Agent -4. Edge Hub -5. MCC -6. Moby CLI -7. Moby Engine - -To delete MCC, go to Control Panel \> Uninstall a program \> Select Azure IoT -Edge LTS \> Uninstall - -## Appendix - -### Steps to obtain an Azure Subscription ID - -1. Sign in to https://portal.azure.com/ and navigate to the Azure services section. -2. Click on **Subscriptions**. If you do not see **Subscriptions**, click on the **More Services** arrow and search for **Subscriptions**. -3. If you already have an Azure Subscription, skip to step 5. If you do not have an Azure Subscription, select **+ Add** on the top left. -4. Select the **Pay-As-You-Go** subscription. You'll be asked to enter credit card information, but you'll not be charged for using the MCC service. -5. On the **Subscriptions** blade, you'll find details about your current subscription. Click on the subscription name. -6. After you select the subscription name, you'll find the subscription ID in the **Overview** tab. Click on the **Copy to clipboard** icon next to your Subscription ID to copy the value. - -### Troubleshooting - -If you’re not able to sign up for a Microsoft Azure subscription with the error: **Account belongs to a directory that cannot be associated with an Azure subscription. Please sign in with a different account.** See [Can't sign up for a Microsoft Azure subscription](/troubleshoot/azure/general/cannot-sign-up-subscription). - -Also see [Troubleshoot issues when you sign up for a new account in the Azure portal](/azure/cost-management-billing/manage/troubleshoot-azure-sign-up). - -### IoT Edge runtime - -The Azure IoT Edge runtime enables custom and cloud logic on IoT Edge devices. -The runtime sits on the IoT Edge device, and performs management and -communication operations. The runtime performs several functions: - -- Installs and update workloads (Docker containers) on the device. -- Maintains Azure IoT Edge security standards on the device. -- Ensures that IoT Edge modules (Docker containers) are always running. -- Reports module (Docker containers) health to the cloud for remote monitoring. -- Manages communication between an IoT Edge device and the cloud. - -For more information on Azure IoT Edge, please see the [Azure IoT Edge documentation](/azure/iot-edge/about-iot-edge). - -### EFLOW - -- [What is Azure IoT Edge for Linux on Windows](/azure/iot-edge/iot-edge-for-linux-on-windows) -- [Install Azure IoT Edge for Linux on Windows](/azure/iot-edge/how-to-provision-single-device-linux-on-windows-symmetric#install-iot-edge) -- [PowerShell functions for Azure IoT Edge for Linux on Windows](/azure/iot-edge/reference-iot-edge-for-linux-on-windows-functions) -- EFLOW FAQ and Support: [Support · Azure/iotedge-eflow Wiki (github.com)](https://github.com/Azure/iotedge-eflow/wiki/Support#how-can-i-apply-updates-to-eflow) -- [Now ready for Production: Linux IoT Edge Modules on Windows - YouTube](https://www.youtube.com/watch?v=pgqVCg6cxVU&ab_channel=MicrosoftIoTDevelopers) - -### Routing local Windows Clients to an MCC - -#### Get the IP address of your MCC using ifconfig - -There are multiple methods that can be used to apply a policy to PCs that should participate in downloading from the MCC. - -##### Registry Key - -You can either set your MCC IP address or FQDN using: - -1. Registry Key in 1709 and higher - - [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization]
    - "DOCacheHost"=" " - - From an elevated command prompt: - - ``` - reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization" /v DOCacheHost /t REG_SZ /d "10.137.187.38" /f - ``` - -2. MDM Path in 1809 or higher: - - .Vendor/MSFT/Policy/Config/DeliveryOptimization/DOCacheHost - -3. In Windows release version 1809 and later, you can apply the policy via Group Policy Editor. The policy to apply is **DOCacheHost**. To configure the clients to pull content from the MCC using Group Policy, set the Cache Server Hostname (Setting found under Computer Configuration, Administrative Templates, Windows Components, Delivery Optimization) to the IP address of your MCC. For example 10.137.187.38. - - ![eMCC img26](images/emcc26.png) - -**Verify Content using the DO Client** - -To verify that the Delivery Optimization client can download content using MCC, you can use the following steps: - -1. Download a game or application from the Microsoft Store. - - ![eMCC img27](images/emcc27.png) - -2. Verify downloads came from MCC by one of two methods: - - - Using PowerShell Cmdlet Get-DeliveryOptimizationStatus you should see BytesFromCacheServer test - - ![eMCC img28](images/emcc28.png) - - - Looking at the Delivery Optimization Activity Monitor - - ![eMCC img29](images/emcc29.png) - -## Also see - -[Microsoft Connected Cache for ISPs](mcc-isp.md)
    -[Introducing Microsoft Connected Cache](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/introducing-microsoft-connected-cache-microsoft-s-cloud-managed/ba-p/963898) diff --git a/windows/deployment/do/mcc-isp-cache-node-configuration.md b/windows/deployment/do/mcc-isp-cache-node-configuration.md new file mode 100644 index 0000000000..8d8bc76577 --- /dev/null +++ b/windows/deployment/do/mcc-isp-cache-node-configuration.md @@ -0,0 +1,40 @@ +--- +title: Cache node configuration +manager: aaroncz +description: Configuring a cache node on Azure portal +ms.prod: windows-client +author: amyzhou +ms.author: amyzhou +ms.topic: article +ms.date: 12/31/2017 +ms.technology: itpro-updates +--- + +# Cache node configuration + +All cache node configuration will take place within Azure portal. This article outlines all of the settings that you'll be able to configure. + +## Settings + +| Field Name | Expected Value| Description | +| -- | --- | --- | +| **Cache node name** | Alphanumeric string that contains no spaces | The name of the cache node. You may choose names based on location like Seattle-1. This name must be unique and can't be changed later. | +| **Server IP address** | IPv4 address | IP address of your MCC server. This address is used to route end-user devices in your network to the server for Microsoft content downloads. The IP address must be publicly accessible. | +| **Max allowable egress (Mbps)** | Integer in Mbps | The maximum egress (Mbps) of your MCC based on the specifications of your hardware. For example, 10,000 Mbps.| +| **Enable cache node** | Enable or Disable | You can choose to enable or disable a cache node at any time. | + +## Storage + +| Field Name | Expected Value| Description | +| -- | --- | --- | +| **Cache drive** | File path string | Up to 9 drives can be configured for each cache node to configure cache storage. Enter the file path to each drive. For example: /dev/folder/ | +| **Cache drive size in gigabytes** | Integer in GB | Set the size of each drive configured for the cache node. | + +## Client routing + +| Field Name | Expected Value| Description | +| -- | --- | --- | +| **Manual routing - Address range/CIDR blocks** | IPv4 CIDR notation | The IP address range (CIDR blocks) that should be routed to the MCC server as a comma separated list. For example: 2.21.234.0/24, 3.22.235.0/24, 4.23.236.0/24 | +| **BGP - Neighbor ASN** | ASN | When configuring BGP, enter the ASN(s) of your neighbors that you want to establish. | +| **BGP - Neighbor IP address** | IPv4 address | When configuring BGP, enter the IP address(es) of neighbors that you want to establish. | + diff --git a/windows/deployment/do/mcc-isp-create-provision-deploy.md b/windows/deployment/do/mcc-isp-create-provision-deploy.md new file mode 100644 index 0000000000..aa7180c750 --- /dev/null +++ b/windows/deployment/do/mcc-isp-create-provision-deploy.md @@ -0,0 +1,144 @@ +--- +title: Create, provision, and deploy the cache node in Azure portal +manager: aaroncz +description: Instructions for creating, provisioning, and deploying Microsoft Connected Cache for ISP on Azure portal +ms.prod: windows-client +author: nidos +ms.author: nidos +ms.topic: article +ms.date: 12/31/2017 +ms.technology: itpro-updates +--- + +# Create, Configure, provision, and deploy the cache node in Azure portal + +**Applies to** + +- Windows 10 +- Windows 11 + +This article outlines how to create, provision, and deploy your Microsoft Connected Cache nodes. The creation and provisioning of your cache node takes place in Azure portal. The deployment of your cache node will require downloading an installer script that will be run on your cache server. + +> [!IMPORTANT] +> Before you can create your Microsoft Connected Cache, you will need to complete the [sign up process](mcc-isp-signup.md). You cannot proceed without signing up for our service. + +## Create cache node + +1. Open [Azure portal](https://www.portal.azure.com) and navigate to the **Microsoft Connected Cache** resource. + +1. Navigate to **Settings** > **Cache nodes** and select **Create Cache Node**. + +1. Provide a name for your cache node and select **Create** to create your cache node. + +## Configure cache node + +During the configuration of your cache node, there are many fields for you to configure your cache node. To learn more about the definitions of each field, review the [Configuration fields](#general-configuration-fields) at the bottom of this article. + +### Client routing + +Before serving traffic to your customers, client routing configuration is needed. During the configuration of your cache node in Azure portal, you'll be able to route your clients to your cache node. + +Microsoft Connected Cache offers two ways for you to route your clients to your cache node. The first method of manual entry involves uploading a comma-separated list of CIDR blocks that represents the clients. The second method of setting BGP (Border Gateway Protocol) is more automatic and dynamic, which is set up by establishing neighborships with other ASNs. All routing methods are set up within Azure portal. + +Once client routing and other settings are configured, your cache node will be able to download content and serve traffic to your customers. + +At this time, only IPv4 addresses are supported. IPv6 addresses aren't supported. + +#### Manual routing + +You can manually upload a list of your CIDR blocks in Azure portal to enable manual routing of your customers to your cache node. + +#### BGP routing + +BGP (Border Gateway Protocol) routing is another method offered for client routing. BGP dynamically retrieves CIDR ranges by exchanging information with routers to understand reachable networks. For an automatic method of routing traffic, you can choose to configure BGP routing in Azure portal. + +1. Navigate to **Settings** > **Cache nodes**. Select the cache node you wish to provision. + + :::image type="content" source="images/mcc-isp-provision-cache-node-numbered.png" alt-text="Screenshot of the Azure portal depicting the cache node configuration page of a cache node. This screenshot shows all of the fields you can choose to configure the cache node." lightbox="./images/mcc-isp-provision-cache-node-numbered.png"::: + +1. Enter the max allowable egress that your hardware can support. + +1. Under **Cache storage**, specify the location of the cache drives to store content along with the size of the cache drives in Gigabytes. +**Note:** Up to nine cache drives are supported. + +1. Under **Routing information**, select the routing method you would like to use. For more information, see [Client routing](#client-routing). + + - If you choose **Manual routing**, enter your address range/CIDR blocks. + - If you choose **BGP routing**, enter the ASN and IP addresses of the neighborship. + > [!NOTE] + > **Prefix count** and **IP Space** will stop displaying `0` when BGP is successfully established. + +## Deploy cache node software to server + +Once the user executes the cache server provisioning script, resources are created behind the scenes resulting in the successful cache node installation. The script takes the input of different IDs outlined below to register the server as an Azure IoT Edge device. Even though Microsoft Connected Cache scenario isn't related to IoT, Azure IoT Edge is installed for container management and communication operation purposes. + +### Components installed during provisioning + +#### IoT Edge + +IoT Edge performs several functions important to manage MCC on your edge device: + +1. Installs and updates MCC on your edge device. +1. Maintains Azure IoT Edge security standards on your edge device. +1. Ensures that MCC is always running. +1. Reports MCC health and usage to the cloud for remote monitoring. + +#### Docker container engine + +Azure IoT Edge relies on an OCI-compatible container runtime. The Moby engine is the only container engine officially supported with IoT Edge and is installed as part of the server provisioning process. + +### Components of the device provisioning script + +There are five IDs that the device provisioning script takes as input in order to successfully provision and install your cache server. The provisioning script will automatically include these keys, with no input necessary from the user. + +| ID | Description | +|---|---| +| Customer ID | A unique alphanumeric ID that the cache nodes are associated with. | +| Cache node ID | The unique alphanumeric ID of the cache node being provisioned. | +| Customer key | The unique alphanumeric ID that provides secure authentication of the cache node to Delivery Optimization services. | +| Registration key | Single use device registration key used by Microsoft Delivery Optimization services. | + +:::image type="content" source="images/mcc-isp-deploy-cache-node-numbered.png" alt-text="Screenshot of the server provisioning tab within cache node configuration in Azure portal."::: + +1. After completing cache node provisioning, navigate to the **Server provisioning** tab. Select **Download provisioning package** to download the installation package to your server. + +1. Open a terminal window in the directory where you would like to deploy your cache node and run the following command to change the access permission to the Bash script: + + ```bash + sudo chmod +x provisionmcc.sh + ``` + +1. Copy and paste the script command line shown in the Azure portal. + +1. Run the script in your server terminal for your cache node by . The script may take a few minutes to run. If there were no errors, you have set up your cache node successfully. To verify the server is set up correctly, follow the [verification steps](mcc-isp-verify-cache-node.md). + + > [!NOTE] + > The same script can be used to provision multiple cache nodes, but the command line is unique per cache node. Additionally, if you need to reprovision your server or provision a new server or VM for the cache node, you must copy the command line from the Azure portal again as the "registrationkey" value is unique for each successful execution of the provisioning script. + +### General configuration fields + +| Field Name | Expected Value| Description | +|---|---|---| +| **Cache node name** | Alphanumeric string that contains no spaces | The name of the cache node. You may choose names based on location like Seattle-1. This name must be unique and can't be changed later. | +| **Server IP address** | IPv4 address | IP address of your MCC server. This address is used to route end-user devices in your network to the server for Microsoft content downloads. The IP address must be publicly accessible. | +| **Max allowable egress (Mbps)** | Integer in Mbps | The maximum egress (Mbps) of your MCC based on the specifications of your hardware. For example, 10,000 Mbps.| +| **Enable cache node** | Enable or Disable | You can choose to enable or disable a cache node at any time. | + +### Storage fields + +> [!IMPORTANT] +> All cache drives must have read/write permissions set or the cache node will not function. +> For example, in a terminal you can run: `sudo chmod 777 /path/to/cachedrive` + +| Field Name | Expected Value| Description | +|---|---|---| +| **Cache drive** | File path string | Up to 9 drives can be configured for each cache node to configure cache storage. Enter the file path to each drive. For example: `/dev/folder/` Each cache drive should have read/write permissions configured. | +| **Cache drive size in gigabytes** | Integer in GB | Set the size of each drive configured for the cache node. | + +### Client routing fields + +| Field Name | Expected Value| Description | +|---|---|---| +| **Manual routing - Address range/CIDR blocks** | IPv4 CIDR notation | The IP address range (CIDR blocks) that should be routed to the MCC server as a comma separated list. For example: 2.21.234.0/24, 3.22.235.0/24, 4.23.236.0/24 | +| **BGP - Neighbor ASN** | ASN | When configuring BGP, enter the ASN(s) of your neighbors that you want to establish. | +| **BGP - Neighbor IP address** | IPv4 address | When configuring BGP, enter the IP address(es) of neighbors that you want to establish. | diff --git a/windows/deployment/do/mcc-isp-faq.yml b/windows/deployment/do/mcc-isp-faq.yml new file mode 100644 index 0000000000..74688ffae3 --- /dev/null +++ b/windows/deployment/do/mcc-isp-faq.yml @@ -0,0 +1,84 @@ +### YamlMime:FAQ +metadata: + title: Microsoft Connected Cache Frequently Asked Questions + description: The following article is a list of frequently asked questions for Microsoft Connected Cache. + author: amymzhou + ms.author: amymzhou + manager: aaroncz + ms.collection: + - highpri + ms.topic: faq + ms.date: 09/30/2022 + ms.prod: windows-client + ms.technology: itpro-updates +title: Microsoft Connected Cache Frequently Asked Questions +summary: | + **Applies to** + - Windows 10 and later + +sections: + - name: Ignored + questions: + - question: Is this product a free service? + answer: Yes. Microsoft Connected Cache is a free service. + - question: What will Microsoft Connected Cache do for me? How will it impact our customers? + answer: As an ISP, your network can benefit from reduced load on your backbone and improve customer download experience for supported Microsoft static content. It will also help you save on CDN costs. + - question: Is there a non-disclosure agreement to sign? + answer: No, a non-disclosure agreement isn't required. + - question: What are the prerequisites and hardware requirements? + answer: | + - Azure subscription + - Hardware to host Microsoft Connected Cache + - Ubuntu 20.04 LTS on a physical server or VM of your choice. + + > [!NOTE] + > The Microsoft Connected Cache is deployed and managed using Azure IoT Edge and Ubuntu 20.04 is an [Azure IoT Edge Tier 1 operating system](/azure/iot-edge/support?view=iotedge-2020-11#tier-1). Additionally, the Microsoft Connected Cache module is optimized for Ubuntu 20.04 LTS. + + The following are recommended hardware configurations: + + + [!INCLUDE [Microsoft Connected Cache Prerequisites](includes/mcc-prerequisites.md)] + + We have one customer who is able to achieve mid-30s Gbps egress rate using the following hardware specification: + - Dell PowerEdge R330 + - 2 x Intel(R) Xeon(R) CPU E5-2630 v3 @ 2.40 GHz, total 32 core + - 48 GB, Micron Technology 18ASF1G72PDZ-2G1A1, Speed: 2133 MT/s + - 4 - Transcend SSD230s 1 TB SATA Drives + Intel Corporation Ethernet 10G 2P X520 Adapter (Link Aggregated) + - question: Will I need to provide hardware BareMetal server or VM? + answer: Microsoft Connected Cache is a software-only caching solution and will require you to provide your own server to host the software. + - question: Can we use hard drives instead of SSDs? + answer: We highly recommend using SSDs as Microsoft Connected Cache is a read intensive application. We also recommend using multiple drives to improve performance. + - question: Will I need to manually enter the CIDR blocks? If I have multiple cache nodes, should I configure a subset of CIDR blocks to each cache node? + answer: You can choose to route your traffic using manual CIDR blocks or BGP. If you have multiple Microsoft Connected Cache(s), you can allocate subsets of CIDR blocks to each cache node if you wish. However, since Microsoft Connected Cache has automatic load balancing, we recommend adding all of your traffic to all of your cache nodes. + - question: Should I add any load balancing mechanism? + answer: You don't need to add any load balancing. Our service will take care of routing traffic if you have multiple cache nodes serving the same CIDR blocks based on the reported health of the cache node. + - question: How many Microsoft Connected Cache instances will I need? How do we set up if we support multiple countries? + answer: As stated in the table above, the recommended configuration will achieve near the maximum possible egress of 40 Gbps with a two-port link aggregated NIC and four cache drives. We have a feature coming soon that will help you estimate the number of cache nodes needed. If your ISP spans multiple countries, you can set up separate cache nodes per country. + - question: Where should we install Microsoft Connected Cache? + answer: You are in control of your hardware and you can pick the location based on your traffic and end customers. You can choose the location where you have your routers or where you have dense traffic or any other parameters. + - question: How long would a piece of content live within the Microsoft Connected Cache? Is content purged from the cache? + answer: Once a request for said content is made, NGINX will look at the cache control headers from the original acquisition. If that content has expired, NGINX will continue to serve the stale content while it's downloading the new content. We cache the content for 30 days. The content will be in the hot cache path (open handles and such) for 24 hrs, but will reside on disk for 30 days. The drive fills up and nginx will start to delete content based on its own algorithm, probably some combination of least recently used. + - question: What content is cached by Microsoft Connected Cache? + answer: For more information about content cached, see [Delivery Optimization and Microsoft Connected Cache content endpoints - Windows Deployment](delivery-optimization-endpoints.md). + - question: Does Microsoft Connected Cache support Xbox or Teams content? + answer: Currently, Microsoft Connected Cache doesn't support Xbox or Teams content. However, supporting Xbox content is of high priority, and we expect this feature soon. We'll let you know as soon as it becomes available! + - question: Is IPv6 supported? + answer: No, we don't currently support IPV6. We plan to support it in the future. + - question: Is Microsoft Connected Cache stable and reliable? + answer: We have already successfully onboarded ISPs in many countries around the world and have received positive feedback! However, you can always start off with a portion of your CIDR blocks to test out the performance of MCC before expanding to more customers. + - question: How does Microsoft Connected Cache populate its content? + answer: Microsoft Connected Cache is a cold cache warmed by client requests. The client requests content and that is what fills up the cache. There's no off-peak cache fill necessary. Microsoft Connected Cache will reach out to different CDN providers just like a client device would. The traffic flow from Microsoft Connected Cache will vary depending on how you currently transit to each of these CDN providers. The content can come from third party CDNs or from AFD. + - question: What do I do if I need more support and have more questions even after reading this FAQ page? + answer: For further support for Microsoft Connected Cache, visit [Troubleshooting Issues for Microsoft Connected Cache for ISP (public preview)](mcc-isp-support.md). + - question: What CDNs will Microsoft Connected Cache pull content from? + answer: | + Microsoft relies on a dynamic mix of 1st and 3rd party CDN providers to ensure enough capacity, redundancy, and performance for the delivery of Microsoft served content. Though we don't provide lists of the CDN vendors we utilize as they can change without notice, our endpoints are public knowledge. If someone were to perform a series of DNS lookups against our endpoints (tlu.dl.delivery.mp.microsoft.com for example), they would be able to determine which CDN or CDNs were in rotation at a given point in time: + + $ dig +noall +answer tlu.dl.delivery.mp.microsoft.com | grep -P "IN\tA" + + c-0001.c-msedge.net. 20 IN A 13.107.4.50 + + $ whois 13.107.4.50|grep "Organization:" + + Organization: Microsoft Corporation (MSFT) diff --git a/windows/deployment/do/mcc-isp-signup.md b/windows/deployment/do/mcc-isp-signup.md new file mode 100644 index 0000000000..e53324e321 --- /dev/null +++ b/windows/deployment/do/mcc-isp-signup.md @@ -0,0 +1,93 @@ +--- +title: Operator sign up and service onboarding +manager: aaroncz +description: Service onboarding for Microsoft Connected Cache for ISP +ms.prod: windows-client +ms.mktglfcycl: deploy +audience: itpro +author: nidos +ms.author: nidos +ms.topic: article +ms.date: 12/31/2017 +ms.technology: itpro-updates +--- + +# Operator sign up and service onboarding for Microsoft Connected Cache + +**Applies to** + +- Windows 10 +- Windows 11 + +This article details the process of signing up for Microsoft Connected Cache for Internet Service Providers (public preview). + +## Prerequisites + +Before you begin sign up, ensure you have the following components: +- **Azure Pay-As-You-Go subscription**: Microsoft Connected Cache is a completely free-of-charge service hosted in Azure. You will need to have a Pay-As-You-Go subscription in order to onboard to our service. To create a subscription, [visit this page](https://azure.microsoft.com/offers/ms-azr-0003p/). +- **Access to Azure portal**: Ensure you have the credentials needed to access your organization's Azure portal. +- **Peering DB**: Ensure your organization's [Peering DB](https://www.peeringdb.com/) page is up-to-date and active. Check that the NOC email listed is accurate, and that you have access to this email. +- **Server**: Ensure the server you wish to install Microsoft Connected Cache on is ready, and that the server is installed Ubuntu 20.04 LTS. + +## Resource creation and sign up process + +1. Navigate to the [Azure portal](https://www.portal.azure.com). Select **Create a Resource**. Then, search for **Microsoft Connected Cache**. + + :::image type="content" source="./images/mcc-isp-search.png" alt-text="Screenshot of the Azure portal that shows the Microsoft Connected Cache resource in Azure marketplace."::: + +1. Select **Create** to create a **Microsoft Connected Cache**. When prompted, enter a name for your cache resource. + + > [!IMPORTANT] + > After your resource has been created, we need some information to verify your network operator status and approve you to host Microsoft Connected Cache nodes. Please ensure that your [Peering DB](https://www.peeringdb.com/) organization information is up to date as this information will be used for verification. The NOC contact email will be used to send verification information. +1. Navigate to **Settings** > **Sign up**. Enter your organization ASN. Indicate whether you're a transit provider. If so, additionally, include any ASN(s) for downstream network operators that you may transit traffic for. + + :::image type="content" source="./images/mcc-isp-sign-up.png" alt-text="Screenshot of the sign up page in the Microsoft Connected Cache resource page in Azure portal." lightbox="./images/mcc-isp-sign-up.png"::: + +1. Once we verify the information entered, a verification code will be sent to the NOC email address provided on [Peering DB](https://www.peeringdb.com/). Once you receive the email, navigate to your Azure portal > **Microsoft Connected Cache** > **Settings** > **Verify operator**, and enter the verification code sent to the NOC email address. + + > [!NOTE] + > Verification codes expire in 24 hours. You will need to generate a new code if it expires. + + :::image type="content" source="images/mcc-isp-operator-verification.png" alt-text="Screenshot of the sign up verification page on Azure portal for Microsoft Connected Cache." lightbox="./images/mcc-isp-operator-verification.png"::: + +1. Once verified, follow the instructions in [Create, provision, and deploy cache node](mcc-isp-create-provision-deploy.md) to create your cache node. + + + +### Cache performance + +To make sure you're maximizing the performance of your cache node, review the following information: + +#### OS requirements + +The Microsoft Connected Cache module is optimized for Ubuntu 20.04 LTS. Install Ubuntu 20.04 LTS on a physical server or VM of your choice. + +#### NIC requirements + +- Multiple NICs on a single MCC instance are supported using a *link aggregated* configuration. +- 10 Gbps NIC is the minimum speed recommended, but any NIC is supported. + +#### Drive performance + +The maximum number of disks supported is 9. When configuring your drives, we recommend SSD drives as cache read speed of SSD is superior to HDD. In addition, using multiple disks is recommended to improve cache performance. + +RAID disk configurations are discouraged as cache performance will be impacted. If using RAID disk configurations, ensure striping. + +### Hardware configuration example + +There are many hardware configurations that suit Microsoft Connected Cache. As an example, a customer has deployed the following hardware configuration and is able to achieve a peak egress of about 35 Gbps: + +**Dell PowerEdge R330** + +- 2 x Intel(R) Xeon(R) CPU E5-2630 v3 @ 2.40 GHz, total 32 core +- 48 GB, Micron Technology 18ASF1G72PDZ-2G1A1, Speed: 2133 MT/s +- 4 - Transcend SSD230s 1 TB SATA Drives +- Intel Corporation Ethernet 10G 2P X520 Adapter (Link Aggregated) + +### Virtual machines + +Microsoft Connected Cache supports both physical and virtual machines as cache servers. If you're using a virtual machine as your server, refer to [VM performance](mcc-isp-vm-performance.md) for tips on how to improve your VM performance. \ No newline at end of file diff --git a/windows/deployment/do/mcc-isp-support.md b/windows/deployment/do/mcc-isp-support.md new file mode 100644 index 0000000000..a10e0f5a63 --- /dev/null +++ b/windows/deployment/do/mcc-isp-support.md @@ -0,0 +1,50 @@ +--- +title: Support and troubleshooting +manager: aaroncz +description: Troubleshooting issues for Microsoft Connected Cache for ISP +ms.prod: windows-client +audience: itpro +author: nidos +ms.author: nidos +ms.topic: reference +ms.date: 12/31/2017 +ms.technology: itpro-updates +--- + +# Support and troubleshooting + +**Applies to** + +- Windows 10 +- Windows 11 + +This article provides information on how to troubleshoot common issues with Microsoft Connected Cache for ISPs. +## Sign up errors + +### Cannot verify account + +During sign-up, we verify the information you provide against what is present in [Peering DB](https://www.peeringdb.com/). Make sure the information for your ISP entry on [Peering DB](https://www.peeringdb.com/) is up to date and matches what you provide during sign-up. + +### Invalid verification code + +During sign-up, a verification code is sent to your NOC email address present in [Peering DB](https://www.peeringdb.com/). This code expires in 24 hours. If it's expired, you'll need to request a new verification code to complete the sign-up. + +## Cache Node Errors + +### Cannot find my cache node + +Did you previously had access to your cache nodes but it's now no longer accessible? If so, it may be because you had a trial subscription, and its trial period ended. To resolve this issue, complete the following two steps: + +1. Create a new Azure Pay-As-You-Go subscription +1. Recreate the cache nodes using the new subscription + +## Steps to obtain an Azure subscription ID + + +[!INCLUDE [Get Azure subscription](includes/get-azure-subscription.md)] + +## Recommended resources + +- [Pay-as-you-go-subscription](https://azure.microsoft.com/offers/ms-azr-0003p/) +- [Azure free account FAQs](https://azure.microsoft.com/free/free-account-faq/) + diff --git a/windows/deployment/do/mcc-isp-update.md b/windows/deployment/do/mcc-isp-update.md new file mode 100644 index 0000000000..2e74cc5a44 --- /dev/null +++ b/windows/deployment/do/mcc-isp-update.md @@ -0,0 +1,57 @@ +--- +title: Update or uninstall your cache node +manager: aaroncz +description: How to update or uninstall your cache node +ms.prod: windows-client +ms.mktglfcycl: deploy +audience: itpro +author: amyzhou +ms.author: amyzhou +ms.topic: article +ms.date: 12/31/2017 +ms.technology: itpro-updates +--- + +# Update or uninstall your cache node + +This article details how to update or uninstall your cache node. + +## Update cache node + +Microsoft will release updates for Microsoft Connected Cache periodically to improve performance, functionality, and security. Updates won't require any action from the customer. Instead, when an update is available, your cache node will automatically update during low traffic hours with minimal to no impact to your end customers. + +To view which version your cache nodes are currently on, navigate to the **Cache nodes** tab to view the versions in the list view. + +## Uninstall cache node + +There are two main steps required to uninstall your cache node: + +1. Remove your cache node from Azure portal +1. Run the uninstall script to cleanly remove MCC from your server + +You must complete both steps to ensure a clean uninstall of your cache node. + +### Remove your cache node from Azure portal + +Within the [Azure portal](https://www.portal.azure.com), navigate to **Cache Nodes**, then select the cache node you wish to delete. Once selected, select **Delete** on the top bar to remove this cache node from your account. + +### Run the uninstall script to cleanly remove Microsoft Connected Cache from your server + +In the installer zip file, you'll find the file **uninstallmcc.sh**. This script uninstalls Microsoft Connected Cache and all the related components. Only run it if you're facing issues with Microsoft Connected Cache installation. + +The **uninstallmcc.sh** script removes the following components: + +- IoT Edge +- Edge Agent +- Edge Hub +- MCC +- Moby CLI +- Moby engine + +To run the script, use the following commands: + +```bash +sudo chmod +x uninstallmcc.sh +sudo ./uninstallmcc.sh + +``` diff --git a/windows/deployment/do/mcc-isp-verify-cache-node.md b/windows/deployment/do/mcc-isp-verify-cache-node.md new file mode 100644 index 0000000000..da0003c24f --- /dev/null +++ b/windows/deployment/do/mcc-isp-verify-cache-node.md @@ -0,0 +1,79 @@ +--- +title: Verify cache node functionality and monitor health and performance +manager: aaroncz +description: How to verify the functionality of a cache node +keywords: updates, downloads, network, bandwidth +ms.prod: windows-client +audience: itpro +author: amyzhou +ms.author: amyzhou +ms.topic: article +ms.date: 12/31/2017 +ms.technology: itpro-updates +--- + +# Verify cache node functionality and monitor health and performance + +This article details how to verify that your cache node(s) are functioning properly and serving traffic. This article also details how to monitor your cache nodes. + +## Verify functionality on Azure portal + +Sign into the [Azure portal](https://www.portal.azure.com) and navigate to the **Overview** page. Select the **Monitoring** tab to verify the functionality of your server(s) by validating the number of healthy nodes shown. If you see any **Unhealthy nodes**, select the **Diagnose and Solve** link to troubleshoot and resolve the issue. + +## Verify functionality on the server + +It can take a few minutes for the container to deploy after you've saved the configuration. + +To validate a properly functioning MCC, run the following command in the terminal of the cache server or any device in the network. Replace `` with the IP address of the cache server. + +```bash +wget http:///mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com +``` + +If successful, you'll see a terminal output similar to the following output: + +```bash +HTTP request sent, awaiting response... 200 OK +Length: 969710 (947K) [image/gif] +Saving to: 'wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com' + +wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com 100%[========================] +``` + +Similarly, enter the following URL into a web browser on any device on the network: + +```http +http:///mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com +``` + +If the test fails, for more information, see the [FAQ](mcc-isp-faq.yml) article. + +## Monitor cache node health and performance + +Within Azure portal, there are many charts and graphs that are available to monitor cache node health and performance. + +### Available Metrics + +Within Azure portal, you're able to build your custom charts and graphs using the following available metrics: + +| Metric name | Description | +|---|---| +| **Cache Efficiency** | Cache efficiency is defined as the total cache hit bytes divided by all bytes requested. The higher this value (0 - 100%), the more efficient the cache node is. | +| **Healthy nodes** | The number of cache nodes that are reporting as healthy| +| **Unhealthy nodes**| The number of cache nodes that are reporting as unhealthy| +| **Maximum in**| The maximum egress (in Gbps) of inbound traffic| +| **Maximum out**| The maximum egress (in Gbps) of outbound traffic| +| **Average in**| The average egress (in Gbps) of inbound traffic| +| **Average out**| The average egress (in Gbps) of outbound traffic| + +For more information about how to build your custom charts and graphs, see [Azure Monitor](/azure/azure-monitor/essentials/data-platform-metrics). + +### Monitoring your metrics + +To view the metrics associated with your cache nodes, navigate to the **Overview** > **Monitoring** tab within the Azure portal. + +:::image type="content" source="./images/mcc-isp-metrics.png" alt-text="Screenshot of the Azure portal displaying the metrics view in the Overview tab."::: + +You can choose to monitor the health and performance of all cache nodes or one at a time by using the dropdown menu. The **Egress bits per second** graph shows your inbound and outbound traffic of your cache nodes over time. You can change the time range (1 hour, 12 hours, 1 day, 7 days, 14 days, and 30 days) by selecting the time range of choice on the top bar. + +If you're unable to view metrics for your cache node, it may be that your cache node is unhealthy, inactive, or hasn't been fully configured. diff --git a/windows/deployment/do/mcc-isp-vm-performance.md b/windows/deployment/do/mcc-isp-vm-performance.md new file mode 100644 index 0000000000..9316c9a5af --- /dev/null +++ b/windows/deployment/do/mcc-isp-vm-performance.md @@ -0,0 +1,33 @@ +--- +title: Enhancing VM performance +manager: aaroncz +description: How to enhance performance on a virtual machine used with Microsoft Connected Cache for ISPs +ms.prod: windows-client +author: amyzhou +ms.author: amyzhou +ms.topic: reference +ms.technology: itpro-updates +ms.date: 12/31/2017 +--- + +# Enhancing virtual machine performance + +In virtual environments, the cache server egress peaks at around 1.1 Gbps. If you want to maximize the egress in virtual environments, it's critical to change two settings. + +## Virtual machine settings + +Change the following settings to maximize the egress in virtual environments: + +1. Enable **Single Root I/O Virtualization (SR-IOV)** in the following three locations: + + - The BIOS of the MCC virtual machine + - The network card properties of the MCC virtual machine + - The hypervisor for the MCC virtual machine + + Microsoft has found these settings to double egress when using a Microsoft Hyper-V deployment. + +2. Enable high performance in the BIOS instead of energy savings. Microsoft has found this setting to also nearly double egress in a Microsoft Hyper-V deployment. + +## Next steps + +[Support and troubleshooting](mcc-isp-support.md) diff --git a/windows/deployment/do/mcc-isp.md b/windows/deployment/do/mcc-isp.md index 9ac74d0930..34b12c0d9b 100644 --- a/windows/deployment/do/mcc-isp.md +++ b/windows/deployment/do/mcc-isp.md @@ -5,17 +5,16 @@ ms.prod: windows-client ms.technology: itpro-updates ms.localizationpriority: medium author: amymzhou -ms.author: aaroncz +ms.author: amyzhou ms.reviewer: carmenf -manager: dougeby -ms.collection: M365-modern-desktop +manager: aaroncz ms.topic: how-to ms.date: 05/20/2022 --- -# Microsoft Connected Cache for Internet Service Providers (ISPs) +# Microsoft Connected Cache for Internet Service Providers (early preview) -_Applies to_ +*Applies to* - Windows 10 - Windows 11 @@ -23,7 +22,7 @@ _Applies to_ ## Overview > [!IMPORTANT] -> Microsoft Connected Cache is currently a private preview feature. During this phase we invite customers to take part in early access for testing purposes. This phase doesn't include formal support. Instead, you'll be working directly with the product team to provide feedback on Microsoft Connected Cache. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). +> This document is for Microsoft Connected Cache (early preview). During this phase we invite customers to take part in early access for testing purposes. This phase doesn't include formal support. Instead, you'll be working directly with the product team to provide feedback on Microsoft Connected Cache. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). Microsoft Connected Cache (MCC) preview is a software-only caching solution that delivers Microsoft content within operator networks. MCC can be deployed to as many physical servers or VMs as needed and is managed from a cloud portal. Microsoft cloud services handle routing of consumer devices to the cache server for content downloads. @@ -31,15 +30,15 @@ Microsoft Connected Cache is a hybrid application, in that it's a mix of on-prem ## How MCC works -:::image type="content" source="images/imcc01.png" alt-text="Data flow diagram of how Microsoft Connected Cache works." lightbox="images/imcc01.png"::: +:::image type="content" source="./images/mcc-isp-diagram.png" alt-text="Data flow diagram of how Microsoft Connected Cache works." lightbox="./images/mcc-isp-diagram.png"::: The following steps describe how MCC is provisioned and used: 1. The Azure Management Portal is used to create and manage MCC nodes. -2. A shell script is used to provision the server and deploy the MCC application. +1. A shell script is used to provision the server and deploy the MCC application. -3. A combination of the Azure Management Portal and shell script is used to configure Microsoft Delivery Optimization Services to route traffic to the MCC server. +1. A combination of the Azure Management Portal and shell script is used to configure Microsoft Delivery Optimization Services to route traffic to the MCC server. - The publicly accessible IPv4 address of the server is configured on the portal. @@ -50,31 +49,31 @@ The following steps describe how MCC is provisioned and used: > [!NOTE] > Only IPv4 addresses are supported at this time. Entering IPv6 addresses will result in an error. -4. Microsoft end-user devices (clients) periodically connect with Microsoft Delivery Optimization Services, and the services match the IP address of the client with the IP address of the corresponding MCC node. +1. Microsoft end-user devices (clients) periodically connect with Microsoft Delivery Optimization Services, and the services match the IP address of the client with the IP address of the corresponding MCC node. -5. Microsoft clients make the range requests for content from the MCC node. +1. Microsoft clients make the range requests for content from the MCC node. -6. A MCC node gets content from the CDN, seeds its local cache stored on disk, and delivers the content to the client. +1. An MCC node gets content from the CDN, seeds its local cache stored on disk, and delivers the content to the client. -7. Subsequent requests from end-user devices for content will be served from cache. +1. Subsequent requests from end-user devices for content will be served from cache. -8. If the MCC node is unavailable, the client gets content from the CDN to ensure uninterrupted service for your subscribers. +1. If the MCC node is unavailable, the client gets content from the CDN to ensure uninterrupted service for your subscribers. ## ISP requirements for MCC ### Azure subscription -The MCC management portal is hosted within Azure. It's used to create the Connected Cache Azure resource and IoT Hub resource. Both are _free_ services. +The MCC management portal is hosted within Azure. It's used to create the Connected Cache Azure resource and IoT Hub resource. Both are *free* services. > [!NOTE] > If you request Exchange or Public peering in the future, business email addresses must be used to register ASNs. Microsoft doesn't accept Gmail or other non-business email addresses. -Your Azure subscription ID is first used to provision MCC services and enable access to the preview. The MCC server requirement for an Azure subscription will cost you nothing. If you don't have an Azure subscription already, you can create an Azure [Pay-As-You-Go](https://azure.microsoft.com/offers/ms-azr-0003p/) account, which requires a credit card for verification purposes. For more information, see the [Azure free account FAQ](https://azure.microsoft.com/free/free-account-faq/). _Don't submit a trial subscription_ as you'll lose access to your Azure resources after the trial period ends. +Your Azure subscription ID is first used to provision MCC services and enable access to the preview. The MCC server requirement for an Azure subscription will cost you nothing. If you don't have an Azure subscription already, you can create an Azure [Pay-As-You-Go](https://azure.microsoft.com/offers/ms-azr-0003p/) account, which requires a credit card for verification purposes. For more information, see the [Azure free account FAQ](https://azure.microsoft.com/free/free-account-faq/). *Don't submit a trial subscription* as you'll lose access to your Azure resources after the trial period ends. The resources used for the preview, and in the future when this product is ready for production, will be free to you - like other caching solutions. > [!IMPORTANT] -> To join the Microsoft Connected Cache private preview, provide your Azure subscription ID by filling out [this survey](https://aka.ms/MCCForISPSurvey). +> To join the Microsoft Connected Cache early preview, provide your Azure subscription ID by filling out [this survey](https://aka.ms/MCCForISPSurvey). ### Hardware to host the MCC @@ -89,7 +88,7 @@ This recommended configuration can egress at a rate of 9 Gbps with a 10 Gbps NIC #### NIC requirements -- Multiple NICs on a single MCC instance are supported using a _link aggregated_ configuration. +- Multiple NICs on a single MCC instance are supported using a *link aggregated* configuration. - 10 Gbps NIC is the minimum speed recommended, but any NIC is supported. ### Sizing recommendations @@ -97,10 +96,10 @@ This recommended configuration can egress at a rate of 9 Gbps with a 10 Gbps NIC The MCC module is optimized for Ubuntu 20.04 LTS. Install Ubuntu 20.04 LTS on a physical server or VM of your choice. The following recommended configuration can egress at a rate of 9 Gbps with a 10 Gbps NIC. | Component | Minimum | Recommended | -| -- | --- | --- | +|---|---|---| | OS | Ubuntu 20.04 LTS VM or physical server | Ubuntu 20.04 LTS VM or physical server (preferred) | | NIC | 10 Gbps| at least 10 Gbps | -| Disk | SSD
    1 drive
    2 TB each |SSD
    2-4 drives
    at least 2 TB each | +| Disk | SSD
    1 drive
    2 TB each |SSD
    2-4 drives
    at least 2 TB each | | Memory | 8 GB | 32 GB or greater | | Cores | 4 | 8 or more | @@ -110,8 +109,8 @@ To deploy MCC: 1. [Provide Microsoft with your Azure subscription ID](#provide-microsoft-with-your-azure-subscription-id) 2. [Create the MCC Resource in Azure](#create-the-mcc-resource-in-azure) -3. [Create a Cache Node](#create-a-mcc-node-in-azure) -4. [Configure Cache Node Routing](#edit-cache-node-information) +3. [Create a Cache Node](#create-an-mcc-node-in-azure) +4. [Configure Cache Node Routing](#edit-cache-node-information) 5. [Install MCC on a physical server or VM](#install-mcc) 6. [Verify properly functioning MCC server](#verify-properly-functioning-mcc-server) 7. [Review common issues if needed](#common-issues) @@ -135,20 +134,20 @@ Operators who have been given access to the program will be sent a link to the A 1. Choose **Create a resource**. - :::image type="content" source="images/imcc02.png" alt-text="Select the option to 'Create a resource' in the Azure portal."::: + :::image type="content" source="./images/mcc-isp-create-resource.png" alt-text="Screenshot of the option to 'Create a resource' in the Azure portal."::: 1. Type **Microsoft Connected Cache** into the search box and press **Enter** to show the search results. 1. Select **Microsoft Connected Cache**. - :::image type="content" source="images/imcc03.png" alt-text="Search the Azure Marketplace for 'Microsoft Connected Cache'."::: + :::image type="content" source="./images/mcc-isp-search-marketplace.png" alt-text="Screenshot of searching the Azure Marketplace for 'Microsoft Connected Cache'."::: > [!IMPORTANT] - > Don't select _Connected Cache Resources_, which is different from **Microsoft Connected Cache**. + > Don't select *Connected Cache Resources*, which is different from **Microsoft Connected Cache**. 1. Select **Create** on the next screen to start the process of creating the MCC resource. - :::image type="content" source="images/imcc04.png" alt-text="Select the option to Create the Microsoft Connected Cache service."::: + :::image type="content" source="./images/mcc-isp-create.png" alt-text="Screenshot of the Create option for the Microsoft Connected Cache service."::: 1. Fill in the following required fields to create the MCC resource: @@ -163,11 +162,11 @@ Operators who have been given access to the program will be sent a link to the A - Specify a **Connected Cache Resource Name**. - :::image type="content" source="images/imcc05.png" alt-text="Enter the required information to create a Connected Cache in Azure."::: + :::image type="content" source="./images/mcc-isp-location-west.png" alt-text="Screenshot of entering the required information, including the West US location, to create a Connected Cache in Azure."::: 1. Select **Review + Create**. Once validation is complete, select **Create** to start the resource creation. - :::image type="content" source="images/imcc06.png" alt-text="'Your deployment is complete' message displaying deployment details."::: + :::image type="content" source="./images/mcc-isp-deployment-complete.png" alt-text="'Screenshot of the 'Your deployment is complete' message displaying deployment details."::: #### Common Resource Creation Errors @@ -175,58 +174,55 @@ Operators who have been given access to the program will be sent a link to the A If you get the error message "Validation failed" in the Azure portal, it's likely because you selected the **Location** as **US West 2** or another unsupported location. To resolve this error, go to the previous step and choose **(US) West US** for the **Location**. -:::image type="content" source="images/imcc07.png" alt-text="'Validation failed' error message for Connected Cache in an unsupported location."::: - ##### Error: Could not create Marketplace item If you get the error message "Could not create marketplace item" in the Azure portal, use the following steps to troubleshoot: -- Make sure that you've selected **Microsoft Connected Cache** and not _Connected Cache resources_ while trying to create a MCC resource. +- Make sure that you've selected **Microsoft Connected Cache** and not *Connected Cache resources* while trying to create an MCC resource. - Make sure that you're using the same subscription that you provided to Microsoft and you have privileges to create an Azure resource. - If the issue persists, clear your browser cache and start in a new window. -### Create a MCC node in Azure +### Create an MCC node in Azure 1. After you successfully create the resource, select **Go to resource**. 1. Under the **Cache Node Management** section in the left panel, select **Cache Nodes**. - :::image type="content" source="images/imcc08.png" alt-text="The 'Cache Nodes' option in the Cache Node Management menu section."::: + :::image type="content" source="./images/mcc-isp-cache-nodes-option.png" alt-text="Screenshot of the 'Cache Nodes' option in the Cache Node Management menu section."::: 1. On the **Cache Nodes** section, select **Create Cache Node**. - :::image type="content" source="images/imcc09.png" alt-text="Select the 'Create Cache Node' option."::: + :::image type="content" source="./images/mcc-isp-create-cache-node-option.png" alt-text="Screenshot of the selecting the 'Create Cache Node' option."::: 1. This action opens the **Create Cache Node** page. The only required fields are **Cache Node Name** and **Max Allowable Egress (Mbps)**. | Field name | Expected value | Description | |--|--|--| | **Cache Node Name** | Alphanumeric name that includes no spaces. | The name of the cache node. You may choose names based on location like Seattle-1. This name must be unique and can't be changed later. | - | **Server IP Address** | IPv4 Address | IP address of your MCC server. This address is used to route end-user devices in your network to the server for Microsoft content downloads. _The IP address must be publicly accessible._ | + | **Server IP Address** | IPv4 Address | IP address of your MCC server. This address is used to route end-user devices in your network to the server for Microsoft content downloads. *The IP address must be publicly accessible.* | | **Max Allowable Egress (Mbps)** | Integer in Mbps | The maximum egress (Mbps) of your MCC based on the specifications of your hardware. For example, `10,000` Mbps. | | **Address Range/CIDR Blocks** | IPv4 CIDR notation | The IP address range (CIDR blocks) that should be routed to the MCC server as a comma separated list. For example: `2.21.234.0/24, 3.22.235.0/24, 4.23.236.0/24` | - | **Enable Cache Node** | Enable or Disable | **Enable** permits the cache node to receive content requests.
    **Disable** prevents the cache node from receiving content requests.
    Cache nodes are enabled by default. | + | **Enable Cache Node** | Enable or Disable | **Enable** permits the cache node to receive content requests.
    **Disable** prevents the cache node from receiving content requests.
    Cache nodes are enabled by default. | - :::image type="content" source="images/imcc10.png" alt-text="Available fields on the Create Cache Node page."::: + :::image type="content" source="./images/mcc-isp-create-cache-node-fields.png" alt-text="Screenshot of the available fields on the Create Cache Node page."::: > [!TIP] > The information icon next to each field provides a description. > - > :::image type="content" source="images/imcc11.png" alt-text="Create Cache Node page showing the description for the Server IP Address field."::: + > :::image type="content" source="./images/mcc-isp-node-server-ip.png" alt-text="Screenshot of the Create Cache Node page showing the description for the Server IP Address field."::: - > [!NOTE] - > After you create the cache node, if you return to this page, it populates the values for the two read-only fields: - > - > | Field name | Description | - > |--|--| - > | **IP Space** | Number of IP addresses that will be routed to your cache server. | - > | **Activation Keys** | Set of keys to activate your cache node with the MCC services. Copy the keys for use during install. The CustomerID is your Azure subscription ID. | + After you create the cache node, if you return to this page, it populates the values for the two read-only fields: + + | Field name | Description | + |--|--| + | **IP Space** | Number of IP addresses that will be routed to your cache server. | + | **Activation Keys** | Set of keys to activate your cache node with the MCC services. Copy the keys for use during install. The CustomerID is your Azure subscription ID. | 1. Enter the information to create the cache node, and then select **Create**. - :::image type="content" source="images/imcc12.png" alt-text="Select 'Create' on the Create Cache Node page."::: + :::image type="content" source="./images/mcc-isp-create-new-node.png" alt-text="Screenshot of selecting 'Create' on the Create Cache Node page."::: If there are errors, the page gives you guidance on how to correct the errors. For example: @@ -236,11 +232,11 @@ If there are errors, the page gives you guidance on how to correct the errors. F See the following example with all information entered: -:::image type="content" source="images/imcc13.png" alt-text="Create Cache Node page with all information entered."::: +:::image type="content" source="./images/mcc-isp-create-node-form.png" alt-text="Screenshot of the Create Cache Node page with all information entered."::: Once you create the MCC node, it will display the installer instructions. For more information on the installer instructions, see the [Install Connected Cache](#install-mcc) section. -:::image type="content" source="images/imcc14.png" alt-text="Cache node successfully created with Connected Cache installer instructions."::: +:::image type="content" source="./images/mcc-isp-success-instructions.png" alt-text="Screenshot of the Cache node successfully created with Connected Cache installer instructions."::: ### IP address space approval @@ -258,15 +254,15 @@ There are three states for IP address space. MCC configuration supports BGP and If your IP address space has this status, contact Microsoft for more information. -:::image type="content" source="images/imcc15.png" alt-text="A list of cache node names with example IP address space statuses."::: +:::image type="content" source="./images/mcc-isp-node-names.png" alt-text="Screenshot of a list of cache node names with example IP address space statuses."::: ## Edit cache node information -:::image type="content" source="images/imcc16.png" alt-text="Cache Nodes list in the Azure portal."::: +:::image type="content" source="./images/mcc-isp-list-nodes.png" alt-text="Screenshot of the Cache Nodes list in the Azure portal."::: To modify the configuration for existing MCC nodes in the portal, select the cache node name in the cache nodes list. This action opens the **Cache Node Configuration** page. You can edit the **Server IP Address** or **Address Range/CIDR Blocks** field. You can also enable or disable the cache node. -:::image type="content" source="images/imcc17.png" alt-text="Cache Node Configuration page, highlighting editable fields."::: +:::image type="content" source="./images/mcc-isp-node-configuration.png" alt-text="Screenshot of the Cache Node Configuration page, highlighting editable fields."::: To delete a cache node, select it in the cache nodes list, and then select **Delete** in the toolbar. If you delete a cache node, there's no way to recover it or any of the information related to the cache node. @@ -298,7 +294,7 @@ Before you start, make sure that you have a data drive configured on your server 1. From either **Create Cache Node** or **Cache Node Configuration** pages, select **Download Installer** to download the installer file. - :::image type="content" source="images/imcc18.png" alt-text="The Create Cache Node page highlighting the Download Installer action."::: + :::image type="content" source="./images/mcc-isp-installer-download.png" alt-text="Screenshot of the Create Cache Node page highlighting the Download Installer action."::: Unzip the **mccinstaller.zip** file, which includes the following installation files and folders: @@ -322,19 +318,19 @@ Before you start, make sure that you have a data drive configured on your server 1. In the Azure portal, in the Connected Cache installer instructions, copy the cache node installer Bash script command. Run the Bash script from the terminal. - :::image type="content" source="images/imcc19.png" alt-text="Copy the cache node installer Bash script in the Connected Cache installer instructions."::: + :::image type="content" source="./images/mcc-isp-copy-install-script.png" alt-text="Screenshot of the Copy option for the cache node installer Bash script in the Connected Cache installer instructions."::: 1. Sign in to the Azure portal with a device code. - :::image type="content" source="images/imcc20.png" alt-text="Bash script prompt to sign in to the Azure portal with a device code."::: + :::image type="content" source="./images/mcc-isp-bash-device-code.png" alt-text="Screenshot of the Bash script prompt to sign in to the Azure portal with a device code." lightbox="./images/mcc-isp-bash-device-code.png"::: 1. Specify the number of drives to configure. Use an integer value less than 10. - :::image type="content" source="images/imcc22.png" alt-text="Bash script prompt to enter the number of cache drives to configure."::: + :::image type="content" source="./images/mcc-isp-bash-drive-number.png" alt-text="Screenshot of the Bash script prompt to enter the number of cache drives to configure." lightbox="./images/mcc-isp-bash-drive-number.png"::: 1. Specify the location of the cache drives. For example, `/datadrive/` - :::image type="content" source="images/imcc23.png" alt-text="Bash script prompt to enter the location for cache drive."::: + :::image type="content" source="./images/mcc-isp-bash-datadrive.png" alt-text="Screenshot of the Bash script prompt to enter the location for cache drive." lightbox="./images/mcc-isp-bash-datadrive.png"::: > [!IMPORTANT] > The script changes the permission and ownership on the cache drive to **everyone** with the command `chmod 777`. @@ -350,15 +346,15 @@ Before you start, make sure that you have a data drive configured on your server 1. Specify an integer value as the size in GB for each cache drive. The minimum is `100` GB. - :::image type="content" source="images/imcc24.png" alt-text="Bash script prompt to enter the amount of space to allocate to the cache drive."::: + :::image type="content" source="./images/mcc-isp-bash-allocate-space.png" alt-text="Screenshot of the Bash script prompt to enter the amount of space to allocate to the cache drive." lightbox="./images/mcc-isp-bash-allocate-space.png"::: 1. Specify whether you have an existing IoT Hub. - - If this process is for your _first MCC deployment_, enter `n`. + - If this process is for your *first MCC deployment*, enter `n`. - - If you already have a MCC deployment, you can use an existing IoT Hub from your previous installation. Select `Y` to see your existing IoT Hubs. You can copy and paste the resulting IoT Hub name to continue. + - If you already have an MCC deployment, you can use an existing IoT Hub from your previous installation. Select `Y` to see your existing IoT Hubs. You can copy and paste the resulting IoT Hub name to continue. - :::image type="content" source="images/imcc25.png" alt-text="Bash script output with steps for existing IoT Hub."::: + :::image type="content" source="./images/mcc-isp-bash-iot-prompt.png" alt-text="Screenshot of the Bash script output with steps for existing IoT Hub." lightbox="./images/mcc-isp-bash-iot-prompt.png"::: 1. If you want to configure BGP, enter `y`. If you want to use manual entered prefixes for routing, enter `n` and skip to Step 16. You can always configure BGP at a later time using the Update Script. @@ -394,7 +390,7 @@ Before you start, make sure that you have a data drive configured on your server 1. To start routing using BGP, change the **Prefix Source** from **Manually Entered** to **Use BGP**. - :::image type="content" source="images/imcc55.PNG" alt-text="Cache node configuration with the Prefix Source set to Use BGP."::: + :::image type="content" source="./images/mcc-isp-use-bgp.png" alt-text="Screenshot of the Cache Node Configuration page with the Prefix Source set to Use BGP."::: 1. If there are no errors, go to the next section to verify the MCC server. @@ -415,7 +411,7 @@ Sign in to the Connected Cache server or use SSH. Run the following command from sudo iotedge list ``` -:::image type="content" source="images/imcc26.png" alt-text="Terminal output of iotedge list command, showing the running containers."::: +:::image type="content" source="./images/mcc-isp-running-containers.png" alt-text="Screenshot of the terminal output of iotedge list command, showing the running containers." lightbox="./images/mcc-isp-running-containers.png"::: If it lists the **edgeAgent** and **edgeHub** containers, but doesn't include **MCC**, view the status of the IoT Edge security manager using the command: @@ -425,7 +421,7 @@ sudo journalctl -u iotedge -f For example, this command provides the current status of the starting and stopping of a container, or the container pull and start: -:::image type="content" source="images/imcc27.png" alt-text="Terminal output of journalctl command for iotedge."::: +:::image type="content" source="./images/mcc-isp-edge-journalctl.png" alt-text="Terminal output of journalctl command for iotedge." lightbox="./images/mcc-isp-edge-journalctl.png"::: ### Verify server side @@ -439,7 +435,7 @@ wget http:///mscomtest/wuidt.gif?cacheHostOrigin=au.download.wind The following screenshot shows a successful test result: -:::image type="content" source="images/imcc28.png" alt-text="Terminal output of successful test result with wget command to validate a MCC."::: +:::image type="content" source="./images/mcc-isp-wget.png" alt-text="Screenshot of the terminal output of successful test result with wget command to validate a Microsoft Connected Cache." lightbox="./images/mcc-isp-wget.png"::: Similarly, enter the following URL into a web browser on any device on the network: @@ -484,7 +480,7 @@ To configure the device to work with your DNS, use the following steps: nmcli device show eno1 ``` - :::image type="content" source="images/imcc30.png" alt-text="Sample output of nmcli command to show network adapter information."::: + :::image type="content" source="images/mcc-isp-nmcli.png" alt-text="Screenshot of a sample output of nmcli command to show network adapter information." lightbox="./images/mcc-isp-nmcli.png"::: 1. Open or create the Docker configuration file used to configure the DNS server. @@ -535,7 +531,7 @@ To run the script: ## Updating your MCC -Throughout the private preview phase, Microsoft will release security and feature updates for MCC. Follow these steps to update your MCC. +Throughout the early preview phase, Microsoft will release security and feature updates for MCC. Follow these steps to update your MCC. Run the following commands, replacing the variables with the values provided in the email to update your MCC: @@ -553,7 +549,7 @@ sudo ./updatemcc.sh version="msconnectedcacheprod.azurecr.io/mcc/linux/iot/mcc-u ### Configure BGP on an Existing MCC -If you have a MCC that's already active and running, follow the steps below to configure BGP. +If you have an MCC that's already active and running, follow the steps below to configure BGP. 1. Run the Update commands as described above. @@ -585,20 +581,12 @@ sudo ./uninstallmcc.sh ``` ## Appendix - + ### Steps to obtain an Azure subscription ID -1. Sign in to the [Azure portal](https://portal.azure.com/) and go to the **Azure services** section. + +[!INCLUDE [Get Azure subscription](includes/get-azure-subscription.md)] -2. Select **Subscriptions**. If you don't see **Subscriptions**, select the **More Services** arrow and search for **Subscriptions**. - -3. If you already have an Azure subscription, skip to step 5. If you don't have an Azure Subscription, select **+ Add** on the top left. - -4. Select the **Pay-As-You-Go** subscription. You'll be asked to enter credit card information, but you won't be charged for using the MCC service. - -5. On the **Subscriptions** section, you'll find details about your current subscription. Select the subscription name. - -6. After you select the subscription name, you'll find the subscription ID in the **Overview** tab. To copy the value, select the **Copy to clipboard** icon next to your subscription ID. ### Performance of MCC in virtual environments @@ -618,7 +606,7 @@ In virtual environments, the cache server egress peaks at around 1.1 Gbps. If yo More users can be given access to manage Microsoft Connected Cache, even if they don't have an Azure account. Once you've created the first cache node in the portal, you can add other users as **Owners** of the Microsoft Connected Cache resource group and the Microsoft Connected Cache resource. -For more information on how to add other users as an owner, see [Grant a user access to Azure resources using the Azure portal](/azure/role-based-access-control/quickstart-assign-role-user-portal). Make sure to do this action for both the _MCC resource_ and _MCC resource group_. +For more information on how to add other users as an owner, see [Grant a user access to Azure resources using the Azure portal](/azure/role-based-access-control/quickstart-assign-role-user-portal). Make sure to do this action for both the *MCC resource* and *MCC resource group*. ### Setting up a VM on Windows Server @@ -631,93 +619,93 @@ You can use hardware that will natively run Ubuntu 20.04 LTS, or you can run an 1. Start the **New Virtual Machine Wizard** in Hyper-V. - :::image type="content" source="images/imcc31.png" alt-text="The Before You Begin page of the Hyper-V New Virtual Machine Wizard."::: + :::image type="content" source="./images/mcc-isp-hyper-v-begin.png" alt-text="Screenshot of the Before You Begin page of the Hyper-V New Virtual Machine Wizard."::: 1. Specify a name and choose a location. - :::image type="content" source="images/imcc32.png" alt-text="The Specify Name and Location page of the Hyper-V New Virtual Machine Wizard."::: + :::image type="content" source="./images/mcc-isp-hyper-v-name.png" alt-text="Screenshot of the Specify Name and Location page in the Hyper-V New Virtual Machine Wizard."::: 1. Select **Generation 2**. You can't change this setting later. - :::image type="content" source="images/imcc33.png" alt-text="The Specify Generation page of the Hyper-V New Virtual Machine Wizard."::: + :::image type="content" source="./images/mcc-isp-hyper-v-generation.png" alt-text="Screenshot of the Specify Generation page in the Hyper-V New Virtual Machine Wizard."::: 1. Specify the startup memory. - :::image type="content" source="images/imcc34.png" alt-text="The Assign Memory page of the Hyper-V New Virtual Machine Wizard."::: + :::image type="content" source="./images/mcc-isp-hyper-v-memory.png" alt-text="Screenshot of the Assign Memory page of the Hyper-V New Virtual Machine Wizard."::: 1. Choose the network adapter connection. - :::image type="content" source="images/imcc35.png" alt-text="The Configure Networking page of the Hyper-V New Virtual Machine Wizard."::: + :::image type="content" source="./images/mcc-isp-hyper-v-networking.png" alt-text="Screenshot of the Configure Networking page of the Hyper-V New Virtual Machine Wizard."::: 1. Set the virtual hard disk parameters. You should specify enough space for the OS and the content that will be cached. For example, `1024` GB is 1 terabyte. - :::image type="content" source="images/imcc36.png" alt-text="The Connect Virtual Hard Disk page of the Hyper-V New Virtual Machine Wizard."::: + :::image type="content" source="./images/mcc-isp-hyper-v-disk.png" alt-text="Screenshot of the Connect Virtual Hard Disk page of the Hyper-V New Virtual Machine Wizard."::: 1. Select **Install an OS from a bootable image file** and browse to the ISO for Ubuntu 20.04 LTS that you previously downloaded. - :::image type="content" source="images/imcc37.png" alt-text="The Installation Options page of the Hyper-V New Virtual Machine Wizard."::: + :::image type="content" source="./images/mcc-isp-hyper-v-installation-options.png" alt-text="Screenshot of the Installation Options page of the Hyper-V New Virtual Machine Wizard."::: 1. Review the settings and select **Finish** to create the Ubuntu VM. - :::image type="content" source="images/imcc38.png" alt-text="Completing the New Virtual Machine Wizard on Hyper-V."::: + :::image type="content" source="./images/mcc-isp-hyper-v-summary.png" alt-text="Screenshot of completing the New Virtual Machine Wizard on Hyper-V."::: 1. Before you start the Ubuntu VM, disable **Secure Boot** and allocate multiple cores to the VM. 1. In Hyper-V Manager, open the **Settings** for the VM. - :::image type="content" source="images/imcc39.png" alt-text="Open Settings for a VM in Hyper-V Manager."::: + :::image type="content" source="./images/mcc-isp-hyper-v-vm-settings.png" alt-text="Screenshot of the settings for a VM in Hyper-V Manager."::: 1. Select **Security**. Disable the option to **Enable Secure Boot**. - :::image type="content" source="images/imcc40.png" alt-text="Security page of VM settings in Hyper-V Manager."::: + :::image type="content" source="./images/mcc-isp-hyper-v-vm-security.png" alt-text="Screenshot of the security page from VM settings in Hyper-V Manager."::: 1. Select **Processor**. Increase the number of virtual processors. This example shows `12`, but your configuration may vary. - :::image type="content" source="images/imcc41.png" alt-text="Processor page of VM settings in Hyper-V Manager."::: + :::image type="content" source="./images/mcc-isp-hyper-v-vm-processor.png" alt-text="Screenshot of the processor page from VM settings in Hyper-V Manager."::: 1. Start the VM and select **Install Ubuntu**. - :::image type="content" source="images/imcc42.png" alt-text="GNU GRUB screen, select Install Ubuntu."::: + :::image type="content" source="./images/mcc-isp-gnu-grub.png" alt-text="Screenshot of the GNU GRUB screen, with Install Ubuntu selected."::: 1. Choose your default language. - :::image type="content" source="images/imcc43.png" alt-text="Ubuntu install, Welcome page, select language."::: + :::image type="content" source="./images/mcc-isp-ubuntu-language.png" alt-text="Screenshot of the Ubuntu install's language selection page."::: 1. Choose the options for installing updates and third party hardware. For example, download updates and install third party software drivers. 1. Select **Erase disk and install Ubuntu**. If you had a previous version of Ubuntu installed, we recommend erasing and installing Ubuntu 16.04. - :::image type="content" source="images/imcc45.png" alt-text="Ubuntu install, Installation type page, Erase disk and install Ubuntu."::: + :::image type="content" source="./images/mcc-isp-ubuntu-erase-disk.png" alt-text="Screenshot of the Ubuntu install Installation type page with the Erase disk and install Ubuntu option selected."::: Review the warning about writing changes to disk, and select **Continue**. - :::image type="content" source="images/imcc46.png" alt-text="Ubuntu install, 'Write the changes to disks' warning."::: + :::image type="content" source="./images/mcc-isp-ubuntu-write-changes.png" alt-text="Screenshot of the Ubuntu install's 'Write the changes to disks' warning."::: 1. Choose the time zone. - :::image type="content" source="images/imcc47.png" alt-text="Ubuntu install, 'Where are you page' to specify time zone."::: + :::image type="content" source="./images/mcc-isp-ubuntu-time-zone.png" alt-text="Screenshot of the Ubuntu install's 'Where are you page' to specify time zone."::: 1. Choose the keyboard layout. - :::image type="content" source="images/imcc48.png" alt-text="Ubuntu install, Keyboard layout page."::: + :::image type="content" source="./images/mcc-isp-ubuntu-keyboard.png" alt-text="Screenshot of the Ubuntu install's Keyboard layout page."::: 1. Specify your name, a name for the computer, a username, and a strong password. Select the option to **Require my password to log in**. > [!TIP] > Everything is case sensitive in Linux. - :::image type="content" source="images/imcc50.png" alt-text="Ubuntu install, 'Who are you' screen."::: + :::image type="content" source="./images/mcc-isp-ubuntu-who.png" alt-text="Screenshot of the Ubuntu install's, 'Who are you' screen."::: 1. To complete the installation, select **Restart now**. - :::image type="content" source="images/imcc51.png" alt-text="Ubuntu install, installation complete, restart now."::: + :::image type="content" source="./images/mcc-isp-ubuntu-restart.png" alt-text="Screenshot of the Ubuntu install's installation complete, restart now screen."::: 1. After the computer restarts, sign in with the username and password. > [!IMPORTANT] > If it shows that an upgrade is available, select **Don't upgrade**. > - > :::image type="content" source="images/imcc52.png" alt-text="Ubuntu install, Upgrade Available prompt, Don't Upgrade."::: + > :::image type="content" source="./images/mcc-isp-ubuntu-upgrade.png" alt-text="Screenshot of the Ubuntu install's Upgrade Available prompt with Don't Upgrade selected."::: Your Ubuntu VM is now ready to [Install MCC](#install-mcc). @@ -735,6 +723,6 @@ For more information on Azure IoT Edge, see the [Azure IoT Edge documentation](/ ## Related articles -[Microsoft Connected Cache for enterprise and education](mcc-enterprise.md) +[Microsoft Connected Cache overview](waas-microsoft-connected-cache.md) [Introducing Microsoft Connected Cache](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/introducing-microsoft-connected-cache-microsoft-s-cloud-managed/ba-p/963898) diff --git a/windows/deployment/do/waas-delivery-optimization-faq.yml b/windows/deployment/do/waas-delivery-optimization-faq.yml index 0fe613a87a..0827ee5979 100644 --- a/windows/deployment/do/waas-delivery-optimization-faq.yml +++ b/windows/deployment/do/waas-delivery-optimization-faq.yml @@ -2,28 +2,20 @@ metadata: title: Delivery Optimization Frequently Asked Questions description: The following is a list of frequently asked questions for Delivery Optimization. - ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee ms.reviewer: aaroncz - ms.prod: m365-security - ms.mktglfcycl: explore - ms.sitesec: library - ms.pagetype: security - ms.localizationpriority: medium + ms.prod: windows-client author: carmenf ms.author: carmenf manager: dougeby - audience: ITPro + ms.technology: itpro-updates ms.collection: - - M365-security-compliance - highpri ms.topic: faq ms.date: 08/04/2022 - ms.custom: seo-marvel-apr2020 title: Delivery Optimization Frequently Asked Questions summary: | **Applies to** - - Windows 10 - - Windows 11 + - Windows 10 and later sections: diff --git a/windows/deployment/do/waas-delivery-optimization-reference.md b/windows/deployment/do/waas-delivery-optimization-reference.md index 22dff75ed5..6564dcd26e 100644 --- a/windows/deployment/do/waas-delivery-optimization-reference.md +++ b/windows/deployment/do/waas-delivery-optimization-reference.md @@ -7,10 +7,10 @@ ms.prod: windows-client author: carmenf ms.localizationpriority: medium ms.author: carmenf -ms.collection: M365-modern-desktop ms.topic: article ms.custom: seo-marvel-apr2020 ms.technology: itpro-updates +ms.date: 12/31/2017 --- # Delivery Optimization reference @@ -64,7 +64,7 @@ In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimiz | [Delay foreground download cache server fallback (in secs)](#delay-foreground-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackForeground | 1903 | | [Delay background download cache server fallback (in secs)](#delay-background-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackBackground | 1903 | | [Cache Server Hostname](#cache-server-hostname) | DOCacheHost | 1809 | -| [Cache Server Hostname Source](#cache-server-hostname-source) | DOCacheHostSource | 1809 | +| [Cache Server Hostname Source](#cache-server-hostname-source) | DOCacheHostSource | 2004 | | [Maximum Foreground Download Bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) | DOMaxForegroundDownloadBandwidth | 2004 | | [Maximum Background Download Bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) | DOMaxBackgroundDownloadBandwidth | 2004 | @@ -146,7 +146,7 @@ Starting in Windows 10, version 1803, set this policy to restrict peer selection - 4 = DNS Suffix - 5 = Starting with Windows 10, version 1903, you can use the Azure Active Directory (AAD) Tenant ID as a means to define groups. To do this set the value for DOGroupIdSource to its new maximum value of 5. -When set, the Group ID is assigned automatically from the selected source. If you set this policy, the GroupID policy will be ignored. The option set in this policy only applies to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. If you set the value to anything other than 0-5, the policy is ignored. +When set, the Group ID is assigned automatically from the selected source. If you set this policy, the GroupID policy will be ignored. The default behavior, when neither the GroupID or GroupIDSource policies are set, is to determine the Group ID using AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. If GroupIDSource is set to either DHCP Option ID (3) or DNS Suffix (4) and those methods fail, the default behavior is used instead. The option set in this policy only applies to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. If you set the value to anything other than 0-5, the policy is ignored. ### Minimum RAM (inclusive) allowed to use Peer Caching diff --git a/windows/deployment/do/waas-delivery-optimization-setup.md b/windows/deployment/do/waas-delivery-optimization-setup.md index ff28a0815c..8b49d9f487 100644 --- a/windows/deployment/do/waas-delivery-optimization-setup.md +++ b/windows/deployment/do/waas-delivery-optimization-setup.md @@ -1,16 +1,15 @@ --- title: Set up Delivery Optimization -ms.reviewer: -manager: dougeby description: In this article, learn how to set up Delivery Optimization. -ms.prod: windows-client author: carmenf -ms.localizationpriority: medium ms.author: carmenf -ms.collection: M365-modern-desktop -ms.topic: article -ms.custom: seo-marvel-apr2020 +ms.reviewer: mstewart +manager: aaroncz +ms.prod: windows-client ms.technology: itpro-updates +ms.localizationpriority: medium +ms.topic: how-to +ms.date: 12/19/2022 --- # Set up Delivery Optimization for Windows @@ -28,7 +27,7 @@ You can use Group Policy or an MDM solution like Intune to configure Delivery Op You will find the Delivery Optimization settings in Group Policy under **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization**. -Starting with Microsoft Intune version 1902, you can set many Delivery Optimization policies as a profile, which you can then apply to groups of devices. For more information, see [Delivery Optimization settings in Microsoft Intune](/intune/delivery-optimization-windows). +Starting with Microsoft Intune version 1902, you can set many Delivery Optimization policies as a profile, which you can then apply to groups of devices. For more information, see [Delivery Optimization settings in Microsoft Intune](/mem/intune/configuration/delivery-optimization-windows). **Starting with Windows 10, version 1903**, you can use the Azure Active Directory (Azure AD) Tenant ID as a means to define groups. To do this set the value for DOGroupIdSource to its new maximum value of 5. @@ -68,7 +67,7 @@ For this scenario, grouping devices by domain allows devices to be included in p To do this in Group Policy go to **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Download mode** to **2**. -To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set DODownloadMode to 1 or 2. +To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set [DODownloadMode](/windows/client-management/mdm/policy-csp-deliveryoptimization#dodownloadmode) to 1 or 2. ### Hub and spoke topology with boundary groups @@ -76,10 +75,10 @@ The default download mode setting is **1**; this means all devices breaking out To do this in Group Policy go to ****Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Download mode** to **2**. -To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set **DODownloadMode** to **2**. +To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set [DODownloadMode](/windows/client-management/mdm/policy-csp-deliveryoptimization#dodownloadmode) to **2**. > [!NOTE] -> For more about using Delivery Optimization with Configuration Manager boundary groups, see [Delivery Optmization](/mem/configmgr/core/plan-design/hierarchy/fundamental-concepts-for-content-management#delivery-optimization). +> For more information about using Delivery Optimization with Configuration Manager boundary groups, see [Delivery Optmization](/mem/configmgr/core/plan-design/hierarchy/fundamental-concepts-for-content-management#delivery-optimization). ### Large number of mobile devices @@ -87,17 +86,15 @@ If you have a mobile workforce with a great many mobile devices, set Delivery Op To do this in Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Allow uploads while the device is on battery while under set Battery level** to 60. -To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set **DOMinBatteryPercentageAllowedToUpload** to 60. +To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set [DOMinBatteryPercentageAllowedToUpload](/windows/client-management/mdm/policy-csp-deliveryoptimization#dominbatterypercentageallowedtoupload) to 60. ### Plentiful free space and large numbers of devices Many devices now come with large internal drives. You can set Delivery Optimization to take better advantage of this space (especially if you have large numbers of devices) by changing the minimum file size to cache. If you have more than 30 devices in your local network or group, change it from the default 50 MB to 10 MB. If you have more than 100 devices (and are running Windows 10, version 1803 or later), set this value to 1 MB. -[//]: # (default of 50 aimed at consumer) - To do this in Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Minimum Peer Caching Content File Size** to 10 (if you have more than 30 devices) or 1 (if you have more than 100 devices). -To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set **DOMinFileSizeToCache** to 100 (if you have more than 30 devices) or 1 (if you have more than 100 devices). +To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set [DOMinFileSizeToCache](/windows/client-management/mdm/policy-csp-deliveryoptimization#dominfilesizetocache) to 100 (if you have more than 30 devices) or 1 (if you have more than 100 devices). ### Lab scenario @@ -105,7 +102,7 @@ In a lab situation, you typically have a large number of devices that are plugge To do this in Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Max Cache Age** to **604800** (7 days) or more (up to 30 days). -To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set DOMaxCacheAge to 7 or more (up to 30 days). +To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set [DOMaxCacheAge](/windows/client-management/mdm/policy-csp-deliveryoptimization#domaxcacheage) to 7 or more (up to 30 days). diff --git a/windows/deployment/do/waas-delivery-optimization.md b/windows/deployment/do/waas-delivery-optimization.md index d22068202b..149bfe398d 100644 --- a/windows/deployment/do/waas-delivery-optimization.md +++ b/windows/deployment/do/waas-delivery-optimization.md @@ -7,12 +7,11 @@ author: carmenf ms.localizationpriority: medium ms.author: carmenf ms.collection: - - M365-modern-desktop - - m365initiative-coredeploy - highpri ms.topic: article ms.custom: seo-marvel-apr2020 ms.technology: itpro-updates +ms.date: 12/31/2017 --- # What is Delivery Optimization? diff --git a/windows/deployment/do/waas-microsoft-connected-cache.md b/windows/deployment/do/waas-microsoft-connected-cache.md index d492d18d11..bc0d6223b6 100644 --- a/windows/deployment/do/waas-microsoft-connected-cache.md +++ b/windows/deployment/do/waas-microsoft-connected-cache.md @@ -6,12 +6,10 @@ ms.prod: windows-client author: carmenf ms.localizationpriority: medium ms.author: carmenf -ms.collection: - - M365-modern-desktop - - m365initiative-coredeploy ms.topic: article ms.custom: seo-marvel-apr2020 ms.technology: itpro-updates +ms.date: 12/31/2017 --- # Microsoft Connected Cache overview @@ -22,41 +20,40 @@ ms.technology: itpro-updates - Windows 11 > [!IMPORTANT] -> Microsoft Connected Cache is currently a private preview feature. During this phase we invite customers to take part in early access for testing purposes. This phase does not include formal support, and should not be used for production workloads. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). +> Microsoft Connected Cache is currently a preview feature. To view our early preview documentation, visit [Microsoft Connected Cache for Internet Service Providers (ISPs)](mcc-isp.md). For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). Microsoft Connected Cache (MCC) preview is a software-only caching solution that delivers Microsoft content within Enterprise networks. MCC can be deployed to as many bare-metal servers or VMs as needed, and is managed from a cloud portal. Cache nodes are created in the cloud portal and are configured by applying the client policy using management tools such as Intune. -MCC is a hybrid (mix of on-prem and cloud resources) SaaS solution built as an Azure IoT Edge module and Docker compatible Linux container deployed to your Windows devices. The Delivery Optimization team chose IoT Edge for Linux on Windows (EFLOW) as a secure, reliable container management infrastructure. EFLOW is a Linux virtual machine, based on Microsoft's first party CBL-Mariner operating system. It’s built with the IoT Edge runtime and validated as a tier 1 supported environment for IoT Edge workloads. MCC will be a Linux IoT Edge module running on the Windows Host OS. +MCC is a hybrid (mix of on-premises and cloud resources) SaaS solution built as an Azure IoT Edge module and Docker compatible Linux container deployed to your Windows devices. The Delivery Optimization team chose IoT Edge for Linux on Windows (EFLOW) as a secure, reliable container management infrastructure. EFLOW is a Linux virtual machine, based on Microsoft's first party CBL-Mariner operating system. It’s built with the IoT Edge runtime and validated as a tier 1 supported environment for IoT Edge workloads. MCC will be a Linux IoT Edge module running on the Windows Host OS. -Even though your MCC scenario is not related to IoT, Azure IoT Edge is used as a more generic Linux container deployment and management infrastructure. The Azure IoT Edge runtime sits on your designated MCC device and performs management and communication operations. The runtime performs several functions important to manage MCC on your edge device: +Even though your MCC scenario isn't related to IoT, Azure IoT Edge is used as a more generic Linux container deployment and management infrastructure. The Azure IoT Edge runtime sits on your designated MCC device and performs management and communication operations. The runtime performs several functions important to manage MCC on your edge device: 1. Installs and updates MCC on your edge device. -2. Maintains Azure IoT Edge security standards on your edge device. -3. Ensures that MCC is always running. -4. Reports MCC health and usage to the cloud for remote monitoring. +1. Maintains Azure IoT Edge security standards on your edge device. +1. Ensures that MCC is always running. +1. Reports MCC health and usage to the cloud for remote monitoring. To deploy a functional MCC to your device, you must obtain the necessary keys to provision the Connected Cache instance that communicates with Delivery Optimization services, and enable the device to cache and deliver content. The architecture of MCC is described below. -For more details information on Azure IoT Edge, please see the Azure IoT Edge [documentation](/azure/iot-edge/about-iot-edge). +For more information on Azure IoT Edge, see the Azure IoT Edge [documentation](/azure/iot-edge/about-iot-edge). ## How MCC Works 1. The Azure Management Portal is used to create MCC nodes. -2. The MCC container is deployed and provisioned to the server using the installer provided in the portal. -3. Client policy is set in your management solution to point to the IP address or FQDN of the cache server. -4. Microsoft end-user devices make range requests for content from the MCC node. -5. The MCC node pulls content from the CDN, seeds its local cache stored on disk, and delivers the content to the client. -6. Subsequent requests from end-user devices for content will now come from cache. -7. If the MCC node is unavailable, the client will pull content from CDN to ensure uninterrupted service for your subscribers. +1. The MCC container is deployed and provisioned to the server using the installer provided in the portal. +1. Client policy is set in your management solution to point to the IP address or FQDN of the cache server. +1. Microsoft end-user devices make range requests for content from the MCC node. +1. The MCC node pulls content from the CDN, seeds its local cache stored on disk, and delivers the content to the client. +1. Subsequent requests from end-user devices for content will now come from cache. +1. If the MCC node is unavailable, the client will pull content from CDN to ensure uninterrupted service for your subscribers. -See the following diagram. +The following diagram displays and overview of how MCC functions: -![MCC Overview](images/waas-mcc-diag-overview.png#lightbox) +:::image type="content" source="./images/waas-mcc-diag-overview.png" alt-text="Diagram displaying the components of MCC." lightbox="./images/waas-mcc-diag-overview.png"::: -For more information about MCC, see the following articles: -- [Microsoft Connected Cache for Enterprise and Education](mcc-enterprise.md) -- [Microsoft Connected Cache for ISPs](mcc-isp.md) -## Also see -[Introducing Microsoft Connected Cache](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/introducing-microsoft-connected-cache-microsoft-s-cloud-managed/ba-p/963898) \ No newline at end of file +## Next steps + +- [Microsoft Connected Cache for Enterprise and Education](mcc-enterprise-prerequisites.md) +- [Microsoft Connected Cache for ISPs](mcc-isp-signup.md) diff --git a/windows/deployment/do/waas-optimize-windows-10-updates.md b/windows/deployment/do/waas-optimize-windows-10-updates.md index 75f5fb76b3..5d39e69f91 100644 --- a/windows/deployment/do/waas-optimize-windows-10-updates.md +++ b/windows/deployment/do/waas-optimize-windows-10-updates.md @@ -9,6 +9,7 @@ ms.reviewer: manager: dougeby ms.topic: article ms.technology: itpro-updates +ms.date: 12/31/2017 --- # Optimize Windows update delivery diff --git a/windows/deployment/do/whats-new-do.md b/windows/deployment/do/whats-new-do.md index 3609de6b15..3239c88eeb 100644 --- a/windows/deployment/do/whats-new-do.md +++ b/windows/deployment/do/whats-new-do.md @@ -6,12 +6,10 @@ ms.prod: windows-client author: carmenf ms.localizationpriority: medium ms.author: carmenf -ms.collection: - - M365-modern-desktop - - m365initiative-coredeploy ms.topic: article ms.custom: seo-marvel-apr2020 ms.technology: itpro-updates +ms.date: 12/31/2017 --- # What's new in Delivery Optimization @@ -21,7 +19,7 @@ ms.technology: itpro-updates - Windows 10 - Windows 11 -## Microsoft Connected Cache (private preview) +## Microsoft Connected Cache (early preview) Microsoft Connected Cache (MCC) is a software-only caching solution that delivers Microsoft content within Enterprise networks. MCC can be deployed to as many bare-metal servers or VMs as needed, and is managed from a cloud portal. Cache nodes are created in the cloud portal and are configured by applying the client policy using management tools such as Intune. diff --git a/windows/deployment/index.yml b/windows/deployment/index.yml index 7c6b7cb6ed..58bb72052d 100644 --- a/windows/deployment/index.yml +++ b/windows/deployment/index.yml @@ -6,12 +6,10 @@ summary: Learn about deploying and keeping Windows client devices up to date. # metadata: title: Windows client deployment resources and documentation # Required; page title displayed in search results. Include the brand. < 60 chars. description: Learn about deploying Windows 10 and keeping it up to date in your organization. # Required; article description that is displayed in search results. < 160 chars. - services: windows-10 - ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. - ms.subservice: subservice - ms.topic: landing-page # Required + ms.topic: landing-page + ms.technology: itpro-apps + ms.prod: windows-client ms.collection: - - windows-10 - highpri author: frankroj ms.author: frankroj diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md index 5bae3977a7..eb154e5d93 100644 --- a/windows/deployment/mbr-to-gpt.md +++ b/windows/deployment/mbr-to-gpt.md @@ -4,7 +4,7 @@ description: Use MBR2GPT.EXE to convert a disk from the Master Boot Record (MBR) ms.prod: windows-client author: frankroj ms.author: frankroj -ms.date: 10/31/2022 +ms.date: 11/23/2022 manager: aaroncz ms.localizationpriority: high ms.topic: article @@ -15,18 +15,19 @@ ms.technology: itpro-deploy # MBR2GPT.EXE -**Applies to** -- Windows 10 +*Applies to:* -**MBR2GPT.EXE** converts a disk from the Master Boot Record (MBR) to the GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool runs from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS) by using the **/allowFullOS** option. +- Windows 10 -MBR2GPT.EXE is located in the **Windows\\System32** directory on a computer running Windows 10 version 1703 (also known as the Creator's Update) or later. +**MBR2GPT.EXE** converts a disk from the Master Boot Record (MBR) to the GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool runs from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS) by using the **`/allowFullOS`** option. + +MBR2GPT.EXE is located in the **`Windows\System32`** directory on a computer running Windows 10 version 1703 or later. The tool is available in both the full OS environment and Windows PE. To use this tool in a deployment task sequence with Configuration Manager or Microsoft Deployment Toolkit (MDT), you must first update the Windows PE image (winpe.wim, boot.wim) with the [Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) 1703, or a later version. See the following video for a detailed description and demonstration of MBR2GPT. - +> [!VIDEO https://www.youtube-nocookie.com/embed/hfJep4hmg9o] You can use MBR2GPT to: @@ -45,6 +46,7 @@ Offline conversion of system disks with earlier versions of Windows installed, s ## Disk Prerequisites Before any change to the disk is made, MBR2GPT validates the layout and geometry of the selected disk to ensure that: + - The disk is currently using MBR - There's enough space not occupied by partitions to store the primary and secondary GPTs: - 16 KB + 2 sectors at the front of the disk @@ -66,21 +68,21 @@ If any of these checks fails, the conversion won't proceed, and an error will be | Option | Description | |----|-------------| -|/validate| Instructs MBR2GPT.exe to perform only the disk validation steps and report whether the disk is eligible for conversion. | -|/convert| Instructs MBR2GPT.exe to perform the disk validation and to proceed with the conversion if all validation tests pass. | -|/disk:\| Specifies the disk number of the disk to be converted to GPT. If not specified, the system disk is used. The mechanism used is the same as used by the diskpart.exe tool **SELECT DISK SYSTEM** command.| -|/logs:\| Specifies the directory where MBR2GPT.exe logs should be written. If not specified, **%windir%** is used. If specified, the directory must already exist, it will not be automatically created or overwritten.| -|/map:\=\| Specifies other partition type mappings between MBR and GPT. The MBR partition number is specified in decimal notation, not hexadecimal. The GPT GUID can contain brackets, for example: **/map:42={af9b60a0-1431-4f62-bc68-3311714a69ad}**. Multiple /map options can be specified if multiple mappings are required. | -|/allowFullOS| By default, MBR2GPT.exe is blocked unless it's run from Windows PE. This option overrides this block and enables disk conversion while running in the full Windows environment.
    **Note**: Since the existing MBR system partition is in use while running the full Windows environment, it can't be reused. In this case, a new ESP is created by shrinking the OS partition.| +|**/validate**| Instructs `MBR2GPT.exe` to perform only the disk validation steps and report whether the disk is eligible for conversion. | +|**/convert**| Instructs `MBR2GPT.exe` to perform the disk validation and to proceed with the conversion if all validation tests pass. | +|**/disk:*\***| Specifies the disk number of the disk to be converted to GPT. If not specified, the system disk is used. The mechanism used is the same as used by the diskpart.exe tool **SELECT DISK SYSTEM** command.| +|**/logs:*\***| Specifies the directory where `MBR2GPT.exe` logs should be written. If not specified, **%windir%** is used. If specified, the directory must already exist, it will not be automatically created or overwritten.| +|**/map:*\*=*\***| Specifies other partition type mappings between MBR and GPT. The MBR partition number is specified in decimal notation, not hexadecimal. The GPT GUID can contain brackets, for example: **/map:42={af9b60a0-1431-4f62-bc68-3311714a69ad}**. Multiple /map options can be specified if multiple mappings are required. | +|**/allowFullOS**| By default, `MBR2GPT.exe` is blocked unless it's run from Windows PE. This option overrides this block and enables disk conversion while running in the full Windows environment.
    **Note**: Since the existing MBR system partition is in use while running the full Windows environment, it can't be reused. In this case, a new ESP is created by shrinking the OS partition.| ## Examples ### Validation example -In the following example, disk 0 is validated for conversion. Errors and warnings are logged to the default location, **%windir%**. +In the following example, disk 0 is validated for conversion. Errors and warnings are logged to the default location of **`%windir%`**. -```console -X:\>mbr2gpt /validate /disk:0 +```cmd +X:\>mbr2gpt.exe /validate /disk:0 MBR2GPT: Attempting to validate disk 0 MBR2GPT: Retrieving layout of disk MBR2GPT: Validating layout, disk sector size is: 512 @@ -92,16 +94,25 @@ MBR2GPT: Validation completed successfully In the following example: 1. Using DiskPart, the current disk partition layout is displayed prior to conversion - three partitions are present on the MBR disk (disk 0): a system reserved partition, a Windows partition, and a recovery partition. A DVD-ROM is also present as volume 0. + 2. The OS volume is selected, partitions are listed, and partition details are displayed for the OS partition. The [MBR partition type](/windows/win32/fileio/disk-partition-types) is **07** corresponding to the installable file system (IFS) type. -2. The MBR2GPT tool is used to convert disk 0. -3. The DiskPart tool displays that disk 0 is now using the GPT format. -4. The new disk layout is displayed - four partitions are present on the GPT disk: three are identical to the previous partitions and one is the new EFI system partition (volume 3). -5. The OS volume is selected again, and detail displays that it has been converted to the [GPT partition type](/windows/win32/api/winioctl/ns-winioctl-partition_information_gpt) of **ebd0a0a2-b9e5-4433-87c0-68b6b72699c7** corresponding to the **PARTITION_BASIC_DATA_GUID** type. + +3. The MBR2GPT tool is used to convert disk 0. + +4. The DiskPart tool displays that disk 0 is now using the GPT format. + +5. The new disk layout is displayed - four partitions are present on the GPT disk: three are identical to the previous partitions and one is the new EFI system partition (volume 3). + +6. The OS volume is selected again, and detail displays that it has been converted to the [GPT partition type](/windows/win32/api/winioctl/ns-winioctl-partition_information_gpt) of **ebd0a0a2-b9e5-4433-87c0-68b6b72699c7** corresponding to the **PARTITION_BASIC_DATA_GUID** type. As noted in the output from the MBR2GPT tool, you must make changes to the computer firmware so that the new EFI system partition will boot properly. -```console -X:\>DiskPart +
    +
    + Expand to show MBR2GPT example + +```cmd +X:\>DiskPart.exe Microsoft DiskPart version 10.0.15048.0 @@ -219,6 +230,8 @@ Offset in Bytes: 524288000 * Volume 1 D Windows NTFS Partition 58 GB Healthy ``` +
    + ## Specifications ### Disk conversion workflow @@ -259,17 +272,18 @@ Since GPT partitions use a different set of type IDs than MBR partitions, each p 4. All other MBR partitions recognized by Windows are converted to GPT partitions of type PARTITION_BASIC_DATA_GUID (ebd0a0a2-b9e5-4433-87c0-68b6b72699c7). In addition to applying the correct partition types, partitions of type PARTITION_MSFT_RECOVERY_GUID also have the following GPT attributes set: + - GPT_ATTRIBUTE_PLATFORM_REQUIRED (0x0000000000000001) - GPT_BASIC_DATA_ATTRIBUTE_NO_DRIVE_LETTER (0x8000000000000000) For more information about partition types, see: + - [GPT partition types](/windows/win32/api/winioctl/ns-winioctl-partition_information_gpt) - [MBR partition types](/windows/win32/fileio/disk-partition-types) - ### Persisting drive letter assignments -The conversion tool will attempt to remap all drive letter assignment information contained in the registry that corresponds to the volumes of the converted disk. If a drive letter assignment can't be restored, an error will be displayed at the console and in the log, so that you can manually perform the correct assignment of the drive letter. +The conversion tool will attempt to remap all drive letter assignment information contained in the registry that corresponds to the volumes of the converted disk. If a drive letter assignment can't be restored, an error will be displayed at the console and in the log, so that you can manually perform the correct assignment of the drive letter. > [!IMPORTANT] > This code runs after the layout conversion has taken place, so the operation cannot be undone at this stage. @@ -293,7 +307,7 @@ Four log files are created by the MBR2GPT tool: - setupact.log - setuperr.log -These files contain errors and warnings encountered during disk validation and conversion. Information in these files can be helpful in diagnosing problems with the tool. The setupact.log and setuperr.log files will have the most detailed information about disk layouts, processes, and other information pertaining to disk validation and conversion. +These files contain errors and warnings encountered during disk validation and conversion. Information in these files can be helpful in diagnosing problems with the tool. The setupact.log and setuperr.log files will have the most detailed information about disk layouts, processes, and other information pertaining to disk validation and conversion. > [!NOTE] > The setupact*.log files are different than the Windows Setup files that are found in the %Windir%\Panther directory. @@ -302,12 +316,12 @@ The default location for all these log files in Windows PE is **%windir%**. ### Interactive help -To view a list of options available when using the tool, type **mbr2gpt /?** +To view a list of options available when using the tool, enter **`mbr2gpt.exe /?`** The following text is displayed: -```console -C:\> mbr2gpt /? +```cmd +C:\> mbr2gpt.exe /? Converts a disk from MBR to GPT partitioning without modifying or deleting data on the disk. @@ -348,19 +362,18 @@ MBR2GPT has the following associated return codes: | Return code | Description | |----|-------------| -|0| Conversion completed successfully.| -|1| Conversion was canceled by the user.| -|2| Conversion failed due to an internal error.| -|3| Conversion failed due to an initialization error.| -|4| Conversion failed due to invalid command-line parameters. | -|5| Conversion failed due to error reading the geometry and layout of the selected disk.| -|6| Conversion failed because one or more volumes on the disk is encrypted.| -|7| Conversion failed because the geometry and layout of the selected disk don't meet requirements.| -|8| Conversion failed due to error while creating the EFI system partition.| -|9| Conversion failed due to error installing boot files.| -|10| Conversion failed due to error while applying GPT layout.| -|100| Conversion to GPT layout succeeded, but some boot configuration data entries couldn't be restored.| - +|**0**| Conversion completed successfully.| +|**1**| Conversion was canceled by the user.| +|**2**| Conversion failed due to an internal error.| +|**3**| Conversion failed due to an initialization error.| +|**4**| Conversion failed due to invalid command-line parameters. | +|**5**| Conversion failed due to error reading the geometry and layout of the selected disk.| +|**6**| Conversion failed because one or more volumes on the disk is encrypted.| +|**7**| Conversion failed because the geometry and layout of the selected disk don't meet requirements.| +|**8**| Conversion failed due to error while creating the EFI system partition.| +|**9**| Conversion failed due to error installing boot files.| +|**10**| Conversion failed due to error while applying GPT layout.| +|**100**| Conversion to GPT layout succeeded, but some boot configuration data entries couldn't be restored.| ### Determining the partition type @@ -381,8 +394,8 @@ You can also view the partition type of a disk by opening the Disk Management to If Windows PowerShell and Disk Management aren't available, such as when you're using Windows PE, you can determine the partition type at a command prompt with the DiskPart tool. To determine the partition style from a command line, type **diskpart** and then type **list disk**. See the following example: -```console -X:\>DiskPart +```cmd +X:\>DiskPart.exe Microsoft DiskPart version 10.0.15048.0 @@ -405,15 +418,15 @@ In this example, Disk 0 is formatted with the MBR partition style, and Disk 1 is When you start a Windows 10, version 1903-based computer in the Windows Preinstallation Environment (Windows PE), you encounter the following issues: -**Issue 1** When you run the MBR2GPT.exe command, the process exits without converting the drive. +**Issue 1** When you run the `MBR2GPT.exe` command, the process exits without converting the drive. -**Issue 2** When you manually run the MBR2GPT.exe command in a Command Prompt window, there's no output from the tool. +**Issue 2** When you manually run the `MBR2GPT.exe` command in a Command Prompt window, there's no output from the tool. -**Issue 3** When MBR2GPT.exe runs inside an imaging process such as a Microsoft Configuration Manager task sequence, an MDT task sequence, or by using a script, you receive the following exit code: 0xC0000135/3221225781. +**Issue 3** When `MBR2GPT.exe` runs inside an imaging process such as a Microsoft Configuration Manager task sequence, an MDT task sequence, or by using a script, you receive the following exit code: 0xC0000135/3221225781. #### Cause -This issue occurs because in Windows 10, version 1903 and later versions, MBR2GPT.exe requires access to the ReAgent.dll file. However, this dll file and its associated libraries are currently not included in the Windows PE boot image for Windows 10, version 1903 and later. +This issue occurs because in Windows 10, version 1903 and later versions, `MBR2GPT.exe` requires access to the ReAgent.dll file. However, this dll file and its associated libraries are currently not included in the Windows PE boot image for Windows 10, version 1903 and later. #### Workaround @@ -430,31 +443,31 @@ To fix this issue, mount the Windows PE image (WIM), copy the missing file from **Command 1:** - ```console + ```cmd copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Setup\amd64\Sources\ReAgent*.*" "C:\WinPE_Mount\Windows\System32" ``` - + This command copies three files: - * ReAgent.admx - * ReAgent.dll - * ReAgent.xml + - ReAgent.admx + - ReAgent.dll + - ReAgent.xml **Command 2:** - ```console + ```cmd copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Setup\amd64\Sources\En-Us\ReAgent*.*" "C:\WinPE_Mount\Windows\System32\En-Us" ``` - + This command copies two files: - * ReAgent.adml - * ReAgent.dll.mui + - ReAgent.adml + - ReAgent.dll.mui > [!NOTE] > If you aren't using an English version of Windows, replace "En-Us" in the path with the appropriate string that represents the system language. -3. After you copy all the files, commit the changes and unmount the Windows PE WIM. MBR2GPT.exe now functions as expected in Windows PE. For information about how to unmount WIM files while committing changes, see [Unmounting an image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#unmounting-an-image). +3. After you copy all the files, commit the changes and unmount the Windows PE WIM. `MBR2GPT.exe` now functions as expected in Windows PE. For information about how to unmount WIM files while committing changes, see [Unmounting an image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#unmounting-an-image). ## Related articles diff --git a/windows/deployment/planning/index.md b/windows/deployment/planning/index.md index cb2208b86e..4d26878cb9 100644 --- a/windows/deployment/planning/index.md +++ b/windows/deployment/planning/index.md @@ -21,7 +21,7 @@ Windows 10 provides new deployment capabilities, scenarios, and tools by buildin |[Windows 10 deployment considerations](windows-10-deployment-considerations.md) |There are new deployment options in Windows 10 that help you simplify the deployment process and automate migration of existing settings and applications. | |[Windows 10 compatibility](windows-10-compatibility.md) |Windows 10 will be compatible with most existing PC hardware; most devices running Windows 7, Windows 8, or Windows 8.1 will meet the requirements for Windows 10. | |[Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md) |There are specific infrastructure requirements to deploy and manage Windows 10 that should be in place prior to significant Windows 10 deployments within your organization. | -|[Features removed or planned for replacement](features-lifecycle.md) |Information is provided about Windows 10 features and functionality that are removed or planned for replacement. | +|[Features removed or planned for replacement](/windows/whats-new/feature-lifecycle) |Information is provided about Windows features and functionality that are removed or planned for replacement. | |[Application Compatibility Toolkit (ACT) Technical Reference](act-technical-reference.md) |The Microsoft® Application Compatibility Toolkit (ACT) helps you determine whether the applications, devices, and computers in your organization are compatible with versions of the Windows® operating system. | ## Related topics diff --git a/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md b/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md index f99d187140..6eeb930f19 100644 --- a/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md +++ b/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md @@ -8,6 +8,7 @@ ms.prod: windows-client author: frankroj ms.topic: article ms.technology: itpro-deploy +ms.date: 12/31/2017 --- # Security and data protection considerations for Windows To Go diff --git a/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml b/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml index bf3c38f95e..853855b43b 100644 --- a/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml +++ b/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml @@ -3,7 +3,8 @@ metadata: title: Windows 10 Enterprise FAQ for IT pros (Windows 10) description: Get answers to common questions around compatibility, installation, and support for Windows 10 Enterprise. keywords: Windows 10 Enterprise, download, system requirements, drivers, appcompat, manage updates, Windows as a service, servicing channels, deployment tools - ms.prod: w10 + ms.prod: windows-client + ms.technology: itpro-deploy ms.mktglfcycl: plan ms.localizationpriority: medium ms.sitesec: library diff --git a/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml b/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml index 848e407d94..c234ad4992 100644 --- a/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml +++ b/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml @@ -8,7 +8,8 @@ metadata: ms.author: frankroj manager: aaroncz keywords: FAQ, mobile, device, USB - ms.prod: w10 + ms.prod: windows-client + ms.technology: itpro-deploy ms.mktglfcycl: deploy ms.pagetype: mobility ms.sitesec: library diff --git a/windows/deployment/s-mode.md b/windows/deployment/s-mode.md index eaba8cdb52..6263da1c9b 100644 --- a/windows/deployment/s-mode.md +++ b/windows/deployment/s-mode.md @@ -8,7 +8,7 @@ author: frankroj ms.author: frankroj ms.topic: article ms.custom: seo-marvel-apr2020 -ms.date: 10/31/2022 +ms.date: 11/23/2022 ms.technology: itpro-deploy --- @@ -20,15 +20,15 @@ S mode is an evolution of the S SKU introduced with Windows 10 April 2018 Update ## S mode key features -**Microsoft-verified security** +### Microsoft-verified security With Windows 10 in S mode, you'll find your favorite applications, such as Office, Evernote, and Spotify in the Microsoft Store where they're Microsoft-verified for security. You can also feel secure when you're online. Microsoft Edge, your default browser, gives you protection against phishing and socially engineered malware. -**Performance that lasts** +### Performance that lasts Start-ups are quick, and S mode is built to keep them that way. With Microsoft Edge as your browser, your online experience is fast and secure. Plus, you'll enjoy a smooth, responsive experience, whether you're streaming HD video, opening apps, or being productive on the go. -**Choice and flexibility** +### Choice and flexibility Save your files to your favorite cloud, like OneDrive or Dropbox, and access them from any device you choose. Browse the Microsoft Store for thousands of apps, and if you don't find exactly what you want, you can easily [switch out of S mode](./windows-10-pro-in-s-mode.md) to Windows 10 Home, Pro, or Enterprise editions at any time and search the web for more choices, as shown below. @@ -49,6 +49,6 @@ The [MSIX Packaging Tool](/windows/application-management/msix-app-packaging-too ## Related links - [Consumer applications for S mode](https://www.microsoft.com/windows/s-mode) -- [S mode devices](https://www.microsoft.com/en-us/windows/view-all-devices) +- [S mode devices](https://www.microsoft.com/windows/view-all-devices) - [Windows Defender Application Control deployment guide](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide) -- [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) +- [Microsoft Defender for Endpoint documentation](/microsoft-365/security/defender-endpoint/) diff --git a/windows/deployment/update/PSFxWhitepaper.md b/windows/deployment/update/PSFxWhitepaper.md index 7d41b154fe..0e62430e64 100644 --- a/windows/deployment/update/PSFxWhitepaper.md +++ b/windows/deployment/update/PSFxWhitepaper.md @@ -10,6 +10,7 @@ manager: dougeby ms.topic: article ms.custom: seo-marvel-apr2020 ms.technology: itpro-updates +ms.date: 12/31/2017 --- # Windows Updates using forward and reverse differentials diff --git a/windows/deployment/update/WIP4Biz-intro.md b/windows/deployment/update/WIP4Biz-intro.md index 97cc22efe7..9671062faf 100644 --- a/windows/deployment/update/WIP4Biz-intro.md +++ b/windows/deployment/update/WIP4Biz-intro.md @@ -9,6 +9,7 @@ manager: dougeby ms.reviewer: ms.topic: article ms.technology: itpro-updates +ms.date: 12/31/2017 --- # Introduction to the Windows Insider Program for Business diff --git a/windows/deployment/update/check-release-health.md b/windows/deployment/update/check-release-health.md index 007cd09674..d60d4df294 100644 --- a/windows/deployment/update/check-release-health.md +++ b/windows/deployment/update/check-release-health.md @@ -16,9 +16,6 @@ ms.custom: - 'O365E_ViewStatusServices' - 'O365E_ServiceHealthModern' - 'seo-marvel-apr2020' -ms.collection: - - Ent_O365 - - M365-subscription-management search.appverid: - MET150 - MOE150 diff --git a/windows/deployment/update/create-deployment-plan.md b/windows/deployment/update/create-deployment-plan.md index 5263372cb3..9db3fb6b10 100644 --- a/windows/deployment/update/create-deployment-plan.md +++ b/windows/deployment/update/create-deployment-plan.md @@ -5,10 +5,10 @@ ms.prod: windows-client author: aczechowski ms.localizationpriority: medium ms.author: aaroncz -ms.collection: m365initiative-coredeploy manager: dougeby ms.topic: article ms.technology: itpro-updates +ms.date: 12/31/2017 --- # Create a deployment plan diff --git a/windows/deployment/update/deploy-updates-configmgr.md b/windows/deployment/update/deploy-updates-configmgr.md index a7aa23afba..e15dae5bcc 100644 --- a/windows/deployment/update/deploy-updates-configmgr.md +++ b/windows/deployment/update/deploy-updates-configmgr.md @@ -9,6 +9,7 @@ ms.reviewer: manager: dougeby ms.topic: article ms.technology: itpro-updates +ms.date: 12/31/2017 --- # Deploy Windows 10 updates with Configuration Manager diff --git a/windows/deployment/update/deploy-updates-intune.md b/windows/deployment/update/deploy-updates-intune.md index 31deefe3f5..f81e158e4b 100644 --- a/windows/deployment/update/deploy-updates-intune.md +++ b/windows/deployment/update/deploy-updates-intune.md @@ -11,6 +11,7 @@ ms.topic: article ms.technology: itpro-updates ms.collection: - highpri +ms.date: 12/31/2017 --- # Deploy Windows 10 updates with Intune diff --git a/windows/deployment/update/deployment-service-overview.md b/windows/deployment/update/deployment-service-overview.md index 5ae667d595..b04b472ad9 100644 --- a/windows/deployment/update/deployment-service-overview.md +++ b/windows/deployment/update/deployment-service-overview.md @@ -10,6 +10,7 @@ ms.reviewer: manager: dougeby ms.topic: article ms.technology: itpro-updates +ms.date: 12/31/2017 --- @@ -35,14 +36,14 @@ The service is privacy focused and backed by leading industry compliance certifi ## How it works -The deployment service complements existing Windows Update for Business capabilities, including existing device policies and [Update Compliance](update-compliance-monitor.md). +The deployment service complements existing Windows Update for Business capabilities, including existing device policies and [Windows Update for Businesss reports](wufb-reports-overview.md). :::image type="content" source="media/wufbds-product-large.png" alt-text="Elements in following text."::: Windows Update for Business comprises three elements: - Client policy to govern update experiences and timing – available through Group Policy and CSPs - Deployment service APIs to approve and schedule specific updates – available through the Microsoft Graph and associated SDKs (including PowerShell) -- Update Compliance to monitor update deployment – available through the Azure Marketplace +- Windows Update for Business reports to monitor update deployment Unlike existing client policy, the deployment service doesn't interact with devices directly. The service is native to the cloud and all operations take place between various Microsoft services. It creates a direct communication channel between a management tool (including scripting tools such as Windows PowerShell) and the Windows Update service so that the approval and offering of content can be directly controlled by an IT Pro. diff --git a/windows/deployment/update/deployment-service-troubleshoot.md b/windows/deployment/update/deployment-service-troubleshoot.md index cf7599e9c8..8d974c72fe 100644 --- a/windows/deployment/update/deployment-service-troubleshoot.md +++ b/windows/deployment/update/deployment-service-troubleshoot.md @@ -10,6 +10,7 @@ ms.reviewer: manager: dougeby ms.topic: article ms.technology: itpro-updates +ms.date: 12/31/2017 --- diff --git a/windows/deployment/update/eval-infra-tools.md b/windows/deployment/update/eval-infra-tools.md index 29d681f691..29557c5e99 100644 --- a/windows/deployment/update/eval-infra-tools.md +++ b/windows/deployment/update/eval-infra-tools.md @@ -7,8 +7,8 @@ ms.author: aaroncz manager: dougeby ms.localizationpriority: medium ms.topic: article -ms.collection: m365initiative-coredeploy ms.technology: itpro-updates +ms.date: 12/31/2017 --- # Evaluate infrastructure and tools diff --git a/windows/deployment/update/feature-update-user-install.md b/windows/deployment/update/feature-update-user-install.md index de573530ce..019f4f5331 100644 --- a/windows/deployment/update/feature-update-user-install.md +++ b/windows/deployment/update/feature-update-user-install.md @@ -8,7 +8,6 @@ ms.author: aaroncz ms.date: 07/10/2018 ms.reviewer: manager: dougeby -ms.collection: M365-modern-desktop ms.topic: article ms.custom: seo-marvel-apr2020 ms.technology: itpro-updates diff --git a/windows/deployment/update/get-started-updates-channels-tools.md b/windows/deployment/update/get-started-updates-channels-tools.md index d53be32342..777e52fd68 100644 --- a/windows/deployment/update/get-started-updates-channels-tools.md +++ b/windows/deployment/update/get-started-updates-channels-tools.md @@ -8,6 +8,7 @@ ms.author: aaroncz manager: dougeby ms.topic: article ms.technology: itpro-updates +ms.date: 12/31/2017 --- # Windows client updates, channels, and tools diff --git a/windows/deployment/update/how-windows-update-works.md b/windows/deployment/update/how-windows-update-works.md index 492051959d..4a82f9dda6 100644 --- a/windows/deployment/update/how-windows-update-works.md +++ b/windows/deployment/update/how-windows-update-works.md @@ -6,11 +6,10 @@ author: aczechowski ms.localizationpriority: medium ms.author: aaroncz manager: dougeby -ms.collection: - - M365-modern-desktop ms.topic: article ms.custom: seo-marvel-apr2020 ms.technology: itpro-updates +ms.date: 12/31/2017 --- # How Windows Update works diff --git a/windows/deployment/update/images/update-terminology.png b/windows/deployment/update/images/update-terminology.png index 803c35d447..81e1b28320 100644 Binary files a/windows/deployment/update/images/update-terminology.png and b/windows/deployment/update/images/update-terminology.png differ diff --git a/windows/deployment/update/images/wufb-do-overview.png b/windows/deployment/update/images/wufb-do-overview.png new file mode 100644 index 0000000000..bacdb44d25 Binary files /dev/null and b/windows/deployment/update/images/wufb-do-overview.png differ diff --git a/windows/deployment/update/includes/wufb-reports-recommend.md b/windows/deployment/update/includes/wufb-reports-recommend.md index 7a8c702ba0..94e46ac38f 100644 --- a/windows/deployment/update/includes/wufb-reports-recommend.md +++ b/windows/deployment/update/includes/wufb-reports-recommend.md @@ -5,10 +5,10 @@ manager: aaroncz ms.prod: w10 ms.collection: M365-modern-desktop ms.topic: include -ms.date: 11/04/2022 +ms.date: 12/05/2022 ms.localizationpriority: medium --- > [!Important] -> If you're using Update Compliance, it's highly recommended that you start transitioning to Windows Update for Business reports. For more information, see [Windows Update for Business reports overview](..\wufb-reports-overview.md). +> Update Compliance is [deprecated](/windows/whats-new/deprecated-features) and is no longer accepting new onboarding requests. Update Compliance has been replaced by [Windows Update for Business reports](..\wufb-reports-overview.md). If you're currently using Update Compliance, you can continue to use it, but you can't change your `CommercialID`. Support for Update Compliance will end on March 31, 2023 when the service will be [retired](/windows/whats-new/feature-lifecycle#terminology). diff --git a/windows/deployment/update/index.md b/windows/deployment/update/index.md index 352013a1ea..a9e7a9592a 100644 --- a/windows/deployment/update/index.md +++ b/windows/deployment/update/index.md @@ -8,6 +8,7 @@ ms.localizationpriority: high ms.author: aaroncz ms.topic: article ms.technology: itpro-updates +ms.date: 12/31/2017 --- # Update Windows client in enterprise deployments @@ -33,7 +34,7 @@ Windows as a service provides a new way to think about building, deploying, and | [Overview of Windows as a service](waas-overview.md) | Explains the differences in building, deploying, and servicing Windows client; introduces feature updates, quality updates, and the different servicing branches; compares servicing tools. | | [Prepare servicing strategy for Windows client updates](waas-servicing-strategy-windows-10-updates.md) | Explains the decisions you need to make in your servicing strategy. | | [Assign devices to servicing branches for Windows client updates](waas-servicing-channels-windows-10-updates.md) | Explains how to assign devices to the General Availability Channel for feature and quality updates, and how to enroll devices in Windows Insider. | -| [Monitor Windows Updates with Update Compliance](update-compliance-monitor.md) | Explains how to use Update Compliance to monitor and manage Windows Updates on devices in your organization. | +| [Monitor Windows Updates with Windows Update for Business reports](wufb-reports-overview.md) | Explains how to use Windows Update for Business reports to monitor and manage Windows Updates on devices in your organization. | | [Optimize update delivery](../do/waas-optimize-windows-10-updates.md) | Explains the benefits of using Delivery Optimization or BranchCache for update distribution. | | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) | Explains how to use Windows Update for Business to manage when devices receive updates directly from Windows Update. Includes walkthroughs for configuring Windows Update for Business using Group Policy and Microsoft Intune. | | [Deploy Windows client updates using Windows Server Update Services (WSUS)](waas-manage-updates-wsus.md) | Explains how to use WSUS to manage Windows client updates. | diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md index 7470c798bc..83136ce4d4 100644 --- a/windows/deployment/update/media-dynamic-update.md +++ b/windows/deployment/update/media-dynamic-update.md @@ -6,10 +6,9 @@ author: SteveDiAcetis ms.localizationpriority: medium ms.author: aaroncz manager: dougeby -ms.collection: - - M365-modern-desktop ms.topic: article ms.technology: itpro-updates +ms.date: 12/31/2017 --- # Update Windows installation media with Dynamic Update diff --git a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md index a200aba260..d9091e373e 100644 --- a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md +++ b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md @@ -8,6 +8,7 @@ author: lizgt2000 ms.reviewer: manager: aaroncz ms.technology: itpro-updates +ms.date: 12/31/2017 --- # Olympia Corp diff --git a/windows/deployment/update/optional-content.md b/windows/deployment/update/optional-content.md index 6dc355433f..b362518be7 100644 --- a/windows/deployment/update/optional-content.md +++ b/windows/deployment/update/optional-content.md @@ -6,9 +6,9 @@ author: aczechowski ms.localizationpriority: medium ms.author: aaroncz manager: dougeby -ms.collection: M365-modern-desktop ms.topic: article ms.technology: itpro-updates +ms.date: 12/31/2017 --- # Migrating and acquiring optional Windows content during updates diff --git a/windows/deployment/update/plan-define-readiness.md b/windows/deployment/update/plan-define-readiness.md index e0740e7232..e3399f0279 100644 --- a/windows/deployment/update/plan-define-readiness.md +++ b/windows/deployment/update/plan-define-readiness.md @@ -7,8 +7,8 @@ ms.author: aaroncz manager: dougeby ms.localizationpriority: medium ms.topic: article -ms.collection: m365initiative-coredeploy ms.technology: itpro-updates +ms.date: 12/31/2017 --- # Define readiness criteria diff --git a/windows/deployment/update/plan-define-strategy.md b/windows/deployment/update/plan-define-strategy.md index cacb1535bc..32d063dab3 100644 --- a/windows/deployment/update/plan-define-strategy.md +++ b/windows/deployment/update/plan-define-strategy.md @@ -7,8 +7,8 @@ ms.localizationpriority: medium ms.author: aaroncz manager: dougeby ms.topic: article -ms.collection: m365initiative-coredeploy ms.technology: itpro-updates +ms.date: 12/31/2017 --- # Define update strategy with a calendar diff --git a/windows/deployment/update/plan-determine-app-readiness.md b/windows/deployment/update/plan-determine-app-readiness.md index d2bbbc7d48..8d7abb8429 100644 --- a/windows/deployment/update/plan-determine-app-readiness.md +++ b/windows/deployment/update/plan-determine-app-readiness.md @@ -5,10 +5,10 @@ description: How to test your apps to know which need attention prior to deployi ms.prod: windows-client ms.localizationpriority: medium ms.topic: article -ms.collection: m365initiative-coredeploy ms.author: aaroncz author: aczechowski ms.technology: itpro-updates +ms.date: 12/31/2017 --- # Determine application readiness diff --git a/windows/deployment/update/prepare-deploy-windows.md b/windows/deployment/update/prepare-deploy-windows.md index 6e5fbbe148..e88bc01c45 100644 --- a/windows/deployment/update/prepare-deploy-windows.md +++ b/windows/deployment/update/prepare-deploy-windows.md @@ -8,8 +8,8 @@ ms.author: aaroncz ms.reviewer: manager: dougeby ms.topic: article -ms.collection: m365initiative-coredeploy ms.technology: itpro-updates +ms.date: 12/31/2017 --- # Prepare to deploy Windows diff --git a/windows/deployment/update/quality-updates.md b/windows/deployment/update/quality-updates.md index c7c30db293..2f3003eef4 100644 --- a/windows/deployment/update/quality-updates.md +++ b/windows/deployment/update/quality-updates.md @@ -9,6 +9,7 @@ ms.reviewer: manager: dougeby ms.topic: article ms.technology: itpro-updates +ms.date: 12/31/2017 --- # Monthly quality updates diff --git a/windows/deployment/update/safeguard-holds.md b/windows/deployment/update/safeguard-holds.md index dfe7420469..7287acbcc1 100644 --- a/windows/deployment/update/safeguard-holds.md +++ b/windows/deployment/update/safeguard-holds.md @@ -10,6 +10,7 @@ ms.topic: article ms.technology: itpro-updates ms.collection: - highpri +ms.date: 12/31/2017 --- # Safeguard holds @@ -31,9 +32,9 @@ IT admins managing updates using the [Windows Update for Business deployment ser ## Am I affected by a safeguard hold? -IT admins can use [Update Compliance](update-compliance-monitor.md) to monitor various update health metrics for devices in their organization. Update Compliance provides a [Safeguard Holds report](/windows/deployment/update/update-compliance-safeguard-holds), as well as [queries in the Feature Update Status report](/windows/deployment/update/update-compliance-feature-update-status), to provide you insight into the safeguard holds that are preventing devices from updating or upgrading. +IT admins can use [Windows Update for Business reports](wufb-reports-overview.md) to monitor various update health metrics for devices in their organization. The reports provide a list of [active Safeguard Holds](wufb-reports-workbook.md#bkmk_update-group-feature) to provide you insight into the safeguard holds that are preventing devices from updating or upgrading. -The Update Compliance reports identify safeguard holds by their 8-digit identifiers. For safeguard holds associated with publicly discussed known issues, you can find additional details about the issue on the [Windows release health](/windows/release-health/) dashboard by searching for the safeguard hold ID on the **Known issues** page for the relevant release. +Windows Update for Business reports identifies safeguard holds by their 8-digit identifiers. For safeguard holds associated with publicly discussed known issues, you can find additional details about the issue on the [Windows release health](/windows/release-health/) dashboard by searching for the safeguard hold ID on the **Known issues** page for the relevant release. On devices that use Windows Update (but not Windows Update for Business), the **Windows Update** page in the Settings app displays a message stating that an update is on its way, but not ready for the device. Instead of the option to download and install the update, users will see this message: @@ -48,4 +49,4 @@ We recommend that you do not attempt to manually update until issues have been r > [!CAUTION] > Opting out of a safeguard hold can put devices at risk from known performance issues. We strongly recommend that you complete robust testing to ensure the impact is acceptable before opting out. -With that in mind, IT admins who stay informed with [Update Compliance](update-compliance-feature-update-status.md#safeguard-holds) and the [Windows release health](/windows/release-health/) dashboard can choose to temporarily [opt-out of the protection of all safeguard holds](safeguard-opt-out.md) and allow an update to proceed. We recommend opting out only in an IT environment and for validation purposes. If you do opt out of a hold, this condition is temporary. Once an update is complete, the protection of safeguard holds is reinstated automatically. +With that in mind, IT admins who stay informed with [Windows Update for Business reports](wufb-reports-overview.md) and the [Windows release health](/windows/release-health/) dashboard can choose to temporarily [opt-out of the protection of all safeguard holds](safeguard-opt-out.md) and allow an update to proceed. We recommend opting out only in an IT environment and for validation purposes. If you do opt out of a hold, this condition is temporary. Once an update is complete, the protection of safeguard holds is reinstated automatically. diff --git a/windows/deployment/update/safeguard-opt-out.md b/windows/deployment/update/safeguard-opt-out.md index b8da300767..d5e7feb5f0 100644 --- a/windows/deployment/update/safeguard-opt-out.md +++ b/windows/deployment/update/safeguard-opt-out.md @@ -8,6 +8,7 @@ ms.author: aaroncz manager: dougeby ms.topic: article ms.technology: itpro-updates +ms.date: 12/31/2017 --- # Opt out of safeguard holds diff --git a/windows/deployment/update/servicing-stack-updates.md b/windows/deployment/update/servicing-stack-updates.md index b1549aa4b9..f7d7f2d1b8 100644 --- a/windows/deployment/update/servicing-stack-updates.md +++ b/windows/deployment/update/servicing-stack-updates.md @@ -7,11 +7,11 @@ ms.localizationpriority: high ms.author: aaroncz manager: dougeby ms.collection: - - M365-modern-desktop - highpri ms.topic: article ms.custom: seo-marvel-apr2020 ms.technology: itpro-updates +ms.date: 12/31/2017 --- # Servicing stack updates @@ -21,6 +21,7 @@ ms.technology: itpro-updates - Windows 10 - Windows 11 +- Windows Server ## What is a servicing stack update? Servicing stack updates provide fixes to the servicing stack, the component that installs Windows updates. Additionally, it contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month. @@ -40,7 +41,9 @@ Servicing stack update are released depending on new issues or vulnerabilities. Both Windows client and Windows Server use the cumulative update mechanism, in which many fixes to improve the quality and security of Windows are packaged into a single update. Each cumulative update includes the changes and fixes from all previous updates. -Servicing stack updates must ship separately from the cumulative updates because they modify the component that installs Windows updates. The servicing stack is released separately because the servicing stack itself requires an update. For example, the cumulative update [KB4284880](https://support.microsoft.com/help/4284880/windows-10-update-kb4284880) requires the [May 17, 2018 servicing stack update](https://support.microsoft.com/help/4132216), which includes updates to Windows Update. +Servicing stack updates improve the reliability of the update process to mitigate potential issues while installing the latest quality updates and feature updates. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes. + +Beginning with the February 2021 LCU, Microsoft will publish all future cumulative updates and SSUs for Windows 10, version 2004 and later together as one cumulative monthly update to the normal release category in WSUS. ## Is there any special guidance? @@ -59,3 +62,5 @@ Typically, the improvements are reliability and performance improvements that do ## Simplifying on-premises deployment of servicing stack updates With the Windows Update experience, servicing stack updates and cumulative updates are deployed together to the device. The update stack automatically orchestrates the installation, so both are applied correctly. Starting in February 2021, the cumulative update will include the latest servicing stack updates, to provide a single cumulative update payload to both Windows Server Update Services (WSUS) and Microsoft Catalog. If you use an endpoint management tool backed by WSUS, such as Configuration Manager, you will only have to select and deploy the monthly cumulative update. The latest servicing stack updates will automatically be applied correctly. Release notes and file information for cumulative updates, including those related to the servicing stack, will be in a single KB article. The combined monthly cumulative update will be available on Windows 10, version 2004 and later starting with the 2021 2C release, KB4601382. + + diff --git a/windows/deployment/update/update-baseline.md b/windows/deployment/update/update-baseline.md index a943c5f47b..e860aa2cbb 100644 --- a/windows/deployment/update/update-baseline.md +++ b/windows/deployment/update/update-baseline.md @@ -8,6 +8,7 @@ ms.author: aaroncz manager: dougeby ms.topic: article ms.technology: itpro-updates +ms.date: 12/31/2017 --- # Update Baseline diff --git a/windows/deployment/update/update-compliance-configuration-manual.md b/windows/deployment/update/update-compliance-configuration-manual.md index 14b086ba49..56aabc0f35 100644 --- a/windows/deployment/update/update-compliance-configuration-manual.md +++ b/windows/deployment/update/update-compliance-configuration-manual.md @@ -7,9 +7,9 @@ ms.prod: windows-client author: mestew ms.author: mstewart ms.localizationpriority: medium -ms.collection: M365-analytics ms.topic: article ms.technology: itpro-updates +ms.date: 12/31/2017 --- # Manually Configuring Devices for Update Compliance diff --git a/windows/deployment/update/update-compliance-configuration-mem.md b/windows/deployment/update/update-compliance-configuration-mem.md index c43640a133..2a40c16a2a 100644 --- a/windows/deployment/update/update-compliance-configuration-mem.md +++ b/windows/deployment/update/update-compliance-configuration-mem.md @@ -7,9 +7,9 @@ ms.prod: windows-client author: mestew ms.author: mstewart ms.localizationpriority: medium -ms.collection: M365-analytics ms.topic: article ms.technology: itpro-updates +ms.date: 12/31/2017 --- # Configuring Microsoft Intune devices for Update Compliance diff --git a/windows/deployment/update/update-compliance-configuration-script.md b/windows/deployment/update/update-compliance-configuration-script.md index 5895bd3235..bcae3d1cce 100644 --- a/windows/deployment/update/update-compliance-configuration-script.md +++ b/windows/deployment/update/update-compliance-configuration-script.md @@ -7,7 +7,6 @@ ms.prod: windows-client author: mestew ms.author: mstewart ms.localizationpriority: medium -ms.collection: M365-analytics ms.topic: article ms.date: 06/16/2022 ms.technology: itpro-updates diff --git a/windows/deployment/update/update-compliance-delivery-optimization.md b/windows/deployment/update/update-compliance-delivery-optimization.md index d58e554f1e..d4189f5d1b 100644 --- a/windows/deployment/update/update-compliance-delivery-optimization.md +++ b/windows/deployment/update/update-compliance-delivery-optimization.md @@ -7,10 +7,10 @@ ms.prod: windows-client author: mestew ms.author: mstewart ms.localizationpriority: medium -ms.collection: M365-analytics ms.topic: article ms.custom: seo-marvel-apr2020 ms.technology: itpro-updates +ms.date: 12/31/2017 --- # Delivery Optimization in Update Compliance diff --git a/windows/deployment/update/update-compliance-feature-update-status.md b/windows/deployment/update/update-compliance-feature-update-status.md index 8fdb433a95..6144ffaf3a 100644 --- a/windows/deployment/update/update-compliance-feature-update-status.md +++ b/windows/deployment/update/update-compliance-feature-update-status.md @@ -6,10 +6,10 @@ description: Learn how the Feature Update Status report provides information abo ms.prod: windows-client author: mestew ms.author: mstewart -ms.collection: M365-analytics ms.topic: article ms.custom: seo-marvel-apr2020 ms.technology: itpro-updates +ms.date: 12/31/2017 --- # Feature Update Status diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md index 7adaefb575..1b4b422507 100644 --- a/windows/deployment/update/update-compliance-get-started.md +++ b/windows/deployment/update/update-compliance-get-started.md @@ -7,7 +7,6 @@ author: mestew ms.author: mstewart ms.localizationpriority: medium ms.collection: - - M365-analytics - highpri ms.topic: article ms.date: 05/03/2022 @@ -50,8 +49,11 @@ Before you begin the process to add Update Compliance to your Azure subscription Update Compliance is offered as an Azure Marketplace application that is linked to a new or existing [Azure Log Analytics](/azure/log-analytics/query-language/get-started-analytics-portal) workspace within your Azure subscription. For the following steps, you must have either an Owner or Contributor [Azure role](/azure/role-based-access-control/rbac-and-directory-admin-roles#azure-roles) as a minimum in order to add the solution. -Use the following steps: -1. Go to the [Update Compliance page in the Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/Microsoft.WaaSUpdateInsights?tab=Overview). You might need to sign in to your Azure subscription to access this page. +> [!IMPORTANT] +> Update Compliance is deprecated and no longer accepting any new onboarding requests. The instructions below are listed for verification and troubleshooting purposes only for existing Updates Compliance users. Update Compliance has been replaced by [Windows Update for Business reports](wufb-reports-overview.md) for monitoring compliance of updates. + + +1. Go to the [Update Compliance page in the Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/). The solution was published by Microsoft and named **WaaSUpdateInsights**. 2. Select **Get it now**. 3. Choose an existing or configure a new Log Analytics Workspace, ensuring it is in a **Compatible Log Analytics region** from the following table. Although an Azure subscription is required, you won't be charged for ingestion of Update Compliance data. - [Desktop Analytics](/sccm/desktop-analytics/overview) users should use the same workspace for Update Compliance. diff --git a/windows/deployment/update/update-compliance-monitor.md b/windows/deployment/update/update-compliance-monitor.md index 699a32f76f..4e34f7828b 100644 --- a/windows/deployment/update/update-compliance-monitor.md +++ b/windows/deployment/update/update-compliance-monitor.md @@ -7,10 +7,10 @@ ms.prod: windows-client author: mestew ms.author: mstewart ms.localizationpriority: medium -ms.collection: M365-analytics ms.topic: article ms.custom: seo-marvel-apr2020 ms.technology: itpro-updates +ms.date: 12/31/2017 --- # Monitor Windows Updates with Update Compliance diff --git a/windows/deployment/update/update-compliance-need-attention.md b/windows/deployment/update/update-compliance-need-attention.md index 328e1da5de..7ac31b890b 100644 --- a/windows/deployment/update/update-compliance-need-attention.md +++ b/windows/deployment/update/update-compliance-need-attention.md @@ -4,10 +4,10 @@ manager: aczechowski description: Learn how the Need attention! section provides a breakdown of all Windows 10 device and update issues detected by Update Compliance. author: mestew ms.author: mstewart -ms.collection: M365-analytics ms.topic: article ms.prod: windows-client ms.technology: itpro-updates +ms.date: 12/31/2017 --- # Needs attention! diff --git a/windows/deployment/update/update-compliance-privacy.md b/windows/deployment/update/update-compliance-privacy.md index 9c144da544..068ccd2f9a 100644 --- a/windows/deployment/update/update-compliance-privacy.md +++ b/windows/deployment/update/update-compliance-privacy.md @@ -6,9 +6,9 @@ description: an overview of the Feature Update Status report ms.prod: windows-client author: mestew ms.author: mstewart -ms.collection: M365-analytics ms.topic: article ms.technology: itpro-updates +ms.date: 12/31/2017 --- # Privacy in Update Compliance diff --git a/windows/deployment/update/update-compliance-safeguard-holds.md b/windows/deployment/update/update-compliance-safeguard-holds.md index 09af30da57..9974fa5753 100644 --- a/windows/deployment/update/update-compliance-safeguard-holds.md +++ b/windows/deployment/update/update-compliance-safeguard-holds.md @@ -6,10 +6,10 @@ description: Learn how the Safeguard Holds report provides information about saf ms.prod: windows-client author: mestew ms.author: mstewart -ms.collection: M365-analytics ms.topic: article ms.custom: seo-marvel-apr2020 ms.technology: itpro-updates +ms.date: 12/31/2017 --- # Safeguard Holds diff --git a/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md b/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md index 71b6715fcc..62ba2be862 100644 --- a/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md +++ b/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md @@ -6,9 +6,9 @@ description: WaaSDeploymentStatus schema ms.prod: windows-client author: mestew ms.author: mstewart -ms.collection: M365-analytics ms.topic: article ms.technology: itpro-updates +ms.date: 12/31/2017 --- # WaaSDeploymentStatus diff --git a/windows/deployment/update/update-compliance-schema-waasinsiderstatus.md b/windows/deployment/update/update-compliance-schema-waasinsiderstatus.md index 645fc9d551..b159c82ad4 100644 --- a/windows/deployment/update/update-compliance-schema-waasinsiderstatus.md +++ b/windows/deployment/update/update-compliance-schema-waasinsiderstatus.md @@ -6,9 +6,9 @@ description: WaaSInsiderStatus schema ms.prod: windows-client author: mestew ms.author: mstewart -ms.collection: M365-analytics ms.topic: article ms.technology: itpro-updates +ms.date: 12/31/2017 --- # WaaSInsiderStatus diff --git a/windows/deployment/update/update-compliance-schema-waasupdatestatus.md b/windows/deployment/update/update-compliance-schema-waasupdatestatus.md index e6a798932f..762486f62f 100644 --- a/windows/deployment/update/update-compliance-schema-waasupdatestatus.md +++ b/windows/deployment/update/update-compliance-schema-waasupdatestatus.md @@ -6,9 +6,9 @@ description: WaaSUpdateStatus schema ms.prod: windows-client author: mestew ms.author: mstewart -ms.collection: M365-analytics ms.topic: article ms.technology: itpro-updates +ms.date: 12/31/2017 --- # WaaSUpdateStatus diff --git a/windows/deployment/update/update-compliance-schema-wudoaggregatedstatus.md b/windows/deployment/update/update-compliance-schema-wudoaggregatedstatus.md index 95e7fa7f84..066c38fee1 100644 --- a/windows/deployment/update/update-compliance-schema-wudoaggregatedstatus.md +++ b/windows/deployment/update/update-compliance-schema-wudoaggregatedstatus.md @@ -6,9 +6,9 @@ description: WUDOAggregatedStatus schema ms.prod: windows-client author: mestew ms.author: mstewart -ms.collection: M365-analytics ms.topic: article ms.technology: itpro-updates +ms.date: 12/31/2017 --- # WUDOAggregatedStatus diff --git a/windows/deployment/update/update-compliance-schema-wudostatus.md b/windows/deployment/update/update-compliance-schema-wudostatus.md index 5e944ba263..769508bbff 100644 --- a/windows/deployment/update/update-compliance-schema-wudostatus.md +++ b/windows/deployment/update/update-compliance-schema-wudostatus.md @@ -6,9 +6,9 @@ description: WUDOStatus schema ms.prod: windows-client author: mestew ms.author: mstewart -ms.collection: M365-analytics ms.topic: article ms.technology: itpro-updates +ms.date: 12/31/2017 --- # WUDOStatus diff --git a/windows/deployment/update/update-compliance-schema.md b/windows/deployment/update/update-compliance-schema.md index af79627add..9f3340f361 100644 --- a/windows/deployment/update/update-compliance-schema.md +++ b/windows/deployment/update/update-compliance-schema.md @@ -6,9 +6,9 @@ description: an overview of Update Compliance data schema ms.prod: windows-client author: mestew ms.author: mstewart -ms.collection: M365-analytics ms.topic: article ms.technology: itpro-updates +ms.date: 12/31/2017 --- # Update Compliance Schema diff --git a/windows/deployment/update/update-compliance-security-update-status.md b/windows/deployment/update/update-compliance-security-update-status.md index 308992e24d..e20fd18105 100644 --- a/windows/deployment/update/update-compliance-security-update-status.md +++ b/windows/deployment/update/update-compliance-security-update-status.md @@ -6,10 +6,10 @@ description: Learn how the Security Update Status section provides information a ms.prod: windows-client author: mestew ms.author: mstewart -ms.collection: M365-analytics ms.topic: article ms.custom: seo-marvel-apr2020 ms.technology: itpro-updates +ms.date: 12/31/2017 --- # Security Update Status diff --git a/windows/deployment/update/update-compliance-using.md b/windows/deployment/update/update-compliance-using.md index 89d56d1c49..6dbb018e21 100644 --- a/windows/deployment/update/update-compliance-using.md +++ b/windows/deployment/update/update-compliance-using.md @@ -7,10 +7,10 @@ ms.prod: windows-client author: mestew ms.author: mstewart ms.localizationpriority: medium -ms.collection: M365-analytics ms.topic: article ms.custom: seo-marvel-apr2020 ms.technology: itpro-updates +ms.date: 12/31/2017 --- # Use Update Compliance diff --git a/windows/deployment/update/update-policies.md b/windows/deployment/update/update-policies.md index fd4fdeacb6..7b93908dff 100644 --- a/windows/deployment/update/update-policies.md +++ b/windows/deployment/update/update-policies.md @@ -8,8 +8,8 @@ ms.author: aaroncz manager: dougeby ms.localizationpriority: medium ms.topic: article -ms.collection: M365-modern-desktop ms.technology: itpro-updates +ms.date: 12/31/2017 --- # Policies for update compliance, activity, and user experience diff --git a/windows/deployment/update/waas-branchcache.md b/windows/deployment/update/waas-branchcache.md index 9ab24e12bd..a0ce1d97fe 100644 --- a/windows/deployment/update/waas-branchcache.md +++ b/windows/deployment/update/waas-branchcache.md @@ -10,6 +10,7 @@ manager: dougeby ms.topic: article ms.custom: seo-marvel-apr2020 ms.technology: itpro-updates +ms.date: 12/31/2017 --- # Configure BranchCache for Windows client updates diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md index 0565315cf2..0dec620c52 100644 --- a/windows/deployment/update/waas-configure-wufb.md +++ b/windows/deployment/update/waas-configure-wufb.md @@ -3,13 +3,12 @@ title: Configure Windows Update for Business manager: dougeby description: You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. ms.prod: windows-client -ms.collection: - - m365initiative-coredeploy author: aczechowski ms.localizationpriority: medium ms.author: aaroncz ms.topic: article ms.technology: itpro-updates +ms.date: 12/31/2017 --- # Configure Windows Update for Business diff --git a/windows/deployment/update/waas-integrate-wufb.md b/windows/deployment/update/waas-integrate-wufb.md index 1018e89ac2..2cfbaa9a5d 100644 --- a/windows/deployment/update/waas-integrate-wufb.md +++ b/windows/deployment/update/waas-integrate-wufb.md @@ -5,10 +5,10 @@ ms.prod: windows-client author: aczechowski ms.localizationpriority: medium ms.author: aaroncz -ms.collection: m365initiative-coredeploy manager: dougeby ms.topic: article ms.technology: itpro-updates +ms.date: 12/31/2017 --- # Integrate Windows Update for Business with management solutions diff --git a/windows/deployment/update/waas-manage-updates-wsus.md b/windows/deployment/update/waas-manage-updates-wsus.md index 3fbea85a1b..504427dbce 100644 --- a/windows/deployment/update/waas-manage-updates-wsus.md +++ b/windows/deployment/update/waas-manage-updates-wsus.md @@ -9,6 +9,7 @@ manager: dougeby ms.topic: article ms.collection: highpri ms.technology: itpro-updates +ms.date: 12/31/2017 --- # Deploy Windows client updates using Windows Server Update Services (WSUS) diff --git a/windows/deployment/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md index 2737ca60d1..9adb25acae 100644 --- a/windows/deployment/update/waas-manage-updates-wufb.md +++ b/windows/deployment/update/waas-manage-updates-wufb.md @@ -10,6 +10,7 @@ ms.topic: article ms.custom: seo-marvel-apr2020 ms.collection: highpri ms.technology: itpro-updates +ms.date: 12/31/2017 --- # What is Windows Update for Business? @@ -48,7 +49,7 @@ Windows Update for Business enables an IT administrator to receive and manage a Windows Update for Business provides management policies for several types of updates to Windows 10 devices: - **Feature updates:** Previously referred to as "upgrades," feature updates contain not only security and quality revisions, but also significant feature additions and changes. Feature updates are released as soon as they become available. -- **Quality updates:** Quality updates are traditional operating system updates, typically released on the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates. Windows Update for Business also treats non-Windows updates (such as updates for Microsoft Office or Visual Studio) as quality updates. These non-Windows Updates are known as "Microsoft updates" and you can set devices to receive such updates (or not) along with their Windows updates. +- **Quality updates:** Quality updates are traditional operating system updates, typically released on the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates. - **Driver updates:** Updates for non-Microsoft drivers that are relevant to your devices. Driver updates are on by default, but you can use Windows Update for Business policies to turn them off if you prefer. - **Microsoft product updates**: Updates for other Microsoft products, such as versions of Office that are installed by using Windows Installer (MSI). Versions of Office that are installed by using Click-to-Run can't be updated by using Windows Update for Business. Product updates are off by default. You can turn them on by using Windows Update for Business policies. diff --git a/windows/deployment/update/waas-morenews.md b/windows/deployment/update/waas-morenews.md index f9e1a3a00d..caa224c51d 100644 --- a/windows/deployment/update/waas-morenews.md +++ b/windows/deployment/update/waas-morenews.md @@ -10,6 +10,7 @@ ms.reviewer: manager: dougeby ms.localizationpriority: high ms.technology: itpro-updates +ms.date: 12/31/2017 --- # Windows as a service - More news diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md index f2ed2acdde..a254a031ee 100644 --- a/windows/deployment/update/waas-overview.md +++ b/windows/deployment/update/waas-overview.md @@ -9,6 +9,7 @@ manager: dougeby ms.topic: article ms.collection: highpri ms.technology: itpro-updates +ms.date: 12/31/2017 --- # Overview of Windows as a service diff --git a/windows/deployment/update/waas-quick-start.md b/windows/deployment/update/waas-quick-start.md index baa37b5307..73aa593ccf 100644 --- a/windows/deployment/update/waas-quick-start.md +++ b/windows/deployment/update/waas-quick-start.md @@ -8,6 +8,7 @@ ms.author: aaroncz manager: dougeby ms.topic: article ms.technology: itpro-updates +ms.date: 12/31/2017 --- # Quick guide to Windows as a service diff --git a/windows/deployment/update/waas-restart.md b/windows/deployment/update/waas-restart.md index 41ea13a0b3..83911247af 100644 --- a/windows/deployment/update/waas-restart.md +++ b/windows/deployment/update/waas-restart.md @@ -12,6 +12,7 @@ ms.custom: ms.collection: highpri date: 09/22/2022 ms.technology: itpro-updates +ms.date: 12/31/2017 --- # Manage device restarts after updates diff --git a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md index c5bc2f6f23..150ffc53ab 100644 --- a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md +++ b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md @@ -11,6 +11,7 @@ ms.topic: article ms.custom: - seo-marvel-apr2020 ms.technology: itpro-updates +ms.date: 12/31/2017 --- # Assign devices to servicing channels for Windows 10 updates diff --git a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md index b5be3068c1..08636638a2 100644 --- a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md +++ b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md @@ -8,8 +8,8 @@ ms.author: aaroncz ms.reviewer: manager: dougeby ms.topic: article -ms.collection: m365initiative-coredeploy ms.technology: itpro-updates +ms.date: 12/31/2017 --- # Prepare a servicing strategy for Windows client updates diff --git a/windows/deployment/update/waas-wu-settings.md b/windows/deployment/update/waas-wu-settings.md index 35f4f7a60a..6bcdbc9cde 100644 --- a/windows/deployment/update/waas-wu-settings.md +++ b/windows/deployment/update/waas-wu-settings.md @@ -10,6 +10,7 @@ ms.topic: article ms.collection: highpri date: 09/22/2022 ms.technology: itpro-updates +ms.date: 01/06/2023 --- # Manage additional Windows Update settings @@ -155,7 +156,7 @@ Enables the IT admin to manage automatic update behavior to scan, download, and #### Configuring Automatic Updates by using Group Policy -Under **Computer Configuration\Administrative Templates\Windows Components\Windows update\Configure Automatic Updates**, you must select one of the four options: +Under **Computer Configuration\Administrative Templates\Windows Components\Windows update\Configure Automatic Updates**, you must select one of the following options: **2 - Notify for download and auto install** - When Windows finds updates that apply to this device, users will be notified that updates are ready to be downloaded. After going to **Settings > Update & security > Windows Update**, users can download and install any available updates. @@ -163,11 +164,13 @@ Under **Computer Configuration\Administrative Templates\Windows Components\Windo **4 - Auto download and schedule the install** - Specify the schedule using the options in the Group Policy Setting. For more information about this setting, see [Schedule update installation](waas-restart.md#schedule-update-installation). -**5 - Allow local admin to choose setting** - With this option, local administrators will be allowed to use the settings app to select a configuration option of their choice. Local administrators will not be allowed to disable the configuration for Automatic Updates. +**5 - Allow local admin to choose setting** - With this option, local administrators will be allowed to use the settings app to select a configuration option of their choice. Local administrators will not be allowed to disable the configuration for Automatic Updates. This option is not available in any Windows 10 or later versions. -If this setting is set to *Disabled*, any updates that are available on Windows Update must be downloaded and installed manually. To do this, users must go to **Settings > Update & security > Windows Update**. +**7 - Notify for install and notify for restart** (Windows Server 2016 and later only) - With this option, when Windows finds updates that apply to this device, they will be downloaded, then users will be notified that updates are ready to be installed. Once updates are installed, a notification will be displayed to users to restart the device. -If this setting is set to *Not Configured*, an administrator can still configure Automatic Updates through the settings app, under **Settings > Update & security > Windows Update > Advanced options**. +If this setting is set to **Disabled**, any updates that are available on Windows Update must be downloaded and installed manually. To do this, users must go to **Settings > Update & security > Windows Update**. + +If this setting is set to **Not Configured**, an administrator can still configure Automatic Updates through the settings app, under **Settings > Update & security > Windows Update > Advanced options**. #### Configuring Automatic Updates by editing the registry @@ -204,6 +207,10 @@ To do this, follow these steps: * **4**: Automatically download and scheduled installation. + * **5**: Allow local admin to select the configuration mode. This option is not available for Windows 10 or later versions. + + * **7**: Notify for install and notify for restart. (Windows Server 2016 and later only) + * ScheduledInstallDay (REG_DWORD): * **0**: Every day. diff --git a/windows/deployment/update/waas-wufb-csp-mdm.md b/windows/deployment/update/waas-wufb-csp-mdm.md index 5841a5e312..fb55c40664 100644 --- a/windows/deployment/update/waas-wufb-csp-mdm.md +++ b/windows/deployment/update/waas-wufb-csp-mdm.md @@ -9,6 +9,7 @@ ms.reviewer: manager: dougeby ms.topic: article ms.technology: itpro-updates +ms.date: 12/31/2017 --- # Walkthrough: Use CSPs and MDMs to configure Windows Update for Business diff --git a/windows/deployment/update/waas-wufb-group-policy.md b/windows/deployment/update/waas-wufb-group-policy.md index a3167e3d42..fc123bcbb6 100644 --- a/windows/deployment/update/waas-wufb-group-policy.md +++ b/windows/deployment/update/waas-wufb-group-policy.md @@ -6,11 +6,11 @@ author: aczechowski ms.localizationpriority: medium ms.author: aaroncz ms.collection: - - m365initiative-coredeploy - highpri manager: dougeby ms.topic: article ms.technology: itpro-updates +ms.date: 12/31/2017 --- # Walkthrough: Use Group Policy to configure Windows Update for Business diff --git a/windows/deployment/update/windows-as-a-service.md b/windows/deployment/update/windows-as-a-service.md index f77d24dd02..4781231061 100644 --- a/windows/deployment/update/windows-as-a-service.md +++ b/windows/deployment/update/windows-as-a-service.md @@ -9,8 +9,8 @@ description: Discover the latest news articles, videos, and podcasts about Windo ms.reviewer: manager: dougeby ms.localizationpriority: high -ms.collection: M365-modern-desktop ms.technology: itpro-updates +ms.date: 12/31/2017 --- # Windows as a service diff --git a/windows/deployment/update/windows-update-logs.md b/windows/deployment/update/windows-update-logs.md index b6b6d5fe17..c2bc7fce94 100644 --- a/windows/deployment/update/windows-update-logs.md +++ b/windows/deployment/update/windows-update-logs.md @@ -9,6 +9,7 @@ ms.topic: article ms.custom: seo-marvel-apr2020 ms.collection: highpri ms.technology: itpro-updates +ms.date: 12/31/2017 --- # Windows Update log files diff --git a/windows/deployment/update/windows-update-security.md b/windows/deployment/update/windows-update-security.md index 333be3151a..0ad5f772c7 100644 --- a/windows/deployment/update/windows-update-security.md +++ b/windows/deployment/update/windows-update-security.md @@ -6,7 +6,6 @@ description: Overview of the security for Windows Update. ms.prod: windows-client author: mestew ms.author: mstewart -ms.collection: M365-analytics ms.topic: article ms.date: 10/25/2022 ms.technology: itpro-updates diff --git a/windows/deployment/update/wufb-compliancedeadlines.md b/windows/deployment/update/wufb-compliancedeadlines.md index 1d5e88dec2..05d34805c3 100644 --- a/windows/deployment/update/wufb-compliancedeadlines.md +++ b/windows/deployment/update/wufb-compliancedeadlines.md @@ -10,6 +10,7 @@ ms.reviewer: manager: dougeby ms.topic: article ms.technology: itpro-updates +ms.date: 12/31/2017 --- # Enforcing compliance deadlines for updates diff --git a/windows/deployment/update/wufb-reports-admin-center.md b/windows/deployment/update/wufb-reports-admin-center.md index e8b2322c33..a59cc0511f 100644 --- a/windows/deployment/update/wufb-reports-admin-center.md +++ b/windows/deployment/update/wufb-reports-admin-center.md @@ -6,10 +6,8 @@ ms.prod: windows-client author: mestew ms.author: mstewart ms.localizationpriority: medium -ms.collection: - - M365-analytics ms.topic: article -ms.date: 06/20/2022 +ms.date: 11/15/2022 ms.technology: itpro-updates --- diff --git a/windows/deployment/update/wufb-reports-configuration-intune.md b/windows/deployment/update/wufb-reports-configuration-intune.md index 571998d9b1..5f07d75c3e 100644 --- a/windows/deployment/update/wufb-reports-configuration-intune.md +++ b/windows/deployment/update/wufb-reports-configuration-intune.md @@ -7,13 +7,12 @@ ms.prod: windows-client author: mestew ms.author: mstewart ms.localizationpriority: medium -ms.collection: M365-analytics ms.topic: article -ms.date: 08/24/2022 +ms.date: 12/22/2022 ms.technology: itpro-updates --- -# Configuring Microsoft Intune devices for Windows Update for Business reports (preview) +# Configuring Microsoft Intune devices for Windows Update for Business reports ***(Applies to: Windows 11 & Windows 10 managed by [Microsoft Intune](/mem/intune/fundamentals/what-is-intune)*** @@ -28,7 +27,7 @@ This article is targeted at configuring devices enrolled to [Microsoft Intune](/ ## Create a configuration profile -Create a configuration profile that will set the required policies for Windows Update for Business reports. There are two profile types that can be used to create a configuration profile for Windows Update for Business reports: +Create a configuration profile that will set the required policies for Windows Update for Business reports. There are two profile types that can be used to create a configuration profile for Windows Update for Business reports (select one): - The [settings catalog](#settings-catalog) - [Template](#custom-oma-uri-based-profile) for a custom OMA URI-based profile @@ -46,9 +45,12 @@ Create a configuration profile that will set the required policies for Windows U - **Value**: Basic (*Basic is the minimum value, but it can be safely set to a higher value*) - **Setting**: Allow Update Compliance Processing - **Value**: Enabled + 1. Recommended settings, but not required: + - **Setting**: Configure Telemetry Opt In Settings Ux + - **Value**: Disabled (*By turning this setting on you are disabling the ability for a user to potentially override the diagnostic data level of devices such that data won't be available for those devices in Windows Update for Business reports*) - **Setting**: Configure Telemetry Opt In Change Notification - 1. (*Recommended, but not required*) Allow device name to be sent in Windows Diagnostic Data. If this policy is disabled, the device name won't be sent and won't be visible in Windows Update for Business reports: - - **Setting**: Allow device name to be sent in Windows diagnostic data + - **Value**: Disabled (*By turning this setting on you are disabling notifications of diagnostic data changes*) + - **Setting**: Allow device name to be sent in Windows diagnostic data (*If this policy is disabled, the device name won't be sent and won't be visible in Windows Update for Business reports*) - **Value**: Allowed 1. Continue through the next set of tabs **Scope tags**, **Assignments**, and **Applicability Rules** to assign the configuration profile to devices you wish to enroll. @@ -102,8 +104,12 @@ Create a configuration profile that will set the required policies for Windows U The [Windows Update for Business reports Configuration Script](wufb-reports-configuration-script.md) is a useful tool for properly enrolling devices in Windows Update for Business reports, though it isn't strictly necessary. It checks to ensure that devices have the required services running and checks connectivity to the endpoints detailed in the section on [Manually configuring devices for Windows Update for Business reports](wufb-reports-configuration-manual.md). You can deploy the script as a Win32 app. For more information, see [Win32 app management in Microsoft Intune](/mem/intune/apps/apps-win32-app-management). +> [!NOTE] +> Using the script is optional when configuring devices through Intune. The script can be leveraged as a troubleshooting tool to ensure that devices are properly configured for Windows Update for Business reports. + When you deploy the configuration script as a Win32 app, you won't be able to retrieve the results of logs on the device without having access to the device, or saving results of the logs to a shared filesystem. We recommend deploying the script in pilot mode to a subset of devices that you can access. After following this guidance, you can deploy the configuration script in deployment mode as a Win32 app to all Windows Update for Business reports devices. + ## Next steps [Use Windows Update for Business reports](wufb-reports-use.md) diff --git a/windows/deployment/update/wufb-reports-configuration-manual.md b/windows/deployment/update/wufb-reports-configuration-manual.md index 7ce5722f77..d2e5f13df1 100644 --- a/windows/deployment/update/wufb-reports-configuration-manual.md +++ b/windows/deployment/update/wufb-reports-configuration-manual.md @@ -7,13 +7,12 @@ ms.prod: windows-client author: mestew ms.author: mstewart ms.localizationpriority: medium -ms.collection: M365-analytics ms.topic: article -ms.date: 06/06/2022 +ms.date: 11/15/2022 ms.technology: itpro-updates --- -# Manually configuring devices for Windows Update for Business reports (preview) +# Manually configuring devices for Windows Update for Business reports ***(Applies to: Windows 11 & Windows 10)*** diff --git a/windows/deployment/update/wufb-reports-configuration-script.md b/windows/deployment/update/wufb-reports-configuration-script.md index 56d4ccd30d..c3213f8a7d 100644 --- a/windows/deployment/update/wufb-reports-configuration-script.md +++ b/windows/deployment/update/wufb-reports-configuration-script.md @@ -7,13 +7,12 @@ ms.prod: windows-client author: mestew ms.author: mstewart ms.localizationpriority: medium -ms.collection: M365-analytics ms.topic: article -ms.date: 06/16/2022 +ms.date: 11/15/2022 ms.technology: itpro-updates --- -# Configuring devices through the Windows Update for Business reports (preview) configuration script +# Configuring devices through the Windows Update for Business reports configuration script ***(Applies to: Windows 11 & Windows 10)*** diff --git a/windows/deployment/update/wufb-reports-enable.md b/windows/deployment/update/wufb-reports-enable.md index 6f1acf7aea..7550754b01 100644 --- a/windows/deployment/update/wufb-reports-enable.md +++ b/windows/deployment/update/wufb-reports-enable.md @@ -6,13 +6,12 @@ description: How to enable Windows Update for Business reports through the Azure ms.prod: windows-client author: mestew ms.author: mstewart -ms.collection: M365-analytics ms.topic: article -ms.date: 06/06/2022 +ms.date: 11/15/2022 ms.technology: itpro-updates --- -# Enable Windows Update for Business reports (preview) +# Enable Windows Update for Business reports ***(Applies to: Windows 11 & Windows 10)*** diff --git a/windows/deployment/update/wufb-reports-help.md b/windows/deployment/update/wufb-reports-help.md index 719cb3b0e4..982e826da1 100644 --- a/windows/deployment/update/wufb-reports-help.md +++ b/windows/deployment/update/wufb-reports-help.md @@ -6,13 +6,12 @@ description: Windows Update for Business reports support information. ms.prod: windows-client author: mestew ms.author: mstewart -ms.collection: M365-analytics ms.topic: article -ms.date: 08/10/2022 +ms.date: 11/15/2022 ms.technology: itpro-updates --- -# Windows Update for Business reports (preview) feedback, support, and troubleshooting +# Windows Update for Business reports feedback, support, and troubleshooting ***(Applies to: Windows 11 & Windows 10)*** @@ -51,9 +50,9 @@ You can open support requests directly from the Azure portal. If the **Help + S - **Issue type** - ***Technical*** - **Subscription** - Select the subscription used for Windows Update for Business reports - **Service** - ***My services*** - - **Service type** - ***Log Analytics*** - - **Problem type** - ***Solutions or Insights*** - - **Problem subtype** - ***Update Compliance*** + - **Service type** - Select ***Windows Update for Business reports*** under ***Monitoring and Management*** + + 1. Based on the information you provided, you'll be shown some **Recommended solutions** you can use to try to resolve the problem. 1. Complete the **Additional details** tab and then create the request on the **Review + create** tab. diff --git a/windows/deployment/update/wufb-reports-overview.md b/windows/deployment/update/wufb-reports-overview.md index 960d5ade58..6653c0c587 100644 --- a/windows/deployment/update/wufb-reports-overview.md +++ b/windows/deployment/update/wufb-reports-overview.md @@ -6,13 +6,12 @@ description: Overview of Windows Update for Business reports to explain what it' ms.prod: windows-client author: mestew ms.author: mstewart -ms.collection: M365-analytics ms.topic: article -ms.date: 08/09/2022 +ms.date: 11/15/2022 ms.technology: itpro-updates --- -# Windows Update for Business reports (preview) overview +# Windows Update for Business reports overview ***(Applies to: Windows 11 & Windows 10)*** @@ -40,10 +39,11 @@ Currently, Windows Update for Business reports contains the following features: - UCClientReadinessStatus - UCClientUpdateStatus - UCDeviceAlert + - UCDOAggregatedStatus + - UCDOStatus - UCServiceUpdateStatus - UCUpdateAlert - - UCDOStatus - - UCDOAggregatedStatus + - Client data collection to populate the Windows Update for Business reports tables :::image type="content" source="media/wufb-reports-query-table.png" alt-text="Screenshot of using a custom Kusto (KQL) query on Windows Update for Business reports data in Log Analytics." lightbox="media/wufb-reports-query-table.png"::: diff --git a/windows/deployment/update/wufb-reports-prerequisites.md b/windows/deployment/update/wufb-reports-prerequisites.md index 06347a1910..9159f0c74d 100644 --- a/windows/deployment/update/wufb-reports-prerequisites.md +++ b/windows/deployment/update/wufb-reports-prerequisites.md @@ -6,13 +6,12 @@ description: Prerequisites for Windows Update for Business reports ms.prod: windows-client author: mestew ms.author: mstewart -ms.collection: M365-analytics ms.topic: article -ms.date: 06/30/2022 +ms.date: 11/15/2022 ms.technology: itpro-updates --- -# Windows Update for Business reports (preview) prerequisites +# Windows Update for Business reports prerequisites ***(Applies to: Windows 11 & Windows 10)*** diff --git a/windows/deployment/update/wufb-reports-schema-ucclient.md b/windows/deployment/update/wufb-reports-schema-ucclient.md index 4b3720677c..b3606b35cc 100644 --- a/windows/deployment/update/wufb-reports-schema-ucclient.md +++ b/windows/deployment/update/wufb-reports-schema-ucclient.md @@ -6,7 +6,6 @@ description: UCClient schema ms.prod: windows-client author: mestew ms.author: mstewart -ms.collection: M365-analytics ms.topic: reference ms.date: 06/06/2022 ms.technology: itpro-updates diff --git a/windows/deployment/update/wufb-reports-schema-ucclientreadinessstatus.md b/windows/deployment/update/wufb-reports-schema-ucclientreadinessstatus.md index d625c2745e..3505563197 100644 --- a/windows/deployment/update/wufb-reports-schema-ucclientreadinessstatus.md +++ b/windows/deployment/update/wufb-reports-schema-ucclientreadinessstatus.md @@ -6,7 +6,6 @@ description: UCClientReadinessStatus schema ms.prod: windows-client author: mestew ms.author: mstewart -ms.collection: M365-analytics ms.topic: reference ms.date: 06/06/2022 ms.technology: itpro-updates diff --git a/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md b/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md index 534dabde67..826add8c73 100644 --- a/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md +++ b/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md @@ -6,7 +6,6 @@ description: UCClientUpdateStatus schema ms.prod: windows-client author: mestew ms.author: mstewart -ms.collection: M365-analytics ms.topic: reference ms.date: 06/06/2022 ms.technology: itpro-updates diff --git a/windows/deployment/update/wufb-reports-schema-ucdevicealert.md b/windows/deployment/update/wufb-reports-schema-ucdevicealert.md index 9c737aa85d..79f1a9ec5b 100644 --- a/windows/deployment/update/wufb-reports-schema-ucdevicealert.md +++ b/windows/deployment/update/wufb-reports-schema-ucdevicealert.md @@ -6,7 +6,6 @@ description: UCDeviceAlert schema ms.prod: windows-client author: mestew ms.author: mstewart -ms.collection: M365-analytics ms.topic: reference ms.date: 06/06/2022 ms.technology: itpro-updates diff --git a/windows/deployment/update/wufb-reports-schema-ucdoaggregatedstatus.md b/windows/deployment/update/wufb-reports-schema-ucdoaggregatedstatus.md new file mode 100644 index 0000000000..796bbb75e2 --- /dev/null +++ b/windows/deployment/update/wufb-reports-schema-ucdoaggregatedstatus.md @@ -0,0 +1,34 @@ +--- +title: Windows Update for Business reports Data Schema - UCDOAggregatedStatus +ms.reviewer: +manager: naengler +description: UCDOAggregatedStatus schema +ms.prod: windows-client +author: cmknox +ms.author: carmenf +ms.topic: reference +ms.date: 11/17/2022 +ms.technology: itpro-updates +--- + +# UCDOAggregatedStatus + +***(Applies to: Windows 11 & Windows 10)*** + +UCDOAggregatedStatus is an aggregation of all individual UDDOStatus records across the tenant and summarizes bandwidth savings across all devices enrolled using [Delivery Optimization and Microsoft Connected Cache](/windows/deployment/do). + +|Field |Type |Example |Description | +|---|---|---|---| +| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Azure AD Device ID | +| **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Azure AD Tenant ID | +| **BWOptPercent28Days** | [real](/azure/kusto/query/scalar-data-types/real) | `10.61` | Bandwidth optimization (as a percentage of savings of total bandwidth otherwise incurred) for this device. A rolling 28-day basis.| +| **BytesFromCache** | [long](/azure/kusto/query/scalar-data-types/long) | `285212672` | Total number of bytes that were delivered from Microsoft Connected Cache (MCC). | +| **BytesFromCDN** | [long](/azure/kusto/query/scalar-data-types/long) | `11463008693388` | Total number of bytes that were delivered from a Content Delivery Network (CDN). | +| **BytesFromGroupPeers** | [long](/azure/kusto/query/scalar-data-types/long) | `30830657175` | Total number of bytes that were delivered from Group peers, sharing the same GroupId. | +| **BytesFromIntPeers** | [long](/azure/kusto/query/scalar-data-types/long) | `285212672` | Total number of bytes that were delivered from Internet peers. | +| **BytesFromPeers** | [long](/azure/kusto/query/scalar-data-types/long) | `285212672` | Total number of bytes delivered via all peers. | +| **ContentType** | [string](/azure/kusto/query/scalar-data-types/string) | `Driver Updates` | One of the supported types of content. | +| **DeviceCount** | [long](/azure/kusto/query/scalar-data-types/long) | `27077` | Number of devices. | +| **TenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `6yy5y416-2d35-3yyf-ab5f-aea713e489d2` | Tenant ID | +| **TimeGenerated** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2022-11-17T22:11:40.1132971Z` | The time the snapshot generated this specific record. This is to determine to which batch snapshot this record belongs. | +| **Type** | [string](/azure/kusto/query/scalar-data-types/string) | `UCDOAggregatedStatus` | The entity type. | diff --git a/windows/deployment/update/wufb-reports-schema-ucdostatus.md b/windows/deployment/update/wufb-reports-schema-ucdostatus.md new file mode 100644 index 0000000000..9eadfa7eb6 --- /dev/null +++ b/windows/deployment/update/wufb-reports-schema-ucdostatus.md @@ -0,0 +1,54 @@ +--- +title: Windows Update for Business reports Data Schema - UCDOStatus +ms.reviewer: +manager: naengler +description: UCDOStatus schema +ms.prod: windows-client +author: cmknox +ms.author: carmenf +ms.topic: reference +ms.date: 11/17/2022 +ms.technology: itpro-updates +--- + +# UCDOStatus + +***(Applies to: Windows 11 & Windows 10)*** + +UCDOStatus provides information, for a single device, on its bandwidth utilization across content types in the event they use [Delivery Optimization and Microsoft Connected Cache](/windows/deployment/do). + +|Field |Type |Example |Description | +|---|---|---|---| +| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Azure AD Device ID | +| **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Azure AD Tenant ID | +| **BWOptPercent28Days** | [real](/azure/kusto/query/scalar-data-types/real) | `10.61` | Bandwidth optimization (as a percentage of savings of total bandwidth otherwise incurred) for this device. A rolling 28-day basis.| +| **BWOptPercent7Days** | [real](/azure/kusto/query/scalar-data-types/real) | `10.61` | Bandwidth optimization (as a percentage of savings of total bandwidth otherwise incurred) for this device. A rolling 7-day basis.| +| **BytesFromCache** | [long](/azure/kusto/query/scalar-data-types/long) | `285212672` | Total number of bytes that were delivered from Microsoft Connected Cache (MCC). | +| **BytesFromCDN** | [long](/azure/kusto/query/scalar-data-types/long) | `11463008693388` | Total number of bytes that were delivered from a Content Delivery Network (CDN). | +| **BytesFromGroupPeers** | [long](/azure/kusto/query/scalar-data-types/long) | `30830657175` | Total number of bytes that were delivered from Group peers, sharing the same GroupId. | +| **BytesFromIntPeers** | [long](/azure/kusto/query/scalar-data-types/long) | `285212672` | Total number of bytes that were delivered from Internet peers. | +| **BytesFromPeers** | [long](/azure/kusto/query/scalar-data-types/long) | `285212672` | Total number of bytes delivered via all peers. | +| **City** | [string](/azure/kusto/query/scalar-data-types/string) | `Redmond` | Approximate city where device was located while downloading content, based on IP address. | +| **ContentDownloadMode** | [int](/azure/kusto/query/scalar-data-types/int) | `1` | Device's Delivery Optimization Download Mode used to download content. | +| **ContentType** | [string](/azure/kusto/query/scalar-data-types/string) | `Driver Updates` | One of the supported types of content. | +| **Country** | [string](/azure/kusto/query/scalar-data-types/string) | `US` | Approximate country where device was located while downloading content, based on IP address. | +| **DeviceName** | [string](/azure/kusto/query/scalar-data-types/string) | `DESKTOP-DO` | User or organization provided device name. If the value appears as '#', configure the device to send device name. | +| **DOStatusDescription** | [string](/azure/kusto/query/scalar-data-types/string) | `Downloading` | A short description of Delivery Optimization status, if any. | +| **DownloadMode** | [string](/azure/kusto/query/scalar-data-types/string) | `LAN (1)` | Delivery Optimization Download Mode configured on the device. | +| **DownloadModeSrc** | [string](/azure/kusto/query/scalar-data-types/string) | `MDM` | The source of the Download Mode configuration. | +| **GlobalDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `g:9832741921341` | Microsoft global device identifier. This identifier is used by Microsoft internally. | +| **GroupID** | [string](/azure/kusto/query/scalar-data-types/string) | `3suvw1efol0nmy8y9g8tfhtj1onwpsk9g9swpwnvfra=` | Delivery Optimization Group ID GUID value. | +| **ISP** | [string](/azure/kusto/query/scalar-data-types/string) | `Microsoft Corporation` | Internet Service Provider estimation. | +| **LastCensusSeenTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The last time this device performed a successful census scan, if any. | +| **NoPeersCount** | [long](/azure/kusto/query/scalar-data-types/long) | `4` | Count of peers device interacted with. | +| **OSVersion** | [string](/azure/kusto/query/scalar-data-types/string) | `1909` | The Windows 10/11 operating system version currently installed on the device, such as 20H1, 21H2. | +| **PeerEligibleTransfers** | [long](/azure/kusto/query/scalar-data-types/long) | `5` | Total count of eligible transfers by peers. | +| **PeeringStatus** | [string](/azure/kusto/query/scalar-data-types/string) | `On` | Delivery Optimization peering status. | +| **PeersCannotConnectCount** | [long](/azure/kusto/query/scalar-data-types/long) | `1` | Count of peers Delivery Optimization couldn't connect to. | +| **PeersSuccessCount** | [long](/azure/kusto/query/scalar-data-types/long) | `2` | Count of peers Delivery Optimization successfully connected to. | +| **PeersUnknownCount** | [long](/azure/kusto/query/scalar-data-types/long) | `0` | Count of peers with an unknown relation. | +| **TenantId** | [string](/azure/kusto/query/scalar-data-types/string) |`6yy5y416-2d35-3yyf-ab5f-aea713e489d2` | Tenant ID | +| **TimeGenerated** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2022-11-17T22:11:40.1132971Z` | The time the snapshot generated this specific record. This is to determine to which batch snapshot this record belongs. | +| **TotalTimeForDownload** | [string](/azure/kusto/query/scalar-data-types/string) | `00:02:11` | Total time to download content. | +| **TotalTransfers** | [long](/azure/kusto/query/scalar-data-types/long) | `304` | Total count of data transfers needed to download content. | +| **Type** | [string](/azure/kusto/query/scalar-data-types/string) | `UCDOAggregatedStatus` | The entity type. | diff --git a/windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus.md b/windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus.md index 8f9c85e225..bc5677f9d8 100644 --- a/windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus.md +++ b/windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus.md @@ -6,7 +6,6 @@ description: UCServiceUpdateStatus schema ms.prod: windows-client author: mestew ms.author: mstewart -ms.collection: M365-analytics ms.topic: reference ms.date: 06/06/2022 ms.technology: itpro-updates diff --git a/windows/deployment/update/wufb-reports-schema-ucupdatealert.md b/windows/deployment/update/wufb-reports-schema-ucupdatealert.md index 93487fbca2..fa14e12358 100644 --- a/windows/deployment/update/wufb-reports-schema-ucupdatealert.md +++ b/windows/deployment/update/wufb-reports-schema-ucupdatealert.md @@ -6,7 +6,6 @@ description: UCUpdateAlert schema ms.prod: windows-client author: mestew ms.author: mstewart -ms.collection: M365-analytics ms.topic: reference ms.date: 06/06/2022 ms.technology: itpro-updates diff --git a/windows/deployment/update/wufb-reports-schema.md b/windows/deployment/update/wufb-reports-schema.md index cf7eb1c89c..1afd09b646 100644 --- a/windows/deployment/update/wufb-reports-schema.md +++ b/windows/deployment/update/wufb-reports-schema.md @@ -6,13 +6,12 @@ description: An overview of Windows Update for Business reports data schema ms.prod: windows-client author: mestew ms.author: mstewart -ms.collection: M365-analytics ms.topic: reference -ms.date: 06/06/2022 +ms.date: 11/15/2022 ms.technology: itpro-updates --- -# Windows Update for Business reports (preview)schema +# Windows Update for Business reports schema ***(Applies to: Windows 11 & Windows 10)*** @@ -31,5 +30,7 @@ The following table summarizes the different tables that are part of the Windows |[**UCClientReadinessStatus**](wufb-reports-schema-ucclientreadinessstatus.md) | Device record | UCClientReadinessStatus is an individual device's record about its readiness for updating to Windows 11. If the device isn't capable of running Windows 11, the record includes which Windows 11 hardware requirements the device doesn't meet.| | [**UCClientUpdateStatus**](wufb-reports-schema-ucclientupdatestatus.md) | Device record | Update Event that combines the latest client-based data with the latest service-based data to create a complete picture for one device (client) and one update. | | [**UCDeviceAlert**](wufb-reports-schema-ucdevicealert.md)| Service and device record | These alerts are activated as a result of an issue that is device-specific. It isn't specific to the combination of a specific update and a specific device. Like UpdateAlerts, the AlertType indicates where the Alert comes from such as a ServiceDeviceAlert or ClientDeviceAlert. | +| [**UCDOAggregatedStatus**](wufb-reports-schema-ucdoaggregatedstatus.md)| Device record | UCDOAggregatedStatus is an aggregation of all individual UDDOStatus records across the tenant and summarizes bandwidth savings across all devices enrolled using Delivery Optimization and Microsoft Connected Cache. | +| [**UCDOStatus**](wufb-reports-schema-ucdostatus.md)| Device record | UCDOStatus provides information, for a single device, on its bandwidth utilization across content types in the event they use Delivery Optimization and Microsoft Connected Cache. | | [**UCServiceUpdateStatus**](wufb-reports-schema-ucserviceupdatestatus.md) | Service record | Update Event that comes directly from the service-side. The event has only service-side information for one device (client), and one update, in one deployment. | | [**UCUpdateAlert**](wufb-reports-schema-ucupdatealert.md) | Service and device records | Alert for both client and service update. Contains information that needs attention, relative to one device (client), one update, and one deployment, if relevant. Certain fields may be blank depending on the UpdateAlert's AlertType field. For example, ServiceUpdateAlert won't necessarily contain client-side statuses and may be blank. | diff --git a/windows/deployment/update/wufb-reports-use.md b/windows/deployment/update/wufb-reports-use.md index befe5a0d99..eb4d607c10 100644 --- a/windows/deployment/update/wufb-reports-use.md +++ b/windows/deployment/update/wufb-reports-use.md @@ -6,13 +6,12 @@ description: How to use the Windows Update for Business reports data for custom ms.prod: windows-client author: mestew ms.author: mstewart -ms.collection: M365-analytics ms.topic: article -ms.date: 06/06/2022 +ms.date: 11/15/2022 ms.technology: itpro-updates --- -# Use Windows Update for Business reports (preview) +# Use Windows Update for Business reports ***(Applies to: Windows 11 & Windows 10)*** diff --git a/windows/deployment/update/wufb-reports-workbook.md b/windows/deployment/update/wufb-reports-workbook.md index e81b473707..585d03adb9 100644 --- a/windows/deployment/update/wufb-reports-workbook.md +++ b/windows/deployment/update/wufb-reports-workbook.md @@ -6,13 +6,12 @@ description: How to use the Windows Update for Business reports workbook. ms.prod: windows-client author: mestew ms.author: mstewart -ms.collection: M365-analytics ms.topic: article -ms.date: 10/24/2022 +ms.date: 11/15/2022 ms.technology: itpro-updates --- -# Windows Update for Business reports (preview) workbook +# Windows Update for Business reports workbook ***(Applies to: Windows 11 & Windows 10)*** @@ -141,7 +140,7 @@ The **Device status** group for feature updates contains the following items: ## Delivery Optimization (preview tab) -The **Delivery Optimization** tab provides a summarized view of bandwidth efficiencies. This new revised report also includes Microsoft Connected Cache (MCC) information. +The **Delivery Optimization** tab provides a summarized view of bandwidth efficiencies. This new revised report also includes [Microsoft Connected Cache](/windows/deployment/do/waas-microsoft-connected-cache) information. At the top of the report, tiles display the following information: @@ -156,6 +155,8 @@ The Delivery Optimization tab is further divided into the following groups: - **Content Distribution**: Includes charts showing percentage volumes and GB volumes by source by content types. All content types are linked to a table for deeper filtering by **ContentType**, **AzureADTenantId**, and **GroupID**. - **Efficiency By Group**: This view provides filters commonly used ways of grouping devices. The provided filters include: **GroupID**, **City**, **Country**, and **ISP**. +:::image type="content" source="images/wufb-do-overview.png" alt-text="Screenshot of the summary tab in the Windows Update for Business reports workbook for Delivery Optimization." lightbox="images/wufb-do-overview.png"::: + ## Customize the workbook Since the Windows Update for Business reports workbook is an [Azure Workbook template](/azure/azure-monitor/visualize/workbooks-templates), it can be customized to suit your needs. If you open a template, make some adjustments, and save it, the template is saved as a workbook. This workbook appears in green. The original template is left untouched. For more information about workbooks, see [Get started with Azure Workbooks](/azure/azure-monitor/visualize/workbooks-getting-started). diff --git a/windows/deployment/update/wufb-wsus.md b/windows/deployment/update/wufb-wsus.md index 2e772ed3ce..2d25f4fcc0 100644 --- a/windows/deployment/update/wufb-wsus.md +++ b/windows/deployment/update/wufb-wsus.md @@ -5,11 +5,10 @@ ms.prod: windows-client author: arcarley ms.localizationpriority: medium ms.author: arcarley -ms.collection: - - m365initiative-coredeploy manager: dougeby ms.topic: article ms.technology: itpro-updates +ms.date: 12/31/2017 --- # Use Windows Update for Business and WSUS together diff --git a/windows/deployment/upgrade/log-files.md b/windows/deployment/upgrade/log-files.md index 07c1cb0fb4..2e9259fece 100644 --- a/windows/deployment/upgrade/log-files.md +++ b/windows/deployment/upgrade/log-files.md @@ -13,22 +13,25 @@ ms.technology: itpro-deploy ms.date: 10/28/2022 --- -# Log files +# Windows upgrade log files **Applies to** -- Windows 10 ->[!NOTE] ->This is a 400 level topic (advanced).
    ->See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article. +- Windows 10 +> [!NOTE] +> This is a 400-level topic (advanced).
    + +> See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article. Several log files are created during each phase of the upgrade process. These log files are essential for troubleshooting upgrade problems. By default, the folders that contain these log files are hidden on the upgrade target computer. To view the log files, configure Windows Explorer to view hidden items, or use a tool to automatically gather these logs. The most useful log is **setupact.log**. The log files are located in a different folder depending on the Windows Setup phase. Recall that you can determine the phase from the extend code. ->[!NOTE] ->Also see the [Windows Error Reporting](windows-error-reporting.md) section in this document for help locating error codes and log files. +> [!NOTE] +> Also see the [Windows Error Reporting](windows-error-reporting.md) section in this document for help locating error codes and log files. + +The following table describes some log files and how to use them for troubleshooting purposes: + -The following table describes some log files and how to use them for troubleshooting purposes:
    |Log file |Phase: Location |Description |When to use| |---|---|---|---| @@ -46,15 +49,19 @@ The following table describes some log files and how to use them for troubleshoo A setupact.log or setuperr.log entry (files are located at C:\Windows) includes the following elements: -1. **The date and time** - 2016-09-08 09:20:05. +1. **The date and time** - 2016-09-08 09:20:05 -2. **The log level** - Info, Warning, Error, Fatal Error. -3. **The logging component** - CONX, MOUPG, PANTHR, SP, IBSLIB, MIG, DISM, CSI, CBS. +2. **The log level** - Info, Warning, Error, Fatal Error - The logging components SP (setup platform), MIG (migration engine), and CONX (compatibility information) are useful for troubleshooting Windows Setup errors. -4. **The message** - Operation completed successfully. +3. **The logging component** - CONX, MOUPG, PANTHR, SP, IBSLIB, MIG, DISM, CSI, CBS + + + The logging components SP (setup platform), MIG (migration engine), and CONX (compatibility information) are useful for troubleshooting Windows Setup errors. + + +4. **The message** - Operation completed successfully. See the following example: @@ -62,47 +69,47 @@ See the following example: |------|------------|------------|------------| |2016-09-08 09:23:50,| Warning | MIG | Couldn't replace object C:\Users\name\Cookies. Target Object can't be removed.| - ## Analyze log files The following instructions are meant for IT professionals. Also see the [Upgrade error codes](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json) section in this guide to familiarize yourself with [result codes](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#result-codes) and [extend codes](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#extend-codes). To analyze Windows Setup log files: -1. Determine the Windows Setup error code. This code should be returned by Windows Setup if it isn't successful with the upgrade process. +1. Determine the Windows Setup error code. This code should be returned by Windows Setup if it isn't successful with the upgrade process. -2. Based on the [extend code](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#extend-codes) portion of the error code, determine the type and location of a [log files](#log-files) to investigate. +2. Based on the [extend code](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#extend-codes) portion of the error code, determine the type and location of a log file to investigate. -3. Open the log file in a text editor, such as notepad. +3. Open the log file in a text editor, such as notepad. -4. Using the [result code](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#result-codes) portion of the Windows Setup error code, search for the result code in the file and find the last occurrence of the code. Alternatively search for the "abort" and abandoning" text strings described in step 7 below. +4. Using the [result code](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#result-codes) portion of the Windows Setup error code, search for the result code in the file and find the last occurrence of the code. Alternatively search for the "abort" and abandoning" text strings described in step 7 below. -5. To find the last occurrence of the result code: +5. To find the last occurrence of the result code: - 1. Scroll to the bottom of the file and select after the last character. - 2. Select **Edit**. - 3. Select **Find**. - 4. Type the result code. - 5. Under **Direction** select **Up**. - 6. Select **Find Next**. + 1. Scroll to the bottom of the file and select after the last character. + 2. Select **Edit**. + 3. Select **Find**. + 4. Type the result code. + 5. Under **Direction** select **Up**. + 6. Select **Find Next**. -6. When you've located the last occurrence of the result code, scroll up a few lines from this location in the file and review the processes that failed prior to generating the result code. +6. When you've located the last occurrence of the result code, scroll up a few lines from this location in the file and review the processes that failed prior to generating the result code. -7. Search for the following important text strings: +7. Search for the following important text strings: - * **Shell application requested abort** - * **Abandoning apply due to error for object** + - `Shell application requested abort` + - `Abandoning apply due to error for object` -8. Decode Win32 errors that appear in this section. +8. Decode Win32 errors that appear in this section. -9. Write down the timestamp for the observed errors in this section. +9. Write down the timestamp for the observed errors in this section. 10. Search other log files for additional information matching these timestamps or errors. For example, assume that the error code for an error is 0x8007042B - 0x2000D. Searching for "8007042B" reveals the following content from the setuperr.log file: -> [!Note] +> [!NOTE] > Some lines in the text below are shortened to enhance readability. For example +> > - The date and time at the start of each line (ex: 2016-10-05 15:27:08) is shortened to minutes and seconds > - The certificate file name, which is a long text string, is shortened to just "CN." diff --git a/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md b/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md index 816ce09308..d9550203d8 100644 --- a/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md +++ b/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md @@ -2,83 +2,87 @@ title: User State Migration Tool (USMT) - Getting Started (Windows 10) description: Plan, collect, and prepare your source computer for migration using the User State Migration Tool (USMT). ms.reviewer: -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski +author: frankroj ms.topic: article ms.technology: itpro-deploy +ms.date: 11/01/2022 --- -# Getting Started with the User State Migration Tool (USMT) -This topic outlines the general process that you should follow to migrate files and settings. +# Getting started with the User State Migration Tool (USMT) -## In this topic -- [Step 1: Plan Your Migration](#step-1-plan-your-migration) - -- [Step 2: Collect files and settings from the source computer](#step-2-collect-files-and-settings-from-the-source-computer) - -- [Step 3: Prepare the destination computer and restore files and settings](#step-3-prepare-the-destination-computer-and-restore-files-and-settings) +This article outlines the general process that you should follow to migrate files and settings. ## Step 1: Plan your migration -1. [Plan Your Migration](usmt-plan-your-migration.md). Depending on whether your migration scenario is refreshing or replacing computers, you can choose an online migration or an offline migration using Windows Preinstallation Environment (WinPE) or the files in the Windows.old directory. For more information, see [Common Migration Scenarios](usmt-common-migration-scenarios.md). -2. [Determine What to Migrate](usmt-determine-what-to-migrate.md). Data you might consider migrating includes end-user information, applications settings, operating-system settings, files, folders, and registry keys. +1. [Plan Your Migration](usmt-plan-your-migration.md). Depending on whether your migration scenario is refreshing or replacing computers, you can choose an online migration or an offline migration using Windows Preinstallation Environment (WinPE) or the files in the Windows.old directory. For more information, see [Common Migration Scenarios](usmt-common-migration-scenarios.md). -3. Determine where to store data. Depending on the size of your migration store, you can store the data remotely, locally in a hard-link migration store or on a local external storage device, or directly on the destination computer. For more information, see [Choose a Migration Store Type](usmt-choose-migration-store-type.md). +2. [Determine What to Migrate](usmt-determine-what-to-migrate.md). Data you might consider migrating includes end-user information, applications settings, operating-system settings, files, folders, and registry keys. -4. Use the **/GenMigXML** command-line option to determine which files will be included in your migration, and to determine whether any modifications are necessary. For more information see [ScanState Syntax](usmt-scanstate-syntax.md) +3. Determine where to store data. Depending on the size of your migration store, you can store the data remotely, locally in a hard-link migration store or on a local external storage device, or directly on the destination computer. For more information, see [Choose a Migration Store Type](usmt-choose-migration-store-type.md). -5. Modify copies of the Migration.xml and MigDocs.xml files and create custom .xml files, if it is required. To modify the migration behavior, such as migrating the **Documents** folder but not the **Music** folder, you can create a custom .xml file or modify the rules in the existing migration .xml files. The document finder, or **MigXmlHelper.GenerateDocPatterns** helper function, can be used to automatically find user documents on a computer without creating extensive custom migration .xml files. +4. Use the `/GenMigXML` command-line option to determine which files will be included in your migration, and to determine whether any modifications are necessary. For more information, see [ScanState Syntax](usmt-scanstate-syntax.md) - **Important**   - We recommend that you always make and modify copies of the .xml files included in User State Migration Tool (USMT) 10.0. Never modify the original .xml files. - - You can use the MigXML.xsd file to help you write and validate the .xml files. For more information about how to modify these files, see [USMT XML Reference](usmt-xml-reference.md). +5. Modify copies of the `Migration.xml` and `MigDocs.xml` files and create custom .xml files, if it's required. To modify the migration behavior, such as migrating the **Documents** folder but not the **Music** folder, you can create a custom .xml file or modify the rules in the existing migration .xml files. The document finder, or `MigXmlHelper.GenerateDocPatterns` helper function, can be used to automatically find user documents on a computer without creating extensive custom migration .xml files. -6. Create a [Config.xml File](usmt-configxml-file.md) if you want to exclude any components from the migration. To create this file, use the [ScanState Syntax](usmt-scanstate-syntax.md) option together with the other .xml files when you use the **ScanState** command. For example, the following command creates a Config.xml file by using the MigDocs and MigApp.xml files: + > [!IMPORTANT] + > We recommend that you always make and modify copies of the .xml files included in User State Migration Tool (USMT) 10.0. Never modify the original .xml files. - `scanstate /genconfig:config.xml /i:migdocs.xml /i:migapp.xml /v:13 /l:scanstate.log` + You can use the `MigXML.xsd` file to help you write and validate the .xml files. For more information about how to modify these files, see [USMT XML Reference](usmt-xml-reference.md). -7. Review the migration state of the components listed in the Config.xml file, and specify `migrate=no` for any components that you do not want to migrate. +6. Create a [Config.xml File](usmt-configxml-file.md) if you want to exclude any components from the migration. To create this file, use the [ScanState Syntax](usmt-scanstate-syntax.md) option together with the other .xml files when you use the `ScanState.exe` command. For example, the following command creates a `Config.xml` file by using the `MigDocs.xml` and `MigApp.xml` files: + + ```cmd + ScanState.exe /genconfig:Config.xml /i:MigDocs.xml /i:MigApp.xml /v:13 /l:ScanState.log + ``` + +7. Review the migration state of the components listed in the `Config.xml` file, and specify `migrate=no` for any components that you don't want to migrate. ## Step 2: Collect files and settings from the source computer -1. Back up the source computer. -2. Close all applications. If some applications are running when you run the **ScanState** command, USMT might not migrate all of the specified data. For example, if Microsoft® Office Outlook® is open, USMT might not migrate PST files. +1. Back up the source computer. - **Note**   - USMT will fail if it cannot migrate a file or setting unless you specify the **/C** option. When you specify the **/C** option, USMT will ignore the errors, and log an error every time that it encounters a file that is being used that USMT did not migrate. You can use the **<ErrorControl>** section in the Config.xml file to specify which errors should be ignored, and which should cause the migration to fail. +2. Close all applications. If some applications are running when you run the `ScanState.exe` command, USMT might not migrate all of the specified data. For example, if Microsoft Office Outlook is open, USMT might not migrate PST files. -3. Run the **ScanState** command on the source computer to collect files and settings. You should specify all of the .xml files that you want the **ScanState** command to use. For example, + > [!NOTE] + > USMT will fail if it cannot migrate a file or setting unless you specify the `/C` option. When you specify the `/C` option, USMT will ignore the errors, and log an error every time that it encounters a file that is being used that USMT did not migrate. You can use the `` section in the `Config.xml` file to specify which errors should be ignored, and which should cause the migration to fail. - `scanstate \\server\migration\mystore /config:config.xml /i:migdocs.xml /i:migapp.xml /v:13 /l:scan.log` +3. Run the `ScanState.exe` command on the source computer to collect files and settings. You should specify all of the .xml files that you want the `ScanState.exe` command to use. For example, - **Note**   - If the source computer is running Windows 7, or Windows 8, you must run the **ScanState** command in **Administrator** mode. To run in **Administrator** mode, right-click **Command Prompt**, and then click **Run As Administrator**. If the source computer is running Windows XP, you must run the **ScanState** command from an account that has administrative credentials. For more information about the how the **ScanState** command processes and stores the data, see [How USMT Works](usmt-how-it-works.md). + ```cmd + ScanState.exe \\server\migration\mystore /config:Config.xml /i:MigDocs.xml /i:MigApp.xml /v:13 /l:ScanState.log + ``` -4. Run the **USMTUtils** command with the **/Verify** option to ensure that the store you created is not corrupted. + > [!NOTE] + > If the source computer is running Windows 7, or Windows 8, you must run the `ScanState.exe` command in **Administrator** mode. To run in **Administrator** mode, right-click **Command Prompt**, and then select **Run As Administrator**. For more information about the how the `ScanState.exe` command processes and stores the data, see [How USMT Works](usmt-how-it-works.md). + +4. Run the `UsmtUtils.exe` command with the `/Verify` option to ensure that the store you created isn't corrupted. ## Step 3: Prepare the destination computer and restore files and settings -1. Install the operating system on the destination computer. -2. Install all applications that were on the source computer. Although it is not always required, we recommend installing all applications on the destination computer before you restore the user state. This makes sure that migrated settings are preserved. +1. Install the operating system on the destination computer. - **Note**   - The application version that is installed on the destination computer should be the same version as the one on the source computer. USMT does not support migrating the settings for an older version of an application to a newer version. The exception to this is Microsoft® Office, which USMT can migrate from an older version to a newer version. +2. Install all applications that were on the source computer. Although it isn't always required, we recommend installing all applications on the destination computer before you restore the user state. This makes sure that migrated settings are preserved. -3. Close all applications. If some applications are running when you run the **LoadState** command, USMT might not migrate all of the specified data. For example, if Microsoft Office Outlook is open, USMT might not migrate PST files. + > [!NOTE] + > The application version that is installed on the destination computer should be the same version as the one on the source computer. USMT does not support migrating the settings for an older version of an application to a newer version. The exception to this is Microsoft Office, which USMT can migrate from an older version to a newer version. - **Note**   - Use **/C** to continue your migration if errors are encountered, and use the **<ErrorControl>** section in the Config.xml file to specify which errors should be ignored, and which errors should cause the migration to fail. +3. Close all applications. If some applications are running when you run the `LoadState.exe ` command, USMT might not migrate all of the specified data. For example, if Microsoft Office Outlook is open, USMT might not migrate PST files. -4. Run the **LoadState** command on the destination computer. Specify the same set of .xml files that you specified when you used the **ScanState** command. However, you do not have to specify the Config.xml file, unless you want to exclude some of the files and settings that you migrated to the store. For example, you might want to migrate the My Documents folder to the store, but not to the destination computer. To do this, modify the Config.xml file and specify the updated file by using the **LoadState** command. Then, the **LoadState** command will migrate only the files and settings that you want to migrate. For more information about the how the **LoadState** command processes and migrates data, see [How USMT Works](usmt-how-it-works.md). + > [!NOTE] + > Use `/C` to continue your migration if errors are encountered, and use the `` section in the `Config.xml` file to specify which errors should be ignored, and which errors should cause the migration to fail. + +4. Run the `LoadState.exe ` command on the destination computer. Specify the same set of .xml files that you specified when you used the `ScanState.exe` command. However, you don't have to specify the `Config.xml` file, unless you want to exclude some of the files and settings that you migrated to the store. For example, you might want to migrate the My Documents folder to the store, but not to the destination computer. To do this, modify the `Config.xml` file and specify the updated file by using the `LoadState.exe ` command. Then, the `LoadState.exe ` command will migrate only the files and settings that you want to migrate. For more information about how the `LoadState.exe ` command processes and migrates data, see [How USMT Works](usmt-how-it-works.md). For example, the following command migrates the files and settings: - `loadstate \\server\migration\mystore /config:config.xml /i:migdocs.xml /i:migapp.xml /v:13 /l:load.log` + ```cmd + LoadState.exe \\server\migration\mystore /config:Config.xml /i:MigDocs.xml /i:MigApp.xml /v:13 /l:LoadState.log + ``` - **Note**   - Run the **LoadState** command in administrator mode. To do this, right-click **Command Prompt**, and then click **Run As Administrator**. + > [!NOTE] + > Run the `LoadState.exe ` command in administrator mode. To do this, right-click **Command Prompt**, and then click **Run As Administrator**. -5. Log off after you run the **LoadState** command. Some settings (for example, fonts, wallpaper, and screen saver settings) will not take effect until the next time that the user logs on. +5. Sign out after you run the `LoadState.exe ` command. Some settings, such as fonts, wallpaper, and screen saver settings, won't take effect until the next time that the user logs on. diff --git a/windows/deployment/usmt/migrate-application-settings.md b/windows/deployment/usmt/migrate-application-settings.md index 5814c465d8..677f59ca0c 100644 --- a/windows/deployment/usmt/migrate-application-settings.md +++ b/windows/deployment/usmt/migrate-application-settings.md @@ -2,163 +2,147 @@ title: Migrate Application Settings (Windows 10) description: Learn how to author a custom migration .xml file that migrates the settings of an application that isn't migrated by default using MigApp.xml. ms.reviewer: -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski -ms.date: 04/19/2017 +author: frankroj +ms.date: 11/01/2022 ms.topic: article ms.technology: itpro-deploy --- # Migrate Application Settings +You can create a custom .xml file to migrate specific line-of-business application settings or to change the default migration behavior of the User State Migration Tool (USMT) 10.0. For ScanState and LoadState to use this file, you must specify the custom .xml file on both command lines. -You can create a custom .xml file to migrate specific line-of-business application settings or to change the default migration behavior of the User State Migration Tool (USMT) 10.0. For ScanState and LoadState to use this file, you must specify the custom .xml file on both command lines. +This article defines how to author a custom migration .xml file that migrates the settings of an application that isn't migrated by default using `MigApp.xml`. You should migrate the settings after you install the application, but before the user runs the application for the first time. -This topic defines how to author a custom migration .xml file that migrates the settings of an application that is not migrated by default using MigApp.xml. You should migrate the settings after you install the application, but before the user runs the application for the first time. +This article doesn't contain information about how to migrate applications that store settings in an application-specific store, only the applications that store the information in files or in the registry. It also doesn't contain information about how to migrate the data that users create using the application. For example, if the application creates .doc files using a specific template, this article doesn't discuss how to migrate the .doc files and templates themselves. -This topic does not contain information about how to migrate applications that store settings in an application-specific store, only the applications that store the information in files or in the registry. It also does not contain information about how to migrate the data that users create using the application. For example, if the application creates .doc files using a specific template, this topic does not discuss how to migrate the .doc files and templates themselves. +## Before you begin -## In this Topic +You should identify a test computer that contains the operating system of your source computers, and the application whose settings you want to migrate. For example, if you're planning on migrating from Windows 7 to Windows 10, install Windows 7 on your test computer and then install the application. +## Step 1: Verify that the application is installed on the source computer, and that it's the same version as the version to be installed on the destination computer -- [Before You Begin](#bkmk-beforebegin) +Before USMT migrates the settings, you need it to check whether the application is installed on the source computer, and that it's the correct version. If the application isn't installed on the source computer, you probably don't want USMT to spend time searching for the application's settings. More importantly, if USMT collects settings for an application that isn't installed, it may migrate settings that will cause the destination computer to function incorrectly. You should also investigate whether there's more than one version of the application because the new version may not store the settings in the same place. Mismatched application versions may lead to unexpected results on the destination computer. -- [Step 1: Verify that the application is installed on the source computer, and that it is the same version as the version to be installed on the destination computer](#bkmk-step1). +There are many ways to detect if an application is installed. The best practice is to check for an application uninstall key in the registry, and then search the computer for the executable file that installed the application. It's important that you check for both of these items, because sometimes different versions of the same application share the same uninstall key. So even if the key is there, it may not correspond to the version of the application that you want. -- [Step 2: Identify settings to collect and determine where each setting is stored on the computer](#bkmk-step2). +### Check the registry for an application uninstall key -- [Step 3: Identify how to apply the gathered settings](#bkmk-step3). +When many applications are installed (especially those installed using the Microsoft® Windows® Installer technology), an application uninstall key is created under: -- [Step 4: Create the migration XML component for the application](#bkmk-step4). +`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall` -- [Step 5: Test the application settings migration](#bkmk-step5). +For example, when Adobe Acrobat Reader 7 is installed, it creates a key named: -## Before You Begin +`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall \{AC76BA86-7AD7-1033-7B44-A70000000000}` +Therefore, if a computer contains this key, then Adobe Acrobat Reader 7 is installed on the computer. You can check for the existence of a registry key using the `DoesObjectExist` helper function. -You should identify a test computer that contains the operating system of your source computers, and the application whose settings you want to migrate. For example, if you are planning on migrating from Windows 7 to Windows 10, install Windows 7 on your test computer and then install the application. +Usually, you can find this key by searching under -## Step 1: Verify that the application is installed on the source computer, and that it is the same version as the version to be installed on the destination computer. +`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall` +for the name of the application, the name of the application executable file, or for the name of the company that makes the application. You can use the Registry Editor, `Regedit.exe` located in the `%SystemRoot%`, to search the registry. -Before USMT migrates the settings, you need it to check whether the application is installed on the source computer, and that it is the correct version. If the application is not installed on the source computer, you probably do not want USMT to spend time searching for the application’s settings. More importantly, if USMT collects settings for an application that is not installed, it may migrate settings that will cause the destination computer to function incorrectly. You should also investigate whether there is more than one version of the application. This is because the new version may not store the settings in the same place, which may lead to unexpected results on the destination computer. +### Check the file system for the application executable file -There are many ways to detect if an application is installed. The best practice is to check for an application uninstall key in the registry, and then search the computer for the executable file that installed the application. It is important that you check for both of these items, because sometimes different versions of the same application share the same uninstall key. So even if the key is there, it may not correspond to the version of the application that you want. +You should also check the application binaries for the executable that installed the application. To check for application binaries, you'll first need to determine where the application is installed and what the name of the executable is. Most applications store the installation location of the application binaries in the registry. You should search the registry for the name of the application, the name of the application executable, or for the name of the company that makes the application, until you find the registry value that contains the installation path. Once you've determined the path to the application executable, you can use the `DoesFileVersionMatch` helper function to check for the correct version of the application executable. For an example of how to use the `DoesFileVersionMatch` helper function, see the Windows Live™ Messenger section of the `MigApp.xml` file. -### Check the registry for an application uninstall key. +## Step 2: Identify settings to collect and determine where each setting is stored on the computer -When many applications are installed (especially those installed using the Microsoft® Windows® Installer technology), an application uninstall key is created under **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall**. For example, when Adobe Acrobat Reader 7 is installed, it creates a key named **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall \\{AC76BA86-7AD7-1033-7B44-A70000000000}**. Therefore, if a computer contains this key, then Adobe Acrobat Reader 7 is installed on the computer. You can check for the existence of a registry key using the **DoesObjectExist** helper function. +Next, you should go through the user interface and make a list of all of the available settings. You can reduce the list if there are settings that you don't want to migrate. To determine where each setting is stored, you'll need to change each setting and monitor the activity on the registry and the file system. You don't need to migrate the binary files and registry settings that are made when the application is installed because you'll need to reinstall the application onto the destination computer. You only need to migrate those settings that are customizable. -Usually, you can find this key by searching under **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall** for the name of the application, the name of the application executable file, or for the name of the company that makes the application. You can use the Registry Editor (**Regedit.exe** located in the %**SystemRoot**%) to search the registry. +### How to determine where each setting is stored -### Check the file system for the application executable file. +1. Download a file and registry monitoring tool, such as the Regmon and Filemon tools, from the [Windows Sysinternals Web site](/sysinternals/). -You should also check the application binaries for the executable that installed the application. To do this, you will first need to determine where the application is installed and what the name of the executable is. Most applications store the installation location of the application binaries in the registry. You should search the registry for the name of the application, the name of the application executable, or for the name of the company that makes the application, until you find the registry value that contains the installation path. Once you have determined the path to the application executable, you can use the **DoesFileVersionMatch** helper function to check for the correct version of the application executable. For an example of how to do this, see the Windows Live™ Messenger section of the MigApp.xml file. +2. Shut down as many applications as possible to limit the registry and file system activity on the computer. -## Step 2: Identify settings to collect and determine where each setting is stored on the computer. +3. Filter the output of the tools so it only displays changes being made by the application. + > [!NOTE] + > Most applications store their settings under the user profile. That is, the settings stored in the file system are under the `%UserProfile%` directory, and the settings stored in the registry are under the `HKEY_CURRENT_USER` hive. For these applications you can filter the output of the file and registry monitoring tools to show activity only under these locations. This will considerably reduce the amount of output that you will need to examine. -Next, you should go through the user interface and make a list of all of the available settings. You can reduce the list if there are settings that you do not want to migrate. To determine where each setting is stored, you will need to change each setting and monitor the activity on the registry and the file system. You do not need to migrate the binary files and registry settings that are made when the application is installed. This is because you will need to reinstall the application onto the destination computer. You only need to migrate those settings that are customizable. +4. Start the monitoring tool(s), change a setting, and look for registry and file system writes that occurred when you changed the setting. Make sure the changes you make actually take effect. For example, if you're changing a setting in Microsoft Word by selecting a check box in the **Options** dialog box, the change typically won't take effect until you close the dialog box by clicking **OK**. -### +5. When the setting is changed, note the changes to the file system and registry. There may be more than one file or registry values for each setting. You should identify the minimal set of file and registry changes that are required to change this setting. This set of files and registry keys is what you will need to migrate in order to migrate the setting. -**How To Determine Where Each Setting is Stored** + > [!NOTE] + > Changing an application setting invariably leads to writing to registry keys. If possible, filter the output of the file and registry monitor tool to display only writes to files and registry keys/values. -1. Download a file and registry monitoring tool, such as the Regmon and Filemon tools, from the [Windows Sysinternals Web site](/sysinternals/). +## Step 3: Identify how to apply the gathered settings -2. Shut down as many applications as possible to limit the registry and file system activity on the computer. +If the version of the application on the source computer is the same as the one on the destination computer, then you don't have to modify the collected files and registry keys. By default, USMT migrates the files and registry keys from the source location to the corresponding location on the destination computer. For example, if a file was collected from the `C:\Documents and Settings\User1\My Documents` folder and the profile directory on the destination computer is located at `D:\Users\User1`, then USMT will automatically migrate the file to `D:\Users\User1\My Documents`. However, you may need to modify the location of some settings in the following three cases: -3. Filter the output of the tools so it only displays changes being made by the application. +### Case 1: The version of the application on the destination computer is newer than the one on the source computer - **Note**   - Most applications store their settings under the user profile. That is, the settings stored in the file system are under the %**UserProfile**% directory, and the settings stored in the registry are under the **HKEY\_CURRENT\_USER** hive. For these applications you can filter the output of the file and registry monitoring tools to show activity only under these locations. This will considerably reduce the amount of output that you will need to examine. +In this case, the newer version of the application may be able to read the settings from the source computer without modification. That is, the data collected from an older version of the application is sometimes compatible with the newer version of the application. However, you may need to modify the setting location if either of the following conditions is true: - +- **The newer version of the application has the ability to import settings from an older version.** This mapping usually happens the first time a user runs the newer version after the settings have been migrated. Some applications import settings automatically after settings are migrated. However, other applications will only do import settings if the application was upgraded from the older version. When the application is upgraded, a set of files and/or registry keys is installed that indicates the older version of the application was previously installed. If you perform a clean installation of the newer version (which is the case in most migrations), the computer doesn't contain this set of files and registry keys so the mapping doesn't occur. In order to trick the newer version of the application into initiating this import process, your migration script may need to create these files and/or registry keys on the destination computer. -4. Start the monitoring tool(s), change a setting, and look for registry and file system writes that occurred when you changed the setting. Make sure the changes you make actually take effect. For example, if you are changing a setting in Microsoft Word by selecting a check box in the **Options** dialog box, the change typically will not take effect until you close the dialog box by clicking **OK**. + To identify which files and/or registry keys/values need to be created to cause the import, you should upgrade the older version of the application to the newer one and monitor the changes made to the file system and registry by using the same process described in [How to determine where each setting is stored](#how-to-determine-where-each-setting-is-stored). Once you know the set of files that the computer needs, you can use the **<addObjects>** element to add them to the destination computer. -5. When the setting is changed, note the changes to the file system and registry. There may be more than one file or registry values for each setting. You should identify the minimal set of file and registry changes that are required to change this setting. This set of files and registry keys is what you will need to migrate in order to migrate the setting. +- **The newer version of the application can't read settings from the source computer and it's also unable to import the settings into the new format.** In this case, you'll need to create a mapping for each setting from the old locations to the new locations. To create the mapping, determine where the newer version stores each setting using the process described in [How to determine where each setting is stored](#how-to-determine-where-each-setting-is-stored). After you've created the mapping, apply the settings to the new location on the destination computer using the **<locationModify>** element, and the `RelativeMove` and `ExactMove` helper functions. - **Note**   - Changing an application setting invariably leads to writing to registry keys. If possible, filter the output of the file and registry monitor tool to display only writes to files and registry keys/values. +### Case 2: The destination computer already contains settings for the application - +We recommend that you migrate the settings after you install the application, but before the user runs the application for the first time. We recommend this process because this process ensures that there are no settings on the destination computer when you migrate the settings. If you must install the application before the migration, you should delete any existing settings using the **<destinationCleanup>** element. If for any reason you want to preserve the settings that are on the destination computer, you can use the **<merge>** element and `DestinationPriority` helper function. -## Step 3: Identify how to apply the gathered settings. +### Case 3: The application overwrites settings when it's installed +We recommend that you migrate the settings after you install the application, but before the user runs the application for the first time. We recommend this process because this process ensures that there are no settings on the destination computer when you migrate the settings. Also, when some applications are installed, they overwrite any existing settings that are on the computer. In this scenario, if you migrated the data before you installed the application, your customized settings would be overwritten. This scenario is common for applications that store settings in locations that are outside of the user profile (typically these settings are settings that apply to all users). These universal settings are sometimes overwritten when an application is installed, and they're replaced by default values. To avoid this problem, you must install these applications before migrating the files and settings to the destination computer. By default with USMT, data from the source computer overwrites data that already exists in the same location on the destination computer. -If the version of the application on the source computer is the same as the one on the destination computer, then you do not have to modify the collected files and registry keys. By default, USMT migrates the files and registry keys from the source location to the corresponding location on the destination computer. For example, if a file was collected from the C:\\Documents and Settings\\User1\\My Documents folder and the profile directory on the destination computer is located at D:\\Users\\User1, then USMT will automatically migrate the file to D:\\Users\\User1\\My Documents. However, you may need to modify the location of some settings in the following three cases: +## Step 4: Create the migration XML component for the application -### Case 1: The version of the application on the destination computer is newer than the one on the source computer. +After you have completed steps 1 through 3, you'll need to create a custom migration .xml file that migrates the application based on the information that you now have. You can use the `MigApp.xml` file as a model because it contains examples of many of the concepts discussed in this article. You can also see [Custom XML Examples](usmt-custom-xml-examples.md) for another sample .xml file. -In this case, the newer version of the application may be able to read the settings from the source computer without modification. That is, the data collected from an older version of the application is sometimes compatible with the newer version of the application. However, you may need to modify the setting location if either of the following is true: + > [!NOTE] + > We recommend that you create a separate .xml file instead of adding your script to the `MigApp.xml` file. This is because the `MigApp.xml` file is a very large file and it will be difficult to read and edit. In addition, if you reinstall USMT for some reason, the `MigApp.xml` file will be overwritten by the default version of the file and you will lose your customized version. -- **The newer version of the application has the ability to import settings from an older version.** This mapping usually happens the first time a user runs the newer version after the settings have been migrated. Some applications do this automatically after settings are migrated; however, other applications will only do this if the application was upgraded from the older version. When the application is upgraded, a set of files and/or registry keys is installed that indicates the older version of the application was previously installed. If you perform a clean installation of the newer version (which is the case in most migrations), the computer does not contain this set of files and registry keys so the mapping does not occur. In order to trick the newer version of the application into initiating this import process, your migration script may need to create these files and/or registry keys on the destination computer. +> [!IMPORTANT] +> Some applications store information in the user profile, such as application installation paths, the computer name, etc., should not be migrated. You should make sure to exclude these files and registry keys from the migration. - To identify which files and/or registry keys/values need to be created to cause the import, you should upgrade the older version of the application to the newer one and monitor the changes made to the file system and registry by using the same process described in [How To determine where each setting is stored](#bkmkdetermine). Once you know the set of files that the computer needs, you can use the <`addObjects`> element to add them to the destination computer. +Your script should do the following actions: -- [The newer version of the application cannot read settings from the source computer and it is also unable to import the settings into the new format.](#bkmkdetermine) In this case, you will need to create a mapping for each setting from the old locations to the new locations. To do this, determine where the newer version stores each setting using the process described in How to determine where each setting is stored. After you have created the mapping, apply the settings to the new location on the destination computer using the <`locationModify`> element, and the **RelativeMove** and **ExactMove** helper functions. +1. Check whether the application and correct version is installed by: -### Case 2: The destination computer already contains settings for the application. + - Searching for the installation uninstall key under `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall` using the `DoesObjectExist` helper function. -We recommend that you migrate the settings after you install the application, but before the user runs the application for the first time. We recommend this because this ensures that there are no settings on the destination computer when you migrate the settings. If you must install the application before the migration, you should delete any existing settings using the <`destinationCleanup`> element. If for any reason you want to preserve the settings that are on the destination computer, you can use the <`merge`> element and **DestinationPriority** helper function. + - Checking for the correct version of the application executable file using the `DoesFileVersionMatch` helper function. -### Case 3: The application overwrites settings when it is installed. +2. If the correct version of the application is installed, then ensure that each setting is migrated to the appropriate location on the destination computer. -We recommend that you migrate the settings after you install the application, but before the user runs the application for the first time. We recommend this because this ensures that there are no settings on the destination computer when you migrate the settings. Also, when some applications are installed, they overwrite any existing settings that are on the computer. In this scenario, if you migrated the data before you installed the application, your customized settings would be overwritten. This is common for applications that store settings in locations that are outside of the user profile (typically these are settings that apply to all users). These universal settings are sometimes overwritten when an application is installed, and they are replaced by default values. To avoid this, you must install these applications before migrating the files and settings to the destination computer. By default with USMT, data from the source computer overwrites data that already exists in the same location on the destination computer. + - If the versions of the applications are the same on both the source and destination computers, migrate each setting using the **<include>** and **<exclude>** elements. -## Step 4: Create the migration XML component for the application + - If the version of the application on the destination computer is newer than the one on the source computer, and the application can't import the settings, your script should either: + 1. Add the set of files that trigger the import using the **<addObjects>** element + 2. Create a mapping that applies the old settings to the correct location on the destination computer using the **<locationModify>** element, and the `RelativeMove` and `ExactMove` helper functions. - -After you have completed steps 1 through 3, you will need to create a custom migration .xml file that migrates the application based on the information that you now have. You can use the MigApp.xml file as a model because it contains examples of many of the concepts discussed in this topic. You can also see [Custom XML Examples](usmt-custom-xml-examples.md) for another sample .xml file. - -**Note**   -We recommend that you create a separate .xml file instead of adding your script to the **MigApp.xml** file. This is because the **MigApp.xml** file is a very large file and it will be difficult to read and edit. In addition, if you reinstall USMT for some reason, the **MigApp.xml** file will be overwritten by the default version of the file and you will lose your customized version. - - - -**Important**   -Some applications store information in the user profile that should not be migrated (for example, application installation paths, the computer name, and so on). You should make sure to exclude these files and registry keys from the migration. - - - -Your script should do the following: - -1. Check whether the application and correct version is installed by: - - - Searching for the installation uninstall key under **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall** using the **DoesObjectExist** helper function. - - - Checking for the correct version of the application executable file using the **DoesFileVersionMatch** helper function. - -2. If the correct version of the application is installed, then ensure that each setting is migrated to the appropriate location on the destination computer. - - - If the versions of the applications are the same on both the source and destination computers, migrate each setting using the <`include`> and <`exclude`> elements. - - - If the version of the application on the destination computer is newer than the one on the source computer, and the application cannot import the settings, your script should either 1) add the set of files that trigger the import using the <`addObjects`> element or 2) create a mapping that applies the old settings to the correct location on the destination computer using the <`locationModify`> element, and the **RelativeMove** and **ExactMove** helper functions. - - - If you must install the application before migrating the settings, delete any settings that are already on the destination computer using the <`destinationCleanup`> element. + - If you must install the application before migrating the settings, delete any settings that are already on the destination computer using the **<destinationCleanup>** element. For information about the .xml elements and helper functions, see [XML Elements Library](usmt-xml-elements-library.md). -## Step 5: Test the application settings migration +## Step 5: Test the application settings migration +On a test computer, install the operating system that will be installed on the destination computers. For example, if you're planning on migrating from Windows 7 to Windows 10, install Windows 10 and the application. Next, run LoadState on the test computer and verify that all settings migrate. Make corrections if necessary and repeat the process until all the necessary settings are migrated correctly. -On a test computer, install the operating system that will be installed on the destination computers. For example, if you are planning on migrating from Windows 7 to Windows 10, install Windows 10 and the application. Next, run LoadState on the test computer and verify that all settings migrate. Make corrections if necessary and repeat the process until all the necessary settings are migrated correctly. +To speed up the time it takes to collect and migrate the data, you can migrate only one user at a time, and you can exclude all other components from the migration except the application that you're testing. To specify only **User1** in the migration, enter: -To speed up the time it takes to collect and migrate the data, you can migrate only one user at a time, and you can exclude all other components from the migration except the application that you are testing. To specify only User1 in the migration, type: **/ue:\*\\\* /ui:user1**. For more information, see [Exclude Files and Settings](usmt-exclude-files-and-settings.md) and User options in the [ScanState Syntax](usmt-scanstate-syntax.md) topic. To troubleshoot a problem, check the progress log, and the ScanState and LoadState logs, which contain warnings and errors that may point to problems with the migration. +```cmd +/ue:*\* /ui:user1 +``` -## Related topics +For more information, see the [Exclude files and settings](usmt-exclude-files-and-settings.md) article and the [User options](usmt-scanstate-syntax.md#user-options) section in the [ScanState syntax](usmt-scanstate-syntax.md) article. To troubleshoot a problem, check the progress log, and the ScanState and LoadState logs, which contain warnings and errors that may point to problems with the migration. +## Related articles -[USMT XML Reference](usmt-xml-reference.md) +[USMT XML reference](usmt-xml-reference.md) -[Conflicts and Precedence](usmt-conflicts-and-precedence.md) +[Conflicts and precedence](usmt-conflicts-and-precedence.md) -[XML Elements Library](usmt-xml-elements-library.md) - -[Log Files](usmt-log-files.md) - - +[XML elements library](usmt-xml-elements-library.md) +[Log files](usmt-log-files.md) diff --git a/windows/deployment/usmt/migration-store-types-overview.md b/windows/deployment/usmt/migration-store-types-overview.md index aec69b1dd2..9059505be0 100644 --- a/windows/deployment/usmt/migration-store-types-overview.md +++ b/windows/deployment/usmt/migration-store-types-overview.md @@ -2,78 +2,60 @@ title: Migration Store Types Overview (Windows 10) description: Learn about the migration store types and how to determine which migration store type best suits your needs. ms.reviewer: -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski -ms.date: 04/19/2017 +author: frankroj +ms.date: 11/01/2022 ms.topic: article ms.technology: itpro-deploy --- # Migration Store Types Overview +When planning your migration, you should determine which migration store type best meets your needs. As part of these considerations, determine how much space is required to run the User State Migration Tool (USMT) 10.0 components on your source and destination computers. You should also determine the space needed to create and host the migration store, whether you're using a local share, network share, or storage device. -When planning your migration, you should determine which migration store type best meets your needs. As part of these considerations, determine how much space is required to run the User State Migration Tool (USMT) 10.0 components on your source and destination computers. You should also determine the space needed to create and host the migration store, whether you are using a local share, network share, or storage device. - -## In This Topic - - -[Migration Store Types](#bkmk-types) - -[Local Store vs. Remote Store](#bkmk-localvremote) - -[The /localonly Command-Line Option](#bkmk-localonly) - -## Migration Store Types - +## Migration store types This section describes the three migration store types available in USMT. ### Uncompressed (UNC) -The uncompressed (UNC) migration store is an uncompressed directory with a mirror image of the folder hierarchy being migrated. Each directory and file retains the same access permissions that it has on the local file system. You can use Windows Explorer to view this migration store type. Settings are stored in a catalog file that also describes how to restore files on the destination computer. +The uncompressed (UNC) migration store is an uncompressed directory with a mirror image of the folder hierarchy being migrated. Each directory and file retains the same access permissions that it has on the local file system. You can use Windows Explorer to view this migration store type. Settings are stored in a catalog file that also describes how to restore files on the destination computer. ### Compressed -The compressed migration store is a single image file that contains all files being migrated and a catalog file. This image file is often encrypted and protected with a password, and cannot be navigated with Windows Explorer. +The compressed migration store is a single image file that contains all files being migrated and a catalog file. This image file is often encrypted and protected with a password, and can't be navigated with Windows Explorer. ### Hard-Link -A hard-link migration store functions as a map that defines how a collection of bits on the hard disk are “wired” into the file system. You use the new USMT hard-link migration store in the PC Refresh scenario only. This is because the hard-link migration store is maintained on the local computer while the old operating system is removed and the new operating system is installed. Using a hard-link migration store saves network bandwidth and minimizes the server use needed to accomplish the migration. +A hard-link migration store functions as a map that defines how a collection of bits on the hard disk are "wired" into the file system. You use the new USMT hard-link migration store in the PC Refresh scenario only. You only use hard-link migration stores in Refresh scenarios because the hard-link migration store is maintained on the local computer while the old operating system is removed and the new operating system is installed. Using a hard-link migration store saves network bandwidth and minimizes the server use needed to accomplish the migration. -You use a command-line option,**/hardlink** , to create a hard-link migration store, which functions the same as an uncompressed migration store. Files are not duplicated on the local computer when user state is captured, nor are they duplicated when user state is restored. For more information, see [Hard-Link Migration Store](usmt-hard-link-migration-store.md). +You use the command-line option `/hardlink` to create a hard-link migration store, which functions the same as an uncompressed migration store. Files aren't duplicated on the local computer when user state is captured, nor are they duplicated when user state is restored. For more information, see [Hard-Link Migration Store](usmt-hard-link-migration-store.md). The following flowchart illustrates the procedural differences between a local migration store and a remote migration store. In this example, a hard-link migration store is used for the local store. ![migration store comparison.](images/dep-win8-l-usmt-migrationcomparemigstores.gif) -## Local Store vs. Remote Store +## Local store vs. remote store +If you have enough space and you're migrating the user state back to the same computer, storing data on a local device is normally the best option to reduce server storage costs and network performance issues. You can store the data locally either on a different partition or on a removable device such as a USB flash drive (UFD). Also, depending on the imaging technology that you're using, you might be able to store the data on the partition that is being re-imaged, if the data will be protected from deletion during the process. To increase performance, store the data on high-speed drives that use a high-speed network connection. It's also good practice to ensure that the migration is the only task the server is performing. -If you have enough space and you are migrating the user state back to the same computer, storing data on a local device is normally the best option to reduce server storage costs and network performance issues. You can store the data locally either on a different partition or on a removable device such as a USB flash drive (UFD). Also, depending on the imaging technology that you are using, you might be able to store the data on the partition that is being re-imaged, if the data will be protected from deletion during the process. To increase performance, store the data on high-speed drives that use a high-speed network connection. It is also good practice to ensure that the migration is the only task the server is performing. +If there isn't enough local disk space, or if you're moving the user state to another computer, then you must store the data remotely such as on a shared folder, on removable media, or you can store it directly on the destination computer. For example: -If there is not enough local disk space, or if you are moving the user state to another computer, then you must store the data remotely. For example, you can store it in on a shared folder, on removable media such as a UFD drive, or you can store it directly on the destination computer. For example, create and share C:\\store on the destination computer. Then run the ScanState command on the source computer and save the files and settings to \\\\*DestinationComputerName*\\store. Then, run the **LoadState** command on the destination computer and specify **C:\\Store** as the store location. By doing this, you do not need to save the files to a server. +1. Create and share `C:\store` on the destination computer +2. Run the `ScanState.exe` command on the source computer and save the files and settings to `\\\store` +3. Run the `LoadState.exe ` command on the destination computer and specify `C:\Store` as the store location. -**Important**   -If possible, have users store their data within their %UserProfile%\\My Documents and %UserProfile%\\Application Data folders. This will reduce the chance of USMT missing critical user data that is located in a directory that USMT is not configured to check. - - - -### The /localonly Command-Line Option - -You should use this option to exclude the data from removable drives and network drives mapped on the source computer. For more information about what is excluded when you specify **/LocalOnly**, see [ScanState Syntax](usmt-scanstate-syntax.md). - -## Related topics - - -[Plan Your Migration](usmt-plan-your-migration.md) - - - - +By doing this process, you don't need to save the files to a server. +> [!IMPORTANT] +> If possible, have users store their data within their `%UserProfile%\My Documents` and `%UserProfile%\Application Data` folders. This will reduce the chance of USMT missing critical user data that is located in a directory that USMT is not configured to check. +### The /localonly command-line option +You should use this option to exclude the data from removable drives and network drives mapped on the source computer. For more information about what is excluded when you specify `/LocalOnly`, see [ScanState Syntax](usmt-scanstate-syntax.md). +## Related articles +[Plan your migration](usmt-plan-your-migration.md) diff --git a/windows/deployment/usmt/offline-migration-reference.md b/windows/deployment/usmt/offline-migration-reference.md index 4e6416a3c3..390cc4ad37 100644 --- a/windows/deployment/usmt/offline-migration-reference.md +++ b/windows/deployment/usmt/offline-migration-reference.md @@ -2,80 +2,66 @@ title: Offline Migration Reference (Windows 10) description: Offline migration enables the ScanState tool to run inside a different Windows OS than the Windows OS from which ScanState is gathering files and settings. ms.reviewer: -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski -ms.date: 04/19/2017 +author: frankroj +ms.date: 11/01/2022 ms.topic: article ms.technology: itpro-deploy --- # Offline Migration Reference -Offline migration enables the ScanState tool to run inside a different Windows® operating system than the Windows operating system from which ScanState is gathering files and settings. There are two primary offline scenarios: +Offline migration enables the ScanState tool to run inside a different Windows operating system than the Windows operating system from which ScanState is gathering files and settings. There are two primary offline scenarios: -- **Windows PE.** The ScanState tool can be run from within Windows PE, gathering files and settings from the offline Windows operating system on that machine. +- **Windows PE.** The ScanState tool can be run from within Windows PE, gathering files and settings from the offline Windows operating system on that machine. -- **Windows.old.** The ScanState tool can now gather files and settings from the Windows.old directory that is created during Windows installation on a partition that contains a previous installation of Windows. For example, the ScanState tool can run in Windows 10, gathering files from a previous Windows 7or Windows 8 installation contained in the Windows.old directory. +- **Windows.old.** The ScanState tool can now gather files and settings from the Windows.old directory that is created during Windows installation on a partition that contains a previous installation of Windows. For example, the ScanState tool can run in Windows 10, gathering files from a previous Windows 7or Windows 8 installation contained in the Windows.old directory. -When you use User State Migration Tool (USMT) 10.0 to gather and restore user state, offline migration reduces the cost of deployment by: +When you use User State Migration Tool (USMT) 10.0 to gather and restore user state, offline migration reduces the cost of deployment by: -- **Reducing complexity.** In computer-refresh scenarios, migrations from the Windows.old directory reduce complexity by eliminating the need for the ScanState tool to be run before the operating system is deployed. Also, migrations from the Windows.old directory enable ScanState and LoadState to be run successively. +- **Reducing complexity.** In computer-refresh scenarios, migrations from the Windows.old directory reduce complexity by eliminating the need for the ScanState tool to be run before the operating system is deployed. Also, migrations from the Windows.old directory enable ScanState and LoadState to be run successively. -- **Improving performance.** When USMT runs in an offline Windows Preinstallation Environment (WinPE) environment, it has better access to the hardware resources. This may increase performance on older machines with limited hardware resources and numerous installed software applications. +- **Improving performance.** When USMT runs in an offline Windows Preinstallation Environment (WinPE) environment, it has better access to the hardware resources. Running USMT in WinPE may increase performance on older machines with limited hardware resources and numerous installed software applications. -- **New recovery scenario.** In scenarios where a machine no longer restarts properly, it might be possible to gather user state with the ScanState tool from within WinPE. +- **New recovery scenario.** In scenarios where a machine no longer restarts properly, it might be possible to gather user state with the ScanState tool from within WinPE. -## In This topic - -- [What Will Migrate Offline?](#bkmk-whatwillmigrate) - -- [What Offline Environments are Supported?](#bkmk-offlineenvironments) - -- [User-Group Membership and Profile Control](#bkmk-usergroupmembership) - -- [Command-Line Options](#bkmk-commandlineoptions) - -- [Environment Variables](#bkmk-environmentvariables) - -- [Offline.xml Elements](#bkmk-offlinexml) - -## What Will Migrate Offline? +## What will migrate offline? The following user data and settings migrate offline, similar to an online migration: -- Data and registry keys specified in MigXML +- Data and registry keys specified in MigXML -- User accounts +- User accounts -- Application settings +- Application settings -- Limited set of operating-system settings +- Limited set of operating-system settings -- EFS files +- EFS files -- Internet Explorer® Favorites +- Internet Explorer Favorites For exceptions to what you can migrate offline, see [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md) -## What Offline Environments are Supported? +## What offline environments are supported? The following table defines the supported combination of online and offline operating systems in USMT. |Running Operating System|Offline Operating System| |--- |--- | -|WinPE 5.0 or greater, with the MSXML library|Windows Vista, Windows 7, Windows 8, Windows 10| -|Windows 7, Windows 8, Windows 10|Windows.old directory| +|WinPE 5.0 or greater, with the MSXML library|Windows 7, Windows 8, Windows 10| +|Windows 7, Windows 8, Windows 10|Windows.old directory| -**Note**   -It is possible to run the ScanState tool while the drive remains encrypted by suspending Windows BitLocker Drive Encryption before booting into WinPE. For more information, see [this Microsoft site](/previous-versions/windows/it-pro/windows-7/ee424315(v=ws.10)). +> [!NOTE] +> It is possible to run the ScanState tool while the drive remains encrypted by suspending Windows BitLocker Drive Encryption before booting into WinPE. For more information, see [this Microsoft site](/previous-versions/windows/it-pro/windows-7/ee424315(v=ws.10)). -## User-Group Membership and Profile Control +## User-group membership and profile control -User-group membership is not preserved during offline migrations. You must configure a **<ProfileControl>** section in the Config.xml file to specify the groups that the migrated users should be made members of. The following example places all migrated users into the Users group: +User-group membership isn't preserved during offline migrations. You must configure a **<ProfileControl>** section in the `Config.xml` file to specify the groups that the migrated users should be made members of. The following example places all migrated users into the Users group: -``` xml +```xml @@ -91,72 +77,76 @@ User-group membership is not preserved during offline migrations. You must confi ``` -For information about the format of a Config.xml file, see [Config.xml File](usmt-configxml-file.md). +For information about the format of a `Config.xml` file, see [Config.xml File](usmt-configxml-file.md). -## Command-Line Options +## Command-line options An offline migration can either be enabled by using a configuration file on the command line, or by using one of the following command line options: |Component|Option|Description| |--- |--- |--- | -|ScanState.exe|**/offline:***<path to offline.xml>*|This command-line option enables the offline-migration mode and requires a path to an Offline.xml configuration file.| -|ScanState.exe|**/offlineWinDir:***<Windows directory>*|This command-line option enables the offline-migration mode and starts the migration from the location specified. It is only for use in WinPE offline scenarios where the migration is occurring from a Windows directory.| -|ScanState.exe|**/OfflineWinOld:***<Windows.old directory>*|This command-line option enables the offline migration mode and starts the migration from the location specified. It is only intended to be used in Windows.old migration scenarios, where the migration is occurring from a Windows.old directory.| +|*ScanState.exe*|**/offline:***<path to Offline.xml>*|This command-line option enables the offline-migration mode and requires a path to an Offline.xml configuration file.| +|*ScanState.exe*|**/offlineWinDir:***<Windows directory>*|This command-line option enables the offline-migration mode and starts the migration from the location specified. It's only for use in WinPE offline scenarios where the migration is occurring from a Windows directory.| +|*ScanState.exe*|**/OfflineWinOld:***<Windows.old directory>*|This command-line option enables the offline migration mode and starts the migration from the location specified. It's only intended to be used in Windows.old migration scenarios, where the migration is occurring from a Windows.old directory.| -You can use only one of the **/offline**, **/offlineWinDir**, or **/OfflineWinOld** command-line options at a time; USMT does not support using more than one together. +You can use only one of the `/offline`, `/offlineWinDir`, or `/OfflineWinOld` command-line options at a time. USMT doesn't support using more than one together. -## Environment Variables +## Environment variables The following system environment variables are necessary in the scenarios outlined below. |Variable|Value|Scenario| |--- |--- |--- | -|USMT_WORKING_DIR|Full path to a working directory|Required when USMT binaries are located on read-only media, which does not support the creation of log files or temporary storage. To set the system environment variable, at a command prompt type the following: 
    Set USMT_WORKING_DIR=[path to working directory]
    | -|MIG_OFFLINE_PLATFORM_ARCH|32 or 64|While operating offline, this environment variable defines the architecture of the offline system, if the system does not match the WinPE and Scanstate.exe architecture. This environment variable enables the 32-bit ScanState application to gather data from a computer with 64-bit architecture, or the 64-bit ScanState application to gather data from a computer with 32-bit architecture. This is required when auto-detection of the offline architecture doesn't function properly, for example, when the source system is running a 64-bit version of Windows XP. For example, to set this system environment variable for a 32-bit architecture, at a command prompt type the following: 
    Set MIG_OFFLINE_PLATFORM_ARCH=32
    | +|*USMT_WORKING_DIR*|Full path to a working directory|Required when USMT binaries are located on read-only media, which doesn't support the creation of log files or temporary storage. To set the system environment variable, at a command prompt type the following command: 
    Set USMT_WORKING_DIR=[path to working directory]
    | +*|MIG_OFFLINE_PLATFORM_ARCH*|32 or 64|While operating offline, this environment variable defines the architecture of the offline system, if the system doesn't match the WinPE and `ScanState.exe` architecture. This environment variable enables the 32-bit ScanState application to gather data from a computer with 64-bit architecture, or the 64-bit ScanState application to gather data from a computer with 32-bit architecture. Specifying the architecture is required when auto-detection of the offline architecture doesn't function properly. For example, to set this system environment variable for a 32-bit architecture, at a command prompt type the following command: 
    Set MIG_OFFLINE_PLATFORM_ARCH=32
    | -## Offline.xml Elements +## Offline.xml elements -Use an offline.xml file when running the ScanState tool on a computer that has multiple Windows directories. The offline.xml file specifies which directories to scan for windows files. An offline.xml file can be used with the /offline option as an alternative to specifying a single Windows directory path with the /offlineDir option. +Use an `Offline.xml` file when running the ScanState tool on a computer that has multiple Windows directories. The `Offline.xml` file specifies which directories to scan for windows files. An `Offline.xml` file can be used with the `/offline` option as an alternative to specifying a single Windows directory path with the `/offlineDir` option. -### <offline> +### <offline> This element contains other elements that define how an offline migration is to be performed. -Syntax: <offline> </offline> +Syntax: `` `` -### <winDir> +### <winDir> This element is a required child of **<offline>** and contains information about how the offline volume can be selected. The migration will be performed from the first element of **<winDir>** that contains a valid Windows system volume. -Syntax: < winDir > </ winDir > +Syntax: `` `` -### <path> +### <path> This element is a required child of **<winDir>** and contains a file path pointing to a valid Windows directory. Relative paths are interpreted from the ScanState tool's working directory. -Syntax: <path> c:\\windows </path> +Syntax: ` C:\Windows ` -or- -Syntax, when used with the **<mappings>** element: <path> C:\\, D:\\ </path> +Syntax, when used with the **<mappings>** element: ` C:\, D:\ ` -### <mappings> +### <mappings> This element is an optional child of **<offline>**. When specified, the **<mappings>** element will override the automatically detected WinPE drive mappings. Each child **<path>** element will provide a mapping from one system volume to another. Additionally, mappings between folders can be provided, since an entire volume can be mounted to a specific folder. -Syntax: <mappings> </mappings> +Syntax: `` `` -### <failOnMultipleWinDir> +### <failOnMultipleWinDir> -This element is an optional child of **<offline>**. The **<failOnMultipleWinDir>** element allows the user to specify that the migration should fail when USMT detects that there are multiple instances of Windows installed on the source machine. When the **<failOnMultipleWinDir>** element isn't present, the default behavior is that the migration does not fail. +This element is an optional child of **<offline>**. The **<failOnMultipleWinDir>** element allows the user to specify that the migration should fail when USMT detects that there are multiple instances of Windows installed on the source machine. When the **<failOnMultipleWinDir>** element isn't present, the default behavior is that the migration doesn't fail. -Syntax: <failOnMultipleWinDir>1</failOnMultipleWinDir> or Syntax: <failOnMultipleWinDir>0</failOnMultipleWinDir> +Syntax: `1` + +-or- + +Syntax: `0` ### Offline .xml Example -The following XML example illustrates some of the elements discussed earlier in this topic. +The following XML example illustrates some of the elements discussed earlier in this article. -``` xml +```xml C:\Windows @@ -167,6 +157,6 @@ The following XML example illustrates some of the elements discussed earlier in ``` -## Related topics +## Related articles -[Plan Your Migration](usmt-plan-your-migration.md) +[Plan your migration](usmt-plan-your-migration.md) diff --git a/windows/deployment/usmt/understanding-migration-xml-files.md b/windows/deployment/usmt/understanding-migration-xml-files.md index a8500e179f..64fe549a96 100644 --- a/windows/deployment/usmt/understanding-migration-xml-files.md +++ b/windows/deployment/usmt/understanding-migration-xml-files.md @@ -2,242 +2,228 @@ title: Understanding Migration XML Files (Windows 10) description: Learn how to modify the behavior of a basic User State Migration Tool (USMT) 10.0 migration by using XML files. ms.reviewer: -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski -ms.date: 04/19/2017 +author: frankroj +ms.date: 11/23/2022 ms.topic: article ms.technology: itpro-deploy --- -# Understanding Migration XML Files +# Understanding migration XML files -You can modify the behavior of a basic User State Migration Tool (USMT) 10.0 migration by using XML files; these files provide instructions on where and how the USMT tools should gather and apply files and settings. USMT includes three XML files that you can use to customize a basic migration: the MigDocs.xml and MigUser.xml files, which modify how files are discovered on the source computer, and the MigApps.xml file, which is required in order to migrate supported application settings. You can also create and edit custom XML files and a Config.xml file to further customize your migration. +You can modify the behavior of a basic User State Migration Tool (USMT) 10.0 migration by using XML files; these files provide instructions on where and how the USMT tools should gather and apply files and settings. USMT includes three XML files that you can use to customize a basic migration: the `MigDocs.xml` and `MigUser.xml` files, which modify how files are discovered on the source computer, and the MigApps.xml file, which is required in order to migrate supported application settings. You can also create and edit custom XML files and a `Config.xml` file to further customize your migration. -This topic provides an overview of the default and custom migration XML files and includes guidelines for creating and editing a customized version of the MigDocs.xml file. The MigDocs.xml file uses the new **GenerateDocPatterns** function available in USMT to automatically find user documents on a source computer. +This article provides an overview of the default and custom migration XML files and includes guidelines for creating and editing a customized version of the `MigDocs.xml` file. The `MigDocs.xml` file uses the new `GenerateDocPatterns` function available in USMT to automatically find user documents on a source computer. -## In This topic +## Overview of the Config.xml file -[Overview of the Config.xml file](#bkmk-config) +The `Config.xml` file is the configuration file created by the `/genconfig` option of the ScanState tool; it can be used to modify which operating-system components are migrated by USMT. The `Config.xml` file can be used with other XML files, such as in the following example: -[Overview of the MigApp.xml file](#bkmk-migapp) +`ScanState.exe /i:migapps.xml /i:MigDocs.xml /genconfig:c:\myFolder\Config.xml` -[Overview of the MigDocs.xml file](#bkmk-migdocs) - -[Overview of the MigUser.xml file](#bkmk-miguser) - -[Using multiple XML files](#bkmk-multiple) - -[XML rules for migrating user files](#bkmk-userfiles) - -[The GenerateDocPatterns function](#bkmk-generate) - -[Understanding the system and user context](#bkmk-context) - -[Sample migration rules for customized versions of XML files](#bkmk-samples) - -[Exclude rules usage examples](#bkmk-exclude) - -[Include rules usage examples](#bkmk-include) - -[Next Steps](#bkmk-next) - -## Overview of the Config.xml file - -The Config.xml file is the configuration file created by the `/genconfig` option of the ScanState tool; it can be used to modify which operating-system components are migrated by USMT. The Config.xml file can be used with other XML files, such as in the following example: `scanstate /i:migapps.xml /i:migdocs.xml /genconfig:c:\myFolder\config.xml`. When used this way, the Config.xml file tightly controls aspects of the migration, including user profiles, data, and settings, without modifying or creating other XML files. For more information about the Config.xml file, see [Customize USMT XML Files](usmt-customize-xml-files.md) and [Config.xml File](usmt-configxml-file.md). +When used this way, the `Config.xml` file tightly controls aspects of the migration, including user profiles, data, and settings, without modifying or creating other XML files. For more information about the `Config.xml` file, see [Customize USMT XML Files](usmt-customize-xml-files.md) and [Config.xml File](usmt-configxml-file.md). > [!NOTE] -> When modifying the XML elements in the Config.xml file, you should edit an element and set the **migrate** property to **no**, rather than deleting the element from the file. If you delete the element instead of setting the property, the component may still be migrated by rules in other XML files. +> When modifying the XML elements in the `Config.xml` file, you should edit an element and set the **migrate** property to **no**, rather than deleting the element from the file. If you delete the element instead of setting the property, the component may still be migrated by rules in other XML files. -## Overview of the MigApp.xml file +## Overview of the MigApp.xml file -The MigApp.xml file installed with USMT includes instructions to migrate the settings for the applications listed in [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md). You must include the MigApp.xml file when using the ScanState and LoadState tools, by using the `/i` option in order to migrate application settings. The MigDocs.xml and MigUser.xml files do not migrate application settings. You can create a custom XML file to include additional applications. For more information, see [Customize USMT XML Files](usmt-customize-xml-files.md). +The `MigApp.xml` file installed with USMT includes instructions to migrate the settings for the applications listed in [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md). You must include the `MigApp.xml` file when using the ScanState and LoadState tools, by using the `/i` option in order to migrate application settings. The `MigDocs.xml` and `MigUser.xml` files don't migrate application settings. You can create a custom XML file to include additional applications. For more information, see [Customize USMT XML Files](usmt-customize-xml-files.md). -> [!Important] -> The MigApps.xml file will only detect and migrate .pst files that are linked to Microsoft Office Outlook. For more information about migrating .pst files that are not linked to Outlook, see the [Sample migration rules for customized versions of XML files](#bkmk-samples). +> [!IMPORTANT] +> The MigApps.xml file will only detect and migrate .pst files that are linked to Microsoft Office Outlook. For more information about migrating .pst files that are not linked to Outlook, see [Sample migration rules for customized versions of XML files](#sample-migration-rules-for-customized-versions-of-xml-files). -## Overview of the MigDocs.xml file +## Overview of the MigDocs.xml file -The MigDocs.xml file uses the new **GenerateDocPatterns** helper function to create instructions for USMT to migrate files from the source computer, based on the location of the files. You can use the MigDocs.xml file with the ScanState and LoadState tools to perform a more targeted migration than using USMT without XML instructions. +The `MigDocs.xml` file uses the new `GenerateDocPatterns` helper function to create instructions for USMT to migrate files from the source computer, based on the location of the files. You can use the `MigDocs.xml` file with the ScanState and LoadState tools to perform a more targeted migration than using USMT without XML instructions. -The default MigDocs.xml file migrates the following: +The default `MigDocs.xml` file migrates the following data: -- All files on the root of the drive except %WINDIR%, %PROGRAMFILES%, %PROGRAMDATA%, or %USERS%. +- All files on the root of the drive except `%WINDIR%`, `%PROGRAMFILES%`, `%PROGRAMDATA%`, or `%USERS%`. -- All folders in the root directory of all fixed drives. For example: c:\\data\_mail\\\*\[\*\] +- All folders in the root directory of all fixed drives. For example: `c:\data_mail\*[*]` -- All files from the root of the Profiles folder, except for files in the system profile. For example: c:\\users\\name\[mail.pst\] +- All files from the root of the Profiles folder, except for files in the system profile. For example: `c:\users\name[mail.pst]` -- All folders from the root of the Profiles folder, except for the system-profile folders. For example: c:\\users\\name\\new folder\\\*\[\*\] +- All folders from the root of the Profiles folder, except for the system-profile folders. For example: `c:\users\name\new folder\*[*]` -- Standard shared folders: +- Standard shared folders: - - CSIDL\_COMMON\_DESKTOPDIRECTORY + - CSIDL_COMMON_DESKTOPDIRECTORY - - CSIDL\_COMMON\_FAVORITES + - CSIDL_COMMON_FAVORITES - - CSIDL\_COMMON\_DOCUMENTS + - CSIDL_COMMON_DOCUMENTS - - CSIDL\_COMMON\_MUSIC + - CSIDL_COMMON_MUSIC - - CSIDL\_COMMON\_PICTURES + - CSIDL_COMMON_PICTURES - - CSIDL\_COMMON\_VIDEO + - CSIDL_COMMON_VIDEO - - FOLDERID\_PublicDownloads + - FOLDERID_PublicDownloads -- Standard user-profile folders for each user: +- Standard user-profile folders for each user: - - CSIDL\_MYDOCUMENTS + - CSIDL_MYDOCUMENTS - - CSIDL\_MYPICTURES + - CSIDL_MYPICTURES - - FOLDERID\_OriginalImages + - FOLDERID_OriginalImages - - CSIDL\_MYMUSIC + - CSIDL_MYMUSIC - - CSIDL\_MYVIDEO + - CSIDL_MYVIDEO - - CSIDL\_FAVORITES + - CSIDL_FAVORITES - - CSIDL\_DESKTOP + - CSIDL_DESKTOP - - CSIDL\_QUICKLAUNCH + - CSIDL_QUICKLAUNCH - - FOLDERID\_Contacts + - FOLDERID_Contacts - - FOLDERID\_Libraries + - FOLDERID_Libraries - - FOLDERID\_Downloads + - FOLDERID_Downloads - - FOLDERID\_SavedGames + - FOLDERID_SavedGames - - FOLDERID\_RecordedTV + - FOLDERID_RecordedTV -The default MigDocs.xml file will not migrate the following: +The default `MigDocs.xml` file won't migrate the following data: -- Files tagged with both the **hidden** and **system** attributes. +- Files tagged with both the **hidden** and **system** attributes. -- Files and folders on removable drives. +- Files and folders on removable drives. -- Data from the %WINDIR%, %PROGRAMDATA%, and %PROGRAMFILES% folders. +- Data from the %WINDIR%, %PROGRAMDATA%, and %PROGRAMFILES% folders. -- Folders that contain installed applications. +- Folders that contain installed applications. -You can also use the **/genmigxml** option with the ScanState tool to review and modify what files will be migrated. +You can also use the `/genmigxml` option with the ScanState tool to review and modify what files will be migrated. -## Overview of the MigUser.xml file +## Overview of the MigUser.xml file -The MigUser.xml file includes instructions for USMT to migrate user files based on file name extensions. You can use the MigUser.xml file with the ScanState and LoadState tools to perform a more targeted migration than using USMT without XML instructions. The MigUser.xml file will gather all files from the standard user-profile folders, and any files on the computer with the specified file name extensions. +The `MigUser.xml` file includes instructions for USMT to migrate user files based on file name extensions. You can use the `MigUser.xml` file with the ScanState and LoadState tools to perform a more targeted migration than using USMT without XML instructions. The `MigUser.xml` file will gather all files from the standard user-profile folders, and any files on the computer with the specified file name extensions. -The default MigUser.xml file migrates the following: +The default `MigUser.xml` file migrates the following data: -- All files from the standard user-profile folders, which are described as: +- All files from the standard user-profile folders, which are described as: - - CSIDL\_MYVIDEO + - CSIDL_MYVIDEO - - CSIDL\_MYMUSIC + - CSIDL_MYMUSIC - - CSIDL\_DESKTOP + - CSIDL_DESKTOP - - CSIDL\_STARTMENU + - CSIDL_STARTMENU - - CSIDL\_PERSONAL + - CSIDL_PERSONAL - - CSIDL\_MYPICTURES + - CSIDL_MYPICTURES - - CSIDL\_FAVORITES + - CSIDL_FAVORITES - - CSIDL\_QUICK LAUNCH + - CSIDL_QUICK LAUNCH -- Files with the following extensions: +- Files with the following extensions: - `.qdf`, `.qsd`, `.qel`, `.qph`, `.doc\*`, `.dot\*`, `.rtf`, `.mcw`, `.wps`, `.scd`, `.wri`, `.wpd`, `.xl\*`, `.csv`, `.iqy`, `.dqy`, `.oqy`, `.rqy`, `.wk\*`, `.wq1`, `.slk`, `.dif`, `.ppt\*`, `.pps\*`, `.pot\*`, `.sh3`, `.ch3`, `.pre`, `.ppa`, `.txt`, `.pst`, `.one\*`, `.vl\*`, `.vsd`, `.mpp`, `.or6`, `.accdb`, `.mdb`, `.pub` + `.accdb`, `.ch3`, `.csv`, `.dif`, `.doc*`, `.dot*`, `.dqy`, `.iqy`, `.mcw`, `.mdb*`, `.mpp`, `.one*`, `.oqy`, `.or6`, `.pot*`, `.ppa`, `.pps*`, `.ppt*`, `.pre`, `.pst`, `.pub`, `.qdf`, `.qel`, `.qph`, `.qsd`, `.rqy`, `.rtf`, `.scd`, `.sh3`, `.slk`, `.txt`, `.vl*`, `.vsd`, `.wk*`, `.wpd`, `.wps`, `.wq1`, `.wri`, `.xl*`, `.xla`, `.xlb`, `.xls*` -The default MigUser.xml file does not migrate the following: + > [!NOTE] + > The asterisk (`*`) stands for zero or more characters. -- Files tagged with both the **hidden** and **system** attributes. + > [!NOTE] + > The OpenDocument extensions (`*.odt`, `*.odp`, `*.ods`) that Microsoft Office applications can use aren't migrated by default. -- Files and folders on removable drives, +The default `MigUser.xml` file doesn't migrate the following data: -- Data from the %WINDIR%, %PROGRAMFILES%, %PROGRAMDATA% folders. +- Files tagged with both the **Hidden** and **System** attributes. -- ACLS for files in folders outside the user profile. +- Files and folders on removable drives, -You can make a copy of the MigUser.xml file and modify it to include or exclude standard user-profile folders and file name extensions. If you know all of the extensions for the files you want to migrate from the source computer, use the MigUser.xml file to move all of your relevant data, regardless of the location of the files. However, this provision may result in a migration that contains more files than intended. For example, if you choose to migrate all .jpg files, you may migrate image files such as thumbnails and logos from legacy applications that are installed on the source computer. +- Data from the `%WINDIR%`, `%PROGRAMFILES%`, `%PROGRAMDATA%` folders. + +- ACLS for files in folders outside the user profile. + +You can make a copy of the `MigUser.xml` file and modify it to include or exclude standard user-profile folders and file name extensions. If you know all of the extensions for the files you want to migrate from the source computer, use the `MigUser.xml` file to move all of your relevant data, regardless of the location of the files. However, this provision may result in a migration that contains more files than intended. For example, if you choose to migrate all .jpg files, you may migrate image files such as thumbnails and logos from legacy applications that are installed on the source computer. > [!NOTE] -> Each file name extension you include in the rules within the MigUser.xml file increases the amount of time needed for the ScanState tool to gather the files for the migration. If you are migrating more than 300 file types, you may experience a slow migration. For more information about other ways to organize the migration of your data, see the [Using multiple XML files](#bkmk-multiple) section of this document. +> Each file name extension you include in the rules within the `MigUser.xml` file increases the amount of time needed for the ScanState tool to gather the files for the migration. If you are migrating more than 300 file types, you may experience a slow migration. For more information about other ways to organize the migration of your data, see the [Using multiple XML files](#using-multiple-xml-files) section of this article. -## Using multiple XML files +## Using multiple XML files You can use multiple XML files with the ScanState and LoadState tools. Each of the default XML files included with or generated by USMT is configured for a specific component of the migration. You can also use custom XML files to supplement these default files with more migration rules. |XML migration file|Modifies the following components:| |--- |--- | -|Config.xml file|Operating-system components such as desktop wallpaper and background theme.
    You can also overload config.xml to include some application and document settings by generating the config.xml file with the other default XML files. For more information, see [Customize USMT XML Files](usmt-customize-xml-files.md) and [Config.xml File](usmt-configxml-file.md).| -|MigApps.xml file|Applications settings.| -|MigUser.xml or MigDocs.xml files|User files and profile settings.| -|Custom XML files|Application settings, user profile settings, or user files, beyond the rules contained in the other XML files.| +|*Config.xml file*|Operating-system components such as desktop wallpaper and background theme.
    You can also overload `Config.xml` to include some application and document settings by generating the `Config.xml` file with the other default XML files. For more information, see [Customize USMT XML Files](usmt-customize-xml-files.md) and [Config.xml File](usmt-configxml-file.md).| +|*MigApps.xml file*|Applications settings.| +|*MigUser.xml* or *MigDocs.xml* files|User files and profile settings.| +|*Custom XML files*|Application settings, user profile settings, or user files, beyond the rules contained in the other XML files.| For example, you can use all of the XML migration file types for a single migration, as in the following example: -```console -Scanstate /config:c:\myFolder\config.xml /i:migapps.xml /i:migdocs.xml /i:customrules.xml +```cmd +ScanState.exe /config:c:\myFolder\Config.xml /i:migapps.xml /i:MigDocs.xml /i:CustomRules.xml ``` -### XML rules for migrating user files +### XML rules for migrating user files > [!IMPORTANT] -> You should not use the MigUser.xml and MigDocs.xml files together in the same command. Using both XML files can result in duplication of some migrated files. This occurs when conflicting target-location instructions are given in each XML file. The target file will be stored once during the migration, but will be applied by each XML file to a different location on the destination computer. +> You should not use the `MigUser.xml` and `MigDocs.xml` files together in the same command. Using both XML files can result in duplication of some migrated files. This occurs when conflicting target-location instructions are given in each XML file. The target file will be stored once during the migration, but will be applied by each XML file to a different location on the destination computer. -If your data set is unknown or if many files are stored outside of the standard user-profile folders, the MigDocs.xml is a better choice than the MigUser.xml file, because the MigDocs.xml file will gather a broader scope of data. The MigDocs.xml file migrates folders of data based on location. The MigUser.xml file migrates only the files with the specified file name extensions. +If your data set is unknown or if many files are stored outside of the standard user-profile folders, the `MigDocs.xml` is a better choice than the `MigUser.xml` file, because the `MigDocs.xml` file will gather a broader scope of data. The `MigDocs.xml` file migrates folders of data based on location. The `MigUser.xml` file migrates only the files with the specified file name extensions. -If you want more control over the migration, you can create custom XML files. See the [Creating and editing a custom ,xml file](#bkmk-createxml) section of this document. +If you want more control over the migration, you can create custom XML files. See [Creating and editing a custom XML file](#creating-and-editing-a-custom-xml-file) for more information. -## Creating and editing a custom XML file +## Creating and editing a custom XML file -You can use the **/genmigxml** command-line option to determine which files will be included in your migration. The **/genmigxml** option creates a file in a location you specify, so that you can review the XML rules and make modifications as necessary. +You can use the `/genmigxml` command-line option to determine which files will be included in your migration. The `/genmigxml` option creates a file in a location you specify, so that you can review the XML rules and make modifications as necessary. > [!NOTE] > If you reinstall USMT, the default migration XML files will be overwritten and any customizations you make directly to these files will be lost. Consider creating separate XML files for your custom migration rules and saving them in a secure location. To generate the XML migration rules file for a source computer: -1. Click **Start**, click **All Programs**, click **Accessories**, right-click **Command Prompt**, and then click **Run as**. +1. Select **Start** > **All Programs** > **Accessories** -2. Select an account with administrator privileges, supply a password, and then click **OK**. +2. Right-click **Command Prompt**, and then select **Run as**. -3. At the command prompt, type: +3. Select an account with administrator privileges, supply a password, and then select **OK**. - ```console +4. At the command prompt, enter: + + ```cmd cd /d - scanstate.exe /genmigxml: + ScanState.exe /genmigxml: ``` - Where *<USMTpath>* is the location on your source computer where you have saved the USMT files and tools, and *<filepath.xml>* is the full path to a file where you can save the report. For example, type: + Where *<USMTpath>* is the location on your source computer where you've saved the USMT files and tools, and *<filepath.xml>* is the full path to a file where you can save the report. For example, enter: - ```console + ```cmd cd /d c:\USMT - scanstate.exe /genmigxml:"C:\Documents and Settings\USMT Tester\Desktop\genMig.xml" + ScanState.exe /genmigxml:"C:\Documents and Settings\USMT Tester\Desktop\genMig.xml" ``` -### The GenerateDocPatterns function +### The GenerateDocPatterns function -The MigDocs.xml file calls the **GenerateDocPatterns** function, which takes three Boolean values. You can change the settings to modify the way the MigDocs.xml file generates the XML rules for migration. +The `MigDocs.xml` file calls the `GenerateDocPatterns` function, which takes three Boolean values. You can change the settings to modify the way the `MigDocs.xml` file generates the XML rules for migration. -- `ScanProgramFiles`: This argument is valid only when the **GenerateDocPatterns** function is called in a system context. This argument determines whether or not to scan the Program Files directory to gather registered file name extensions for known applications. +- `ScanProgramFiles`: This argument is valid only when the `GenerateDocPatterns` function is called in a system context. This argument determines whether or not to scan the Program Files directory to gather registered file name extensions for known applications. **Default value**: False - For example, when set to **TRUE**, the function discovers and migrates .doc files under the Microsoft Office directory, because .doc is a file name extension registered to a Microsoft Office application. The **GenerateDocPatterns** function generates this inclusion pattern for `.doc` files: + For example, when set to **TRUE**, the function discovers and migrates .doc files under the Microsoft Office directory, because .doc is a file name extension registered to a Microsoft Office application. The `GenerateDocPatterns` function generates this inclusion pattern for `.doc` files: `C:\Program Files\Microsoft Office[.doc]` If a child folder of an included folder contains an installed application, ScanProgramFiles will also create an exclusion rule for the child folder. All folders under the application folder will be scanned recursively for registered file name extensions. -- `IncludePatterns`: This argument determines whether to generate exclude or include patterns in the XML. When this argument is set to **TRUE**, the **GenerateDocPatterns** function generates include patterns and the function must be added under the `` element. Changing this argument to **FALSE** generates exclude patterns and the function must be added under the `` element. +- `IncludePatterns`: This argument determines whether to generate exclude or include patterns in the XML. When this argument is set to **TRUE**, the `GenerateDocPatterns` function generates include patterns, and the function must be added under the `` element. Changing this argument to **FALSE** generates exclude patterns and the function must be added under the `` element. **Default value**: True @@ -247,13 +233,13 @@ The MigDocs.xml file calls the **GenerateDocPatterns** function, which takes thr **Usage:** -```console +```cmd MigXmlHelper.GenerateDocPatterns ("", "", "") ``` To create include data patterns for only the system drive: -``` xml +```xml @@ -263,7 +249,7 @@ To create include data patterns for only the system drive: To create an include rule to gather files for registered extensions from the %PROGRAMFILES% directory: -``` xml +```xml @@ -273,7 +259,7 @@ To create an include rule to gather files for registered extensions from the %PR To create exclude data patterns: -``` xml +```xml @@ -281,82 +267,82 @@ To create exclude data patterns: ``` -### Understanding the system and user context +### Understanding the system and user context -The migration XML files contain two <component> elements with different **context** settings. The system context applies to files on the computer that are not stored in the User Profiles directory, while the user context applies to files that are particular to an individual user. +The migration XML files contain two <component> elements with different **context** settings. The system context applies to files on the computer that aren't stored in the User Profiles directory, while the user context applies to files that are particular to an individual user. -**System context** +#### System context -The system context includes rules for data outside of the User Profiles directory. For example, when called in a system context in the MigDocs.xml file, the **GenerateDocPatterns** function creates patterns for all common shell folders, files in the root directory of hard drives, and folders located at the root of hard drives. The following folders are included: +The system context includes rules for data outside of the User Profiles directory. For example, when called in a system context in the `MigDocs.xml` file, the `GenerateDocPatterns` function creates patterns for all common shell folders, files in the root directory of hard drives, and folders located at the root of hard drives. The following folders are included: -- CSIDL\_COMMON\_DESKTOPDIRECTORY +- CSIDL_COMMON_DESKTOPDIRECTORY -- CSIDL\_COMMON\_FAVORITES +- CSIDL_COMMON_FAVORITES -- CSIDL\_COMMON\_DOCUMENTS +- CSIDL_COMMON_DOCUMENTS -- CSIDL\_COMMON\_MUSIC +- CSIDL_COMMON_MUSIC -- CSIDL\_COMMON\_PICTURES +- CSIDL_COMMON_PICTURES -- CSIDL\_COMMON\_VIDEO +- CSIDL_COMMON_VIDEO -- FOLDERID\_PublicDownloads +- FOLDERID_PublicDownloads -**User context** +#### User context -The user context includes rules for data in the User Profiles directory. When called in a user context in the MigDocs.xml file, the **GenerateDocPatterns** function creates patterns for all user shell folders, files located at the root of the profile, and folders located at the root of the profile. The following folders are included: +The user context includes rules for data in the User Profiles directory. When called in a user context in the `MigDocs.xml` file, the `GenerateDocPatterns` function creates patterns for all user shell folders, files located at the root of the profile, and folders located at the root of the profile. The following folders are included: -- CSIDL\_MYDOCUMENTS +- CSIDL_MYDOCUMENTS -- CSIDL\_MYPICTURES +- CSIDL_MYPICTURES -- FOLDERID\_OriginalImages +- FOLDERID_OriginalImages -- CSIDL\_MYMUSIC +- CSIDL_MYMUSIC -- CSIDL\_MYVIDEO +- CSIDL_MYVIDEO -- CSIDL\_FAVORITES +- CSIDL_FAVORITES -- CSIDL\_DESKTOP +- CSIDL_DESKTOP -- CSIDL\_QUICKLAUNCH +- CSIDL_QUICKLAUNCH -- FOLDERID\_Contacts +- FOLDERID_Contacts -- FOLDERID\_Libraries +- FOLDERID_Libraries -- FOLDERID\_Downloads +- FOLDERID_Downloads -- FOLDERID\_SavedGames +- FOLDERID_SavedGames -- FOLDERID\_RecordedTV +- FOLDERID_RecordedTV > [!NOTE] -> Rules contained in a component that is assigned the user context will be run for each user profile on the computer. Files that are scanned multiple times by the MigDocs.xml files will only be copied to the migration store once; however, a large number of rules in the user context can slow down the migration. Use the system context when it is applicable. +> Rules contained in a component that is assigned the user context will be run for each user profile on the computer. Files that are scanned multiple times by the `MigDocs.xml` files will only be copied to the migration store once; however, a large number of rules in the user context can slow down the migration. Use the system context when it is applicable. - ### Sample migration rules for customized versions of XML files +### Sample migration rules for customized versions of XML files > [!NOTE] > For best practices and requirements for customized XML files in USMT, see [Customize USMT XML Files](usmt-customize-xml-files.md) and [General Conventions](usmt-general-conventions.md). -### Exclude rules usage examples +### Exclude rules usage examples -In the examples below, the source computer has a .txt file called "new text document" in a directory called "new folder". The default MigDocs.xml behavior migrates the new text document.txt file and all files contained in the "new folder" directory. The rules generated by the function are: +In the examples below, the source computer has a .txt file called "new text document" in a directory called "new folder". The default `MigDocs.xml` behavior migrates the new text document.txt file and all files contained in the "new folder" directory. The rules generated by the function are: | Rule | Syntax | |--- |--- | |Rule 1|`d:\new folder[new text document.txt]`| |Rule 2|`d:\new folder[]`| -To exclude the new text document.txt file and any .txt files in "new folder", you can do the following: +To exclude the new text document.txt file and any .txt files in "new folder", you can do the following modification: -**Example 1: Exclude all .txt files in a folder** +#### Example 1: Exclude all .txt files in a folder To exclude Rule 1, there needs to be an exact match of the file name. However, for Rule 2, you can create a pattern to exclude files by using the file name extension. -``` xml +```xml D:\Newfolder\[new text document.txt] @@ -365,11 +351,11 @@ To exclude Rule 1, there needs to be an exact match of the file name. However, f ``` -**Example 2: Use the UnconditionalExclude element to give a rule precedence over include rules** +#### Example 2: Use the UnconditionalExclude element to give a rule precedence over include rules -If you do not know the file name or location of the file, but you do know the file name extension, you can use the **GenerateDrivePatterns** function. However, the rule will be less specific than the default include rule generated by the MigDocs.xml file, so it will not have precedence. You must use the <UnconditionalExclude> element to give this rule precedence over the default include rule. For more information about the order of precedence for XML migration rules, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md). +If you don't know the file name or location of the file, but you do know the file name extension, you can use the `GenerateDrivePatterns` function. However, the rule will be less specific than the default include rule generated by the `MigDocs.xml` file, so it will not have precedence. You must use the <UnconditionalExclude> element to give this rule precedence over the default include rule. For more information about the order of precedence for XML migration rules, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md). -``` xml +```xml @@ -377,11 +363,11 @@ If you do not know the file name or location of the file, but you do know the fi ``` -**Example 3 : Use a UserandSystem context component to run rules in both contexts** +#### Example 3: Use a UserandSystem context component to run rules in both contexts -If you want the <UnconditionalExclude> element to apply to both the system and user context, you can create a third component using the **UserandSystem** context. Rules in this component will be run in both contexts. +If you want the **<UnconditionalExclude>** element to apply to both the system and user context, you can create a third component using the **UserandSystem** context. Rules in this component will be run in both contexts. -``` xml +```xml MigDocExcludes @@ -398,15 +384,15 @@ If you want the <UnconditionalExclude> element to apply to both the system For more examples of exclude rules that you can use in custom migration XML files, see [Exclude Files and Settings](usmt-exclude-files-and-settings.md). -### Include rules usage examples +### Include rules usage examples -The application data directory is the most common location that you would need to add an include rule for. The **GenerateDocPatterns** function excludes this location by default. If your company uses an application that saves important data to this location, you can create include rules to migrate the data. For example, the default location for .pst files is: `%CSIDL_LOCAL_APPDATA%\Microsoft\Outlook`. The Migapp.xml file contains migration rules to move only those .pst files that are linked to Microsoft Outlook. To include .pst files that are not linked, you can do the following: +The application data directory is the most common location that you would need to add an include rule for. The `GenerateDocPatterns` function excludes this location by default. If your company uses an application that saves important data to this location, you can create include rules to migrate the data. For example, the default location for .pst files is: `%CSIDL_LOCAL_APPDATA%\Microsoft\Outlook`. The `MigApp.xml` file contains migration rules to move only those .pst files that are linked to Microsoft Outlook. To include .pst files that aren't linked, you can do the following modification: -**Example 1: Include a file name extension in a known user folder** +#### Example 1: Include a file name extension in a known user folder -This rule will include .pst files that are located in the default location, but are not linked to Microsoft Outlook. Use the user context to run this rule for each user on the computer. +This rule will include .pst files that are located in the default location, but aren't linked to Microsoft Outlook. Use the user context to run this rule for each user on the computer. -``` xml +```xml %CSIDL_LOCAL_APPDATA%\Microsoft\Outlook\*[*.pst] @@ -414,11 +400,11 @@ This rule will include .pst files that are located in the default location, but ``` -**Example 2: Include a file name extension in Program Files** +#### Example 2: Include a file name extension in Program Files For locations outside the user profile, such as the Program Files folder, you can add the rule to the system context component. -``` xml +```xml %CSIDL_PROGRAM_FILES%\*[*.pst] @@ -431,14 +417,14 @@ For more examples of include rules that you can use in custom migration XML file > [!NOTE] > For more information about the order of precedence for XML migration rules, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md). -## Next steps +## Next steps -You can include additional rules for the migration in the MigDocs.xml file or other XML migration files. For example, you can use the `` element to move files from the folder where they were gathered to a different folder, when they are applied to the destination computer. +You can include additional rules for the migration in the `MigDocs.xml` file or other XML migration files. For example, you can use the `` element to move files from the folder where they were gathered to a different folder, when they're applied to the destination computer. You can use an XML schema (MigXML.xsd) file to validate the syntax of your customized XML files. For more information, see [USMT Resources](usmt-resources.md). -## Related topics +## Related articles -[Exclude Files and Settings](usmt-exclude-files-and-settings.md) +[Exclude files and settings](usmt-exclude-files-and-settings.md) -[Include Files and Settings](usmt-include-files-and-settings.md) +[Include files and settings](usmt-include-files-and-settings.md) diff --git a/windows/deployment/usmt/usmt-best-practices.md b/windows/deployment/usmt/usmt-best-practices.md index 20736f2108..cebdc6bf49 100644 --- a/windows/deployment/usmt/usmt-best-practices.md +++ b/windows/deployment/usmt/usmt-best-practices.md @@ -1,118 +1,112 @@ --- title: USMT Best Practices (Windows 10) -description: This article discusses general and security-related best practices when using User State Migration Tool (USMT) 10.0. +description: This article discusses general and security-related best practices when using User State Migration Tool (USMT) 10.0. ms.custom: seo-marvel-apr2020 ms.reviewer: -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski -ms.date: 04/19/2017 +author: frankroj +ms.date: 11/01/2022 ms.topic: article ms.technology: itpro-deploy --- -# USMT Best Practices +# USMT best practices +This article discusses general and security-related best practices when using User State Migration Tool (USMT) 10.0. -This topic discusses general and security-related best practices when using User State Migration Tool (USMT) 10.0. +## General best practices -## General Best Practices +- **Install applications before running the LoadState tool** + Though it isn't always essential, it's best practice to install all applications on the destination computer before restoring the user state. Installing applications before restoring user state helps ensure that migrated settings are preserved. -- **Install applications before running the LoadState tool** +- **Don't use MigUser.xml and MigDocs.xml together** - Though it is not always essential, it is best practice to install all applications on the destination computer before restoring the user state. This helps ensure that migrated settings are preserved. + If you use both .xml files, some migrated files may be duplicated if conflicting instructions are given about target locations. You can use the `/genmigxml` command-line option to determine which files will be included in your migration, and to determine if any modifications are necessary. For more information, see [Identify file types, files, and folders](usmt-identify-file-types-files-and-folders.md). -- **Do not use MigUser.xml and MigDocs.xml together** +- **Use MigDocs.xml for a better migration experience** - If you use both .xml files, some migrated files may be duplicated if conflicting instructions are given about target locations. You can use the **/genmigxml** command-line option to determine which files will be included in your migration, and to determine if any modifications are necessary. For more information, see [Identify File Types, Files, and Folders](usmt-identify-file-types-files-and-folders.md). + If your data set is unknown or if many files are stored outside of the standard user-profile folders, the `MigDocs.xml` file is a better choice than the `MigUser.xml` file, because the `MigDocs.xml` file will gather a broader scope of data. The `MigDocs.xml` file migrates folders of data based on location, and on registered file type by querying the registry for registered application extensions. The `MigUser.xml` file migrates only the files with the specified file extensions. -- **Use MigDocs.xml for a better migration experience** +- **Close all applications before running either the ScanState or LoadState tools** - If your data set is unknown or if many files are stored outside of the standard user-profile folders, the MigDocs.xml file is a better choice than the MigUser.xml file, because the MigDocs.xml file will gather a broader scope of data. The MigDocs.xml file migrates folders of data based on location, and on registered file type by querying the registry for registered application extensions. The MigUser.xml file migrates only the files with the specified file extensions. + Although using the `/vsc` switch can allow the migration of many files that are open with another application, it's a best practice to close all applications in order to ensure all files and settings migrate. Without the `/vsc` or `/c` switch USMT will fail when it can't migrate a file or setting. When you use the `/c` option, USMT will ignore any files or settings that it can't migrate and log an error each time. -- **Close all applications before running either the ScanState or LoadState tools** +- **Log off after you run the LoadState** - Although using the **/vsc** switch can allow the migration of many files that are open with another application it is a best practice to close all applications in order to ensure all files and settings migrate. Without the **/vsc** or **/c** switch USMT will fail when it cannot migrate a file or setting. When you use the **/c** option USMT will ignore any files or settings that it cannot migrate and log an error each time. + Some settings, such as fonts, wallpaper, and screensaver settings, won't take effect until the next time the user logs on. For this reason, you should sign out after you run the LoadState tool. -- **Log off after you run the LoadState** +- **Managed environment** - Some settings, such as fonts, wallpaper, and screensaver settings, will not take effect until the next time the user logs on. For this reason, you should log off after you run the LoadState tool. + To create a managed environment, you can move all of the end user's documents into My Documents (%CSIDL\_PERSONAL%). We recommend that you migrate files into the smallest-possible number of folders on the destination computer. Minimizing folders will help you to clean up files on the destination computer, if the `LoadState.exe` command fails before completion. -- **Managed environment** +- **Chkdsk.exe** - To create a managed environment, you can move all of the end user’s documents into My Documents (%CSIDL\_PERSONAL%). We recommend that you migrate files into the smallest-possible number of folders on the destination computer. This will help you to clean up files on the destination computer, if the LoadState command fails before completion. + We recommend that you run **Chkdsk.exe** before running the ScanState and LoadState tools. **Chkdsk.exe** creates a status report for a hard disk drive and lists and corrects common errors. For more information about the **Chkdsk.exe** tool, see [Chkdsk](/previous-versions/windows/it-pro/windows-xp/bb490876(v=technet.10)). -- **Chkdsk.exe** +- **Migrate in groups** - We recommend that you run Chkdsk.exe before running the ScanState and LoadState tools. Chkdsk.exe creates a status report for a hard disk drive and lists and corrects common errors. For more information about the Chkdsk.exe tool, see [Chkdsk](/previous-versions/windows/it-pro/windows-xp/bb490876(v=technet.10)). - -- **Migrate in groups** - - If you decide to perform the migration while users are using the network, it is best to migrate user accounts in groups. To minimize the impact on network performance, determine the size of the groups based on the size of each user account. Migrating in phases also allows you to make sure each phase is successful before starting the next phase. Using this method, you can make any necessary modifications to your plan between groups. - -## Security Best Practices + If you decide to perform the migration while users are using the network, it's best to migrate user accounts in groups. To minimize the impact on network performance, determine the size of the groups based on the size of each user account. Migrating in phases also allows you to make sure each phase is successful before starting the next phase. Using this method, you can make any necessary modifications to your plan between groups. +## Security best practices As the authorized administrator, it is your responsibility to protect the privacy of the users and maintain security during and after the migration. In particular, you must consider the following issues: -- **Encrypting File System (EFS)** +- **Encrypting File System (EFS)** - Take extreme caution when migrating encrypted files, because the end user does not need to be logged on to capture the user state. By default, USMT fails if an encrypted file is found. For specific instructions about EFS best practices, see [Migrate EFS Files and Certificates](usmt-migrate-efs-files-and-certificates.md). + Take extreme caution when migrating encrypted files, because the end user doesn't need to be logged on to capture the user state. By default, USMT fails if an encrypted file is found. For specific instructions about EFS best practices, see [Migrate EFS Files and Certificates](usmt-migrate-efs-files-and-certificates.md). - **Important**   - If you migrate an encrypted file without also migrating the certificate, end users will not be able to access the file after the migration. + > [!NOTE] + > If you migrate an encrypted file without also migrating the certificate, end users will not be able to access the file after the migration. - +- **Encrypt the store** -- **Encrypt the store** + Consider using the `/encrypt` option with the `ScanState.exe` command and the `/decrypt` option with the `LoadState.exe` command. However, use extreme caution with this set of options, because anyone who has access to the `ScanState.exe` command-line script also has access to the encryption key. - Consider using the **/encrypt** option with the ScanState command and the **/decrypt** option with the LoadState command. However, use extreme caution with this set of options, because anyone who has access to the ScanState command-line script also has access to the encryption key. - -- **Virus Scan** +- **Virus Scan** We recommend that you scan both the source and destination computers for viruses before running USMT. In addition, you should scan the destination computer image. To help protect data from viruses, we strongly recommend running an antivirus utility before migration. -- **Maintain security of the file server and the deployment server** +- **Maintain security of the file server and the deployment server** - We recommend that you manage the security of the file and deployment servers. It is important to make sure that the file server where you save the store is secure. You must also secure the deployment server, to ensure that the user data that is in the log files is not exposed. We also recommend that you only transmit data over a secure Internet connection, such as a virtual private network. For more information about network security, see [Microsoft Security Compliance Manager](https://go.microsoft.com/fwlink/p/?LinkId=215657). + We recommend that you manage the security of the file and deployment servers. It's important to make sure that the file server where you save the store is secure. You must also secure the deployment server, to ensure that the user data that is in the log files isn't exposed. We also recommend that you only transmit data over a secure Internet connection, such as a virtual private network. For more information about network security, see [Microsoft Security Compliance Manager](https://go.microsoft.com/fwlink/p/?LinkId=215657). -- **Password Migration** +- **Password Migration** - To ensure the privacy of the end users, USMT does not migrate passwords, including those for applications such as Windows Live™ Mail, Microsoft Internet Explorer®, as well as Remote Access Service (RAS) connections and mapped network drives. It is important to make sure that end users know their passwords. + To ensure the privacy of the end users, USMT doesn't migrate passwords, including passwords for applications such as Windows Live™ Mail, Microsoft Internet Explorer®, and Remote Access Service (RAS) connections and mapped network drives. It's important to make sure that end users know their passwords. -- **Local Account Creation** +- **Local Account Creation** - Before you migrate local accounts, see the Migrating Local Accounts section in the [Identify Users](usmt-identify-users.md) topic. + Before you migrate local accounts, see the Migrating Local Accounts section in the [Identify Users](usmt-identify-users.md) article. -## XML File Best Practices +## XML file best practices +- **Specify the same set of mig\*.xml files in both the ScanState and the LoadState tools** -- **Specify the same set of mig\*.xml files in both the ScanState and the LoadState tools** + If you used a particular set of mig\*.xml files in the ScanState tool, either called through the `/auto` option, or individually through the `/i` option, then you should use same option to call the exact same mig\*.xml files in the LoadState tool. - If you used a particular set of mig\*.xml files in the ScanState tool, either called through the "/auto" option, or individually through the "/i" option, then you should use same option to call the exact same mig\*.xml files in the LoadState tool. +- **The <CustomFileName> in the migration urlid should match the name of the file** -- **The <CustomFileName> in the migration urlid should match the name of the file** + Although it isn't a requirement, it's good practice for **<CustomFileName>** to match the name of the file. For example, the following example is from the `MigApp.xml` file: - Although it is not a requirement, it is good practice for <CustomFileName> to match the name of the file. For example, the following is from the MigApp.xml file: - - ``` xml + ```xml ``` -- **Use the XML Schema (MigXML.xsd) when authoring .xml files to validate syntax** +- **Use the XML Schema (MigXML.xsd) when authoring .xml files to validate syntax** - The MigXML.xsd schema file should not be included on the command line or in any of the .xml files. + The `MigXML.xsd` schema file shouldn't be included on the command line or in any of the .xml files. -- **Use the default migration XML files as models** +- **Use the default migration XML files as models** - To create a custom .xml file, you can use the migration .xml files as models to create your own. If you need to migrate user data files, model your custom .xml file on MigUser.xml. To migrate application settings, model your custom .xml file on the MigApp.xml file. + To create a custom .xml file, you can use the migration .xml files as models to create your own. If you need to migrate user data files, model your custom .xml file on `MigUser.xml`. To migrate application settings, model your custom .xml file on the `MigApp.xml` file. -- **Consider the impact on performance when using the <context> parameter** +- **Consider the impact on performance when using the <context> parameter** - Your migration performance can be affected when you use the <context> element with the <component> element; for example, as in when you want to encapsulate logical units of file- or path-based <include> and <exclude> rules. + Your migration performance can be affected when you use the **<context>** element with the **<component>** element; for example, as in when you want to encapsulate logical units of file- or path-based **<include>** and **<exclude>** rules. In the **User** context, a rule is processed one time for each user on the system. @@ -120,32 +114,24 @@ As the authorized administrator, it is your responsibility to protect the privac In the **UserAndSystem** context, a rule is processed one time for each user on the system and one time for the system. - **Note**   - The number of times a rule is processed does not affect the number of times a file is migrated. The USMT migration engine ensures that each file migrates only once. + > [!NOTE] + > The number of times a rule is processed does not affect the number of times a file is migrated. The USMT migration engine ensures that each file migrates only once. - +- **We recommend that you create a separate .xml file instead of adding your .xml code to one of the existing migration .xml files** -- **We recommend that you create a separate .xml file instead of adding your .xml code to one of the existing migration .xml files** + For example, if you have code that migrates the settings for an application, you shouldn't just add the code to the `MigApp.xml` file. - For example, if you have code that migrates the settings for an application, you should not just add the code to the MigApp.xml file. +- **You should not create custom .xml files to alter the operating system settings that are migrated** -- **You should not create custom .xml files to alter the operating system settings that are migrated** + These settings are migrated by manifests and you can't modify those files. If you want to exclude certain operating system settings from the migration, you should create and modify a `Config.xml` file. - These settings are migrated by manifests and you cannot modify those files. If you want to exclude certain operating system settings from the migration, you should create and modify a Config.xml file. +- **You can use the asterisk (\*) wildcard character in any migration XML file that you create** -- **You can use the asterisk (\*) wildcard character in any migration XML file that you create** + > [!NOTE] + > The question mark is not valid as a wildcard character in USMT .xml files. - **Note**   - The question mark is not valid as a wildcard character in USMT .xml files. +## Related articles - - -## Related topics - - -[Migration Store Encryption](usmt-migration-store-encryption.md) - -[Plan Your Migration](usmt-plan-your-migration.md) - - +[Migration store encryption](usmt-migration-store-encryption.md) +[Plan your migration](usmt-plan-your-migration.md) diff --git a/windows/deployment/usmt/usmt-choose-migration-store-type.md b/windows/deployment/usmt/usmt-choose-migration-store-type.md index fb9d196086..72982b364a 100644 --- a/windows/deployment/usmt/usmt-choose-migration-store-type.md +++ b/windows/deployment/usmt/usmt-choose-migration-store-type.md @@ -2,30 +2,30 @@ title: Choose a Migration Store Type (Windows 10) description: Learn how to choose a migration store type and estimate the amount of disk space needed for computers in your organization. ms.reviewer: -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski -ms.date: 04/19/2017 +author: frankroj +ms.date: 11/01/2022 ms.topic: article ms.technology: itpro-deploy --- -# Choose a Migration Store Type +# Choose a migration store type -One of the main considerations for planning your migration is to determine which migration store type best meets your needs. As part of these considerations, determine how much space is required to run the User State Migration Tool (USMT) 10.0 components on your source and destination computers, and how much space is needed to create and host the migration store, whether you are using a local share, network share, or storage device. The final consideration is ensuring that user date integrity is maintained by encrypting the migration store. +One of the main considerations for planning your migration is to determine which migration store type best meets your needs. As part of these considerations, determine how much space is required to run the User State Migration Tool (USMT) 10.0 components on your source and destination computers, and how much space is needed to create and host the migration store, whether you're using a local share, network share, or storage device. The final consideration is ensuring that user date integrity is maintained by encrypting the migration store. -## In This Section +## In this section | Link | Description | |--- |--- | -|[Migration Store Types Overview](migration-store-types-overview.md)|Choose the migration store type that works best for your needs and migration scenario.| -|[Estimate Migration Store Size](usmt-estimate-migration-store-size.md)|Estimate the amount of disk space needed for computers in your organization based on information about your organization's infrastructure.| -|[Hard-Link Migration Store](usmt-hard-link-migration-store.md)|Learn about hard-link migration stores and the scenarios in which they are used.| -|[Migration Store Encryption](usmt-migration-store-encryption.md)|Learn about the using migration store encryption to protect user data integrity during a migration.| +|[Migration store types overview](migration-store-types-overview.md)|Choose the migration store type that works best for your needs and migration scenario.| +|[Estimate migration store size](usmt-estimate-migration-store-size.md)|Estimate the amount of disk space needed for computers in your organization based on information about your organization's infrastructure.| +|[Hard-link migration store](usmt-hard-link-migration-store.md)|Learn about hard-link migration stores and the scenarios in which they're used.| +|[Migration store encryption](usmt-migration-store-encryption.md)|Learn about the using migration store encryption to protect user data integrity during a migration.| -## Related topics +## Related articles -[Plan Your Migration](usmt-plan-your-migration.md) +[Plan your migration](usmt-plan-your-migration.md) -[User State Migration Tool (USMT) How-to topics](usmt-how-to.md) +[User State Migration Tool (USMT) how-to topics](usmt-how-to.md) diff --git a/windows/deployment/usmt/usmt-command-line-syntax.md b/windows/deployment/usmt/usmt-command-line-syntax.md index 4ee45cbdca..d7332ed880 100644 --- a/windows/deployment/usmt/usmt-command-line-syntax.md +++ b/windows/deployment/usmt/usmt-command-line-syntax.md @@ -2,23 +2,23 @@ title: User State Migration Tool (USMT) Command-line Syntax (Windows 10) description: Learn about the User State Migration Tool (USMT) command-line syntax for using the ScanState tool, LoadState tool, and UsmtUtils tool. ms.reviewer: -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski -ms.date: 04/19/2017 +author: frankroj +ms.date: 11/01/2022 ms.topic: article ms.technology: itpro-deploy --- -# User State Migration Tool (USMT) Command-line Syntax +# User State Migration Tool (USMT) command-line syntax -The User State Migration Tool (USMT) 10.0 migrates user files and settings during large deployments of Windows. To improve and simplify the migration process, USMT captures desktop, network, and application settings in addition to a user's files. USMT then migrates these items to a new Windows installation. +The User State Migration Tool (USMT) 10.0 migrates user files and settings during large deployments of Windows. To improve and simplify the migration process, USMT captures desktop, network, and application settings in addition to a user's files. USMT then migrates these items to a new Windows installation. -## In This Section +## In this Section | Link | Description | |--- |--- | -|[ScanState Syntax](usmt-scanstate-syntax.md)|Lists the command-line options for using the ScanState tool.| -|[LoadState Syntax](usmt-loadstate-syntax.md)|Lists the command-line options for using the LoadState tool.| -|[UsmtUtils Syntax](usmt-utilities.md)|Lists the command-line options for using the UsmtUtils tool.| +|[ScanState syntax](usmt-scanstate-syntax.md)|Lists the command-line options for using the ScanState tool.| +|[LoadState syntax](usmt-loadstate-syntax.md)|Lists the command-line options for using the LoadState tool.| +|[UsmtUtils syntax](usmt-utilities.md)|Lists the command-line options for using the UsmtUtils tool.| diff --git a/windows/deployment/usmt/usmt-common-issues.md b/windows/deployment/usmt/usmt-common-issues.md deleted file mode 100644 index 32ab6268e2..0000000000 --- a/windows/deployment/usmt/usmt-common-issues.md +++ /dev/null @@ -1,332 +0,0 @@ ---- -title: Common Issues (Windows 10) -description: Learn about common issues that you might see when you run the User State Migration Tool (USMT) 10.0 tools. -ms.reviewer: -manager: dougeby -ms.author: aaroncz -ms.prod: windows-client -ms.date: 09/19/2017 -author: aczechowski -ms.topic: article -ms.technology: itpro-deploy ---- - -# Common Issues - - -The following sections discuss common issues that you might see when you run the User State Migration Tool (USMT) 10.0 tools. USMT produces log files that describe in further detail any errors that occurred during the migration process. These logs can be used to troubleshoot migration failures. - -## In This Topic - - -[User Account Problems](#user) - -[Command-line Problems](#command) - -[XML File Problems](#xml) - -[Migration Problems](#migration) - -[Offline Migration Problems](#bkmk-offline) - -[Hard Link Migration Problems](#bkmk-hardlink) - -[USMT does not migrate the Start layout](#usmt-does-not-migrate-the-start-layout) - -## General Guidelines for Identifying Migration Problems - - -When you encounter a problem or error message during migration, you can use the following general guidelines to help determine the source of the problem: - -- Examine the ScanState, LoadState, and UsmtUtils logs to obtain the exact USMT error messages and Windows® application programming interface (API) error messages. For more information about USMT return codes and error messages, see [Return Codes](usmt-return-codes.md). For more information about Windows API error messages, type **nethelpmsg** on the command line. - - In most cases, the ScanState and LoadState logs indicate why a USMT migration is failing. We recommend that you use the **/v**:5 option when testing your migration. This verbosity level can be adjusted in a production migration; however, reducing the verbosity level might make it more difficult to diagnose failures that are encountered during production migrations. You can use a verbosity level higher than 5 if you want the log files output to go to a debugger. - - **Note** - Running the ScanState and LoadState tools with the **/v**:5 option creates a detailed log file. Although this option makes the log file large, the extra detail can help you determine where migration errors occurred. - - - -- Use the **/Verify** option in the UsmtUtils tool to determine whether any files in a compressed migration store are corrupted. For more information, see [Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md). - -- Use the **/Extract** option in the UsmtUtils tool to extract files from a compressed migration store. For more information, see [Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md). - -- Create a progress log using the **/Progress** option to monitor your migration. - -- For the source and destination computers, obtain operating system information, and versions of applications such as Internet Explorer and any other relevant programs. Then verify the exact steps that are needed to reproduce the problem. This information might help you to understand what is wrong and to reproduce the issue in your testing environment. - -- Log off after you run the LoadState tool. Some settings—for example, fonts, desktop backgrounds, and screen-saver settings—will not take effect until the next time the end user logs on. - -- Close all applications before running ScanState or LoadState tools. If some applications are running during the ScanState or LoadState process, USMT might not migrate some data. For example, if Microsoft Outlook® is open, USMT might not migrate PST files. - - **Note** - USMT will fail if it cannot migrate a file or setting unless you specify the **/c** option. When you specify the **/c** option, USMT ignores errors. However, it logs an error when it encounters a file that is in use that did not migrate. - - - -## User Account Problems - - -The following sections describe common user account problems. Expand the section to see recommended solutions. - -### I'm having problems creating local accounts on the destination computer. - -**Resolution:** For more information about creating accounts and migrating local accounts, see [Migrate User Accounts](usmt-migrate-user-accounts.md). - -### Not all of the user accounts were migrated to the destination computer. - -**Causes/Resolutions** There are two possible causes for this problem: - -When running the ScanState tool on Windows Vista, or the ScanState and LoadState tools on Windows 7, Windows 8, or Windows 10, you must run them in Administrator mode from an account with administrative credentials to ensure that all specified users are migrated. To run in Administrator mode: - -1. Click **Start**. - -2. Click **All Programs**. - -3. Click **Accessories**. - -4. Right-click **Command Prompt**. - -5. Click **Run as administrator**. - -Then specify your LoadState or ScanState command. If you do not run USMT in Administrator mode, only the user profile that is logged on will be included in the migration. - -Any user accounts on the computer that have not been used will not be migrated. For example, if you add User1 to the computer, but User1 never logs on, then USMT will not migrate the User1 account. - -### User accounts that I excluded were migrated to the destination computer. - -**Cause:** The command that you specified might have had conflicting **/ui** and **/ue** options. If a user is specified with the **/ui** option and is also specified to be excluded with either the **/ue** or **/uel** options, the user will be included in the migration. For example, if you specify `/ui:domain1\* /ue:domain1\user1`, then User1 will be migrated because the **/ui** option takes precedence. - -**Resolution:** For more information about how to use the **/ui** and **/ue** options together, see the examples in the [ScanState Syntax](usmt-scanstate-syntax.md) topic. - -### I am using the /uel option, but many accounts are still being included in the migration. - -**Cause** The **/uel** option depends on the last modified date of the users' NTUser.dat file. There are scenarios in which this last modified date might not match the users' last logon date. - -**Resolution** This is a limitation of the **/uel** option. You might need to exclude these users manually with the **/ue** option. - -### The LoadState tool reports an error as return code 71 and fails to restore a user profile during a migration test. - -**Cause:** During a migration test, if you run the ScanState tool on your test computer and then delete user profiles in order to test the LoadState tool on the same computer, you may have a conflicting key present in the registry. Using the **net use** command to remove a user profile will delete folders and files associated with that profile, but will not remove the registry key. - -**Resolution:** To delete a user profile, use the **User Accounts** item in Control Panel. To correct an incomplete deletion of a user profile: - -1. Open the registry editor by typing `regedit` at an elevated command prompt. - -2. Navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList`. - - Each user profile is stored in a System Identifier key under `ProfileList`. - -3. Delete the key for the user profile you are trying to remove. - -### Files that were not encrypted before the migration are now encrypted with the account used to run the LoadState tool. - -**Cause:** The ScanState tool was run using the **/EFS: copyraw** option to migrate encrypted files and Encrypting File System (EFS) certificates. The encryption attribute was set on a folder that was migrated, but the attribute was removed from file contents of that folder prior to migration. - -**Resolution:** Before using the ScanState tool for a migration that includes encrypted files and EFS certificates, you can run the Cipher tool at the command prompt to review and change encryption settings on files and folders. You must remove the encryption attribute from folders that contain unencrypted files or encrypt the contents of all files within an encrypted folder. - -To remove encryption from files that have already been migrated incorrectly, you must log on to the computer with the account that you used to run the LoadState tool and then remove the encryption from the affected files. - -### The LoadState tool reports an error as return code 71 and a Windows Error 2202 in the log file. - -**Cause:** The computer name was changed during an offline migration of a local user profile. - -**Resolution:** You can use the **/mu** option when you run the LoadState tool to specify a new name for the user. For example, - -``` syntax -loadstate /i:migapp.xml /i:migdocs.xml \\server\share\migration\mystore -/progress:prog.log /l:load.log /mu:fareast\user1:farwest\user1 -``` - -## Command-line Problems - - -The following sections describe common command-line problems. Expand the section to see recommended solutions. - -### I received the following error message: "Usage Error: You cannot specify a file path with any of the command-line options that exceeds 256 characters." - -**Cause:** You might receive this error message in some cases even if you do not specify a long store or file path, because the path length is calculated based on the absolute path. For example, if you run the **scanstate.exe /o store** command from C:\\Program Files\\USMT40, then each character in "`C:\Program Files\USMT40`" will be added to the length of "store" to get the length of the path. - -**Resolution:** Ensure that the total path length—the store path plus the current directory—does not exceed 256 characters. - -### I received the following error message: "USMT was unable to create the log file(s). Ensure that you have write access to the log directory." - -**Cause:** If you are running the ScanState or LoadState tools from a shared network resource, you will receive this error message if you do not specify **/l**. - -**Resolution:** To fix this issue in this scenario, specify the **/l:scan.log** or **/l:load.log** option. - -## XML File Problems - - -The following sections describe common XML file problems. Expand the section to see recommended solutions. - -### I used the /genconfig option to create a Config.xml file, but I see only a few applications and components that are in MigApp.xml. Why does Config.xml not contain all of the same applications? - -**Cause:** Config.xml will contain only operating system components, applications, and the user document sections that are in both of the .xml files and are installed on the computer when you run the **/genconfig** option. Otherwise, these applications and components will not appear in the Config.xml file. - -**Resolution:** Install all of the desired applications on the computer before running the **/genconfig** option. Then run ScanState with all of the .xml files. For example, run the following: - -`scanstate /genconfig:config.xml /i:migdocs.xml /i:migapp.xml /v:5 /l:scanstate.log` - -### I am having problems with a custom .xml file that I authored, and I cannot verify that the syntax is correct. - -**Resolution:** You can load the XML schema (MigXML.xsd), included with USMT, into your XML authoring tool. For examples, see the [Visual Studio Development Center](https://go.microsoft.com/fwlink/p/?LinkId=74513). Then, load your .xml file in the authoring tool to see if there is a syntax error. In addition, see [USMT XML Reference](usmt-xml-reference.md) for more information about using the XML elements. - -### I am using a MigXML helper function, but the migration isn’t working the way I expected it to.  How do I troubleshoot this issue? - -**Cause:** Typically, this issue is caused by incorrect syntax used in a helper function. You receive a Success return code, but the files you wanted to migrate did not get collected or applied, or weren’t collected or applied in the way you expected. - -**Resolution:** You should search the ScanState or LoadState log for either the component name which contains the MigXML helper function, or the MigXML helper function title, so that you can locate the related warning in the log file. - -## Migration Problems - - -The following sections describe common migration problems. Expand the section to see recommended solutions. - -### Files that I specified to exclude are still being migrated. - -**Cause:** There might be another rule that is including the files. If there is a more specific rule or a conflicting rule, the files will be included in the migration. - -**Resolution:** For more information, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md) and the Diagnostic Log section in [Log Files](usmt-log-files.md). - -### I specified rules to move a folder to a specific location on the destination computer, but it has not migrated correctly. - -**Cause:** There might be an error in the XML syntax. - -**Resolution:** You can use the USMT XML schema (MigXML.xsd) to write and validate migration .xml files. Also see the XML examples in the following topics: - -[Conflicts and Precedence](usmt-conflicts-and-precedence.md) - -[Exclude Files and Settings](usmt-exclude-files-and-settings.md) - -[Reroute Files and Settings](usmt-reroute-files-and-settings.md) - -[Include Files and Settings](usmt-include-files-and-settings.md) - -[Custom XML Examples](usmt-custom-xml-examples.md) - -### After LoadState completes, the new desktop background does not appear on the destination computer. - -There are three typical causes for this issue. - -**Cause \#1:**: Some settings such as fonts, desktop backgrounds, and screen-saver settings are not applied by LoadState until after the destination computer has been restarted. - -**Resolution:** To fix this issue, log off, and then log back on to see the migrated desktop background. - -**Cause \#2:** If the source computer was running Windows® XP and the desktop background was stored in the *Drive*:\\WINDOWS\\Web\\Wallpaper folder—the default folder where desktop backgrounds are stored in Windows XP—the desktop background will not be migrated. Instead, the destination computer will have the default Windows® desktop background. This will occur even if the desktop background was a custom picture that was added to the \\WINDOWS\\Web\\Wallpaper folder. However, if the end user sets a picture as the desktop background that was saved in another location, for example, My Pictures, then the desktop background will migrate. - -**Resolution:** Ensure that the desktop background images that you want to migrate are not in the \\WINDOWS\\Web\\Wallpaper folder on the source computer. - -**Cause \#3:** If ScanState was not run on Windows XP from an account with administrative credentials, some operating system settings will not migrate. For example, desktop background settings, screen-saver selections, modem options, media-player settings, and Remote Access Service (RAS) connection phone book (.pbk) files and settings will not migrate. - -**Resolution:** Run the ScanState and LoadState tools from within an account with administrative credentials. - -### I included MigApp.xml in the migration, but some PST files aren’t migrating. - -**Cause:** The MigApp.xml file migrates only the PST files that are linked to Outlook profiles. - -**Resolution:** To migrate PST files that are not linked to Outlook profiles, you must create a separate migration rule to capture these files. - -### USMT does not migrate the Start layout - -**Description:** You are using USMT to migrate profiles from one installation of Windows 10 to another installation of Windows 10 on different hardware. After migration, the user signs in on the new device and does not have the Start menu layout they had previously configured. - -**Cause:** A code change in the Start Menu with Windows 10 version 1607 and later is incompatible with this USMT function. - -**Resolution:** The following workaround is available: - -1. With the user signed in, back up the Start layout using the following Windows PowerShell command. You can specify a different path if desired: - - ``` - Export-StartLayout -Path "C:\Layout\user1.xml" - ``` -2. Migrate the user's profile with USMT. -3. Before the user signs in on the new device, import the Start layout using the following Windows PowerShell command: - - ``` - Import-StartLayout –LayoutPath "C:\Layout\user1.xml" –MountPath %systemdrive% - ``` - -This workaround changes the Default user's Start layout. The workaround does not scale to a mass migrations or multiuser devices, but it can potentially unblock some scenarios. If other users will sign on to the device you should delete layoutmodification.xml from the Default user profile. Otherwise, all users who sign on to that device will use the imported Start layout. - -## Offline Migration Problems - - -The following sections describe common offline migration problems. Expand the section to see recommended solutions. - -### Some of my system settings do not migrate in an offline migration. - -**Cause:** Some system settings, such as desktop backgrounds and network printers, are not supported in an offline migration. For more information, see [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md) - -**Resolution:** In an offline migration, these system settings must be restored manually. - -### The ScanState tool fails with return code 26. - -**Cause:** A common cause of return code 26 is that a temp profile is active on the source computer. This profile maps to c:\\users\\temp. The ScanState log shows a MigStartupOfflineCaught exception that includes the message "User profile duplicate SID error". - -**Resolution:** You can reboot the computer to get rid of the temp profile or you can set MIG\_FAIL\_ON\_PROFILE\_ERROR=0 to skip the error and exclude the temp profile. - -### Include and Exclude rules for migrating user profiles do not work the same offline as they do online. - -**Cause:** When offline, the DNS server cannot be queried to resolve the user name and SID mapping. - -**Resolution:** Use a Security Identifier (SID) to include a user when running the ScanState tool. For example: - -``` syntax -Scanstate /ui:S1-5-21-124525095-708259637-1543119021* -``` - -The wild card (\*) at the end of the SID will migrate the *SID*\_Classes key as well. - -You can also use patterns for SIDs that identify generic users or groups. For example, you can use the */ue:\*-500* option to exclude the local administrator accounts. For more information about Windows SIDs, see [this Microsoft Web site](/troubleshoot/windows-server/identity/security-identifiers-in-windows). - -### My script to wipe the disk fails after running the ScanState tool on a 64-bit system. - -**Cause:** The HKLM registry hive is not unloaded after the ScanState tool has finished running. - -**Resolution:** Reboot the computer or unload the registry hive at the command prompt after the ScanState tool has finished running. For example, at a command prompt, type: - -``` syntax -reg.exe unload hklm\$dest$software -``` - -## Hard-Link Migration Problems - - -The following sections describe common hard-link migration problems. Expand the section to see recommended solutions. - -### EFS files are not restored to the new partition. - -**Cause:** EFS files cannot be moved to a new partition with a hard link. The **/efs:hardlink** command-line option is only applicable to files migrated on the same partition. - -**Resolution:** Use the **/efs:copyraw** command-line option to copy EFS files during the migration instead of creating hard links, or manually copy the EFS files from the hard-link store. - -### The ScanState tool cannot delete a previous hard-link migration store. - -**Cause:** The migration store contains hard links to locked files. - -**Resolution:** Use the UsmtUtils tool to delete the store or change the store name. For example, at a command prompt, type: - -``` syntax -USMTutils /rd -``` - -You should also reboot the machine. - - - - - -## Related topics - - -[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md) - -[Frequently Asked Questions](usmt-faq.yml) - -[Return Codes](usmt-return-codes.md) - -[UsmtUtils Syntax](usmt-utilities.md) - - - diff --git a/windows/deployment/usmt/usmt-common-migration-scenarios.md b/windows/deployment/usmt/usmt-common-migration-scenarios.md index 2a26886c73..4f68b4b46e 100644 --- a/windows/deployment/usmt/usmt-common-migration-scenarios.md +++ b/windows/deployment/usmt/usmt-common-migration-scenarios.md @@ -1,152 +1,110 @@ --- title: Common Migration Scenarios (Windows 10) -description: See how the User State Migration Tool (USMT) 10.0 is used when planning hardware and/or operating system upgrades. +description: See how the User State Migration Tool (USMT) 10.0 is used when planning hardware and/or operating system upgrades. ms.reviewer: -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski -ms.date: 04/19/2017 +author: frankroj +ms.date: 11/01/2022 ms.topic: article ms.technology: itpro-deploy --- # Common Migration Scenarios +You use the User State Migration Tool (USMT) 10.0 when hardware and/or operating system upgrades are planned for a large number of computers. USMT manages the migration of an end-user's digital identity by capturing the user's operating-system settings, application settings, and personal files from a source computer and reinstalling them on a destination computer after the upgrade has occurred. -You use the User State Migration Tool (USMT) 10.0 when hardware and/or operating system upgrades are planned for a large number of computers. USMT manages the migration of an end-user's digital identity by capturing the user's operating-system settings, application settings, and personal files from a source computer and reinstalling them on a destination computer after the upgrade has occurred. - -One common scenario when only the operating system, and not the hardware, is being upgraded is referred to as *PC refresh*. A second common scenario is known as *PC replacement*, where one piece of hardware is being replaced, typically by newer hardware and a newer operating system. - -## In this topic - - -[PC Refresh](#bkmk-pcrefresh) - -[Scenario One: PC-refresh offline using Windows PE and a hard-link migration store](#bkmk-onepcrefresh) - -[Scenario Two: PC-refresh using a compressed migration store](#bkmk-twopcrefresh) - -[Scenario Three: PC-refresh using a hard-link migration store](#bkmk-threepcrefresh) - -[Scenario Four: PC-refresh using Windows.old folder and a hard-link migration store](#bkmk-fourpcrefresh) - -[PC Replacement](#bkmk-pcreplace) - -[Scenario One: Offline migration using Windows PE and an external migration store](#bkmk-onepcreplace) - -[Scenario Two: Manual network migration](#bkmk-twopcreplace) - -[Scenario Three: Managed network migration](#bkmk-threepcreplace) - -## PC-Refresh +One common scenario is when the operating system is upgraded on existing hardware without the hardware being replaced. This scenario is referred to as *PC-refresh*. A second common scenario is known as *PC replacement*, where one piece of hardware is being replaced, typically by newer hardware and a newer operating system. +## PC-refresh The following diagram shows a PC-refresh migration, also known as a computer refresh migration. First, the administrator migrates the user state from a source computer to an intermediate store. After installing the operating system, the administrator migrates the user state back to the source computer. -  - ![usmt pc refresh scenario.](images/dep-win8-l-usmt-pcrefresh.jpg) -  +### Scenario One: PC-refresh offline using Windows PE and a hard-link migration store -### Scenario One: PC-refresh offline using Windows PE and a hard-link migration store +A company has received funds to update the operating system on all of its computers in the accounting department to Windows 10. Each employee will keep the same computer, but the operating system on each computer will be updated. In this scenario, the update is being handled offline, without a network connection. An administrator uses Windows Preinstallation Environment (WinPE) and a hard-link migration store to save each user state to their respective computer. -A company has just received funds to update the operating system on all of its computers in the accounting department to Windows 10. Each employee will keep the same computer, but the operating system on each computer will be updated. In this scenario, the update is being handled completely offline, without a network connection. An administrator uses Windows Preinstallation Environment (WinPE) and a hard-link migration store to save each user state to their respective computer. +1. On each computer, the administrator boots the machine into WinPE and runs the **ScanState** command-line tool, specifying the `/hardlink /nocompress` command-line options. **ScanState** saves the user state to a hard-link migration store on each computer, improving performance by minimizing network traffic and minimizing migration failures on computers with limited space available on the hard drive. -1. On each computer, the administrator boots the machine into WinPE and runs the ScanState command-line tool, specifying the **/hardlink /nocompress** command-line options. ScanState saves the user state to a hard-link migration store on each computer, improving performance by minimizing network traffic as well as minimizing migration failures on computers with very limited space available on the hard drive. +2. On each computer, the administrator installs the company's standard operating environment (SOE) which includes Windows 10 and other company applications. -2. On each computer, the administrator installs the company's standard operating environment (SOE) which includes Windows 10 and other company applications. +3. The administrator runs the **LoadState** command-line tool on each computer. **LoadState** restores each user state back to each computer. -3. The administrator runs the LoadState command-line tool on each computer. LoadState restores each user state back to each computer. +### Scenario Two: PC-refresh using a compressed migration store -### Scenario Two: PC-refresh using a compressed migration store +A company has received funds to update the operating system on all of its computers to Windows 10. Each employee will keep the same computer, but the operating system on each computer will be updated. In this scenario, an administrator uses a compressed migration store to save the user states to a server. -A company has just received funds to update the operating system on all of its computers to Windows 10. Each employee will keep the same computer, but the operating system on each computer will be updated. In this scenario, an administrator uses a compressed migration store to save the user states to a server. +1. The administrator runs the **ScanState** command-line tool on each computer. **ScanState** saves each user state to a server. -1. The administrator runs the ScanState command-line tool on each computer. ScanState saves each user state to a server. +2. On each computer, the administrator installs the company's standard SOE that includes Windows 10 and other company applications. -2. On each computer, the administrator installs the company's standard SOE which includes Windows 10 and other company applications. +3. The administrator runs the **LoadState** command-line tool on each source computer, and **LoadState** restores each user state back to the computer. -3. The administrator runs the LoadState command-line tool on each source computer, and LoadState restores each user state back to the computer. +### Scenario Three: PC-refresh using a hard-link migration store -### Scenario Three: PC-refresh using a hard-link migration store +A company has received funds to update the operating system on all of its computers to Windows 10. Each employee will keep the same computer, but the operating system on each computer will be updated. In this scenario, an administrator uses a hard-link migration store to save each user state to their respective computer. -A company has just received funds to update the operating system on all of its computers to Windows 10. Each employee will keep the same computer, but the operating system on each computer will be updated. In this scenario, an administrator uses a hard-link migration store to save each user state to their respective computer. +1. The administrator runs the **ScanState** command-line tool on each computer, specifying the `/hardlink /nocompress` command-line options. **ScanState** saves the user state to a hard-link migration store on each computer, improving performance by minimizing network traffic and minimizing migration failures on computers with limited space available on the hard drive. -1. The administrator runs the ScanState command-line tool on each computer, specifying the **/hardlink /nocompress** command-line options. ScanState saves the user state to a hard-link migration store on each computer, improving performance by minimizing network traffic as well as minimizing migration failures on computers with very limited space available on the hard drive. +2. On each computer, the administrator installs the company's SOE that includes Windows 10 and other company applications. -2. On each computer, the administrator installs the company's SOE which includes Windows 10 and other company applications. +3. The administrator runs the **LoadState** command-line tool on each computer. **LoadState** restores each user state back on each computer. -3. The administrator runs the LoadState command-line tool on each computer. LoadState restores each user state back on each computer. +### Scenario Four: PC-refresh using Windows.old folder and a hard-link migration store -### Scenario Four: PC-refresh using Windows.old folder and a hard-link migration store +A company has decided to update the operating system on all of its computers to Windows 10. Each employee will keep the same computer, but the operating system on each computer will be updated. In this scenario, an administrator uses Windows.old and a hard-link migration store to save each user state to their respective computer. -A company has decided to update the operating system on all of its computers to Windows 10. Each employee will keep the same computer, but the operating system on each computer will be updated. In this scenario, an administrator uses Windows.old and a hard-link migration store to save each user state to their respective computer. +1. The administrator clean installs Windows 10 on each computer, making sure that the Windows.old directory is created by installing Windows 10 without formatting or repartitioning and by selecting a partition that contains the previous version of Windows. -1. The administrator clean installs Windows 10 on each computer, making sure that the Windows.old directory is created by installing Windows 10 without formatting or repartitioning and by selecting a partition that contains the previous version of Windows. +2. On each computer, the administrator installs the company's SOE that includes company applications. -2. On each computer, the administrator installs the company's SOE which includes company applications. - -3. The administrator runs the ScanState and LoadState command-line tools successively on each computer while specifying the **/hardlink /nocompress** command-line options. - -## PC-Replacement +3. The administrator runs the **ScanState** and **LoadState** command-line tools successively on each computer while specifying the `/hardlink /nocompress` command-line options. +## PC-replacement The following diagram shows a PC-replacement migration. First, the administrator migrates the user state from the source computer to an intermediate store. After installing the operating system on the destination computer, the administrator migrates the user state from the store to the destination computer. -  - ![usmt pc replace scenario.](images/dep-win8-l-usmt-pcreplace.jpg) -  +### Scenario One: Offline migration using Windows PE and an external migration store -### Scenario One: Offline migration using WinPE and an external migration store +A company is allocating 20 new computers to users in the accounting department. The users each have a source computer with their files and settings. In this scenario, migration is being handled offline, without a network connection. -A company is allocating 20 new computers to users in the accounting department. The users each have a source computer with their files and settings. In this scenario, migration is being handled completely offline, without a network connection. +1. On each source computer, an administrator boots the machine into WinPE and runs **ScanState** to collect the user state to either a server or an external hard disk. -1. On each source computer, an administrator boots the machine into WinPE and runs ScanState to collect the user state to either a server or an external hard disk. +2. On each new computer, the administrator installs the company's SOE that includes Windows 10 and other company applications. -2. On each new computer, the administrator installs the company's SOE which includes Windows 10 and other company applications. +3. On each of the new computers, the administrator runs the **LoadState** tool, restoring each user state from the migration store to one of the new computers. -3. On each of the new computers, the administrator runs the LoadState tool, restoring each user state from the migration store to one of the new computers. +### Scenario Two: Manual network migration -### Scenario Two: Manual network migration +A company receives 50 new laptops for their managers and needs to reallocate 50 older laptops to new employees. In this scenario, an administrator runs the **ScanState** tool from the cmd prompt on each computer to collect the user states and save them to a server in a compressed migration store. -A company receives 50 new laptops for their managers and needs to reallocate 50 older laptops to new employees. In this scenario, an administrator runs the ScanState tool from the cmd prompt on each computer to collect the user states and save them to a server in a compressed migration store. +1. The administrator runs the **ScanState** tool on each of the manager's old laptops, and saves each user state to a server. -1. The administrator runs the ScanState tool on each of the manager's old laptops, and saves each user state to a server. +2. On the new laptops, the administrator installs the company's SOE, which includes Windows 10 and other company applications. -2. On the new laptops, the administrator installs the company's SOE, which includes Windows 10 and other company applications. +3. The administrator runs the **LoadState** tool on the new laptops to migrate the managers' user states to the appropriate computer. The new laptops are now ready for the managers to use. -3. The administrator runs the LoadState tool on the new laptops to migrate the managers' user states to the appropriate computer. The new laptops are now ready for the managers to use. +4. On the old computers, the administrator installs the company's SOE, which includes Windows 10, Microsoft Office, and other company applications. The old computers are now ready for the new employees to use. -4. On the old computers, the administrator installs the company's SOE, which includes Windows 10, Microsoft Office, and other company applications. The old computers are now ready for the new employees to use. +### Scenario Three: Managed network migration -### Scenario Three: Managed network migration +A company is allocating 20 new computers to users in the accounting department. The users each have a source computer that contains their files and settings. An administrator uses a management technology such as a sign-in script or a batch file to run **ScanState** on each source computer to collect the user states and save them to a server in a compressed migration store. -A company is allocating 20 new computers to users in the accounting department. The users each have a source computer that contains their files and settings. An administrator uses a management technology such as a logon script or a batch file to run ScanState on each source computer to collect the user states and save them to a server in a compressed migration store. +1. On each source computer, the administrator runs the **ScanState** tool using Microsoft Configuration Manager, Microsoft Deployment Toolkit (MDT), a sign-in script, a batch file, or a non-Microsoft management technology. **ScanState** collects the user state from each source computer and then saves it to a server. -1. On each source computer, the administrator runs the ScanState tool using Microsoft Configuration Manager, Microsoft Deployment Toolkit (MDT), a logon script, a batch file, or a non-Microsoft management technology. ScanState collects the user state from each source computer and then saves it to a server. - -2. On each new computer, the administrator installs the company's SOE, which includes Windows 10 and other company applications. - -3. On each of the new computers, the administrator runs the LoadState tool using Microsoft Configuration Manager, a logon script, a batch file, or a non-Microsoft management technology. LoadState migrates each user state from the migration store to one of the new computers. - -## Related topics - - -[Plan Your Migration](usmt-plan-your-migration.md) - -[Choose a Migration Store Type](usmt-choose-migration-store-type.md) - -[Offline Migration Reference](offline-migration-reference.md) - -  - -  +2. On each new computer, the administrator installs the company's SOE, which includes Windows 10 and other company applications. +3. On each of the new computers, the administrator runs the **LoadState** tool using Microsoft Configuration Manager, a sign-in script, a batch file, or a non-Microsoft management technology. **LoadState** migrates each user state from the migration store to one of the new computers. +## Related articles +[Plan your migration](usmt-plan-your-migration.md) +[Choose a migration store type](usmt-choose-migration-store-type.md) +[Offline migration reference](offline-migration-reference.md) diff --git a/windows/deployment/usmt/usmt-configxml-file.md b/windows/deployment/usmt/usmt-configxml-file.md index 55ce65391a..96846a8e88 100644 --- a/windows/deployment/usmt/usmt-configxml-file.md +++ b/windows/deployment/usmt/usmt-configxml-file.md @@ -1,92 +1,56 @@ --- title: Config.xml File (Windows 10) -description: Learn how the Config.xml file is an optional User State Migration Tool (USMT) 10.0 file that you can create using the /genconfig option with the ScanState.exe tool. +description: Learn how the Config.xml file is an optional User State Migration Tool (USMT) 10.0 file that you can create using the /genconfig option with the ScanState.exe tool. ms.reviewer: -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski -ms.date: 04/19/2017 +author: frankroj +ms.date: 11/01/2022 ms.topic: article ms.technology: itpro-deploy --- # Config.xml File -## Config.xml File +The `Config.xml` file is an optional User State Migration Tool (USMT) 10.0 file that you can create using the `/genconfig` option with the ScanState tool. If you want to include all of the default components, and don't want to change the default store-creation or profile-migration behavior, you don't need to create a `Config.xml` file. -The Config.xml file is an optional User State Migration Tool (USMT) 10.0 file that you can create using the **/genconfig** option with the ScanState.exe tool. If you want to include all of the default components, and do not want to change the default store-creation or profile-migration behavior, you do not need to create a Config.xml file. +However, if you're satisfied with the default migration behavior defined in the `MigApp.xml`, `MigUser.xml` and `MigDocs.xml` files, but you want to exclude certain components, you can create and modify a `Config.xml` file and leave the other .xml files unchanged. For example, you must create and modify the `Config.xml` file if you want to exclude any of the operating-system settings that are migrated. It's necessary to create and modify this file if you want to change any of the default store-creation or profile-migration behavior. -However, if you are satisfied with the default migration behavior defined in the MigApp.xml, MigUser.xml and MigDocs.xml files, but you want to exclude certain components, you can create and modify a Config.xml file and leave the other .xml files unchanged. For example, you must create and modify the Config.xml file if you want to exclude any of the operating-system settings that are migrated. It is necessary to create and modify this file if you want to change any of the default store-creation or profile-migration behavior. +The `Config.xml` file has a different format than the other migration .xml files, because it doesn't contain any migration rules. It contains only a list of the operating-system components, applications, user documents that can be migrated, and user-profile policy and error-control policy. For this reason, excluding components using the `Config.xml` file is easier than modifying the migration .xml files, because you don't need to be familiar with the migration rules and syntax. However, you can't use wildcard characters in this file. -The Config.xml file has a different format than the other migration .xml files, because it does not contain any migration rules. It contains only a list of the operating-system components, applications, user documents that can be migrated, as well as user-profile policy and error-control policy. For this reason, excluding components using the Config.xml file is easier than modifying the migration .xml files, because you do not need to be familiar with the migration rules and syntax. However, you cannot use wildcard characters in this file. +For more information about using the `Config.xml` file with other migration files, such as the `MigDocs.xml` and `MigApps.xml` files, see [Understanding Migration XML Files](understanding-migration-xml-files.md). -For more information about using the Config.xml file with other migration files, such as the MigDocs.xml and MigApps.xml files, see [Understanding Migration XML Files](understanding-migration-xml-files.md). +> [!NOTE] +> To exclude a component from the `Config.xml` file, set the **migrate** value to **no**. Deleting the XML tag for the component from the `Config.xml` file will not exclude the component from your migration. -**Note**   -To exclude a component from the Config.xml file, set the **migrate** value to **"no"**. Deleting the XML tag for the component from the Config.xml file will not exclude the component from your migration. +## Migration Policies -## In this topic +In USMT there are new migration policies that can be configured in the `Config.xml` file. For example, you can configure additional **<ErrorControl>**, **<ProfileControl>**, and **<HardLinkStoreControl>** options. The following elements and parameters are for use in the `Config.xml` file only. -In USMT there are new migration policies that can be configured in the Config.xml file. For example, you can configure additional **<ErrorControl>**, **<ProfileControl>**, and **<HardLinkStoreControl>** options. The following elements and parameters are for use in the Config.xml file only. - -[<Policies>](#bkmk-policies) - -[<ErrorControl>](#bkmk-errorcontrol) - -[<fatal>](#bkmk-fatal) - -[<fileError>](#bkmk-fileerror) - -[<nonfatal>](#bkmk-nonfatal) - -[<registryError>](#bkmk-registryerror) - -[<HardLinkStoreControl>](#bkmk-hardlinkstorecontrol) - -[<fileLocked>](#bkmk-filelock) - -[<createHardLink>](#bkmk-createhardlink) - -[<errorHardLink>](#bkmk-errorhardlink) - -[<ProfileControl>](#bkmk-profilecontrol) - -[<localGroups>](#bkmk-localgroups) - -[<mappings>](#bkmk-mappings) - -[<changeGroup>](#bkmk-changegrou) - -[<include>](#bkmk-include) - -[<exclude>](#bkmk-exclude) - -[Sample Config.xml File](#bkmk-sampleconfigxjmlfile) - -## <Policies> +### <Policies> The **<Policies>** element contains elements that describe the policies that USMT follows while creating a migration store. Valid children of the **<Policies>** element are **<ErrorControl>** and **<HardLinkStoreControl>**. The **<Policies>** element is a child of **<Configuration>**. -Syntax: ` ` +Syntax: `` `` -## <ErrorControl> +### <ErrorControl> -The **<ErrorControl>** element is an optional element you can configure in the Config.xml file. The configurable **<ErrorControl>** rules support only the environment variables for the operating system that is running and the currently logged-on user. As a workaround, you can specify a path using the (\*) wildcard character. +The **<ErrorControl>** element is an optional element you can configure in the `Config.xml` file. The configurable **<ErrorControl>** rules support only the environment variables for the operating system that is running and the currently logged-on user. As a workaround, you can specify a path using the (\*) wildcard character. -- **Number of occurrences**: Once for each component +- **Number of occurrences**: Once for each component -- **Parent elements**: The **<Policies>** element +- **Parent elements**: The **<Policies>** element -- **Child elements**: The **<fileError>** and **<registryError>** element +- **Child elements**: The **<fileError>** and **<registryError>** element -Syntax: `` +Syntax: `` `` -The following example specifies that all locked files, regardless of their location (including files in C:\\Users), should be ignored. However, the migration fails if any file in C:\\Users cannot be accessed because of any other reason. In the example below, the **<ErrorControl>** element ignores any problems in migrating registry keys that match the supplied pattern, and it resolves them to an **Access denied** error. +The following example specifies that all locked files, regardless of their location (including files in C:\\Users), should be ignored. However, the migration fails if any file in C:\\Users can't be accessed because of any other reason. In the example below, the **<ErrorControl>** element ignores any problems in migrating registry keys that match the supplied pattern, and it resolves them to an **Access denied** error. Additionally, the order in the **<ErrorControl>** section implies priority. In this example, the first **<nonFatal>** tag takes precedence over the second **<fatal>** tag. This precedence is applied, regardless of how many tags are listed. -``` xml +```xml * [*] @@ -101,17 +65,17 @@ Additionally, the order in the **<ErrorControl>** section implies priority > [!IMPORTANT] > The configurable **<ErrorControl>** rules support only the environment variables for the operating system that is running and the currently logged-on user. As a workaround, you can specify a path using the (\*) wildcard character. -### <fatal> +### <fatal> -The **<fatal>** element is not required. +The **<fatal>** element isn't required. -- **Number of occurrences**: Once for each component +- **Number of occurrences**: Once for each component -- **Parent elements**: **<fileError>** and **<registryError>** +- **Parent elements**: **<fileError>** and **<registryError>** -- **Child elements**: None. +- **Child elements**: None. -Syntax: ``*<pattern>*`` +Syntax: `` *<pattern>* `` |Parameter|Required|Value| |--- |--- |--- | @@ -119,76 +83,76 @@ Syntax: ``*<pattern>*`` You use the **<fatal>** element to specify that errors matching a specific pattern should cause USMT to halt the migration. -## <fileError> +### <fileError> -The **<fileError>** element is not required. +The **<fileError>** element isn't required. -- **Number of occurrences**: Once for each component +- **Number of occurrences**: Once for each component -- **Parent elements**: **<ErrorControl>** +- **Parent elements**: **<ErrorControl>** -- **Child elements**: **<nonFatal>** and **<fatal>** +- **Child elements**: **<nonFatal>** and **<fatal>** -Syntax: `` +Syntax: `` `` You use the **<fileError>** element to represent the behavior associated with file errors. -## <nonFatal> +### <nonFatal> -The **<nonFatal>** element is not required. +The **<nonFatal>** element isn't required. -- **Number of occurrences**: Once for each component +- **Number of occurrences**: Once for each component -- **Parent elements**: The **<fileError>** and **<registryError>** elements. +- **Parent elements**: The **<fileError>** and **<registryError>** elements. -- **Child elements**: None. +- **Child elements**: None. -Syntax: ``*<pattern>*`` +Syntax: `` *<pattern>* `` |Parameter|Required|Value| |--- |--- |--- | -|**<errorCode>**|No|"any" or "*specify system error message here*". If system error messages are not specified, the default behavior applies the parameter to all system error messages.| +|**<errorCode>**|No|"any" or "*specify system error message here*". If system error messages aren't specified, the default behavior applies the parameter to all system error messages.| -You use the **<nonFatal>** element to specify that errors matching a specific pattern should not cause USMT to halt the migration. +You use the **<nonFatal>** element to specify that errors matching a specific pattern shouldn't cause USMT to halt the migration. -## <registryError> +### <registryError> -The <registryError>element is not required. +The **<registryError>** element isn't required. -- **Number of occurrences**: Once for each component +- **Number of occurrences**: Once for each component -- **Parent elements**: **<ErrorControl>** +- **Parent elements**: **<ErrorControl>** -- **Child elements**: **<nonfatal>** and **<fatal>** +- **Child elements**: **<nonfatal>** and **<fatal>** -Syntax: `` +Syntax: `` `` |Parameter|Required|Value| |--- |--- |--- | -|**<errorCode>**|No|"any" or "*specify system error message here*". If system error messages are not specified, the default behavior applies the parameter to all system error messages.| +|**<errorCode>**|No|"any" or "*specify system error message here*". If system error messages aren't specified, the default behavior applies the parameter to all system error messages.| -You use the **<registryError>** element to specify that errors matching a specific pattern should not cause USMT to halt the migration. +You use the **<registryError>** element to specify that errors matching a specific pattern shouldn't cause USMT to halt the migration. -## <HardLinkStoreControl> +### <HardLinkStoreControl> The **<HardLinkStoreControl>** element contains elements that describe how to handle files during the creation of a hard-link migration store. Its only valid child is **<fileLocked>**. -Syntax: ` ` +Syntax: `` `` -- **Number of occurrences**: Once for each component +- **Number of occurrences**: Once for each component -- **Parent elements**: **<Policies>** +- **Parent elements**: **<Policies>** -- **Child elements**: **<fileLocked>** +- **Child elements**: **<fileLocked>** -Syntax: `` +Syntax: `` `` -The **<HardLinkStoreControl>** sample code below specifies that hard links can be created to locked files only if the locked file resides somewhere under C:\\Users\\. Otherwise, a file-access error occurs when a locked file is encountered that cannot be copied, even though is technically possible for the link to be created. +The **<HardLinkStoreControl>** sample code below specifies that hard links can be created to locked files only if the locked file resides somewhere under C:\\Users\\. Otherwise, a file-access error occurs when a locked file is encountered that can't be copied, even though is technically possible for the link to be created. > [!IMPORTANT] -> The **<ErrorControl>** section can be configured to conditionally ignore file access errors, based on the file’s location. +> The **<ErrorControl>** section can be configured to conditionally ignore file access errors, based on the file's location. -``` xml +```xml @@ -202,45 +166,45 @@ The **<HardLinkStoreControl>** sample code below specifies that hard links ``` -## <fileLocked> +### <fileLocked> The **<fileLocked>** element contains elements that describe how to handle files that are locked for editing. The rules defined by the **<fileLocked>** element are processed in the order in which they appear in the XML file. -Syntax: `` +Syntax: `` `` -## <createHardLink> +### <createHardLink> The **<createHardLink>** element defines a standard MigXML pattern that describes file paths where hard links should be created, even if the file is locked for editing by another application. -Syntax: ``*<pattern>*`` +Syntax: `` *<pattern>* `` -## <errorHardLink> +### <errorHardLink> -The **<errorHardLink>** element defines a standard MigXML pattern that describes file paths where hard links should not be created if the file is locked for editing by another application. USMT will attempt to copy files under these paths into the migration store. However, if that is not possible, **Error\_Locked** is thrown. This is a standard Windows application programming interface (API) error that can be captured by the **<ErrorControl>** section to either cause USMT to skip the file or abort the migration. +The **<errorHardLink>** element defines a standard MigXML pattern that describes file paths where hard links shouldn't be created if the file is locked for editing by another application. USMT will attempt to copy files under these paths into the migration store. However, if that isn't possible, **Error\_Locked** is thrown. This error is a standard Windows application programming interface (API) error that can be captured by the **<ErrorControl>** section to either cause USMT to skip the file or abort the migration. -Syntax: ``*<pattern>*`` +Syntax: `` *<pattern>* `` -## <ProfileControl> +### <ProfileControl> This element is used to contain other elements that establish rules for migrating profiles, users, and policies around local group membership during the migration. **<ProfileMigration>** is a child of **<Configuration>**. -Syntax: <`ProfileControl> ` +Syntax: <`ProfileControl>` `` -## <localGroups> +### <localGroups> This element is used to contain other elements that establish rules for how to migrate local groups. **<localGroups>** is a child of **<ProfileControl>**. -Syntax: ` ` +Syntax: `` `` -## <mappings> +### <mappings> This element is used to contain other elements that establish mappings between groups. -Syntax: ` ` +Syntax: `` `` -## <changeGroup> +### <changeGroup> -This element describes the source and destination groups for a local group membership change during the migration. It is a child of **<localGroups>**. The following parameters are defined: +This element describes the source and destination groups for a local group membership change during the migration. It's a child of **<localGroups>**. The following parameters are defined: |Parameter|Required|Value| |--- |--- |--- | @@ -250,23 +214,27 @@ This element describes the source and destination groups for a local group membe The valid and required children of **<changeGroup>** are **<include>** and **<exclude>**. Although both can be children at the same time, only one is required. -Syntax: ` ` +Syntax: `` `` -## <include> +### <include> This element specifies that its required child, *<pattern>*, should be included in the migration. -Syntax: ```` +Syntax: `` `` -## <exclude> +### <exclude> This element specifies that its required child, *<pattern>*, should be excluded from the migration. -Syntax: ``` ` +Syntax: `` `` -## Sample Config.xml File +## Sample Config.xml File -Refer to the following sample Config.xml file for additional details about items you can choose to exclude from a migration. +Refer to the following sample `Config.xml` file for more details about items you can choose to exclude from a migration. +
    +
    +
    + Expand for sample Config.xml file: ```xml @@ -459,6 +427,8 @@ Refer to the following sample Config.xml file for additional details about items ``` -## Related topics +
    -[USMT XML Reference](usmt-xml-reference.md) +## Related articles + +[USMT XML reference](usmt-xml-reference.md) diff --git a/windows/deployment/usmt/usmt-conflicts-and-precedence.md b/windows/deployment/usmt/usmt-conflicts-and-precedence.md index c14de7c5c9..e12ed6ff62 100644 --- a/windows/deployment/usmt/usmt-conflicts-and-precedence.md +++ b/windows/deployment/usmt/usmt-conflicts-and-precedence.md @@ -1,69 +1,43 @@ --- title: Conflicts and Precedence (Windows 10) -description: In this article, learn how User State Migration Tool (USMT) 10.0 deals with conflicts and precedence. +description: In this article, learn how User State Migration Tool (USMT) 10.0 deals with conflicts and precedence. ms.reviewer: -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski -ms.date: 04/19/2017 +author: frankroj +ms.date: 11/01/2022 ms.topic: article ms.technology: itpro-deploy --- -# Conflicts and Precedence +# Conflicts and precedence -When you include, exclude, and reroute files and settings, it is important to know how User State Migration Tool (USMT) 10.0 deals with conflicts and precedence. When working with USMT, the following are the most important conflicts and precedence guidelines to keep in mind. +When you include, exclude, and reroute files and settings, it's important to know how User State Migration Tool (USMT) 10.0 deals with conflicts and precedence. When working with USMT, the following are the most important conflicts and precedence guidelines to keep in mind. -- **If there are conflicting rules within a component, the most specific rule is applied.** However, the <unconditionalExclude> rule is an exception because it takes precedence over all others. Directory names take precedence over file extensions. For examples, see [What happens when there are conflicting include and exclude rules?](#bkmk1) and the first example in [Include and exclude precedence examples](#precexamples)****later in this topic. +- **If there are conflicting rules within a component, the most specific rule is applied.** However, the **<unconditionalExclude>** rule is an exception because it takes precedence over all others. Directory names take precedence over file extensions. For examples, see [What happens when there are conflicting <include> and <exclude> rules?](#what-happens-when-there-are-conflicting-include-and-exclude-rules) and the first example in [<include> and <exclude> rules precedence examples](#include-and-exclude-rules-precedence-examples) later in this article. -- **Only rules inside the same component can affect each other, depending on specificity.** Rules that are in different components do not affect each other, except for the <unconditionalExclude> rule. +- **Only rules inside the same component can affect each other, depending on specificity.** Rules that are in different components don't affect each other, except for the **<unconditionalExclude>** rule. -- **If the rules are equally specific, <exclude> takes precedence over <include>.** For example, if you use the <exclude> rule to exclude a file and use the <include> rule to include the same file, the file will be excluded. +- **If the rules are equally specific, <exclude> takes precedence over <include>.** For example, if you use the **<exclude>** rule to exclude a file and use the **<include>** rule to include the same file, the file will be excluded. -- **The ordering of components does not matter.** It does not matter which components are listed in which .xml file, because each component is processed independently of the other components across all of the .xml files. +- **The ordering of components does not matter.** It doesn't matter which components are listed in which .xml file, because each component is processed independently of the other components across all of the .xml files. -- **The ordering of the <include> and <exclude> rules within a component does not matter.** +- **The ordering of the <include> and <exclude> rules within a component does not matter.** -- **You can use the <unconditionalExclude> element to globally exclude data.** This element excludes objects, regardless of any other <include> rules that are in the .xml files. For example, you can use the <unconditionalExclude> element to exclude all MP3 files on the computer or to exclude all files from C:\\UserData. - -## In this topic - -**General** - -- [What is the relationship between rules that are located within different components?](#bkmk2) - -- [How does precedence work with the Config.xml file?](#bkmk3) - -- [How does USMT process each component in an .xml file with multiple components?](#bkmk4) - -- [How are rules processed?](#bkmk5) - -- [How does USMT combine all of the .xml files that I specify on the command line?](#bkmk6) - -**The <include> and <exclude> rules** - -- [What happens when there are conflicting include and exclude rules?](#bkmk1) - -- [<include> and <exclude> precedence examples](#precexamples) - -**File collisions** - -- [What is the default behavior when there are file collisions?](#collisions) - -- [How does the <merge> rule work when there are file collisions?](#bkmk11) +- **You can use the <unconditionalExclude> element to globally exclude data.** This element excludes objects, regardless of any other **<include>** rules that are in the .xml files. For example, you can use the **<unconditionalExclude>** element to exclude all MP3 files on the computer or to exclude all files from `C:\UserData`. ## General -### What is the relationship between rules that are located within different components? +### What is the relationship between rules that are located within different components? -Only rules inside the same component can affect each other, depending on specificity, except for the <unconditionalExclude> rule. Rules that are in different components do not affect each other. If there is an <include> rule in one component and an identical <exclude> rule in another component, the data will be migrated because the two rules are independent of each other. +Only rules inside the same component can affect each other, depending on specificity, except for the **<unconditionalExclude>** rule. Rules that are in different components don't affect each other. If there's an **<include>** rule in one component and an identical **<exclude>** rule in another component, the data will be migrated because the two rules are independent of each other. -If you have an <include> rule in one component and a <locationModify> rule in another component for the same file, the file will be migrated in both places. That is, it will be included based on the <include> rule, and it will be migrated based on the <locationModify> rule. +If you have an **<include>** rule in one component and a **<locationModify>** rule in another component for the same file, the file will be migrated in both places. That is, it will be included based on the **<include>** rule, and it will be migrated based on the **<locationModify>** rule. -The following .xml file migrates all files from C:\\Userdocs, including .mp3 files, because the <exclude> rule is specified in a separate component. +The following .xml file migrates all files from C:\\Userdocs, including .mp3 files, because the **<exclude>** rule is specified in a separate component. -``` xml +```xml User Documents @@ -93,11 +67,11 @@ The following .xml file migrates all files from C:\\Userdocs, including .mp3 fil ``` -### How does precedence work with the Config.xml file? +### How does precedence work with the Config.xml file? -Specifying `migrate="no"` in the Config.xml file is the same as deleting the corresponding component from the migration .xml file. However, if you set `migrate="no"` for My Documents, but you have a rule similar to the one shown below in a migration .xml file (which includes all of the .doc files from My Documents), then only the .doc files will be migrated, and all other files will be excluded. +Specifying `migrate="no"` in the `Config.xml` file is the same as deleting the corresponding component from the migration .xml file. However, if you set `migrate="no"` for My Documents, but you have a rule similar to the one shown below in a migration .xml file (which includes all of the .doc files from My Documents), then only the .doc files will be migrated, and all other files will be excluded. -``` xml +```xml %CSIDL_PERSONAL%\* [*.doc] @@ -105,31 +79,31 @@ Specifying `migrate="no"` in the Config.xml file is the same as deleting the cor ``` -### How does USMT process each component in an .xml file with multiple components? +### How does USMT process each component in an .xml file with multiple components? -The ordering of components does not matter. Each component is processed independently of other components. For example, if you have an <include> rule in one component and a <locationModify> rule in another component for the same file, the file will be migrated in both places. That is, it will be included based on the <include> rule, and it will be migrated based on the <locationModify> rule. +The ordering of components doesn't matter. Each component is processed independently of other components. For example, if you have an **<include>** rule in one component and a **<locationModify>** rule in another component for the same file, the file will be migrated in both places. That is, it will be included based on the **<include>** rule, and it will be migrated based on the **<locationModify>** rule. -### How are rules processed? +### How are rules processed? There are two broad categories of rules. -- **Rules that affect the behavior of both the ScanState and LoadState tools**. For example, the <include>, <exclude>, and <unconditionalExclude> rules are processed for each component in the .xml files. For each component, USMT creates an include list and an exclude list. Some of the rules in the component might be discarded due to specificity, but all of the remaining rules are processed. For each <include> rule, USMT iterates through the elements to see if any of the locations need to be excluded. USMT enumerates all of the objects and creates a list of objects it is going to collect for each user. Once the list is complete, each of the objects is stored or migrated to the destination computer. +- **Rules that affect the behavior of both the ScanState and LoadState tools**. For example, the **<include>**, **<exclude>**, and **<unconditionalExclude>** rules are processed for each component in the .xml files. For each component, USMT creates an include list and an exclude list. Some of the rules in the component might be discarded due to specificity, but all of the remaining rules are processed. For each **<include>** rule, USMT iterates through the elements to see if any of the locations need to be excluded. USMT enumerates all of the objects and creates a list of objects it's going to collect for each user. Once the list is complete, each of the objects is stored or migrated to the destination computer. -- **Rules that affect the behavior of only the LoadState tool**. For example, the <locationModify>, <contentModify>, and <destinationCleanup> rules do not affect ScanState. They are processed only with LoadState. First, the LoadState tool determines the content and location of each component based on the <locationModify>and <contentModify> rules. Then, LoadState processes all of the <destinationCleanup> rules and deletes data from the destination computer. Lastly, LoadState applies the components to the computer. +- **Rules that affect the behavior of only the LoadState tool**. For example, the **<locationModify>**, **<contentModify>**, and **<destinationCleanup>** rules don't affect ScanState. They're processed only with LoadState. First, the LoadState tool determines the content and location of each component based on the **<locationModify>** and **<contentModify>** rules. Then, LoadState processes all of the **<destinationCleanup>** rules and deletes data from the destination computer. Lastly, LoadState applies the components to the computer. -### How does USMT combine all of the .xml files that I specify on the command line? +### How does USMT combine all of the .xml files that I specify on the command line? -USMT does not distinguish the .xml files based on their name or content. It processes each component within the files separately. USMT supports multiple .xml files only to make it easier to maintain and organize the components within them. Because USMT uses a urlid to distinguish each component from the others, be sure that each .xml file that you specify on the command line has a unique migration urlid. +USMT doesn't distinguish the .xml files based on their name or content. It processes each component within the files separately. USMT supports multiple .xml files only to make it easier to maintain and organize the components within them. Because USMT uses a urlid to distinguish each component from the others, be sure that each .xml file that you specify on the command line has a unique migration urlid. -## The <include> and <exclude> rules +## The <include> and <exclude> rules -### What happens when there are conflicting <include> and <exclude> rules? +### What happens when there are conflicting <include> and <exclude> rules? -If there are conflicting rules within a component, the most specific rule is applied, except with the <unconditionalExclude> rule, which takes precedence over all other rules. If the rules are equally specific, then the data will be not be migrated. For example if you exclude a file, and include the same file, the file will not be migrated. If there are conflicting rules within different components, the rules do not affect each other because each component is processed independently. +If there are conflicting rules within a component, the most specific rule is applied, except with the **<unconditionalExclude>** rule, which takes precedence over all other rules. If the rules are equally specific, then the data won't be migrated. For example if you exclude a file, and include the same file, the file won't be migrated. If there are conflicting rules within different components, the rules don't affect each other because each component is processed independently. -In the following example, mp3 files will not be excluded from the migration. This is because directory names take precedence over the file extensions. +In the following example, mp3 files won't be excluded from the migration. The mp3 files won't be excluded because directory names take precedence over the file extensions. -``` xml +```xml C:\Data\* [*] @@ -142,72 +116,72 @@ In the following example, mp3 files will not be excluded from the migration. Thi     ``` -### <include> and <exclude> rules precedence examples +### <include> and <exclude> rules precedence examples -These examples explain how USMT deals with <include> and <exclude> rules. When the rules are in different components, the resulting behavior will be the same regardless of whether the components are in the same or in different migration .xml files. +These examples explain how USMT deals with **<include>** and **<exclude>** rules. When the rules are in different components, the resulting behavior will be the same regardless of whether the components are in the same or in different migration .xml files. -- [Including and excluding files](#filesex) +- [Including and excluding files](#including-and-excluding-files) -- [Including and excluding registry objects](#regex) +- [Including and excluding registry objects](#including-and-excluding-registry-objects) -### Including and excluding files +### Including and excluding files | If you have the following code in the same component | Resulting behavior | Explanation | |-----|-----|-----| -|
    • Include rule: <pattern type="File">C:\Dir1* []</pattern>
    • Exclude rule: <pattern type="File">C:* [.txt]</pattern>
    | Migrates all files and subfolders in Dir1 (including all .txt files in C:). | The <exclude> rule does not affect the migration because the <include> rule is more specific. | +|
    • Include rule: <pattern type="File">C:\Dir1* []</pattern>
    • Exclude rule: <pattern type="File">C:* [.txt]</pattern>
    | Migrates all files and subfolders in Dir1 (including all .txt files in C:). | The **<exclude>** rule doesn't affect the migration because the **<include>** rule is more specific. | |
    • Include rule: <pattern type="File">C:\Dir1* []</pattern>
    • Exclude rule: <pattern type="File">C:\Dir1\Dir2* [.txt]</pattern>
    | Migrates all files and subfolders in C:\Dir1, except the .txt files in C:\Dir1\Dir2 and its subfolders. | Both rules are processed as intended. | |
    • Include rule: <pattern type="File">C:\Dir1* []</pattern>
    • Exclude rule: <pattern type="File">C:\Dir1\ * [.txt]</pattern>
    | Migrates all files and subfolders in C:\Dir1, except the .txt files in C:\Dir1 and its subfolders. | Both rules are processed as intended. | -|
    • Include rule: <pattern type="File">C:\Dir1\Dir2* [.txt]</pattern>
    • Exclude rule: <pattern type="File">C:\Dir1\Dir2* [.txt]</pattern>
    | Nothing will be migrated. | The rules are equally specific, so the <exclude> rule takes precedence over the <include> rule. | +|
    • Include rule: <pattern type="File">C:\Dir1\Dir2* [.txt]</pattern>
    • Exclude rule: <pattern type="File">C:\Dir1\Dir2* [.txt]</pattern>
    | Nothing will be migrated. | The rules are equally specific, so the **<exclude>** rule takes precedence over the **<include>** rule. | |
    • Include rule: C:\Dir1* [.txt]
    • Exclude rule: C:\Dir1\Dir2* []
    | Migrates the .txt files in Dir1 and the .txt files from subfolders other than Dir2.
    No files are migrated from Dir2 or its subfolders. | Both rules are processed as intended. | |
    • Include rule: C:\Dir1\Dir2* []
    • Exclude rule: C:\Dir1* [.txt]
    | Migrates all files and subfolders of Dir2, except the .txt files from Dir1 and any subfolders of Dir1 (including Dir2). | Both rules are processed as intended. | | If you have the following code in different components | Resulting behavior | Explanation | |-----|----|----| -| Component 1:
    • Include rule: <pattern type="File">C:\Dir1* []</pattern>
    • Exclude rule: <pattern type="File">C:\Dir1\Dir2* [.txt]</pattern>

    Component 2:
    • Include rule: <pattern type="File">C:\Dir1\Dir2* [.txt]</pattern>
    • Exclude rule: <pattern type="File">C:\Dir1* []</pattern>
    | Migrates all files and subfolders of C:\Dir1\ (including C:\Dir1\Dir2). | Rules that are in different components do not affect each other, except for the <unconditionalExclude> rule. Therefore, in this example, although some .txt files were excluded when Component 1 was processed, they were included when Component 2 was processed. | +| Component 1:
    • Include rule: <pattern type="File">C:\Dir1* []</pattern>
    • Exclude rule: <pattern type="File">C:\Dir1\Dir2* [.txt]</pattern>

    Component 2:
    • Include rule: <pattern type="File">C:\Dir1\Dir2* [.txt]</pattern>
    • Exclude rule: <pattern type="File">C:\Dir1* []</pattern>
    | Migrates all files and subfolders of C:\Dir1\ (including C:\Dir1\Dir2). | Rules that are in different components don't affect each other, except for the **<unconditionalExclude>** rule. Therefore, in this example, although some .txt files were excluded when Component 1 was processed, they were included when Component 2 was processed. | | Component 1:
    • Include rule: C:\Dir1\Dir2* []

    Component 2:
    • Exclude rule: C:\Dir1* [.txt]
    | Migrates all files and subfolders from Dir2 except the .txt files in C:\Dir1 and its subfolders. | Both rules are processed as intended. | -| Component 1:
    • Exclude rule: C:\Dir1\Dir2* []

    Component 2:
    • Include rule: C:\Dir1* [.txt]
    | Migrates all .txt files in Dir1 and any subfolders. | Component 1 does not contain an <include> rule, so the <exclude> rule is not processed. | +| Component 1:
    • Exclude rule: C:\Dir1\Dir2* []

    Component 2:
    • Include rule: C:\Dir1* [.txt]
    | Migrates all .txt files in Dir1 and any subfolders. | Component 1 doesn't contain an **<include>** rule, so the **<exclude>** rule isn't processed. | -### Including and excluding registry objects +### Including and excluding registry objects | If you have the following code in the same component | Resulting behavior | Explanation | |-----|-----|-----| |
    • Include rule:
      HKLM\Software\Microsoft\Command Processor* []
    • Exclude Rule:
      HKLM\Software\Microsoft\Command Processor [DefaultColor]
    | Migrates all keys in HKLM\Software\Microsoft\Command Processor except DefaultColor. | Both rules are processed as intended. | -|
    • Include rule:
      HKLM\Software\Microsoft\Command Processor [DefaultColor]
    • Exclude Rule:
      HKLM\Software\Microsoft\Command Processor* []
    | Migrates only DefaultColor in HKLM\Software\Microsoft\Command Processor. | DefaultColor is migrated because the <include> rule is more specific than the <exclude> rule. | -|
    • Include rule:
      HKLM\Software\Microsoft\Command Processor [DefaultColor]
    • Exclude rule:
      HKLM\Software\Microsoft\Command Processor [DefaultColor]
    | Does not migrate DefaultColor. | The rules are equally specific, so the <exclude> rule takes precedence over the <include> rule. | +|
    • Include rule:
      HKLM\Software\Microsoft\Command Processor [DefaultColor]
    • Exclude Rule:
      HKLM\Software\Microsoft\Command Processor* []
    | Migrates only DefaultColor in HKLM\Software\Microsoft\Command Processor. | DefaultColor is migrated because the **<include>** rule is more specific than the **<exclude>** rule. | +|
    • Include rule:
      HKLM\Software\Microsoft\Command Processor [DefaultColor]
    • Exclude rule:
      HKLM\Software\Microsoft\Command Processor [DefaultColor]
    | Doesn't migrate DefaultColor. | The rules are equally specific, so the **<exclude>** rule takes precedence over the <include> rule. | | If you have the following code in different components | Resulting behavior | Explanation | |-----|-----|-----| -| Component 1:
    • Include rule:
      HKLM\Software\Microsoft\Command Processor [DefaultColor]
    • Exclude rule:
      HKLM\Software\Microsoft\Command Processor* []

    Component 2:
    • Include rule:
      HKLM\Software\Microsoft\Command Processor* []
    • Exclude rule:
      HKLM\Software\Microsoft\Command Processor [DefaultColor]
    | Migrates all the keys/values under HKLM\Software\Microsoft\Command Processor. | Rules that are in different components do not affect each other, except for the <unconditionalExclude> rule. Therefore, in this example, the objects that were excluded when Component 1 was processed were included when Component 2 was processed. | +| Component 1:
    • Include rule:
      HKLM\Software\Microsoft\Command Processor [DefaultColor]
    • Exclude rule:
      HKLM\Software\Microsoft\Command Processor* []

    Component 2:
    • Include rule:
      HKLM\Software\Microsoft\Command Processor* []
    • Exclude rule:
      HKLM\Software\Microsoft\Command Processor [DefaultColor]
    | Migrates all the keys/values under HKLM\Software\Microsoft\Command Processor. | Rules that are in different components don't affect each other, except for the **<unconditionalExclude>** rule. Therefore, in this example, the objects that were excluded when Component 1 was processed were included when Component 2 was processed. | ## File collisions -### What is the default behavior when there are file collisions? +### What is the default behavior when there are file collisions? -If there is not a <merge> rule, the default behavior for the registry is for the source to overwrite the destination. The default behavior for files is for the source to be renamed incrementally: for example, OriginalFileName(1).OriginalExtension, OriginalFileName(2).OriginalExtension, and so on. +If there isn't a **<merge>** rule, the default behavior for the registry is for the source to overwrite the destination. The default behavior for files is for the source to be renamed incrementally: for example, OriginalFileName(1).OriginalExtension, OriginalFileName(2).OriginalExtension, and so on. -### How does the <merge> rule work when there are file collisions? +### How does the <merge> rule work when there are file collisions? -When a collision is detected, USMT will select the most specific <merge> rule and apply it to resolve the conflict. For example, if you have a <merge> rule for C:\\\* \[\*\] set to **sourcePriority()** and another <merge> rule for C:\\subfolder\\\* \[\*\] set to **destinationPriority()** , then USMT uses the destinationPriority() rule because it is the most specific. +When a collision is detected, USMT will select the most specific **<merge>** rule and apply it to resolve the conflict. For example, if you have a **<merge>** rule for **C:\\\* \[\*\]** set to **sourcePriority()** and another **<merge>** rule for **C:\\subfolder\\\* \[\*\]** set to **destinationPriority()** , then USMT uses the **destinationPriority()** rule because it's the most specific. ### Example scenario The source computer contains the following files: -- C:\\Data\\SampleA.txt +- `C:\Data\SampleA.txt` -- C:\\Data\\SampleB.txt +- `C:\Data\SampleB.txt` -- C:\\Data\\Folder\\SampleB.txt +- `C:\Data\Folder\SampleB.txt` The destination computer contains the following files: -- C:\\Data\\SampleB.txt +- `C:\Data\SampleB.txt` -- C:\\Data\\Folder\\SampleB.txt +- `C:\Data\SampleB.txt` You have a custom .xml file that contains the following code: -``` xml +```xml c:\data\* [*] @@ -217,7 +191,7 @@ You have a custom .xml file that contains the following code: For this example, the following information describes the resulting behavior if you add the code to your custom .xml file. -**Example 1** +#### Example 1 ```xml @@ -227,9 +201,9 @@ For this example, the following information describes the resulting behavior if ``` -**Result**: During ScanState, all the files will be added to the store. During LoadState, only C:\Data\SampleA.txt will be restored. +**Result**: During ScanState, all the files will be added to the store. During LoadState, only `C:\Data\SampleA.txt` will be restored. -**Example 2** +#### Example 2 ```xml @@ -242,7 +216,7 @@ For this example, the following information describes the resulting behavior if **Result**: During ScanState, all the files will be added to the store. During LoadState, all the files will be restored, overwriting the existing files on the destination computer. -**Example 3** +#### Example 3 ```xml @@ -252,12 +226,12 @@ During LoadState, all the files will be restored, overwriting the existing files ``` -**Result**: During ScanState, all the files will be added to the store. During LoadState, the following will occur: +**Result**: During ScanState, all the files will be added to the store. During LoadState, the following actions will occur: -- C:\Data\SampleA.txt will be restored. -- C:\Data\SampleB.txt will be restored, overwriting the existing file on the destination computer. -- C:\Data\Folder\SampleB.txt will not be restored. +- `C:\Data\SampleA.txt` will be restored. +- `C:\Data\SampleB.txt` will be restored, overwriting the existing file on the destination computer. +- `C:\Data\Folder\SampleB.txt` won't be restored. -## Related topics +## Related articles -[USMT XML Reference](usmt-xml-reference.md) +[USMT XML reference](usmt-xml-reference.md) diff --git a/windows/deployment/usmt/usmt-custom-xml-examples.md b/windows/deployment/usmt/usmt-custom-xml-examples.md index 5531154de7..88db104333 100644 --- a/windows/deployment/usmt/usmt-custom-xml-examples.md +++ b/windows/deployment/usmt/usmt-custom-xml-examples.md @@ -2,21 +2,27 @@ title: Custom XML Examples (Windows 10) description: Use custom XML examples to learn how to migrate an unsupported application, migrate files and registry keys, and migrate the My Videos folder. ms.reviewer: -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski +author: frankroj ms.topic: article ms.technology: itpro-deploy +ms.date: 11/01/2022 --- # Custom XML Examples -## Example 1: Migrating an Unsupported Application +## Example 1: Migrating an unsupported application -The following is a template for the sections that you need to migrate your application. The template isn't functional on its own, but you can use it to write your own .xml file. +The following template is a template for the sections that you need to migrate your application. The template isn't functional on its own, but you can use it to write your own .xml file. -``` xml +**Template** +
    +
    + Expand to show Example 1 application template: + +```xml @@ -80,25 +86,30 @@ The following is a template for the sections that you need to migrate your appli ``` -## Example 2: Migrating the My Videos Folder +
    -The following sample is a custom .xml file named CustomFile.xml that migrates My Videos for all users, if the folder exists on the source computer. +## Example 2: Migrating the My Videos folder -- **Sample condition**: Verifies that My Videos exists on the source computer: +The following sample is a custom .xml file named `CustomFile.xml` that migrates **My Videos** for all users, if the folder exists on the source computer. + +- **Sample condition**: Verifies that **My Videos** exists on the source computer: `MigXmlHelper.DoesObjectExist("File","%CSIDL_MYVIDEO%")` -- **Sample filter**: Filters out the shortcuts in My Videos that don't resolve on the destination computer: +- **Sample filter**: Filters out the shortcuts in **My Videos** that don't resolve on the destination computer: `` - This has no effect on files that aren't shortcuts. For example, if there's a shortcut in My Videos on the source computer that points to C:\Folder1, that shortcut will be migrated only if C:\Folder1 exists on the destination computer. However, all other files, such as .mp3 files, migrate without any filtering. + This filter has no effect on files that aren't shortcuts. For example, if there's a shortcut in **My Videos** on the source computer that points to `C:\Folder1`, that shortcut will be migrated only if `C:\Folder1` exists on the destination computer. However, all other files, such as .mp3 files, migrate without any filtering. -- **Sample pattern**: Migrates My Videos for all users: +- **Sample pattern**: Migrates **My Videos** for all users: `%CSIDL_MYVIDEO%* [*]` **XML file** +
    +
    + Expand to show Example 2 XML file: ```xml @@ -123,11 +134,13 @@ The following sample is a custom .xml file named CustomFile.xml that migrates My ``` -## Example 3: Migrating Files and Registry Keys +
    + +## Example 3: Migrating files and registry keys The sample patterns describe the behavior in the following example .xml file. -- **Sample pattern**: Migrates all instances of the file Usmttestfile.txt from all subdirectories under `%ProgramFiles%\USMTTestFolder`: +- **Sample pattern**: Migrates all instances of the file `Usmttestfile.txt` from all subdirectories under `%ProgramFiles%\USMTTestFolder`: `%ProgramFiles%\USMTTestFolder* [USMTTestFile.txt]` @@ -144,8 +157,11 @@ The sample patterns describe the behavior in the following example .xml file. `HKLM\Software\USMTTESTKEY* []` **XML file** +
    +
    + Expand to show Example 3 XML file: -``` xml +```xml File Migration Test @@ -176,12 +192,18 @@ The sample patterns describe the behavior in the following example .xml file. ``` -## Example 4: Migrating Specific Folders from Various Locations +
    +## Example 4: Migrating specific folders from various locations The behavior for this custom .xml file is described within the `` tags in the code. -``` xml +**XML file** +
    +
    + Expand to show Example 4 XML file: + +```xml @@ -250,8 +272,10 @@ The behavior for this custom .xml file is described within the `` t ``` -## Related topics +
    -[USMT XML Reference](usmt-xml-reference.md) +## Related articles -[Customize USMT XML Files](usmt-customize-xml-files.md) +[USMT XML reference](usmt-xml-reference.md) + +[Customize USMT XML files](usmt-customize-xml-files.md) diff --git a/windows/deployment/usmt/usmt-customize-xml-files.md b/windows/deployment/usmt/usmt-customize-xml-files.md index 9092cef4af..9b4a91454c 100644 --- a/windows/deployment/usmt/usmt-customize-xml-files.md +++ b/windows/deployment/usmt/usmt-customize-xml-files.md @@ -2,135 +2,102 @@ title: Customize USMT XML Files (Windows 10) description: Learn how to customize USMT XML files. Also, learn about the migration XML files that are included with USMT. ms.reviewer: -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski -ms.date: 04/19/2017 +author: frankroj +ms.date: 11/01/2022 ms.topic: article ms.technology: itpro-deploy --- -# Customize USMT XML Files +# Customize USMT XML files +## Overview -## In This Topic +If you want the ScanState and LoadState tools to use any of the migration .xml files, specify these files at the command line using the `/i` option. Because the ScanState and LoadState tools need the .xml files to control the migration, specify the same set of .xml files for both the `ScanState.exe` and `LoadState.exe` commands. However, you don't have to specify the `Config.xml` file with the `/config` option, unless you want to exclude some of the files and settings that you migrated to the store. For example, you might want to migrate the My Documents folder to the store but not to the destination computer. To achieve this scenario, modify the `Config.xml` file and specify the updated file with the `LoadState.exe` command. Then the `LoadState.exe` command will migrate only the files and settings that you want to migrate. +If you leave out an .xml file from the `LoadState.exe` command, all of the data in the store that was migrated with the missing .xml files will be migrated. However, the migration rules that were specified with the `ScanState.exe` command won't apply. For example, if you leave out an .xml file, and it contains a rerouting rule such as: -[Overview](#bkmk-overview) +`MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")` -[Migration .xml Files](#bkmk-migxml) - -[Custom .xml Files](#bkmk-customxmlfiles) - -[The Config.xml File](#bkmk-configxml) - -[Examples](#bkmk-examples) - -[Additional Information](#bkmk-addlinfo) - -## Overview - - -If you want the **ScanState** and **LoadState** tools to use any of the migration .xml files, specify these files at the command line using the **/i** option. Because the **ScanState** and **LoadState** tools need the .xml files to control the migration, specify the same set of .xml files for both the **ScanState** and **LoadState** commands. However, you do not have to specify the Config.xml file with the **/config** option, unless you want to exclude some of the files and settings that you migrated to the store. For example, you might want to migrate the My Documents folder to the store but not to the destination computer. To do this, modify the Config.xml file and specify the updated file with the **LoadState** command. Then the **LoadState** command will migrate only the files and settings that you want to migrate. - -If you leave out an .xml file from the **LoadState** command, all of the data in the store that was migrated with the missing .xml files will be migrated. However, the migration rules that were specified with the **ScanState** command will not apply. For example, if you leave out an .xml file, and it contains a rerouting rule such as: `MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")`, USMT will not reroute the files, and they will be migrated to C:\\data. +USMT won't reroute the files, and they'll be migrated to `C:\data`. To modify the migration, do one or more of the following. -- **Modify the migration .xml files.** If you want to exclude a portion of a component—for example, you want to migrate C:\\ but exclude all of the .mp3 files—or if you want to move data to a new location on the destination computer, modify the .xml files. To modify these files, you must be familiar with the migration rules and syntax. If you want **ScanState** and **LoadState** to use these files, specify them at the command line when each command is entered. +- **Modify the migration .xml files.** If you want to exclude a portion of a component, for example, you want to migrate C:\\ but exclude all of the .mp3 files, or if you want to move data to a new location on the destination computer, modify the .xml files. To modify these files, you must be familiar with the migration rules and syntax. If you want ScanState and LoadState to use these files, specify them at the command line when each command is entered. -- **Create a custom .xml file.** You can also create a custom .xml file to migrate settings for another application, or to change the migration behavior to suit your needs. For **ScanState** and **LoadState** to use this file, specify them on both command lines. +- **Create a custom .xml file.** You can also create a custom .xml file to migrate settings for another application, or to change the migration behavior to suit your needs. For ScanState and LoadState to use this file, specify them on both command lines. -- **Create and modify a Config.xml file.** Do this if you want to exclude an entire component from the migration. For example, you can use a Config.xml file to exclude the entire My Documents folder, or exclude the settings for an application. Excluding components using a Config.xml file is easier than modifying the migration .xml files because you do not need to be familiar with the migration rules and syntax. In addition, using a Config.xml file is the only way to exclude the operating system settings from being migrated. +- **Create and modify a Config.xml file.** Create and modify a `Config.xml` file if you want to exclude an entire component from the migration. For example, you can use a `Config.xml` file to exclude the entire My Documents folder, or exclude the settings for an application. Excluding components using a `Config.xml` file is easier than modifying the migration .xml files because you don't need to be familiar with the migration rules and syntax. In addition, using a `Config.xml` file is the only way to exclude the operating system settings from being migrated. -For more information about excluding data, see the [Exclude Files and Settings](usmt-exclude-files-and-settings.md) topic. +For more information about excluding data, see the [Exclude Files and Settings](usmt-exclude-files-and-settings.md) article. -## Migration .xml Files +## Migration .xml files +This section describes the migration .xml files that are included with USMT. Each file contains migration rules that control which components are migrated and where they're migrated to on the destination computer. -This section describes the migration .xml files that are included with USMT. Each file contains migration rules that control which components are migrated and where they are migrated to on the destination computer. +> [!NOTE] +> You can use the asterisk (\*) wildcard character in each of these files. However, you cannot use a question mark (?) as a wildcard character. -**Note**   -You can use the asterisk (\*) wildcard character in each of these files. However, you cannot use a question mark (?) as a wildcard character. +- **The MigApp.xml file.** Specify this file with both the `ScanState.exe` and `LoadState.exe` commands to migrate application settings. - +- **The MigDocs.xml file.** Specify this file with both the ScanState and LoadState tools to migrate all user folders and files that are found by the **MigXmlHelper.GenerateDocPatterns** helper function. This helper function finds user data that resides on the root of any drive and in the Users directory. However, it doesn't find and migrate any application data, program files, or any files in the Windows directory. You can modify the `MigDocs.xml` file. -- **The MigApp.xml file.** Specify this file with both the **ScanState** and **LoadState** commands to migrate application settings. +- **The MigUser.xml file.** Specify this file with both the `ScanState.exe` and `LoadState.exe` commands to migrate user folders, files, and file types. You can modify the `MigUser.xml` file. This file doesn't contain rules that migrate specific user accounts. The only way to specify which user accounts to migrate is on the command line using the ScanState and the LoadState user options. -- **The MigDocs.xml file.** Specify this file with both the **ScanState** and **LoadState** tools to migrate all user folders and files that are found by the **MigXmlHelper.GenerateDocPatterns** helper function. This helper function finds user data that resides on the root of any drive and in the Users directory. However, it does not find and migrate any application data, program files, or any files in the Windows directory. You can modify the MigDocs.xml file. +> [!NOTE] +> Don't use the `MigUser.xml` and `MigDocs.xml` files together. For more information, see the [Identify file types, files, and folders](usmt-identify-file-types-files-and-folders.md) and [USMT best practices](usmt-best-practices.md) articles. -- **The MigUser.xml file.** Specify this file with both the **ScanState** and **LoadState** commands to migrate user folders, files, and file types. You can modify the MigUser.xml file. This file does not contain rules that migrate specific user accounts. The only way to specify which user accounts to migrate is on the command line using the **ScanState** and the **LoadState** user options. +## Custom .xml files - **Note**   - Do not use the MigUser.xml and MigDocs.xml files together. For more information, see the [Identify File Types, Files, and Folders](usmt-identify-file-types-files-and-folders.md) and [USMT Best Practices](usmt-best-practices.md) topics. +You can create custom .xml files to customize the migration for your unique needs. For example, you may want to create a custom file to migrate a line-of-business application or to modify the default migration behavior. If you want `ScanState.exe` and `LoadState.exe` to use this file, specify it with both commands. For more information, see the [Custom XML examples](usmt-custom-xml-examples.md) article. - +## The Config.xml file -## Custom .xml Files +The `Config.xml` file is an optional file that you create using the `/genconfig` option with the `ScanState.exe` command. You should create and modify this file if you want to exclude certain components from the migration. In addition, you must create and modify this file if you want to exclude any of the operating system settings from being migrated. The `Config.xml` file format is different from the migration .xml files because it doesn't contain any migration rules. It contains only a list of the operating system components, applications, and the user documents that can be migrated. For an example, see the [Config.xml File](usmt-configxml-file.md) article. For this reason, excluding components using this file is easier than modifying the migration .xml files because you don't need to be familiar with the migration rules and syntax. However, you can't use wildcard characters in a `Config.xml` file. +If you want to include all of the default components, you don't need to create the `Config.xml` file. Alternatively, if you're satisfied with the default migration behavior defined in the `MigApp.xml`, `MigDocs.xml`, and `MigUser.xml` files, and you want to exclude only some components, you can create and modify a `Config.xml` file and leave the other .xml files in their original state. -You can create custom .xml files to customize the migration for your unique needs. For example, you may want to create a custom file to migrate a line-of-business application or to modify the default migration behavior. If you want **ScanState** and **LoadState** to use this file, specify it with both commands. For more information, see the How to Create a Custom .xml File topic. +When you run the `ScanState.exe` command with the `/genconfig` option, `ScanState.exe` reads the other .xml files that you specify using the `/i` option to create a custom list of components that can be migrated from the computer. This file will contain only operating system components, applications, and the user document sections that are in both of the .xml files and that are installed on the computer when you run the `ScanState.exe` command with the `/genconfig` option. Therefore, you should create this file on a source computer that contains all of the components, applications, and settings that will be present on the destination computers. Creating the file on the source computer will ensure that this file contains every component that can be migrated. The components are organized into sections: <Applications>, <WindowsComponents>, and <Documents>. To choose not to migrate a component, change its entry to `migrate="no"`. -## The Config.xml File +After you create this file, you need to specify it only with the `ScanState.exe` command using the `/Config` option for it to affect the migration. However, if you want to exclude additional data that you migrated to the store, modify the `Config.xml` file and specify the updated file with the `LoadState.exe` command. For example, if you collected the My Documents folder in the store, but you decide that you don't want to migrate the My Documents folder to a destination computer, you can modify the `Config.xml` file to indicate `migrate="no"` before you run the `LoadState.exe` command, and the file won't be migrated. For more information about the precedence that takes place when excluding data, see the [Exclude files and settings](usmt-exclude-files-and-settings.md) article. +In addition, note the following functionality with the `Config.xml` file: -The Config.xml file is an optional file that you create using the **/genconfig** option with the **ScanState** command. You should create and modify this file if you want to exclude certain components from the migration. In addition, you must create and modify this file if you want to exclude any of the operating system settings from being migrated. The Config.xml file format is different from that of the migration .xml files because it does not contain any migration rules. It contains only a list of the operating system components, applications, and the user documents that can be migrated. For an example, see the [Config.xml File](usmt-configxml-file.md) topic. For this reason, excluding components using this file is easier than modifying the migration .xml files because you do not need to be familiar with the migration rules and syntax. However, you cannot use wildcard characters in a Config.xml file. +- If a parent component is removed from the migration in the `Config.xml` file by specifying `migrate="no"`, all of its child components will automatically be removed from the migration, even if the child component is set to `migrate="yes"`. -If you want to include all of the default components, you do not need to create the Config.xml file. Alternatively, if you are satisfied with the default migration behavior defined in the MigApp.xml, MigDocs.xml, and MigUser.xml files, and you want to exclude only some components, you can create and modify a Config.xml file and leave the other .xml files in their original state. +- If you mistakenly have two lines of code for the same component where one line specifies `migrate="no"` and the other line specifies `migrate="yes"`, the component will be migrated. -When you run the **ScanState** command with the **/genconfig** option, **ScanState** reads the other .xml files that you specify using the **/i** option to create a custom list of components that can be migrated from the computer. This file will contain only operating system components, applications, and the user document sections that are in both of the .xml files and that are installed on the computer when you run the **ScanState** command with the **/genconfig** option. Therefore, you should create this file on a source computer that contains all of the components, applications, and settings that will be present on the destination computers. This will ensure that this file contains every component that can be migrated. The components are organized into sections: <Applications>, <WindowsComponents>, and <Documents>. To choose not to migrate a component, change its entry to `migrate="no"`. +- In USMT, there are several migration policies that can be configured in the `Config.xml` file. For example, you can configure additional **<ErrorControl>**, **<ProfileControl>**, and **<HardLinkStoreControl>** options. For more information, see the [Config.xml File](usmt-configxml-file.md) article. -After you create this file, you need to specify it only with the **ScanState** command using the **/Config** option for it to affect the migration. However, if you want to exclude additional data that you migrated to the store, modify the Config.xml file and specify the updated file with the **LoadState** command. For example, if you collected the My Documents folder in the store, but you decide that you do not want to migrate the My Documents folder to a destination computer, you can modify the Config.xml file to indicate `migrate="no"` before you run the **LoadState** command, and the file will not be migrated. For more information about the precedence that takes place when excluding data, see the [Exclude Files and Settings](usmt-exclude-files-and-settings.md) topic. +> [!NOTE] +> To exclude a component from the `Config.xml` file, set the **migrate** value to **"no"**. Deleting the XML tag for the component from the `Config.xml` file will not exclude the component from your migration. -In addition, note the following functionality with the Config.xml file: +### Examples -- If a parent component is removed from the migration in the Config.xml file by specifying `migrate="no"`, all of its child components will automatically be removed from the migration, even if the child component is set to `migrate="yes"`. +- The following command creates a `Config.xml` file in the current directory, but it doesn't create a store: -- If you mistakenly have two lines of code for the same component where one line specifies `migrate="no"` and the other line specifies `migrate="yes"`, the component will be migrated. + `ScanState.exe /i:MigApp.xml /i:MigDocs.xml /genconfig:Config.xml /v:5` -- In USMT there are several migration policies that can be configured in the Config.xml file. For example, you can configure additional **<ErrorControl>**, **<ProfileControl>**, and **<HardLinkStoreControl>** options. For more information, see the [Config.xml File](usmt-configxml-file.md) topic. +- The following command creates an encrypted store using the `Config.xml` file and the default migration .xml files: -**Note**   -To exclude a component from the Config.xml file, set the **migrate** value to **"no"**. Deleting the XML tag for the component from the Config.xml file will not exclude the component from your migration. + `ScanState.exe \\server\share\migration\mystore /i:MigApp.xml /i:MigDocs.xml /o /config:Config.xml /v:5 /encrypt /key:"mykey"` - +- The following command decrypts the store and migrates the files and settings: -### Examples + `LoadState.exe \\server\share\migration\mystore /i:MigApp.xml /i:MigDocs.xml /v:5 /decrypt /key:"mykey"` -- The following command creates a Config.xml file in the current directory, but it does not create a store: +## Additional information - `scanstate /i:migapp.xml /i:migdocs.xml /genconfig:config.xml /v:5` - -- The following command creates an encrypted store using the Config.xml file and the default migration .xml files: - - `scanstate \\server\share\migration\mystore /i:migapp.xml /i:migdocs.xml /o /config:config.xml /v:5 /encrypt /key:"mykey"` - -- The following command decrypts the store and migrates the files and settings: - - `loadstate \\server\share\migration\mystore /i:migapp.xml /i:migdocs.xml /v:5 /decrypt /key:"mykey"` - -## Additional Information - - -- For more information about how to change the files and settings that are migrated, see the [User State Migration Tool (USMT) How-to topics](usmt-how-to.md). - -- For more information about each .xml element, see the [XML Elements Library](usmt-xml-elements-library.md) topic. - -- For answers to common questions, see ".xml files" in the [Frequently Asked Questions](usmt-faq.yml) topic. - -## Related topics - - -[User State Migration Tool (USMT) Command-line Syntax](usmt-command-line-syntax.md) - -[USMT Resources](usmt-resources.md) - - - - +- For more information about how to change the files and settings that are migrated, see the [User State Migration Tool (USMT) how-to topics](usmt-how-to.md). +- For more information about each .xml element, see the [XML elements library](usmt-xml-elements-library.md) article. +- For answers to common questions, see ".xml files" in the [Frequently asked questions](usmt-faq.yml) article. +## Related articles +[User State Migration Tool (USMT) command-line syntax](usmt-command-line-syntax.md) +[USMT resources](usmt-resources.md) diff --git a/windows/deployment/usmt/usmt-determine-what-to-migrate.md b/windows/deployment/usmt/usmt-determine-what-to-migrate.md index 5f9cda4b77..ed6b5bc177 100644 --- a/windows/deployment/usmt/usmt-determine-what-to-migrate.md +++ b/windows/deployment/usmt/usmt-determine-what-to-migrate.md @@ -1,33 +1,41 @@ --- title: Determine What to Migrate (Windows 10) -description: Determine migration settings for standard or customized for the User State Migration Tool (USMT) 10.0. +description: Determine migration settings for standard or customized for the User State Migration Tool (USMT) 10.0. ms.reviewer: -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski -ms.date: 04/19/2017 +author: frankroj +ms.date: 11/01/2022 ms.topic: article ms.technology: itpro-deploy --- -# Determine What to Migrate +# Determine what to migrate -By default, User State Migration Tool (USMT) 10.0 migrates the items listed in [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md), depending on the migration .xml files you specify. These default settings are often enough for a basic migration. +By default, User State Migration Tool (USMT) 10.0 migrates the items listed in [What does USMT migrate?](usmt-what-does-usmt-migrate.md), depending on the migration .xml files you specify. These default settings are often enough for a basic migration. However, when considering what settings to migrate, you should also consider what settings you would like the user to be able to configure, if any, and what settings you would like to standardize. Many organizations use their migration as an opportunity to create and begin enforcing a better-managed environment. Some of the settings that users can configure on unmanaged computers prior to the migration can be locked on the new, managed computers. For example, standard wallpaper, Internet Explorer security settings, and desktop configuration are some of the items you can choose to standardize. -To reduce complexity and increase standardization, your organization should consider creating a *standard operating environment (SOE)*. An SOE is a combination of hardware and software that you distribute to all users. This means selecting a baseline for all computers, including standard hardware drivers; core operating system features; core productivity applications, especially if they are under volume licensing; and core utilities. This environment should also include a standard set of security features, as outlined in the organization’s corporate policy. Using a standard operating environment can vastly simplify the migration and reduce overall deployment challenges. +To reduce complexity and increase standardization, your organization should consider creating a *standard operating environment (SOE)*. An SOE is a combination of hardware and software that you distribute to all users. Creating an SOE means selecting: -## In This Section +- A baseline for all computers, including standard hardware drivers +- Core operating system features +- Core productivity applications, especially if they are under volume licensing +- Core utilities. +- A standard set of security features, as outlined in the organization's corporate policy + +Using an SOE can vastly simplify the migration and reduce overall deployment challenges. + +## In this section | Link | Description | |--- |--- | -|[Identify Users](usmt-identify-users.md)|Use command-line options to specify which users to migrate and how they should be migrated.| -|[Identify Applications Settings](usmt-identify-application-settings.md)|Determine which applications you want to migrate and prepare a list of application settings to be migrated.| -|[Identify Operating System Settings](usmt-identify-operating-system-settings.md)|Use migration to create a new standard environment on each of the destination computers.| -|[Identify File Types, Files, and Folders](usmt-identify-file-types-files-and-folders.md)|Determine and locate the standard, company-specified, and non-standard locations of the file types, files, folders, and settings that you want to migrate.| +|[Identify users](usmt-identify-users.md)|Use command-line options to specify which users to migrate and how they should be migrated.| +|[Identify applications settings](usmt-identify-application-settings.md)|Determine which applications you want to migrate and prepare a list of application settings to be migrated.| +|[Identify operating system settings](usmt-identify-operating-system-settings.md)|Use migration to create a new standard environment on each of the destination computers.| +|[Identify file types, files, and folders](usmt-identify-file-types-files-and-folders.md)|Determine and locate the standard, company-specified, and non-standard locations of the file types, files, folders, and settings that you want to migrate.| -## Related topics +## Related articles -[What Does USMT Migrate?](usmt-what-does-usmt-migrate.md) +[What does USMT migrate?](usmt-what-does-usmt-migrate.md) diff --git a/windows/deployment/usmt/usmt-estimate-migration-store-size.md b/windows/deployment/usmt/usmt-estimate-migration-store-size.md index 28acdba266..2e1ddfc773 100644 --- a/windows/deployment/usmt/usmt-estimate-migration-store-size.md +++ b/windows/deployment/usmt/usmt-estimate-migration-store-size.md @@ -2,91 +2,77 @@ title: Estimate Migration Store Size (Windows 10) description: Estimate the disk space requirement for a migration so that you can use User State Migration Tool (USMT). ms.reviewer: -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski -ms.date: 04/19/2017 +author: frankroj +ms.date: 11/01/2022 ms.topic: article ms.technology: itpro-deploy --- -# Estimate Migration Store Size - +# Estimate migration store size The disk space requirements for a migration are dependent on the size of the migration store and the type of migration. You can estimate the amount of disk space needed for computers in your organization based on information about your organization's infrastructure. You can also calculate the disk space requirements using the ScanState tool. -## In This Topic +## Hard disk space requirements +- **Store**: For non-hard-link migrations, you should ensure that there's enough available disk space at the location where you'll save your store to contain the data being migrated. You can save your store to another partition, an external storage device such as a USB flash drive or a server. For more information, see [Choose a Migration Store Type](usmt-choose-migration-store-type.md). -- [Hard Disk Space Requirements](#bkmk-spacereqs). Describes the disk space requirements for the migration store and other considerations on the source and destination computers. +- **Source Computer**: The source computer needs enough available space for the following items: -- [Calculate Disk Space Requirements Using the ScanState Tool](#bkmk-calcdiskspace). Describes how to use the ScanState tool to determine how large the migration store will be on a particular computer. + - **E250 megabytes (MB) minimum of hard disk space**: Space is needed to support the User State Migration Tool (USMT) 10.0 operations, for example, growth in the page file. If every volume involved in the migration is formatted as NTFS, 250 MB should be enough space to ensure success for almost every hard-link migration, regardless of the size of the migration. The USMT tools won't create the migration store if 250 MB of disk space isn't available. -- [Estimate Migration Store Size](#bkmk-estmigstoresize). Describes how to estimate the average size of migration stores for the computers in your organization, based on your infrastructure. + - **Temporary space for USMT to run**: Extra disk space for the USMT tools to operate is required. This disk space requirement doesn't include the minimum 250 MB needed to create the migration store. The amount of temporary space required can be calculated using the ScanState tool. -## Hard Disk Space Requirements + - **Hard-link migration store**: It isn't necessary to estimate the size of a hard-link migration store. The only case where the hard-link store can be large is when non-NTFS file volumes exist on the system and those volumes contain data being migrated. +- **Destination computer**: The destination computer needs enough available space for the following components: -- **Store.** For non-hard-link migrations, you should ensure that there is enough available disk space at the location where you will save your store to contain the data being migrated. You can save your store to another partition, an external storage device such as a USB flash drive or a server. For more information, see [Choose a Migration Store Type](usmt-choose-migration-store-type.md). + - **Operating system** -- **Source Computer.** The source computer needs enough available space for the following: + - **Applications** - - [E250 megabytes (MB) minimum of hard disk space.](#bkmk-estmigstoresize) Space is needed to support the User State Migration Tool (USMT) 10.0 operations, for example, growth in the page file. If every volume involved in the migration is formatted as NTFS, 250 MB should be enough space to ensure success for almost every hard-link migration, regardless of the size of the migration. The USMT tools will not create the migration store if 250 MB of disk space is not available. + - **Data being migrated**: Data being migrated includes files and registry information. - - [Temporary space for USMT to run.](#bkmk-estmigstoresize) Extra disk space for the USMT tools to operate is required. This does not include the minimum 250 MB needed to create the migration store. The amount of temporary space required can be calculated using the ScanState tool. + - **Temporary space for USMT to run**: Extra disk space for the USMT tools to operate is required. The amount of temporary space required can be calculated using the ScanState tool. - - [Hard-link migration store.](#bkmk-estmigstoresize) It is not necessary to estimate the size of a hard-link migration store. The only case where the hard-link store can be large is when non-NTFS file systems exist on the system and contain data being migrated. +## Calculate disk space requirements using the ScanState tool -- [Destination computer.](#bkmk-estmigstoresize) The destination computer needs enough available space for the following components: +You can use the ScanState tool to calculate the disk space requirements for a particular compressed or uncompressed migration. It isn't necessary to estimate the migration store size for a hard-link migration since this method doesn't create a separate migration store. The ScanState tool provides disk space requirements for the state of the computer at the time the tool is run. The state of the computer may change during day-to-day use so it's recommended that you use the calculations as an estimate when planning your migration. - - [Operating system.](#bkmk-estmigstoresize) +To run the ScanState tool on the source computer with USMT installed: - - [Applications.](#bkmk-estmigstoresize) +1. Open a command prompt with administrator privileges. - - [Data being migrated.](#bkmk-estmigstoresize) It is important to consider that in addition to the files being migrated, registry information will also require hard disk space for storage. +2. Navigate to the USMT tools. For example, enter: - - [Temporary space for USMT to run.](#bkmk-estmigstoresize) Extra disk space for the USMT tools to operate is required. The amount of temporary space required can be calculated using the ScanState tool. - -## Calculate Disk Space Requirements using the ScanState Tool - - -You can use the ScanState tool to calculate the disk space requirements for a particular compressed or uncompressed migration. It is not necessary to estimate the migration store size for a hard-link migration since this method does not create a separate migration store. The ScanState tool provides disk space requirements for the state of the computer at the time the tool is run. The state of the computer may change during day-to-day use so it is recommended that you use the calculations as an estimate when planning your migration. - -**To run the ScanState tool on the source computer with USMT installed,** - -1. Open a command prompt with administrator privileges. - -2. Navigate to the USMT tools. For example, type - - ``` syntax + ```cmd cd /d "C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\User State Migration Tool\" ``` - Where *<architecture>* is x86 or amd64. + where *<architecture>* is x86 or amd64. -3. Run the **ScanState** tool to generate an XML report of the space requirements. At the command prompt, type +3. Run the **ScanState** tool to generate an XML report of the space requirements. At the command prompt, enter: - ``` syntax + ```cmd ScanState.exe /p: ``` - Where *<StorePath>* is a path to a directory where the migration store will be saved and *<path to a file>* is the path and filename where the XML report for space requirements will be saved. For example, + Where *<StorePath>* is a path to a directory where the migration store will be saved and *<path to a file>* is the path and filename where the XML report for space requirements will be saved. For example: - ``` syntax + ```cmd ScanState.exe c:\store /p:c:\spaceRequirements.xml ``` - The migration store will not be created by running this command, but `StorePath` is a required parameter. + Although a migration store isn't created by running this command, the *<StorePath>* is still a required parameter. -The ScanState tool also allows you to estimate disk space requirements based on a customized migration. For example, you might not want to migrate the My Documents folder to the destination computer. You can specify this condition in a configuration file when you run the ScanState tool. For more information, see [Customize USMT XML Files](usmt-customize-xml-files.md). +The ScanState tool also allows you to estimate disk space requirements based on a customized migration. For example, you might not want to migrate the My Documents folder to the destination computer. You can specify this condition in a configuration file when you run the ScanState tool. For more information, see [Customize USMT XML files](usmt-customize-xml-files.md). -**Note**   -To preserve the functionality of existing applications or scripts that require the previous behavior of USMT, the **/p** option, without specifying *<path to a file>* is still available in USMT. +> [!NOTE] +> To preserve the functionality of existing applications or scripts that require the previous behavior of USMT, the `/p` option is still available in USMT without having to specify the path to a file. See [Monitoring Options](usmt-scanstate-syntax.md#monitoring-options) for more information. - - -The space requirements report provides two elements, <**storeSize**> and <**temporarySpace**>. The <**temporarySpace**> value shows the disk space, in bytes, that USMT uses to operate during the migration—this does not include the minimum 250 MB needed to support USMT. The <**storeSize**> value shows the disk space, in bytes, required to host the migration store contents on both the source and destination computers. The following example shows a report generated using **/p:***<path to a file>*. +The space requirements report provides two elements, <**storeSize**> and <**temporarySpace**>. The <**temporarySpace**> value shows the disk space, in bytes, that USMT uses to operate during the migration but it doesn't include the minimum 250 MB needed to support USMT. The <**storeSize**> value shows the disk space, in bytes, required to host the migration store contents on both the source and destination computers. The following example shows a report generated using `/p:`*<path to a file>*. ```xml @@ -100,38 +86,25 @@ The space requirements report provides two elements, <**storeSize**> and & ``` -Additionally, USMT performs a compliance check for a required minimum of 250 MB of available disk space and will not create a store if the compliance check fails. +Additionally, USMT performs a compliance check for a required minimum of 250 MB of available disk space and won't create a store if the compliance check fails. -## Estimate Migration Store Size +## Estimating migration store size - -Determine how much space you will need to store the migrated data. You should base your calculations on the volume of e-mail, personal documents, and system settings for each user. The best way to estimate the required space is to survey several computers to arrive at an average for the size of the store that you will need. +Determine how much space you'll need to store the migrated data. You should base your calculations on the volume of e-mail, personal documents, and system settings for each user. The best way to estimate the required space is to survey several computers to arrive at an average for the size of the store that you'll need. The amount of space that is required in the store will vary, depending on the local storage strategies your organization uses. For example, one key element that determines the size of migration data sets is e-mail storage. If e-mail is stored centrally, data sets will be smaller. If e-mail is stored locally, such as offline-storage files, data sets will be larger. Mobile users will typically have larger data sets than workstation users. You should perform tests and inventory the network to determine the average data set size in your organization. -**Note**   -You can create a space-estimate file (Usmtsize.txt), by using the legacy **/p** command-line option to estimate the size of the store. +> [!NOTE] +> You can create a space-estimate file (`Usmtsize.txt`) to estimate the size of the store by using the legacy `/p` command-line option . - - -When trying to determine how much disk space you will need, consider the following issues: - -- **E-mail** : If users deal with a large volume of e-mail or keep e-mail on their local computers instead of on a mail server, the e-mail can take up as much disk space as all other user files combined. Prior to migrating user data, make sure that users who store e-mail locally synchronize their inboxes with their mail server. - -- **User documents**: Frequently, all of a user's documents fit into less than 50 MB of space, depending on the types of files involved. This estimate assumes typical office work, such as word-processing documents and spreadsheets. This estimate can vary substantially based on the types of documents that your organization uses. For example, an architectural firm that predominantly uses computer-aided design (CAD) files needs much more space than a law firm that primarily uses word-processing documents. You do not need to migrate the documents that users store on file servers through mechanisms such as Folder Redirection, as long as users will have access to these locations after the migration. - -- **User system settings** Five megabytes is adequate space to save the registry settings. This requirement can fluctuate, however, based on the number of applications that have been installed. It is rare, however, for the user-specific portion of the registry to exceed 5 MB. - -## Related topics - - -[Common Migration Scenarios](usmt-common-migration-scenarios.md) - - - - +When trying to determine how much disk space you'll need, consider the following issues: +- **E-mail**: If users deal with a large volume of e-mail or keep e-mail on their local computers instead of on a mail server, the e-mail can take up as much disk space as all other user files combined. Prior to migrating user data, make sure that users who store e-mail locally synchronize their inboxes with their mail server. +- **User documents**: Frequently, all of a user's documents fit into less than 50 MB of space, depending on the types of files involved. This estimate assumes typical office work, such as word-processing documents and spreadsheets. This estimate can vary substantially based on the types of documents that your organization uses. For example, an architectural firm that predominantly uses computer-aided design (CAD) files needs much more space than a law firm that primarily uses word-processing documents. You don't need to migrate the documents that users store on file servers through mechanisms such as Folder Redirection, as long as users will have access to these locations after the migration. +- **User system settings**: Five megabytes is adequate space to save the registry settings. This requirement can fluctuate, however, based on the number of applications that have been installed. It's rare, however, for the user-specific portion of the registry to exceed 5 MB. +## Related articles +[Common migration scenarios](usmt-common-migration-scenarios.md) diff --git a/windows/deployment/usmt/usmt-exclude-files-and-settings.md b/windows/deployment/usmt/usmt-exclude-files-and-settings.md index 22b7169df1..0956d47d63 100644 --- a/windows/deployment/usmt/usmt-exclude-files-and-settings.md +++ b/windows/deployment/usmt/usmt-exclude-files-and-settings.md @@ -1,52 +1,56 @@ --- title: Exclude Files and Settings (Windows 10) -description: In this article, learn how to exclude files and settings when creating a custom .xml file and a config.xml file. +description: In this article, learn how to exclude files and settings when creating a custom .xml file and a Config.xml file. ms.reviewer: -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski -ms.date: 04/19/2017 +author: frankroj +ms.date: 11/01/2022 ms.topic: article ms.technology: itpro-deploy --- -# Exclude Files and Settings -When you specify the migration .xml files, MigApp.xml, Migdocs, and MigUser.xml, the User State Migration Tool (USMT) 10.0 migrates the settings and components listed, as discussed in [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md) You can create a custom .xml file to further specify what to include or exclude in the migration. In addition you can create a Config.xml file to exclude an entire component from a migration. You cannot, however, exclude users by using the migration .xml files or the Config.xml file. The only way to specify which users to include and exclude is by using the User options on the command line in the ScanState tool. For more information, see [ScanState Syntax](usmt-scanstate-syntax.md). +# Exclude files and settings -In this topic: +When you specify the migration .xml files, `MigApp.xml`, `MigDocs.xml`, and `MigUser.xml`, the User State Migration Tool (USMT) 10.0 migrates the settings and components listed, as discussed in [What does USMT migrate?](usmt-what-does-usmt-migrate.md) You can create a custom .xml file to further specify what to include or exclude in the migration. In addition you can create a `Config.xml` file to exclude an entire component from a migration. You can't, however, exclude users by using the migration .xml files or the `Config.xml` file. The only way to specify which users to include and exclude is by using the user options on the command line in the ScanState tool. For more information, see the [User options](usmt-scanstate-syntax.md#user-options) section of the [ScanState syntax](usmt-scanstate-syntax.md) article. -- [Create a custom .xml file](#create-a-custom-xml-file). You can use the following elements to specify what to exclude: +Methods to customize the migration and include and exclude files and settings include: - - include and exclude: You can use the <include> and <exclude> elements to exclude objects with conditions. For example, you can migrate all files located in the C:\\ drive, except any .mp3 files. It is important to remember that [Conflicts and Precedence](usmt-conflicts-and-precedence.md) apply to these elements. +- [Create a custom .xml file](#create-a-custom-xml-file). You can use the following elements to specify what to exclude: - - [unconditionalExclude](#example-1-how-to-migrate-all-files-from-c-except-mp3-files): You can use the <unconditionalExclude> element to globally exclude data. This element takes precedence over all other include and exclude rules in the .xml files. Therefore, this element excludes objects regardless of any other <include> rules that are in the .xml files. For example, you can exclude all .mp3 files on the computer, or you can exclude all files from C:\\UserData. + - [Include and exclude](#include-and-exclude): You can use the **<include>** and **<exclude>** elements to exclude objects with conditions. For example, you can migrate all files located in the `C:\` drive, except any `.mp3` files. It's important to remember that [Conflicts and precedence](usmt-conflicts-and-precedence.md) apply to these elements. -- [Create a Config.xml File](#create-a-config-xml-file): You can create and modify a Config.xml file to exclude an entire component from the migration. For example, you can use this file to exclude the settings for one of the default applications. In addition, creating and modifying a Config.xml file is the only way to exclude the operating-system settings that are migrated to computers running Windows. Excluding components using this file is easier than modifying the migration .xml files because you do not need to be familiar with the migration rules and syntax. + - [unconditionalExclude](#example-1-how-to-migrate-all-files-from-c-except-mp3-files): You can use the **<unconditionalExclude>** element to globally exclude data. This element takes precedence over all other include and exclude rules in the .xml files. Therefore, this element excludes objects regardless of any other **<include>** rules that are in the .xml files. For example, you can exclude all .mp3 files on the computer, or you can exclude all files from C:\\UserData. + +- [Create a Config.xml file](#create-a-config-xml-file): You can create and modify a `Config.xml` file to exclude an entire component from the migration. For example, you can use this file to exclude the settings for one of the default applications. In addition, creating and modifying a `Config.xml` file is the only way to exclude the operating-system settings that are migrated to computers running Windows. Excluding components using this file is easier than modifying the migration .xml files because you don't need to be familiar with the migration rules and syntax. ## Create a custom .xml file -We recommend that you create a custom .xml file instead of modifying the default migration .xml files. When you use a custom .xml file, you can keep your changes separate from the default .xml files, which makes it easier to track your modifications. + +We recommend that you create a custom .xml file instead of modifying the default migration .xml files. When you use a custom .xml file, you can keep your changes separate from the default .xml file, which makes it easier to track your modifications. ### <include> and <exclude> -The migration .xml files, MigApp.xml, MigDocs, and MigUser.xml, contain the <component> element, which typically represents a self-contained component or an application such as Microsoft® Office Outlook® and Word. To exclude the files and registry settings that are associated with these components, use the <include> and <exclude> elements. For example, you can use these elements to migrate all files and settings with pattern X except files and settings with pattern Y, where Y is more specific than X. For the syntax of these elements, see [USMT XML Reference](usmt-xml-reference.md). -**Note**   -If you specify an <exclude> rule, always specify a corresponding <include> rule. Otherwise, if you do not specify an <include> rule, the specific files or settings will not be included. They will already be excluded from the migration. Thus, an unaccompanied <exclude> rule is unnecessary. +The migration .xml files, `MigApp.xml`, `MigDocs.xml`, and `MigUser.xml`, contain the **<component>** element, which typically represents a self-contained component or an application such as Microsoft® Office Outlook® and Word. To exclude the files and registry settings that are associated with these components, use the **<include>** and **<exclude>** elements. For example, you can use these elements to migrate all files and settings with pattern X except files and settings with pattern Y, where Y is more specific than X. For the syntax of these elements, see [USMT XML Reference](usmt-xml-reference.md). -- [Example 1: How to migrate all files from C:\\ except .mp3 files](#example-1-how-to-migrate-all-files-from-c-except-mp3-files) +> [!NOTE] +> If you specify an **<exclude>** rule, always specify a corresponding **<include>** rule. Otherwise, if you do not specify an **<include>** rule, the specific files or settings will not be included. They will already be excluded from the migration. Thus, an unaccompanied **<exclude>** rule is unnecessary. -- [Example 2: How to migrate all files located in C:\\Data except files in C:\\Data\\tmp](#example-2-how-to-migrate-all-files-located-in-cdata-except-files-in-cdatatmp) +- [Example 1: How to migrate all files from C:\\ except .mp3 files](#example-1-how-to-migrate-all-files-from-c-except-mp3-files) -- [Example 3: How to exclude the files in a folder but include all subfolders](#example-3-how-to-exclude-the-files-in-a-folder-but-include-all-subfolders) +- [Example 2: How to migrate all files located in C:\\Data except files in C:\\Data\\tmp](#example-2-how-to-migrate-all-files-located-in-cdata-except-files-in-cdatatmp) -- [Example 4: How to exclude a file from a specific folder](#example-4-how-to-exclude-a-file-from-a-specific-folder) +- [Example 3: How to exclude the files in a folder but include all subfolders](#example-3-how-to-exclude-the-files-in-a-folder-but-include-all-subfolders) -- [Example 5: How to exclude a file from any location](#example-5-how-to-exclude-a-file-from-any-location) +- [Example 4: How to exclude a file from a specific folder](#example-4-how-to-exclude-a-file-from-a-specific-folder) + +- [Example 5: How to exclude a file from any location](#example-5-how-to-exclude-a-file-from-any-location) + +### Example 1: How to migrate all files from `C:\` except `.mp3` files -### Example 1: How to migrate all files from C:\\ except .mp3 files The following .xml file migrates all files located on the C: drive, except any .mp3 files. -``` xml +```xml @@ -68,10 +72,12 @@ The following .xml file migrates all files located on the C: drive, except any . ``` -### Example 2: How to migrate all files located in C:\\Data except files in C:\\Data\\tmp -The following .xml file migrates all files and subfolders in C:\\Data, except the files and subfolders in C:\\Data\\tmp. -``` xml +### Example 2: How to migrate all files located in `C:\Data` except files in `C:\Data\tmp` + +The following .xml file migrates all files and subfolders in `C:\Data`, except the files and subfolders in `C:\Data\tmp`. + +```xml Test component @@ -94,9 +100,10 @@ The following .xml file migrates all files and subfolders in C:\\Data, except th ``` ### Example 3: How to exclude the files in a folder but include all subfolders -The following .xml file migrates any subfolders in C:\\EngineeringDrafts, but excludes all files that are in C:\\EngineeringDrafts. -``` xml +The following .xml file migrates any subfolders in `C:\`EngineeringDrafts`, but excludes all files that are in `C:\EngineeringDrafts`. + +```xml Component to migrate all Engineering Drafts Documents without subfolders @@ -119,9 +126,10 @@ The following .xml file migrates any subfolders in C:\\EngineeringDrafts, but ex ``` ### Example 4: How to exclude a file from a specific folder -The following .xml file migrates all files and subfolders in C:\\EngineeringDrafts, except for the Sample.doc file in C:\\EngineeringDrafts. -``` xml +The following .xml file migrates all files and subfolders in `C:\EngineeringDrafts`, except for the `Sample.doc` file in `C:\EngineeringDrafts`. + +```xml Component to migrate all Engineering Drafts Documents except Sample.doc @@ -144,24 +152,28 @@ The following .xml file migrates all files and subfolders in C:\\EngineeringDraf ``` ### Example 5: How to exclude a file from any location -To exclude a Sample.doc file from any location on the C: drive, use the <pattern> element. If multiple files exist with the same name on the C: drive, all of these files will be excluded. -``` xml +To exclude a Sample.doc file from any location on the C: drive, use the **<pattern>** element. If multiple files exist with the same name on the C: drive, all of these files will be excluded. + +```xml C:\* [Sample.doc] ``` -To exclude a Sample.doc file from any drive on the computer, use the <script> element. If multiple files exist with the same name, all of these files will be excluded. +To exclude a Sample.doc file from any drive on the computer, use the **<script>** element. If multiple files exist with the same name, all of these files will be excluded. -``` xml +```xml ``` + #### Examples of how to use XML to exclude files, folders, and registry keys + Here are some examples of how to use XML to exclude files, folders, and registry keys. For more info, see [USMT XML Reference](usmt-xml-reference.md) -**Example 1: How to exclude all .mp3 files**
    -The following .xml file excludes all .mp3 files from the migration: +##### Example 1: How to exclude all `.mp3` files -``` xml +The following .xml file excludes all `.mp3` files from the migration: + +```xml Test @@ -177,10 +189,12 @@ The following .xml file excludes all .mp3 files from the migration: ``` -**Example 2: How to exclude all of the files on a specific drive**
    + +##### Example 2: How to exclude all of the files on a specific drive + The following .xml file excludes only the files located on the C: drive. -``` xml +```xml Test @@ -196,10 +210,12 @@ The following .xml file excludes only the files located on the C: drive. ``` -**Example 3: How to exclude registry keys**
    -The following .xml file unconditionally excludes the HKEY_CURRENT_USER registry key and all of its subkeys. -``` xml +##### Example 3: How to exclude registry keys + +The following .xml file unconditionally excludes the `HKEY_CURRENT_USER` registry key and all of its subkeys. + +```xml @@ -221,10 +237,12 @@ The following .xml file unconditionally excludes the HKEY_CURRENT_USER registry ``` -**Example 4: How to Exclude `C:\Windows` and `C:\Program Files`**
    -The following .xml file unconditionally excludes the system folders of `C:\Windows` and `C:\Program Files`. Note that all \*.docx, \*.xls and \*.ppt files will not be migrated because the <unconditionalExclude> element takes precedence over the <include> element. -``` xml +##### Example 4: How to Exclude `C:\Windows` and `C:\Program Files` + +The following .xml file unconditionally excludes the system folders of `C:\Windows` and `C:\Program Files`. Note that all `*.docx`, `*.xls` and `*.ppt` files won't be migrated because the **<unconditionalExclude>** element takes precedence over the **<include>** element. + +```xml @@ -249,29 +267,24 @@ The following .xml file unconditionally excludes the system folders of `C:\Windo ``` + ## Create a Config XML File -You can create and modify a Config.xml file if you want to exclude components from the migration. Excluding components using this file is easier than modifying the migration .xml files because you do not need to be familiar with the migration rules and syntax. Config.xml is an optional file that you can create using the **/genconfig** command-line option with the ScanState tool. For example, you can use the Config.xml file to exclude the settings for one of the default applications. In addition, creating and modifying this file is the only way to exclude the operating-system settings that are migrated to computers running Windows. -- **To exclude the settings for a default application:** Specify `migrate="no"` for the application under the <Applications> section of the Config.xml file. +You can create and modify a `Config.xml` file if you want to exclude components from the migration. Excluding components using this file is easier than modifying the migration .xml files because you don't need to be familiar with the migration rules and syntax. `Config.xml` is an optional file that you can create using the `/genconfig` command-line option with the ScanState tool. For example, you can use the `Config.xml` file to exclude the settings for one of the default applications. In addition, creating and modifying this file is the only way to exclude the operating-system settings that are migrated to computers running Windows. -- **To exclude an operating system setting:** Specify `migrate="no"` for the setting under the <WindowsComponents> section. +- **To exclude the settings for a default application:** Specify `migrate="no"` for the application under the **<Applications>** section of the `Config.xml` file. -- **To exclude My Documents:** Specify `migrate="no"` for My Documents under the <Documents> section. Note that any <include> rules in the .xml files will still apply. For example, if you have a rule that includes all the .docx files in My Documents, then only the .docx files will be migrated, but the rest of the files will not. +- **To exclude an operating system setting:** Specify `migrate="no"` for the setting under the **<WindowsComponents>** section. -See [Config.xml File](usmt-configxml-file.md) for more information. - -**Note**   -To exclude a component from the Config.xml file, set the **migrate** value to **"no"**. Deleting the XML tag for the component from the Config.xml file will not exclude the component from your migration. - -## Related topics -- [Customize USMT XML Files](usmt-customize-xml-files.md) -- [USMT XML Reference](usmt-xml-reference.md) - - - - +- **To exclude My Documents:** Specify `migrate="no"` for **My Documents** under the **<Documents>** section. Note that any **<include>** rules in the .xml files will still apply. For example, if you have a rule that includes all the .docx files in My Documents, then only the .docx files will be migrated, but the rest of the files won't. +For more information, see [Config.xml File](usmt-configxml-file.md). +> [!NOTE] +> To exclude a component from the `Config.xml` file, set the **migrate** value to **"no"**. Deleting the XML tag for the component from the `Config.xml` file will not exclude the component from your migration. +## Related articles +- [Customize USMT XML files](usmt-customize-xml-files.md) +- [USMT XML reference](usmt-xml-reference.md) diff --git a/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md b/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md index 7d5909b79a..b5b02016d8 100644 --- a/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md +++ b/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md @@ -2,119 +2,97 @@ title: Extract Files from a Compressed USMT Migration Store (Windows 10) description: In this article, learn how to extract files from a compressed User State Migration Tool (USMT) migration store. ms.reviewer: -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski -ms.date: 04/19/2017 +author: frankroj +ms.date: 11/01/2022 ms.topic: article ms.technology: itpro-deploy --- -# Extract Files from a Compressed USMT Migration Store +# Extract files from a compressed USMT migration store +When you migrate files and settings during a typical PC-refresh migration, you usually create a compressed migration store file on the intermediate store. This migration store is a single image file that contains all files being migrated as well as a catalog file. To protect the compressed file, you can encrypt it by using different encryption algorithms. When you migrate the file back to the source computer after the operating system is installed, you can run the **UsmtUtils** command with the `/extract` option to recover the files from the compressed migration store. You can also use the **UsmtUtils** command with the `/extract` option any time you need to recover data from a migration store. -When you migrate files and settings during a typical PC-refresh migration, you usually create a compressed migration store file on the intermediate store. This migration store is a single image file that contains all files being migrated as well as a catalog file. To protect the compressed file, you can encrypt it by using different encryption algorithms. When you migrate the file back to the source computer after the operating system is installed, you can run the **Usmtutils** command with the **/extract** option to recover the files from the compressed migration store. You can also use the **Usmtutils** command with the **/extract** option any time you need to recover data from a migration store. +Options used with the `/extract` option can specify: -Options used with the **/extract** option can specify: +- The cryptographic algorithm that was used to create the migration store. -- The cryptographic algorithm that was used to create the migration store. +- The encryption key or the text file that contains the encryption key. -- The encryption key or the text file that contains the encryption key. +- Include and exclude patterns for selective data extraction. -- Include and exclude patterns for selective data extraction. +In addition, you can specify the file patterns that you want to extract by using the `/i` option to include file patterns or the `/e` option to exclude file patterns. When both the `/i` option and the `/e` option are used in the same command, include patterns take precedence over exclude patterns. Note that this is different from the include and exclude rules used in the **ScanState** and **LoadState** tools. -In addition, you can specify the file patterns that you want to extract by using the **/i** option to include file patterns or the **/e** option to exclude file patterns. When both the **/i** option and the **/e** option are used in the same command, include patterns take precedence over exclude patterns. Note that this is different from the include and exclude rules used in the ScanState and LoadState tools. +## To run the UsmtUtils tool with the /extract option -## In this topic +To extract files from the compressed migration store onto the destination computer, use the following UsmtUtils syntax: - -- [To run the USMTutils tool with the /extract option](#bkmk-extractsyntax) - -- [To extract all files from a compressed migration store](#bkmk-extractallfiles) - -- [To extract specific file types from an encrypted compressed migration store](#bkmk-extractspecificfiles) - -- [To extract all but one, or more, file types from an encrypted compressed migration store](#bkmk-excludefilepattern) - -- [To extract file types using the include pattern and the exclude pattern](#bkmk-includeexcludefiles) - -### To run the USMTutils tool with the /extract option - -To extract files from the compressed migration store onto the destination computer, use the following USMTutils syntax: - -Cd /d <USMTpath> usmtutils /extract <filePath> <destinationPath> \[/i:<includePattern>\] \[/e:<excludePattern>\] \[/l:<logfile>\] \[/decrypt\[:<AlgID>\] {/key:<keystring> | /keyfile:<filename>}\] \[/o\] +```cmd +UsmtUtils.exe /extract [/i:] [/e:] [/l:] [/decrypt[:] {/key: | /keyfile:}] [/o] +``` Where the placeholders have the following values: -- *<USMTpath>* is the location where you have saved the USMT files and tools. +- **<USMTpath>** is the location where you have saved the USMT files and tools. -- *<filePath>* is the location of the migration store. +- **<filePath>** is the location of the migration store. -- *<destination path>* is the location of the file where you want the **/extract** option to put the extracted migration store contents. +- **<destination path>** is the location of the file where you want the **/extract** option to put the extracted migration store contents. -- *<includePattern>* specifies the pattern for the files to include in the extraction. +- **<includePattern>** specifies the pattern for the files to include in the extraction. -- *<excludePattern>* specifies the pattern for the files to omit from the extraction. +- **<excludePattern>** specifies the pattern for the files to omit from the extraction. -- *<AlgID>* is the cryptographic algorithm that was used to create the migration store on the **ScanState** command line. +- **<AlgID>** is the cryptographic algorithm that was used to create the migration store on the `ScanState.exe` command line. -- *<logfile>* is the location and name of the log file. +- **<logfile>** is the location and name of the log file. -- *<keystring>* is the encryption key that was used to encrypt the migration store. +- **<keystring>** is the encryption key that was used to encrypt the migration store. -- *<filename>* is the location and name of the text file that contains the encryption key. +- **<filename>** is the location and name of the text file that contains the encryption key. -### To extract all files from a compressed migration store +### To extract all files from a compressed migration store -To extract everything from a compressed migration store to a file on the C:\\ drive, type: +To extract everything from a compressed migration store to a file on the `C:\` drive, enter: -``` syntax -usmtutils /extract D:\MyMigrationStore\USMT\store.mig C:\ExtractedStore +```cmd +UsmtUtils.exe /extract D:\MyMigrationStore\USMT\store.mig C:\ExtractedStore ``` -### To extract specific file types from an encrypted compressed migration store +### To extract specific file types from an encrypted compressed migration store -To extract specific files, such as .txt and .pdf files, from an encrypted compressed migration store, type: +To extract specific files, such as `.txt` and `.pdf` files, from an encrypted compressed migration store, enter: -``` syntax -usmtutils /extract D:\MyMigrationStore\USMT\store.mig /i:"*.txt,*.pdf" C:\ExtractedStore /decrypt /keyfile:D:\encryptionKey.txt +```cmd +UsmtUtils.exe /extract D:\MyMigrationStore\USMT\store.mig /i:"*.txt,*.pdf" C:\ExtractedStore /decrypt /keyfile:D:\encryptionKey.txt ``` In this example, the file is encrypted and the encryption key is located in a text file called encryptionKey. -### To extract all but one, or more, file types from an encrypted compressed migration store +### To extract all but one, or more, file types from an encrypted compressed migration store -To extract all files except for one file type, such as .exe files, from an encrypted compressed migration store, type: +To extract all files except for one file type, such as `.exe` files, from an encrypted compressed migration store, enter: -``` syntax -usmtutils /extract D:\MyMigrationStore\USMT\store.mig /e:*.exe C:\ExtractedStore /decrypt:AES_128 /key:password /l:C:\usmtutilslog.txt +```cmd +UsmtUtils.exe /extract D:\MyMigrationStore\USMT\store.mig /e:*.exe C:\ExtractedStore /decrypt:AES_128 /key:password /l:C:\usmtutilslog.txt ``` -### To extract file types using the include pattern and the exclude pattern +### To extract file types using the include pattern and the exclude pattern To extract files from a compressed migration store, and to exclude files of one type (such as .exe files) while including only specific files, use both the include pattern and the exclude pattern, as in this example: -``` syntax -usmtutils /extract D:\MyMigrationStore\USMT\store.mig /i:myProject.* /e:*.exe C:\ExtractedStore /o +```cmd +UsmtUtils.exe /extract D:\MyMigrationStore\USMT\store.mig /i:myProject.* /e:*.exe C:\ExtractedStore /o ``` In this example, if there is a myProject.exe file, it will also be extracted because the include pattern option takes precedence over the exclude pattern option. -## Related topics - - -[UsmtUtils Syntax](usmt-utilities.md) - -[Return Codes](usmt-return-codes.md) - -[Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md) - -  - -  - - +## Related articles +[UsmtUtils syntax](usmt-utilities.md) +[Return codes](/troubleshoot/windows-client/deployment/usmt-return-codes) +[Verify the condition of a compressed migration store](verify-the-condition-of-a-compressed-migration-store.md) diff --git a/windows/deployment/usmt/usmt-faq.yml b/windows/deployment/usmt/usmt-faq.yml index 024d9e89be..f22b052e29 100644 --- a/windows/deployment/usmt/usmt-faq.yml +++ b/windows/deployment/usmt/usmt-faq.yml @@ -1,21 +1,21 @@ ### YamlMime:FAQ metadata: title: 'Frequently Asked Questions (Windows 10)' - description: 'Learn about frequently asked questions and recommended solutions for migrations using User State Migration Tool (USMT) 10.0.' + description: 'Learn about frequently asked questions and recommended solutions for migrations using User State Migration Tool (USMT) 10.0.' ms.assetid: 813c13a7-6818-4e6e-9284-7ee49493241b - ms.reviewer: - author: aczechowski - ms.author: aaroncz - manager: dougeby - ms.prod: w10 + ms.prod: windows-client + ms.technology: itpro-deploy + author: frankroj + ms.author: frankroj + manager: aaroncz ms.mktglfcycl: deploy ms.sitesec: library audience: itpro - ms.date: 04/19/2017 + ms.date: 11/01/2022 ms.topic: faq title: Frequently Asked Questions summary: | - The following sections provide frequently asked questions and recommended solutions for migrations using User State Migration Tool (USMT) 10.0. + The following sections provide frequently asked questions and recommended solutions for migrations using User State Migration Tool (USMT) 10.0. sections: @@ -24,7 +24,7 @@ sections: - question: | How much space is needed on the destination computer? answer: | - The destination computer needs enough available space for the following: + The destination computer needs enough available space for the following items: - Operating system @@ -35,100 +35,100 @@ sections: - question: | Can I store the files and settings directly on the destination computer or do I need a server? answer: | - You do not need to save the files to a server. If you are moving the user state to a new computer, you can create the store on a shared folder, on media that you can remove, such as a USB flash drive (UFD), or you can store it directly on the destination computer, as in the following steps: + You don't need to save the files to a server. If you're moving the user state to a new computer, you can create the store on a shared folder, on media that you can remove, such as a USB flash drive (UFD), or you can store it directly on the destination computer, as in the following steps: - 1. Create and share the directory C:\\store on the destination computer. + 1. Create and share the directory `C:\store` on the destination computer. - 2. Run the ScanState tool on the source computer and save the files and settings to \\\\*DestinationComputerName*\\store + 2. Run the **ScanState** tool on the source computer and save the files and settings to `\\\store` - 3. Run the LoadState tool on the destination computer and specify C:\\store as the store location. + 3. Run the **LoadState** tool on the destination computer and specify `C:\store` as the store location. - question: | Can I migrate data between operating systems with different languages? answer: | - No. USMT does not support migrating data between operating systems with different languages; the source computer's operating-system language must match the destination computer's operating-system language. + No. USMT doesn't support migrating data between operating systems with different languages; the source computer's operating-system language must match the destination computer's operating-system language. - question: | Can I change the location of the temporary directory on the destination computer? answer: | - Yes. The environment variable USMT\_WORKING\_DIR can be changed to an alternative temporary directory. There are some offline migration scenarios where this is necessary, for example, when the USMT binaries are located on read-only Windows Preinstallation Environment (WinPE) boot media. + Yes. The environment variable `USMT\_WORKING\_DIR` can be changed to an alternative temporary directory. There are some offline migration scenarios where changing the temporary directory is necessary, for example, when the USMT binaries are located on read-only Windows Preinstallation Environment (WinPE) boot media. - question: | How do I install USMT? answer: | - Because USMT is included in Windows Assessment and Deployment Kit (Windows ADK), you need to install the Windows ADK package on at least one computer in your environment. However, the USMT binaries are designed to be deployed using xcopy. This means that they are installed on a computer simply by recursively copying the USMT directory from the computer containing the Windows ADK to each client computer. + Because USMT is included in Windows Assessment and Deployment Kit (Windows ADK), you need to install the Windows ADK package on at least one computer in your environment. The USMT binaries can then be copied from the USMT directory located on the original computer where the Windows ADK was installed to additional client computers. - question: | How do I uninstall USMT? answer: | - If you have installed the Windows ADK on the computer, uninstalling Windows ADK will uninstall USMT. For client computers that do not have the Windows ADK installed, you can simply delete the USMT directory to uninstall USMT. + If you've installed the Windows ADK on the computer, uninstalling Windows ADK will uninstall USMT. For client computers that don't have the Windows ADK installed, you can delete the USMT directory to uninstall USMT. - name: Files and Settings questions: - question: | How can I exclude a folder or a certain type of file from the migration? answer: | - You can use the **<unconditionalExclude>** element to globally exclude data from the migration. For example, you can use this element to exclude all MP3 files on the computer or to exclude all files from C:\\UserData. This element excludes objects regardless of any other <include> rules that are in the .xml files. For an example, see <unconditionalExclude> in the [Exclude Files and Settings](usmt-exclude-files-and-settings.md) topic. For the syntax of this element, see [XML Elements Library](usmt-xml-elements-library.md). + You can use the **<unconditionalExclude>** element to globally exclude data from the migration. For example, you can use this element to exclude all MP3 files on the computer or to exclude all files from `C:\UserData`. This element excludes objects regardless of any other **<include>** rules that are in the .xml files. For an example, see **<unconditionalExclude>** in the [Exclude files and settings](usmt-exclude-files-and-settings.md) article. For the syntax of this element, see [XML elements library](usmt-xml-elements-library.md). - question: | - What happens to files that were located on a drive that does not exist on the destination computer? + What happens to files that were located on a drive that don't exist on the destination computer? answer: | - USMT migrates the files to the %SystemDrive% while maintaining the correct folder hierarchy. For example, if E:\\data\\File.pst is on the source computer, but the destination computer does not have an E:\\ drive, the file will be migrated to C:\\data\\File.pst, if C:\\ is the system drive. This holds true even when <locationModify> rules attempt to move data to a drive that does not exist on the destination computer. + USMT migrates the files to the `%SystemDrive%` while maintaining the correct folder hierarchy. For example, if `E:\data\File.pst` is on the source computer, but the destination computer doesn't have an E:\\ drive, the file will be migrated to `C:\data\File.pst`, if C:\\ is the system drive. This behavior holds true even when **<locationModify>** rules attempt to move data to a drive that doesn't exist on the destination computer. - name: USMT .xml Files questions: - question: | Where can I get examples of USMT .xml files? answer: | - The following topics include examples of USMT .xml files: + The following articles include examples of USMT .xml files: - - [Exclude Files and Settings](usmt-exclude-files-and-settings.md) + - [Exclude files and settings](usmt-exclude-files-and-settings.md) - - [Reroute Files and Settings](usmt-reroute-files-and-settings.md) + - [Reroute files and settings](usmt-reroute-files-and-settings.md) - - [Include Files and Settings](usmt-include-files-and-settings.md) + - [Include files and settings](usmt-include-files-and-settings.md) - - [Custom XML Examples](usmt-custom-xml-examples.md) + - [Custom XML examples](usmt-custom-xml-examples.md) - question: | Can I use custom .xml files that were written for USMT 5.0? answer: | - Yes. You can use custom .xml files that were written for USMT 5.0 with USMT for Windows 10. However, in order to use new USMT functionality, you must revisit your custom USMT files and refresh them to include the new command-line options and XML elements. + Yes. You can use custom .xml files that were written for USMT 5.0 with USMT for Windows 10. However, in order to use new USMT functionality, you must revisit your custom USMT files and refresh them to include the new command-line options and XML elements. - question: | How can I validate the .xml files? answer: | - You can use the USMT XML Schema (MigXML.xsd) to write and validate migration .xml files. + You can use the USMT XML Schema (`MigXML.xsd`) to write and validate migration .xml files. - question: | - Why must I list the .xml files with both the ScanState and LoadState commands? + Why must I list the .xml files with both the `ScanState.exe` and `LoadState.exe` commands? answer: | - The .xml files are not copied to the store as in previous versions of USMT. Because the ScanState and LoadState tools need the .xml files to control the migration, you must specify the same set of .xml files for the **ScanState** and **LoadState** commands. If you used a particular set of mig\*.xml files in the ScanState tool, either called through the "/auto" option, or individually through the "/i" option, then you should use same option to call the exact same mig\*.xml files in the LoadState tool. However, you do not have to specify the Config.xml file, unless you want to exclude some of the files and settings that you migrated to the store. For example, you might want to migrate the My Documents folder to the store, but not to the destination computer. To do this, modify the Config.xml file and specify the updated file with the **LoadState** command. **LoadState** will migrate only the files and settings that you want to migrate. + The .xml files aren't copied to the store as in previous versions of USMT. Because the **ScanState** and **LoadState** tools need the .xml files to control the migration, you must specify the same set of .xml files for the `ScanState.exe` and `LoadState.exe` commands. If you used a particular set of mig\*.xml files in the **ScanState** tool, either called through the `/auto` option, or individually through the `/i` option, then you should use same option to call the exact same mig\*.xml files in the **LoadState** tool. However, you don't have to specify the `Config.xml` file, unless you want to exclude some of the files and settings that you migrated to the store. For example, you might want to migrate the **My Documents** folder to the store, but not to the destination computer. To do this type of migration, modify the `Config.xml` file and specify the updated file with the `LoadState.exe` command. **LoadState** will migrate only the files and settings that you want to migrate. - If you exclude an .xml file from the **LoadState** command, then all of the data that is in the store that was migrated with the missing .xml files will be migrated. However, the migration rules that were specified for the **ScanState** command will not apply. For example, if you exclude a MigApp.xml file that has a rerouting rule such as `MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")`, USMT will not reroute the files. Instead, it will migrate them to C:\\data. + If you exclude an .xml file from the `LoadState.exe` command, then all of the data that is in the store that was migrated with the missing .xml files will be migrated. However, the migration rules that were specified for the `ScanState.exe` command won't apply. For example, if you exclude a `MigApp.xml` file that has a rerouting rule such as `MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")`, USMT won't reroute the files. Instead, it will migrate them to `C:\data`. - question: | Which files can I modify and specify on the command line? answer: | - You can specify the MigUser.xml and MigApp.xml files on the command line. You can modify each of these files. The migration of operating system settings is controlled by the manifests, which you cannot modify. If you want to exclude certain operating-system settings or any other components, create and modify the Config.xml file. + You can specify the `MigUser.xml` and `MigApp.xml` files on the command line. You can modify each of these files. The migration of operating system settings is controlled by the manifests, which you can't modify. If you want to exclude certain operating-system settings or any other components, create and modify the `Config.xml` file. - question: | - What happens if I do not specify the .xml files on the command line? + What happens if I don't specify the .xml files on the command line? answer: | - **ScanState** - If you do not specify any files with the **ScanState** command, all user accounts and default operating system components are migrated. + If you don't specify any files with the `ScanState.exe` command, all user accounts and default operating system components are migrated. - **LoadState** - If you do not specify any files with the **LoadState** command, all data that is in the store is migrated. However, any target-specific migration rules that were specified in .xml files with the **ScanState** command will not apply. For example, if you exclude a MigApp.xml file that has a rerouting rule such as `MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")`, USMT will not reroute the files. Instead, it will migrate them to C:\\data. + If you don't specify any files with the `LoadState.exe` command, all data that is in the store is migrated. However, any target-specific migration rules that were specified in .xml files with the `ScanState.exe` command won't apply. For example, if you exclude a `MigApp.xml` file that has a rerouting rule such as `MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")`, USMT won't reroute the files. Instead, it will migrate them to `C:\data`. - name: Conflicts and Precedence questions: - question: | What happens when there are conflicting XML rules or conflicting objects on the destination computer? answer: | - For more information, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md). + For more information, see [Conflicts and precedence](usmt-conflicts-and-precedence.md). additionalContent: | @@ -137,6 +137,6 @@ additionalContent: | [User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md) - [Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md) + [Extract files from a compressed USMT migration store](usmt-extract-files-from-a-compressed-migration-store.md) - [Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md) + [Verify the condition of a compressed migration store](verify-the-condition-of-a-compressed-migration-store.md) diff --git a/windows/deployment/usmt/usmt-general-conventions.md b/windows/deployment/usmt/usmt-general-conventions.md index 6ccaaa68cf..98148b856d 100644 --- a/windows/deployment/usmt/usmt-general-conventions.md +++ b/windows/deployment/usmt/usmt-general-conventions.md @@ -2,62 +2,52 @@ title: General Conventions (Windows 10) description: Learn about general XML guidelines and how to use XML helper functions in the XML Elements library to change migration behavior. ms.reviewer: -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski -ms.date: 04/19/2017 +author: frankroj +ms.date: 11/01/2022 ms.topic: article ms.technology: itpro-deploy --- -# General Conventions - +# General conventions This topic describes the XML helper functions. -## In This Topic - - -[General XML Guidelines](#bkmk-general) - -[Helper Functions](#bkmk-helperfunctions) - -## General XML Guidelines - +## General XML guidelines Before you modify the .xml files, become familiar with the following guidelines: -- **XML schema** +- **XML schema** - You can use the User State Migration Tool (USMT) 10.0 XML schema, MigXML.xsd, to write and validate migration .xml files. + You can use the User State Migration Tool (USMT) 10.0 XML schema, MigXML.xsd, to write and validate migration .xml files. -- **Conflicts** +- **Conflicts** - In general, when there are conflicts within the XML schema, the most specific pattern takes precedence. For more information, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md). + In general, when there are conflicts within the XML schema, the most specific pattern takes precedence. For more information, see [Conflicts and precedence](usmt-conflicts-and-precedence.md). -- **Required elements** +- **Required elements** The required elements for a migration .xml file are **<migration>**, **<component>**, **<role>**, and **<rules>**. -- **Required child elements** +- **Required child elements** - - USMT does not fail with an error if you do not specify the required child elements. However, you must specify the required child elements for the parent element to affect the migration. + - USMT doesn't fail with an error if you don't specify the required child elements. However, you must specify the required child elements for the parent element to affect the migration. - - The required child elements apply only to the first definition of the element. If these elements are defined and then referred to using their name, the required child elements do not apply. For example, if you define `` in **<namedElements>**, and you specify `` in **<component>** to refer to this element, the definition inside **<namedElements>** must have the required child elements, but the **<component>** element does not need to have the required child elements. + - The required child elements apply only to the first definition of the element. If these elements are defined and then referred to using their name, the required child elements don't apply. For example, if you define `` in **<namedElements>**, and you specify `` in **<component>** to refer to this element, the definition inside **<namedElements>** must have the required child elements, but the **<component>** element doesn't need to have the required child elements. -- **File names with brackets** +- **File names with brackets** - If you are migrating a file that has a bracket character (\[ or \]) in the file name, you must insert a carat (^) character directly before the bracket for the bracket character to be valid. For example, if there is a file named **file].txt**, you must specify `c:\documents\mydocs [file^].txt]` instead of `c:\documents\mydocs [file].txt]`. + If you're migrating a file that has a bracket character (\[ or \]) in the file name, you must insert a carat (^) character directly before the bracket for the bracket character to be valid. For example, if there's a file named **file].txt**, you must specify `c:\documents\mydocs [file^].txt]` instead of `c:\documents\mydocs [file].txt]`. -- **Using quotation marks** +- **Using quotation marks** When you surround code in quotation marks, you can use either double ("") or single (') quotation marks. -## Helper Functions +## Helper functions - -You can use the XML helper functions in the [XML Elements Library](usmt-xml-elements-library.md) to change migration behavior. Before you use these functions in an .xml file, note the following: +You can use the XML helper functions in the [XML elements library](usmt-xml-elements-library.md) to change migration behavior. Before you use these functions in an .xml file, note the following items: - **All of the parameters are strings** @@ -65,40 +55,30 @@ You can use the XML helper functions in the [XML Elements Library](usmt-xml-elem As with parameters with a default value convention, if you have a NULL parameter at the end of a list, you can leave it out. For example, the following function: - ``` syntax + ```cmd SomeFunction("My String argument",NULL,NULL) ``` is equivalent to: - ``` syntax + ```cmd SomeFunction("My String argument") ``` - **The encoded location used in all the helper functions is an unambiguous string representation for the name of an object** - It is composed of the node part, optionally followed by the leaf enclosed in square brackets. This makes a clear distinction between nodes and leaves. + It's composed of the node part, optionally followed by the leaf enclosed in square brackets. This format makes a clear distinction between nodes and leaves. - For example, specify the file C:\\Windows\\Notepad.exe: **c:\\Windows\[Notepad.exe\]**. Similarly, specify the directory C:\\Windows\\System32 like this: **c:\\Windows\\System32**; note the absence of the \[\] characters. + For example, specify the file `C:\Windows\Notepad.exe`: **c:\\Windows\[Notepad.exe\]**. Similarly, specify the directory `C:\Windows\System32` like this: **c:\\Windows\\System32**; note the absence of the **\[\]** characters. - The registry is represented in a similar way. The default value of a registry key is represented as an empty \[\] construct. For example, the default value for the HKLM\\SOFTWARE\\MyKey registry key is **HKLM\\SOFTWARE\\MyKey\[\]**. + The registry is represented in a similar way. The default value of a registry key is represented as an empty **\[\]** construct. For example, the default value for the `HKLM\SOFTWARE\MyKey` registry key is **HKLM\\SOFTWARE\\MyKey\[\]**. - **You specify a location pattern in a way that is similar to how you specify an actual location** - The exception is that both the node and leaf part accept patterns. However, a pattern from the node does not extend to the leaf. - - For example, the pattern **c:\\Windows\\\\*** will match the \\Windows directory and all subdirectories, but it will not match any of the files in those directories. To match the files as well, you must specify **c:\\Windows\\\*\[\*\]**. - -## Related topics - - -[USMT XML Reference](usmt-xml-reference.md) - - - - - - + The exception is that both the node and leaf part accept patterns. However, a pattern from the node doesn't extend to the leaf. + For example, the pattern **c:\\Windows\\\\\*** will match the `\Windows` directory and all subdirectories, but it will not match any of the files in those directories. To match the files as well, you must specify **c:\\Windows\\\*\[\*\]**. +## Related articles +[USMT XML reference](usmt-xml-reference.md) diff --git a/windows/deployment/usmt/usmt-hard-link-migration-store.md b/windows/deployment/usmt/usmt-hard-link-migration-store.md index 5b98c857bf..b4790b2a5a 100644 --- a/windows/deployment/usmt/usmt-hard-link-migration-store.md +++ b/windows/deployment/usmt/usmt-hard-link-migration-store.md @@ -2,171 +2,149 @@ title: Hard-Link Migration Store (Windows 10) description: Use of a hard-link migration store for a computer-refresh scenario drastically improves migration performance and significantly reduces hard-disk utilization. ms.reviewer: -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski -ms.date: 04/19/2017 +author: frankroj +ms.date: 11/01/2022 ms.topic: article ms.technology: itpro-deploy --- # Hard-Link Migration Store -A *hard-link migration store* enables you to perform an in-place migration where all user state is maintained on the computer while the old operating system is removed and the new operating system is installed; this functionality is what makes *hard-link migration store* best suited for the computer-refresh scenario. Use of a hard-link migration store for a computer-refresh scenario drastically improves migration performance and significantly reduces hard-disk utilization, reduces deployment costs, and enables entirely new migration scenarios. +A **hard-link migration store** enables you to perform an in-place migration where all user state is maintained on the computer while the old operating system is removed and the new operating system is installed. This functionality is what makes **hard-link migration store** best suited for the computer-refresh scenario. Use of a hard-link migration store for a computer-refresh scenario drastically improves migration performance and significantly reduces hard-disk utilization, reduces deployment costs, and enables entirely new migration scenarios. -## In this topic - -[When to Use a Hard-Link Migration](#bkmk-when) - -[Understanding a Hard-Link Migration](#bkmk-understandhardlinkmig) - -[Scenario](#bkmk-scenario) - -[Hard-Link Migration Store Details](#bkmk-hardlinkstoredetails) - -[Hard Disk Space](#bkmk-harddiskspace) - -[Hard-Link Store Size Estimation](#bkmk-hardlinkstoresizeest) - -[Migration Store Path on Multiple Volumes](#bkmk-migstoremultvolumes) - -[Location Modifications](#bkmk-locationmodify) - -[Migrating Encrypting File System (EFS) Certificates and Files](#bkmk-efs) - -[Migrating Locked Files With the Hard-Link Migration Store](#bkmk-miglockedfiles) - -[XML Elements in the Config.xml File](#bkmk-xmlelementsinconfig) - -## When to Use a Hard-Link Migration +## When to use a hard-link migration You can use a hard-link migration store when your planned migration meets both of the following criteria: -- You are upgrading the operating system on existing hardware rather than migrating to new computers. +- You're upgrading the operating system on existing hardware rather than migrating to new computers. -- You are upgrading the operating system on the same volume of the computer. +- You're upgrading the operating system on the same volume of the computer. -You cannot use a hard-link migration store if your planned migration includes any of the following tasks: +You can't use a hard-link migration store if your planned migration includes any of the following tasks: -- You are migrating data from one computer to a second computer. +- You're migrating data from one computer to a second computer. -- You are migrating data from one volume on a computer to another volume, for example from `C:` to `D:`. +- You're migrating data from one volume on a computer to another volume, for example from `C:` to `D:`. -- You are formatting or repartitioning the disk outside of Windows Setup, or specifying a disk format or repartition during Windows Setup that will remove the migration store. +- You're formatting or repartitioning the disk outside of Windows Setup, or specifying a disk format or repartition during Windows Setup that will remove the migration store. -## Understanding a Hard-Link Migration +## Understanding a hard-link migration -The hard-link migration store is created using the command-line option, **/hardlink**, and is equivalent to other migration-store types. However, it differs in that hard links are utilized to keep files stored on the source computer during the migration. Keeping the files in place on the source computer eliminates the redundant work of duplicating files. It also enables the performance benefits and reduction in disk utilization that define this scenario. +The hard-link migration store is created using the command-line option, `/hardlink`, and is equivalent to other migration-store types. However, it differs in that hard links are utilized to keep files stored on the source computer during the migration. Keeping the files in place on the source computer eliminates the redundant work of duplicating files. It also enables the performance benefits and reduction in disk utilization that define this scenario. -When you create a hard link, you give an existing file one more path. For instance, you could create a hard link to c:\\file1.txt called c:\\hard link\\myFile.txt. These two paths relate to the same file. If you open c:\\file1.txt, make changes, and save the file, you will see those changes when you open c:\\hard link\\myFile.txt. If you delete c:\\file1.txt, the file still exists on your computer as c:\\hardlink\\myFile.txt. You must delete both references to the file in order to delete the file. +When you create a hard link, you give an existing file one more path. For instance, you could create a hard link to `c:\file1.txt` called `c:\hard link\myFile.txt`. These two paths relate to the same file. If you open `c:\file1.txt`, make changes, and save the file, you'll see those changes when you open `c:\hard link\myFile.txt`. If you delete `c:\file1.txt`, the file still exists on your computer as `c:\hardlink\myFile.txt`. You must delete both references to the file in order to delete the file. > [!NOTE] > A hard link can only be created for a file on the same volume. If you copy a hard-link migration store to another drive or external device, the files, and not the links, are copied, as in a non-compressed migration-store scenario. For more information about hard links, see [Hard Links and Junctions](/windows/win32/fileio/hard-links-and-junctions) -In most aspects, a hard-link migration store is identical to an uncompressed migration store. It is located where specified by the Scanstate command-line tool and you can view the contents of the store by using Windows® Explorer. Once created, it can be deleted or copied to another location without changing user state. Restoring a hard-link migration store is similar to restoring any other migration store; however, as with creating the store, the same hard-link functionality is used to keep files in-place. +In most aspects, a hard-link migration store is identical to an uncompressed migration store. It's located where specified by the **ScanState.exe** command-line tool and you can view the contents of the store by using Windows Explorer. Once created, it can be deleted or copied to another location without changing user state. Restoring a hard-link migration store is similar to restoring any other migration store. However, as with creating the store, the same hard-link functionality is used to keep files in-place. -As a best practice, we recommend that you delete the hard-link migration store after you confirm that the Loadstate tool has successfully migrated the files. Since Loadstate has created new paths to the files on your new installation of a Windows operating system, deleting the hard links in the migration store will only delete one path to the files and will not delete the actual files or the paths to them from your new operating system. +As a best practice, it's recommended that you delete the hard-link migration store after you confirm that the **LoadState** tool has successfully migrated the files. Since **LoadState** has created new paths to the files on the new installation of a Windows operating system, deleting the hard links in the migration store will only delete one path to the files, and won't delete the actual files or the paths to them from the new operating system. > [!IMPORTANT] -> Using the **/c** option will force the Loadstate tool to continue applying files when non-fatal errors occur. If you use the **/c** option, you should verify that no errors are reported in the logs before deleting the hard-link migration store in order to avoid data loss. +> Using the `/c` option will force the **LoadState** tool to continue applying files when non-fatal errors occur. If you use the `/c` option, you should verify that no errors are reported in the logs before deleting the hard-link migration store in order to avoid data loss. Keeping the hard-link migration store can result in extra disk space being consumed or problems with some applications for the following reasons: -- Applications reporting file-system statistics, for example, space used and free space, might incorrectly report these statistics while the hard-link migration store is present. The file may be reported twice because of the two paths that reference that file. +- Applications reporting file-system statistics, for example, space used and free space, might incorrectly report these statistics while the hard-link migration store is present. The file may be reported twice because of the two paths that reference that file. -- A hard link may lose its connection to the original file. Some applications save changes to a file by creating a temporary file and then renaming the original to a backup filename. The path that was not used to open the file in this application will continue to refer to the unmodified file. The unmodified file that is not in use is taking up more disk space. You should create the hard-link migration store just before you perform the migration, and not use applications once the store is created, in order to make sure you are migrating the latest versions of all files. +- A hard link may lose its connection to the original file. Some applications save changes to a file by creating a temporary file and then renaming the original to a backup filename. The path that wasn't used to open the file in this application will continue to refer to the unmodified file. The unmodified file that isn't in use is taking up more disk space. You should create the hard-link migration store just before you perform the migration, and not use applications once the store is created, in order to make sure you're migrating the latest versions of all files. -- Editing the file by using different paths simultaneously may result in data corruption. +- Editing the file by using different paths simultaneously may result in data corruption. > [!IMPORTANT] > The read-only file attribute on migrated files is lost when the hard-link migration store is deleted. This is due to a limitation in NTFS file system hard links. -## Hard-Link Migration Scenario +## Hard-link migration scenario -For example, a company has decided to deploy Windows 10 on all of their computers. Each employee will keep the same computer, but the operating system on each computer will be updated. +For example, a company has decided to deploy Windows 10 on all of their computers. Each employee will keep the same computer, but the operating system on each computer will be updated. -1. An administrator runs the ScanState command-line tool on each computer, specifying the **/hardlink** command-line option. The ScanState tool saves the user state to a hard-link migration store on each computer, improving performance by reducing file duplication, except in certain specific instances. +1. An administrator runs the **ScanState** command-line tool on each computer, specifying the `/hardlink` command-line option. The **ScanState** tool saves the user state to a hard-link migration store on each computer, improving performance by reducing file duplication, except in certain specific instances. > [!NOTE] - > As a best practice, we recommend that you do not create your hard-link migration store until just before you perform the migration in order to migrate the latest versions of your files. You should not use your software applications on the computer after creating the migration store until you have finished migrating your files with Loadstate. + > As a best practice, we recommend that you do not create your hard-link migration store until just before you perform the migration in order to migrate the latest versions of your files. You should not use your software applications on the computer after creating the migration store until you have finished migrating your files with **LoadState**. -2. On each computer, an administrator installs the company's standard operating environment (SOE), which includes Windows 7 and other applications the company currently uses. +2. On each computer, an administrator installs the company's standard operating environment (SOE), which includes Windows 7 and other applications the company currently uses. -3. An administrator runs the LoadState command-line tool on each computer. The LoadState tool restores user state back on each computer. +3. An administrator runs the **LoadState** command-line tool on each computer. The **LoadState** tool restores user state back on each computer. > [!NOTE] > During the update of a domain-joined computer, the profiles of users whose SID cannot be resolved will not be migrated. When using a hard-link migration store, it could cause a data loss. -## Hard-Link Migration Store Details +## Hard-link migration store details This section provides details about hard-link migration stores. -### Hard Disk Space +### Hard disk space -The **/hardlink** command-line option proceeds with creating the migration store only if there are 250 megabytes (MB) of free space on the hard disk. If every volume involved in the migration is formatted as NTFS, 250 MB should be enough space to ensure success for almost every hard-link migration, regardless on the size of the migration. +The `/hardlink` command-line option proceeds with creating the migration store only if there are 250 megabytes (MB) of free space on the hard disk. If every volume involved in the migration is formatted as NTFS, 250 MB should be enough space to ensure success for almost every hard-link migration, regardless on the size of the migration. -### Hard-Link Store Size Estimation +### Hard-link store size estimation -It is not necessary to estimate the size of a hard-link migration store. Estimating the size of a migration store is only useful in scenarios where the migration store is large, and on NTFS volumes the hard-link migration store will require much less incremental space than other store options. The only case where the local store can be large is when non-NTFS file systems exist on the system and contain data being migrated. Since NTFS has been the default file system format for Windows XP and newer operating systems, this situation is unusual. +It isn't necessary to estimate the size of a hard-link migration store since hard-link migration store on NTFS volumes will be relatively small and require much less incremental space than other store options. Estimating the size of a migration store is only useful in scenarios where the migration store is large. The only case where the local store can be large with hard-link migrations is when non-NTFS file systems exist on the system and the non-NTFS files system contain data that needs to be migrated. Since NTFS has been the default file system format for Windows XP and newer operating systems, this situation is unusual. -### Migration Store Path on Multiple Volumes +### Migration store path on multiple volumes Separate hard-link migration stores are created on each NTFS volume that contain data being migrated. In this scenario, the primary migration-store location will be specified on the command line, and should be the operating-system volume. Migration stores with identical names and directory names will be created on every volume containing data being migrated. For example: -`Scanstate /hardlink c:\USMTMIG […]` + ```cmd + ScanState.exe /hardlink c:\USMTMIG […] + ``` Running this command on a system that contains the operating system on the C: drive and the user data on the D: drive will generate migration stores in the following locations, assuming that both drives are NTFS: -C:\\USMTMIG\\ +`C:\USMTMIG\` -D:\\USMTMIG\\ +`D:\USMTMIG\` -The drive you specify on the command line for the hard-link migration store is important, because it defines where the *master migration store* should be placed. The *master migration store* is the location where data migrating from non-NTFS volumes is stored. This volume must have enough space to contain all of the data that comes from non-NTFS volumes. As in other scenarios, if a migration store already exists at the specified path, the **/o** option must be used to overwrite the existing data in the store. +The drive you specify on the command line for the hard-link migration store is important, because it defines where the **master migration store** should be placed. The **master migration store** is the location where data migrating from non-NTFS volumes is stored. This volume must have enough space to contain all of the data that comes from non-NTFS volumes. As in other scenarios, if a migration store already exists at the specified path, the `/o` option must be used to overwrite the existing data in the store. -### Location Modifications +### Location modifications -Location modifications that redirect migrated content from one volume to a different volume have an adverse impact on the performance of a hard-link migration. This impact is because the migrating data that must cross system volumes cannot remain in the hard-link migration store, and must be copied across the system volumes. +Location modifications that redirect migrated content from one volume to a different volume have an adverse impact on the performance of a hard-link migration. This impact is because the migrating data that must cross system volumes can't remain in the hard-link migration store, and must be copied across the system volumes. -### Migrating Encrypting File System (EFS) Certificates and Files +### Migrating Encrypting File System (EFS) certificates and files -To migrate Encrypting File System (EFS) files to a new installation of an operating system on the same volume of the computer, specify the **/efs:hardlink** option in the Scanstate command-line syntax. +To migrate Encrypting File System (EFS) files to a new installation of an operating system on the same volume of the computer, specify the `/efs:hardlink` option in the `ScanState.exe` command-line syntax. -If the EFS files are being restored to a different partition, you should use the **/efs:copyraw** option instead of the **/efs:hardlink** option. Hard links can only be created for files on the same volume. Moving the files to another partition during the migration requires a copy of the files to be created on the new partition. The **/efs:copyraw** option will copy the files to the new partition in encrypted format. +If the EFS files are being restored to a different partition, you should use the `/efs:copyraw` option instead of the `/efs:hardlink` option. Hard links can only be created for files on the same volume. Moving the files to another partition during the migration requires a copy of the files to be created on the new partition. The `/efs:copyraw` option will copy the files to the new partition in encrypted format. -For more information, see [Migrate EFS Files and Certificates](usmt-migrate-efs-files-and-certificates.md) and the Encrypted File Options in [ScanState Syntax](usmt-scanstate-syntax.md). +For more information, see [Migrate EFS files and certificates](usmt-migrate-efs-files-and-certificates.md) and [Encrypted file options](usmt-scanstate-syntax.md#encrypted-file-options). -### Migrating Locked Files with the Hard-Link Migration Store +### Migrating locked files with the hard-link migration store Files that are locked by an application or the operating system are handled differently when using a hard-link migration store. -Files that are locked by the operating system cannot remain in place and must be copied into the hard-link migration store. As a result, selecting many operating-system files for migration significantly reduces performance during a hard-link migration. As a best practice, we recommend that you do not migrate any files out of the \\Windows directory, which minimizes performance-related issues. +Files that are locked by the operating system can't remain in place and must be copied into the hard-link migration store. As a result, selecting many operating-system files for migration significantly reduces performance during a hard-link migration. As a best practice, we recommend that you don't migrate any files out of the `\Windows directory`, which minimizes performance-related issues. -Files that are locked by an application are treated the same in hard-link migrations as in other scenarios when the volume shadow-copy service is not being utilized. The volume shadow-copy service cannot be used with hard-link migrations. However, by modifying the new `` section in the Config.xml file, it is possible to enable the migration of files locked by an application. +Files that are locked by an application are treated the same in hard-link migrations as in other scenarios when the volume shadow-copy service isn't being utilized. The volume shadow-copy service can't be used with hard-link migrations. However, by modifying the new **<HardLinkStoreControl>** section in the `Config.xml` file, it's possible to enable the migration of files locked by an application. > [!IMPORTANT] -> There are some scenarios in which modifying the `` section in the Config.xml file makes it more difficult to delete a hard-link migration store. In these scenarios, you must use USMTutils.exe to schedule the migration store for deletion on the next restart. +> There are some scenarios in which modifying the **<HardLinkStoreControl>** section in the `Config.xml` file makes it more difficult to delete a hard-link migration store. In these scenarios, you must use `UsmtUtils.exe` to schedule the migration store for deletion on the next restart. -## XML Elements in the Config.xml File +## XML elements in the Config.xml file -A new section in the Config.xml file allows optional configuration of some of the hard-link migration behavior introduced with the **/HardLink** option. +A new section in the `Config.xml` file allows optional configuration of some of the hard-link migration behavior introduced with the `/HardLink` option. | Element | Description | |--- |--- | -| `` | This element contains elements that describe the policies that USMT follows while creating a migration store. | -| `` | This element contains elements that describe how to handle files during the creation of a hard link migration store. | -| `` | This element contains elements that describe how to handle files that are locked for editing. | -| `` | This element defines a standard MigXML pattern that describes file paths where hard links should be created, even if the file is locked for editing by another application.

    Syntax: `` [pattern] `` | -| `` | This element defines a standard MigXML pattern that describes file paths where hard links should not be created, if the file is locked for editing by another application.

    `` [pattern] `` | +| **<Policies>** | This element contains elements that describe the policies that USMT follows while creating a migration store. | +| **<HardLinkStoreControl>** | This element contains elements that describe how to handle files during the creation of a hard link migration store. | +| **<fileLocked>** | This element contains elements that describe how to handle files that are locked for editing. | +| **<createHardLink>** | This element defines a standard MigXML pattern that describes file paths where hard links should be created, even if the file is locked for editing by another application.

    Syntax: `` [pattern] `` | +| **<errorHardLink>** | This element defines a standard MigXML pattern that describes file paths where hard links shouldn't be created, if the file is locked for editing by another application.

    `` [pattern] `` | > [!IMPORTANT] -> You must use the **/nocompress** option with the **/HardLink** option. +> You must use the `/nocompress` option with the `/HardLink` option. -The following XML sample specifies that files locked by an application under the \\Users directory can remain in place during the migration. It also specifies that locked files that are not located in the \\Users directory should result in the **File in Use** error. It is important to exercise caution when specifying the paths using the **File in Use``** tag in order to minimize scenarios that make the hard-link migration store more difficult to delete. +The following XML sample specifies that files locked by an application under the `\Users` directory can remain in place during the migration. It also specifies that locked files that aren't located in the `\Users` directory should result in the **File in Use** error. It's important to exercise caution when specifying the paths using the ``** tag in order to minimize scenarios that make the hard-link migration store more difficult to delete. -``` xml +```xml @@ -177,6 +155,6 @@ The following XML sample specifies that files locked by an application under the ``` -## Related topics +## Related articles -[Plan Your Migration](usmt-plan-your-migration.md) +[Plan your migration](usmt-plan-your-migration.md) diff --git a/windows/deployment/usmt/usmt-how-it-works.md b/windows/deployment/usmt/usmt-how-it-works.md index 37ea9bd0bc..23bb493204 100644 --- a/windows/deployment/usmt/usmt-how-it-works.md +++ b/windows/deployment/usmt/usmt-how-it-works.md @@ -2,131 +2,121 @@ title: How USMT Works (Windows 10) description: Learn how USMT works and how it includes two tools that migrate settings and data - ScanState and LoadState. ms.reviewer: -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski +author: frankroj ms.topic: article ms.technology: itpro-deploy +ms.date: 11/01/2022 --- -# How USMT Works +# How USMT works +USMT includes two tools that migrate settings and data: **ScanState** and **LoadState**. **ScanState** collects information from the source computer, and **LoadState** applies that information to the destination computer. -USMT includes two tools that migrate settings and data: ScanState and LoadState. ScanState collects information from the source computer, and LoadState applies that information to the destination computer. +- [How USMT works](#how-usmt-works) + - [The ScanState process](#the-scanstate-process) + - [The LoadState process](#the-loadstate-process) + - [Related articles](#related-articles) -- [ScanState Process](#the-scanstate-process) -- [LoadState Process](#the-loadstate-process) + > [!NOTE] + > For more information about how USMT processes the rules and the XML files, see [Conflicts and precedence](usmt-conflicts-and-precedence.md). - **Note**   - For more information about how USMT processes the rules and the XML files, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md). +## The ScanState process -## The ScanState Process +When you run the **ScanState** tool on the source computer, it goes through the following process: -When you run the ScanState tool on the source computer, it goes through the following process: +1. It parses and validates the command-line parameters, creates the `ScanState.log` file, and then begins logging. -1. It parses and validates the command-line parameters, creates the ScanState.log file, and then begins logging. - -2. It collects information about all of the migration components that need to be migrated. A *migration component* is a logical group of files, registry keys, and values. For example, the set of files, registry keys, and values that store the settings of Adobe Acrobat is grouped into a single migration component. +2. It collects information about all of the migration components that need to be migrated. A *migration component* is a logical group of files, registry keys, and values. For example, the set of files, registry keys, and values that store the settings of Adobe Acrobat is grouped into a single migration component. There are three types of components: - - Components that migrate the operating system settings - - Components that migrate application settings - - Components that migrate users’ files + - Components that migrate the operating system settings + + - Components that migrate application settings - The ScanState tool collects information about the application settings and user data components from the .xml files that are specified on the command line. + - Components that migrate users' files - In Windows 7, and Windows 8, the manifest files control how the operating-system settings are migrated. You cannot modify these files. If you want to exclude certain operating-system settings, you must create and modify a Config.xml file. + The **ScanState** tool collects information about the application settings and user data components from the .xml files that are specified on the command line. -3. ScanState determines which user profiles should be migrated. By default, all user profiles on the source computer are migrated. However, you can include and exclude users using the User Options. The public profile in a source computer running Windows 7, Windows 8, and Windows 10 is always migrated, and you cannot exclude these profiles from the migration. + In Windows 7, and Windows 8, the manifest files control how the operating-system settings are migrated. You can't modify these files. If you want to exclude certain operating-system settings, you must create and modify a `Config.xml` file. -4. In the "Scanning" phase, ScanState does the following for each user profile selected for migration: +3. **ScanState** determines which user profiles should be migrated. By default, all user profiles on the source computer are migrated. However, you can include and exclude users using the User Options. The public profile in a source computer running Windows 7, Windows 8, and Windows 10 is always migrated, and you can't exclude these profiles from the migration. - 1. For each component, ScanState checks the type of the component. If the current user profile is the system profile and the component type is “System” or “UserAndSystem”, the component is selected for this user. Otherwise, the component is ignored. Alternatively, if the current user profile is not the system profile and the component type is “User” or “UserAndSystem”, the component is selected for this user. Otherwise, this component is ignored. +4. In the **Scanning** phase, **ScanState** does the following for each user profile selected for migration: - **Note**   - From this point on, ScanState does not distinguish between components that migrate operating-system settings, those that migrate application settings, and those that migrate users’ files. ScanState processes all components in the same way. + 1. For each component, **ScanState** checks the type of the component. If the current user profile is the system profile and the component type is **System** or **UserAndSystem**, the component is selected for this user. Otherwise, the component is ignored. Alternatively, if the current user profile isn't the system profile and the component type is **User** or **UserAndSystem**, the component is selected for this user. Otherwise, this component is ignored. - 2. Each component that is selected in the previous step is processed further. Any profile-specific variables (such as CSIDL\_PERSONAL) are evaluated in the context of the current profile. For example, if the profile that is being processed belongs to “User1”, then CSIDL\_PERSONAL would expand to C:\\Users\\User1\\Documents, assuming that the user profiles are stored in the C:\\Users directory. + > [!NOTE] + > From this point on, **ScanState** does not distinguish between components that migrate operating-system settings, those that migrate application settings, and those that migrate users' files. **ScanState** processes all components in the same way. - 3. For each selected component, ScanState evaluates the <detects> section. If the condition in the <detects> section evaluates to false, the component is not processed any further. Otherwise, the processing of this component continues. + 2. Each component that is selected in the previous step is processed further. Any profile-specific variables (such as **CSIDL_PERSONAL**) are evaluated in the context of the current profile. For example, if the profile that is being processed belongs to **User1**, then **CSIDL_PERSONAL** would expand to `C:\Users\User1\Documents`, assuming that the user profiles are stored in the `C:\Users` directory. - 4. For each selected component, ScanState evaluates the <rules> sections. For each <rules> section, if the current user profile is the system profile and the context of the <rules> section is “System” or “UserAndSystem”, the rule is processed further. Otherwise, this rule is ignored. Alternatively, if the current user profile is not the system profile and the context of the <rules> section is “User” or “UserAndSystem”, the rule is processed further. Otherwise, this rule is ignored. + 3. For each selected component, **ScanState** evaluates the **<detects>** section. If the condition in the **<detects>** section evaluates to false, the component isn't processed any further. Otherwise, the processing of this component continues. - 5. ScanState creates a list of migration units that need to be migrated by processing the various subsections under this <rules> section. Each unit is collected if it is mentioned in an <include> subsection, as long as there is not a more specific rule for it in an <exclude> subsection in the same <rules> section. For more information about precedence in the .xml files, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md). + 4. For each selected component, **ScanState** evaluates the **<rules>** sections. For each **<rules>** section, if the current user profile is the system profile and the context of the **<rules>** section is **System** or **UserAndSystem**, the rule is processed further. Otherwise, this rule is ignored. Alternatively, if the current user profile isn't the system profile and the context of the **<rules>** section is **User** or **UserAndSystem**, the rule is processed further. Otherwise, this rule is ignored. - In addition, any migration unit (such as a file, registry key, or set of registry values) that is in an <UnconditionalExclude> section is not migrated. + 5. **ScanState** creates a list of migration units that need to be migrated by processing the various subsections under this **<rules>** section. Each unit is collected if it's mentioned in an **<include>** subsection, as long as there isn't a more specific rule for it in an **<exclude>** subsection in the same **<rules>** section. For more information about precedence in the .xml files, see [Conflicts and precedence](usmt-conflicts-and-precedence.md). - **Note**   - ScanState ignores some subsections such as <destinationCleanup> and <locationModify>. These sections are evaluated only on the destination computer. + In addition, any migration unit (such as a file, registry key, or set of registry values) that is in an <UnconditionalExclude> section isn't migrated. -5. In the "Collecting" phase, ScanState creates a master list of the migration units by combining the lists that were created for each selected user profile. + > [!NOTE] + > **ScanState** ignores some subsections such as <destinationCleanup> and <locationModify>. These sections are evaluated only on the destination computer. -6. In the "Saving" phase, ScanState writes the migration units that were collected to the store location. +5. In the **Collecting** phase, **ScanState** creates a master list of the migration units by combining the lists that were created for each selected user profile. - **Note**   - ScanState does not modify the source computer in any way. +6. In the **Saving** phase, **ScanState** writes the migration units that were collected to the store location. -## The LoadState Process + > [!NOTE] + > **ScanState** does not modify the source computer in any way. +## The LoadState process -The LoadState process is very similar to the ScanState process. The ScanState tool collects migration units such as file, registry key, or registry values from the source computer and saves them to the store. Similarly, the LoadState tool collects migration units from the store and applies them to the destination computer. +The **LoadState** process is similar to the **ScanState** process. The **ScanState** tool collects migration units such as file, registry key, or registry values from the source computer and saves them to the store. Similarly, the **LoadState** tool collects migration units from the store and applies them to the destination computer. -1. ScanState parses and validates the command-line parameters, creates the ScanState.log file, and then begins logging. +1. **ScanState** parses and validates the command-line parameters, creates the `ScanState.log` file, and then begins logging. -2. LoadState collects information about the migration components that need to be migrated. +2. **LoadState** collects information about the migration components that need to be migrated. - LoadState obtains information for the application-settings components and user-data components from the migration .xml files that are specified by the LoadState command. + **LoadState** obtains information for the application-settings components and user-data components from the migration .xml files that are specified by the `LoadState.exe` command. - In Windows 7, and Windows 8, the manifest files control how the operating-system settings are migrated. You cannot modify these files. If you want to exclude certain operating-system settings, you must create and modify a Config.xml file. + In Windows 7, Windows 8, and Windows 10, the manifest files control how the operating-system settings are migrated. You can't modify these files. If you want to exclude certain operating-system settings, you must create and modify a `Config.xml` file. -3. LoadState determines which user profiles should be migrated. By default, all user profiles present on the source computer are migrated. However, you can include and exclude users using the User Options. The system profile, the "All users" profile in a source computer running Windows XP, or the Public profile in a source computer running Windows Vista, Windows 7, and Windows 8, is always migrated and you cannot exclude these profiles from the migration. +3. **LoadState** determines which user profiles should be migrated. By default, all user profiles present on the source computer are migrated. However, you can include and exclude users using the **User Options**. The system profile, the Public profile in a source computer running Windows 7, Windows 8, and Windows 10 is always migrated and you can't exclude these profiles from the migration. - - If you are migrating local user accounts and if the accounts do not already exist on the destination computer, you must use the/lac command-line option. If you do not specify the **/lac** option, any local user accounts that are not already present on the destination computer, are not migrated. + - If you're migrating local user accounts and if the accounts don't already exist on the destination computer, you must use the `/lac` command-line option. If you don't specify the `/lac` option, any local user accounts that aren't already present on the destination computer, aren't migrated. - - The **/md** and **/mu** options are processed to rename the user profile on the destination computer, if they have been included when the LoadState command was specified. + - The `/md` and `/mu` options are processed to rename the user profile on the destination computer, if they've been included when the `LoadState.exe` command was specified. - - For each user profile selected from the store, LoadState creates a corresponding user profile on the destination computer. The destination computer does not need to be connected to the domain for domain user profiles to be created. If USMT cannot determine a domain, it attempts to apply the settings to a local account. For more information, see [Identify Users](usmt-identify-users.md). + - For each user profile selected from the store, **LoadState** creates a corresponding user profile on the destination computer. The destination computer doesn't need to be connected to the domain for domain user profiles to be created. If USMT can't determine a domain, it attempts to apply the settings to a local account. For more information, see [Identify Users](usmt-identify-users.md). -4. In the "Scanning" phase, LoadState does the following for each user profile: +4. In the **Scanning** phase, **LoadState** does the following for each user profile: - 1. For each component, LoadState checks the type of the component. If the current user profile is the system profile and the component type is “System” or “UserAndSystem”, the component is selected for this user. Otherwise, the component is ignored. Alternatively, if the current user profile is not the system profile and the component type is “User” or “UserAndSystem”, the component is selected for this user. Otherwise, this component is ignored. + 1. For each component, **LoadState** checks the type of the component. If the current user profile is the system profile and the component type is **System** or **UserAndSystem**, the component is selected for this user. Otherwise, the component is ignored. Alternatively, if the current user profile isn't the system profile and the component type is **User** or **UserAndSystem**, the component is selected for this user. Otherwise, this component is ignored. - **Note** - From this point on, LoadState does not distinguish between components that migrate operating-system settings, those that migrate application settings, and those that migrate users’ files. LoadState evaluates all components in the same way. + > [!NOTE] + > From this point on, **LoadState** does not distinguish between components that migrate operating-system settings, those that migrate application settings, and those that migrate users' files. **LoadState** evaluates all components in the same way. - + 2. Each component that is selected is processed further. Any profile-specific variables (such as **CSIDL_PERSONAL**) are evaluated in the context of the current profile. For example, if the profile being processed belongs to **User1**, then **CSIDL_PERSONAL** would expand to `C:\Users\User1\Documents` (assuming that the user profiles are stored in the `C:\Users` directory). - 2. Each component that is selected is processed further. Any profile-specific variables (such as CSIDL\_PERSONAL) are evaluated in the context of the current profile. For example, if the profile being processed belongs to “User1”, then CSIDL\_PERSONAL would expand to C:\\Users\\User1\\Documents (assuming that the user profiles are stored in the C:\\Users directory). + > [!NOTE] + > **LoadState** ignores the **<detects>** section specified in a component. At this point, all specified components are considered to be detected and are selected for migration. - **Note** - LoadState ignores the <detects> section specified in a component. At this point, all specified components are considered to be detected and are selected for migration. + 3. For each selected component, **LoadState** evaluates the **<rules>** sections. For each **<rules>** section, if the current user profile is the system profile and the context of the **<rules>** section is **System** or **UserAndSystem**, the rule is processed further. Otherwise, this rule is ignored. Alternatively, if the current user profile isn't the system profile and the context of the **<rules>** section is **User** or **UserAndSystem**, the rule is processed further. Otherwise, this rule is ignored. - + 4. **LoadState** creates a master list of migration units by processing the various subsections under the **<rules>** section. Each migration unit that is in an **<include>** subsection is migrated as long, as there isn't a more specific rule for it in an **<exclude>** subsection in the same **<rules>** section. For more information about precedence, see [Conflicts and precedence](usmt-conflicts-and-precedence.md). - 3. For each selected component, LoadState evaluates the <rules> sections. For each <rules> section, if the current user profile is the system profile and the context of the <rules> section is “System” or “UserAndSystem”, the rule is processed further. Otherwise, this rule is ignored. Alternatively, if the current user profile is not the system profile and the context of the <rules> section is “User” or “UserAndSystem”, the rule is processed further. Otherwise, this rule is ignored. - - 4. LoadState creates a master list of migration units by processing the various subsections under the <rules> section. Each migration unit that is in an <include> subsection is migrated as long, as there is not a more specific rule for it in an <exclude> subsection in the same <rules> section. For more information about precedence, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md). - - 5. LoadState evaluates the destination computer-specific subsections; for example, the <destinationCleanup> and <locationModify> subsections. - - 6. If the destination computer is running Windows 7 or Windows 8 then the migunits that were collected by ScanState using downlevel manifest files are processed by LoadState using the corresponding Component Manifest for Windows 7. The downlevel manifest files are not used during LoadState. - - **Important** - It is important to specify the .xml files with the LoadState command if you want LoadState to use them. Otherwise, any destination-specific rules, such as <locationModify>, in these .xml files are ignored, even if the same .xml files were provided when the ScanState command ran. - -5. In the "Apply" phase, LoadState writes the migration units that were collected to the various locations on the destination computer. If there are conflicts and there is not a <merge> rule for the object, the default behavior for the registry is for the source to overwrite the destination. The default behavior for files is for the source to be renamed incrementally, for example, OriginalFileName(1).OriginalExtension. Some settings, such as fonts, wallpaper, and screen-saver settings, do not take effect until the next time the user logs on. For this reason, you should log off when the LoadState command actions have completed. - -## Related topics - -[User State Migration Tool (USMT) Command-line Syntax](usmt-command-line-syntax.md) - - - - + 5. **LoadState** evaluates the destination computer-specific subsections, for example, the **<destinationCleanup>** and **<locationModify>** subsections. + 6. If the destination computer is running Windows 7, Windows 8, or Windows 10, then the migunits that were collected by **ScanState** using downlevel manifest files are processed by **LoadState** using the corresponding Component Manifest for Windows 7. The downlevel manifest files aren't used during **LoadState**. + > [!IMPORTANT] + > It is important to specify the .xml files with the `LoadState.exe` command if you want **LoadState** to use them. Otherwise, any destination-specific rules, such as **<locationModify>**, in these .xml files are ignored, even if the same .xml files were provided when the `ScanState.exe` command ran. +5. In the **Apply** phase, **LoadState** writes the migration units that were collected to the various locations on the destination computer. If there are conflicts and there isn't a **<merge>** rule for the object, the default behavior for the registry is for the source to overwrite the destination. The default behavior for files is for the source to be renamed incrementally, for example, OriginalFileName(1).OriginalExtension. Some settings, such as fonts, wallpaper, and screen-saver settings, don't take effect until the next time the user logs on. For this reason, you should sign out when the `LoadState.exe` command actions have completed. +## Related articles +[User State Migration Tool (USMT) command-line syntax](usmt-command-line-syntax.md) diff --git a/windows/deployment/usmt/usmt-how-to.md b/windows/deployment/usmt/usmt-how-to.md index 673ccff26e..e234211ca1 100644 --- a/windows/deployment/usmt/usmt-how-to.md +++ b/windows/deployment/usmt/usmt-how-to.md @@ -1,33 +1,35 @@ --- -title: User State Migration Tool (USMT) How-to topics (Windows 10) -description: Reference the topics in this article to learn how to use User State Migration Tool (USMT) 10.0 to perform specific tasks. +title: User State Migration Tool (USMT) How-to articles (Windows 10) +description: Reference the articles in this article to learn how to use User State Migration Tool (USMT) 10.0 to perform specific tasks. ms.reviewer: -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski -ms.date: 04/19/2017 +author: frankroj +ms.date: 11/01/2022 ms.topic: article ms.technology: itpro-deploy --- -# User State Migration Tool (USMT) How-to topics -The following table lists topics that describe how to use User State Migration Tool (USMT) 10.0 to perform specific tasks. +# User State Migration Tool (USMT) how-to articles -## In This Section +The following table lists articles that describe how to use User State Migration Tool (USMT) 10.0 to perform specific tasks. -|Topic |Description| -|------|-----------| -|[Exclude Files and Settings](usmt-exclude-files-and-settings.md)|Create a custom .xml file to exclude files, file types, folders, or registry settings from your migration.| -|[Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md)|Recover files from a compressed migration store after installing the operating system.| -|[Include Files and Settings](usmt-include-files-and-settings.md)|Create a custom .xml file to include files, file types, folders, or registry settings in your migration.| -|[Migrate Application Settings](migrate-application-settings.md)|Migrate the settings of an application that the MigApp.xml file does not include by default.| -|[Migrate EFS Files and Certificates](usmt-migrate-efs-files-and-certificates.md)|Migrate Encrypting File System (EFS) certificates by using USMT.| -|[Migrate User Accounts](usmt-migrate-user-accounts.md)|Specify the users to include and exclude in your migration.| -|[Reroute Files and Settings](usmt-reroute-files-and-settings.md)|Create a custom .xml file to reroute files and settings during a migration.| -|[Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md)|Determine whether a compressed migration store is intact, or whether it contains corrupt files or a corrupt catalog.| +## In this section -## Related topics -- [User State Migration Tool (USMT) Overview Topics](usmt-topics.md) -- [User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md) -- [User State Migration Toolkit (USMT) Reference](usmt-reference.md) +| Link | Description | +|------ |----------- | +|[Exclude files and settings](usmt-exclude-files-and-settings.md)|Create a custom .xml file to exclude files, file types, folders, or registry settings from your migration.| +|[Extract files from a compressed USMT migration store](usmt-extract-files-from-a-compressed-migration-store.md)|Recover files from a compressed migration store after installing the operating system.| +|[Include files and settings](usmt-include-files-and-settings.md)|Create a custom .xml file to include files, file types, folders, or registry settings in your migration.| +|[Migrate application settings](migrate-application-settings.md)|Migrate the settings of an application that the MigApp.xml file doesn't include by default.| +|[Migrate EFS files and certificates](usmt-migrate-efs-files-and-certificates.md)|Migrate Encrypting File System (EFS) certificates by using USMT.| +|[Migrate user accounts](usmt-migrate-user-accounts.md)|Specify the users to include and exclude in your migration.| +|[Reroute files and settings](usmt-reroute-files-and-settings.md)|Create a custom .xml file to reroute files and settings during a migration.| +|[Verify the condition of a compressed migration store](verify-the-condition-of-a-compressed-migration-store.md)|Determine whether a compressed migration store is intact, or whether it contains corrupt files or a corrupt catalog.| + +## Related articles + +- [User State Migration Tool (USMT) overview topics](usmt-topics.md) +- [User State Migration Tool (USMT) troubleshooting](usmt-troubleshooting.md) +- [User State Migration Toolkit (USMT) reference](usmt-reference.md) diff --git a/windows/deployment/usmt/usmt-identify-application-settings.md b/windows/deployment/usmt/usmt-identify-application-settings.md index 586733f45e..24278e020b 100644 --- a/windows/deployment/usmt/usmt-identify-application-settings.md +++ b/windows/deployment/usmt/usmt-identify-application-settings.md @@ -1,60 +1,46 @@ --- title: Identify Applications Settings (Windows 10) -description: Identify which applications and settings you want to migrate before using the User State Migration Tool (USMT). +description: Identify which applications and settings you want to migrate before using the User State Migration Tool (USMT). ms.reviewer: -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski -ms.date: 04/19/2017 +author: frankroj +ms.date: 11/01/2022 ms.topic: article ms.technology: itpro-deploy --- -# Identify Applications Settings +# Identify applications settings - -When planning for your migration, you should identify which applications and settings you want to migrate. For more information about how to create a custom .xml file to migrate the settings of another application, see [Customize USMT XML Files](usmt-customize-xml-files.md). +When planning for your migration, you should identify which applications and settings you want to migrate. For more information about how to create a custom .xml file to migrate the settings of another application, see [Customize USMT XML files](usmt-customize-xml-files.md). ## Applications +First, create and prioritize a list of applications that need to be migrated. It may be helpful to review the application lists and decide which applications will be redeployed and which applications will be retired. Often, what applications are migrated are prioritized based on a combination of how widely the application is used and how complex the application is. -First, create and prioritize a list of applications that to be migrated. It may be helpful to review the application lists and decide which applications will be redeployed and which applications will be retired. Often, the applications are prioritized based on a combination of how widely the application is used and how complex the application is. +Next, identify an application owner to be in charge of each application. Application ownership identification is necessary because the developers won't be experts on all of the applications in the organization. The application owner should have the most experience with an application. The application owner provides insight into how the organization installs, configures, and uses the application. -Next, identify an application owner to be in charge of each application. This is necessary because the developers will not be experts on all of the applications in the organization. The application owner should have the most experience with an application. The application owner provides insight into how the organization installs, configures, and uses the application. +## Application settings -## Application Settings +Next, determine and locate the application settings to be migrated. You can acquire much of the information that you need for this step when you're testing the new applications for compatibility with the new operating system. +After completing the list of applications to be migrated, review the list, and work with each application owner on a list of settings to be migrated. For each setting, determine whether it needs to be migrated or if the default settings are adequate. Then, determine where the setting is located, for example, in the registry or in an .ini file. Next, consider the following questions to determine what needs to be done to migrate the setting successfully: -Next, determine and locate the application settings to be migrated. You can acquire much of the information that you need for this step when you are testing the new applications for compatibility with the new operating system. +- Is the destination version of the application newer than the source version? -After completing the list of applications to be migrated, review the list and work with each application owner on a list of settings to be migrated. For each setting, determine whether it needs to be migrated or if the default settings are adequate. Then, determine where the setting is located; for example, in the registry or in an .ini file. Next, consider the following questions to determine what needs to be done to migrate the setting successfully: +- Do these settings work with the new version? -- Is the destination version of the application newer than the source version? +- Do the settings need to be moved or altered? -- Do these settings work with the new version? - -- Do the settings need to be moved or altered? - -- Can the first-run process force the application to appear as if it had run already? If so, does this work correctly, or does it break the application? +- Can the first-run process force the application to appear as if it had run already? If so, does this work correctly, or does it break the application? After answering these questions, create a custom .xml file to migrate settings. Work with the application owner to develop test cases and to determine the file types that need to be migrated for the application. -## Locating Where Settings Are Stored - - -See [Migrate Application Settings](migrate-application-settings.md) and follow the directions. - -## Related topics - - -[Determine What to Migrate](usmt-determine-what-to-migrate.md) - -  - -  - - +## Locating where settings are stored +See [Migrate application settings](migrate-application-settings.md) and follow the directions. +## Related articles +[Determine what to migrate](usmt-determine-what-to-migrate.md) diff --git a/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md b/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md index 86e1f15aa7..01625d4d37 100644 --- a/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md +++ b/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md @@ -2,48 +2,40 @@ title: Identify File Types, Files, and Folders (Windows 10) description: Learn how to identify the file types, files, folders, and settings that you want to migrate when you're planning your migration. ms.reviewer: -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski -ms.date: 04/19/2017 +author: frankroj +ms.date: 11/01/2022 ms.topic: article ms.technology: itpro-deploy --- -# Identify File Types, Files, and Folders +# Identify file types, files, and folders +When planning for your migration, if not using MigDocs.xml, you should identify the file types, files, folders, and settings that you want to migrate. First, you should determine the standard file locations on each computer, such as **My Documents** , `C:\Data` , and company-specified locations, such as `\\EngineeringDrafts`. Next, you should determine and locate the non-standard locations. For non-standard locations, consider the following items: -When planning for your migration, if not using MigDocs.xml, you should identify the file types, files, folders, and settings that you want to migrate. First, you should determine the standard file locations on each computer, such as **My Documents.** , **C:\\Data** , and company-specified locations, such as **\\EngineeringDrafts**. Next, you should determine and locate the non-standard locations. For non-standard locations, consider the following: +- **File types**. Consider which file types need to be included and excluded from the migration. You can create this list based on common applications used in your organization. Applications normally use specific file name extensions. For example, Microsoft Office Word primarily uses `.doc`, `.docx` and `.dotx` file name extension. However, it also uses other file types, such as templates (`.dot` files), on a less frequent basis. -- **File types**. Consider which file types need to be included and excluded from the migration. You can create this list based on common applications used in your organization. Applications normally use specific file name extensions. For example, Microsoft Office Word primarily uses .doc, .docx and .dotx file name extension. However, it also uses other file types, such as templates (.dot files), on a less frequent basis. +- **Excluded locations**. Consider the locations on the computer that should be excluded from the migration (for example, `%WINDIR%` and **Program Files**). -- **Excluded locations**. Consider the locations on the computer that should be excluded from the migration (for example, %WINDIR% and Program Files). +- **New locations**. Decide where files should be migrated to on the destination computer, such as **My Documents**, a designated folder, or a folder matching the files' name and location on the source computer. For example, you might have shared data on source machine or you might wish to clean up documents outside the user profiles on the source system. Identify any data that needs to be redirected to a new location in the apply phase. Redirection can be accomplished with location modify rules. -- **New locations**. Decide where files should be migrated to on the destination computer for example, \\My Documents, a designated folder, or a folder matching the files' name and location on the source computer. For example, you might have shared data on source machine or you might wish to clean up documents outside the user profiles on the source system. Identify any data that needs to be redirected to a new location in the apply phase. This can be accomplished with location modify rules. +Once you've verified which files and file types that the end users work with regularly, you'll need to locate them. Files may be saved to a single folder or scattered across a drive. A good starting point for finding files types to include is to look at the registered file types on the computer. -Once you have verified which files and file types that the end users work with regularly, you will need to locate them. Files may be saved to a single folder or scattered across a drive. A good starting point for finding files types to include is to look at the registered file types on the computer. +To find the registered file types on a computer running Windows 7, Windows 8, Windows 10, or Windows 11: -**To find the registered file types on a computer running Windows 7 or Windows 8** +1. Open **Control Panel** +2. Make sure **View by:** is set to **Category** and then select **Programs**. -1. Click **Start**. Open **Control Panel**, click **Control Panel Home**, and click **Programs**. - -2. Click **Default Programs**, and click **Associate a file type or protocol with a program**. - -3. On this screen, the registered file types are displayed. - -For more information about how to change the file types, files, and folders that are migrated when you specify the MigUser.xml file, see [User State Migration Tool (USMT) How-to topics](usmt-how-to.md). - -## Related topics - - -[Determine What to Migrate](usmt-determine-what-to-migrate.md) - -  - -  +3. Select **Default Programs** +4. select **Associate a file type or protocol with a program**. +5. On this screen, the registered file types are displayed. +For more information about how to change the file types, files, and folders that are migrated when you specify the MigUser.xml file, see [User State Migration Tool (USMT) how-to topics](usmt-how-to.md). +## Related articles +[Determine what to migrate](usmt-determine-what-to-migrate.md) diff --git a/windows/deployment/usmt/usmt-identify-operating-system-settings.md b/windows/deployment/usmt/usmt-identify-operating-system-settings.md index 71a553ad8f..9b3d93da8e 100644 --- a/windows/deployment/usmt/usmt-identify-operating-system-settings.md +++ b/windows/deployment/usmt/usmt-identify-operating-system-settings.md @@ -2,57 +2,44 @@ title: Identify Operating System Settings (Windows 10) description: Identify which system settings you want to migrate, then use the User State Migration Tool (USMT) to select settings and keep the default values for all others. ms.reviewer: -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski -ms.date: 04/19/2017 +author: frankroj +ms.date: 11/01/2022 ms.topic: article ms.technology: itpro-deploy --- -# Identify Operating System Settings +# Identify operating system settings +When planning for your migration, you should identify which operating system settings you want to migrate and to what extent you want to create a new standard environment on each of the computers. User State Migration Tool (USMT) 10.0 enables you to migrate select settings and keep the default values for all others. The operating system settings include the following parameters: -When planning for your migration, you should identify which operating system settings you want to migrate and to what extent you want to create a new standard environment on each of the computers. User State Migration Tool (USMT) 10.0 enables you to migrate select settings and keep the default values for all others. The operating system settings include the following parameters: - -- **Appearance.** +- **Appearance** The appearance factor includes items such as wallpaper, colors, sounds, and the location of the taskbar. -- **Action.** +- **Action** The action factor includes items such as the key-repeat rate, whether double-clicking a folder opens it in a new window or the same window, and whether you need to single-click or double-click an item to open it. -- **Internet.** +- **Internet** The Internet factor includes the settings that let you connect to the Internet and control how your browser operates. The settings include items such as your home page URL, favorites, bookmarks, cookies, security settings, dial-up connections, and proxy settings. -- **Mail.** +- **Mail** The mail factor includes the information that you need to connect to your mail server, your signature file, views, mail rules, local mail, and contacts. -To help you decide which settings to migrate, you should consider any previous migration experiences and the results of any surveys and tests that you have conducted. You should also consider the number of help-desk calls related to operating-system settings that you have had in the past, and are able to handle in the future. Also decide how much of the new operating-system functionality you want to take advantage of. +To help you decide which settings to migrate, you should consider any previous migration experiences and the results of any surveys and tests that you've conducted. You should also consider the number of help-desk calls related to operating-system settings that you've had in the past, and are able to handle in the future. Also decide how much of the new operating-system functionality you want to take advantage of. -You should migrate any settings that users need to get their jobs done, those settings that make the work environment comfortable, and those settings that will reduce help-desk calls after the migration. Although it is easy to dismiss migrating user preferences, you should consider the factor of users spending a significant amount of time restoring items such as wallpaper, screen savers, and other customizable user-interface features. Most users do not remember how these settings were applied. Although these items are not critical to migration success, migrating these items increases user productivity and overall satisfaction of the migration process. +You should migrate any settings that users need to get their jobs done, those settings that make the work environment comfortable, and those settings that will reduce help-desk calls after the migration. Although it's easy to dismiss migrating user preferences, you should consider the factor of users spending a significant amount of time restoring items such as wallpaper, screen savers, and other customizable user-interface features. Most users don't remember how these settings were applied. Although these items aren't critical to migration success, migrating these items increases user productivity and overall satisfaction of the migration process. -**Note**   -For more information about how to change the operating-system settings that are migrated, see [User State Migration Tool (USMT) How-to topics](usmt-how-to.md). +> [!NOTE] +> For more information about how to change the operating-system settings that are migrated, see [User State Migration Tool (USMT) how-to topics](usmt-how-to.md). -For information about the operating-system settings that USMT migrates, see [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md) - - - -## Related topics +For information about the operating-system settings that USMT migrates, see [What does USMT migrate?](usmt-what-does-usmt-migrate.md) +## Related articles [Determine What to Migrate](usmt-determine-what-to-migrate.md) - - - - - - - - - diff --git a/windows/deployment/usmt/usmt-identify-users.md b/windows/deployment/usmt/usmt-identify-users.md index 59be0df0d4..270b1902c3 100644 --- a/windows/deployment/usmt/usmt-identify-users.md +++ b/windows/deployment/usmt/usmt-identify-users.md @@ -1,63 +1,58 @@ --- title: Identify Users (Windows 10) -description: Learn how to identify users you plan to migrate, as well as how to migrate local accounts and domain accounts. +description: Learn how to identify users you plan to migrate, and how to migrate local accounts and domain accounts. ms.reviewer: -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski +author: frankroj ms.topic: article ms.localizationpriority: medium ms.technology: itpro-deploy +ms.date: 11/01/2022 --- -# Identify Users +# Identify users -It is important to carefully consider how you plan to migrate users. By default, all users are migrated by User State Migration Tool (USMT) 5.0. You must specify which users to include by using the command line. You cannot specify users in the .xml files. For instructions on how to migrate users, see [Migrate User Accounts](usmt-migrate-user-accounts.md). +It's important to carefully consider how you plan to migrate users. By default, all users are migrated by User State Migration Tool (USMT) 5.0. You must specify which users to include by using the command line. You can't specify users in the .xml files. For instructions on how to migrate users, see [Migrate user accounts](usmt-migrate-user-accounts.md). -## In this topic +## Migrating local accounts -- [Migrating Local Accounts](#bkmk-8) -- [Migrating Domain Accounts](#bkmk-9) -- [Command-Line Options](#bkmk-7) +Before migrating local accounts, be aware of the following items: -## Migrating Local Accounts +- **You must explicitly specify that local accounts that are not on the destination computer should be migrated**. If you're migrating local accounts and the local account doesn't exist on the destination computer, you must use the `/lac` option when using the `LoadState.exe` command. If the `/lac` option isn't specified, no local user accounts will be migrated. -Before migrating local accounts, note the following: +- **Consider whether to enable user accounts that are new to the destination computer.** The `/lae` option enables the account that was created with the `/lac` option. However, if you create a disabled local account by using only the `/lac` option, a local administrator must enable the account on the destination computer. -- [You must explicitly specify that local accounts that are not on the destination computer should be migrated.](#bkmk-8) If you are migrating local accounts and the local account does not exist on the destination computer, you must use the **/lac** option when using the LoadState command. If the **/lac** option is not specified, no local user accounts will be migrated. +- **Be careful when specifying a password for local accounts.** If you create the local account with a blank password, anyone could sign in that account on the destination computer. If you create the local account with a password, the password is available to anyone with access to the USMT command-line tools. -- [Consider whether to enable user accounts that are new to the destination computer.](#bkmk-8) The **/lae** option enables the account that was created with the **/lac** option. However, if you create a disabled local account by using only the **/lac** option, a local administrator must enable the account on the destination computer. +> [!NOTE] +> If there are multiple users on a computer, and you specify a password with the `/lac` option, all migrated users will have the same password. -- [Be careful when specifying a password for local accounts.](#bkmk-8) If you create the local account with a blank password, anyone could log on to that account on the destination computer. If you create the local account with a password, the password is available to anyone with access to the USMT command-line tools. +## Migrating domain accounts ->[!NOTE] ->If there are multiple users on a computer, and you specify a password with the **/lac** option, all migrated users will have the same password. +The source and destination computers don't need to be connected to the domain for domain user profiles to be migrated. -## Migrating Domain Accounts - -The source and destination computers do not need to be connected to the domain for domain user profiles to be migrated. - -## Command-Line Options +## Command-line options USMT provides several options to migrate multiple users on a single computer. The following command-line options specify which users to migrate. -- [Specifying users.](#bkmk-8) You can specify which users to migrate with the **/all**, **/ui**, **/uel**, and **/ue** options with both the ScanState and LoadState command-line tools. +- **Specifying users.** You can specify which users to migrate with the `/all`, `/ui`, `/uel`, and `/ue` options with both the **ScanState** and **LoadState** command-line tools. - >[!IMPORTANT] - >The **/uel** option excludes users based on the **LastModified** date of the Ntuser.dat file. The **/uel** option is not valid in offline migrations. + > [!IMPORTANT] + > The `/uel` option excludes users based on the **LastModified** date of the `Ntuser.dat` file. The `/uel` option is not valid in offline migrations. -- [Moving users to another domain.](#bkmk-8) You can move user accounts to another domain using the **/md** option with the LoadState command-line tool. +- **Moving users to another domain.** You can move user accounts to another domain using the `/md` option with the **LoadState** command-line tool. -- [Creating local accounts.](#bkmk-8) You can create and enable local accounts using the **/lac** and **/lae** options with the LoadState command-line tool. +- **Creating local accounts.** You can create and enable local accounts using the `/lac` and `/lae` options with the **LoadState** command-line tool. -- [Renaming user accounts.](#bkmk-8) You can rename user accounts using the **/mu** option. +- **Renaming user accounts.** You can rename user accounts using the `/mu` option. - >[!NOTE] + > [!NOTE] >By default, if a user name is not specified in any of the command-line options, the user will be migrated. -## Related topics +## Related articles -[Determine What to Migrate](usmt-determine-what-to-migrate.md)
    -[ScanState Syntax](usmt-scanstate-syntax.md)
    -[LoadState Syntax](usmt-loadstate-syntax.md) +- [Determine what to migrate](usmt-determine-what-to-migrate.md) +- [ScanState syntax](usmt-scanstate-syntax.md) +- [LoadState syntax](usmt-loadstate-syntax.md) diff --git a/windows/deployment/usmt/usmt-include-files-and-settings.md b/windows/deployment/usmt/usmt-include-files-and-settings.md index c6ef4174e5..7249c768be 100644 --- a/windows/deployment/usmt/usmt-include-files-and-settings.md +++ b/windows/deployment/usmt/usmt-include-files-and-settings.md @@ -1,41 +1,25 @@ --- title: Include Files and Settings (Windows 10) -description: Specify the migration .xml files you want, then use the User State Migration Tool (USMT) 10.0 to migrate the settings and components specified. +description: Specify the migration .xml files you want, then use the User State Migration Tool (USMT) 10.0 to migrate the settings and components specified. ms.reviewer: -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski -ms.date: 04/19/2017 +author: frankroj +ms.date: 11/01/2022 ms.topic: article ms.technology: itpro-deploy --- # Include Files and Settings +When you specify the migration .xml files, User State Migration Tool (USMT) 10.0 migrates the settings and components specified in [What does USMT migrate?](usmt-what-does-usmt-migrate.md). To include additional files and settings, we recommend that you create a custom .xml file, and then include this file when using both the `ScanState.exe` and `LoadState.exe` commands. By creating a custom .xml file, you can keep your changes separate from the default .xml files, which makes it easier to track your modifications. -When you specify the migration .xml files, User State Migration Tool (USMT) 10.0 migrates the settings and components specified in [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md) To include additional files and settings, we recommend that you create a custom .xml file and then include this file when using both the ScanState and LoadState commands. By creating a custom .xml file, you can keep your changes separate from the default .xml files, which makes it easier to track your modifications. - -In this topic: - -[Migrate a Single Registry Key](#bkmk-migsingleregkey) - -[Migrate a Specific Folder](#bkmk-migspecificfolder) - -[Migrate a Folder from a Specific Drive](#bkmk-migfoldspecdrive) - -[Migrate a Folder from Any Location](#bkmk-migfolderanyloc) - -[Migrate a File Type Into a Specific Folder](#bkmk-migfiletypetospecificfolder) - -[Migrate a Specific File](#bkmk-migspecificfile) - -## Migrate a Single Registry Key - +## Migrate a single registry key The following .xml file migrates a single registry key. -``` xml +```xml Component to migrate only registry value string @@ -52,56 +36,55 @@ The following .xml file migrates a single registry key. ``` -## Migrate a Specific Folder - +## Migrate a specific folder The following examples show how to migrate a folder from a specific drive, and from any location on the computer. -### Migrate a Folder from a Specific Drive +### Migrate a folder from a specific drive -- **Including subfolders.** The following .xml file migrates all files and subfolders from C:\\EngineeringDrafts to the destination computer. +- **Including subfolders.** The following .xml file migrates all files and subfolders from `C:\EngineeringDrafts` to the destination computer. - ``` xml + ```xml Component to migrate all Engineering Drafts Documents including subfolders -    -       + + C:\EngineeringDrafts\* [*] -     -    + + ``` -- **Excluding subfolders.** The following .xml file migrates all files from C:\\EngineeringDrafts, but it does not migrate any subfolders within C:\\EngineeringDrafts. +- **Excluding subfolders.** The following .xml file migrates all files from `C:\EngineeringDrafts`, but it doesn't migrate any subfolders within `C:\EngineeringDrafts`. - ``` xml + ```xml Component to migrate all Engineering Drafts Documents without subfolders -    -       + + C:\EngineeringDrafts\ [*] -     -    + + ``` -### Migrate a Folder from Any Location +### Migrate a folder from any location -The following .xml file migrates all files and subfolders of the EngineeringDrafts folder from any drive on the computer. If multiple folders exist with the same name, then all files with this name are migrated. +The following .xml file migrates all files and subfolders of the `EngineeringDrafts` folder from any drive on the computer. If multiple folders exist with the same name, then all files with this name are migrated. -``` xml +```xml Component to migrate all Engineering Drafts Documents folder on any drive on the computer @@ -119,9 +102,9 @@ The following .xml file migrates all files and subfolders of the EngineeringDraf ``` -The following .xml file migrates all files and subfolders of the EngineeringDrafts folder from any location on the C:\\ drive. If multiple folders exist with the same name, they are all migrated. +The following .xml file migrates all files and subfolders of the `EngineeringDrafts` folder from any location on the `C:\` drive. If multiple folders exist with the same name, they're all migrated. -``` xml +```xml Component to migrate all Engineering Drafts Documents EngineeringDrafts folder from where ever it exists on the C: drive @@ -139,12 +122,11 @@ The following .xml file migrates all files and subfolders of the EngineeringDraf ``` -## Migrate a File Type Into a Specific Folder +## Migrate a file type into a specific folder +The following .xml file migrates `.mp3` files located in the specified drives on the source computer into the `C:\Music` folder on the destination computer. -The following .xml file migrates .mp3 files located in the specified drives on the source computer into the C:\\Music folder on the destination computer. - -``` xml +```xml All .mp3 files to My Documents @@ -167,58 +149,47 @@ The following .xml file migrates .mp3 files located in the specified drives on t ``` -## Migrate a Specific File - +## Migrate a specific file The following examples show how to migrate a file from a specific folder, and how to migrate a file from any location. -- **To migrate a file from a folder.** The following .xml file migrates only the Sample.doc file from C:\\EngineeringDrafts on the source computer to the destination computer. +- **To migrate a file from a folder.** The following .xml file migrates only the `Sample.doc` file from `C:\EngineeringDrafts` on the source computer to the destination computer. - ``` xml + ```xml Component to migrate all Engineering Drafts Documents -    -       + + C:\EngineeringDrafts\ [Sample.doc] -     -    + + ``` -- **To migrate a file from any location.** To migrate the Sample.doc file from any location on the C:\\ drive, use the <pattern> element, as the following example shows. If multiple files exist with the same name on the C:\\ drive, all of files with this name are migrated. +- **To migrate a file from any location.** To migrate the `Sample.doc` file from any location on the `C:\` drive, use the **<pattern>** element, as the following example shows. If multiple files exist with the same name on the `C:\` drive, all of files with this name are migrated. - ``` xml + ```xml C:\* [Sample.doc] ``` To migrate the Sample.doc file from any drive on the computer, use <script> as the following example shows. If multiple files exist with the same name, all files with this name are migrated. - ``` xml + ```xml ``` -## Related topics - - -[Customize USMT XML Files](usmt-customize-xml-files.md) - -[Custom XML Examples](usmt-custom-xml-examples.md) - -[Conflicts and Precedence](usmt-conflicts-and-precedence.md) - -[USMT XML Reference](usmt-xml-reference.md) - -  - -  - +## Related articles +[Customize USMT XML files](usmt-customize-xml-files.md) +[Custom XML examples](usmt-custom-xml-examples.md) +[Conflicts and precedence](usmt-conflicts-and-precedence.md) +[USMT XML reference](usmt-xml-reference.md) diff --git a/windows/deployment/usmt/usmt-loadstate-syntax.md b/windows/deployment/usmt/usmt-loadstate-syntax.md index ebd2d4e5ed..b6238044f2 100644 --- a/windows/deployment/usmt/usmt-loadstate-syntax.md +++ b/windows/deployment/usmt/usmt-loadstate-syntax.md @@ -2,99 +2,101 @@ title: LoadState Syntax (Windows 10) description: Learn about the syntax and usage of the command-line options available when you use the LoadState command. ms.reviewer: -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski -ms.date: 04/19/2017 +author: frankroj +ms.date: 11/01/2022 ms.topic: article ms.technology: itpro-deploy --- -# LoadState Syntax +# LoadState syntax -This topic discusses the **LoadState** command syntax and options available with it. +The `LoadState.exe` command is used with the User State Migration Tool (USMT) 10.0 to restore a store previously captured by the `ScanState.exe` command onto a destination computer. This article discusses the `LoadState.exe` command syntax and the options available with it. -## Before You Begin +## Before you begin -Before you run the **LoadState** command, note the following: +Before you run the `LoadState.exe` command, note the following items: -- To ensure that all operating system settings migrate, we recommend that you run the **LoadState** commands in administrator mode from an account with administrative credentials. +- To ensure that all operating system settings migrate, we recommend that you run the `LoadState.exe` commands in administrator mode from an account with administrative credentials. -- For information about software requirements for running the **LoadState** command, see [USMT Requirements](usmt-requirements.md). +- For information about software requirements for running the `LoadState.exe` command, see [USMT requirements](usmt-requirements.md). -- You should log off after you run the **LoadState** command. Some settings (for example, fonts, wallpaper, and screensaver settings) will not take effect until the next time the user logs in. +- You should sign out after you run the `LoadState.exe` command. Some settings, such as example, fonts, wallpaper, and screensaver settings, won't take effect until the next time the user logs in. -- Unless otherwise specified, you can use each option only once when running a tool on the command line. +- Unless otherwise specified, you can use each option only once when running a tool on the command line. -- **LoadState** does not require domain controller access to apply domain profiles. This functionality is available without any additional configuration. It is not necessary for the source computer to have had domain controller access when the user profile was gathered using **ScanState**. However, domain profiles are inaccessible until the destination computer is joined to the domain. +- **LoadState** doesn't require domain controller access to apply domain profiles. This functionality is available without any additional configuration. It isn't necessary for the source computer to have had domain controller access when the user profile was gathered using **ScanState**. However, domain profiles are inaccessible until the destination computer is joined to the domain. -- The [Incompatible Command-Line Options](#bkmk-cloi) table lists which options you can use together and which command-line options are incompatible. +- The [Incompatible command-line options](#incompatible-command-line-options) table lists which options you can use together and which command-line options are incompatible. -## Syntax +## Syntax -This section explains the syntax and usage of the command-line options available when you use the **LoadState** command. The options can be specified in any order. If the option contains a parameter, you can specify either a colon or space separator. +This section explains the syntax and usage of the command-line options available when you use the `LoadState.exe` command. The options can be specified in any order. If the option contains a parameter, you can specify either a colon or space separator. -The **LoadState** command's syntax is: +The `LoadState.exe` command's syntax is: -loadstate *StorePath* \[/i:\[*Path*\\\]*FileName*\] \[/v:*VerbosityLevel*\] \[/nocompress\] \[/decrypt /key:*KeyString*|/keyfile:\[Path\\\]*FileName*\] \[/l:\[*Path*\\\]*FileName*\] \[/progress:\[*Path*\\\]*FileName*\] \[/r:*TimesToRetry*\] \[/w:*SecondsToWait*\] \[/c\] \[/all\] \[/ui:\[*DomainName*|*ComputerName*\\\]*UserName*\] \[/ue:\[\[*DomainName*|*ComputerName*\\\]*UserName*\] \[/uel:*NumberOfDays*|*YYYY/MM/DD*|0\] \[/md:*OldDomain*:*NewDomain*\] \[/mu:*OldDomain*\\*OldUserName*:\[*NewDomain*\\\]*NewUserName*\] \[/lac:\[*Password*\]\] \[/lae\] \[/config:\[*Path*\\\]*FileName*\] \[/?|help\] + -For example, to decrypt the store and migrate the files and settings to a computer running Windows 7 type the following on the command line: +> LoadState.exe *StorePath* \[/i:\[*Path*\\\]*FileName*\] \[/v:*VerbosityLevel*\] \[/nocompress\] \[/decrypt /key:*KeyString*|/keyfile:\[Path\\\]*FileName*\] \[/l:\[*Path*\\\]*FileName*\] \[/progress:\[*Path*\\\]*FileName*\] \[/r:*TimesToRetry*\] \[/w:*SecondsToWait*\] \[/c\] \[/all\] \[/ui:\[*DomainName*|*ComputerName*\\\]*UserName*\] \[/ue:\[\[*DomainName*|*ComputerName*\\\]*UserName*\] \[/uel:*NumberOfDays*|*YYYY/MM/DD*|0\] \[/md:*OldDomain*:*NewDomain*\] \[/mu:*OldDomain*\\*OldUserName*:\[*NewDomain*\\\]*NewUserName*\] \[/lac:\[*Password*\]\] \[/lae\] \[/config:\[*Path*\\\]*FileName*\] \[/?|help\] -`loadstate \\server\share\migration\mystore /i:migapp.xml /i:migdocs.xml /v:13 /decrypt /key:"mykey"` +For example, to decrypt the store and migrate the files and settings to a computer, type the following command: -## Storage Options +`LoadState.exe \\server\share\migration\mystore /i:MigApp.xml /i:MigDocs.xml /v:13 /decrypt /key:"mykey"` +## Storage options USMT provides the following options that you can use to specify how and where the migrated data is stored. | Command-Line Option | Description | |--- |--- | -| `StorePath` | Indicates the folder where the files and settings data are stored. You must specify *StorePath* when using the **LoadState** command. You cannot specify more than one *StorePath*. | -| `/decrypt /key`:*KeyString*
    or
    `/decrypt /key`:"*Key String*"
    or
    `/decrypt /keyfile`:[*Path*]*FileName* | Decrypts the store with the specified key. With this option, you will need to specify the encryption key in one of the following ways:
    • `/key:`*KeyString* specifies the encryption key. If there is a space in *KeyString*, you must surround the argument with quotation marks.
    • `/keyfile:`*FilePathAndName* specifies a text (.txt) file that contains the encryption key

    *KeyString* cannot exceed 256 characters.
    The `/key` and `/keyfile` options cannot be used on the same command line.
    The `/decrypt` and `/nocompress` options cannot be used on the same command line.
    **Important**
    Use caution with this option, because anyone who has access to the **LoadState** command-line script will also have access to the encryption key.

    For example:
    `loadstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore /decrypt /key:mykey` | -| `/decrypt:`*"encryption strength"* | The `/decrypt` option accepts a command-line parameter to define the encryption strength specified for the migration store encryption. For more information about supported encryption algorithms, see [Migration Store Encryption](usmt-migration-store-encryption.md). | -| `/hardlink` | Enables user-state data to be restored from a hard-link migration store. The `/nocompress` parameter must be specified with `/hardlink` option. | -| `/nocompress` | Specifies that the store is not compressed. You should only use this option in testing environments. We recommend that you use a compressed store during your actual migration. This option cannot be used with the `/decrypt` option.
    For example:
    `loadstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore /nocompress` | +| **StorePath** | Indicates the folder where the files and settings data are stored. You must specify *StorePath* when using the `LoadState.exe` command. You can't specify more than one *StorePath*. | +| **/decrypt /key**:*KeyString*
    or
    **/decrypt /key**:"*Key String*"
    or
    **/decrypt /keyfile**:[*Path*]*FileName* | Decrypts the store with the specified key. With this option, you'll need to specify the encryption key in one of the following ways:
    • `/key`:*KeyString* specifies the encryption key. If there's a space in *KeyString*, you must surround the argument with quotation marks (`"`).
    • `/keyfile`:*FilePathAndName* specifies a text (`.txt`) file that contains the encryption key

    *KeyString* can't exceed 256 characters.
    The `/key` and `/keyfile` options can't be used on the same command line.
    The `/decrypt` and `/nocompress` options can't be used on the same command line.
    **Important**
    Use caution when using the `/key` or `keyfile` options. For example, anyone who has access to scripts that run the `LoadState.exe` command with these options will also have access to the encryption key.

    For example:
    `LoadState.exe /i:MigApp.xml /i:MigDocs.xml \server\share\migration\mystore /decrypt /key:mykey` | +| **/decrypt**:*"encryption strength"* | The `/decrypt` option accepts a command-line parameter to define the encryption strength specified for the migration store encryption. For more information about supported encryption algorithms, see [Migration Store Encryption](usmt-migration-store-encryption.md). | +| **/hardlink** | Enables user-state data to be restored from a hard-link migration store. The `/nocompress` parameter must be specified with `/hardlink` option. | +| **/nocompress** | Specifies that the store isn't compressed. You should only use this option in testing environments. We recommend that you use a compressed store during your actual migration. This option can't be used with the `/decrypt` option.
    For example:
    `LoadState.exe /i:MigApp.xml /i:MigDocs.xml \server\share\migration\mystore /nocompress` | -## Migration Rule Options +## Migration rule options USMT provides the following options to specify what files you want to migrate. | Command-Line Option | Description | |--- |--- | -| `/i`:[*Path*]*FileName* | **(include)**
    Specifies an .xml file that contains rules that define what state to migrate. You can specify this option multiple times to include all of your .xml files (MigApp.xml, MigSys.xml, MigDocs.xml and any custom .xml files that you create). *Path* can be either a relative or full path. If you do not specify the *Path* variable, then *FileName* must be located in the current directory.

    For more information about which files to specify, see the "XML files" section of the [Frequently Asked Questions](usmt-faq.yml) topic. | -| `/config:`[*Path*]*FileName* | Specifies the Config.xml file that the **LoadState** command should use. You cannot specify this option more than once on the command line. *Path* can be either a relative or full path. If you do not specify the *Path* variable, then the *FileName* must be located in the current directory.

    This example migrates the files and settings based on the rules in the Config.xml, MigDocs.xml, and MigApp.xml files:

    `loadstate \server\share\migration\mystore /config:config.xml /i:migdocs.xml /i:migapp.xml /v:5 /l:loadstate.log` | -| `/auto:`*"path to script files"* | This option enables you to specify the location of the default .xml files and then launch your migration. If no path is specified, USMT will use the directory where the USMT binaries are located. The `/auto` option has the same effect as using the following options: `/i:MigDocs.xml` `/i:MigApp.xml /v:5`. | +| **/i**:[*Path*]*FileName* | **(include)**
    Specifies an .xml file that contains rules that define what state to migrate. You can specify this option multiple times to include all of your .xml files (`MigApp.xml`, `MigSys.xml`, `MigDocs.xml` and any custom .xml files that you create). *Path* can be either a relative or full path. If you don't specify the *Path* variable, then *FileName* must be located in the current directory.

    For more information about which files to specify, see the "XML files" section of the [Frequently Asked Questions](usmt-faq.yml) article. | +| **/config**:[*Path*]*FileName* | Specifies the `Config.xml` file that the `LoadState.exe` command should use. You can't specify this option more than once on the command line. *Path* can be either a relative or full path. If you don't specify the *Path* variable, then the *FileName* must be located in the current directory.

    This example migrates the files and settings based on the rules in the `Config.xml`, `MigDocs.xml`, and `MigApp.xml` files:

    `LoadState.exe \server\share\migration\mystore /config:Config.xml /i:MigDocs.xml /i:MigApp.xml /v:5 /l:LoadState.log` | +| **/auto**:*"path to script files"* | This option enables you to specify the location of the default .xml files and then launch your migration. If no path is specified, USMT will use the directory where the USMT binaries are located. The `/auto` option has the same effect as using the following options: `/i:MigDocs.xml` `/i:MigApp.xml /v:5`. | -## Monitoring Options +## Monitoring options USMT provides several command-line options that you can use to analyze problems that occur during migration. | Command-Line Option | Description | |--- |--- | -| `/l:`[*Path*]*FileName* | Specifies the location and name of the **LoadState** log. You cannot store any of the log files in *StorePath*. *Path* can be either a relative or full path. If you do not specify the *Path* variable, then the log will be created in the current directory. You can specify the **/v** option to adjust the amount of output.

    If you run the **LoadState** command from a shared network resource, you must specify this option or USMT will fail with the error: "USMT was unable to create the log file(s)". To fix this issue, use the **/l:load.log** option. | -| `/v:`*``* | **(Verbosity)**

    Enables verbose output in the LoadState log file. The default value is 0.
    You can set the *VerbosityLevel* to one of the following levels:
    • **0** - Only the default errors and warnings are enabled.
    • **1** - Enables verbose output.
    • **4** - Enables error and status output.
    • **5** - Enables verbose and status output.
    • **8** - Enables error output to a debugger.
    • **9** - Enables verbose output to a debugger.
    • **12** - Enables error and status output to a debugger.
    • **13** - Enables verbose, status, and debugger output.

    For example:
    `loadstate \server\share\migration\mystore /v:5 /i:migdocs.xml /i:migapp.xml` | -| `/progress:`[*Path*]*FileName* | Creates the optional progress log. You cannot store any of the log files in *StorePath*. *Path* can be either a relative or full path. If you do not specify the *Path* variable, then *FileName* will be created in the current directory.

    For example:
    `loadstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore /progress:prog.log /l:loadlog.log` | -| `/c` | When this option is specified, the **LoadState** command will continue to run, even if non-fatal errors occur. Any files or settings that cause an error are logged in the progress log. For example, if there is a large file that will not fit on the computer, the **LoadState** command will log an error and continue with the migration. Without the **/c** option, the **LoadState** command will exit on the first error. You can use the new <**ErrorControl**> section in the Config.xml file to specify which file or registry read/write errors can be safely ignored and which might cause the migration to fail. This enables the **/c** command-line option to safely skip all input/output (I/O) errors in your environment. In addition, the **/genconfig** option now generates a sample <**ErrorControl**> section that is enabled by specifying error messages and desired behaviors in the Config.xml file. | -| `/r:`*``* | **(Retry)**

    Specifies the number of times to retry when an error occurs while migrating the user state from a server. The default is three times. This option is useful in environments where network connectivity is not reliable.

    While restoring the user state, the **/r** option will not recover data that is lost due to a network-hardware failure, such as a faulty or disconnected network cable, or when a virtual private network (VPN) connection fails. The retry option is intended for large, busy networks where connectivity is satisfactory, but communication latency is a problem. | -| `/w:`*``* | **(Wait)**

    Specifies the time to wait, in seconds, before retrying a network file operation. The default is 1 second. | -| `/?` or `/help` | Displays Help on the command line. | +| **/l**:[*Path*]*FileName* | Specifies the location and name of the **LoadState** log. You can't store any of the log files in *StorePath*. *Path* can be either a relative or full path. If you don't specify the *Path* variable, then the log will be created in the current directory. You can specify the `/v` option to adjust the verbosity of the log.

    If you run the `LoadState.exe` command from a shared network resource, you must specify the `l` option, or USMT will fail with the error:

    ***USMT was unable to create the log file(s)***

    To fix this issue, make sure to specify the `/l` option when running `LoadState.exe` from a shared network resource. | +| **/v**:*``* | **(Verbosity)**

    Enables verbose output in the **LoadState** log file. The default value is 0.
    You can set the *VerbosityLevel* to one of the following levels:
    • **0** - Only the default errors and warnings are enabled.
    • **1** - Enables verbose output.
    • **4** - Enables error and status output.
    • **5** - Enables verbose and status output.
    • **8** - Enables error output to a debugger.
    • **9** - Enables verbose output to a debugger.
    • **12** - Enables error and status output to a debugger.
    • **13** - Enables verbose, status, and debugger output.

    For example:
    `LoadState.exe \server\share\migration\mystore /v:5 /i:MigDocs.xml /i:MigApp.xml` | +| **/progress**:[*Path*]*FileName* | Creates the optional progress log. You can't store any of the log files in *StorePath*. *Path* can be either a relative or full path. If you don't specify the *Path* variable, then *FileName* will be created in the current directory.

    For example:
    `LoadState.exe /i:MigApp.xml /i:MigDocs.xml \server\share\migration\mystore /progress:Progress.log /l:loadlog.log` | +| **/c** | When this option is specified, the `LoadState.exe` command will continue to run, even if non-fatal errors occur. Any files or settings that cause an error are logged in the progress log. For example, if there's a large file that won't fit on the computer, the `LoadState.exe` command will log an error and continue with the migration. Without the `/c` option, the `LoadState.exe` command will exit on the first error. You can use the new <**ErrorControl**> section in the `Config.xml` file to specify which file or registry read/write errors can be safely ignored and which might cause the migration to fail. This error control enables the `/c` command-line option to safely skip all input/output (I/O) errors in your environment. In addition, the `/genconfig` option now generates a sample <**ErrorControl**> section that is enabled by specifying error messages and desired behaviors in the `Config.xml` file. | +| **/r**:*``* | **(Retry)**

    Specifies the number of times to retry when an error occurs while migrating the user state from a server. The default is three times. This option is useful in environments where network connectivity isn't reliable.

    While restoring the user state, the `/r` option won't recover data that is lost due to a network-hardware failure, such as a faulty or disconnected network cable, or when a virtual private network (VPN) connection fails. The retry option is intended for large, busy networks where connectivity is satisfactory, but communication latency is a problem. | +| **/w**:*``* | **(Wait)**

    Specifies the time to wait, in seconds, before retrying a network file operation. The default is 1 second. | +| **/?** or **/help** | Displays Help on the command line. | -## User Options +## User options -By default, all users are migrated. The only way to specify which users to include and exclude is by using the following options. You cannot exclude users in the migration .xml files or by using the Config.xml file. For more information, see [Identify Users](usmt-identify-users.md). +By default, all users are migrated. The only way to specify which users to include and exclude is by using the following options. You can't exclude users in the migration .xml files or by using the `Config.xml` file. For more information, see [Identify Users](usmt-identify-users.md). | Command-Line Option | Description | |--- |--- | -| `/all` | Migrates all of the users on the computer.

    USMT migrates all user accounts on the computer, unless you specifically exclude an account with the **/ue** or **/uel** options. For this reason, you do not need to specify this option on the command line. However, if you choose to use the **/all** option, you cannot also use the **/ui**, **/ue** or **/uel** options. | -| `/ui:`*DomainName UserName*
    or
    `/ui:`*"DomainName User Name"*
    or
    `/ui:`*ComputerName LocalUserName* | **(User include)**

    Migrates the specified user. By default, all users are included in the migration. Therefore, this option is helpful only when used with the **/ue** option. You can specify multiple **/ui** options, but you cannot use the **/ui** option with the **/all** option. *DomainName* and *UserName* can contain the asterisk () wildcard character. When you specify a user name that contains spaces, you will need to surround it with quotations marks.
    For example:
    • To include only User2 from the Corporate domain, type:
      `/ue:* /ui:corporate\user2`
    **Note**
    If a user is specified for inclusion with the **/ui** option, and also is specified to be excluded with either the **/ue** or **/uel** options, the user will be included in the migration.

    For more examples, see the descriptions of the **/uel**, **/ue**, and **/ui** options in this table. | -| `/uel:`*``*
    or
    `/uel:`*``*
    or
    `/uel:0` | **(User exclude based on last logon)**

    Migrates only the users that logged onto the source computer within the specified time period, based on the **Last Modified** date of the Ntuser.dat file on the source computer. The **/uel** option acts as an include rule. For example, the **/uel:30** option migrates users who logged on, or whose user account was modified, within the last 30 days from the date when the ScanState command is run. You can specify a number of days or you can specify a date. You cannot use this option with the **/all** option. USMT retrieves the last logon information from the local computer, so the computer does not need to be connected to the network when you run this option. In addition, if a domain user has logged onto another computer, that logon instance is not considered by USMT.
    **Note**
    The **/uel** option is not valid in offline migrations.

    Examples:
    • `/uel:0` migrates accounts that were logged on to the source computer when the **ScanState** command was run.
    • `/uel:90` migrates users who have logged on, or whose accounts have been otherwise modified, within the last 90 days.
    • `/uel:1` migrates users whose accounts have been modified within the last 24 hours.
    • `/uel:2002/1/15` migrates users who have logged on or whose accounts have been modified since January 15, 2002.

    For example:
    `loadstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore /uel:0` | -| `/ue`:*DomainName UserName*
    or
    `/ue`*"DomainName User Name"*
    or
    `/ue`:*ComputerName LocalUserName* | **(User exclude)**

    Excludes the specified users from the migration. You can specify multiple **/ue** options but you cannot use the **/ue** option with the **/all** option. *DomainName* and *UserName* can contain the asterisk () wildcard character. When you specify a user name that contains spaces, you will need to surround it with quotation marks.

    For example:
    `loadstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore /ue:contoso\user1`
    For more examples, see the descriptions of the **/uel**, **/ue**, and **/ui** options in this table. | -| `/md:`*OldDomain*:*NewDomain*
    or
    `/md:`*LocalComputerName:NewDomain* | **(move domain)**
    Specifies a new domain for the user. Use this option to change the domain for users on a computer or to migrate a local user to a domain account. *OldDomain* may contain the asterisk () wildcard character.

    You can specify this option more than once. You may want to specify multiple **/md** options if you are consolidating users across multiple domains to a single domain. For example, you could specify the following to consolidate the users from the Corporate and FarNorth domains into the Fabrikam domain: `/md:corporate:fabrikam` and `/md:farnorth:fabrikam`.

    If there are conflicts between two **/md** commands, the first rule that you specify is applied. For example, if you specify the `/md:corporate:fabrikam` and `/md:corporate:farnorth` commands, then Corporate users would be mapped to the Fabrikam domain.
    **Note**
    If you specify an *OldDomain* that did not exist on the source computer, the **LoadState** command will appear to complete successfully, without an error or warning. However, in this case, users will not be moved to *NewDomain* but will remain in their original domain. For example, if you misspell "contoso" and you specify "/md:contso:fabrikam", the users will remain in contoso on the destination computer.

    For example:
    `loadstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore`
    ` /progress:prog.log /l:load.log /md:contoso:fabrikam` | -| `/mu:`*OldDomain OldUserName*:[*NewDomain*]*NewUserName*
    or
    `/mu:`*OldLocalUserName*:*NewDomain NewUserName* | Specifies a new user name for the specified user. If the store contains more than one user, you can specify multiple **/mu** options. You cannot use wildcard characters with this option.

    For example:
    `loadstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore`
    `/progress:prog.log /l:load.log /mu:contoso\user1:fabrikam\user1` | -| `/lac:`[*Password*] | **(local account create)**

    Specifies that if a user account is a local (non-domain) account, and it does not exist on the destination computer, USMT will create the account on the destination computer but it will be disabled. To enable the account, you must also use the **/lae** option.

    If the **/lac** option is not specified, any local user accounts that do not already exist on the destination computer will not be migrated.

    *Password* is the password for the newly created account. An empty password is used by default.
    **Caution**
    Use the *Password* variable with caution because it is provided in plain text and can be obtained by anyone with access to the computer that is running the **LoadState** command.
    Also, if the computer has multiple users, all migrated users will have the same password.

    For example:
    `loadstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore`
    For instructions, see [Migrate User Accounts](usmt-migrate-user-accounts.md). | -| `/lae` | **(local account enable)**

    Enables the account that was created with the **/lac** option. You must specify the **/lac** option with this option.

    For example:
    `loadstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore`
    `/progress:prog.log /l:load.log /lac:password /lae`

    For instructions, see [Migrate User Accounts](usmt-migrate-user-accounts.md). | - +| **/all** | Migrates all of the users on the computer.

    USMT migrates all user accounts on the computer, unless you specifically exclude an account with the `/ue` or `/uel` options. For this reason, you don't need to specify this option on the command line. However, if you choose to use the `/all` option, you can't also use the `/ui`, `/ue` or `/uel` options. | +| **/ui**:*DomainName UserName*
    or
    **/ui**:*"DomainName User Name"*
    or
    **/ui**:*ComputerName LocalUserName* | **(User include)**

    Migrates the specified user. By default, all users are included in the migration. Therefore, this option is helpful only when used with the `/ue` option. You can specify multiple `/ui` options, but you can't use the `/ui` option with the `/all` option. *DomainName* and *UserName* can contain the asterisk (`*`) wildcard character. When you specify a user name that contains spaces, you'll need to surround it with quotations marks (`"`).

    For example, to include only **User2** from the Corporate domain, enter:

    `/ue:* /ui:corporate\user2`

    **Note**
    If a user is specified for inclusion with the `/ui` option and also specified to be excluded with either the `/ue` or `/uel` options, the user will be included in the migration.

    For more examples, see the descriptions of the `/uel`, `/ue`, and `/ui` options in this table. | +| **/uel**:*``*
    or
    **/uel**:*``*
    or
    **/uel**:0 | **(User exclude based on last logon)**

    Migrates only the users that logged onto the source computer within the specified time period, based on the **Last Modified** date of the Ntuser.dat file on the source computer. The `/uel` option acts as an include rule. For example, the `/uel:30` option migrates users who logged on, or whose user account was modified, within the last 30 days from the date when the `ScanState.exe` command is run. You can specify the number of days or you can specify a date. You can't use this option with the `/all` option. USMT retrieves the last sign-in information from the local computer, so the computer doesn't need to be connected to the network when you run this option. In addition, if a domain user has signed into another computer, that sign-in instance isn't considered by USMT.
    **Note**
    The `/uel` option isn't valid in offline migrations.

    Examples:
    • `/uel:0` migrates accounts that were logged on to the source computer when the `ScanState.exe` command was run.
    • `/uel:90` migrates users who have logged on, or whose accounts have been otherwise modified, within the last 90 days.
    • `/uel:1` migrates users whose accounts have been modified within the last 24 hours.
    • `/uel:2020/2/15` migrates users who have logged on or whose accounts have been modified since February 15, 2020.

    For example:
    `LoadState.exe /i:MigApp.xml /i:MigDocs.xml \server\share\migration\mystore /uel:0` | +| **/ue**:*DomainName\UserName*
    or
    **/ue** *"DomainName\User Name"*
    or
    **/ue**:*ComputerName\LocalUserName* | **(User exclude)**

    Excludes the specified users from the migration. You can specify multiple `/ue` options but you can't use the `/ue` option with the `/all` option. *DomainName* and *UserName* can contain the asterisk (`*`) wildcard character. When you specify a user name that contains spaces, you'll need to surround it with quotation marks (`"`).

    For example:
    `LoadState.exe /i:MigApp.xml /i:MigDocs.xml \server\share\migration\mystore /ue:contoso\user1`
    For more examples, see the descriptions of the `/uel`, `/ue`, and `/ui` options in this table. | +| **/md**:*OldDomain*:*NewDomain*
    or
    **/md**:*LocalComputerName:NewDomain* | **(Move domain)**

    Specifies a new domain for the user. Use this option to change the domain for users on a computer or to migrate a local user to a domain account. *OldDomain* may contain the asterisk () wildcard character.

    You can specify this option more than once. You may want to specify multiple `/md` options if you're consolidating users across multiple domains to a single domain. For example, you could specify the following to consolidate the users from the Corporate and FarNorth domains into the Fabrikam domain: `/md:corporate:fabrikam` and `/md:farnorth:fabrikam`.

    If there are conflicts between two `/md` commands, the first rule that you specify is applied. For example, if you specify the `/md:corporate:fabrikam` and `/md:corporate:farnorth` commands, then Corporate users would be mapped to the Fabrikam domain.
    **Note**
    If you specify an *OldDomain* that didn't exist on the source computer, the `LoadState.exe` command will appear to complete successfully, without an error or warning. However, in this case, users won't be moved to *NewDomain* but will remain in their original domain. For example, if you misspell **contoso** and you instead specify **/md:contso:fabrikam**, the users will remain in **contoso** on the destination computer.

    For example:
    `LoadState.exe /i:MigApp.xml /i:MigDocs.xml \server\share\migration\mystore`
    ` /progress:Progress.log /l:LoadState.log /md:contoso:fabrikam` | +| **/mu**:*OldDomain OldUserName*:[*NewDomain*]*NewUserName*
    or
    **/mu**:*OldLocalUserName*:*NewDomain NewUserName* | **(Move user)**

    Specifies a new user name for the specified user. If the store contains more than one user, you can specify multiple `/mu` options. You can't use wildcard characters with this option.

    For example:
    `LoadState.exe /i:MigApp.xml /i:MigDocs.xml \server\share\migration\mystore`
    `/progress:Progress.log /l:LoadState.log /mu:contoso\user1:fabrikam\user1` | +| **/lac**:[*Password*] | **(Local account create)**

    Specifies that if a user account is a local (non-domain) account, and it doesn't exist on the destination computer, USMT will create the account on the destination computer but it will be disabled. To enable the account, you must also use the `/lae` option.

    If the `/lac` option isn't specified, any local user accounts that don't already exist on the destination computer won't be migrated.

    *Password* is the password for the newly created account. An empty password is used by default.
    **Caution**
    Use the *Password* variable with caution because it's provided in plain text and can be obtained by anyone with access to the computer that is running the `LoadState.exe` command.
    Also, if the computer has multiple users, all migrated users will have the same password.

    For example:
    `LoadState.exe /i:MigApp.xml /i:MigDocs.xml \server\share\migration\mystore`

    For instructions, see [Migrate user accounts](usmt-migrate-user-accounts.md). | +| `/lae` | **(Local account enable)**

    Enables the account that was created with the `/lac` option. You must specify the `/lac` option with this option.

    For example:
    `LoadState.exe /i:MigApp.xml /i:MigDocs.xml \server\share\migration\mystore`
    `/progress:Progress.log /l:LoadState.log /lac:password /lae`

    For instructions, see [Migrate user accounts](usmt-migrate-user-accounts.md). | ### Examples for the /ui and /ue options @@ -109,24 +111,24 @@ The following examples apply to both the **/ui** and **/ue** options. You can re | Exclude all local users. | `/ue:%computername%` | | Exclude users in all domains named User1, User2, and so on. | `/ue:\user` | -### Using the Options Together +### Using the options together -You can use the **/uel**, **/ue** and **/ui** options together to migrate only the users that you want migrated. +You can use the `/uel`, `/ue` and `/ui` options together to migrate only the users that you want migrated. -**The /ui option has precedence over the /ue and /uel options.** If a user is specified to be included using the **/ui** option, and also specified to be excluded using either the **/ue** or **/uel** options, the user will be included in the migration. For example, if you specify `/ui:contoso\* /ue:contoso\user1`, then User1 will be migrated, because the **/ui** option takes precedence over the **/ue** option. +**The /ui option has precedence over the /ue and /uel options.** If a user is included using the `/ui` option and also excluded using either the `/ue` or `/uel` options, the user will be included in the migration. For example, if you specify `/ui:contoso\* /ue:contoso\user1`, then User1 will be migrated, because the `/ui` option takes precedence over the `/ue` option. -**The /uel option takes precedence over the /ue option.** If a user has logged on within the specified time period set by the **/uel** option, that user's profile will be migrated even if they are excluded by using the **/ue** option. For example, if you specify `/ue:contoso\user1 /uel:14`, the User1 will be migrated if they have logged on to the computer within the last 14 days. +**The /uel option takes precedence over the /ue option.** If a user has logged on within the specified time period set by the `/uel` option, that user's profile will be migrated even if they're excluded by using the `/ue` option. For example, if you specify `/ue:contoso\user1 /uel:14`, the User1 will be migrated if they've logged on to the computer within the last 14 days. | Behavior | Command | |--- |--- | | Include only User2 from the Fabrikam domain and exclude all other users. | `/ue:* /ui:fabrikam\user2` | | Include only the local user named User1 and exclude all other users. | `/ue:* /ui:user1` | -| Include only the domain users from Contoso, except Contoso\User1. | This behavior cannot be completed using a single command. Instead, to migrate this set of users, you will need to specify the following:
    • Using the **ScanState** command-line tool, type: `/ue:* /ui:contoso`
    • Using the **LoadState** command-line tool, type: `/ue:contoso\user1`
    | +| Include only the domain users from Contoso, except Contoso\User1. | This behavior can't be completed using a single command. Instead, to migrate this set of users, you'll need to specify the following options:
    • Using the **ScanState** command-line tool, enter:
      `/ue:* /ui:contoso`
    • Using the **LoadState** command-line tool, enter:
      `/ue:contoso\user1`
    | | Include only local (non-domain) users. | `/ue: /ui:%computername%*` | -## Incompatible Command-Line Options +## Incompatible command-line options -The following table indicates which command-line options are not compatible with the **LoadState** command. If the table entry for a particular combination is blank, the options are compatible and you can use them together. The X symbol means that the options are not compatible. For example, you cannot use the **/nocompress** option with the **/encrypt** option. +The following table indicates which command-line options aren't compatible with the `LoadState.exe` command. If the table entry for a particular combination is blank, the options are compatible, and you can use them together. The X symbol means that the options aren't compatible. For example, you can't use the `/nocompress` option with the `/encrypt` option. | Command-Line Option | /keyfile | /nocompress | /genconfig | /all | |--- |--- |--- |--- |--- | @@ -155,8 +157,8 @@ The following table indicates which command-line options are not compatible with | **/lac** | | | | | > [!NOTE] -> You must specify either the **/key** or **/keyfile** option with the **/encrypt** option. +> You must specify either the `/key` or `/keyfile` option with the `/encrypt` option. -## Related topics +## Related articles -[XML Elements Library](usmt-xml-elements-library.md) +[XML elements library](usmt-xml-elements-library.md) diff --git a/windows/deployment/usmt/usmt-log-files.md b/windows/deployment/usmt/usmt-log-files.md index 86e3f5ec0b..06ccc91749 100644 --- a/windows/deployment/usmt/usmt-log-files.md +++ b/windows/deployment/usmt/usmt-log-files.md @@ -1,108 +1,108 @@ --- title: Log Files (Windows 10) -description: Learn how to use User State Migration Tool (USMT) 10.0 logs to monitor your migration and to troubleshoot errors and failed migrations. +description: Learn how to use User State Migration Tool (USMT) 10.0 logs to monitor your migration and to troubleshoot errors and failed migrations. ms.reviewer: -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski -ms.date: 04/19/2017 +author: frankroj +ms.date: 11/01/2022 ms.topic: article ms.technology: itpro-deploy --- -# Log Files +# USMT log files -You can use User State Migration Tool (USMT) 10.0 logs to monitor your migration and to troubleshoot errors and failed migrations. This topic describes the available command-line options to enable USMT logs, and new XML elements that configure which types of errors are fatal and should halt the migration, which types are non-fatal and should be skipped so that the migration can continue. +You can use User State Migration Tool (USMT) 10.0 logs to monitor your migration and to troubleshoot errors and failed migrations. This article describes the available command-line options to enable USMT logs, and new XML elements that configure which types of errors are fatal and should halt the migration, which types are non-fatal and should be skipped so that the migration can continue. -[Log Command-Line Options](#bkmk-commandlineoptions) +[Log command-line options](#log-command-line-options) -[ScanState and LoadState Logs](#bkmk-scanloadstatelogs) +[ScanState and LoadState logs](#scanstate-and-loadstate-logs) -[Progress Log](#bkmk-progresslog) +[Progress log](#progress-log) -[List Files Log](#bkmk-listfileslog) +[List files log](#list-files-log) -[Diagnostic Log](#bkmk-diagnosticlog) +[Diagnostic log](#diagnostic-log) -## Log Command-Line Options +## Log command-line options The following table describes each command-line option related to logs, and it provides the log name and a description of what type of information each log contains. |Command line Option|File Name|Description| |--- |--- |--- | -|**/l** *[Path]FileName*|Scanstate.log or LoadState.log|Specifies the path and file name of the ScanState.log or LoadState log.| -|**/progress** *[Path]FileName*|Specifies the path and file name of the Progress log.|Provides information about the status of the migration, by percentage complete.| -|**/v** *[VerbosityLevel]*|Not applicable|See the "Monitoring Options" section in [ScanState Syntax](usmt-scanstate-syntax.md).| -|**/listfiles** *[Path]FileName*|Specifies the path and file name of the Listfiles log.|Provides a list of the files that were migrated.| -|Set the environment variable MIG_ENABLE_DIAG to a path to an XML file.|USMTDiag.xml|The diagnostic log contains detailed system environment information, user environment information, and information about the migration units (migunits) being gathered and their contents.| +|**/l**"*[Path]FileName*|`ScanState.exe.log` or `LoadState.log`|Specifies the path and file name of the **ScanState** log or **LoadState** log.| +|**/progress**:*[Path]FileName*|Specifies the path and file name of the Progress log.|Provides information about the status of the migration, by percentage complete.| +|**/v**:*[VerbosityLevel]*|Not applicable|See [Monitoring options](usmt-scanstate-syntax.md#monitoring-options) in [ScanState syntax](usmt-scanstate-syntax.md).| +|**/listfiles**:*[Path]FileName*|Specifies the path and file name of the Listfiles log.|Provides a list of the files that were migrated.| +|Set the environment variable **MIG_ENABLE_DIAG** to a path to an XML file.|`USMTDiag.xml`|The diagnostic log contains detailed system environment information, user environment information, and information about the migration units (migunits) being gathered and their contents.| > [!NOTE] > You cannot store any of the log files in *StorePath*. If you do, the log will be overwritten when USMT is run. -## ScanState and LoadState Logs +## ScanState and LoadState logs -ScanState and LoadState logs are text files that are create when you run the ScanState and LoadState tools. You can use these logs to help monitor your migration. The content of the log depends on the command-line options that you use and the verbosity level that you specify. For more information about verbosity levels, see Monitoring Options in [ScanState Syntax](usmt-scanstate-syntax.md). + **ScanState** and **LoadState** logs are text files that are create when you run the **ScanState** and **LoadState** tools. You can use these logs to help monitor your migration. The content of the log depends on the command-line options that you use and the verbosity level that you specify. For more information about verbosity levels, see [Monitoring options](usmt-scanstate-syntax.md#monitoring-options) in [ScanState syntax](usmt-scanstate-syntax.md). -## Progress Log +## Progress log -You can create a progress log using the **/progress** option. External tools, such as Microsoft System Center Operations Manager 2007, can parse the progress log to update your monitoring systems. The first three fields in each line are fixed as follows: +You can create a progress log using the `/progress` option. External tools, such as Microsoft System Center Operations Manager, can parse the progress log to update your monitoring systems. The first three fields in each line are fixed as follows: -- **Date:** Date, in the format of *day* *shortNameOfTheMonth* *year*. For example: 08 Jun 2006. +- **Date:** Date, in the format of *day* *shortNameOfTheMonth* *year*. For example: 08 Jun 2006. -- **Local time:** Time, in the format of *hrs*:*minutes*:*seconds* (using a 24-hour clock). For example: 13:49:13. +- **Local time:** Time, in the format of *hrs*:*minutes*:*seconds* (using a 24-hour clock). For example: 13:49:13. -- **Migration time:** Duration of time that USMT was run, in the format of *hrs:minutes:seconds*. For example: 00:00:10. +- **Migration time:** Duration of time that USMT was run, in the format of *hrs:minutes:seconds*. For example: 00:00:10. The remaining fields are key/value pairs as indicated in the following table. | Key | Value | |-----|-------| -| program | ScanState.exe or LoadState.exe. | -| productVersion | The full product version number of USMT. | -| computerName | The name of the source or destination computer on which USMT was run. | -| commandLine | The full command used to run USMT. | -| PHASE | Reports that a new phase in the migration is starting. This can be one of the following:
    • Initializing
    • Scanning
    • Collecting
    • Saving
    • Estimating
    • Applying
    | -| detectedUser |
    • For the ScanState tool, these are the users USMT detected on the source computer that can be migrated.
    • For the LoadState tool, these are the users USMT detected in the store that can be migrated.
    | -| includedInMigration | Defines whether the user profile/component is included for migration. Valid values are Yes or No. | -| forUser | Specifies either of the following:
    • The user state being migrated.
    • *This Computer*, meaning files and settings that are not associated with a user.
    | -| detectedComponent | Specifies a component detected by USMT.
    • For ScanState, this is a component or application that is installed on the source computer.
    • For LoadState, this is a component or application that was detected in the store.
    | -| totalSizeInMBToTransfer | Total size of the files and settings to migrate in megabytes (MB). | -| totalPercentageCompleted | Total percentage of the migration that has been completed by either ScanState or LoadState. | -| collectingUser | Specifies which user ScanState is collecting files and settings for. | -| totalMinutesRemaining | Time estimate, in minutes, for the migration to complete. | -| error | Type of non-fatal error that occurred. This can be one of the following:
    • **UnableToCopy**: Unable to copy to store because the disk on which the store is located is full.
    • **UnableToOpen**: Unable to open the file for migration because the file is opened in non-shared mode by another application or service.
    • **UnableToCopyCatalog**: Unable to copy because the store is corrupted.
    • **UnableToAccessDevice**: Unable to access the device.
    • **UnableToApply**: Unable to apply the setting to the destination computer.
    | -| objectName | The name of the file or setting that caused the non-fatal error. | -| action | Action taken by USMT for the non-fatal error. The values are:
    • **Ignore**: Non-fatal error ignored and the migration continued because the **/c** option was specified on the command line.
    • **Abort**: Stopped the migration because the **/c** option was not specified.
    | -| errorCode | The errorCode or return value. | -| numberOfIgnoredErrors | The total number of non-fatal errors that USMT ignored. | -| message | The message corresponding to the errorCode. | +| *program* | `ScanState.exe` or `LoadState.exe`. | +| *productVersion* | The full product version number of USMT. | +| *computerName* | The name of the source or destination computer on which USMT was run. | +| *commandLine* | The full command used to run USMT. | +| *PHASE* | Reports that a new phase in the migration is starting. This key can be one of the following values:
    • Initializing
    • Scanning
    • Collecting
    • Saving
    • Estimating
    • Applying
    | +| *detectedUser* |
    • For the **ScanState** tool, this key are the users USMT detected on the source computer that can be migrated.
    • For the **LoadState** tool, this key are the users USMT detected in the store that can be migrated.
    | +| *includedInMigration* | Defines whether the user profile/component is included for migration. Valid values are **Yes** or **No**. | +| *forUser* | Specifies either of the following values:
    • The user state being migrated.
    • *This Computer*, meaning files and settings that aren't associated with a user.
    | +| *detectedComponent* | Specifies a component detected by USMT.
    • For *ScanState*, this key is a component or application that is installed on the source computer.
    • For **LoadState**, this key is a component or application that was detected in the store.
    | +| *totalSizeInMBToTransfer* | Total size of the files and settings to migrate in megabytes (MB). | +| *totalPercentageCompleted* | Total percentage of the migration that has been completed by either **ScanState** or **LoadState**. | +| *collectingUser* | Specifies which user **ScanState** is collecting files and settings for. | +| *totalMinutesRemaining* | Time estimate, in minutes, for the migration to complete. | +| *error* | Type of non-fatal error that occurred. This key can be one of the following values:
    • **UnableToCopy**: Unable to copy to store because the disk on which the store is located is full.
    • **UnableToOpen**: Unable to open the file for migration because the file is opened in non-shared mode by another application or service.
    • **UnableToCopyCatalog**: Unable to copy because the store is corrupted.
    • **UnableToAccessDevice**: Unable to access the device.
    • **UnableToApply**: Unable to apply the setting to the destination computer.
    | +| *objectName* | The name of the file or setting that caused the non-fatal error. | +| *action* | Action taken by USMT for the non-fatal error. The values are:
    • **Ignore**: Non-fatal error ignored and the migration continued because the **/c** option was specified on the command line.
    • **Abort**: Stopped the migration because the **/c** option wasn't specified.
    | +| *errorCode* | The errorCode or return value. | +| *numberOfIgnoredErrors* | The total number of non-fatal errors that USMT ignored. | +| *message** | The message corresponding to the errorCode. | -## List Files Log +## List files log -The List files log (Listfiles.txt) provides a list of the files that were migrated. This list can be used to troubleshoot XML issues or can be retained as a record of the files that were gathered into the migration store. The List Files log is only available for ScanState.exe. +The List files log (`Listfiles.txt`) provides a list of the files that were migrated. This list can be used to troubleshoot XML issues or can be retained as a record of the files that were gathered into the migration store. The List Files log is only available for `ScanState.exe`. -## Diagnostic Log +## Diagnostic log -You can obtain the diagnostic log by setting the environment variable MIG\_ENABLE\_DIAG to a path to an XML file. +You can obtain the diagnostic log by setting the environment variable **MIG_ENABLE_DIAG** to a path to an XML file. The diagnostic log contains: -- Detailed system environment information +- Detailed system environment information -- Detailed user environment information +- Detailed user environment information -- Information about the migration units (migunits) being gathered and their contents +- Information about the migration units (migunits) being gathered and their contents ## Using the Diagnostic Log -The diagnostic log is essentially a report of all the migration units (migunits) included in the migration. A migunit is a collection of data that is identified by the component it is associated with in the XML files. The migration store is made up of all the migunits in the migration. The diagnostic log can be used to verify which migunits were included in the migration and can be used for troubleshooting while authoring migration XML files. +The diagnostic log is essentially a report of all the migration units (migunits) included in the migration. A migunit is a collection of data that is identified by the component it's associated with in the XML files. The migration store is made up of all the migunits in the migration. The diagnostic log can be used to verify which migunits were included in the migration and can be used for troubleshooting while authoring migration XML files. The following examples describe common scenarios in which you can use the diagnostic log. **Why is this file not migrating when I authored an "include" rule for it?** -Let's imagine that we have the following directory structure and that we want the "data" directory to be included in the migration along with the "New Text Document.txt" file in the "New Folder." The directory of **C:\\data** contains: +Let's imagine that we have the following directory structure and that we want the **data** directory to be included in the migration along with the **New Text Document.txt** file in the **New Folder**. The directory of `C:\data` contains: ```console 01/21/2009 10:08 PM . @@ -113,7 +113,7 @@ Let's imagine that we have the following directory structure and that we want th 2 File(s) 26 bytes ``` -The directory of **C:\\data\\New Folder** contains: +The directory of `C:\data\New Folder` contains: ```console 01/21/2009 10:08 PM . @@ -144,59 +144,59 @@ To migrate these files you author the following migration XML: ``` -However, upon testing the migration you notice that the "New Text Document.txt" file isn't included in the migration. To troubleshoot this failure, the migration can be repeated with the environment variable MIG\_ENABLE\_DIAG set such that the diagnostic log is generated. Upon searching the diagnostic log for the component "DATA1", the following XML section is discovered: +However, upon testing the migration you notice that the **New Text Document.txt** file isn't included in the migration. To troubleshoot this failure, the migration can be repeated with the environment variable **MIG_ENABLE_DIAG** set such that the diagnostic log is generated. Upon searching the diagnostic log for the component **DATA1**, the following XML section is discovered: ```xml - - - - - + + + + + - - - - - + + + + + ``` -Analysis of this XML section reveals the migunit that was created when the migration rule was processed. The <Perform> section details the actual files that were scheduled for gathering and the result of the gathering operation. The "New Text Document.txt" file doesn't appear in this section, which confirms that the migration rule was not correctly authored. +Analysis of this XML section reveals the migunit that was created when the migration rule was processed. The **<Perform>** section details the actual files that were scheduled for gathering and the result of the gathering operation. The **New Text Document.txt** file doesn't appear in this section, which confirms that the migration rule wasn't correctly authored. -An analysis of the XML elements reference topic reveals that the <pattern> tag needs to be modified as follows: +An analysis of the [XML elements library](usmt-xml-elements-library.md) reference article reveals that the [**<pattern>**](usmt-xml-elements-library.md#pattern) tag needs to be modified as follows: ```xml c:\data\* [*] ``` -When the migration is preformed again with the modified tag, the diagnostic log reveals the following: +When the migration is performed again with the modified tag, the diagnostic log reveals the following information: ```xml - - - - - + + + + + - - - - - - - + + + + + + + ``` -This diagnostic log confirms that the modified <pattern> value enables the migration of the file. +This diagnostic log confirms that the modified **<pattern>** value enables the migration of the file. **Why is this file migrating when I authored an exclude rule excluding it?** -In this scenario, you have the following directory structure and you want all files in the "data" directory to migrate, except for text files. The **C:\\Data** folder contains: +In this scenario, you have the following directory structure and you want all files in the **Data** directory to migrate, except for text files. The `C:\Data` folder contains: ```console Directory of C:\Data @@ -209,7 +209,7 @@ Directory of C:\Data 2 File(s) 26 bytes ``` -The **C:\\Data\\New Folder\\** contains: +The `C:\Data\New Folder\` contains: ```console 01/21/2009 10:08 PM . @@ -246,33 +246,33 @@ You author the following migration XML: ``` -However, upon testing the migration you notice that all the text files are still included in the migration. In order to troubleshoot this issue, the migration can be performed with the environment variable MIG\_ENABLE\_DIAG set so that the diagnostic log is generated. Upon searching the diagnostic log for the component "DATA1", the following XML section is discovered: +However, upon testing the migration you notice that all the text files are still included in the migration. In order to troubleshoot this issue, the migration can be performed with the environment variable **MIG_ENABLE_DIAG** set so that the diagnostic log is generated. Upon searching the diagnostic log for the component **DATA1**, the following XML section is discovered: ```xml - - - - - - - - + + + + + + + + - - - - - - - - - + + + + + + + + + ``` -Upon reviewing the diagnostic log, you confirm that the files are still migrating, and that it is a problem with the authored migration XML rule. You author an update to the migration XML script as follows: +Upon reviewing the diagnostic log, you confirm that the files are still migrating, and that it's a problem with the authored migration XML rule. You author an update to the migration XML script as follows: ```xml @@ -307,31 +307,30 @@ Your revised migration XML script excludes the files from migrating, as confirme ```xml - - - - - - - - + + + + + + + + - - - - - - + + + + + + ``` -## Related topics +## Related articles +[XML elements library](usmt-xml-elements-library.md) -[XML Elements Library](usmt-xml-elements-library.md) +[ScanState syntax](usmt-scanstate-syntax.md) -[ScanState Syntax](usmt-scanstate-syntax.md) - -[LoadState Syntax](usmt-loadstate-syntax.md) +[LoadState syntax](usmt-loadstate-syntax.md) diff --git a/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md b/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md index f0a495a6f9..7b8526be55 100644 --- a/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md +++ b/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md @@ -2,52 +2,46 @@ title: Migrate EFS Files and Certificates (Windows 10) description: Learn how to migrate Encrypting File System (EFS) certificates. Also, learn where to find information about how to identify file types, files, and folders. ms.reviewer: -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski -ms.date: 04/19/2017 +author: frankroj +ms.date: 11/01/2022 ms.topic: article ms.technology: itpro-deploy --- -# Migrate EFS Files and Certificates +# Migrate EFS files and certificates +This article describes how to migrate Encrypting File System (EFS) certificates. For more information about the `/efs` option, see [Encrypted file options](usmt-scanstate-syntax.md#encrypted-file-options) in [ScanState syntax](usmt-scanstate-syntax.md). -This topic describes how to migrate Encrypting File System (EFS) certificates. For more information about the **/efs** For options, see [ScanState Syntax](usmt-scanstate-syntax.md). +## To migrate EFS files and certificates -## To Migrate EFS Files and Certificates +Encrypting File System (EFS) certificates will be migrated automatically. However, by default, the User State Migration Tool (USMT) 10.0 fails if an encrypted file is found unless you specify an `/efs` option. Therefore when a device has EFS encrypted files, you must specify the `/efs` option with any one of the following parameters: +- `abort` +- `skip` +- `decryptcopy` +- `copyraw` +- `hardlink` -Encrypting File System (EFS) certificates will be migrated automatically. However, by default, the User State Migration Tool (USMT) 10.0 fails if an encrypted file is found (unless you specify an **/efs** option). Therefore, you must specify **/efs:abort | skip | decryptcopy | copyraw | hardlink** with the ScanState command to migrate the encrypted files. Then, when you run the LoadState command on the destination computer, the encrypted file and the EFS certificate will be automatically migrated. +when running the `ScanState.exe` command to migrate the encrypted files. Then, when you run the `LoadState.exe` command on the destination computer, the encrypted file and the EFS certificate will be automatically migrated. -**Note**   -The **/efs** options are not used with the LoadState command. +> [!NOTE] +> The `/efs` options are not used with the `LoadState.exe` command. - +Before using the **ScanState** tool for a migration that includes encrypted files and EFS certificates, you must ensure that all files in an encrypted folder are encrypted as well or remove the encryption attribute from folders that contain unencrypted files. If the encryption attribute has been removed from a file but not from the parent folder, the file will be encrypted during the migration using the credentials of the account used to run the **LoadState** tool. -Before using the ScanState tool for a migration that includes encrypted files and EFS certificates, you must ensure that all files in an encrypted folder are encrypted as well or remove the encryption attribute from folders that contain unencrypted files. If the encryption attribute has been removed from a file but not from the parent folder, the file will be encrypted during the migration using the credentials of the account used to run the LoadState tool. +You can run the [Cipher.exe](/windows-server/administration/windows-commands/cipher) tool at a Windows command prompt to review and change encryption settings on files and folders. For example, to remove encryption from a folder, at a command prompt enter: -You can run the Cipher tool at a Windows command prompt to review and change encryption settings on files and folders. For example, to remove encryption from a folder, at a command prompt type: - -``` syntax -Cipher /D /S: +```cmd +cipher.exe /D /S: ``` -Where *<Path>* is the full path of the topmost parent directory where the encryption attribute is set. - -## Related topics - - -[What Does USMT Migrate?](usmt-what-does-usmt-migrate.md) - -[Identify File Types, Files, and Folders](usmt-identify-file-types-files-and-folders.md) - - - - - - +where *<Path>* is the full path of the topmost parent directory where the encryption attribute is set. +## Related articles +[What does USMT migrate?](usmt-what-does-usmt-migrate.md) +[Identify file types, files, and folders](usmt-identify-file-types-files-and-folders.md) diff --git a/windows/deployment/usmt/usmt-migrate-user-accounts.md b/windows/deployment/usmt/usmt-migrate-user-accounts.md index 206ef57db5..518b93c468 100644 --- a/windows/deployment/usmt/usmt-migrate-user-accounts.md +++ b/windows/deployment/usmt/usmt-migrate-user-accounts.md @@ -2,93 +2,94 @@ title: Migrate User Accounts (Windows 10) description: Learn how to migrate user accounts and how to specify which users to include and exclude by using the User options on the command line. ms.reviewer: -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski -ms.date: 04/19/2017 +author: frankroj +ms.date: 11/01/2022 ms.topic: article ms.technology: itpro-deploy --- # Migrate User Accounts +By default, all users are migrated. The only way to specify which users to include and exclude is on the command line by using the User options. You can't specify users in the migration XML files or by using the `Config.xml` file. -By default, all users are migrated. The only way to specify which users to include and exclude is on the command line by using the User options. You cannot specify users in the migration XML files or by using the Config.xml file. +## To migrate all user accounts and user settings -## In this Topic +Links to detailed explanations of commands are available in the [Related articles](#related-articles) section. +1. Sign into the source computer as an administrator. -- [To migrate all user accounts and user settings](#bkmk-migrateall) +2. Enter the following `ScanState.exe` command line in a command prompt window: -- [To migrate two domain accounts (User1 and User2)](#bkmk-migratetwo) + ```cmd + ScanState.exe \\server\share\migration\mystore /i:MigDocs.xml /i:MigApp.xml /o + ```` -- [To migrate two domain accounts (User1 and User2) and move User1 from the Contoso domain to the Fabrikam domain](#bkmk-migratemoveuserone) +3. Sign into the destination computer as an administrator. -## To migrate all user accounts and user settings -Links to detailed explanations of commands are available in the Related Topics section. +4. Enter one of the following `LoadState.exe ` command lines in a command prompt window: -1. Log on to the source computer as an administrator, and specify the following in a **Command-Prompt** window: + - If you're migrating domain accounts, enter: - `scanstate \\server\share\migration\mystore /i:migdocs.xml /i:migapp.xml /o` + ```cmd + LoadState.exe \\server\share\migration\mystore /i:MigDocs.xml /i:MigApp.xml + ``` -2. Log on to the destination computer as an administrator. + - If you're migrating local accounts along with domain accounts, enter: -3. Do one of the following: + ```cmd + LoadState.exe \\server\share\migration\mystore /i:MigDocs.xml /i:MigApp.xml /lac /lae + ``` - - If you are migrating domain accounts, specify: + > [!NOTE] + > You do not have to specify the `/lae` option, which enables the account that was created with the `/lac` option. Instead, you can create a disabled local account by specifying only the `/lac` option, and then a local administrator needs to enable the account on the destination computer. - `loadstate \\server\share\migration\mystore /i:migdocs.xml /i:migapp.xml` +## To migrate two domain accounts (User1 and User2) - - If you are migrating local accounts along with domain accounts, specify: +Links to detailed explanations of commands are available in the [Related articles](#related-articles) section. - `loadstate \\server\share\migration\mystore /i:migdocs.xml /i:migapp.xml /lac /lae` +1. Sign into the source computer as an administrator. - **Note**   - You do not have to specify the **/lae** option, which enables the account that was created with the **/lac** option. Instead, you can create a disabled local account by specifying only the **/lac** option, and then a local administrator needs to enable the account on the destination computer. +2. Enter the following `ScanState.exe` command line in a command prompt window: - + ```cmd + ScanState.exe \\server\share\migration\mystore /ue:*\* /ui:contoso\user1 /ui:fabrikam\user2 /i:MigDocs.xml /i:MigApp.xml /o + ``` -## To migrate two domain accounts (User1 and User2) -Links to detailed explanations of commands are available in the Related Topics section. +3. Sign into the destination computer as an administrator. -1. Log on to the source computer as an administrator, and specify: +4. Enter the following `LoadState.exe ` command line in a command prompt window: - `scanstate \\server\share\migration\mystore /ue:*\* /ui:contoso\user1 /ui:fabrikam\user2 /i:migdocs.xml /i:migapp.xml /o` + ```cmd + LoadState.exe \\server\share\migration\mystore /i:MigDocs.xml /i:MigApp.xml + ``` -2. Log on to the destination computer as an administrator. +## To migrate two domain accounts (User1 and User2) and move both accounts from the Contoso domain to the Fabrikam domain -3. Specify the following: +Links to detailed explanations of commands are available in the [Related articles](#related-articles) section. - `loadstate \\server\share\migration\mystore /i:migdocs.xml /i:migapp.xml` +1. Sign into the source computer as an administrator. -## To migrate two domain accounts (User1 and User2) and move User1 from the Contoso domain to the Fabrikam domain -Links to detailed explanations of commands are available in the Related Topics section. +2. Enter the following `ScanState.exe` command line in a command prompt window: -1. Log on to the source computer as an administrator, and type the following at the command-line prompt: + ```cmd + ScanState.exe \\server\share\migration\mystore /ue:*\* /ui:contoso\user1 /ui:contoso\user2 /i:MigDocs.xml /i:MigApp.xml /o + ``` - `scanstate \\server\share\migration\mystore /ue:*\* /ui:contoso\user1 /ui:contoso\user2 /i:migdocs.xml /i:migapp.xml /o` +3. Sign into the destination computer as an administrator. -2. Log on to the destination computer as an administrator. - -3. Specify the following: - - `loadstate \\server\share\migration\mystore /mu:contoso\user1:fabrikam\user2 /i:migdocs.xml /i:migapp.xml` - -## Related topics - - -[Identify Users](usmt-identify-users.md) - -[ScanState Syntax](usmt-scanstate-syntax.md) - -[LoadState Syntax](usmt-loadstate-syntax.md) - - - - +4. Enter the following `LoadState.exe ` command line in a command prompt window: + ```cmd + LoadState.exe \\server\share\migration\mystore /mu:contoso\user1:fabrikam\user1 /mu:contoso\user2:fabrikam\user2 /i:MigDocs.xml /i:MigApp.xml + ``` +## Related articles +[Identify users](usmt-identify-users.md) +[ScanState syntax](usmt-scanstate-syntax.md) +[LoadState syntax](usmt-loadstate-syntax.md) diff --git a/windows/deployment/usmt/usmt-migration-store-encryption.md b/windows/deployment/usmt/usmt-migration-store-encryption.md index a5721b75b6..07c5b088c8 100644 --- a/windows/deployment/usmt/usmt-migration-store-encryption.md +++ b/windows/deployment/usmt/usmt-migration-store-encryption.md @@ -1,36 +1,36 @@ --- title: Migration Store Encryption (Windows 10) -description: Learn how the User State Migration Tool (USMT) enables support for stronger encryption algorithms, called Advanced Encryption Standard (AES). +description: Learn how the User State Migration Tool (USMT) enables support for stronger encryption algorithms, called Advanced Encryption Standard (AES). ms.reviewer: -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski -ms.date: 04/19/2017 +author: frankroj +ms.date: 11/01/2022 ms.topic: article ms.technology: itpro-deploy --- -# Migration Store Encryption +# Migration store encryption -This topic discusses User State Migration Tool (USMT) 10.0 options for migration store encryption to protect the integrity of user data during a migration. +This article discusses User State Migration Tool (USMT) 10.0 options for migration store encryption to protect the integrity of user data during a migration. -## USMT Encryption Options +## USMT encryption options USMT enables support for stronger encryption algorithms, called Advanced Encryption Standard (AES), in several bit-level options. AES is a National Institute of Standards and Technology (NIST) specification for the encryption of electronic data. -The encryption algorithm you choose must be specified for both the **ScanState** and the **LoadState** commands, so that these commands can create or read the store during encryption and decryption. The new encryption algorithms can be specified on the **ScanState** and the **LoadState** command lines by using the **/encrypt**:*"encryptionstrength"* and the **/decrypt**:*"encryptionstrength"* command-line options. All of the encryption application programming interfaces (APIs) used by USMT are available in Windows 7, Windows 8, and Windows 10 operating systems. However, export restrictions might limit the set of algorithms that are available to computers in certain locales. You can use the Usmtutils.exe file to determine which encryption algorithms are available to the computers' locales before you begin the migration. +The encryption algorithm you choose must be specified for both the `ScanState.exe` and the `LoadState.exe` commands, so that these commands can create or read the store during encryption and decryption. The new encryption algorithms can be specified on the `ScanState.exe` and the `LoadState.exe` command lines by using the `/encrypt`:*encryptionstrength* and the `/decrypt`:*encryptionstrength* command-line options. All of the encryption application programming interfaces (APIs) used by USMT are available in Windows 7, Windows 8, and Windows 10 operating systems. However, export restrictions might limit the set of algorithms that are available to computers in certain locales. You can use the `UsmtUtils.exe` file to determine which encryption algorithms are available to the computers' locales before you begin the migration. The following table describes the command-line encryption options in USMT. |Component|Option|Description| |--- |--- |--- | -|**ScanState**|**/encrypt**<*AES, AES_128, AES_192, AES_256, 3DES, 3DES_112*>|This option and argument specify that the migration store is encrypted and which algorithm to use. When the algorithm argument is not provided, the **ScanState** tool employs the 3DES algorithm.| -|**LoadState**|**/decrypt**<*AES, AES_128, AES_192, AES_256, 3DES, 3DES_112*>|This option and argument specify that the store must be decrypted and which algorithm to use. When the algorithm argument is not provided, the **LoadState** tool employs the 3DES algorithm.| +|*ScanState*|**/encrypt**<*AES, AES_128, AES_192, AES_256, 3DES, 3DES_112*>|This option and argument specify that the migration store is encrypted and which algorithm to use. When the algorithm argument isn't provided, the **ScanState** tool employs the **3DES** algorithm.| +|*LoadState*|**/decrypt**<*AES, AES_128, AES_192, AES_256, 3DES, 3DES_112*>|This option and argument specify that the store must be decrypted and which algorithm to use. When the algorithm argument isn't provided, the **LoadState** tool employs the **3DES** algorithm.| -**Important**   -Some encryption algorithms may not be available on your systems. You can verify which algorithms are available by running the UsmtUtils command with the **/ec** option. For more information see [UsmtUtils Syntax](usmt-utilities.md) +> [!IMPORTANT] +> Some encryption algorithms may not be available on your systems. You can verify which algorithms are available by running the `UsmtUtils.exe` command with the `/ec` option. For more information, see [UsmtUtils syntax](usmt-utilities.md). -## Related topics +## Related articles -[Plan Your Migration](usmt-plan-your-migration.md) +[Plan your migration](usmt-plan-your-migration.md) diff --git a/windows/deployment/usmt/usmt-overview.md b/windows/deployment/usmt/usmt-overview.md index ddecca1043..7609e4e147 100644 --- a/windows/deployment/usmt/usmt-overview.md +++ b/windows/deployment/usmt/usmt-overview.md @@ -1,46 +1,46 @@ --- title: User State Migration Tool (USMT) Overview (Windows 10) description: Learn about using User State Migration Tool (USMT) 10.0 to streamline and simplify user state migration during large deployments of Windows operating systems. -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski -ms.date: 10/16/2017 +author: frankroj +ms.date: 11/01/2022 ms.topic: article ms.collection: highpri ms.technology: itpro-deploy --- -# User State Migration Tool (USMT) Overview +# User State Migration Tool (USMT) overview -You can use User State Migration Tool (USMT) 10.0 to streamline and simplify user state migration during large deployments of Windows operating systems. USMT captures user accounts, user files, operating system settings, and application settings, and then migrates them to a new Windows installation. You can use USMT for both PC replacement and PC refresh migrations. For more information, see [Common Migration Scenarios](usmt-common-migration-scenarios.md). +You can use User State Migration Tool (USMT) 10.0 to streamline and simplify user state migration during large deployments of Windows operating systems. USMT captures user accounts, user files, operating system settings, and application settings, and then migrates them to a new Windows installation. You can use USMT for both PC replacement and PC refresh migrations. For more information, see [Common migration scenarios](usmt-common-migration-scenarios.md). -USMT enables you to do the following: +USMT enables you to do the following actions: -- Configure your migration according to your business needs by using the migration rule (.xml) files to control exactly which files and settings are migrated and how they are migrated. For more information about how to modify these files, see [USMT XML Reference](usmt-xml-reference.md). -- Fit your customized migration into your automated deployment process by using the ScanState and LoadState tools, which control collecting and restoring the user files and settings. For more information, see [User State Migration Tool (USMT) Command-line Syntax](usmt-command-line-syntax.md). -- Perform offline migrations. You can run migrations offline by using the ScanState command in Windows Preinstallation Environment (WinPE) or you can perform migrations from previous installations of Windows contained in Windows.old directories. For more information about migration types, see [Choose a Migration Store Type](usmt-choose-migration-store-type.md) and [Offline Migration Reference](offline-migration-reference.md). +- Configure your migration according to your business needs by using the migration rule (.xml) files to control exactly which files and settings are migrated and how they're migrated. For more information about how to modify these files, see [USMT XML reference](usmt-xml-reference.md). +- Fit your customized migration into your automated deployment process by using the **ScanState** and **LoadState** tools, which control collecting and restoring the user files and settings. For more information, see [User State Migration Tool (USMT) command-line syntax](usmt-command-line-syntax.md). +- Perform offline migrations. You can run migrations offline by using the ScanState command in Windows Preinstallation Environment (WinPE) or you can perform migrations from previous installations of Windows contained in Windows.old directories. For more information about migration types, see [Choose a migration store Type](usmt-choose-migration-store-type.md) and [Offline migration reference](offline-migration-reference.md). ## Benefits USMT provides the following benefits to businesses that are deploying Windows operating systems: -- Safely migrates user accounts, operating system and application settings. -- Lowers the cost of deploying Windows by preserving user state. -- Reduces end-user downtime required to customize desktops and find missing files. -- Reduces help-desk calls. -- Reduces the time needed for the user to become familiar with the new operating system. -- Increases employee satisfaction with the migration experience. +- Safely migrates user accounts, operating system and application settings. +- Lowers the cost of deploying Windows by preserving user state. +- Reduces end-user downtime required to customize desktops and find missing files. +- Reduces help-desk calls. +- Reduces the time needed for the user to become familiar with the new operating system. +- Increases employee satisfaction with the migration experience. ## Limitations -USMT is intended for administrators who are performing large-scale automated deployments. If you are only migrating the user states of a few computers, you can use [PCmover Express](https://go.microsoft.com/fwlink/?linkid=620915). PCmover is not a free utility. PCmover Express is a tool created by Microsoft's partner, Laplink. +USMT is intended for administrators who are performing large-scale automated deployments. If you're only migrating the user states of a few computers, you can use [PCmover Express](https://go.microsoft.com/fwlink/?linkid=620915). PCmover isn't a free utility. PCmover Express is a tool created by Microsoft's partner, Laplink. -There are some scenarios in which the use of USMT is not recommended. These include: +There are some scenarios in which the use of USMT isn't recommended. These scenarios include: -- Migrations that require end-user interaction. -- Migrations that require customization on a machine-by-machine basis. +- Migrations that require end-user interaction. +- Migrations that require customization on a machine-by-machine basis. -## Related topics +## Related articles -- [User State Migration Tool (USMT) Technical Reference](usmt-technical-reference.md) +- [User State Migration Tool (USMT) technical reference](usmt-technical-reference.md) diff --git a/windows/deployment/usmt/usmt-plan-your-migration.md b/windows/deployment/usmt/usmt-plan-your-migration.md index d66afb281e..6559990881 100644 --- a/windows/deployment/usmt/usmt-plan-your-migration.md +++ b/windows/deployment/usmt/usmt-plan-your-migration.md @@ -2,33 +2,33 @@ title: Plan Your Migration (Windows 10) description: Learn how to your plan your migration carefully so your migration can proceed smoothly and so that you reduce the risk of migration failure. ms.reviewer: -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski -ms.date: 04/19/2017 +author: frankroj +ms.date: 11/01/2022 ms.topic: article ms.technology: itpro-deploy --- -# Plan Your Migration +# Plan your migration -Before you use the User State Migration Tool (USMT) 10.0 to perform your migration, we recommend that you plan your migration carefully. Planning can help your migration proceed smoothly and can reduce the risk of migration failure. +Before you use the User State Migration Tool (USMT) 10.0 to perform your migration, we recommend that you plan your migration carefully. Planning can help your migration proceed smoothly and can reduce the risk of migration failure. In migration planning, both organizations and individuals must first identify what to migrate, including user settings, applications and application settings, and personal data files and folders. Identifying the applications to migrate is especially important so that you can avoid capturing data about applications that may be phased out. -One of the most important requirements for migrating settings and data is restoring only the information that the destination computer requires. Although the data that you capture on the source computer may be more comprehensive than the restoration data for backup purposes, restoring data or settings for applications that you will not install on the destination system is redundant. This can also introduce instability in a newly deployed computer. +One of the most important requirements for migrating settings and data is restoring only the information that the destination computer requires. Although the data that you capture on the source computer may be more comprehensive than the restoration data for backup purposes, restoring data or settings for applications that you won't install on the destination system is redundant. Restoring data or settings for applications that aren't installed can also introduce instability in a newly deployed computer. -## In This Section +## In this section | Link | Description | |--- |--- | -|[Common Migration Scenarios](usmt-common-migration-scenarios.md)|Determine whether you will perform a refresh migration or a replace migration.| -|[What Does USMT Migrate?](usmt-what-does-usmt-migrate.md)|Learn which applications, user data, and operating system components USMT migrates.| -|[Choose a Migration Store Type](usmt-choose-migration-store-type.md)|Choose an uncompressed, compressed, or hard-link migration store.| -|[Determine What to Migrate](usmt-determine-what-to-migrate.md)|Identify user accounts, application settings, operating system settings, and files that you want to migrate inside your organization.| -|[Test Your Migration](usmt-test-your-migration.md)|Test your migration before you deploy Windows to all users.| +|[Common migration scenarios](usmt-common-migration-scenarios.md)|Determine whether you'll perform a refresh migration or a replace migration.| +|[What does USMT migrate?](usmt-what-does-usmt-migrate.md)|Learn which applications, user data, and operating system components USMT migrates.| +|[Choose a migration store type](usmt-choose-migration-store-type.md)|Choose an uncompressed, compressed, or hard-link migration store.| +|[Determine what to migrate](usmt-determine-what-to-migrate.md)|Identify user accounts, application settings, operating system settings, and files that you want to migrate inside your organization.| +|[Test your migration](usmt-test-your-migration.md)|Test your migration before you deploy Windows to all users.| -## Related topics +## Related articles -[USMT XML Reference](usmt-xml-reference.md) +[USMT XML reference](usmt-xml-reference.md) diff --git a/windows/deployment/usmt/usmt-recognized-environment-variables.md b/windows/deployment/usmt/usmt-recognized-environment-variables.md index bab5c90ed1..37172c925e 100644 --- a/windows/deployment/usmt/usmt-recognized-environment-variables.md +++ b/windows/deployment/usmt/usmt-recognized-environment-variables.md @@ -1,140 +1,131 @@ --- title: Recognized Environment Variables (Windows 10) description: Learn how to use environment variables to identify folders that may be different on different computers. -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski -ms.date: 04/19/2017 +author: frankroj +ms.date: 11/01/2022 ms.topic: article ms.collection: highpri ms.technology: itpro-deploy --- -# Recognized Environment Variables +# Recognized environment variables +When using the XML files `MigDocs.xml`, `MigApp.xml`, and `MigUser.xml`, you can use environment variables to identify folders that may be different on different computers. Constant special item ID list (CSIDL) values provide a way to identify folders that applications use frequently but may not have the same name or location on any given computer. For example, the **Documents** folder may be `C:\Users\\My Documents` on one computer and `C:\Documents and Settings\\My Documents` on another. You can use the asterisk (\*) wildcard character in `MigUser.xml`, `MigApp.xml` and `MigDoc.xml` files. However, you can't use the asterisk (\*) wildcard characters in the `Config.xml` file. -When using the XML files MigDocs.xml, MigApp.xml, and MigUser.xml, you can use environment variables to identify folders that may be different on different computers. Constant special item ID list (CSIDL) values provide a way to identify folders that applications use frequently but may not have the same name or location on any given computer. For example, the documents folder may be C:\\Users\\<Username>\\My Documents on one computer and C:\\Documents and Settings on another. You can use the asterisk (\*) wildcard character in MigUser.xml, MigApp.xml and MigDoc.xml files. However, you cannot use the asterisk (\*) wildcard characters in the Config.xml file. - -## In This Topic - - -- [Variables that are processed for the operating system and in the context of each user](#bkmk-1) - -- [Variables that are recognized only in the user context](#bkmk-2) - -## Variables that are processed for the operating system and in the context of each user - +## Variables that are processed for the operating system and in the context of each user You can use these variables within sections in the .xml files with `context=UserAndSystem`, `context=User`, and `context=System`. |Variable|Explanation| |--- |--- | -|**ALLUSERSAPPDATA**|Same as **CSIDL_COMMON_APPDATA**.| -|**ALLUSERSPROFILE**|Refers to %**PROFILESFOLDER**%\Public or %**PROFILESFOLDER**%\all users.| -|**COMMONPROGRAMFILES**|Same as **CSIDL_PROGRAM_FILES_COMMON**.| -|**COMMONPROGRAMFILES**(X86)|Refers to the C:\Program Files (x86)\Common Files folder on 64-bit systems.| -|**CSIDL_COMMON_ADMINTOOLS**|Version 10.0. The file-system directory that contains administrative tools for all users of the computer.| -|**CSIDL_COMMON_ALTSTARTUP**|The file-system directory that corresponds to the non-localized Startup program group for all users.| -|**CSIDL_COMMON_APPDATA**|The file-system directory that contains application data for all users. A typical path Windows is C:\ProgramData.| -|**CSIDL_COMMON_DESKTOPDIRECTORY**|The file-system directory that contains files and folders that appear on the desktop for all users. A typical Windows® XP path is C:\Documents and Settings\All Users\Desktop. A typical path is C:\Users\Public\Desktop.| -|**CSIDL_COMMON_DOCUMENTS**|The file-system directory that contains documents that are common to all users. A typical path in Windows XP is C:\Documents and Settings\All Users\Documents. A typical path is C:\Users\Public\Documents.| -|**CSIDL_COMMON_FAVORITES**|The file-system directory that serves as a common repository for favorites common to all users. A typical path is C:\Users\Public\Favorites.| -|**CSIDL_COMMON_MUSIC**|The file-system directory that serves as a repository for music files common to all users. A typical path is C:\Users\Public\Music.| -|**CSIDL_COMMON_PICTURES**|The file-system directory that serves as a repository for image files common to all users. A typical path is C:\Users\Public\Pictures.| -|**CSIDL_COMMON_PROGRAMS**|The file-system directory that contains the directories for the common program groups that appear on the **Start** menu for all users. A typical path is C:\ProgramData\Microsoft\Windows\Start Menu\Programs.| -|**CSIDL_COMMON_STARTMENU**|The file-system directory that contains the programs and folders which appear on the **Start** menu for all users. A typical path in Windows is C:\ProgramData\Microsoft\Windows\Start Menu.| -|**CSIDL_COMMON_STARTUP**|The file-system directory that contains the programs that appear in the Startup folder for all users. A typical path in Windows XP is C:\Documents and Settings\All Users\Start Menu\Programs\Startup. A typical path is C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup.| -|**CSIDL_COMMON_TEMPLATES**|The file-system directory that contains the templates that are available to all users. A typical path is C:\ProgramData\Microsoft\Windows\Templates.| -|**CSIDL_COMMON_VIDEO**|The file-system directory that serves as a repository for video files common to all users. A typical path is C:\Users\Public\Videos.| -|**CSIDL_DEFAULT_APPDATA**|Refers to the Appdata folder inside %**DEFAULTUSERPROFILE**%.| -|C**SIDL_DEFAULT_LOCAL_APPDATA**|Refers to the local Appdata folder inside %**DEFAULTUSERPROFILE**%.| -|**CSIDL_DEFAULT_COOKIES**|Refers to the Cookies folder inside %**DEFAULTUSERPROFILE**%.| -|**CSIDL_DEFAULT_CONTACTS**|Refers to the Contacts folder inside %**DEFAULTUSERPROFILE**%.| -|**CSIDL_DEFAULT_DESKTOP**|Refers to the Desktop folder inside %**DEFAULTUSERPROFILE**%.| -|**CSIDL_DEFAULT_DOWNLOADS**|Refers to the Downloads folder inside %**DEFAULTUSERPROFILE**%.| -|**CSIDL_DEFAULT_FAVORITES**|Refers to the Favorites folder inside %**DEFAULTUSERPROFILE**%.| -|**CSIDL_DEFAULT_HISTORY**|Refers to the History folder inside %**DEFAULTUSERPROFILE**%.| -|**CSIDL_DEFAULT_INTERNET_CACHE**|Refers to the Internet Cache folder inside %**DEFAULTUSERPROFILE**%.| -|**CSIDL_DEFAULT_PERSONAL**|Refers to the Personal folder inside %**DEFAULTUSERPROFILE**%.| -|**CSIDL_DEFAULT_MYDOCUMENTS**|Refers to the My Documents folder inside %**DEFAULTUSERPROFILE**%.| -|**CSIDL_DEFAULT_MYPICTURES**|Refers to the My Pictures folder inside %**DEFAULTUSERPROFILE**%.| -|**CSIDL_DEFAULT_MYMUSIC**|Refers to the My Music folder inside %**DEFAULTUSERPROFILE**%.| -|**CSIDL_DEFAULT_MYVIDEO**|Refers to the My Videos folder inside %**DEFAULTUSERPROFILE**%.| -|**CSIDL_DEFAULT_RECENT**|Refers to the Recent folder inside %**DEFAULTUSERPROFILE**%.| -|**CSIDL_DEFAULT_SENDTO**|Refers to the Send To folder inside %**DEFAULTUSERPROFILE**%.| -|**CSIDL_DEFAULT_STARTMENU**|Refers to the Start Menu folder inside %**DEFAULTUSERPROFILE**%.| -|**CSIDL_DEFAULT_PROGRAMS**|Refers to the Programs folder inside %**DEFAULTUSERPROFILE**%.| -|**CSIDL_DEFAULT_STARTUP**|Refers to the Startup folder inside %**DEFAULTUSERPROFILE**%.| -|**CSIDL_DEFAULT_TEMPLATES**|Refers to the Templates folder inside %**DEFAULTUSERPROFILE**%.| -|**CSIDL_DEFAULT_QUICKLAUNCH**|Refers to the Quick Launch folder inside %**DEFAULTUSERPROFILE**%.| -|**CSIDL_FONTS**|A virtual folder containing fonts. A typical path is C:\Windows\Fonts.| -|**CSIDL_PROGRAM_FILESX86**|The Program Files folder on 64-bit systems. A typical path is C:\Program Files(86).| -|**CSIDL_PROGRAM_FILES_COMMONX86**|A folder for components that are shared across applications on 64-bit systems. A typical path is C:\Program Files(86)\Common.| -|**CSIDL_PROGRAM_FILES**|The Program Files folder. A typical path is C:\Program Files.| -|**CSIDL_PROGRAM_FILES_COMMON**|A folder for components that are shared across applications. A typical path is C:\Program Files\Common.| -|**CSIDL_RESOURCES**|The file-system directory that contains resource data. A typical path is C:\Windows\Resources.| -|**CSIDL_SYSTEM**|The Windows System folder. A typical path is C:\Windows\System32.| -|**CSIDL_WINDOWS**|The Windows directory or system root. This corresponds to the %**WINDIR**% or %**SYSTEMROOT**% environment variables. A typical path is C:\Windows.| -|**DEFAULTUSERPROFILE**|Refers to the value in **HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList [DefaultUserProfile]**.| -|**PROFILESFOLDER**|Refers to the value in **HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList [ProfilesDirectory]**.| -|**PROGRAMFILES**|Same as **CSIDL_PROGRAM_FILES**.| -|**PROGRAMFILES(X86)**|Refers to the C:\Program Files (x86) folder on 64-bit systems.| -|**SYSTEM**|Refers to %**WINDIR**%\system32.| -|**SYSTEM16**|Refers to %**WINDIR**%\system.| -|**SYSTEM32**|Refers to %**WINDIR**%\system32.| -|**SYSTEMDRIVE**|The drive that holds the Windows folder. Note that this is a drive name and not a folder name (`C:` not `C:\`).| -|**SYSTEMPROFILE**|Refers to the value in **HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18 [ProfileImagePath]**.| -|**SYSTEMROOT**|Same as **WINDIR**.| -|**WINDIR**|Refers to the Windows folder located on the system drive.| +|*ALLUSERSAPPDATA*|Same as **CSIDL_COMMON_APPDATA**.| +|*ALLUSERSPROFILE*|Refers to `%PROFILESFOLDER%\Public` or `%PROFILESFOLDER%\all users`.| +|*COMMONPROGRAMFILES*|Same as **CSIDL_PROGRAM_FILES_COMMON**.| +|*COMMONPROGRAMFILES*(X86)|Refers to the `C:\Program Files (x86)\Common Files` folder on 64-bit systems.| +|*CSIDL_COMMON_ADMINTOOLS*|Version 10.0. The file-system directory that contains administrative tools for all users of the computer.| +|*CSIDL_COMMON_ALTSTARTUP*|The file-system directory that corresponds to the non-localized Startup program group for all users.| +|*CSIDL_COMMON_APPDATA*|The file-system directory that contains application data for all users. A typical path Windows is `C:\ProgramData`.| +|*CSIDL_COMMON_DESKTOPDIRECTORY*|The file-system directory that contains files and folders that appear on the desktop for all users. A typical path is `C:\Users\Public\Desktop`.| +|*CSIDL_COMMON_DOCUMENTS*|The file-system directory that contains documents that are common to all users. A typical path is `C:\Users\Public\Documents`.| +|*CSIDL_COMMON_FAVORITES*|The file-system directory that serves as a common repository for favorites common to all users. A typical path is C:\Users\Public\Favorites.| +|*CSIDL_COMMON_MUSIC*|The file-system directory that serves as a repository for music files common to all users. A typical path is `C:\Users\Public\Music`.| +|*CSIDL_COMMON_PICTURES*|The file-system directory that serves as a repository for image files common to all users. A typical path is `C:\Users\Public\Pictures`.| +|*CSIDL_COMMON_PROGRAMS*|The file-system directory that contains the directories for the common program groups that appear on the **Start** menu for all users. A typical path is `C:\ProgramData\Microsoft\Windows\Start Menu\Programs`.| +|*CSIDL_COMMON_STARTMENU*|The file-system directory that contains the programs and folders that appear on the **Start** menu for all users. A typical path in Windows is `C:\ProgramData\Microsoft\Windows\Start Menu`.| +|*CSIDL_COMMON_STARTUP*|The file-system directory that contains the programs that appear in the Startup folder for all users. A typical path is `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup`.| +|*CSIDL_COMMON_TEMPLATES*|The file-system directory that contains the templates that are available to all users. A typical path is `C:\ProgramData\Microsoft\Windows\Templates`.| +|*CSIDL_COMMON_VIDEO*|The file-system directory that serves as a repository for video files common to all users. A typical path is `C:\Users\Public\Videos`.| +|*CSIDL_DEFAULT_APPDATA*|Refers to the Appdata folder inside `%DEFAULTUSERPROFILE%`.| +|C*SIDL_DEFAULT_LOCAL_APPDATA*|Refers to the local Appdata folder inside `%DEFAULTUSERPROFILE%`.| +|*CSIDL_DEFAULT_COOKIES*|Refers to the Cookies folder inside `%DEFAULTUSERPROFILE%`.| +|*CSIDL_DEFAULT_CONTACTS*|Refers to the Contacts folder inside `%DEFAULTUSERPROFILE%`.| +|*CSIDL_DEFAULT_DESKTOP*|Refers to the Desktop folder inside `%DEFAULTUSERPROFILE%`.| +|*CSIDL_DEFAULT_DOWNLOADS*|Refers to the Downloads folder inside `%DEFAULTUSERPROFILE%`.| +|*CSIDL_DEFAULT_FAVORITES*|Refers to the Favorites folder inside `%DEFAULTUSERPROFILE%`.| +|*CSIDL_DEFAULT_HISTORY*|Refers to the History folder inside `%DEFAULTUSERPROFILE%`.| +|*CSIDL_DEFAULT_INTERNET_CACHE*|Refers to the Internet Cache folder inside `%DEFAULTUSERPROFILE%`.| +|*CSIDL_DEFAULT_PERSONAL*|Refers to the Personal folder inside `%DEFAULTUSERPROFILE%`.| +|*CSIDL_DEFAULT_MYDOCUMENTS*|Refers to the My Documents folder inside `%DEFAULTUSERPROFILE%`.| +|*CSIDL_DEFAULT_MYPICTURES*|Refers to the My Pictures folder inside `%DEFAULTUSERPROFILE%`.| +|*CSIDL_DEFAULT_MYMUSIC*|Refers to the My Music folder inside `%DEFAULTUSERPROFILE%`.| +|*CSIDL_DEFAULT_MYVIDEO*|Refers to the My Videos folder inside `%DEFAULTUSERPROFILE%`.| +|*CSIDL_DEFAULT_RECENT*|Refers to the Recent folder inside `%DEFAULTUSERPROFILE%`.| +|*CSIDL_DEFAULT_SENDTO*|Refers to the Send To folder inside `%DEFAULTUSERPROFILE%`.| +|*CSIDL_DEFAULT_STARTMENU*|Refers to the Start Menu folder inside `%DEFAULTUSERPROFILE%`.| +|*CSIDL_DEFAULT_PROGRAMS*|Refers to the Programs folder inside `%DEFAULTUSERPROFILE%`.| +|*CSIDL_DEFAULT_STARTUP*|Refers to the Startup folder inside `%DEFAULTUSERPROFILE%`.| +|*CSIDL_DEFAULT_TEMPLATES*|Refers to the Templates folder inside `%DEFAULTUSERPROFILE%`.| +|*CSIDL_DEFAULT_QUICKLAUNCH*|Refers to the Quick Launch folder inside `%DEFAULTUSERPROFILE%`.| +|*CSIDL_FONTS*|A virtual folder containing fonts. A typical path is `C:\Windows\Fonts`.| +|*CSIDL_PROGRAM_FILESX86*|The Program Files folder on 64-bit systems. A typical path is `C:\Program Files(86)`.| +|*CSIDL_PROGRAM_FILES_COMMONX86*|A folder for components that are shared across applications on 64-bit systems. A typical path is `C:\Program Files(86)\Common`.| +|*CSIDL_PROGRAM_FILES*|The Program Files folder. A typical path is `C:\Program Files`.| +|*CSIDL_PROGRAM_FILES_COMMON*|A folder for components that are shared across applications. A typical path is `C:\Program Files\Common`.| +|*CSIDL_RESOURCES*|The file-system directory that contains resource data. A typical path is `C:\Windows\Resources`.| +|*CSIDL_SYSTEM*|The Windows System folder. A typical path is `C:\Windows\System32`.| +|*CSIDL_WINDOWS*|The Windows directory or system root path. This value corresponds to the `%WINDIR%` or `%SYSTEMROOT%` environment variables. A typical path is `C:\Windows`.| +|*DEFAULTUSERPROFILE*|Refers to the value in `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList [DefaultUserProfile]`.| +|*PROFILESFOLDER*|Refers to the value in `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList [ProfilesDirectory]`.| +|*PROGRAMFILES*|Same as **CSIDL_PROGRAM_FILES**.| +|*PROGRAMFILES(X86)*|Refers to the `C:\Program Files (x86)` folder on 64-bit systems.| +|*SYSTEM*|Refers to `%WINDIR%\system32`.| +|*SYSTEM16*|Refers to `%WINDIR%\system`.| +|*SYSTEM32*|Refers to `%WINDIR%\system32`.| +|*SYSTEMDRIVE*|The drive that holds the Windows folder. This value is a drive name and not a folder name (`C:` not `C:\`).| +|*SYSTEMPROFILE*|Refers to the value in `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18 [ProfileImagePath]`.| +|*SYSTEMROOT*|Same as **WINDIR**.| +|*WINDIR*|Refers to the Windows folder located on the system drive.| -## Variables that are recognized only in the user context +## Variables that are recognized only in the user context You can use these variables in the .xml files within sections with `context=User` and `context=UserAndSystem`. |Variable|Explanation| |--- |--- | -|**APPDATA**|Same as **CSIDL_APPDATA**.| -|**CSIDL_ADMINTOOLS**|The file-system directory that is used to store administrative tools for an individual user. The Microsoft® Management Console (MMC) saves customized consoles to this directory, which roams with the user profile.| -|**CSIDL_ALTSTARTUP**|The file-system directory that corresponds to the user's non-localized Startup program group.| -|**CSIDL_APPDATA**|The file-system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\username\Application Data or C:\Users\username\AppData\Roaming.| -|**CSIDL_BITBUCKET**|The virtual folder that contains the objects in the user's Recycle Bin.| -|**CSIDL_CDBURN_AREA**|The file-system directory acting as a staging area for files waiting to be written to CD. A typical path is C:\Users\username\AppData\Local\Microsoft\Windows\MasteredBurning\Disc Burning.| -|**CSIDL_CONNECTIONS**|The virtual folder representing Network Connections that contains network and dial-up connections.| -|**CSIDL_CONTACTS**|This refers to the Contacts folder in %**CSIDL_PROFILE**%.| -|**CSIDL_CONTROLS**|The virtual folder that contains icons for the Control Panel items.| -|**CSIDL_COOKIES**|The file-system directory that serves as a common repository for Internet cookies. A typical path is C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies.| -|**CSIDL_DESKTOP**|The virtual folder representing the Windows desktop.| -|**CSIDL_DESKTOPDIRECTORY**|The file-system directory used to physically store file objects on the desktop, which should not be confused with the desktop folder itself. A typical path is C:\Users\username\Desktop.| -|**CSIDL_DRIVES**|The virtual folder representing My Computer that contains everything on the local computer: storage devices, printers, and Control Panel. The folder may also contain mapped network drives.| -|**CSIDL_FAVORITES**|The file-system directory that serves as a common repository for the user's favorites. A typical path is C:\Users\Username\Favorites.| -|**CSIDL_HISTORY**|The file-system directory that serves as a common repository for Internet history items.| -|**CSIDL_INTERNET**|A virtual folder for Internet Explorer.| -|**CSIDL_INTERNET_CACHE**|The file-system directory that serves as a common repository for temporary Internet files. A typical path is C:\Users\username\AppData\Local\Microsoft\Windows\Temporary Internet Files| -|**CSIDL_LOCAL_APPDATA**|The file-system directory that serves as a data repository for local, non-roaming applications. A typical path is C:\Users\username\AppData\Local.| -|**CSIDL_MYDOCUMENTS**|The virtual folder representing My Documents.A typical path is C:\Users\Username\Documents.| -|**CSIDL_MYMUSIC**|The file-system directory that serves as a common repository for music files. A typical path is C:\Users\Username\Music.| -|**CSIDL_MYPICTURES**|The file-system directory that serves as a common repository for image files. A typical path is C:\Users\Username\Pictures.| -|**CSIDL_MYVIDEO**|The file-system directory that serves as a common repository for video files. A typical path is C:\Users\Username\Videos.| -|**CSIDL_NETHOOD**|A file-system directory that contains the link objects that may exist in the My Network Places virtual folder. It is not the same as CSIDL_NETWORK, which represents the network namespace root. A typical path is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Network Shortcuts.| -|**CSIDL_NETWORK**|A virtual folder representing My Network Places, the root of the network namespace hierarchy.| -|**CSIDL_PERSONAL**|The virtual folder representing the My Documents desktop item. This is equivalent to **CSIDL_MYDOCUMENTS**.
    A typical path is C:\Documents and Settings\username\My Documents.| -|**CSIDL_PLAYLISTS**|The virtual folder used to store play albums, typically C:\Users\username\My Music\Playlists.| -|**CSIDL_PRINTERS**|The virtual folder that contains installed printers.| -|**CSIDL_PRINTHOOD**|The file-system directory that contains the link objects that can exist in the Printers virtual folder. A typical path is C:\Users\username\AppData\Roaming\Microsoft\Windows\Printer Shortcuts.| -|**CSIDL_PROFILE**|The user's profile folder. A typical path is C:\Users\Username.| -|**CSIDL_PROGRAMS**|The file-system directory that contains the user's program groups, which are themselves file-system directories. A typical path is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs.| -|**CSIDL_RECENT**|The file-system directory that contains shortcuts to the user's most recently used documents. A typical path is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Recent.| -|**CSIDL_SENDTO**|The file-system directory that contains **Send To** menu items. A typical path is C:\Users\username\AppData\Roaming\Microsoft\Windows\SendTo.| -|**CSIDL_STARTMENU**|The file-system directory that contains **Start** menu items. A typical path in Windows XP is C:\Documents and Settings\username\Start Menu. A typical path in Windows Vista, Windows 7, or Windows 8 is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu.| -|**CSIDL_STARTUP**|The file-system directory that corresponds to the user's Startup program group. A typical path is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup.| -|**CSIDL_TEMPLATES**|The file-system directory that serves as a common repository for document templates. A typical path is C:\Users\username\AppData\Roaming\Microsoft\Windows\Templates.| -|**HOMEPATH**|Same as the standard environment variable.| -|**TEMP**|The temporary folder on the computer. A typical path is %**USERPROFILE**%\AppData\Local\Temp.| -|**TMP**|The temporary folder on the computer. A typical path is %**USERPROFILE**%\AppData\Local\Temp.| -|**USERPROFILE**|Same as **CSIDL_PROFILE**.| -|**USERSID**|Represents the current user-account security identifier (SID). For example,
    S-1-5-21-1714567821-1326601894-715345443-1026.| +|*APPDATA*|Same as **CSIDL_APPDATA**.| +|*CSIDL_ADMINTOOLS*|The file-system directory that is used to store administrative tools for an individual user. The Microsoft® Management Console (MMC) saves customized consoles to this directory, which roams with the user profile.| +|*CSIDL_ALTSTARTUP*|The file-system directory that corresponds to the user's non-localized Startup program group.| +|*CSIDL_APPDATA*|The file-system directory that serves as a common repository for application-specific data. A typical path is `C:\Users\\AppData\Roaming`.| +|*CSIDL_BITBUCKET*|The virtual folder that contains the objects in the user's Recycle Bin.| +|*CSIDL_CDBURN_AREA*|The file-system directory acting as a staging area for files waiting to be written to CD. A typical path is `C:\Users\\AppData\Local\Microsoft\Windows\MasteredBurning\Disc Burning`.| +|*CSIDL_CONNECTIONS*|The virtual folder representing Network Connections that contains network and dial-up connections.| +|*CSIDL_CONTACTS*|This value refers to the Contacts folder in **%CSIDL_PROFILE%**.| +|*CSIDL_CONTROLS*|The virtual folder that contains icons for the Control Panel items.| +|*CSIDL_COOKIES*|The file-system directory that serves as a common repository for Internet cookies. A typical path is `C:\Users\\AppData\Roaming\Microsoft\Windows\Cookies`.| +|*CSIDL_DESKTOP*|The virtual folder representing the Windows desktop.| +|*CSIDL_DESKTOPDIRECTORY*|The file-system directory used to physically store file objects on the desktop, which shouldn't be confused with the desktop folder itself. A typical path is `C:\Users\\Desktop`.| +|*CSIDL_DRIVES*|The virtual folder representing My Computer that contains everything on the local computer: storage devices, printers, and Control Panel. The folder may also contain mapped network drives.| +|*CSIDL_FAVORITES*|The file-system directory that serves as a common repository for the user's favorites. A typical path is `C:\Users\\Favorites`.| +|*CSIDL_HISTORY*|The file-system directory that serves as a common repository for Internet history items.| +|*CSIDL_INTERNET*|A virtual folder for Internet Explorer.| +|*CSIDL_INTERNET_CACHE*|The file-system directory that serves as a common repository for temporary Internet files. A typical path is `C:\Users\\AppData\Local\Microsoft\Windows\Temporary Internet Files`| +|*CSIDL_LOCAL_APPDATA*|The file-system directory that serves as a data repository for local, non-roaming applications. A typical path is `C:\Users\\AppData\Local`.| +|*CSIDL_MYDOCUMENTS*|The virtual folder representing My Documents.A typical path is `C:\Users\\Documents`.| +|*CSIDL_MYMUSIC*|The file-system directory that serves as a common repository for music files. A typical path is `C:\Users\\Music`.| +|*CSIDL_MYPICTURES*|The file-system directory that serves as a common repository for image files. A typical path is `C:\Users\\Pictures`.| +|*CSIDL_MYVIDEO*|The file-system directory that serves as a common repository for video files. A typical path is `C:\Users\\Videos`.| +|*CSIDL_NETHOOD*|A file-system directory that contains the link objects that may exist in the My Network Places virtual folder. It isn't the same as *CSIDL_NETWORK*, which represents the network namespace root. A typical path is `C:\Users\\AppData\Roaming\Microsoft\Windows\Network Shortcuts`.| +|*CSIDL_NETWORK*|A virtual folder representing My Network Places, the root of the network namespace hierarchy.| +|*CSIDL_PERSONAL*|The virtual folder representing the My Documents desktop item. This value is equivalent to **CSIDL_MYDOCUMENTS**. A typical path is `C:\Documents and Settings\\My Documents`.| +|*CSIDL_PLAYLISTS*|The virtual folder used to store play albums, typically `C:\Users\\My Music\Playlists`.| +|*CSIDL_PRINTERS*|The virtual folder that contains installed printers.| +|*CSIDL_PRINTHOOD*|The file-system directory that contains the link objects that can exist in the Printers virtual folder. A typical path is `C:\Users\\AppData\Roaming\Microsoft\Windows\Printer Shortcuts`.| +|*CSIDL_PROFILE*|The user's profile folder. A typical path is `C:\Users\`.| +|*CSIDL_PROGRAMS*|The file-system directory that contains the user's program groups, which are themselves file-system directories. A typical path is `C:\Users\\AppData\Roaming\Microsoft\Windows\Start Menu\Programs`.| +|*CSIDL_RECENT*|The file-system directory that contains shortcuts to the user's most recently used documents. A typical path is `C:\Users\\AppData\Roaming\Microsoft\Windows\Recent`.| +|*CSIDL_SENDTO*|The file-system directory that contains **Send To** menu items. A typical path is `C:\Users\\AppData\Roaming\Microsoft\Windows\SendTo`.| +|*CSIDL_STARTMENU*|The file-system directory that contains **Start** menu items. A typical path is `C:\Users\\AppData\Roaming\Microsoft\Windows\Start Menu`.| +|*CSIDL_STARTUP*|The file-system directory that corresponds to the user's Startup program group. A typical path is `C:\Users\\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup`.| +|*CSIDL_TEMPLATES*|The file-system directory that serves as a common repository for document templates. A typical path is `C:\Users\\AppData\Roaming\Microsoft\Windows\Templates`.| +|*HOMEPATH*|Same as the standard environment variable.| +|*TEMP*|The temporary folder on the computer. A typical path is `%USERPROFILE%\AppData\Local\Temp`.| +|*TMP*|The temporary folder on the computer. A typical path is `%USERPROFILE%\AppData\Local\Temp`.| +|*USERPROFILE*|Same as **CSIDL_PROFILE**.| +|*USERSID*|Represents the current user-account security identifier (SID). For example, `S-1-5-21-1714567821-1326601894-715345443-1026`.| -## Related topics +## Related articles -[USMT XML Reference](usmt-xml-reference.md) +[USMT XML reference](usmt-xml-reference.md) diff --git a/windows/deployment/usmt/usmt-reference.md b/windows/deployment/usmt/usmt-reference.md index f7a3cc1d14..9c2604adf1 100644 --- a/windows/deployment/usmt/usmt-reference.md +++ b/windows/deployment/usmt/usmt-reference.md @@ -2,33 +2,33 @@ title: User State Migration Toolkit (USMT) Reference (Windows 10) description: Use this User State Migration Toolkit (USMT) article to learn details about USMT, like operating system, hardware, and software requirements, and user prerequisites. ms.reviewer: -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski -ms.date: 04/19/2017 +author: frankroj +ms.date: 11/01/2022 ms.topic: article ms.technology: itpro-deploy --- -# User State Migration Toolkit (USMT) Reference +# User State Migration Toolkit (USMT) reference -## In This Section +## In this section | Link | Description | |--- |--- | -|[USMT Requirements](usmt-requirements.md)|Describes operating system, hardware, and software requirements, and user prerequisites.| -|[USMT Best Practices](usmt-best-practices.md)|Discusses general and security-related best practices when using USMT.| -|[How USMT Works](usmt-how-it-works.md)|Learn about the processes behind the ScanState and LoadState tools.| -|[Plan Your Migration](usmt-plan-your-migration.md)|Choose what to migrate and the best migration scenario for your enterprise.| -|[User State Migration Tool (USMT) Command-line Syntax](usmt-command-line-syntax.md)|Explore command-line options for the ScanState, LoadState, and UsmtUtils tools.| -|[USMT XML Reference](usmt-xml-reference.md)|Learn about customizing a migration with XML files.| -|[Offline Migration Reference](offline-migration-reference.md)|Find requirements, best practices, and other considerations for performing a migration offline.| +|[USMT requirements](usmt-requirements.md)|Describes operating system, hardware, and software requirements, and user prerequisites.| +|[USMT best practices](usmt-best-practices.md)|Discusses general and security-related best practices when using USMT.| +|[How USMT works](usmt-how-it-works.md)|Learn about the processes behind the ScanState and LoadState tools.| +|[Plan your migration](usmt-plan-your-migration.md)|Choose what to migrate and the best migration scenario for your enterprise.| +|[User State Migration Tool (USMT) command-line syntax](usmt-command-line-syntax.md)|Explore command-line options for the ScanState, LoadState, and UsmtUtils tools.| +|[USMT XML reference](usmt-xml-reference.md)|Learn about customizing a migration with XML files.| +|[Offline Migration reference](offline-migration-reference.md)|Find requirements, best practices, and other considerations for performing a migration offline.| -## Related topics +## Related articles -[User State Migration Tool (USMT) Overview Topics](usmt-topics.md) +[User State Migration Tool (USMT) overview topics](usmt-topics.md) -[User State Migration Tool (USMT) How-to topics](usmt-how-to.md) +[User State Migration Tool (USMT) how-to topics](usmt-how-to.md) -[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md) +[User State Migration Tool (USMT) troubleshooting](usmt-troubleshooting.md) diff --git a/windows/deployment/usmt/usmt-requirements.md b/windows/deployment/usmt/usmt-requirements.md index d0cc3d2e50..d0f86bfc08 100644 --- a/windows/deployment/usmt/usmt-requirements.md +++ b/windows/deployment/usmt/usmt-requirements.md @@ -2,101 +2,93 @@ title: USMT Requirements (Windows 10) description: While the User State Migration Tool (USMT) doesn't have many requirements, these tips and tricks can help smooth the migration process. ms.reviewer: -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski -ms.date: 05/03/2017 +author: frankroj +ms.date: 11/01/2022 ms.topic: article ms.technology: itpro-deploy --- -# USMT Requirements +# USMT requirements -## In This Topic +## Supported operating systems -- [Supported Operating Systems](#bkmk-1) -- [Windows PE](#windows-pe) -- [Credentials](#credentials) -- [Config.xml](#configxml) -- [LoadState](#loadstate) -- [Hard Disk Requirements](#bkmk-3) -- [User Prerequisites](#bkmk-userprereqs) - -## Supported Operating Systems - -The User State Migration Tool (USMT) 10.0 does not have any explicit RAM or CPU speed requirements for either the source or destination computers. If your computer complies with the system requirements of the operating system, it also complies with the requirements for USMT. You need an intermediate store location large enough to hold all of the migrated data and settings, and the same amount of hard disk space on the destination computer for the migrated files and settings. +The User State Migration Tool (USMT) 10.0 doesn't have any explicit RAM or CPU speed requirements for either the source or destination computers. If your computer complies with the system requirements of the operating system, it also complies with the requirements for USMT. You need an intermediate store location large enough to hold all of the migrated data and settings, and the same amount of hard disk space on the destination computer for the migrated files and settings. The following table lists the operating systems supported in USMT. -|Operating Systems|ScanState (source computer)|LoadState (destination computer)| +|Operating Systems|ScanState (source computer)|LoadState (destination computer)| |--- |--- |--- | -|32-bit versions of Windows 7|✔️|✔️| -|64-bit versions of Windows 7|✔️|✔️| -|32-bit versions of Windows 8|✔️|✔️| -|64-bit versions of Windows 8|✔️|✔️| -|32-bit versions of Windows 10|✔️|✔️| -|64-bit versions of Windows 10|✔️|✔️| +|32-bit versions of Windows 7|✔️|✔️| +|64-bit versions of Windows 7|✔️|✔️| +|32-bit versions of Windows 8|✔️|✔️| +|64-bit versions of Windows 8|✔️|✔️| +|32-bit versions of Windows 10|✔️|✔️| +|64-bit versions of Windows 10|✔️|✔️| > [!NOTE] > You can migrate a 32-bit operating system to a 64-bit operating system. However, you cannot migrate a 64-bit operating system to a 32-bit operating system. -USMT does not support any of the Windows Server® operating systems, Windows 2000, Windows XP, or any of the starter editions for Windows Vista or Windows 7. +## Unsupported scenarios -USMT for Windows 10 should not be used for migrating from Windows 7 to Windows 8.1. It is meant to migrate to Windows 10. -For more information about previous releases of the USMT tools, see [User State Migration Tool (USMT) 4.0 User’s Guide](/previous-versions/windows/server/dd560801(v=ws.10)). +- USMT doesn't support any of the Windows Server® operating systems. +- USMT for Windows 10 shouldn't be used for migrating between previous versions of Windows. USMT for Windows 10 is only meant to migrate to Windows 10 or between Windows 10 versions. For more information about previous releases of the USMT tools, see [User State Migration Tool (USMT) overview](/previous-versions/windows/hh825227(v=win.10)). ## Windows PE -- **Must use latest version of Windows PE.** For example, to migrate to Windows 10, you'll need Windows PE 5.1. For more info, see [What's New in Windows PE](/windows-hardware/manufacture/desktop/whats-new-in-windows-pe-s14). +- **Must use latest version of Windows PE.** For example, to migrate to Windows 10, you'll need Windows PE 5.1. For more info, see [What's New in Windows PE](/windows-hardware/manufacture/desktop/whats-new-in-windows-pe-s14). ## Credentials - **Run as administrator** - When manually running the **ScanState** and **LoadState** tools on Windows 7, Windows 8, or Windows 10 you must run them from an elevated command prompt to ensure that all specified users are migrated. If you do not run USMT from an elevated prompt, only the user profile that is logged on will be included in the migration. + When manually running the **ScanState** and **LoadState** tools on Windows 7, Windows 8, or Windows 10 you must run them from an elevated command prompt to ensure that all specified users are migrated. If you don't run USMT from an elevated prompt, only the user profile that is logged on will be included in the migration. To open an elevated command prompt: -1. Click **Start**. -2. Enter **cmd** in the search function. -3. Depending on the OS you are using, **cmd** or **Command Prompt** is displayed. -3. Right-click **cmd** or **Command Prompt**, and then click **Run as administrator**. -4. If the current user is not already an administrator, you will be prompted to enter administrator credentials. +1. Select **Start**. +2. Enter `cmd` in the search function. +3. Depending on the OS you're using, **cmd** or **Command Prompt** is displayed. +4. Right-click **cmd** or **Command Prompt**, and then select **Run as administrator**. +5. If the current user isn't already an administrator, you'll be prompted to enter administrator credentials. > [!IMPORTANT] > You must run USMT using an account with full administrative permissions, including the following privileges: - -- SeBackupPrivilege (Back up files and directories) -- SeDebugPrivilege (Debug programs) -- SeRestorePrivilege (Restore files and directories) -- SeSecurityPrivilege (Manage auditing and security log) -- SeTakeOwnership Privilege (Take ownership of files or other objects) +> +> - SeBackupPrivilege (Back up files and directories) +> - SeDebugPrivilege (Debug programs) +> - SeRestorePrivilege (Restore files and directories) +> - SeSecurityPrivilege (Manage auditing and security log) +> - SeTakeOwnership Privilege (Take ownership of files or other objects) ## Config.xml -- **Specify the /c option and <ErrorControl> settings in the Config.xml file.**
    - USMT will fail if it cannot migrate a file or setting, unless you specify the **/c** option. When you specify the **/c** option, USMT logs an error each time it encounters a file that is in use that did not migrate, but the migration will not be interrupted. In USMT, you can specify in the Config.xml file, which types of errors should allow the migration to continue, and which should cause the migration to fail. For more information about error reporting, and the **<ErrorControl>** element, see [Config.xml File](usmt-configxml-file.md), [Log Files](usmt-log-files.md), and [XML Elements Library](usmt-xml-elements-library.md). +### Specify the `/c` option and <ErrorControl> settings in the `Config.xml` file + +USMT will fail if it can't migrate a file or setting, unless you specify the `/c` option. When you specify the `/c` option, USMT logs an error each time it encounters a file that is in use that didn't migrate, but the migration won't be interrupted. In USMT, you can specify in the `Config.xml` file, which types of errors should allow the migration to continue, and which should cause the migration to fail. For more information about error reporting, and the **<ErrorControl>** element, see [Config.xml file](usmt-configxml-file.md#errorcontrol), [Log files](usmt-log-files.md), and [XML elements library](usmt-xml-elements-library.md). ## LoadState -- **Install applications before running the LoadState command.**
    - Install all applications on the destination computer before restoring the user state. This ensures that migrated settings are preserved. +### Install applications before running the LoadState command -## Hard-Disk Requirements +Install all applications on the destination computer before restoring the user state. Installing applications before running the `LoadState.exe` command ensures that migrated settings are preserved. -Ensure that there is enough available space in the migration-store location and on the source and destination computers. For more information, see [Estimate Migration Store Size](usmt-estimate-migration-store-size.md). +## Hard-disk requirements -## User Prerequisites +Ensure that there's enough available space in the migration-store location and on the source and destination computers. For more information, see [Estimate Migration Store Size](usmt-estimate-migration-store-size.md). -This documentation assumes that IT professionals using USMT understand command-line tools. The documentation also assumes that IT professionals using USMT to author MigXML rules understand the following: +## User prerequisites -- The navigation and hierarchy of the Windows registry. -- The files and file types that applications use. -- The methods to extract application and setting information manually from applications created by internal software-development groups and non-Microsoft software vendors. -- XML-authoring basics. +This documentation assumes that IT professionals using USMT understand command-line tools. The documentation also assumes that IT professionals using USMT to author MigXML rules understand the following concepts: -## Related topics +- The navigation and hierarchy of the Windows registry. +- The files and file types that applications use. +- The methods to extract application and setting information manually from applications created by internal software-development groups and non-Microsoft software publishers. +- XML-authoring basics. -[Plan Your Migration](usmt-plan-your-migration.md)
    -[Estimate Migration Store Size](usmt-estimate-migration-store-size.md)
    -[User State Migration Tool (USMT) Overview Topics](usmt-topics.md)
    +## Related articles + +- [Plan your migration](usmt-plan-your-migration.md) +- [Estimate migration store size](usmt-estimate-migration-store-size.md) +- [User State Migration Tool (USMT) overview topics](usmt-topics.md) diff --git a/windows/deployment/usmt/usmt-reroute-files-and-settings.md b/windows/deployment/usmt/usmt-reroute-files-and-settings.md index c059c077b9..026a457ea7 100644 --- a/windows/deployment/usmt/usmt-reroute-files-and-settings.md +++ b/windows/deployment/usmt/usmt-reroute-files-and-settings.md @@ -1,64 +1,53 @@ --- title: Reroute Files and Settings (Windows 10) -description: Learn how to create a custom .xml file and specify this file name on both the ScanState and LoadState commandlines to reroute files and settings. +description: Learn how to create a custom .xml file and specify this file name on both the ScanState and LoadState command lines to reroute files and settings. ms.reviewer: -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski -ms.date: 04/19/2017 +author: frankroj +ms.date: 11/01/2022 ms.topic: article ms.technology: itpro-deploy --- # Reroute Files and Settings +To reroute files and settings, create a custom .xml file and specify the .xml file name on both the `ScanState.exe` and `LoadState.exe` command-lines. Th custom .xml file enables you to keep your changes separate from the default .xml files, so that it's easier to track your modifications. -To reroute files and settings, create a custom .xml file and specify this file name on both the ScanState and LoadState commandlines. This enables you to keep your changes separate from the default .xml files, so that it is easier to track your modifications. +## Reroute a folder -In this topic: +The following custom .xml file migrates the directories and files from `C:\EngineeringDrafts` into the **My Documents** folder of every user. **%CSIDL_PERSONAL%** is the virtual folder representing the **My Documents** desktop item, which is equivalent to **CSIDL_MYDOCUMENTS**. -- [Reroute a Folder](#bkmk-reroutefolder) - -- [Reroute a Specific File Type](#bkmk-reroutespecfiletype) - -- [Reroute a Specific File](#bkmk-reroutespecificfile) - -## Reroute a Folder - - -The following custom .xml file migrates the directories and files from C:\\EngineeringDrafts into the My Documents folder of every user. %CSIDL\_PERSONAL% is the virtual folder representing the My Documents desktop item, which is equivalent to CSIDL\_MYDOCUMENTS. - -``` xml +```xml Engineering Drafts Documents to Personal Folder -   + C:\EngineeringDrafts\* [*] -     - + + C:\EngineeringDrafts\* [*] -     -   + + ``` -## Reroute a Specific File Type +## Reroute a specific file type +The following custom .xml file reroutes .mp3 files located in the fixed drives on the source computer into the `C:\Music` folder on the destination computer. -The following custom .xml file reroutes .mp3 files located in the fixed drives on the source computer into the C:\\Music folder on the destination computer. - -``` xml +```xml All .mp3 files to My Documents @@ -81,12 +70,11 @@ The following custom .xml file reroutes .mp3 files located in the fixed drives o ``` -## Reroute a Specific File +## Reroute a specific file +The following custom .xml file migrates the `Sample.doc` file from `C:\EngineeringDrafts` into the **My Documents** folder of every user. **%CSIDL_PERSONAL%** is the virtual folder representing the **My Documents** desktop item, which is equivalent to **CSIDL_MYDOCUMENTS**. -The following custom .xml file migrates the Sample.doc file from C:\\EngineeringDrafts into the My Documents folder of every user. %CSIDL\_PERSONAL% is the virtual folder representing the My Documents desktop item, which is equivalent to CSIDL\_MYDOCUMENTS. - -``` xml +```xml Sample.doc into My Documents @@ -108,20 +96,10 @@ The following custom .xml file migrates the Sample.doc file from C:\\Engineering ``` -## Related topics - - -[Customize USMT XML Files](usmt-customize-xml-files.md) - -[Conflicts and Precedence](usmt-conflicts-and-precedence.md) - -[USMT XML Reference](usmt-xml-reference.md) - -  - -  - - +## Related articles +[Customize USMT XML files](usmt-customize-xml-files.md) +[Conflicts and precedence](usmt-conflicts-and-precedence.md) +[USMT XML reference](usmt-xml-reference.md) diff --git a/windows/deployment/usmt/usmt-resources.md b/windows/deployment/usmt/usmt-resources.md index 4ce47e1590..ac1cc27168 100644 --- a/windows/deployment/usmt/usmt-resources.md +++ b/windows/deployment/usmt/usmt-resources.md @@ -2,42 +2,35 @@ title: USMT Resources (Windows 10) description: Learn about User State Migration Tool (USMT) online resources, including Microsoft Visual Studio and forums. ms.reviewer: -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski -ms.date: 04/19/2017 +author: frankroj +ms.date: 11/01/2022 ms.topic: article ms.technology: itpro-deploy --- -# USMT Resources +# USMT resources +## USMT online resources -## USMT Online Resources +- [ADK Release Notes](/windows-hardware/get-started/what-s-new-in-kits-and-tools) +- Microsoft Visual Studio -- [ADK Release Notes](/windows-hardware/get-started/what-s-new-in-kits-and-tools) + - You can use the User State Migration Tool (USMT) XML schema (the `MigXML.xsd` file) to validate the migration .xml files using an XML authoring tool such as Microsoft® Visual Studio®. + + For more information about how to use the schema with your XML authoring environment, see the environment's documentation. -- Microsoft Visual Studio +- [Ask the Directory Services Team blog](https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/bg-p/AskDS) - - You can use the User State Migration Tool (USMT) XML schema (the MigXML.xsd file) to validate the migration .xml files using an XML authoring tool such as Microsoft® Visual Studio®. +- Forums: - For more information about how to use the schema with your XML authoring environment, see the environment’s documentation. + - [Microsoft Deployment Toolkit forum](/answers/topics/mem-mdt.html) -- [Ask the Directory Services Team blog](/archive/blogs/askds/) + - [Configuration Manager Operating System Deployment forum](/answers/topics/mem-cm-osd.html) -- Forums: +## Related articles - - [Microsoft Deployment Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=226386) - - - [Configuration Manager Operating System Deployment](https://go.microsoft.com/fwlink/p/?LinkId=226388) - -## Related topics - - -[User State Migration Tool (USMT) Overview Topics](usmt-topics.md) - -  - -  +[User State Migration Tool (USMT) overview topics](usmt-topics.md) diff --git a/windows/deployment/usmt/usmt-return-codes.md b/windows/deployment/usmt/usmt-return-codes.md deleted file mode 100644 index 551ed21158..0000000000 --- a/windows/deployment/usmt/usmt-return-codes.md +++ /dev/null @@ -1,275 +0,0 @@ ---- -title: Return Codes (Windows 10) -description: Learn about User State Migration Tool (USMT) 10.0 return codes and error messages. Also view a list of USMT return codes and their associated migration steps. -ms.reviewer: -manager: dougeby -ms.author: aaroncz -ms.prod: windows-client -author: aczechowski -ms.date: 04/19/2017 -ms.topic: article -ms.technology: itpro-deploy ---- - -# Return Codes - -This topic describes User State Migration Tool (USMT) 10.0 return codes and error messages. Also included is a table listing the USMT return codes with their associated mitigation steps. In addition, this topic provides tips to help you use the logfiles to determine why you received an error. - -Understanding the requirements for running USMT can help minimize errors in your USMT migrations. For more information, see [USMT Requirements](usmt-requirements.md). - -## In This Topic - -[USMT Return Codes](#bkmk-returncodes) - -[USMT Error Messages](#bkmk-errormessages) - -[Troubleshooting Return Codes and Error Messages](#bkmk-tscodeserrors) - -## USMT Return Codes - -If you encounter an error in your USMT migration, you can use return codes and the more specific information provided in the associated USMT error messages to troubleshoot the issue and to identify mitigation steps. - -Return codes are grouped into the following broad categories that describe their area of error reporting: - -Success or User Cancel - -Invalid Command Lines - -Setup and Initialization - -Non-fatal Errors - -Fatal Errors - -As a best practice, we recommend that you set verbosity level to 5, **/v**:5, on the **ScanState**, **LoadState**, and **USMTUtils** command lines so that the most detailed reporting is available in the respective USMT logs. You can use a higher verbosity level if you want the log files output to go to a debugger. - -## USMT Error Messages - -Error messages provide more detailed information about the migration problem than the associated return code. For example, the **ScanState**, **LoadState**, or **USMTUtils** tool might return a code of "11” (for “USMT\_INVALID\_PARAMETERS") and a related error message that reads "/key and /keyfile both specified". The error message is displayed at the command prompt and is identified in the **ScanState**, **LoadState**, or **USMTUtils** log files to help you determine why the return code was received. - -You can obtain more information about any listed Windows application programming interface (API) system error codes by typing **net helpmsg** on the command line and, then typing the error code number. For more information about System Error Codes, see [this Microsoft Web site](/windows/win32/debug/system-error-codes--0-499-). - -## Troubleshooting Return Codes and Error Messages - -The following information lists each return code by numeric value, along with the associated error messages and suggested troubleshooting actions. - -- **0: USMT_SUCCESS** - - **Error message**: Successful run - -- **1: USMT_DISPLAY_HELP** - - **Error message**: Command line help requested - -- **2: USMT_STATUS_CANCELED** - - **Error message**: - - Gather was aborted because of an EFS file - - User chose to cancel (such as pressing CTRL+C) - -- **3: USMT_WOULD_HAVE_FAILED** - - **Error message**: At least one error was skipped as a result of /c. - - **Troubleshooting, mitigation, workarounds**: Review ScanState, LoadState, or UsmtUtils log for details about command-line errors. - -- **11: USMT_INVALID_PARAMETERS** - - | Error message | Troubleshooting, mitigation, workarounds | - | --- | --- | - | /all conflicts with /ui, /ue or /uel | Review ScanState log or LoadState log for details about command-line errors. | - | /auto expects an optional parameter for the script folder | Review ScanState log or LoadState log for details about command-line errors. | - | /encrypt can't be used with /nocompress | Review ScanState log or LoadState log for details about command-line errors. | - | /encrypt requires /key or /keyfile | Review ScanState log or LoadState log for details about command-line errors. | - | /genconfig can't be used with most other options | Review ScanState log or LoadState log for details about command-line errors. | - | /genmigxml can't be used with most other options | Review ScanState log or LoadState log for details about command-line errors. | - | /hardlink requires /nocompress | Review ScanState log or LoadState log for details about command-line errors. | - | /key and /keyfile both specified | Review ScanState log or LoadState log for details about command-line errors. | - | /key or /keyfile used without enabling encryption | Review ScanState log or LoadState log for details about command-line errors. | - | /lae is only used with /lac | Review ScanState log or LoadState log for details about command-line errors. | - | /listfiles cannot be used with /p | Review ScanState log or LoadState log for details about command-line errors. | - | /offline requires a valid path to an XML file describing offline paths | Review ScanState log or LoadState log for details about command-line errors. | - | /offlinewindir requires a valid path to offline windows folder | Review ScanState log or LoadState log for details about command-line errors. | - | /offlinewinold requires a valid path to offline windows folder | Review ScanState log or LoadState log for details about command-line errors. | - | A command was already specified | Verify that the command-line syntax is correct and that there are no duplicate commands. | - | An option argument is missing | Review ScanState log or LoadState log for details about command-line errors. | - | An option is specified more than once and is ambiguous | Review ScanState log or LoadState log for details about command-line errors. | - | By default /auto selects all users and uses the highest log verbosity level. Switches like /all, /ui, /ue, /v are not allowed. | Review ScanState log or LoadState log for details about command-line errors. | - | Command line arguments are required. Specify /? for options. | Review ScanState log or LoadState log for details about command-line errors. | - | Command line option is not valid | Review ScanState log or LoadState log for details about command-line errors. | - | EFS parameter specified is not valid for /efs | Review ScanState log or LoadState log for details about command-line errors. | - | File argument is invalid for /genconfig | Review ScanState log or LoadState log for details about command-line errors. | - | File argument is invalid for /genmigxml | Review ScanState log or LoadState log for details about command-line errors. | - | Invalid space estimate path. Check the parameters and/or file system permissions | Review ScanState log or LoadState log for details about command-line errors. | - | List file path argument is invalid for /listfiles | Review ScanState log or LoadState log for details about command-line errors. | - | Retry argument must be an integer | Review ScanState log or LoadState log for details about command-line errors. | - | Settings store argument specified is invalid | Review ScanState log or LoadState log for details about command-line errors. Make sure that the store path is accessible and that the proper permission levels are set. | - | Specified encryption algorithm is not supported | Review ScanState log or LoadState log for details about command-line errors. | - | The /efs:hardlink requires /hardlink | Review ScanState log or LoadState log for details about command-line errors. | - | The /targetWindows7 option is only available for Windows XP, Windows Vista, and Windows 7 | Review ScanState log or LoadState log for details about command-line errors. | - | The store parameter is required but not specified | Review ScanState log or LoadState log for details about command-line errors. | - | The source-to-target domain mapping is invalid for /md | Review ScanState log or LoadState log for details about command-line errors. | - | The source-to-target user account mapping is invalid for /mu | Review ScanState log or LoadState log for details about command-line errors. | - | Undefined or incomplete command line option | Review ScanState log or LoadState log for details about command-line errors.

    Category: Invalid Command Lines| - | Use /nocompress, or provide an XML file path with /p"pathtoafile" to get a compressed store size estimate | Review ScanState log or LoadState log for details about command-line errors. | - | User exclusion argument is invalid | Review ScanState log or LoadState log for details about command-line errors. | - | Verbosity level must be specified as a sum of the desired log options: Verbose (0x01), Record Objects (0x04), Echo to debug port (0x08) | Review ScanState log or LoadState log for details about command-line errors. | - | Volume shadow copy feature is not supported with a hardlink store | Review ScanState log or LoadState log for details about command-line errors. | - | Wait delay argument must be an integer | Review ScanState log or LoadState log for details about command-line errors. | - -- **12: USMT_ERROR_OPTION_PARAM_TOO_LARGE** - - | Error message | Troubleshooting, mitigation, workarounds | - | --- | --- | - | Command line arguments cannot exceed 256 characters | Review ScanState log or LoadState log for details about command-line errors.

    Category: Invalid Command Lines | - | Specified settings store path exceeds the maximum allowed length of 256 characters | Review ScanState log or LoadState log for details about command-line errors. | - -- **13: USMT_INIT_LOGFILE_FAILED** - - **Error message**: Log path argument is invalid for /l - - **Troubleshooting, mitigation, workarounds**: When /l is specified in the ScanState command line, USMT validates the path. Verify that the drive and other information, for example file system characters, are correct. - - **Category**: Invalid Command Lines - -- **14: USMT_ERROR_USE_LAC** - - **Error message**: Unable to create a local account because /lac was not specified - - **Troubleshooting, mitigation, workarounds**: When creating local accounts, the command-line options /lac and /lae should be used. - - **Category**: Invalid Command Lines - -- **26: USMT_INIT_ERROR** - - | Error message | Troubleshooting, mitigation, workarounds | - | --- | --- | - | Multiple Windows installations found | Listfiles.txt could not be created. Verify that the location you specified for the creation of this file is valid.

    Category: Setup and Initialization | - | Software malfunction or unknown exception | Check all loaded .xml files for errors, common error when using /I to load the Config.xml file. | - | Unable to find a valid Windows directory to proceed with requested offline operation; Check if offline input file is present and has valid entries | Verify that the offline input file is present and that it has valid entries. USMT could not find valid offline operating system. Verify your offline directory mapping. | - -- **27: USMT_INVALID_STORE_LOCATION** - - | Error message | Troubleshooting, mitigation, workarounds | - | --- | --- | - | A store path can't be used because an existing store exists; specify /o to overwrite | Specify /o to overwrite an existing intermediate or migration store.

    Category: Setup and Initialization | - | A store path is missing or has incomplete data | Make sure that the store path is accessible and that the proper permission levels are set. | - | An error occurred during store creation | Make sure that the store path is accessible and that the proper permission levels are set. Specify /o to overwrite an existing intermediate or migration store. | - | An inappropriate device such as a floppy disk was specified for the store | Make sure that the store path is accessible and that the proper permission levels are set. | - | Invalid store path; check the store parameter and/or file system permissions | Invalid store path; check the store parameter and/or file system permissions. | - | The file layout and/or file content is not recognized as a valid store | Make sure that the store path is accessible and that the proper permission levels are set. Specify /o to overwrite an existing intermediate or migration store. | - | The store path holds a store incompatible with the current USMT version | Make sure that the store path is accessible and that the proper permission levels are set. | - | The store save location is read-only or does not support a requested storage option | Make sure that the store path is accessible and that the proper permission levels are set. | - -- **28: USMT_UNABLE_GET_SCRIPTFILES** - - | Error message | Troubleshooting, mitigation, workarounds | - | --- | --- | - | Script file is invalid for /i | Check all specified migration .xml files for errors. This is a common error when using /i to load the Config.xml file.

    Category: Setup and Initialization | - | Unable to find a script file specified by /i | Verify the location of your script files, and ensure that the command-line options are correct. | - -- **29: USMT_FAILED_MIGSTARTUP** - - | Error message | Troubleshooting, mitigation, workarounds | - | --- | --- | - | A minimum of 250 MB of free space is required for temporary files | Verify that the system meets the minimum temporary disk space requirement of 250 MB. As a workaround, you can set the environment variable `USMT_WORKING_DIR=` to redirect the temporary files working directory.

    Category: Setup and Initialization | - | Another process is preventing migration; only one migration tool can run at a time | Check the ScanState log file for migration .xml file errors. | - | Failed to start main processing, look in log for system errors or check the installation | Check the ScanState log file for migration .xml file errors. | - | Migration failed because of an XML error; look in the log for specific details | Check the ScanState log file for migration .xml file errors. | - | Unable to automatically map the drive letters to match the online drive letter layout; Use /offline to provide a mapping table | Check the ScanState log file for migration .xml file errors. | - -- **31: USMT_UNABLE_FINDMIGUNITS** - - - **Error message**: An error occurred during the discover phase; the log should have more specific information - - **Troubleshooting, mitigation, workarounds**: Check the ScanState log file for migration .xml file errors. - - **Category**: Setup and Initialization - -- **32: USMT_FAILED_SETMIGRATIONTYPE** - - **Error message**: An error occurred processing the migration system - - **Troubleshooting, mitigation, workarounds**: Check the ScanState log file for migration .xml file errors, or use online Help by typing /? on the command line. - - **Category**: Setup and Initialization - -- **33: USMT_UNABLE_READKEY** - - | Error message | Troubleshooting, mitigation, workarounds | - | --- | --- | - | Error accessing the file specified by the /keyfile parameter | Check the ScanState log file for migration .xml file errors, or use online Help by typing /? on the command line.

    Category: Setup and Initialization | - | The encryption key must have at least one character | Check the ScanState log file for migration .xml file errors, or use online Help by typing /? on the command line. | - -- **34: USMT_ERROR_INSUFFICIENT_RIGHTS** - - | Error message | Troubleshooting, mitigation, workarounds | - | --- | --- | - | Directory removal requires elevated privileges | Log on as Administrator, and run with elevated privileges.

    Category: Setup and Initialization | - | No rights to create user profiles; log in as Administrator; run with elevated privileges | Log on as Administrator, and run with elevated privileges. | - | No rights to read or delete user profiles; log in as Administrator, run with elevated privileges | Log on as Administrator, and run with elevated privileges. | - -- **35: USMT_UNABLE_DELETE_STORE** - - | Error message | Troubleshooting, mitigation, workarounds | - | --- | --- | - | A reboot is required to remove the store | Reboot to delete any files that could not be deleted when the command was executed.

    Category: Setup and Initialization | - | A store path can't be used because it contains data that could not be overwritten | A migration store could not be deleted. If you are using a hardlink migration store you might have a locked file in it. You should manually delete the store, or use **USMTUtils /rd** command to delete the store. | - | There was an error removing the store | Review ScanState log or LoadState log for details about command-line errors. | - -- **36: USMT_ERROR_UNSUPPORTED_PLATFORM** - - | Error message | Troubleshooting, mitigation, workarounds | - | --- | --- | - | Compliance check failure; please check the logs for details | Investigate whether there is an active temporary profile on the system.

    Category: Setup and Initialization | - | Use of /offline is not supported during apply | The **/offline** command was not used while running in the Windows Preinstallation Environment (WinPE). | - | Use /offline to run gather on this platform | The **/offline** command was not used while running in WinPE. | - -- **37: USMT_ERROR_NO_INVALID_KEY** - - **Error message**: The store holds encrypted data but the correct encryption key was not provided - - **Troubleshooting, mitigation, workarounds**: Verify that you have included the correct encryption /key or /keyfile. - - **Category**: Setup and Initialization - -- **38: USMT_ERROR_CORRUPTED_NOTENCRYPTED_STORE** - - **Error message**: An error occurred during store access - - **Troubleshooting, mitigation, workarounds**: Review ScanState log or LoadState log for details about command-line errors. Make sure that the store path is accessible and that the proper permission levels are set. - - **Category**: Setup and Initialization - -- **39: USMT_UNABLE_TO_READ_CONFIG_FILE** - - | Error message | Troubleshooting, mitigation, workarounds | - | --- | --- | - | Error reading Config.xml | Review ScanState log or LoadState log for details about command-line errors in the Config.xml file.

    Category: Setup and Initialization | - | File argument is invalid for /config | Check the command line you used to load the Config.xml file. You can use online Help by typing /? on the command line. | - -- **40: USMT_ERROR_UNABLE_CREATE_PROGRESS_LOG** - - | Error message | Troubleshooting, mitigation, workarounds | - | --- | --- | - | Error writing to the progress log | The Progress log could not be created. Verify that the location is valid and that you have write access.

    Category: Setup and Initialization | - | Progress log argument is invalid for /progress | The Progress log could not be created. Verify that the location is valid and that you have write access. | - -- **41: USMT_PREFLIGHT_FILE_CREATION_FAILED** - - | Error message | Troubleshooting, mitigation, workarounds | - | --- | --- | - | Can't overwrite existing file | The Progress log could not be created. Verify that the location is valid and that you have write access.

    Category: Setup and Initialization | - | Invalid space estimate path. Check the parameters and/or file system permissions | Review ScanState log or LoadState log for details about command-line errors. | - -- **42: USMT_ERROR_CORRUPTED_STORE** - - **Error message**: The store contains one or more corrupted files - - **Troubleshooting, mitigation, workarounds**: Review UsmtUtils log for details about the corrupted files. For information on how to extract the files that are not corrupted, see [Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md). - -- **61: USMT_MIGRATION_STOPPED_NONFATAL** - - **Error message**: Processing stopped due to an I/O error - - **Troubleshooting, mitigation, workarounds**: USMT exited but can continue with the /c command-line option, with the optional configurable <ErrorControl> section or by using the /vsc command-line option. - - **Category**: Non-fatal Errors - -- **71: USMT_INIT_OPERATING_ENVIRONMENT_FAILED** - - | Error message | Troubleshooting, mitigation, workarounds | - | --- | --- | - | A Windows Win32 API error occurred | Data transfer has begun, and there was an error during the creation of migration store or during the apply phase. Review the ScanState log or LoadState log for details.

    Category: Fatal Errors | - | An error occurred when attempting to initialize the diagnostic mechanisms such as the log | Data transfer has begun, and there was an error during the creation of migration store or during the apply phase. Review the ScanState log or LoadState log for details. | - | Failed to record diagnostic information | Data transfer has begun, and there was an error during the creation of migration store or during the apply phase. Review the ScanState log or LoadState log for details. | - | Unable to start. Make sure you are running USMT with elevated privileges | Exit USMT and log in again with elevated privileges. | - -- **72: USMT_UNABLE_DOMIGRATION** - - | Error message | Troubleshooting, mitigation, workarounds | - | --- | --- | - | An error occurred closing the store | Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details.

    Category: Fatal Errors| - | An error occurred in the apply process | Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details. | - | An error occurred in the gather process | Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details. | - | Out of disk space while writing the store | Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details. | - | Out of temporary disk space on the local system | Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details. | - -## Related topics - -[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md) - -[Log Files](usmt-log-files.md) diff --git a/windows/deployment/usmt/usmt-scanstate-syntax.md b/windows/deployment/usmt/usmt-scanstate-syntax.md index 88a99b7a43..14b65a281f 100644 --- a/windows/deployment/usmt/usmt-scanstate-syntax.md +++ b/windows/deployment/usmt/usmt-scanstate-syntax.md @@ -2,163 +2,147 @@ title: ScanState Syntax (Windows 10) description: The ScanState command is used with the User State Migration Tool (USMT) 10.0 to scan the source computer, collect the files and settings, and create a store. ms.reviewer: -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski -ms.date: 04/19/2017 +author: frankroj +ms.date: 11/01/2022 ms.topic: article ms.technology: itpro-deploy --- -# ScanState Syntax +# ScanState syntax -The ScanState command is used with the User State Migration Tool (USMT) 10.0 to scan the source computer, collect the files and settings, and create a store. +The `ScanState.exe` command is used with the User State Migration Tool (USMT) 10.0 to scan the source computer, collect the files and settings, and create a store. This article discusses the `ScanState.exe` command syntax and the options available with it. -## In This Topic +## Before you begin -[Before You Begin](#bkmk-beforeyoubegin) +Before you run the `ScanState.exe` command, note the items: -[Syntax](#bkmk-syntax) +- To ensure that all operating system settings migrate, in most cases you must run the `ScanState.exe` commands in administrator mode from an account with administrative credentials. -[Storage Options](#bkmk-storageoptions) +- If you encrypt the migration store, you'll be required to enter an encryption key or a path to a file containing the encryption key. Be sure to make note of the key or the key file location, because this information isn't kept anywhere in the migration store. You'll need this information when you run the `LoadState.exe` command to decrypt the migration store, or if you need to run the recovery utility. An incorrect or missing key or key file results in an error message. -[Migration Rule Options](#bkmk-migrationruleoptions) +- For information about software requirements for running the `ScanState.exe` command, see [USMT requirements](usmt-requirements.md). -[Monitoring Options](#bkmk-monitoringoptions) +- Unless otherwise noted, you can use each option only once when running a tool on the command line. -[User Options](#bkmk-useroptions) +- You can gather domain accounts without the source computer having domain controller access. This functionality is available without any extra configuration. -[Encrypted File Options](#bkmk-efs) +- The [Incompatible command-line options](#incompatible-command-line-options) table lists which options you can use together and which command-line options are incompatible. -[Incompatible Command-Line Options](#bkmk-iclo) +- The directory location where you save the migration store will be excluded from the scan. For example, if you save the migration store to the root of the D drive, the D drive and all of its subdirectories will be excluded from the scan. -## Before You Begin +## Syntax -Before you run the **ScanState** command, note the following: +This section explains the syntax and usage of the command-line options available when you use the `ScanState.exe` command. The options can be specified in any order. If the option contains a parameter, you can use either a colon or a space separator. -- To ensure that all operating system settings migrate, in most cases you must run the **ScanState** commands in administrator mode from an account with administrative credentials. +The `ScanState.exe` command's syntax is: -- If you encrypt the migration store, you will be required to enter an encryption key or a path to a file containing the encryption key. Be sure to make note of the key or the key file location, because this information is not kept anywhere in the migration store. You will need this information when you run the LoadState command to decrypt the migration store, or if you need to run the recovery utility. An incorrect or missing key or key file results in an error message. +> ScanState.exe \[*StorePath*\] \[/apps\] \[/ppkg:*FileName*\] \[/i:\[*Path*\\\]*FileName*\] \[/o\] \[/v:*VerbosityLevel*\] \[/nocompress\] \[/localonly\] \[/encrypt /key:*KeyString*|/keyfile:\[Path\\\]*FileName*\] \[/l:\[*Path*\\\]*FileName*\] \[/progress:\[*Path*\\\]*FileName*\] \[/r:*TimesToRetry*\] \[/w:*SecondsBeforeRetry*\] \[/c\] \[/p\] \[/all\] \[/ui:\[*DomainName*|*ComputerName*\\\]*UserName*\] \[/ue:\[*DomainName*|*ComputerName*\\\]*UserName*\] \[/uel:*NumberOfDays*|*YYYY/MM/DD*|0\] \[/efs:abort|skip|decryptcopy|copyraw\] \[/genconfig:\[*Path*\\\]*FileName*\[/config:\[*Path*\\\]*FileName*\] \[/?|help\] -- For information about software requirements for running the **ScanState** command, see [USMT Requirements](usmt-requirements.md). +For example, to create a `Config.xml` file in the current directory, use: -- Unless otherwise noted, you can use each option only once when running a tool on the command line. +```cmd +ScanState.exe /i:MigApp.xml /i:MigDocs.xml /genconfig:Config.xml /v:13 +``` -- You can gather domain accounts without the source computer having domain controller access. This functionality is available without any extra configuration. +To create an encrypted store using the `Config.xml` file and the default migration .xml files, use: -- The [Incompatible Command-Line Options](#bkmk-iclo) table lists which options you can use together and which command-line options are incompatible. +`ScanState.exe \\server\share\migration\mystore /i:MigApp.xml /i:MigDocs.xml /o /config:Config.xml /v:13 /encrypt /key:"mykey"` -- The directory location where you save the migration store will be excluded from the scan. For example, if you save the migration store to the root of the D drive, the D drive and all of its subdirectories will be excluded from the scan. - -## Syntax - -This section explains the syntax and usage of the **ScanState** command-line options. The options can be specified in any order. If the option contains a parameter, you can use either a colon or a space separator. - -The **ScanState** command's syntax is: - -> scanstate \[*StorePath*\] \[/apps\] \[/ppkg:*FileName*\] \[/i:\[*Path*\\\]*FileName*\] \[/o\] \[/v:*VerbosityLevel*\] \[/nocompress\] \[/localonly\] \[/encrypt /key:*KeyString*|/keyfile:\[Path\\\]*FileName*\] \[/l:\[*Path*\\\]*FileName*\] \[/progress:\[*Path*\\\]*FileName*\] \[/r:*TimesToRetry*\] \[/w:*SecondsBeforeRetry*\] \[/c\] \[/p\] \[/all\] \[/ui:\[*DomainName*|*ComputerName*\\\]*UserName*\] \[/ue:\[*DomainName*|*ComputerName*\\\]*UserName*\] \[/uel:*NumberOfDays*|*YYYY/MM/DD*|0\] \[/efs:abort|skip|decryptcopy|copyraw\] \[/genconfig:\[*Path*\\\]*FileName*\[/config:\[*Path*\\\]*FileName*\] \[/?|help\] - -For example, to create a Config.xml file in the current directory, use: - -`scanstate /i:migapp.xml /i:migdocs.xml /genconfig:config.xml /v:13` - -To create an encrypted store using the Config.xml file and the default migration .xml files, use: - -`scanstate \\server\share\migration\mystore /i:migapp.xml /i:migdocs.xml /o /config:config.xml /v:13 /encrypt /key:"mykey"` - -## Storage Options +## Storage options | Command-Line Option | Description | |-----|-----| -| *StorePath* | Indicates a folder where files and settings will be saved. Note that *StorePath* cannot be **C:\**. You must specify the *StorePath* option in the **ScanState** command, except when using the **/genconfig** option. You cannot specify more than one *StorePath* location. | +| *StorePath* | Indicates a folder where files and settings will be saved. *StorePath* can't be `C:\`. You must specify the *StorePath* option in the `ScanState.exe` command, except when using the `/genconfig` option. You can't specify more than one *StorePath* location. | | **/apps** | Scans the image for apps and includes them and their associated registry settings. | | **/ppkg** [*<FileName>*] | Exports to a specific file location. | -| **/o** | Required to overwrite any existing data in the migration store or Config.xml file. If not specified, the **ScanState** command will fail if the migration store already contains data. You cannot use this option more than once on a command line. | -| **/vsc** | This option enables the volume shadow-copy service to migrate files that are locked or in use. This command-line option eliminates most file-locking errors that are typically encountered by the **<ErrorControl>** section.

    This option can be used only with the ScanState executable file and cannot be combined with the **/hardlink** option. | -| **/hardlink** | Enables the creation of a hard-link migration store at the specified location. The **/nocompress** option must be specified with the **/hardlink** option. | -| **/encrypt** [{**/key:** *<KeyString>* | **/keyfile**:*<file>*]} | Encrypts the store with the specified key. Encryption is disabled by default. With this option, you will need to specify the encryption key-in one of the following ways:
    • **/key:** *KeyString* specifies the encryption key. If there is a space in *KeyString*, you will need to surround *KeyString* with quotation marks.
    • **/keyfile:** *FilePathAndName* specifies a text (.txt) file that contains the encryption key.

    We recommend that *KeyString* be at least eight characters long, but it cannot exceed 256 characters. The **/key** and **/keyfile** options cannot be used on the same command line. The **/encrypt** and **/nocompress** options cannot be used on the same command line.
    **Important**
    You should use caution with this option, because anyone who has access to the **ScanState** command-line script will also have access to the encryption key.

    The following example shows the ScanState command and the **/key** option:
    `scanstate /i:migdocs.xml /i:migapp.xml \server\share\migration\mystore /encrypt /key:mykey` | -| **/encrypt**:*<EncryptionStrength>* | The **/encrypt** option accepts a command-line parameter to define the encryption strength to be used for encryption of the migration store. For more information about supported encryption algorithms, see [Migration Store Encryption](usmt-migration-store-encryption.md). | -| **/nocompress** | Disables compression of data and saves the files to a hidden folder named "File" at *StorePath*\USMT. Compression is enabled by default. Combining the **/nocompress** option with the **/hardlink** option generates a hard-link migration store. You can use the uncompressed store to view what USMT stored, troubleshoot a problem, or run an antivirus utility against the files. You should use this option only in testing environments, because we recommend that you use a compressed store during your actual migration, unless you are combining the **/nocompress** option with the **/hardlink** option.

    The **/nocompress** and **/encrypt** options cannot be used together in one statement on the command line. However, if you do choose to migrate an uncompressed store, the **LoadState** command will migrate each file directly from the store to the correct location on the destination computer without a temporary location.

    For example:
    `scanstate /i:migdocs.xml /i:migapp.xml \server\share\migration\mystore /nocompress` | +| **/o** | Required to overwrite any existing data in the migration store or `Config.xml` file. If not specified, the `ScanState.exe` command will fail if the migration store already contains data. You can't use this option more than once on a command line. | +| **/vsc** | This option enables the volume shadow-copy service to migrate files that are locked or in use. This command-line option eliminates most file-locking errors that are typically encountered by the **<ErrorControl>** section.

    This option is only used with the **ScanState** executable file and can't be combined with the `/hardlink` option. | +| **/hardlink** | Enables the creation of a hard-link migration store at the specified location. The `/nocompress` option must be specified with the `/hardlink` option. | +| **/encrypt** [{**/key:** *<KeyString>* | **/keyfile**:*<file>*]} | Encrypts the store with the specified key. Encryption is disabled by default. With this option, you'll need to specify the encryption key-in one of the following ways:
    • `/key`: *KeyString* specifies the encryption key. If there's a space in *KeyString*, you'll need to surround *KeyString* with quotation marks (`"`).
    • `/keyfile`: *FilePathAndName* specifies a text (`.txt`) file that contains the encryption key.

    *KeyString* is recommended to be at least eight characters long, but it can't exceed 256 characters. The `/key` and `/keyfile` options can't be used on the same command line. The `/encrypt` and `/nocompress` options can't be used on the same command line.
    **Important**
    Use caution when using the `/key` or `keyfile` options. For example, anyone who has access to scripts that run the `ScanState.exe` command with these options will also have access to the encryption key.

    The following example shows the `ScanState.exe` command and the `/key` option:
    `ScanState.exe /i:MigDocs.xml /i:MigApp.xml \server\share\migration\mystore /encrypt /key:mykey` | +| **/encrypt**:*<EncryptionStrength>* | The `/encrypt` option accepts a command-line parameter to define the encryption strength to be used for encryption of the migration store. For more information about supported encryption algorithms, see [Migration Store Encryption](usmt-migration-store-encryption.md). | +| **/nocompress** | Disables compression of data and saves the files to a hidden folder named "File" at *StorePath*\USMT. Compression is enabled by default. Combining the `/nocompress` option with the `/hardlink` option generates a hard-link migration store. You can use the uncompressed store to view what USMT stored, troubleshoot a problem, or run an antivirus utility against the files. You should use this option only in testing environments, because we recommend that you use a compressed store during your actual migration, unless you're combining the `/nocompress` option with the `/hardlink` option.

    The `/nocompress` and `/encrypt` options can't be used together in one statement on the command line. However, if you do choose to migrate an uncompressed store, the `LoadState.exe` command will migrate each file directly from the store to the correct location on the destination computer without a temporary location.

    For example:
    `ScanState.exe /i:MigDocs.xml /i:MigApp.xml \server\share\migration\mystore /nocompress` | -## Run the ScanState Command on an Offline Windows System +## Run the ScanState command on an offline Windows system -You can run the **ScanState** command in Windows Preinstallation Environment (WinPE). In addition, USMT supports migrations from previous installations of Windows contained in Windows.old directories. The offline directory can be a Windows directory when you run the **ScanState** command in WinPE or a Windows.old directory when you run the **ScanState** command in Windows. +You can run the `ScanState.exe` command in Windows Preinstallation Environment (WinPE). In addition, USMT supports migrations from previous installations of Windows contained in Windows.old directories. The offline directory can be a Windows directory when you run the `ScanState.exe` command in WinPE or a Windows.old directory when you run the `ScanState.exe` command in Windows. -There are several benefits to running the **ScanState** command on an offline Windows image, including: +There are several benefits to running the `ScanState.exe` command on an offline Windows image, including: -- **Improved Performance.** +- **Improved performance.** - Because WinPE is a thin operating system, there are fewer running services. In this environment, the **ScanState** command has more access to the local hardware resources, enabling **ScanState** to perform migration operations more quickly. + Because WinPE is a thin operating system, there are fewer running services. In this environment, the `ScanState.exe` command has more access to the local hardware resources, enabling **ScanState** to perform migration operations more quickly. -- **Simplified end to end deployment process.** +- **Simplified end to end deployment process.** Migrating data from Windows.old simplifies the end-to-end deployment process by enabling the migration process to occur after the new operating system is installed. -- **Improved success of migration.** +- **Improved success of migration.** - The migration success rate is increased because files will not be locked for editing while offline, and because WinPE provides administrator access to files in the offline Windows file system, eliminating the need for administrator-level access to the online system. + The migration success rate is increased because files won't be locked for editing while offline, and because WinPE provides administrator access to files in the offline Windows file system, eliminating the need for administrator-level access to the online system. -- **Ability to recover an unbootable computer.** +- **Ability to recover an unbootable computer.** It might be possible to recover and migrate data from an unbootable computer. -## Offline Migration Options +## Offline migration options |Command-Line Option|Definition| |--- |--- | -|**/offline:** *"path to an offline.xml file"*|This option is used to define a path to an offline .xml file that might specify other offline migration options, for example, an offline Windows directory or any domain or folder redirection required in your migration.| -|**/offlinewindir:** *"path to a Windows directory"*|This option specifies the offline Windows directory that the **ScanState** command gathers user state from. The offline directory can be Windows.old when you run the **ScanState** command in Windows or a Windows directory when you run the **ScanState** command in WinPE.| -|**/offlinewinold:** *"Windows.old directory"*|This command-line option enables the offline migration mode and starts the migration from the location specified. It is only intended to be used in Windows.old migration scenarios, where the migration is occurring from a Windows.old directory.| +|**/offline:** *"path to an Offline.xml file"*|This option is used to define a path to an offline .xml file that might specify other offline migration options, for example, an offline Windows directory or any domain or folder redirection required in your migration.| +|**/offlinewindir:** *"path to a Windows directory"*|This option specifies the offline Windows directory that the `ScanState.exe` command gathers user state from. The offline directory can be Windows.old when you run the `ScanState.exe` command in Windows or a Windows directory when you run the `ScanState.exe` command in WinPE.| +|**/offlinewinold:** *"Windows.old directory"*|This command-line option enables the offline migration mode and starts the migration from the location specified. It's only intended to be used in Windows.old migration scenarios, where the migration is occurring from a Windows.old directory.| -## Migration Rule Options +## Migration rule options USMT provides the following options to specify what files you want to migrate. | Command-Line Option | Description | |-----|-----| -| **/i:**[*Path*]*FileName* | **(include)**

    Specifies an .xml file that contains rules that define what user, application, or system state to migrate. You can specify this option multiple times to include all of your .xml files (MigApp.xml, MigDocs.xml, and any custom .xml files that you create). *Path* can be either a relative or full path. If you do not specify the *Path* variable, then *FileName* must be located in the current directory. For more information about which files to specify, see the "XML Files" section of the [Frequently Asked Questions](usmt-faq.yml) topic. | -| **/genconfig:**[*Path*]*FileName* | (Generate **Config.xml**)

    Generates the optional Config.xml file, but does not create a migration store. To ensure that this file contains every component, application and setting that can be migrated, you should create this file on a source computer that contains all the components, applications, and settings that will be present on the destination computers. In addition, you should specify the other migration .xml files, using the **/i** option, when you specify this option.

    After you create this file, you will need to make use of it with the **ScanState** command using the **/config** option.

    The only options that you can specify with this option are the **/i**, **/v**, and **/l** options. You cannot specify *StorePath*, because the **/genconfig** option does not create a store. *Path* can be either a relative or full path. If you do not specify the *Path* variable, then *FileName* will be created in the current directory.

    Examples:
    • The following example creates a Config.xml file in the current directory:
      `scanstate /i:migapp.xml /i:migdocs.xml /genconfig:config.xml /v:13`
    | -| **/config:**[*Path*]*FileName* | Specifies the Config.xml file that the **ScanState** command should use to create the store. You cannot use this option more than once on the command line. *Path* can be either a relative or full path. If you do not specify the *Path* variable, then *FileName* must be located in the current directory.

    The following example creates a store using the Config.xml file, MigDocs.xml, and MigApp.xml files:
    `scanstate \server\share\migration\mystore /config:config.xml /i:migdocs.xml /i:migapp.xml /v:13 /l:scan.log`

    The following example migrates the files and settings to the destination computer using the **Config.xml**, **MigDocs.xml**, and **MigApp.xml** files:
    `loadstate \server\share\migration\mystore /config:config.xml /i:migdocs.xml /i:migapp.xml /v:13 /l:load.log` | -| **/auto:** *path to script files* | This option enables you to specify the location of the default .xml files and then begin the migration. If no path is specified, USMT will reference the directory where the USMT binaries are located. The **/auto** option has the same effect as using the following options: **/i: MigDocs.xml** **/i:MigApp.xml /v:5**. | -| **/genmigxml:** *path to a file* | This option specifies that the **ScanState** command should use the document finder to create and export an .xml file that defines how to migrate all of the files on the computer on which the **ScanState** command is running. | -| **/targetwindows8** | Optimizes Scanstate.exe when using USMT 10.0 to migrate a user state to Windows 8 or Windows 8.1 instead of Windows 10. You should use this command-line option in the following scenarios:
    • **To create a Config.xml file by using the /genconfig option.** Using the **/targetwindows8** option optimizes the Config.xml file so that it only contains components that relate to Windows 8 or Windows 8.1.
    • **To create a migration store.** Using the **/targetwindows8** option ensures that the ScanState tool gathers the correct set of operating system settings. Without the **/targetwindows8** command-line option, some settings can be lost during the migration.
    | -| **/targetwindows7** | Optimizes Scanstate.exe when using USMT 10.0 to migrate a user state to Windows 7 instead of Windows 10. You should use this command-line option in the following scenarios:
    • **To create a Config.xml file by using the /genconfig option.** Using the **/targetwindows7** option optimizes the Config.xml file so that it only contains components that relate to Windows 7.
    • **To create a migration store.** Using the **/targetwindows7** option ensures that the ScanState tool gathers the correct set of operating system settings. Without the **/targetwindows7** command-line option, some settings can be lost during the migration.
    | -| **/localonly** | Migrates only files that are stored on the local computer, regardless of the rules in the .xml files that you specify on the command line. You should use this option when you want to exclude the data from removable drives on the source computer, such as USB flash drives (UFDs), some external hard drives, and so on, and when there are network drives mapped on the source computer. If the **/localonly** option is not specified, then the **ScanState** command will copy files from these removable or network drives into the store.

    Anything that is not considered a fixed drive by the OS will be excluded by **/localonly**. In some cases large external hard drives are considered fixed drives. These drives can be explicitly excluded from migration by using a custom.xml file. For more information about how to exclude all files on a specific drive, see [Exclude Files and Settings](usmt-exclude-files-and-settings.md).

    The **/localonly** command-line option includes or excludes data in the migration as identified in the following:
    • **Removable drives such as a USB flash drive** - Excluded
    • **Network drives** - Excluded
    • **Fixed drives** - Included
    | +| **/i:**[*Path*]*FileName* | **(include)**

    Specifies an .xml file that contains rules that define what user, application, or system state to migrate. You can specify this option multiple times to include all of your .xml files (`MigApp.xml`, `MigDocs.xml`, and any custom .xml files that you create). *Path* can be either a relative or full path. If you don't specify the *Path* variable, then *FileName* must be located in the current directory. For more information about which files to specify, see the "XML Files" section of the [Frequently asked questions](usmt-faq.yml) article. | +| **/genconfig:**[*Path*]*FileName* | (Generate **Config.xml**)

    Generates the optional `Config.xml` file, but doesn't create a migration store. To ensure that this file contains every component, application and setting that can be migrated, you should create this file on a source computer that contains all the components, applications, and settings that will be present on the destination computers. In addition, you should specify the other migration .xml files, using the **/i** option, when you specify this option.

    After you create this file, you'll need to make use of it with the `ScanState.exe` command using the **/config** option.

    The only options that you can specify with this option are the `/i`, `/v`, and `/l` options. You can't specify *StorePath*, because the `/genconfig` option doesn't create a store. *Path* can be either a relative or full path. If you don't specify the *Path* variable, then *FileName* will be created in the current directory.

    Examples:
    • The following example creates a `Config.xml` file in the current directory:
      `ScanState.exe /i:MigApp.xml /i:MigDocs.xml /genconfig:Config.xml /v:13`
    | +| **/config:**[*Path*]*FileName* | Specifies the `Config.xml` file that the `ScanState.exe` command should use to create the store. You can't use this option more than once on the command line. *Path* can be either a relative or full path. If you don't specify the *Path* variable, then *FileName* must be located in the current directory.

    The following example creates a store using the `Config.xml` file, `MigDocs.xml`, and `MigApp.xml` files:
    `ScanState.exe \server\share\migration\mystore /config:Config.xml /i:MigDocs.xml /i:MigApp.xml /v:13 /l:ScanState.log`

    The following example migrates the files and settings to the destination computer using the `Config.xml`, `MigDocs.xml`, and `MigApp.xml` files:
    `LoadState.exe \server\share\migration\mystore /config:Config.xml /i:MigDocs.xml /i:MigApp.xml /v:13 /l:LoadState.log` | +| **/auto:** *path to script files* | This option enables you to specify the location of the default .xml files and then begin the migration. If no path is specified, USMT will reference the directory where the USMT binaries are located. The `/auto` option has the same effect as using the following options: `/i: MigDocs.xml /i:MigApp.xml /v:5`. | +| **/genmigxml:** *path to a file* | This option specifies that the `ScanState.exe` command should use the document finder to create and export an .xml file that defines how to migrate all of the files on the computer on which the `ScanState.exe` command is running. | +| **/targetwindows8** | Optimizes `ScanState.exe` when using USMT 10.0 to migrate a user state to Windows 8 or Windows 8.1 instead of Windows 10. You should use this command-line option in the following scenarios:
    • **To create a `Config.xml` file by using the `/genconfig` option.** Using the `/targetwindows8` option optimizes the `Config.xml` file so that it only contains components that relate to Windows 8 or Windows 8.1.
    • **To create a migration store.** Using the `/targetwindows8` option ensures that the **ScanState** tool gathers the correct set of operating system settings. Without the `/targetwindows8` command-line option, some settings can be lost during the migration.
    | +| **/targetwindows7** | Optimizes `ScanState.exe` when using USMT 10.0 to migrate a user state to Windows 7 instead of Windows 10. You should use this command-line option in the following scenarios:
    • **To create a `Config.xml` file by using the `/genconfig` option.** Using the **/targetwindows7** option optimizes the `Config.xml` file so that it only contains components that relate to Windows 7.
    • **To create a migration store.** Using the `/targetwindows7` option ensures that the **ScanState** tool gathers the correct set of operating system settings. Without the `/targetwindows7` command-line option, some settings can be lost during the migration.
    | +| **/localonly** | Migrates only files that are stored on the local computer, regardless of the rules in the .xml files that you specify on the command line. You should use this option when you want to exclude the data from removable drives on the source computer, such as USB flash drives (UFDs), some external hard drives, and so on, and when there are network drives mapped on the source computer. If the `/localonly` option isn't specified, then the `ScanState.exe` command will copy files from these removable or network drives into the store.

    Anything that isn't considered a fixed drive by the OS will be excluded by `/localonly`. In some cases, large external hard drives are considered fixed drives. These drives can be explicitly excluded from migration by using a custom .xml file. For more information about how to exclude all files on a specific drive, see [Exclude files and settings](usmt-exclude-files-and-settings.md).

    The `/localonly` command-line option includes or excludes data in the migration as identified in the following storage locations:
    • **Removable drives such as a USB flash drive** - Excluded
    • **Network drives** - Excluded
    • **Fixed drives** - Included
    | -## Monitoring Options +## Monitoring options USMT provides several options that you can use to analyze problems that occur during migration. > [!NOTE] -> The ScanState log is created by default, but you can specify the name and location of the log with the **/l** option. +> The **ScanState** log is created by default, but you can specify the name and location of the log with the **/l** option. | Command-Line Option | Description | |-----|-----| -| **/listfiles**:<FileName> | You can use the **/listfiles** command-line option with the **ScanState** command to generate a text file that lists all of the files included in the migration. | -| **/l:**[*Path*]*FileName* | Specifies the location and name of the ScanState log.

    You cannot store any of the log files in *StorePath*. *Path* can be either a relative or full path. If you do not specify the *Path* variable, then the log will be created in the current directory. You can use the **/v** option to adjust the amount of output.

    If you run the **ScanState** or **LoadState** commands from a shared network resource, you must specify this option or USMT will fail with the following error: "USMT was unable to create the log file(s)". To fix this issue, use the /**l: scan.log** command. | -| **/v:***<VerbosityLevel>* | **(Verbosity)**

    Enables verbose output in the ScanState log file. The default value is 0.

    You can set the *VerbosityLevel* to one of the following levels:
    • **0** - Only the default errors and warnings are enabled.
    • **1** - Enables verbose output.
    • **4** - Enables error and status output.
    • **5** - Enables verbose and status output.
    • **8** - Enables error output to a debugger.
    • **9** - Enables verbose output to a debugger.
    • **12** - Enables error and status output to a debugger.
    • **13** - Enables verbose, status, and debugger output.

    For example:
    `scanstate \server\share\migration\mystore /v:13 /i:migdocs.xml /i:migapp.xml`| -| /**progress**:[*Path*]*FileName* | Creates the optional progress log. You cannot store any of the log files in *StorePath*. *Path* can be either a relative or full path. If you do not specify the *Path* variable, then *FileName* will be created in the current directory.

    For example:
    `scanstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore /progress:prog.log /l:scanlog.log` | -| **/c** | When this option is specified, the **ScanState** command will continue to run, even if non-fatal errors occur. Any files or settings that cause an error are logged in the progress log. For example, if there is a large file that will not fit in the store, the **ScanState** command will log an error and continue with the migration. In addition, if a file is open or in use by an application, USMT may not be able to migrate the file and will log an error. Without the **/c** option, the **ScanState** command will exit on the first error.

    You can use the new <**ErrorControl**> section in the Config.xml file to specify which file or registry read/write errors can be safely ignored and which might cause the migration to fail. This advantage in the Config.xml file enables the /**c** command-line option to safely skip all input/output (I/O) errors in your environment. In addition, the /**genconfig** option now generates a sample <**ErrorControl**> section that is enabled by specifying error messages and desired behaviors in the Config.xml file. | -| **/r:***<TimesToRetry>* | **(Retry)**

    Specifies the number of times to retry when an error occurs while saving the user state to a server. The default is three times. This option is useful in environments where network connectivity is not reliable.

    While storing the user state, the **/r** option will not be able to recover data that is lost due to a network-hardware failure, such as a faulty or disconnected network cable, or when a virtual private network (VPN) connection fails. The retry option is intended for large, busy networks where connectivity is satisfactory, but communication latency is a problem. | +| **/listfiles**:<FileName> | You can use the `/listfiles` command-line option with the `ScanState.exe` command to generate a text file that lists all of the files included in the migration. | +| **/l:**[*Path*]*FileName* | Specifies the location and name of the **ScanState** log.

    You can't store any of the log files in *StorePath*. *Path* can be either a relative or full path. If you don't specify the *Path* variable, then the log will be created in the current directory. You can use the `/v` option to adjust the amount of output.

    If you run the `ScanState.exe` command from a shared network resource, you must specify the `/l` option, or USMT will fail with the following error:

    ***USMT was unable to create the log file(s)***

    To fix this issue, make sure to specify the `/l` option when running `ScanState.exe` from a shared network resource. | +| **/v:***<VerbosityLevel>* | **(Verbosity)**

    Enables verbose output in the **ScanState** log file. The default value is 0.

    You can set the *VerbosityLevel* to one of the following levels:
    • **0** - Only the default errors and warnings are enabled.
    • **1** - Enables verbose output.
    • **4** - Enables error and status output.
    • **5** - Enables verbose and status output.
    • **8** - Enables error output to a debugger.
    • **9** - Enables verbose output to a debugger.
    • **12** - Enables error and status output to a debugger.
    • **13** - Enables verbose, status, and debugger output.

    For example:
    `ScanState.exe \server\share\migration\mystore /v:13 /i:MigDocs.xml /i:MigApp.xml`| +| **/progress**:[*Path*]*FileName* | Creates the optional progress log. You can't store any of the log files in *StorePath*. *Path* can be either a relative or full path. If you don't specify the *Path* variable, then *FileName* will be created in the current directory.

    For example:
    `ScanState.exe /i:MigApp.xml /i:MigDocs.xml \server\share\migration\mystore /progress:Progress.log /l:scanlog.log` | +| **/c** | When this option is specified, the `ScanState.exe` command will continue to run, even if non-fatal errors occur. Any files or settings that cause an error are logged in the progress log. For example, if there's a large file that won't fit in the store, the `ScanState.exe` command will log an error and continue with the migration. In addition, if a file is open or in use by an application, USMT may not be able to migrate the file and will log an error. Without the `/c` option, the `ScanState.exe` command will exit on the first error.

    You can use the new <**ErrorControl**> section in the `Config.xml` file to specify which file or registry read/write errors can be safely ignored and which might cause the migration to fail. This advantage in the `Config.xml` file enables the `/c` command-line option to safely skip all input/output (I/O) errors in your environment. In addition, the /`genconfig` option now generates a sample <**ErrorControl**> section that is enabled by specifying error messages and desired behaviors in the `Config.xml` file. | +| **/r:***<TimesToRetry>* | **(Retry)**

    Specifies the number of times to retry when an error occurs while saving the user state to a server. The default is three times. This option is useful in environments where network connectivity isn't reliable.

    While storing the user state, the `/r` option won't be able to recover data that is lost due to a network-hardware failure, such as a faulty or disconnected network cable, or when a virtual private network (VPN) connection fails. The retry option is intended for large, busy networks where connectivity is satisfactory, but communication latency is a problem. | | **/w:***<SecondsBeforeRetry>* | **(Wait)**

    Specifies the time to wait, in seconds, before retrying a network file operation. The default is 1 second. | -| **/p:***<pathToFile>* | When the **ScanState** command runs, it will create an .xml file in the path specified. This .xml file includes improved space estimations for the migration store. The following example shows how to create this .xml file:
    `Scanstate.exe C:\MigrationLocation [additional parameters]`
    `/p:"C:\MigrationStoreSize.xml"`

    For more information, see [Estimate Migration Store Size](usmt-estimate-migration-store-size.md).

    To preserve the functionality of existing applications or scripts that require the previous behavior of USMT, you can use the **/p** option, without specifying *"pathtoafile"*, in USMT. If you specify only the **/p** option, the storage space estimations are created in the same manner as with USMT3.x releases. | -| /**?** or /**help** | Displays Help at the command line. | +| **/p:***<pathToFile>* | When the `ScanState.exe` command runs, it will create an .xml file in the path specified. This .xml file includes improved space estimations for the migration store. The following example shows how to create this .xml file:
    `ScanState.exe C:\MigrationLocation [additional parameters]`
    `/p:"C:\MigrationStoreSize.xml"`

    For more information, see [Estimate Migration Store Size](usmt-estimate-migration-store-size.md).

    To preserve the functionality of existing applications or scripts that require the previous behavior of USMT, you can use the `/p` option, without specifying *"pathtoafile"*, in USMT. If you specify only the `/p` option, the storage space estimations are created in the same manner as with USMT3.x releases. | +| **/?** or **/help** | Displays Help at the command line. | -## User Options +## User options -By default, all users are migrated. The only way to specify which users to include and exclude is by using the following options. You cannot exclude users in the migration .xml files or using the Config.xml file. For more information, see [Identify Users](usmt-identify-users.md) and [Migrate User Accounts](usmt-migrate-user-accounts.md). +By default, all users are migrated. The only way to specify which users to include and exclude is by using the following options. You can't exclude users in the migration .xml files or using the `Config.xml` file. For more information, see [Identify users](usmt-identify-users.md) and [Migrate user accounts](usmt-migrate-user-accounts.md). | Command-Line Option | Description | |-----|-----| -| /**all** | Migrates all of the users on the computer.

    USMT migrates all user accounts on the computer, unless you specifically exclude an account with either the /**ue** or /**uel** options. For this reason, you do not need to specify this option on the command line. However, if you choose to specify the /**all** option, you cannot also use the /**ui**, /**ue** or /**uel** options. | -| /**ui**:*<DomainName>*\*<UserName>*
    or
    /**ui**:*<ComputerName>*\*<LocalUserName>* | **(User include)**

    Migrates the specified users. By default, all users are included in the migration. Therefore, this option is helpful only when used with the /**ue** or /**uel** options. You can specify multiple /**ui** options, but you cannot use the /**ui** option with the /**all** option. *DomainName* and *UserName* can contain the asterisk () wildcard character. When you specify a user name that contains spaces, you will need to surround it with quotation marks.
    **Note**
    If a user is specified for inclusion with the /**ui** option, and also is specified to be excluded with either the /**ue** or /**uel** options, the user will be included in the migration.

    For example:
    • To include only User2 from the Fabrikam domain, type:
      `/ue:*\* /ui:fabrikam\user2`
    • To migrate all users from the Fabrikam domain, and only the user accounts from other domains that have been active or otherwise modified in the last 30 days, type:
      `/uel:30 /ui:fabrikam\*`
      In this example, a user account from the Contoso domain that was last modified two months ago will not be migrated.

    For more examples, see the descriptions of the /**ue** and /**ui** options in this table. | -| /**uel**:*<NumberOfDays>*
    or
    /**uel**:*<YYYY/MM/DD>*
    or
    **/uel:0** | **(User exclude based on last logon)**

    Migrates the users that logged on to the source computer within the specified time period, based on the **Last Modified** date of the Ntuser.dat file on the source computer. The /**uel** option acts as an include rule. For example, the **/uel:30** option migrates users who logged on, or whose account was modified, within the last 30 days from the date when the ScanState command is run.

    You can specify the number of days or you can specify a date. You cannot use this option with the /**all** option. USMT retrieves the last logon information from the local computer, so the computer does not need to be connected to the network when you run this option. In addition, if a domain user has signed in to another computer, that sign-in instance is not considered by USMT.
    **Note**
    The /**uel** option is not valid in offline migrations.
    • **/uel:0** migrates any users who are currently logged on.
    • **/uel:90** migrates users who have logged on, or whose accounts have been otherwise modified, within the last 90 days.
    • **/uel:1** migrates users whose account has been modified within the last 24 hours.
    • **/uel:2002/1/15** migrates users who have logged on or been modified January 15, 2002 or afterwards.

    For example:
    `scanstate /i:migapp.xml /i:migdocs.xml \\server\share\migration\mystore /uel:0` | -| /**ue**:*<DomainName>*\*<UserName>*
    -or-

    /**ue**:*<ComputerName>*\*<LocalUserName>* | **(User exclude)**

    Excludes the specified users from the migration. You can specify multiple /**ue** options. You cannot use this option with the /**all** option. *<DomainName>* and *<UserName>* can contain the asterisk (    ) wildcard character. When you specify a user name that contains spaces, you need to surround it with quotation marks.

    For example:
    `scanstate /i:migdocs.xml /i:migapp.xml \\server\share\migration\mystore /ue:contoso\user1` | +| **/all** | Migrates all of the users on the computer.

    USMT migrates all user accounts on the computer, unless you specifically exclude an account with either the `/ue` or `/uel` options. For this reason, you don't need to specify this option on the command line. However, if you choose to specify the `/all` option, you can't also use the `/ui`, `/ue` or `/uel` options. | +| **/ui**:*<DomainName>*\*<UserName>*
    or
    **/ui**:*<ComputerName>*\*<LocalUserName>* | **(User include)**

    Migrates the specified users. By default, all users are included in the migration. Therefore, this option is helpful only when used with the `/ue` or `/uel` options. You can specify multiple `/ui` options, but you can't use the `/ui` option with the `/all` option. *DomainName* and *UserName* can contain the asterisk (`*`) wildcard character. When you specify a user name that contains spaces, you'll need to surround it with quotation marks (`"`).
    **Note**
    If a user is specified for inclusion with the `/ui` option and also specified to be excluded with either the `/ue` or `/uel` options, the user will be included in the migration.

    For example:
    • To include only **User2** from the Fabrikam domain, enter:

      `/ue:*\* /ui:fabrikam\user2`

    • To migrate all users from the Fabrikam domain, and only the user accounts from other domains that have been active or otherwise modified in the last 30 days, enter:

      `/uel:30 /ui:fabrikam\*`

      In this example, a user account from the Contoso domain that was last modified two months ago won't be migrated.

    For more examples, see the descriptions of the `/ue` and `/ui` options in this table. | +| **/uel**:*<NumberOfDays>*
    or
    **/uel**:*<YYYY/MM/DD>*
    or
    **/uel:0** | **(User exclude based on last logon)**

    Migrates the users that logged on to the source computer within the specified time period, based on the **Last Modified** date of the Ntuser.dat file on the source computer. The `/uel` option acts as an include rule. For example, the `/uel:30` option migrates users who logged on, or whose account was modified, within the last 30 days from the date when the `ScanState.exe` command is run.

    You can specify the number of days or you can specify a date. You can't use this option with the `/all` option. USMT retrieves the last sign-in information from the local computer, so the computer doesn't need to be connected to the network when you run this option. In addition, if a domain user has signed in to another computer, that sign-in instance isn't considered by USMT.
    **Note**
    The `/uel` option isn't valid in offline migrations.
    • `/uel:0` migrates any users who are currently logged on.
    • `/uel:90` migrates users who have logged on, or whose accounts have been otherwise modified, within the last 90 days.
    • `/uel:1` migrates users whose account has been modified within the last 24 hours.
    • `/uel:2020/2/15` migrates users who have logged on or been modified February 15, 2020 or afterwards.

    For example:
    `ScanState.exe /i:MigApp.xml /i:MigDocs.xml \\server\share\migration\mystore /uel:0` | +| **/ue**:*<DomainName>*\*<UserName>*
    -or-

    **/ue**:*<ComputerName>*\*<LocalUserName>* | **(User exclude)**

    Excludes the specified users from the migration. You can specify multiple `/ue` options. You can't use this option with the `/all` option. *<DomainName>* and *<UserName>* can contain the asterisk (`*`) wildcard character. When you specify a user name that contains spaces, you need to surround it with quotation marks (`"`).

    For example:
    `ScanState.exe /i:MigDocs.xml /i:MigApp.xml \\server\share\migration\mystore /ue:contoso\user1` | -## How to Use /ui and /ue +## How to use /ui and /ue -The following examples apply to both the /**ui** and /**ue** options. You can replace the /**ue** option with the /**ui** option to include, rather than exclude, the specified users. +The following examples apply to both the `/ui` and `/ue` options. You can replace the `/ue` option with the `/ui` option to include, rather than exclude, the specified users. |Behavior|Command| |--- |--- | @@ -169,73 +153,74 @@ The following examples apply to both the /**ui** and /**ue** options. You can re |Exclude all local users.|`/ue:%computername%\*`| |Exclude users in all domains named User1, User2, and so on.|`/ue:*\user*`| -## Using the Options Together +## Using the options together -You can use the /**uel**, /**ue** and /**ui** options together to migrate only the users that you want migrated. +You can use the `/uel`, `/ue` and `/ui` options together to migrate only the users that you want migrated. -The /**ui** option has precedence over the /**ue** and /**uel** options. If a user is specified to be included using the /**ui** option, and also specified to be excluded using either the /**ue** or /**uel** options, the user will be included in the migration. For example, if you specify `/ui:contoso\* /ue:contoso\user1`, then User1 will be migrated, because the /**ui** option takes precedence over the /**ue** option. +The `/ui` option has precedence over the `/ue` and `/uel` options. If a user is specified for inclusion with the `/ui` option and also specified to be excluded with either the `/ue` or `/uel` options, the user will be included in the migration. For example, if you specify `/ui:contoso\* /ue:contoso\user1`, then **User1** will be migrated, because the `/ui` option takes precedence over the `/ue` option. -The /**uel** option takes precedence over the /**ue** option. If a user has logged on within the specified time period set by the /**uel** option, that user’s profile will be migrated even if they are excluded by using the /**ue** option. For example, if you specify `/ue:fixed\user1 /uel:14`, the User1 will be migrated if they have logged on to the computer within the last 14 days. +The `/uel` option takes precedence over the `/ue` option. If a user has logged on within the specified time period set by the `/uel` option, that user's profile will be migrated even if they're excluded by using the `/ue` option. For example, if you specify `/ue:fixed\user1 /uel:14`, the User1 will be migrated if they've logged on to the computer within the last 14 days. |Behavior|Command| |--- |--- | |Include only User2 from the Fabrikam domain and exclude all other users.|`/ue:*\* /ui:fabrikam\user2`| |Include only the local user named User1 and exclude all other users.|`/ue:*\* /ui:user1`| -|Include only the domain users from Contoso, except Contoso\User1.|This behavior cannot be completed using a single command. Instead, to migrate this set of users, you will need to specify the following commands:
    • On the **ScanState** command line, type: `/ue:*\* /ui:contoso\*`
    • On the **LoadState** command line, type: `/ue:contoso\user1`
    | +|Include only the domain users from Contoso, except Contoso\User1.|This behavior can't be completed using a single command. Instead, to migrate this set of users, you'll need to specify the following commands:
    • On the `ScanState.exe` command line, enter:
      `/ue:*\* /ui:contoso\*`
    • On the `LoadState.exe` command line, enter:
      `/ue:contoso\user1`
    | |Include only local (non-domain) users.|`/ue:*\* /ui:%computername%\*`| -## Encrypted File Options +## Encrypted file options -You can use the following options to migrate encrypted files. In all cases, by default, USMT fails if an encrypted file is found unless you specify an /**efs** option. To migrate encrypted files, you must change the default behavior. +You can use the following options to migrate encrypted files. In all cases, by default, USMT fails if an encrypted file is found unless you specify an `/efs` option. To migrate encrypted files, you must change the default behavior. For more information, see [Migrate EFS Files and Certificates](usmt-migrate-efs-files-and-certificates.md). -> [!NOTE] -> EFS certificates will be migrated automatically when migrating to Windows 7, Windows 8 or Windows 10. Therefore, you should specify the /**efs:copyraw** option with the **ScanState** command to migrate the encrypted files +> [!NOTE] +> EFS certificates will be migrated automatically when migrating to Windows 7, Windows 8 or Windows 10. Therefore, you should specify the `/efs:copyraw` option with the `ScanState.exe` command to migrate the encrypted files -> [!CAUTION] +> [!CAUTION] > Take caution when migrating encrypted files. If you migrate an encrypted file without also migrating the certificate, end users will not be able to access the file after the migration. | Command-Line Option | Explanation | |----|----| -| **/efs:hardlink** | Creates a hard link to the EFS file instead of copying it. Use only with the **/hardlink** and the **/nocompress** options. | -| **/efs:abort** | Causes the **ScanState** command to fail with an error code, if an Encrypting File System (EFS) file is found on the source computer. Enabled by default. | -| **/efs:skip** | Causes the **ScanState** command to ignore EFS files. | -| /**efs:decryptcopy** | Causes the **ScanState** command to decrypt the file, if possible, before saving it to the migration store, and to fail if the file cannot be decrypted. If the **ScanState** command succeeds, the file will be unencrypted in the migration store, and once you run the **LoadState** command, the file will be copied to the destination computer. | -| **/efs:copyraw** | Causes the **ScanState** command to copy the files in the encrypted format. The files will be inaccessible on the destination computer until the EFS certificates are migrated. EFS certificates will be automatically migrated; however, by default USMT fails if an encrypted file is found, unless you specify an **/efs** option. Therefore you should specify the **/efs:copyraw** option with the **ScanState** command to migrate the encrypted file. Then, when you run the **LoadState** command, the encrypted file and the EFS certificate will be automatically migrated.

    For example:
    `ScanState /i:migdocs.xml /i:migapp.xml \server\share\migration\mystore /efs:copyraw`
    **Important**
    All files must be encrypted if the parent folder is encrypted. If the encryption attribute on a file inside an encrypted folder has been removed, the file will be encrypted during the migration using the credentials of the account used to run the LoadState tool. For more information, see [Migrate EFS Files and Certificates](usmt-migrate-efs-files-and-certificates.md).
    | +| **/efs:hardlink** | Creates a hard link to the EFS file instead of copying it. Use only with the `/hardlink` and the `/nocompress` options. | +| **/efs:abort** | Causes the `ScanState.exe` command to fail with an error code, if an Encrypting File System (EFS) file is found on the source computer. Enabled by default. | +| **/efs:skip** | Causes the `ScanState.exe` command to ignore EFS files. | +| **/efs:decryptcopy** | Causes the `ScanState.exe` command to decrypt the file, if possible, before saving it to the migration store, and to fail if the file can't be decrypted. If the `ScanState.exe` command succeeds, the file will be unencrypted in the migration store, and once you run the `LoadState.exe` command, the file will be copied to the destination computer. | +| **/efs:copyraw** | Causes the `ScanState.exe` command to copy the files in the encrypted format. The files will be inaccessible on the destination computer until the EFS certificates are migrated. EFS certificates will be automatically migrated; however, by default USMT fails if an encrypted file is found, unless you specify an `/efs` option. Therefore you should specify the `/efs:copyraw` option with the `ScanState.exe` command to migrate the encrypted file. Then, when you run the `LoadState.exe` command, the encrypted file and the EFS certificate will be automatically migrated.

    For example:
    `ScanState.exe /i:MigDocs.xml /i:MigApp.xml \server\share\migration\mystore /efs:copyraw`
    **Important**
    All files must be encrypted if the parent folder is encrypted. If the encryption attribute on a file inside an encrypted folder has been removed, the file will be encrypted during the migration using the credentials of the account used to run the **LoadState** tool. For more information, see [Migrate EFS files and certificates](usmt-migrate-efs-files-and-certificates.md).
    | -## Incompatible Command-Line Options +## Incompatible command-line options -The following table indicates which command-line options are not compatible with the **ScanState** command. If the table entry for a particular combination is blank, the options are compatible and you can use them together. The X symbol means that the options are not compatible. For example, you cannot use the **/nocompress** option with the **/encrypt** option. +The following table indicates which command-line options aren't compatible with the `ScanState.exe` command. If the table entry for a particular combination is blank, the options are compatible and you can use them together. The X symbol means that the options aren't compatible. For example, you can't use the `/nocompress` option with the `/encrypt` option. |Command-Line Option|/keyfile|/nocompress|/genconfig|/all| |--- |--- |--- |--- |--- | |**/i**||||| |**/o**||||| |**/v**||||| -|/**nocompress**||||N/A| -|/**localonly**|||X|| -|/**key**|X||X|| -|/**encrypt**|Required*|X|X|| -|/**keyfile**|N/A||X|| -|/**l**||||| -|/**progress**|||X|| -|/**r**|||X|| -|/**w**|||X|| -|/**c**|||X|| -|/**p**|||X|N/A| -|/**all**|||X|| -|/**ui**|||X|X| -|/**ue**|||X|X| -|/**uel**|||X|X| -|/**efs**:*<option>*|||X|| -|/**genconfig**|||N/A|| -|/**config**|||X|| +|**/nocompress**||||N/A| +|**/localonly**|||X|| +|**/key**|X||X|| +|**/encrypt**|Required*|X|X|| +|**/keyfile**|N/A||X|| +|**/l**||||| +|**/listfiles**|||X|| +|**/progress**|||X|| +|**/r**|||X|| +|**/w**|||X|| +|**/c**|||X|| +|**/p**|||X|N/A| +|**/all**|||X|| +|**/ui**|||X|X| +|**/ue**|||X|X| +|**/uel**|||X|X| +|**/efs**:*<option>*|||X|| +|**/genconfig**|||N/A|| +|**/config**|||X|| |*<StorePath>*|||X|| -> [!NOTE] -> You must specify either the /**key** or /**keyfile** option with the /**encrypt** option. +> [!NOTE] +> You must specify either the `/key` or `/keyfile` option with the `/encrypt` option. -## Related topics +## Related articles [XML Elements Library](usmt-xml-elements-library.md) diff --git a/windows/deployment/usmt/usmt-technical-reference.md b/windows/deployment/usmt/usmt-technical-reference.md index e28e3bc9ca..2504eabb75 100644 --- a/windows/deployment/usmt/usmt-technical-reference.md +++ b/windows/deployment/usmt/usmt-technical-reference.md @@ -2,52 +2,53 @@ title: User State Migration Tool (USMT) Technical Reference (Windows 10) description: The User State Migration Tool (USMT) provides a highly customizable user-profile migration experience for IT professionals. ms.reviewer: -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski -ms.date: 04/19/2017 +author: frankroj +ms.date: 11/01/2022 ms.topic: article ms.custom: seo-marvel-apr2020 ms.technology: itpro-deploy --- -# User State Migration Tool (USMT) Technical Reference -The User State Migration Tool (USMT) is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals. +# User State Migration Tool (USMT) technical reference -Download the Windows ADK [from this website](/windows-hardware/get-started/adk-install). +The User State Migration Tool (USMT) is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals. -**USMT support for Microsoft Office** ->USMT in the Windows ADK for Windows 10, version 1511 (10.1.10586.0) supports migration of user settings for installations of Microsoft Office 2003, 2007, 2010, and 2013.
    ->USMT in the Windows ADK for Windows 10, version 1607 (10.1.14393.0) adds support for migration of user settings for installations of Microsoft Office 2016. +Download the Windows ADK [from this website](/windows-hardware/get-started/adk-install). + +## USMT support for Microsoft Office + +- USMT in the Windows ADK for Windows 10, version 1511 (10.1.10586.0) supports migration of user settings for installations of Microsoft Office 2003, 2007, 2010, and 2013. + +- USMT in the Windows ADK for Windows 10, version 1607 (10.1.14393.0) adds support for migration of user settings for installations of Microsoft Office 2016. USMT includes three command-line tools: -- ScanState.exe
    -- LoadState.exe
    -- UsmtUtils.exe +- ScanState.exe +- LoadState.exe +- UsmtUtils.exe USMT also includes a set of three modifiable .xml files: -- MigApp.xml
    -- MigDocs.xml
    -- MigUser.xml +- MigApp.xml +- MigDocs.xml +- MigUser.xml -Additionally, you can create custom .xml files to support your migration needs. You can also create a Config.xml file to specify files or settings to exclude from the migration. +Additionally, you can create custom .xml files to support your migration needs. You can also create a `Config.xml` file to specify files or settings to exclude from the migration. -USMT tools can be used on several versions of Windows operating systems, for more information, see [USMT Requirements](usmt-requirements.md). For more information about previous releases of the USMT tools, see [User State Migration Tool (USMT) 4.0 User's Guide](/previous-versions/windows/server/dd560801(v=ws.10)). +USMT tools can be used on several versions of Windows operating systems, for more information, see [USMT requirements](usmt-requirements.md). For more information about previous releases of the USMT tools, see [User State Migration Tool (USMT) overview](/previous-versions/windows/hh825227(v=win.10)). ## In this section -|Topic |Description| -|------|-----------| -|[User State Migration Tool (USMT) Overview Topics](usmt-topics.md)|Describes what's new in USMT, how to get started with USMT, and the benefits and limitations of using USMT.| -|[User State Migration Tool (USMT) How-to topics](usmt-how-to.md)|Includes step-by-step instructions for using USMT, as well as how-to topics for conducting tasks in USMT.| -|[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md)|Provides answers to frequently asked questions and common issues in USMT, as well as a reference for return codes used in USMT.| -|[User State Migration Toolkit (USMT) Reference](usmt-reference.md)|Includes reference information for migration planning, migration best practices, command-line syntax, using XML, and requirements for using USMT.| -## Related topics +| Link | Description | +|------ |----------- | +|[User State Migration Tool (USMT) overview topics](usmt-topics.md)|Describes what's new in USMT, how to get started with USMT, and the benefits and limitations of using USMT.| +|[User State Migration Tool (USMT) how-to topics](usmt-how-to.md)|Includes step-by-step instructions for using USMT and how-to topics for conducting tasks in USMT.| +|[User State Migration Tool (USMT) troubleshooting](usmt-troubleshooting.md)|Provides answers to frequently asked questions and common issues in USMT and a reference for return codes used in USMT.| +|[User State Migration Toolkit (USMT) reference](usmt-reference.md)|Includes reference information for migration planning, migration best practices, command-line syntax, using XML, and requirements for using USMT.| + +## Related articles + - [Windows Assessment and Deployment Kit](/previous-versions/windows/it-pro/windows-8.1-and-8/dn247001(v=win.10)) - -  - -  diff --git a/windows/deployment/usmt/usmt-test-your-migration.md b/windows/deployment/usmt/usmt-test-your-migration.md index de59c64bd1..a26c2a25cd 100644 --- a/windows/deployment/usmt/usmt-test-your-migration.md +++ b/windows/deployment/usmt/usmt-test-your-migration.md @@ -2,41 +2,35 @@ title: Test Your Migration (Windows 10) description: Learn about testing your migration plan in a controlled laboratory setting before you deploy it to your entire organization. ms.reviewer: -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski -ms.date: 04/19/2017 +author: frankroj +ms.date: 11/01/2022 ms.topic: article ms.technology: itpro-deploy --- -# Test Your Migration +# Test your migration +Always test your migration plan in a controlled laboratory setting before you deploy it to your entire organization. In your test environment, you need at least one computer for each type of operating system from which you're migrating data. -Always test your migration plan in a controlled laboratory setting before you deploy it to your entire organization. In your test environment, you need at least one computer for each type of operating system from which you are migrating data. +After you've thoroughly tested the entire migration process on a single computer running each of your source operating systems, conduct a pilot migration with a small group of users. After migrating a few typical user states to the intermediate store, note the space required and adjust your initial calculations accordingly. For details about estimating the space needed for your migration, see [Estimate migration store size](usmt-estimate-migration-store-size.md). You might also need to adjust the registry-setting and file-location information in your migration-rule files. If you make changes, test the migration again. Then verify that all data and settings have migrated as expected. A pilot migration also gives you an opportunity to test your space estimates for the intermediate store. -After you have thoroughly tested the entire migration process on a single computer running each of your source operating systems, conduct a pilot migration with a small group of users. After migrating a few typical user states to the intermediate store, note the space required and adjust your initial calculations accordingly. For details about estimating the space needed for your migration, see [Estimate Migration Store Size](usmt-estimate-migration-store-size.md). You might also need to adjust the registry-setting and file-location information in your migration-rule files. If you make changes, test the migration again. Then verify that all data and settings have migrated as expected. A pilot migration also gives you an opportunity to test your space estimates for the intermediate store. +If your test migration encounters any errors, examine the **ScanState** and **LoadState** logs to obtain the exact User State Migration Tool (USMT) 10.0 return code and associated error messages or Windows application programming interface (API) error message. For more information about USMT return codes and error messages, see [Return codes](/troubleshoot/windows-client/deployment/usmt-return-codes). You can obtain more information about any listed **Windows** system error codes by typing in a command prompt window `net.exe helpmsg ` where ** is the error code number generated by the error message. For more information about System Error Codes, see [System Error Codes (0-499)](/windows/win32/debug/system-error-codes--0-499-). -If your test migration encounters any errors, examine the ScanState and LoadState logs to obtain the exact User State Migration Tool (USMT) 10.0 return code and associated error messages or Windows application programming interface (API) error message. For more information about USMT return codes and error messages, see [Return Codes](usmt-return-codes.md). You can also obtain more information about a Windows API error message by typing **net helpmsg** and the error message number on the command line. +In most cases, the **ScanState** and **LoadState** logs indicate why a USMT migration is failing. We recommend that you use the `/v:5` option when testing your migration. This verbosity level can be adjusted in a production migration. Reducing the verbosity level might make it more difficult to diagnose failures that are encountered during production migrations. You can use a higher verbosity level if you want the log files output to go to a debugger. -In most cases, the ScanState and LoadState logs indicate why a USMT migration is failing. We recommend that you use the **/v**:5 option when testing your migration. This verbosity level can be adjusted in a production migration. Reducing the verbosity level might make it more difficult to diagnose failures that are encountered during production migrations. You can use a higher verbosity level if you want the log files output to go to a debugger. +> [!NOTE] +> Running the **ScanState** and **LoadState** tools with the `/v:5` option creates a detailed log file. Although this option makes the log file large, it is helpful in determining where migration errors occurred. -**Note**   -Running the ScanState and LoadState tools with the **/v**:5 option creates a detailed log file. Although this option makes the log file large, it is helpful in determining where migration errors occurred. +After you've determined that the pilot migration successfully migrated the specified files and settings, you're ready to add USMT to the server that is running Microsoft Configuration Manager, or a non-Microsoft management technology. For more information, see [Manage user state in Configuration Manager](/configmgr/osd/get-started/manage-user-state). - +> [!NOTE] +> For testing purposes, you can create an uncompressed store using the `/hardlink /nocompress` option. When compression is disabled, the **ScanState** tool saves the files and settings to a hidden folder named **File** at `\USMT`. You can use the uncompressed store to view what USMT has stored or to troubleshoot a problem, or you can run an antivirus utility against the files. Additionally, you can also use the `/listfiles` command-line option and the diagnostic log to list the files that were gathered and to troubleshoot problems with your migration. -After you have determined that the pilot migration successfully migrated the specified files and settings, you are ready to add USMT to the server that is running Microsoft Configuration Manager, or a non-Microsoft management technology. For more information, see [Manage user state in Configuration Manager](/configmgr/osd/get-started/manage-user-state). +## Related articles -**Note**   -For testing purposes, you can create an uncompressed store using the **/hardlink /nocompress** option. When compression is disabled, the ScanState tool saves the files and settings to a hidden folder named "File" at *StorePath*\\USMT. You can use the uncompressed store to view what USMT has stored or to troubleshoot a problem, or you can run an antivirus utility against the files. Additionally, you can also use the **/listfiles** command-line option and the diagnostic log to list the files that were gathered and to troubleshoot problems with your migration. +[Plan your migration](usmt-plan-your-migration.md) - - -## Related topics - - -[Plan Your Migration](usmt-plan-your-migration.md) - -[Log Files](usmt-log-files.md) +[Log files](usmt-log-files.md) diff --git a/windows/deployment/usmt/usmt-topics.md b/windows/deployment/usmt/usmt-topics.md index e3a456a033..755df2c928 100644 --- a/windows/deployment/usmt/usmt-topics.md +++ b/windows/deployment/usmt/usmt-topics.md @@ -1,28 +1,30 @@ --- title: User State Migration Tool (USMT) Overview Topics (Windows 10) -description: Learn about User State Migration Tool (USMT) overview topics that describe USMT as a highly customizable user-profile migration experience for IT professionals. +description: Learn about User State Migration Tool (USMT) overview articles that describe USMT as a highly customizable user-profile migration experience for IT professionals. ms.reviewer: -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski -ms.date: 04/19/2017 +author: frankroj +ms.date: 11/01/2022 ms.topic: article ms.technology: itpro-deploy --- -# User State Migration Tool (USMT) Overview Topics -The User State Migration Tool (USMT) 10.0 provides a highly customizable user-profile migration experience for IT professionals. USMT includes three command-line tools: ScanState.exe, LoadState.exe, and UsmtUtils.exe. USMT also includes a set of three modifiable .xml files: MigApp.xml, MigDocs.xml, and MigUser.xml. Additionally, you can create custom .xml files to support your migration needs. You can also create a Config.xml file to specify files or settings to exclude from the migration. +# User State Migration Tool (USMT) overview topics -## In This Section +The User State Migration Tool (USMT) 10.0 provides a highly customizable user-profile migration experience for IT professionals. USMT includes three command-line tools: `ScanState.exe`, `LoadState.exe`, and `UsmtUtils.exe`. USMT also includes a set of three modifiable .xml files: `MigApp.xml`, `MigDocs.xml`, and `MigUser.xml`. Additionally, you can create custom .xml files to support your migration needs. You can also create a `Config.xml` file to specify files or settings to exclude from the migration. -|Topic |Description| -|------|-----------| -|[User State Migration Tool (USMT) Overview](usmt-overview.md)|Describes the benefits and limitations of using USMT.| -|[Getting Started with the User State Migration Tool (USMT)](getting-started-with-the-user-state-migration-tool.md)|Describes the general process to follow to migrate files and settings, and provides links to more information.| -|[Windows Upgrade and Migration Considerations](../upgrade/windows-upgrade-and-migration-considerations.md)|Discusses the Microsoft® tools you can use to move files and settings between installations, as well as special considerations for performing an upgrade or migration.| +## In this section -## Related topics -- [User State Migration Tool (USMT) How-to topics](usmt-how-to.md) -- [User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md) -- [User State Migration Toolkit (USMT) Reference](usmt-reference.md) +| Link | Description | +|------ |----------- | +|[User State Migration Tool (USMT) overview](usmt-overview.md)|Describes the benefits and limitations of using USMT.| +|[Getting started with the User State Migration Tool (USMT)](getting-started-with-the-user-state-migration-tool.md)|Describes the general process to follow to migrate files and settings, and provides links to more information.| +|[Windows upgrade and migration considerations](../upgrade/windows-upgrade-and-migration-considerations.md)|Discusses the Microsoft® tools you can use to move files and settings between installations and special considerations for performing an upgrade or migration.| + +## Related articles + +- [User State Migration Tool (USMT) how-to topics](usmt-how-to.md) +- [User State Migration Tool (USMT) troubleshooting](usmt-troubleshooting.md) +- [User State Migration Toolkit (USMT) reference](usmt-reference.md) diff --git a/windows/deployment/usmt/usmt-troubleshooting.md b/windows/deployment/usmt/usmt-troubleshooting.md index e3b1162419..ede8f237ec 100644 --- a/windows/deployment/usmt/usmt-troubleshooting.md +++ b/windows/deployment/usmt/usmt-troubleshooting.md @@ -1,36 +1,36 @@ --- title: User State Migration Tool (USMT) Troubleshooting (Windows 10) -description: Learn about topics that address common User State Migration Tool (USMT) 10.0 issues and questions to assist in troubleshooting. +description: Learn about topics that address common User State Migration Tool (USMT) 10.0 issues and questions to help troubleshooting. ms.reviewer: -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski -ms.date: 04/19/2017 +author: frankroj +ms.date: 11/01/2022 ms.topic: article ms.technology: itpro-deploy --- -# User State Migration Tool (USMT) Troubleshooting +# User State Migration Tool (USMT) troubleshooting -The following table describes topics that address common User State Migration Tool (USMT) 10.0 issues and questions. These topics describe tools that you can use to troubleshoot issues that arise during your migration. +The following table describes articles that address common User State Migration Tool (USMT) 10.0 issues and questions. These articles describe tools that you can use to troubleshoot issues that arise during your migration. -## In This Section +## In this section | Link | Description | |--- |--- | -|[Common Issues](usmt-common-issues.md)|Find troubleshooting solutions for common problems in USMT.| +|[Common Issues](/troubleshoot/windows-client/deployment/usmt-common-issues)|Find troubleshooting solutions for common problems in USMT.| |[Frequently Asked Questions](usmt-faq.yml)|Find answers to questions about how to use USMT.| |[Log Files](usmt-log-files.md)|Learn how to enable logging to help you troubleshoot issues in USMT.| -|[Return Codes](usmt-return-codes.md)|Learn how to use return codes to identify problems in USMT.| +|[Return Codes](/troubleshoot/windows-client/deployment/usmt-return-codes)|Learn how to use return codes to identify problems in USMT.| |[USMT Resources](usmt-resources.md)|Find more information and support for using USMT.| -## Related topics +## Related articles -[USMT Best Practices](usmt-best-practices.md) +[USMT best practices](usmt-best-practices.md) -[User State Migration Tool (USMT) Overview Topics](usmt-topics.md) +[User State Migration Tool (USMT) overview topics](usmt-topics.md) -[User State Migration Tool (USMT) How-to topics](usmt-how-to.md) +[User State Migration Tool (USMT) how-to topics](usmt-how-to.md) -[User State Migration Toolkit (USMT) Reference](usmt-reference.md) +[User State Migration Toolkit (USMT) reference](usmt-reference.md) diff --git a/windows/deployment/usmt/usmt-utilities.md b/windows/deployment/usmt/usmt-utilities.md index feac03f881..cb67fc466b 100644 --- a/windows/deployment/usmt/usmt-utilities.md +++ b/windows/deployment/usmt/usmt-utilities.md @@ -1,109 +1,100 @@ --- title: UsmtUtils Syntax (Windows 10) -description: Learn about the syntax for the utilities available in User State Migration Tool (USMT) 10.0 through the command-line interface. +description: Learn about the syntax for the utilities available in User State Migration Tool (USMT) 10.0 through the command-line interface. ms.reviewer: -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski -ms.date: 04/19/2017 +author: frankroj +ms.date: 11/01/2022 ms.topic: article ms.technology: itpro-deploy --- # UsmtUtils Syntax -This topic describes the syntax for the utilities available in User State Migration Tool (USMT) 10.0 through the command-line interface. These utilities: +This article describes the syntax for the utilities available in User State Migration Tool (USMT) 10.0 through the command-line interface. These utilities: -- Improve your ability to determine cryptographic options for your migration. +- Improve your ability to determine cryptographic options for your migration. -- Assist in removing hard-link stores that cannot otherwise be deleted due to a sharing lock. +- Help removing hard-link stores that can't otherwise be deleted due to a sharing lock. -- Verify whether the catalog file or any of the other files in the compressed migration store have become corrupted. +- Verify whether the catalog file or any of the other files in the compressed migration store have become corrupted. -- Extract files from the compressed migration store when you migrate files and settings to the destination computer. +- Extract files from the compressed migration store when you migrate files and settings to the destination computer. -## In This Topic +## UsmtUtils.exe -[Usmtutils.exe](#bkmk-usmtutils-exe) +The following table lists command-line options for `UsmtUtils.exe`. The sections that follow provide further command-line options for the `/verify` and the `/extract` options. -[Verify Options](#bkmk-verifyoptions) +The syntax for `UsmtUtils.exe` is: -[Extract Options](#bkmk-extractoptions) - -## Usmtutils.exe - -The following table lists command-line options for USMTutils.exe. The sections that follow provide further command-line options for the **/verify** and the **/extract** options. - -The syntax for UsmtUtils.exe is: - -usmtutils \[/ec | /rd *<storeDir>* | /verify *<filepath>* \[options\] | /extract *<filepath>* *<destinationPath>* \[options\]\] +> UsmtUtils.exe \[/ec | /rd *<storeDir>* | /verify *<filepath>* \[options\] | /extract *<filepath>* *<destinationPath>* \[options\]\] |Command-line Option|Description| |--- |--- | -|**/ec**|Returns a list of supported cryptographic algorithms (AlgIDs) on the current system. You can use this on a destination computer to determine which algorithm to use with the **/encrypt** command before you run the ScanState tool on the source computer.| -|**/rd** *<storeDir>* |Removes the directory path specified by the *<storeDir>* argument on the computer. You can use this command to delete hard-link migration stores that cannot otherwise be deleted at a command prompt due to a sharing lock. If the migration store spans multiple volumes on a given drive, it will be deleted from all of these volumes.

    For example:
    `usmtutils /rd D:\MyHardLinkStore`| -|**/y**|Overrides the accept deletions prompt when used with the **/rd** option. When you use the **/y** option with the **/rd** option, you will not be prompted to accept the deletions before USMT deletes the directories.| -|**/verify**|Returns information on whether the compressed migration store is intact or whether it contains corrupted files or a corrupted catalog.

    See [Verify Options](#bkmk-verifyoptions) for syntax and options to use with **/verify**.| -|**/extract**|Recovers files from a compressed USMT migration store.

    See [Extract Options](#bkmk-extractoptions) for syntax and options to use with **/extract**.| +|**/ec**|Returns a list of supported cryptographic algorithms (AlgIDs) on the current system. You can use this option on a destination computer to determine which algorithm to use with the `/encrypt` command before you run the **ScanState** tool on the source computer.| +|**/rd** *<storeDir>* |Removes the directory path specified by the *<storeDir>* argument on the computer. You can use this command to delete hard-link migration stores that can't otherwise be deleted at a command prompt due to a sharing lock. If the migration store spans multiple volumes on a given drive, it will be deleted from all of these volumes.

    For example:
    `UsmtUtils.exe /rd D:\MyHardLinkStore`| +|**/y**|Overrides the accept deletions prompt when used with the `/rd` option. When you use the `/y` option with the `/rd` option, you won't be prompted to accept the deletions before USMT deletes the directories.| +|**/verify**|Returns information on whether the compressed migration store is intact or whether it contains corrupted files or a corrupted catalog.

    See [Verify options](#verify-options) for syntax and options to use with `/verify`.| +|**/extract**|Recovers files from a compressed USMT migration store.

    See [Extract options](#extract-options) for syntax and options to use with `/extract`.| -## Verify Options +## Verify options -Use the **/verify** option when you want to determine whether a compressed migration store is intact or whether it contains corrupted files or a corrupted catalog. For more information on how to use the **/verify** option, see [Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md). +Use the `/verify` option when you want to determine whether a compressed migration store is intact or whether it contains corrupted files or a corrupted catalog. For more information on how to use the `/verify` option, see [Verify the condition of a compressed migration store](verify-the-condition-of-a-compressed-migration-store.md). -The syntax for **/verify** is: +The syntax for `/verify` is: -usmtutils /verify\[:*<reportType>*\] *<filePath>* \[/l:*<logfile>*\] \[/v:*VerbosityLevel*\] \[/decrypt \[:*<AlgID>*\] {/key:*<keystring>* | /keyfile:*<filename>*}\] +> UsmtUtils.exe /verify\[:*<reportType>*\] *<filePath>* \[/l:*<logfile>*\] \[/v:*VerbosityLevel*\] \[/decrypt \[:*<AlgID>*\] {/key:*<keystring>* | /keyfile:*<filename>*}\] | Command-line Option | Description | |-----|--------| -| *<reportType>* | Specifies whether to report on all files, corrupted files only, or the status of the catalog.
    • **Summary**. Returns both the number of files that are intact and the number of files that are corrupted in the migration store. If no algorithm is specified, the summary report is displayed as a default.
    • **all**. Returns a tab-delimited list of all of the files in the compressed migration store and the status for each file. Each line contains the file name followed by a tab spacing, and either “CORRUPTED” or “OK” depending on the status of the file. The last entry reports the corruption status of the "CATALOG" of the store. A catalog file contains metadata for all files in a migration store. The LoadState tool requires a valid catalog file in order to open the migration store. Returns "OK" if the catalog file is intact and LoadState can open the migration store and "CORRUPTED" if the migration store is corrupted.
    • **failureonly**. Returns a tab-delimited list of only the files that are corrupted in the compressed migration store.
    • **Catalog**. Returns only the status of the catalog file.
    | +| *<reportType>* | Specifies whether to report on all files, corrupted files only, or the status of the catalog.
    • **Summary**. Returns both the number of files that are intact and the number of files that are corrupted in the migration store. If no algorithm is specified, the summary report is displayed as a default.
    • **all**. Returns a tab-delimited list of all of the files in the compressed migration store and the status for each file. Each line contains the file name followed by a tab spacing, and either **CORRUPTED** or **OK** depending on the status of the file. The last entry reports the corruption status of the **CATALOG** of the store. A catalog file contains metadata for all files in a migration store. The **LoadState** tool requires a valid catalog file in order to open the migration store. Returns "OK" if the catalog file is intact and **LoadState** can open the migration store and "CORRUPTED" if the migration store is corrupted.
    • **failureonly**. Returns a tab-delimited list of only the files that are corrupted in the compressed migration store.
    • **Catalog**. Returns only the status of the catalog file.
    | | **/l:**
    *<logfilePath>* | Specifies the location and name of the log file. | -| **/v:** *<VerbosityLevel>* | **(Verbosity)**

    Enables verbose output in the UsmtUtils log file. The default value is 0.

    You can set the *VerbosityLevel* to one of the following levels:
    • **0** - Only the default errors and warnings are enabled.
    • **1** - Enables verbose output.
    • **4** - Enables error and status output.
    • **5** - Enables verbose and status output.
    • **8** - Enables error output to a debugger.
    • **9** - Enables verbose output to a debugger.
    • **12** - Enables error and status output to a debugger.
    • **13** - Enables verbose, status, and debugger output.
    | -| **/decrypt** *<AlgID>* **/**:*<KeyString>*
    or
    **/decrypt** *<AlgID>* **/**:*<“Key String”>*
    or
    **/decrypt:** *<AlgID>* **/keyfile**:*<FileName>* | Specifies that the **/encrypt** option was used to create the migration store with the ScanState tool. To decrypt the migration store, specify a **/key** or **/keyfile** option as follows:
    • *<AlgID>* specifies the cryptographic algorithm that was used to create the migration store on the ScanState command line. If no algorithm is specified, ScanState and UsmtUtils use the 3DES algorithm as a default.
      *<AlgID>* valid values include: AES_128, AES_192, AES_256, 3DES, or 3DES_112.
    • **/key:** *<KeyString>* specifies the encryption key. If there is a space in *<KeyString>*, you must surround the argument with quotation marks.
    • **/keyfile**: *<FileName>* specifies the location and name of a text (.txt) file that contains the encryption key.

    For more information about supported encryption algorithms, see [Migration Store Encryption](usmt-migration-store-encryption.md) | +| **/v:** *<VerbosityLevel>* | **(Verbosity)**

    Enables verbose output in the **UsmtUtils** log file. The default value is 0.

    You can set the *VerbosityLevel* to one of the following levels:
    • **0** - Only the default errors and warnings are enabled.
    • **1** - Enables verbose output.
    • **4** - Enables error and status output.
    • **5** - Enables verbose and status output.
    • **8** - Enables error output to a debugger.
    • **9** - Enables verbose output to a debugger.
    • **12** - Enables error and status output to a debugger.
    • **13** - Enables verbose, status, and debugger output.
    | +| **/decrypt** *<AlgID>* **/**:*<KeyString>*
    or
    **/decrypt** *<AlgID>* **/**:*<"Key String">*
    or
    **/decrypt:** *<AlgID>* **/keyfile**:*<FileName>* | Specifies that the `/encrypt` option was used to create the migration store with the **ScanState** tool. To decrypt the migration store, specify a `/key` or `/keyfile` option as follows:
    • *<AlgID>* specifies the cryptographic algorithm that was used to create the migration store on the `ScanState.exe` command line. If no algorithm is specified, **ScanState** and **UsmtUtils** use the 3DES algorithm as a default.
      *<AlgID>* valid values include: `AES_128`, `AES_192`, `AES_256`, `3DES`, or `3DES_112`.
    • `/key:` *<KeyString>* specifies the encryption key. If there's a space in *<KeyString>*, you must surround the argument with quotation marks.
    • `/keyfile`: *<FileName>* specifies the location and name of a text (.txt) file that contains the encryption key.

    For more information about supported encryption algorithms, see [Migration Store Encryption](usmt-migration-store-encryption.md) | -Some examples of **/verify** commands: +Some examples of `/verify` commands: -- `usmtutils /verify D:\MyMigrationStore\store.mig` +- `UsmtUtils.exe /verify D:\MyMigrationStore\store.mig` -- `usmtutils /verify:catalog D:\MyMigrationStore\store.mig` +- `UsmtUtils.exe /verify:catalog D:\MyMigrationStore\store.mig` -- `usmtutils /verify:all D:\MyMigrationStore\store.mig /decrypt /l:D:\UsmtUtilsLog.txt` +- `UsmtUtils.exe /verify:all D:\MyMigrationStore\store.mig /decrypt /l:D:\UsmtUtilsLog.txt` -- `usmtutils /verify:failureonly D:\MyMigrationStore\store.mig /decrypt:AES_192 /keyfile:D:\encryptionKey.txt` +- `UsmtUtils.exe /verify:failureonly D:\MyMigrationStore\store.mig /decrypt:AES_192 /keyfile:D:\encryptionKey.txt` -## Extract Options +## Extract options +Use the `/extract` option to recover files from a compressed USMT migration store if it will not restore normally with **LoadState**. For more information on how to use the `/extract` option, see [Extract files from a compressed USMT migration store](usmt-extract-files-from-a-compressed-migration-store.md). -Use the **/extract** option to recover files from a compressed USMT migration store if it will not restore normally with loadstate. For more information on how to use the **/extract** option, see [Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md). +The syntax for `/extract` is: -The syntax for **/extract** is: - -/extract *<filePath>* *<destinationPath>* \[/i:*<includePattern>*\] \[/e: *<excludePattern>*\] \[/l: *<logfile>*\] \[/v: *VerbosityLevel>*\] \[/decrypt\[:*<AlgID>*\] {key: *<keystring>* | /keyfile: *<filename>*}\] \[/o\] +> /extract *<filePath>* *<destinationPath>* \[/i:*<includePattern>*\] \[/e: *<excludePattern>*\] \[/l: *<logfile>*\] \[/v: *VerbosityLevel>*\] \[/decrypt\[:*<AlgID>*\] {key: *<keystring>* | /keyfile: *<filename>*}\] \[/o\] | Command-line Option | Description | |-------|-----| | *<filePath>* | Path to the USMT migration store.

    For example:
    `D:\MyMigrationStore\USMT\store.mig` | | *<destinationPath>* | Path to the folder where the tool puts the individual files. | -| **/i**:*<includePattern>* | Specifies a pattern for files to include in the extraction. You can specify more than one pattern. Separate patterns with a comma or a semicolon. You can use **/i**: *<includePattern>* and **/e**: *<excludePattern>* options in the same command. When both include and exclude patterns are used on the command line, include patterns take precedence over exclude patterns. | -| **/e**:*<excludePattern>* | Specifies a pattern for files to omit from the extraction. You can specify more than one pattern. Separate patterns with a comma or a semicolon. You can use **/i**: *<includePattern>* and **/e**: *<excludePattern>* options in the same command. When both include and exclude patterns are used on the command line, include patterns take precedence over exclude patterns. | +| **/i**:*<includePattern>* | Specifies a pattern for files to include in the extraction. You can specify more than one pattern. Separate patterns with a comma or a semicolon. You can use `/i`: *<includePattern>* and `/e`: *<excludePattern>* options in the same command. When both include and exclude patterns are used on the command line, include patterns take precedence over exclude patterns. | +| **/e**:*<excludePattern>* | Specifies a pattern for files to omit from the extraction. You can specify more than one pattern. Separate patterns with a comma or a semicolon. You can use `/i`: *<includePattern>* and `/e`: *<excludePattern>* options in the same command. When both include and exclude patterns are used on the command line, include patterns take precedence over exclude patterns. | | **/l**:*<logfilePath>* | Specifies the location and name of the log file. | -| **/v:***<VerbosityLevel>* | **(Verbosity)**

    Enables verbose output in the UsmtUtils log file. The default value is 0.

    You can set the *VerbosityLevel* to one of the following levels:
    • **0** - Only the default errors and warnings are enabled.
    • **1** - Enables verbose output.
    • **4** - Enables error and status output.
    • **5** - Enables verbose and status output.
    • **8** - Enables error output to a debugger.
    • **9** - Enables verbose output to a debugger.
    • **12** - Enables error and status output to a debugger.
    • **13** - Enables verbose, status, and debugger output.
    | -| **/decrypt***<AlgID>***/key**:*<KeyString>*
    or
    **/decrypt***<AlgID>***/**:*<“Key String”>*
    or
    **/decrypt:***<AlgID>***/keyfile**:*<FileName>* | Specifies that the **/encrypt** option was used to create the migration store with the ScanState tool. To decrypt the migration store, you must also specify a **/key** or **/keyfile** option as follows:
    • *<AlgID>* specifies the cryptographic algorithm that was used to create the migration store on the ScanState command line. If no algorithm is specified, ScanState and UsmtUtils use the 3DES algorithm as a default.
      *<AlgID>* valid values include: AES_128, AES_192, AES_256, 3DES, or 3DES_112.
    • **/key**: *<KeyString>* specifies the encryption key. If there is a space in *<KeyString>*, you must surround the argument with quotation marks.
    • **/keyfile**:*<FileName>* specifies a text (.txt) file that contains the encryption key

    For more information about supported encryption algorithms, see [Migration Store Encryption](usmt-migration-store-encryption.md). | +| **/v:***<VerbosityLevel>* | **(Verbosity)**

    Enables verbose output in the **UsmtUtils** log file. The default value is 0.

    You can set the *VerbosityLevel* to one of the following levels:
    • **0** - Only the default errors and warnings are enabled.
    • **1** - Enables verbose output.
    • **4** - Enables error and status output.
    • **5** - Enables verbose and status output.
    • **8** - Enables error output to a debugger.
    • **9** - Enables verbose output to a debugger.
    • **12** - Enables error and status output to a debugger.
    • **13** - Enables verbose, status, and debugger output.
    | +| **/decrypt***<AlgID>***/key**:*<KeyString>*
    or
    **/decrypt***<AlgID>***/**:*<"Key String">*
    or
    **/decrypt:***<AlgID>***/keyfile**:*<FileName>* | Specifies that the `/encrypt` option was used to create the migration store with the **ScanState** tool. To decrypt the migration store, you must also specify the `/key` or `/keyfile` option as follows:
    • *<AlgID>* specifies the cryptographic algorithm that was used to create the migration store on the `ScanState.exe` command line. If no algorithm is specified, **ScanState** and **UsmtUtils** use the 3DES algorithm as a default.
      *<AlgID>* valid values include: `AES_128`, `AES_192`, `AES_256`, `3DES`, or `3DES_112`.
    • `/key`: *<KeyString>* specifies the encryption key. If there's a space in *<KeyString>*, you must surround the argument with quotation marks.
    • `/keyfile`:*<FileName>* specifies a text (.txt) file that contains the encryption key

    For more information about supported encryption algorithms, see [Migration store encryption](usmt-migration-store-encryption.md). | | **/o** | Overwrites existing output files. | -Some examples of **/extract** commands: +Some examples of `/extract` commands: -- `usmtutils /extract D:\MyMigrationStore\USMT\store.mig C:\ExtractedStore` +- `UsmtUtils.exe /extract D:\MyMigrationStore\USMT\store.mig C:\ExtractedStore` -- `usmtutils /extract D:\MyMigrationStore\USMT\store.mig /i:"*.txt, *.pdf" C:\ExtractedStore /decrypt /keyfile:D:\encryptionKey.txt` +- `UsmtUtils.exe /extract D:\MyMigrationStore\USMT\store.mig /i:"*.txt, *.pdf" C:\ExtractedStore /decrypt /keyfile:D:\encryptionKey.txt` -- `usmtutils /extract D:\MyMigrationStore\USMT\store.mig /e:*.exe C:\ExtractedStore /decrypt:AES_128 /key:password /l:C:\usmtlog.txt` +- `UsmtUtils.exe /extract D:\MyMigrationStore\USMT\store.mig /e:*.exe C:\ExtractedStore /decrypt:AES_128 /key:password /l:C:\usmtlog.txt` -- `usmtutils /extract D:\MyMigrationStore\USMT\store.mig /i:myProject.* /e:*.exe C:\ExtractedStore /o` +- `UsmtUtils.exe /extract D:\MyMigrationStore\USMT\store.mig /i:myProject.* /e:*.exe C:\ExtractedStore /o` -## Related topics +## Related articles -[User State Migration Tool (USMT) Command-line Syntax](usmt-command-line-syntax.md) +[User State Migration Tool (USMT) command-line syntax](usmt-command-line-syntax.md) -[Return Codes](usmt-return-codes.md) +[Return codes](/troubleshoot/windows-client/deployment/usmt-return-codes) diff --git a/windows/deployment/usmt/usmt-what-does-usmt-migrate.md b/windows/deployment/usmt/usmt-what-does-usmt-migrate.md index 92b200dc38..be20a22816 100644 --- a/windows/deployment/usmt/usmt-what-does-usmt-migrate.md +++ b/windows/deployment/usmt/usmt-what-does-usmt-migrate.md @@ -1,146 +1,164 @@ --- title: What does USMT migrate (Windows 10) -description: Learn how User State Migration Tool (USMT) 10.0 is designed so that an IT engineer can precisely define migrations using the USMT .xml scripting language. +description: Learn how User State Migration Tool (USMT) 10.0 is designed so that an IT engineer can precisely define migrations using the USMT .xml scripting language. ms.reviewer: -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski -ms.date: 09/12/2017 +author: frankroj +ms.date: 11/23/2022 ms.topic: article ms.technology: itpro-deploy --- # What does USMT migrate? -## Default migration scripts +## Default migration scripts -The User State Migration Tool (USMT) 10.0 is designed so that an IT engineer can precisely define migrations using the USMT .xml scripting language. USMT provides the following sample scripts: +The User State Migration Tool (USMT) 10.0 is designed so that an IT engineer can precisely define migrations using the USMT .xml scripting language. USMT provides the following sample scripts: -- **MigApp.XML.** Rules to migrate application settings. +- **MigApp.XML** - Rules to migrate application settings. -- **MigDocs.XML.** Rules that use the **MigXmlHelper.GenerateDocPatterns** helper function, which can be used to automatically find user documents on a computer without the need to author extensive custom migration .xml files. +- **MigDocs.XML** - Rules that use the **MigXmlHelper.GenerateDocPatterns** helper function, which can be used to automatically find user documents on a computer without the need to author extensive custom migration .xml files. -- **MigUser.XML.** Rules to migrate user profiles and user data. +- **MigUser.XML** - Rules to migrate user profiles and user data. - MigUser.xml gathers everything in a user’s profile and then does a file extension- based search of most of the system for other user data. If data doesn’t match either of these criteria, the data won’t be migrated. For the most part, this file describes a "core" migration. + `MigUser.xml` gathers everything in a user's profile and then does a file extension- based search of most of the system for other user data. If data doesn't match either of these criteria, the data won't be migrated. Usually, this file describes a core migration. - The following data does not migrate with MigUser.xml: + The following data doesn't migrate with `MigUser.xml`: - - Files outside the user profile that don’t match one of the file extensions in MigUser.xml. + - Files outside the user profile that don't match one of the file extensions in `MigUser.xml`. - Access control lists (ACLs) for folders outside the user profile. -## User data +## User data -This section describes the user data that USMT migrates by default, using the MigUser.xml file. It also defines how to migrate ACLs. +This section describes the user data that USMT migrates by default, using the `MigUser.xml` file. It also defines how to migrate access control lists (ACLs). -- **Folders from each user profile.** When you specify the MigUser.xml file, USMT migrates everything in a user’s profiles including the following: +- **Folders from each user profile.** When you specify the `MigUser.xml` file, USMT migrates everything in a user's profiles including the following items: - My Documents, My Video, My Music, My Pictures, desktop files, Start menu, Quick Launch settings, and Favorites. + - My Documents + + - My Video + + - My Music + + - My Pictures + + - Desktop files + + - Start menu + + - Quick Launch settings + + - Favorites > [!IMPORTANT] - > Starting in Windows 10, version 1607 the USMT does not migrate the Start menu layout. To migrate a user's Start menu, you must export and then import settings using the Windows PowerShell cmdlets **Export-StartLayout** and **Import-StartLayout**. For more information, see [USMT common issues](./usmt-common-issues.md#usmt-does-not-migrate-the-start-layout). + > Starting in Windows 10, version 1607 the USMT does not migrate the Start menu layout. To migrate a user's Start menu, you must export and then import settings using the Windows PowerShell cmdlets **Export-StartLayout** and **Import-StartLayout**. For more information, see [USMT common issues](/troubleshoot/windows-client/deployment/usmt-common-issues#usmt-doesnt-migrate-the-start-layout). -- **Folders from the All Users and Public profiles.** When you specify the MigUser.xml file, USMT also migrates the following from the **All Users** profile in Windows® XP, or the **Public** profile in Windows Vista, Windows 7, or Windows 8: +- **Folders from the All Users and Public profiles.** When you specify the `MigUser.xml` file, USMT also migrates the following from the **Public** profile in Windows Vista, Windows 7, Windows 8, or Windows 10: - - Shared Documents + - Shared Documents - - Shared Video + - Shared Video - - Shared Music + - Shared Music - - Shared desktop files + - Shared desktop files - - Shared Pictures + - Shared Pictures - - Shared Start menu + - Shared Start menu - - Shared Favorites + - Shared Favorites -- **File types.** When you specify the MigUser.xml file, the ScanState tool searches the fixed drives, collects, and then migrates files with any of the following file extensions: +- **File types.** When you specify the `MigUser.xml` file, the **ScanState** tool searches the fixed drives, collects, and then migrates files with any of the following file extensions: - **.accdb, .ch3, .csv, .dif, .doc\*, .dot\*, .dqy, .iqy, .mcw, .mdb\*, .mpp, .one\*, .oqy, .or6, .pot\*, .ppa, .pps\*, .ppt\*, .pre, .pst, .pub, .qdf, .qel, .qph, .qsd, .rqy, .rtf, .scd, .sh3, .slk, .txt, .vl\*, .vsd, .wk\*, .wpd, .wps, .wq1, .wri, .xl\*, .xla, .xlb, .xls\*.** + `.accdb`, `.ch3`, `.csv`, `.dif`, `.doc*`, `.dot*`, `.dqy`, `.iqy`, `.mcw`, `.mdb*`, `.mpp`, `.one*`, `.oqy`, `.or6`, `.pot*`, `.ppa`, `.pps*`, `.ppt*`, `.pre`, `.pst`, `.pub`, `.qdf`, `.qel`, `.qph`, `.qsd`, `.rqy`, `.rtf`, `.scd`, `.sh3`, `.slk`, `.txt`, `.vl*`, `.vsd`, `.wk*`, `.wpd`, `.wps`, `.wq1`, `.wri`, `.xl*`, `.xla`, `.xlb`, `.xls*` > [!NOTE] - > The asterisk (\*) stands for zero or more characters. + > The asterisk (`*`) stands for zero or more characters. -- **Access control lists.** USMT migrates ACLs for specified files and folders from computers running both Windows® XP and Windows Vista. For example, if you migrate a file named File1.txt that is read-only for User1 and read/write for User2, these settings will still apply on the destination computer after the migration. + > [!NOTE] + > The OpenDocument extensions (`*.odt`, `*.odp`, `*.ods`) that Microsoft Office applications can use aren't migrated by default. -> [!IMPORTANT] -> To migrate ACLs, you must specify the directory to migrate in the MigUser.xml file. Using file patterns like \*.doc will not migrate a directory. The source ACL information is migrated only when you explicitly specify the directory. For example, `c:\test docs`. +- **Access control lists.** USMT migrates access control lists (ACLs) for specified files and folders from computers running both Windows® XP and Windows Vista. For example, if you migrate a file named `File1.txt` that is **read-only** for **User1** and **read/write** for **User2**, these settings will still apply on the destination computer after the migration. -## Operating-system components + > [!IMPORTANT] + > To migrate ACLs, you must specify the directory to migrate in the MigUser.xml file. Using file patterns like \*.doc will not migrate a directory. The source ACL information is migrated only when you explicitly specify the directory. For example, `c:\test docs`. -USMT migrates operating-system components to a destination computer from computers running Windows 7 and Windows 8 +## Operating-system components + +USMT migrates operating-system components to a destination computer from computers running Windows 7 and Windows 8 The following components are migrated by default using the manifest files: -- Accessibility settings +- Accessibility settings -- Address book +- Address book -- Command-prompt settings +- Command-prompt settings -- \*Desktop wallpaper +- Desktop wallpaper **¹** -- EFS files +- EFS files -- Favorites +- Favorites -- Folder options +- Folder options -- Fonts +- Fonts -- Group membership. USMT migrates users’ group settings. The groups to which a user belongs can be found by right-clicking **My Computer** on the Start menu and then selecting **Manage**. When running an offline migration, the use of a **<ProfileControl>** section in the Config.xml file is required. +- Group membership. USMT migrates users' group settings. The groups to which a user belongs can be found by right-clicking **My Computer** on the Start menu and then selecting **Manage**. When running an offline migration, the use of a **<ProfileControl>** section in the `Config.xml` file is required. -- \*Windows Internet Explorer® settings +- Windows Internet Explorer® settings **¹** -- Microsoft® Open Database Connectivity (ODBC) settings +- Microsoft® Open Database Connectivity (ODBC) settings -- Mouse and keyboard settings +- Mouse and keyboard settings -- Network drive mapping +- Network drive mapping -- \*Network printer mapping +- Network printer mapping **¹** -- \*Offline files +- Offline files **¹** -- \*Phone and modem options +- Phone and modem options **¹** -- RAS connection and phone book (.pbk) files +- RAS connection and phone book (.pbk) files -- \*Regional settings +- Regional settings **¹** -- Remote Access +- Remote Access -- \*Taskbar settings +- Taskbar settings **¹** -- User personal certificates (all) +- User personal certificates (all) -- Windows Mail. +- Windows Mail -- \*Windows Media Player +- Windows Media Player **¹** -- Windows Rights Management +- Windows Rights Management -\* These settings aren't available for an offline migration. For more information, see [Offline Migration Reference](offline-migration-reference.md). + **¹** These settings aren't available for an offline migration. For more information, see [Offline migration reference](offline-migration-reference.md). > [!IMPORTANT] > This list may not be complete. There may be additional components that are migrated. > [!NOTE] -> Some settings, such as fonts, aren't applied by the LoadState tool until after the destination computer has been restarted. For this reason, restart the destination computer after you run the LoadState tool. +> Some settings, such as fonts, aren't applied by the **LoadState** tool until after the destination computer has been restarted. For this reason, restart the destination computer after you run the **LoadState** tool. -## Supported applications +## Supported applications Even though it's not required for all applications, it's good practice to install all applications on the destination computer before restoring the user state. Installing applications before migrating settings helps to ensure that migrated settings aren't overwritten by the application installers. > [!NOTE] -> -> - The versions of installed applications must match on the source and destination computers. USMT does not support migrating the settings of an earlier version of an application to a later version, except for Microsoft Office. -> - USMT migrates only the settings that have been used or modified by the user. If there is an application setting on the source computer that was not touched by the user, the setting may not migrate. +> The versions of installed applications must match on the source and destination computers. USMT does not support migrating the settings of an earlier version of an application to a later version, except for Microsoft Office. -When you specify the MigApp.xml file, USMT migrates the settings for the following applications: +> [!NOTE] +> USMT migrates only the settings that have been used or modified by the user. If there is an application setting on the source computer that was not touched by the user, the setting may not migrate. + +When you specify the `MigApp.xml` file, USMT migrates the settings for the following applications: |Product|Version| |--- |--- | @@ -156,7 +174,7 @@ When you specify the MigApp.xml file, USMT migrates the settings for the followi |Google Picasa|3| |Google Talk|beta| |IBM Lotus 1-2-3|9| -|IBM Lotus Notes|6,7, 8| +|IBM Lotus Notes|6, 7, 8| |IBM Lotus Organizer|5| |IBM Lotus WordPro|9.9| |Intuit Quicken Deluxe|2009| @@ -189,54 +207,52 @@ When you specify the MigApp.xml file, USMT migrates the settings for the followi |Yahoo Messenger|9| |Microsoft Zune™ Software|3| -## What USMT doesn't migrate +## What USMT doesn't migrate -The following is a list of the settings that USMT doesn't migrate. If you are having a problem that isn't listed here, see [Common Issues](usmt-common-issues.md). +The following items are settings that USMT doesn't migrate. If you're having a problem that isn't listed here, see [Common issues](/troubleshoot/windows-client/deployment/usmt-common-issues). ### Application settings -USMT does not migrate the following application settings: +USMT doesn't migrate the following application settings: -- Settings from earlier versions of an application. The versions of each application must match on the source and destination computers. USMT does not support migrating the settings of an earlier version of an application to a later version, except for Microsoft Office. USMT can migrate from an earlier version of Microsoft Office to a later version. +- Settings from earlier versions of an application. The versions of each application must match on the source and destination computers. USMT doesn't support migrating the settings of an earlier version of an application to a later version, except for Microsoft Office. USMT can migrate from an earlier version of Microsoft Office to a later version. -- Application settings and some operating-system settings when a local account is created. For example, if you run /lac to create a local account on the destination computer, USMT will migrate the user data, but only some of the operating-system settings, such as wallpaper and screensaver settings, and no application settings will migrate. +- Application settings and some operating-system settings when a local account is created. For example, if you run `/lac` to create a local account on the destination computer, USMT will migrate the user data, but only some of the operating-system settings, such as wallpaper and screensaver settings, and no application settings will migrate. -- Microsoft Project settings, when migrating from Office 2003 to Office 2007 system. +- Microsoft Project settings, when migrating from Office 2003 to Office 2007 system. -- ICQ Pro settings, if ICQ Pro is installed in a different location on the destination computer. To successfully migrate the settings of ICQ Pro, you must install ICQ Pro in the same location on the destination computer as it was on the source computer. Otherwise, after you run the LoadState tool, the application won't start. You may encounter problems when: +- ICQ Pro settings, if ICQ Pro is installed in a different location on the destination computer. To successfully migrate the settings of ICQ Pro, you must install ICQ Pro in the same location on the destination computer as it was on the source computer. Otherwise, after you run the **LoadState** tool, the application won't start. You may encounter problems when: - - You change the default installation location on 32-bit destination computers. + - You change the default installation location on 32-bit destination computers. - - You attempt to migrate from a 32-bit computer to a 64-bit computer. This is because the ICQ Pro default installation directory is different on the two types of computers. When you install ICQ Pro on a 32-bit computer, the default location is "C:\\Program Files\\...". The ICQ Pro default installation directory on an x64-based computer, however, is “C:\\Program Files (x86)\\...”. + - You attempt to migrate from a 32-bit computer to a 64-bit computer. Attempting to migrate settings between different architectures doesn't work because the ICQ Pro default installation directory is different on the two types of computers. When you install ICQ Pro on a 32-bit computer, the default location is `C:\Program Files\...`. The ICQ Pro default installation directory on an x64-based computer, however, is `C:\Program Files (x86)\...`. ### Operating-System settings -USMT does not migrate the following operating-system settings. +USMT doesn't migrate the following operating-system settings. -- Local printers, hardware-related settings, drivers, passwords, application binary files, synchronization files, DLL files, or other executable files. +- Local printers, hardware-related settings, drivers, passwords, application binary files, synchronization files, DLL files, or other executable files. -- Permissions for shared folders. After migration, you must manually reshare any folders that were shared on the source computer. +- Permissions for shared folders. After migration, you must manually re-share any folders that were shared on the source computer. -- Files and settings migrating between operating systems with different languages. The operating system of the source computer must match the language of the operating system on the destination computer. +- Files and settings migrating between operating systems with different languages. The operating system of the source computer must match the language of the operating system on the destination computer. -- Customized icons for shortcuts may not migrate. +- Customized icons for shortcuts may not migrate. -- Taskbar settings, when the source computer is running Windows XP. +You should also note the following items: -You should also note the following: +- You should run USMT from an account with administrative credentials. Otherwise, some data won't migrate. When running the **ScanState** and **LoadState** tools, you must run the tools in Administrator mode from an account with administrative credentials. If you don't run USMT in Administrator mode, only the user profile that is logged on will be included in the migration. -- You should run USMT from an account with administrative credentials. Otherwise, some data will not migrate. When running the ScanState and LoadState tools you must run the tools in Administrator mode from an account with administrative credentials. If you don't run USMT in Administrator mode, only the user profile that is logged on will be included in the migration. In addition, you must run the ScanState tool on Windows XP from an account with administrative credentials. Otherwise, some operating-system settings will not migrate. To run in Administrator mode, select **Start**, **All Programs**, **Accessories**, right-click **Command Prompt**, and then select **Run as administrator**. - -- You can use the /**localonly** option to exclude the data from removable drives and network drives mapped on the source computer. For more information about what is excluded when you specify /**localonly**, see [ScanState Syntax](usmt-scanstate-syntax.md). +- You can use the `/localonly` option to exclude the data from removable drives and network drives mapped on the source computer. For more information about what is excluded when you specify `/localonly`, see [ScanState syntax](usmt-scanstate-syntax.md). ### Start menu layout -Starting in Windows 10, version 1607 the USMT does not migrate the Start menu layout. To migrate a user's Start menu, you must export and then import settings using the Windows PowerShell cmdlets **Export-StartLayout** and **Import-StartLayout**. For more information, see [USMT common issues](./usmt-common-issues.md#usmt-does-not-migrate-the-start-layout). +Starting in Windows 10, version 1607 the USMT doesn't migrate the Start menu layout. To migrate a user's Start menu, you must export and then import settings using the Windows PowerShell cmdlets **Export-StartLayout** and **Import-StartLayout**. For more information, see [USMT common issues](/troubleshoot/windows-client/deployment/usmt-common-issues#usmt-doesnt-migrate-the-start-layout). ### User profiles from Active Directory to Azure Active Directory USMT doesn't support migrating user profiles from Active Directory to Azure Active Directory. -## Related topics +## Related articles [Plan your migration](usmt-plan-your-migration.md) diff --git a/windows/deployment/usmt/usmt-xml-elements-library.md b/windows/deployment/usmt/usmt-xml-elements-library.md index 5537ec22e6..34115d72da 100644 --- a/windows/deployment/usmt/usmt-xml-elements-library.md +++ b/windows/deployment/usmt/usmt-xml-elements-library.md @@ -2,52 +2,40 @@ title: XML Elements Library (Windows 10) description: Learn about the XML elements and helper functions that you can employ to author migration .xml files to use with User State Migration Tool (USMT). ms.reviewer: -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski -ms.date: 04/19/2017 +author: frankroj +ms.date: 11/01/2022 ms.topic: article ms.technology: itpro-deploy --- -# XML Elements Library +# XML elements library This topic describes the XML elements and helper functions that you can employ to author migration .xml files to use with User State Migration Tool (USMT). It is assumed that you understand the basics of XML. -## In this topic +In addition to XML elements and helper functions, this article describes how to specify encoded locations and locations patterns, functions that are for internal USMT use only, and the version tags that you can use with helper functions. -In addition to XML elements and helper functions, this topic describes how to specify encoded locations and locations patterns, functions that are for internal USMT use only, and the version tags that you can use with helper functions. - -- [Elements and helper functions](#elements) - -- [Appendix](#appendix) - - - [Specifying locations](#locations) - - - [Internal USMT functions](#internalusmtfunctions) - - - [Valid version tags](#allowed) - -## Elements and Helper Functions +## Elements and helper functions The following table describes the XML elements and helper functions you can use with USMT. | Elements A-K | Elements L-Z | Helper functions | |-----|----|-----| -| [<addObjects>](#addobjects)
    [<attributes>](#attribute)
    [<bytes>](#bytes)
    [<commandLine>](#commandline)
    [<component>](#component)
    [<condition>](#condition)
    [<conditions>](#conditions)
    [<content>](#content)
    [<contentModify>](#contentmodify)
    [<description>](#description)
    [<destinationCleanup>](#destinationcleanup)
    [<detect>](#detect)
    [<detects>](#detects)
    [<detection>](#detection)
    [<displayName>](#displayname)
    [<environment>](#bkmk-environment)
    [<exclude>](#exclude)
    [<excludeAttributes>](#excludeattributes)
    [<extensions>](#extensions)
    [<extension>](#extension)
    [<externalProcess>](#externalprocess)
    [<icon>](#icon)
    [<include>](#include)
    [<includeAttribute>](#includeattributes) | [<library>](#library)
    [<location>](#location)
    [<locationModify>](#locationmodify)
    [<_locDefinition>](#locdefinition)
    [<manufacturer>](#manufacturer)
    [<merge>](#merge)
    [<migration>](#migration)
    [<namedElements>](#namedelements)
    [<object>](#object)
    [<objectSet>](#objectset)
    [<path>](#path)
    [<paths>](#paths)
    [<pattern>](#pattern)
    [<processing>](#processing)
    [<plugin>](#plugin)
    [<role>](#role)
    [<rules>](#rules)
    [<script>](#script)
    [<text>](#text)
    [<unconditionalExclude>](#unconditionalexclude)
    [<variable>](#variable)
    [<version>](#version)
    [<windowsObjects>](#windowsobjects) | [<condition> functions](#conditionfunctions)
    [<content> functions](#contentfunctions)
    [<contentModify> functions](#contentmodifyfunctions)
    [<include> and <exclude> filter functions](#persistfilterfunctions)
    [<locationModify> functions](#locationmodifyfunctions)
    [<merge> functions](#mergefunctions)
    [<script> functions](#scriptfunctions)
    [Internal USMT functions](#internalusmtfunctions) | +| [<addObjects>](#addobjects)
    [<attributes>](#attributes)
    [<bytes>](#bytes)
    [<commandLine>](#commandline)
    [<component>](#component)
    [<condition>](#condition)
    [<conditions>](#conditions)
    [<content>](#content)
    [<contentModify>](#contentmodify)
    [<description>](#description)
    [<destinationCleanup>](#destinationcleanup)
    [<detect>](#detect)
    [<detects>](#detects)
    [<detection>](#detection)
    [<displayName>](#displayname)
    [<environment>](#environment)
    [<exclude>](#exclude)
    [<excludeAttributes>](#excludeattributes)
    [<extensions>](#extensions)
    [<extension>](#extension)
    [<externalProcess>](#externalprocess)
    [<icon>](#icon)
    [<include>](#include)
    [<includeAttribute>](#includeattributes) | [<library>](#library)
    [<location>](#location)
    [<locationModify>](#locationmodify)
    [<_locDefinition>](#_locdefinition)
    [<manufacturer>](#manufacturer)
    [<merge>](#merge)
    [<migration>](#migration)
    [<namedElements>](#namedelements)
    [<object>](#object)
    [<objectSet>](#objectset)
    [<path>](#path)
    [<paths>](#paths)
    [<pattern>](#pattern)
    [<processing>](#processing)
    [<plugin>](#plugin)
    [<role>](#role)
    [<rules>](#rules)
    [<script>](#script)
    [<text>](#text)
    [<unconditionalExclude>](#unconditionalexclude)
    [<variable>](#variable)
    [<version>](#version)
    [<windowsObjects>](#windowsobjects) | [<condition> functions](#condition-functions)
    [<content> functions](#content-functions)
    [<contentModify> functions](#contentmodify-functions)
    [<include> and <exclude> filter functions](#include-and-exclude-filter-functions)
    [<locationModify> functions](#locationmodify-functions)
    [<merge> functions](#merge-functions)
    [<script> functions](#script-functions)
    [Internal USMT functions](#internal-usmt-functions) | -## <addObjects> +## <addObjects> -The <addObjects> element emulates the existence of one or more objects on the source computer. The child <object> elements provide the details of the emulated objects. If the content is a <script> element, the result of the invocation will be an array of objects. +The **<addObjects>** element emulates the existence of one or more objects on the source computer. The child **<object>** elements provide the details of the emulated objects. If the content is a **<script>** element, the result of the invocation will be an array of objects. -- **Number of occurrences:** unlimited +- **Number of occurrences:** unlimited -- **Parent elements:**[<rules>](#rules) +- **Parent elements:** [<rules>](#rules) -- **Required child elements:** [<object>](#object) In addition, you must specify [<location>](#location) and [<attribute>](#attribute) as child elements of this <object> element. +- **Required child elements:** [<object>](#object) In addition, you must specify [<location>](#location) and [<attribute>](#attributes) as child elements of this **<object>** element. -- **Optional child elements:**[<conditions>](#conditions), <condition>, [<script>](#script) +- **Optional child elements:** [<conditions>](#conditions), [<condition>](#condition), [<script>](#script) Syntax: @@ -56,7 +44,7 @@ Syntax: ``` -The following example is from the MigApp.xml file: +The following example is from the `MigApp.xml` file: ```xml @@ -73,15 +61,15 @@ The following example is from the MigApp.xml file: ``` -## <attributes> +## <attributes> -The <attributes> element defines the attributes for a registry key or file. +The **<attributes>** element defines the attributes for a registry key or file. -- **Number of occurrences:** once for each <object> +- **Number of occurrences:** once for each [<object>](#object) -- **Parent elements:**[<object>](#object) +- **Parent elements:** [<object>](#object) -- **Child elements:** none +- **Child elements:** none Syntax: @@ -93,7 +81,7 @@ Syntax: |------|-----|----| | *Content* | Yes | The content depends on the type of object specified.
    • For files, the content can be a string containing any of the following attributes separated by commas:
      • Archive
      • Read-only
      • System
      • Hidden
    • For registry keys, the content can be one of the following types:
      • None
      • String
      • ExpandString
      • Binary
      • Dword
      • REG_SZ
    | -The following example is from the MigApp.xml file: +The following example is from the `MigApp.xml` file: ```xml @@ -103,15 +91,15 @@ The following example is from the MigApp.xml file: ``` -## <bytes> +## <bytes> -You must specify the <bytes> element only for files because, if <location> corresponds to a registry key or a directory, then <bytes> will be ignored. +You must specify the **<bytes>** element only for files because, if **<location>** corresponds to a registry key or a directory, then **<bytes>** will be ignored. -- **Number of occurrences:** zero or one +- **Number of occurrences:** zero or one -- **Parent elements:**[<object>](#object) +- **Parent elements:** [<object>](#object) -- **Child elements:** none +- **Child elements:** none Syntax: @@ -122,10 +110,10 @@ Syntax: |Setting|Required?|Value| |--- |--- |--- | |string|No, default is No|Determines whether *Content* should be interpreted as a string or as bytes.| -|expand|No (default = Yes|When the expand parameter is Yes, the content of the <bytes> element is first expanded in the context of the source computer and then interpreted.| -|*Content*|Yes|Depends on the value of the string.
    • When the string is Yes: the content of the <bytes> element is interpreted as a string.
    • When the string is No: the content of the <bytes> element is interpreted as bytes. Each two characters represent the hexadecimal value of a byte. For example, "616263" is the representation for the "abc" ANSI string. A complete representation of the UNICODE string "abc" including the string terminator would be: "6100620063000000".
    | +|expand|No (default = Yes|When the expand parameter is **Yes**, the content of the **<bytes>** element is first expanded in the context of the source computer and then interpreted.| +|*Content*|Yes|Depends on the value of the string.
    • When the string is **Yes**: the content of the **<bytes>** element is interpreted as a string.
    • When the string is **No**: the content of the **<bytes>** element is interpreted as bytes. Each two characters represent the hexadecimal value of a byte. For example, `616263` is the representation for the `abc` ANSI string. A complete representation of the UNICODE string `abc` including the string terminator would be: `6100620063000000`.
    | -The following example is from the MigApp.xml file: +The following example is from the `MigApp.xml` file: ```xml @@ -135,16 +123,15 @@ The following example is from the MigApp.xml file: ``` -## <commandLine> +## <commandLine> +You might want to use the **<commandLine>** element if you want to start or stop a service or application before or after you run the **ScanState** and **LoadState** tools. -You might want to use the <commandLine> element if you want to start or stop a service or application before or after you run the ScanState and LoadState tools. +- **Number of occurrences:** unlimited -- **Number of occurrences:** unlimited +- **Parent elements:** [<externalProcess>](#externalprocess) -- **Parent elements:**[<externalProcess>](#externalprocess) - -- **Child elements:** none**** +- **Child elements:** none Syntax: @@ -156,19 +143,22 @@ Syntax: |--- |--- |--- | |*CommandLineString*|Yes|A valid command line.| -## <component> +## <component> -The <component> element is required in a custom .xml file. This element defines the most basic construct of a migration .xml file. For example, in the MigApp.xml file, "Microsoft® Office 2003" is a component that contains another component, "Microsoft Office Access® 2003". You can use the child elements to define the component. +The **<component>** element is required in a custom .xml file. This element defines the most basic construct of a migration .xml file. For example, in the `MigApp.xml` file, "Microsoft Office 2003" is a component that contains another component, "Microsoft Office Access 2003". You can use the child elements to define the component. -A component can be nested inside another component; that is, the <component> element can be a child of the <role> element within the <component> element in two cases: 1) when the parent <component> element is a container or 2) if the child <component> element has the same role as the parent <component> element. +A component can be nested inside another component; that is, the **<component>** element can be a child of the **<role>** element within the **<component>** element in two cases: -- **Number of occurrences:** Unlimited +1. When the parent **<component>** element is a container +2. If the child **<component>** element has the same role as the parent **<component>** element. -- **Parent elements:**[<migration>](#migration), [<role>](#role) +- **Number of occurrences:** Unlimited -- **Required child elements:**[<role>](#role), [<displayName>](#displayname) +- **Parent elements:** [<migration>](#migration), [<role>](#role) -- **Optional child elements:**[<manufacturer>](#manufacturer), [<version>](#version), [<description>](#description), [<paths>](#paths), [<icon>](#icon), [<environment>](#bkmk-environment), [<extensions>](#extensions) +- **Required child elements:** [<role>](#role), [<displayName>](#displayname) + +- **Optional child elements:** [<manufacturer>](#manufacturer), [<version>](#version), [<description>](#description), [<paths>](#paths), [<icon>](#icon), [<environment>](#environment), [<extensions>](#extensions) Syntax: @@ -180,26 +170,26 @@ hidden="Yes|No"> |Setting|Required?|Value| |--- |--- |--- | -| type | Yes | You can use the following to group settings, and define the type of the component.
    • **System:** Operating system settings. All Windows® components are defined by this type.
      When type="System" and defaultSupported="FALSE" the settings will not migrate unless there is an equivalent component in the .xml files that is specified on the LoadState command line. For example, the default MigSys.xml file contains components with type="System" and defaultSupported="FALSE". If you specify this file on the ScanState command line, you must also specify the file on the LoadState command line for the settings to migrate. This is because the LoadState tool must detect an equivalent component. That is, the component must have the same migration urlid of the .xml file and an identical display name. Otherwise, the LoadState tool will not migrate those settings from the store. This is helpful when the source computer is running Windows XP, and you are migrating to both Windows Vista and Windows XP because you can use the same store for both destination computers.
    • **Application:** Settings for an application.
    • **Device:** Settings for a device.
    • **Documents:** Specifies files.
    | -| context | No
    Default = UserAndSystem | Defines the scope of this parameter; that is, whether to process this component in the context of the specific user, across the entire operating system, or both.
    The largest possible scope is set by the <component> element. For example, if a <component> element has a context of User and a <rules> element had a context of UserAndSystem, then the <rules> element would act as though it has a context of User. If a <rules> element has a context of System, it would act as though the <rules> element is not there.
    • **User**. Evaluates the component for each user.
    • **System**. Evaluates the component only once for the system.
    • **UserAndSystem**. Evaluates the component for the entire operating system and each user.
    | -| defaultSupported | No
    (default = TRUE) | Can be any of TRUE, FALSE, YES, or NO. If this parameter is FALSE (or NO), the component will not be migrated unless there is an equivalent component on the destination computer.
    When type="System" and defaultSupported="FALSE" the settings will not migrate unless there is an equivalent component in the .xml files that are specified on the LoadState command line. For example, the default MigSys.xml file contains components with type="System" and defaultSupported="FALSE". If you specify this file on the ScanState command line, you must also specify the file on the LoadState command line for the settings to migrate. This is because the LoadState tool must detect an equivalent component. That is, the component must have the same migration urlid of the .xml file and an identical display name or the LoadState tool will not migrate those settings from the store. This is helpful when the source computer is running Windows XP, and you are migrating to both Windows Vista and Windows XP because you can use the same store for both destination computers. | +| type | Yes | You can use the following to group settings, and define the type of the component.
    • **System:** Operating system settings. All Windows components are defined by this type.
      When **type="System"** and **defaultSupported="FALSE"** the settings will not migrate unless there is an equivalent component in the .xml files that is specified on the `LoadState.exe` command line. For example, the default `MigSys.xml` file contains components with **type="System"** and **defaultSupported="FALSE"**. If you specify this file on the `ScanState.exe` command line, you must also specify the file on the `LoadState.exe` command line for the settings to migrate. This is because the `LoadState.exe` tool must detect an equivalent component. That is, the component must have the same migration urlid of the .xml file and an identical display name. Otherwise, the **LoadState** tool will not migrate those settings from the store. This is helpful because you can use the same store for destination computers that are the same version of Windows and a different version of Windows as the source computer.
    • **Application:** Settings for an application.
    • **Device:** Settings for a device.
    • **Documents:** Specifies files.
    | +| context | No
    Default = UserAndSystem | Defines the scope of this parameter; that is, whether to process this component in the context of the specific user, across the entire operating system, or both.
    The largest possible scope is set by the **<component>** element. For example, if a **<component>** element has a context of **User** and a **<rules>** element had a context of **UserAndSystem**, then the **<rules>** element would act as though it has a context of **User**. If a **<rules>** element has a context of **System**, it would act as though the **<rules>** element is not there.
    • **User**: Evaluates the component for each user.
    • **System**: Evaluates the component only once for the system.
    • **UserAndSystem**: Evaluates the component for the entire operating system and each user.
    | +| defaultSupported | No
    (default = TRUE) | Can be any of **TRUE**, **FALSE**, **YES**, or **NO**. If this parameter is **FALSE** (or **NO**), the component will not be migrated unless there is an equivalent component on the destination computer.
    When **type="System"** and **defaultSupported="FALSE"** the settings will not migrate unless there is an equivalent component in the .xml files that are specified on the `LoadState.exe` command line. For example, the default `MigSys.xml` file contains components with **type="System"** and **defaultSupported="FALSE"**. If you specify this file on the `ScanState.exe` command line, you must also specify the file on the `LoadState.exe` command line for the settings to migrate. This is because the **LoadState** tool must detect an equivalent component. That is, the component must have the same migration urlid of the .xml file and an identical display name or the **LoadState** tool will not migrate those settings from the store. This is helpful because you can use the same store for destination computers that are the same version of Windows and a different version of Windows as the source computer. | | hidden | | This parameter is for internal USMT use only. | For an example, see any of the default migration .xml files. -## <condition> +## <condition> -Although the <condition> element under the <detect>, <objectSet>, and <addObjects> elements is supported, we recommend that you do not use it. This element might be deprecated in future versions of USMT, requiring you to rewrite your scripts. We recommend that, if you need to use a condition within the <objectSet> and <addObjects> elements, you use the more powerful [<conditions>](#conditions) element, which allows you to formulate complex Boolean statements. +Although the **<condition>** element under the **<detect>**, **<objectSet>**, and **<addObjects>** elements is still supported, it is recommend to no longer use the **<condition>** element because it may be deprecated in future versions of USMT. If the **<condition>** element were depecated, it would require a rewrite of any scripts that use the **<condition>** element. Instead, if you need to use a condition within the **<objectSet>** and **<addObjects>** elements, it is recommended to use the more powerful **[<conditions>](#conditions)** element. The **<conditions>** element allows for formulation of complex Boolean statements. -The <condition> element has a Boolean result. You can use this element to specify the conditions in which the parent element will be evaluated. If any of the present conditions return FALSE, the parent element will not be evaluated. +The **<condition>** element has a Boolean result. You can use this element to specify the conditions in which the parent element will be evaluated. If any of the present conditions return **FALSE**, the parent element will not be evaluated. -- **Number of occurrences:** unlimited. +- **Number of occurrences:** unlimited. -- **Parent elements:**[<conditions>](#conditions), <detect>, <objectSet>, <addObjects> +- **Parent elements:** [<conditions>](#conditions), [<detect>](#detect), [<objectSet>](#objectset), [<addObjects>](#addobjects) -- **Child elements:** none +- **Child elements:** none -- **Helper functions:** You can use the following [<condition> functions](#conditionfunctions) with this element: DoesOSMatch, IsNative64Bit(), IsOSLaterThan, IsOSEarlierThan, DoesObjectExist, DoesFileVersionMatch, IsFileVersionAbove, IsFileVersionBelow, IsSystemContext, DoesStringContentEqual, DoesStringContentContain, IsSameObject, IsSameContent, and IsSameStringContent. +- **Helper functions:** You can use the following [<condition> functions](#condition-functions) with this element: `DoesOSMatch`, `IsNative64Bit()`, `IsOSLaterThan`, `IsOSEarlierThan`, `DoesObjectExist`, `DoesFileVersionMatch`, `IsFileVersionAbove`, `IsFileVersionBelow`, `IsSystemContext`, `DoesStringContentEqual`, `DoesStringContentContain`, `IsSameObject`, `IsSameContent`, and `IsSameStringContent`. Syntax: @@ -209,12 +199,10 @@ Syntax: |Setting|Required?|Value| |--- |--- |--- | -|negation|No
    Default = No|"Yes" reverses the True/False value of the condition.| +|negation|No
    Default = No|**"Yes"** reverses the True/False value of the condition.| |*ScriptName*|Yes|A script that has been defined within this migration section.| -For example, - -In the code sample below, the <condition> elements, A and B, are joined together by the AND operator because they are in separate <conditions> sections. For example: +For example, in the code sample below, the **<condition>** elements, **A** and **B**, are joined together by the **AND** operator because they are in separate **<conditions>** sections: ```xml @@ -227,7 +215,7 @@ In the code sample below, the <condition> elements, A and B, are joined to ``` -However, in the code sample below, the <condition> elements, A and B, are joined together by the OR operator because they are in the same <conditions> section. +However, in the code sample below, the **<condition>** elements, **A** and **B**, are joined together by the **OR** operator because they are in the same **<conditions>** section. ```xml @@ -238,17 +226,17 @@ However, in the code sample below, the <condition> elements, A and B, are ``` -### <condition> functions +### <condition> functions -The <condition> functions return a Boolean value. You can use these elements in <addObjects> conditions. +The **<condition>** functions return a Boolean value. You can use these elements in **<addObjects>** conditions. -- [Operating system version functions](#operatingsystemfunctions) +- [Operating system version functions](#operating-system-version-functions) -- [Object content functions](#objectcontentfunctions) +- [Object content functions](#object-content-functions) -### Operating system version functions +### Operating system version functions -- **DoesOSMatch** +- **DoesOSMatch** All matches are case insensitive. @@ -256,8 +244,8 @@ The <condition> functions return a Boolean value. You can use these elemen |Setting|Required?|Value| |--- |--- |--- | - |*OSType*|Yes|The only valid value for this setting is **NT**. Note, however, that you must set this setting for the <condition> functions to work correctly.| - |*OSVersion*|Yes|The major version, minor version, build number and corrected service diskette version separated by periods. For example, `5.0.2600.Service Pack 1`. You can also specify partial specification of the version with a pattern. For example, `5.0.*`.| + |*OSType*|Yes|The only valid value for this setting is **NT**. Note, however, that you must set this setting for the **<condition>** functions to work correctly.| + |*OSVersion*|Yes|The major version, minor version, build number and corrected service diskette version separated by periods. For example, `5.0.2600.Service Pack 1`. You can also specify partial specification of the version with a pattern such as `5.0.*`.| For example: @@ -265,11 +253,11 @@ The <condition> functions return a Boolean value. You can use these elemen MigXmlHelper.DoesOSMatch("NT","\*") ``` -- **IsNative64Bit** +- **IsNative64Bit** - The IsNative64Bit function returns TRUE if the migration process is running as a native 64-bit process; that is, a process running on a 64-bit system without Windows on Windows (WOW). Otherwise, it returns FALSE. + The **IsNative64Bit** function returns **TRUE** if the migration process is running as a native 64-bit process; that is, a process running on a 64-bit system without Windows on Windows (WOW). Otherwise, it returns **FALSE**. -- **IsOSLaterThan** +- **IsOSLaterThan** All comparisons are case insensitive. @@ -277,8 +265,8 @@ The <condition> functions return a Boolean value. You can use these elemen |Setting|Required?|Value| |--- |--- |--- | - |*OSType*|Yes|Can be **9x** or **NT**. If *OSType* does not match the type of the current operating system, then it returns FALSE. For example, if the current operating system is Windows NT-based and *OSType* is "9x", the result will be FALSE.| - |*OSVersion*|Yes|The major version, minor version, build number, and corrected service diskette version separated by periods. For example, `5.0.2600.Service Pack 1`. You can also specify partial specification of the version but no pattern is allowed. For example, `5.0`.

    The IsOSLaterThan function returns TRUE if the current operating system is later than or equal to *OSVersion*.| + |*OSType*|Yes|Can be **9x** or **NT**. If *OSType* does not match the type of the current operating system, then it returns **FALSE**. For example, if the current operating system is Windows NT-based and *OSType* is **"9x"**, the result will be **FALSE**.| + |*OSVersion*|Yes|The major version, minor version, build number, and corrected service diskette version separated by periods. For example, `5.0.2600.Service Pack 1`. You can also specify partial specification of the version but no pattern is allowed such as `5.0`.

    The **IsOSLaterThan** function returns **TRUE** if the current operating system is later than or equal to *OSVersion*.| For example: @@ -286,7 +274,7 @@ The <condition> functions return a Boolean value. You can use these elemen MigXmlHelper.IsOSLaterThan("NT","6.0") ``` -- **IsOSEarlierThan** +- **IsOSEarlierThan** All comparisons are case insensitive. @@ -294,24 +282,23 @@ The <condition> functions return a Boolean value. You can use these elemen |Setting|Required?|Value| |--- |--- |--- | - |*OSType*|Yes|Can be **9x** or **NT**. If *OSType* does not match the type of the current operating system, then it returns FALSE. For example, if the current operating system is Windows NT-based and *OSType* is "9x" the result will be FALSE.| - |*OSVersion*|Yes|The major version, minor version, build number, and corrected service diskette version separated by periods. For example, `5.0.2600.Service Pack 1`. You can also specify partial specification of the version but no pattern is allowed. For example, `5.0`.

    The IsOSEarlierThan function returns TRUE if the current operating system is earlier than *OSVersion*.| + |*OSType*|Yes|Can be **9x** or **NT**. If *OSType* does not match the type of the current operating system, then it returns **FALSE**. For example, if the current operating system is Windows NT-based and *OSType* is **"9x"** the result will be **FALSE**.| + |*OSVersion*|Yes|The major version, minor version, build number, and corrected service diskette version separated by periods. For example, `5.0.2600.Service Pack 1`. You can also specify partial specification of the version but no pattern is allowed such as `5.0`.

    The **IsOSEarlierThan** function returns **TRUE** if the current operating system is earlier than *OSVersion*.| - -### Object content functions +### Object content functions - **DoesObjectExist** - The DoesObjectExist function returns TRUE if any object exists that matches the location pattern. Otherwise, it returns FALSE. The location pattern is expanded before attempting the enumeration. + The DoesObjectExist function returns **TRUE** if any object exists that matches the location pattern. Otherwise, it returns **FALSE**. The location pattern is expanded before attempting the enumeration. Syntax: `DoesObjectExist("ObjectType","EncodedLocationPattern")` |Setting|Required?|Value| |--- |--- |--- | |*ObjectType*|Yes|Defines the object type. Can be File or Registry.| - |*EncodedLocationPattern*|Yes|The [location pattern](#locations). Environment variables are allowed.| + |*EncodedLocationPattern*|Yes|The **[location pattern](#specifying-locations)**. Environment variables are allowed.| - For an example of this element, see the MigApp.xml file. + For an example of this element, see the `MigApp.xml` file. - **DoesFileVersionMatch** @@ -321,8 +308,8 @@ The <condition> functions return a Boolean value. You can use these elemen |Setting|Required?|Value| |--- |--- |--- | - |*EncodedFileLocation*|Yes|The [location pattern](#locations) for the file that will be checked. Environment variables are allowed.| - |*VersionTag*|Yes|The [version tag](#allowed) value that will be checked.| + |*EncodedFileLocation*|Yes|The **[location pattern](#specifying-locations)** for the file that will be checked. Environment variables are allowed.| + |*VersionTag*|Yes|The **[version tag](#valid-version-tags)** value that will be checked.| |*VersionValue*|Yes|A string pattern. For example, "Microsoft*".| For example: @@ -333,14 +320,14 @@ The <condition> functions return a Boolean value. You can use these elemen - **IsFileVersionAbove** - The IsFileVersionAbove function returns TRUE if the version of the file is higher than *VersionValue*. + The **IsFileVersionAbove** function returns **TRUE** if the version of the file is higher than *VersionValue*. Syntax: `IsFileVersionAbove("EncodedFileLocation","VersionTag","VersionValue")` |Setting|Required?|Value| |--- |--- |--- | - |*EncodedFileLocation*|Yes|The [location pattern](#locations) for the file that will be checked. Environment variables are allowed.| - |*VersionTag*|Yes|The [version tag](#allowed) value that will be checked.| + |*EncodedFileLocation*|Yes|The **[location pattern](#specifying-locations)** for the file that will be checked. Environment variables are allowed.| + |*VersionTag*|Yes|The **[version tag](#valid-version-tags)** value that will be checked.| |*VersionValue*|Yes|The value to compare to. You cannot specify a pattern.| - **IsFileVersionBelow** @@ -349,26 +336,26 @@ The <condition> functions return a Boolean value. You can use these elemen |Setting|Required?|Value| |--- |--- |--- | - |*EncodedFileLocation*|Yes|The [location pattern](#locations) for the file that will be checked. Environment variables are allowed.| - |*VersionTag*|Yes|The [version tag](#allowed) value that will be checked.| + |*EncodedFileLocation*|Yes|The **[location pattern](#specifying-locations)** for the file that will be checked. Environment variables are allowed.| + |*VersionTag*|Yes|The **[version tag](#valid-version-tags)** value that will be checked.| |*VersionValue*|Yes|The value to compare to. You cannot specify a pattern.| - **IsSystemContext** - The IsSystemContext function returns TRUE if the current context is "System". Otherwise, it returns FALSE. + The **IsSystemContext** function returns **TRUE** if the current context is **"System"**. Otherwise, it returns **FALSE**. Syntax: `IsSystemContext()` - **DoesStringContentEqual** - The DoesStringContentEqual function returns TRUE if the string representation of the given object is identical to `StringContent`. + The **DoesStringContentEqual** function returns **TRUE** if the string representation of the given object is identical to `StringContent`. Syntax: `DoesStringContentEqual("ObjectType","EncodedLocation","StringContent")` |Setting|Required?|Value| |--- |--- |--- | |*ObjectType*|Yes|Defines the type of object. Can be File or Registry.| - |*EncodedLocationPattern*|Yes|The [encoded location](#locations) for the object that will be examined. You can specify environment variables.| + |*EncodedLocationPattern*|Yes|The **[encoded location](#specifying-locations)** for the object that will be examined. You can specify environment variables.| |StringContent|Yes|The string that will be checked against.| For example: @@ -379,27 +366,27 @@ The <condition> functions return a Boolean value. You can use these elemen - **DoesStringContentContain** - The DoesStringContentContain function returns TRUE if there is at least one occurrence of *StrToFind* in the string representation of the object. + The **DoesStringContentContain** function returns **TRUE** if there is at least one occurrence of *StrToFind* in the string representation of the object. Syntax: `DoesStringContentContain("ObjectType","EncodedLocation","StrToFind")` |Setting|Required?|Value| |--- |--- |--- | |*ObjectType*|Yes|Defines the type of object. Can be File or Registry.| - |*EncodedLocationPattern*|Yes|The [encoded location](#locations) for the object that will be examined. You can specify environment variables.| + |*EncodedLocationPattern*|Yes|The **[encoded location](#specifying-locations)** for the object that will be examined. You can specify environment variables.| |*StrToFind*|Yes|A string that will be searched inside the content of the given object.| - **IsSameObject** - The IsSameObject function returns TRUE if the given encoded locations resolve to the same physical object. Otherwise, it returns FALSE. + The **IsSameObject** function returns **TRUE** if the given encoded locations resolve to the same physical object. Otherwise, it returns **FALSE**. Syntax: `IsSameObject("ObjectType","EncodedLocation1","EncodedLocation2")` |Setting|Required?|Value| |--- |--- |--- | |*ObjectType*|Yes|Defines the type of object. Can be File or Registry.| - |*EncodedLocation1*|Yes|The [encoded location](#locations) for the first object. You can specify environment variables.| - |*EncodedLocation2*|Yes|The [encoded location](#locations) for the second object. You can specify environment variables.| + |*EncodedLocation1*|Yes|The **[encoded location](#specifying-locations)** for the first object. You can specify environment variables.| + |*EncodedLocation2*|Yes|The **[encoded location](#specifying-locations)** for the second object. You can specify environment variables.| For example: @@ -412,39 +399,39 @@ The <condition> functions return a Boolean value. You can use these elemen - **IsSameContent** - The IsSameContent function returns TRUE if the given objects have the same content. Otherwise, it returns FALSE. The content will be compared byte by byte. + The **IsSameContent** function returns **TRUE** if the given objects have the same content. Otherwise, it returns **FALSE**. The content will be compared byte by byte. Syntax: `IsSameContent("ObjectType1","EncodedLocation1","ObjectType2","EncodedLocation2")` |Setting|Required?|Value| |--- |--- |--- | |*ObjectType1*|Yes|Defines the type of the first object. Can be File or Registry.| - |*EncodedLocation1*|Yes|The [encoded location](#locations) for the first object. You can specify environment variables.| + |*EncodedLocation1*|Yes|The **[encoded location](#specifying-locations)** for the first object. You can specify environment variables.| |*ObjectType2*|Yes|Defines the type of the second object. Can be File or Registry.| - |*EncodedLocation2*|Yes|The [encoded location](#locations) for the second object. You can specify environment variables.| + |*EncodedLocation2*|Yes|The **[encoded location](#specifying-locations)** for the second object. You can specify environment variables.| - **IsSameStringContent** - The IsSameStringContent function returns TRUE if the given objects have the same content. Otherwise, it returns FALSE. The content will be interpreted as a string. + The **IsSameStringContent** function returns **TRUE** if the given objects have the same content. Otherwise, it returns **FALSE**. The content will be interpreted as a string. Syntax: `IsSameStringContent("ObjectType1","EncodedLocation1","ObjectType2","EncodedLocation2")` |Setting|Required?|Value| |--- |--- |--- | |*ObjectType1*|Yes|Defines the type of the first object. Can be File or Registry.| - |*EncodedLocation1*|Yes|The [encoded location](#locations) for the first object. You can specify environment variables.| + |*EncodedLocation1*|Yes|The **[encoded location](#specifying-locations)** for the first object. You can specify environment variables.| |*ObjectType2*|Yes|Defines the type of the second object. Can be File or Registry.| - |*EncodedLocation2*|Yes|The [encoded location](#locations) for the second object. You can specify environment variables.| + |*EncodedLocation2*|Yes|The **[encoded location](#specifying-locations)** for the second object. You can specify environment variables.| -## <conditions> +## <conditions> -The <conditions> element returns a Boolean result that is used to specify the conditions in which the parent element is evaluated. USMT evaluates the child elements, and then joins their results using the operators AND or OR according to the **operation** parameter. +The **<conditions>** element returns a Boolean result that is used to specify the conditions in which the parent element is evaluated. USMT evaluates the child elements, and then joins their results using the operators **AND** or **OR** according to the operation parameter. -- **Number of occurrences:** Unlimited inside another <conditions> element. Limited to one occurrence in [<detection>](#detection), [<rules>](#rules), [<addObjects>](#addobjects), and [<objectSet>](#objectset) +- **Number of occurrences:** Unlimited inside another **<conditions>** element. Limited to one occurrence in [<detection>](#detection), [<rules>](#rules), [<addObjects>](#addobjects), and [<objectSet>](#objectset) -- **Parent elements:**[<conditions>](#conditions), [<detection>](#detection), [<environment>](#bkmk-environment), [<rules>](#rules), [<addObjects>](#addobjects), and [<objectSet>](#objectset) +- **Parent elements:** [<conditions>](#conditions), [<detection>](#detection), [<environment>](#environment), [<rules>](#rules), [<addObjects>](#addobjects), and [<objectSet>](#objectset) -- **Child elements:**[<conditions>](#conditions), [<condition>](#condition) +- **Child elements:** [<conditions>](#conditions), [<condition>](#condition) Syntax: @@ -457,7 +444,7 @@ Syntax: |--- |--- |--- | |operation|No, default = AND|Defines the Boolean operation that is performed on the results that are obtained from the child elements.| -The following example is from the MigApp.xml file: +The following example is from the `MigApp.xml` file: ```xml @@ -470,17 +457,17 @@ The following example is from the MigApp.xml file: ``` -## <content> +## <content> -You can use the <content> element to specify a list of object patterns to obtain an object set from the source computer. Each <objectSet> within a <content> element is evaluated. For each resulting object pattern list, the objects that match it are enumerated and their content is filtered by the filter parameter. The resulting string array is the output for the <content> element. The filter script returns an array of locations. The parent <objectSet> element can contain multiple child <content> elements. +You can use the **<content>** element to specify a list of object patterns to obtain an object set from the source computer. Each **<objectSet>** within a **<content>** element is evaluated. For each resulting object pattern list, the objects that match it are enumerated and their content is filtered by the filter parameter. The resulting string array is the output for the **<content>** element. The filter script returns an array of locations. The parent **<objectSet>** element can contain multiple child **<content>** elements. -- **Number of occurrences:** unlimited +- **Number of occurrences:** unlimited -- **Parent elements:**[<objectSet>](#objectset) +- **Parent elements:** [<objectSet>](#objectset) -- **Child elements:**[<objectSet>](#objectset) +- **Child elements:** [<objectSet>](#objectset) -- **Helper functions:** You can use the following [<content> functions](#contentfunctions) with this element: ExtractSingleFile, ExtractMultipleFiles, and ExtractDirectory. +- **Helper functions:** You can use the following [<content> functions](#content-functions) with this element: `ExtractSingleFile`, `ExtractMultipleFiles`, and `ExtractDirectory`. Syntax: @@ -491,22 +478,22 @@ Syntax: |Setting|Required?|Value| |--- |--- |--- | -|filter|Yes|A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example, `MyScripts.AScript ("Arg1","Arg2")`.
    The script is called for each object that is enumerated by the object sets in the <include> rule. The filter script returns a Boolean value. If the return value is TRUE, the object will be migrated. If it is FALSE, it will not be migrated.| +|filter|Yes|A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example, `MyScripts.AScript ("Arg1","Arg2")`.
    The script is called for each object that is enumerated by the object sets in the **<include>** rule. The filter script returns a Boolean value. If the return value is **TRUE**, the object will be migrated. If it is **FALSE**, it will not be migrated.| -### <content> functions +### <content> functions -The following functions generate patterns out of the content of an object. These functions are called for every object that the parent <ObjectSet> element is enumerating. +The following functions generate patterns out of the content of an object. These functions are called for every object that the parent **<ObjectSet>** element is enumerating. -- **ExtractSingleFile** +- **ExtractSingleFile** - If the registry value is a MULTI-SZ, only the first segment is processed. The returned pattern is the encoded location for a file that must exist on the system. If the specification is correct in the registry value, but the file does not exist, this function returns NULL. + If the registry value is a **MULTI-SZ**, only the first segment is processed. The returned pattern is the encoded location for a file that must exist on the system. If the specification is correct in the registry value, but the file does not exist, this function returns **NULL**. Syntax: `ExtractSingleFile(Separators,PathHints)` |Setting|Required?|Value| |--- |--- |--- | - |*Separators*|Yes|A list of possible separators that might follow the file specification in this registry value name. For example, if the content is "C:\Windows\Notepad.exe,-2", the separator is a comma. You can specify NULL.| - |*PathHints*|Yes|A list of extra paths, separated by colons (;), where the function will look for a file matching the current content. For example, if the content is "Notepad.exe" and the path is the %Path% environment variable, the function will find Notepad.exe in %windir% and returns "c:\Windows [Notepad.exe]". You can specify NULL.| + |*Separators*|Yes|A list of possible separators that might follow the file specification in this registry value name. For example, if the content is **"C:\Windows\Notepad.exe,-2"**, the separator is a comma. You can specify **NULL**.| + |*PathHints*|Yes|A list of extra paths, separated by colons (`;`), where the function will look for a file matching the current content. For example, if the content is **"Notepad.exe"** and the path is the **%Path%** environment variable, the function will find **Notepad.exe** in `%windir%` and returns **"c:\Windows [Notepad.exe]"**. You can specify **NULL**.| For example: @@ -520,9 +507,9 @@ The following functions generate patterns out of the content of an object. These ``` -- **ExtractMultipleFiles** +- **ExtractMultipleFiles** - The ExtractMultipleFiles function returns multiple patterns, one for each file that is found in the content of the given registry value. If the registry value is a MULTI-SZ, the MULTI-SZ separator is considered a separator by default. therefore, for MULTI-SZ, the <Separators> argument must be NULL. + The **ExtractMultipleFiles** function returns multiple patterns, one for each file that is found in the content of the given registry value. If the registry value is a **MULTI-SZ**, the **MULTI-SZ** separator is considered a separator by default. therefore, for **MULTI-SZ**, the **<Separators>** argument must be **NULL**. The returned patterns are the encoded locations for files that must exist on the source computer. If the specification is correct in the registry value but the file does not exist, it will not be included in the resulting list. @@ -530,18 +517,18 @@ The following functions generate patterns out of the content of an object. These |Setting|Required?|Value| |--- |--- |--- | - |*Separators*|Yes|A list of possible separators that might follow the file specification in this registry value name. For example, if the content is "C:\Windows\Notepad.exe,-2", the separator is a comma. This parameter must be NULL when processing MULTI-SZ registry values.| - |*PathHints*|Yes|A list of extra paths, separated by colons (;), where the function will look for a file matching the current content. For example, if the content is "Notepad.exe" and the path is the %Path% environment variable, the function will find Notepad.exe in %windir% and returns "c:\Windows [Notepad.exe]". You can specify NULL.| + |*Separators*|Yes|A list of possible separators that might follow the file specification in this registry value name. For example, if the content is **"C:\Windows\Notepad.exe,-2"**, the separator is a comma. This parameter must be NULL when processing **MULTI-SZ** registry values.| + |*PathHints*|Yes|A list of extra paths, separated by colons (`;`), where the function will look for a file matching the current content. For example, if the content is **"Notepad.exe"** and the path is the **%Path%** environment variable, the function will find **Notepad.exe** in `%windir%` and returns **"c:\Windows [Notepad.exe]"**. You can specify **NULL**.| -- **ExtractDirectory** +- **ExtractDirectory** - The ExtractDirectory function returns a pattern that is the encoded location for a directory that must exist on the source computer. If the specification is correct in the registry value, but the directory does not exist, this function returns NULL. If it is processing a registry value that is a MULTI-SZ, only the first segment will be processed. + The **ExtractDirectory** function returns a pattern that is the encoded location for a directory that must exist on the source computer. If the specification is correct in the registry value, but the directory does not exist, this function returns **NULL**. If it is processing a registry value that is a **MULTI-SZ**, only the first segment will be processed. Syntax: `ExtractDirectory(Separators,LevelsToTrim,PatternSuffix)` |Setting|Required?|Value| |--- |--- |--- | - |*Separators*|No|A list of possible separators that might follow the file specification in this registry value name. For example, if the content is "C:\Windows\Notepad.exe,-2", the separator is a comma. You must specify NULL when processing MULTI-SZ registry values.| + |*Separators*|No|A list of possible separators that might follow the file specification in this registry value name. For example, if the content is **"C:\Windows\Notepad.exe,-2"**, the separator is a comma. You must specify **NULL** when processing **MULTI-SZ** registry values.| |*LevelsToTrim*|Yes|The number of levels to delete from the end of the directory specification. Use this function to extract a root directory when you have a registry value that points inside that root directory in a known location.| |*PatternSuffix*|Yes|The pattern to add to the directory specification. For example, `* [*]`.| @@ -557,17 +544,17 @@ The following functions generate patterns out of the content of an object. These ``` -## <contentModify> +## <contentModify> -The <contentModify> element modifies the content of an object before it is written to the destination computer. For each <contentModify> element there can be multiple <objectSet> elements. This element returns the new content of the object that is being processed. +The **<contentModify>** element modifies the content of an object before it is written to the destination computer. For each **<contentModify>** element there can be multiple **<objectSet>** elements. This element returns the new content of the object that is being processed. -- **Number of occurrences:** Unlimited +- **Number of occurrences:** Unlimited -- **Parent elements:**[<rules>](#rules) +- **Parent elements:** [<rules>](#rules) -- **Required child elements:**[<objectSet>](#objectset) +- **Required child elements:** [<objectSet>](#objectset) -- **Helper functions**: You can use the following [<contentModify> functions](#contentmodifyfunctions) with this element: ConvertToDWORD, ConvertToString, ConvertToBinary, KeepExisting, OffsetValue, SetValueByTable, MergeMultiSzContent, and MergeDelimitedContent. +- **Helper functions**: You can use the following [<contentModify> functions](#contentmodify-functions) with this element: **ConvertToDWORD**, **ConvertToString**, **ConvertToBinary**, **KeepExisting**, **OffsetValue**, **SetValueByTable**, **MergeMultiSzContent**, and **MergeDelimitedContent**. Syntax: @@ -578,31 +565,31 @@ Syntax: |Setting|Required?|Value| |--- |--- |--- | -|script|Yes|A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example, `MyScripts.AScript ("Arg1","Arg2").`

    The script will be called for each object that is enumerated by the object sets in the include rule. The filter script returns a Boolean value. If the return value is TRUE, the object will be migrated. If it is FALSE, it will not be migrated.| +|script|Yes|A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example, `MyScripts.AScript ("Arg1","Arg2").`

    The script will be called for each object that is enumerated by the object sets in the include rule. The filter script returns a Boolean value. If the return value is **TRUE**, the object will be migrated. If it is **FALSE**, it will not be migrated.| -### <contentModify> functions +### <contentModify> functions -The following functions change the content of objects as they are migrated. These functions are called for every object that the parent <ObjectSet> element is enumerating. +The following functions change the content of objects as they are migrated. These functions are called for every object that the parent **<ObjectSet>** element is enumerating. -- **ConvertToDWORD** +- **ConvertToDWORD** - The ConvertToDWORD function converts the content of registry values that are enumerated by the parent <ObjectSet> element to a DWORD. For example, ConvertToDWORD will convert the string "1" to the DWORD 0x00000001. If the conversion fails, then the value of DefaultValueOnError will be applied. + The **ConvertToDWORD** function converts the content of registry values that are enumerated by the parent **<ObjectSet>** element to a DWORD. For example, **ConvertToDWORD** will convert the string `"1"` to the DWORD `0x00000001`. If the conversion fails, then the value of **DefaultValueOnError** will be applied. Syntax: `ConvertToDWORD(DefaultValueOnError)` |Setting|Required?|Value| |--- |--- |--- | - |*DefaultValueOnError*|No|The value that will be written into the value name if the conversion fails. You can specify NULL, and 0 will be written if the conversion fails.| + |*DefaultValueOnError*|No|The value that will be written into the value name if the conversion fails. You can specify **NULL**, and `0` will be written if the conversion fails.| -- **ConvertToString** +- **ConvertToString** - The ConvertToString function converts the content of registry values that match the parent <ObjectSet> element to a string. For example, it will convert the DWORD 0x00000001 to the string "1". If the conversion fails, then the value of DefaultValueOnError will be applied. + The **ConvertToString** function converts the content of registry values that match the parent **<ObjectSet>** element to a string. For example, it will convert the DWORD `0x00000001` to the string **"1"**. If the conversion fails, then the value of **DefaultValueOnError** will be applied. Syntax: `ConvertToString(DefaultValueOnError)` |Setting|Required?|Value| |--- |--- |--- | - |*DefaultValueOnError*|No|The value that will be written into the value name if the conversion fails. You can specify NULL, and 0 will be written if the conversion fails.| + |*DefaultValueOnError*|No|The value that will be written into the value name if the conversion fails. You can specify **NULL**, and `0` will be written if the conversion fails.| For example: @@ -614,15 +601,15 @@ The following functions change the content of objects as they are migrated. Thes ``` -- **ConvertToBinary** +- **ConvertToBinary** - The ConvertToBinary function converts the content of registry values that match the parent <ObjectSet> element to a binary type. + The **ConvertToBinary** function converts the content of registry values that match the parent **<ObjectSet>** element to a binary type. Syntax: `ConvertToBinary ()` -- **OffsetValue** +- **OffsetValue** - The OffsetValue function adds or subtracts *Value* from the value of the migrated object, and then writes the result back into the registry value on the destination computer. For example, if the migrated object is a DWORD with a value of 14, and the *Value* is "-2", the registry value will be 12 on the destination computer. + The **OffsetValue** function adds or subtracts *Value* from the value of the migrated object, and then writes the result back into the registry value on the destination computer. For example, if the migrated object is a DWORD with a value of `14`, and the *Value* is **"-2"**, the registry value will be `12` on the destination computer. Syntax: `OffsetValue(Value)` @@ -630,9 +617,9 @@ The following functions change the content of objects as they are migrated. Thes |--- |--- |--- | |*Value*|Yes|The string representation of a numeric value. It can be positive or negative. For example, `OffsetValue(2)`.| -- **SetValueByTable** +- **SetValueByTable** - The SetValueByTable function matches the value from the source computer to the source table. If the value is there, the equivalent value in the destination table will be applied. If the value is not there, or if the destination table has no equivalent value, the *DefaultValueOnError* will be applied. + The **SetValueByTable** function matches the value from the source computer to the source table. If the value is there, the equivalent value in the destination table will be applied. If the value is not there, or if the destination table has no equivalent value, the *DefaultValueOnError* will be applied. Syntax: `SetValueByTable(SourceTable,DestinationTable,DefaultValueOnError)` @@ -640,21 +627,21 @@ The following functions change the content of objects as they are migrated. Thes |--- |--- |--- | |*SourceTable*|Yes|A list of values separated by commas that are possible for the source registry values.| |*DestinationTable*|No|A list of translated values separated by commas.| - |*DefaultValueOnError*|No|The value that will be applied to the destination computer if either 1) the value for the source computer does not match *SourceTable*, or 2) *DestinationTable* has no equivalent value.

    If DefaultValueOnError is NULL, the value will not be changed on the destination computer.| + |*DefaultValueOnError*|No|The value that will be applied to the destination computer if either
    1. The value for the source computer does not match *SourceTable*
    2. *DestinationTable* has no equivalent value.

    If **DefaultValueOnError** is **NULL**, the value will not be changed on the destination computer.| -- **KeepExisting** +- **KeepExisting** - You can use the KeepExisting function when there are conflicts on the destination computer. This function will keep (not overwrite) the specified attributes for the object that is on the destination computer. + You can use the **KeepExisting** function when there are conflicts on the destination computer. This function will keep (not overwrite) the specified attributes for the object that is on the destination computer. Syntax: `KeepExisting("OptionString","OptionString","OptionString",…)` |Setting|Required?|Value| |--- |--- |--- | - | *OptionString* | Yes | *OptionString* can be **Security**, **TimeFields**, or **FileAttrib**:*Letter*. You can specify one of each type of *OptionStrings*. Do not specify multiple *OptionStrings* with the same value. If you do, the right-most option of that type will be kept. For example, do not specify **("FileAttrib:H", "FileAttrib:R")** because only Read-only will be evaluated. Instead specify **("FileAttrib:HR")** and both Hidden and Read-only attributes will be kept on the destination computer.
    • **Security**. Keeps the destination object's security descriptor if it exists.
    • **TimeFields**. Keeps the destination object's time stamps. This parameter is for files only.
    • **FileAttrib:** *Letter*. Keeps the destination object's attribute value, either On or OFF, for the specified set of file attributes. This parameter is for files only. The following are case-insensitive, but USMT will ignore any values that are invalid, repeated, or if there is a space after "FileAttrib:". You can specify any combination of the following attributes:
      • **A** = Archive
      • **C** = Compressed
      • **E** = Encrypted
      • **H** = Hidden
      • **I** = Not Content Indexed
      • **O** = Offline
      • **R** = Read-Only
      • **S** = System
      • **T** = Temporary
    | + | *OptionString* | Yes | *OptionString* can be **Security**, **TimeFields**, or **FileAttrib**:*Letter*. You can specify one of each type of *OptionStrings*. Do not specify multiple *OptionStrings* with the same value. If you do, the right-most option of that type will be kept. For example, do not specify **("FileAttrib:H", "FileAttrib:R")** because only Read-only will be evaluated. Instead specify **("FileAttrib:HR")** and both Hidden and Read-only attributes will be kept on the destination computer.
    • **Security**: Keeps the destination object's security descriptor if it exists.
    • **TimeFields**: Keeps the destination object's time stamps. This parameter is for files only.
    • **FileAttrib:<Letter>**: Keeps the destination object's attribute value, either **ON** or **OFF**, for the specified set of file attributes. This parameter is for files only. The following are case-insensitive, but USMT will ignore any values that are invalid, repeated, or if there is a space after **FileAttrib:**. You can specify any combination of the following attributes:
      • **A** = Archive
      • **C** = Compressed
      • **E** = Encrypted
      • **H** = Hidden
      • **I** = Not Content Indexed
      • **O** = Offline
      • **R** = Read-Only
      • **S** = System
      • **T** = Temporary
    | -- **MergeMultiSzContent** +- **MergeMultiSzContent** - The MergeMultiSzContent function merges the MULTI-SZ content of the registry values that are enumerated by the parent <ObjectSet> element with the content of the equivalent registry values that already exist on the destination computer. `Instruction` and `String` either remove or add content to the resulting MULTI-SZ. Duplicate elements will be removed. + The **MergeMultiSzContent** function merges the **MULTI-SZ** content of the registry values that are enumerated by the parent **<ObjectSet>** element with the content of the equivalent registry values that already exist on the destination computer. `Instruction` and `String` either remove or add content to the resulting **MULTI-SZ**. Duplicate elements will be removed. Syntax: `MergeMultiSzContent (Instruction,String,Instruction,String,…)` @@ -663,27 +650,27 @@ The following functions change the content of objects as they are migrated. Thes | *Instruction* | Yes | Can be one of the following:
    • **Add**. Adds the corresponding String to the resulting MULTI-SZ if it is not already there.
    • **Remove**. Removes the corresponding String from the resulting MULTI-SZ.
    | | *String* | Yes | The string to be added or removed. | -- **MergeDelimitedContent** +- **MergeDelimitedContent** - The MergeDelimitedContent function merges the content of the registry values that are enumerated by the parent <ObjectSet> element with the content of the equivalent registry values that already exist on the destination computer. The content is considered a list of elements separated by one of the characters in the Delimiters parameter. Duplicate elements will be removed. + The **MergeDelimitedContent** function merges the content of the registry values that are enumerated by the parent **<ObjectSet>** element with the content of the equivalent registry values that already exist on the destination computer. The content is considered a list of elements separated by one of the characters in the Delimiters parameter. Duplicate elements will be removed. Syntax: `MergeDelimitedContent(Delimiters,Instruction,String,…)` |Setting|Required?|Value| |--- |--- |--- | - | *Delimiters* | Yes | A single character that will be used to separate the content of the object that is being processed. The content will be considered as a list of elements that is separated by the *Delimiters*.
    For example, "." will separate the string based on a period. | - | *Instruction* | Yes | Can one of the following:
    • **Add.** Adds *String* to the resulting MULTI-SZ if it is not already there.
    • **Remove.** Removes *String* from the resulting MULTI-SZ.
    | + | *Delimiters* | Yes | A single character that will be used to separate the content of the object that is being processed. The content will be considered as a list of elements that is separated by the *Delimiters*.
    For example, `"."` will separate the string based on a period. | + | *Instruction* | Yes | Can be one of the following:
    • **Add**: Adds *String* to the resulting MULTI-SZ if it is not already there.
    • **Remove**: Removes *String* from the resulting MULTI-SZ.
    | | *String* | Yes | The string to be added or removed. | -## <description> +## <description> -The <description> element defines a description for the component but does not affect the migration. +The **<description>** element defines a description for the component but does not affect the migration. -- **Number of occurrences:** zero or one +- **Number of occurrences:** zero or one -- **Parent elements:**[<component>](#component) +- **Parent elements:** [<component>](#component) -- **Child elements:** none +- **Child elements:** none Syntax: @@ -701,22 +688,20 @@ The following code sample shows how the <description> element defines the My custom component ``` -## <destinationCleanup> +## <destinationCleanup> -The <destinationCleanup> element deletes objects, such as files and registry keys, from the destination computer before applying the objects from the source computer. This element is evaluated only when the LoadState tool is run on the destination computer. That is, this element is ignored by the ScanState tool. +The **<destinationCleanup>** element deletes objects, such as files and registry keys, from the destination computer before applying the objects from the source computer. This element is evaluated only when the **LoadState** tool is run on the destination computer. That is, this element is ignored by the **ScanState** tool. > [!IMPORTANT] > Use this option with extreme caution because it will delete objects from the destination computer. +For each **<destinationCleanup>** element there can be multiple **<objectSet>** elements. A common use for this element is if there is a missing registry key on the source computer and you want to ensure that a component is migrated. In this case, you can delete all of the component's registry keys before migrating the source registry keys. This will ensure that if there is a missing key on the source computer, it will also be missing on the destination computer. +- **Number of occurrences:** Unlimited -For each <destinationCleanup> element there can be multiple <objectSet> elements. A common use for this element is if there is a missing registry key on the source computer and you want to ensure that a component is migrated. In this case, you can delete all of the component's registry keys before migrating the source registry keys. This will ensure that if there is a missing key on the source computer, it will also be missing on the destination computer. +- **Parent elements:** [<rules>](#rules) -- **Number of occurrences:** Unlimited - -- **Parent elements:**[<rules>](#rules) - -- **Child elements:**[<objectSet>](#objectset) (Note that the destination computer will delete all child elements.) +- **Child elements:** [<objectSet>](#objectset) (Note that the destination computer will delete all child elements.) Syntax: @@ -727,7 +712,7 @@ Syntax: |Setting|Required?|Value| |--- |--- |--- | -|filter|Yes|A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example, `MyScripts.AScript ("Arg1","Arg2")`.

    The script will be called for each object that is enumerated by the object sets in the include rule. The filter script returns a Boolean value. If the return value is TRUE, the object will be migrated. If it is FALSE, it will not be migrated.| +|filter|Yes|A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example, `MyScripts.AScript ("Arg1","Arg2")`.

    The script will be called for each object that is enumerated by the object sets in the include rule. The filter script returns a Boolean value. If the return value is **TRUE**, the object will be migrated. If it is **FALSE**, it will not be migrated.| For example: @@ -740,21 +725,21 @@ For example: ``` -## <detect> +## <detect> -Although the <detect> element is still supported, we do not recommend using it because it may be deprecated in future versions of USMT. In that case, you would have to rewrite your scripts. Instead, we recommend that you use the [<detection>](#detection)**element.** +Although the **<detect>** element is still supported, it is recommend to no longer use the **<detect>** element because it may be deprecated in future versions of USMT. If the **<detect>** element were depecated, it would require a rewrite of any scripts that use the **<detect>** element. Instead, it is recommend to use the **[<detection>](#detection)** element. The **<detection>** element allows for more clearly formulated complex Boolean statements -You use the <detect> element to determine if the component is present on a system. If all child <detect> elements within a <detect> element resolve to TRUE, then the <detect> element resolves to TRUE. If any child <detect> elements resolve to FALSE, then their parent <detect> element resolves to FALSE. If there is no <detect> element section, then USMT will assume that the component is present. +The **<detect>** element can be used to determine if the component is present on a system. If all child **<detect>** elements within a **<detect>** element resolve to **TRUE**, then the **<detect>** element resolves to **TRUE**. If any child **<detect>** elements resolve to **FALSE**, then their parent **<detect>** element resolves to **FALSE**. If there is no **<detect>** element section, then USMT will assume that the component is present. -For each <detect> element there can be multiple child <condition> or <objectSet> elements, which will be logically joined by an OR operator. If at least one <condition> or <objectSet> element evaluates to TRUE, then the <detect> element evaluates to TRUE. +For each **<detect>** element there can be multiple child **<condition>** or **<objectSet>** elements, which will be logically joined by an **OR** operator. If at least one **<condition>** or **<objectSet>** element evaluates to **TRUE**, then the **<detect>** element evaluates to **TRUE**. -- **Number of occurrences:** unlimited +- **Number of occurrences:** unlimited -- **Parent elements:** <detects>, [<namedElements>](#namedelements) +- **Parent elements:** [<detects>](#detects), [<namedElements>](#namedelements) -- **Required child elements:**[<condition>](#condition) +- **Required child elements:** [<condition>](#condition) -- **Optional child elements:**[<objectSet>](#objectset) +- **Optional child elements:** [<objectSet>](#objectset) Syntax: @@ -765,16 +750,16 @@ Syntax: |Setting|Required?|Value| |--- |--- |--- | -| name | Yes, when <detect> is a child to <namedElements>
    No, when <detect> is a child to <detects> | When *ID* is specified, any child elements are not processed. Instead, any other <detect> elements with the same name that are declared within the <namedElements> element are processed. | -| context | No
    (default = UserAndSystem) | Defines the scope of this parameter: whether to process this component in the context of the specific user, across the entire operating system, or both.
    The largest possible scope is set by the component element. For example, if a <component> element has a context of User, and a <rules> element had a context of UserAndSystem, then the <rules> element would act as though it had a context of User. If the <rules> element had a context of System, it would act as though the <rules> element were not there.
    • **User.** Evaluates the variables for each user.
    • **System.** Evaluates the variables only once for the system.
    • **UserAndSystem.** Evaluates the variables for the entire operating system and each user.
    | +| name | Yes, when **<detect>** is a child to **<namedElements>**
    No, when **<detect>** is a child to <detects> | When *ID* is specified, any child elements are not processed. Instead, any other **<detect>** elements with the same name that are declared within the **<namedElements>** element are processed. | +| context | No
    (default = UserAndSystem) | Defines the scope of this parameter which are whether to process this component in the context of the specific user, across the entire operating system, or both.
    The largest possible scope is set by the component element. For example, if a **<component>** element has a context of **User**, and a **<rules>** element had a context of **UserAndSystem**, then the **<rules>** element would act as though it had a context of **User**. If the **<rules>** element had a context of **System**, it would act as though the **<rules>** element were not there.
    • **User**: Evaluates the variables for each user.
    • **System**: Evaluates the variables only once for the system.
    • **UserAndSystem**: Evaluates the variables for the entire operating system and each user.
    | For examples, see the examples for [<detection>](#detection). -## <detects> +## <detects> -Although the <detects> element is still supported, we recommend that you do not use it because it may be deprecated in future versions of USMT, which would require you to rewrite your scripts. Instead, we recommend that you use the [<detection>](#detection) element if the parent element is <role> or <namedElements>, and we recommend that you use the <conditions> element if the parent element is <rules>. Using <detection> allows you to more clearly formulate complex Boolean statements. +Although the **<detects>** element is still supported, it is recommend to no longer use the **<detects>** element because it may be deprecated in future versions of USMT. If the **<detects>** element were deprecated, it would require a rewrite of any scripts that use the **<detects>** element. Instead, it is recommend to use the **[<detection>](#detection)** element if the parent element is **<role>** or **<namedElements>**, or use the **[<conditions>](#conditions)** element if the parent element is **<rules>**. The **<detection>** element allows for more clearly formulated complex Boolean statements and the **<conditions>** element allows for formulation of complex Boolean statements. -The <detects> element is a container for one or more <detect> elements. If all of the child <detect> elements within a <detects> element resolve to TRUE, then <detects> resolves to TRUE. If any of the child <detect> elements resolve to FALSE, then <detects> resolves to FALSE. If you do not want to write the <detects> elements within a component, then you can create the <detects> element under the <namedElements> element, and then refer to it. If there is no <detects> element section, then USMT will assume that the component is present. The results from each <detects> element are joined together by the OR operator to form the rule used to detect the parent element. +The **<detects>** element is a container for one or more **<detect>** elements. If all of the child **<detect>** elements within a **<detects>** element resolve to **TRUE**, then **<detects>** resolves to **TRUE**. If any of the child **<detect>** elements resolve to **FALSE**, then **<detects>** resolves to **FALSE**. If you do not want to write the **<detects>** elements within a component, then you can create the **<detects>** element under the **<namedElements>** element, and then refer to it. If there is no **<detects>** element section, then USMT will assume that the component is present. The results from each **<detects>** element are joined together by the **OR** operator to form the rule used to detect the parent element. Syntax: @@ -783,18 +768,18 @@ Syntax: ``` -- **Number of occurrences:** Unlimited. +- **Number of occurrences:** Unlimited. -- **Parent elements:**[<role>](#role), [<rules>](#rules), [<namedElements>](#namedelements) +- **Parent elements:** [<role>](#role), [<rules>](#rules), [<namedElements>](#namedelements) -- **Required child elements:** <detect> +- **Required child elements:** [<detect>](#detect) |Setting|Required?|Value| |--- |--- |--- | -| name | Yes, when <detects> is a child to <namedElements>
    No, when <detects> is a child to <role> or <rules> | When *ID* is specified, no child <detect> elements are processed. Instead, any other <detects> elements with the same name that are declared within the <namedElements> element are processed. | -| context | No
    (default = UserAndSystem) | Defines the scope of this parameter: whether to process this component in the context of the specific user, across the entire operating system, or both.
    The largest possible scope is set by the <component element>. For example, if a <component> element has a context of User and a <rules> element had a context of UserAndSystem, then the <rules> element would act as though it had a context of User. If the <rules> element had a context of System, it would act as though the <rules> element were not there.
    • **User.** Evaluates the variables for each user.
    • **System.** Evaluates the variables only once for the system.
    • **UserAndSystem.** Evaluates the variables for the entire operating system and each user.

    The context parameter is ignored for <detects> elements that are inside <rules> elements. | +| name | Yes, when <detects> is a child to **<namedElements>**
    No, when <detects> is a child to **<role>** or **<rules>** | When *ID* is specified, no child **<detect>** elements are processed. Instead, any other **<detects>** elements with the same name that are declared within the **<namedElements>** element are processed. | +| context | No
    (default = UserAndSystem) | Defines the scope of this parameter: whether to process this component in the context of the specific user, across the entire operating system, or both.
    The largest possible scope is set by the **<component element>**. For example, if a **<component>** element has a context of **User** and a **<rules>** element had a context of **UserAndSystem**, then the **<rules>** element would act as though it had a context of **User**. If the **<rules>** element had a context of **System**, it would act as though the **<rules>** element were not there.
    • **User**: Evaluates the variables for each user.
    • **System**: Evaluates the variables only once for the system.
    • **UserAndSystem**: Evaluates the variables for the entire operating system and each user.

    The context parameter is ignored for **<detects>** elements that are inside **<rules>** elements. | -The following example is from the MigApp.xml file. +The following example is from the `MigApp.xml` file. ```xml @@ -807,20 +792,19 @@ The following example is from the MigApp.xml file. ``` -## <detection> +## <detection> +The **<detection>** element is a container for one **<conditions>** element. The result of the child **<condition>** elements, located underneath the **<conditions>** element, determines the result of this element. For example, if all of the child **<conditions>** elements within the **<detection>** element resolve to **TRUE**, then the **<detection>** element resolves to **TRUE**. If any of the child **<conditions>** elements resolve to **FALSE**, then the **<detection>** element resolves to **FALSE**. -The <detection> element is a container for one <conditions> element. The result of the child <condition> elements, located underneath the <conditions> element, determines the result of this element. For example, if all of the child <conditions> elements within the <detection> element resolve to TRUE, then the <detection> element resolves to TRUE. If any of the child <conditions> elements resolve to FALSE, then the <detection> element resolves to FALSE. +In addition, the results from each **<detection>** section within the **<role>** element are joined together by the **OR** operator to form the detection rule of the parent element. That is, if one of the **<detection>** sections resolves to **TRUE**, then the **<role>** element will be processed. Otherwise, the **<role>** element will not be processed. -In addition, the results from each <detection> section within the <role> element are joined together by the OR operator to form the detection rule of the parent element. That is, if one of the <detection> sections resolves to TRUE, then the <role> element will be processed. Otherwise, the <role> element will not be processed. +Use the **<detection>** element under the **<namedElements>** element if you do not want to write it within a component. Then include a matching **<detection>** section under the **<role>** element to control whether the component is migrated. If there is not a **<detection>** section for a component, then USMT will assume that the component is present. -Use the <detection> element under the <namedElements> element if you do not want to write it within a component. Then include a matching <detection> section under the <role> element to control whether the component is migrated. If there is not a <detection> section for a component, then USMT will assume that the component is present. +- **Number of occurrences:** Unlimited. -- **Number of occurrences:** Unlimited. +- **Parent elements:** [<role>](#role), [<namedElements>](#namedelements) -- **Parent elements:**[<role>](#role), [<namedElements>](#namedelements) - -- **Child elements:**[<conditions>](#conditions) +- **Child elements:** [<conditions>](#conditions) Syntax: @@ -831,8 +815,8 @@ Syntax: |Setting|Required?|Value| |--- |--- |--- | -| name |
    • Yes, when <detection> is declared under <namedElements>
    • Optional, when declared under <role>
    | If declared, the content of the <detection> element is ignored and the content of the <detection> element with the same name that is declared in the <namedElements> element will be evaluated. | -| context | No, default = UserAndSystem | Defines the scope of this parameter: whether to process this component in the context of the specific user, across the entire operating system, or both.
    • **User.** Evaluates the component for each user.
    • **System.** Evaluates the component only once for the system.
    • **UserAndSystem.** Evaluates the component for the entire operating system and each user.
    | +| name |
    • Yes, when **<detection>** is declared under **<namedElements>**
    • Optional, when declared under **<role>**
    | If declared, the content of the **<detection>** element is ignored and the content of the **<detection>** element with the same name that is declared in the **<namedElements>** element will be evaluated. | +| context | No, default = UserAndSystem | Defines the scope of this parameter: whether to process this component in the context of the specific user, across the entire operating system, or both.
    • **User**: Evaluates the component for each user.
    • **System**: Evaluates the component only once for the system.
    • **UserAndSystem**: Evaluates the component for the entire operating system and each user.
    | For example: @@ -857,16 +841,15 @@ and ``` -## <displayName> +## <displayName> +The **<displayName>** element is a required field within each **<component>** element. -The <displayName> element is a required field within each <component> element. +- **Number of occurrences:** once for each component -- **Number of occurrences:** once for each component +- **Parent elements:** [<component>](#component) -- **Parent elements:**[<component>](#component) - -- **Child elements:** none +- **Child elements:** none Syntax: @@ -885,17 +868,17 @@ For example: Command Prompt settings ``` -## <environment> +## <environment> -The <environment> element is a container for <variable> elements in which you can define variables to use in your .xml file. All environment variables defined this way will be private. That is, they will be available only for their child components and the component in which they were defined. For two example scenarios, see [Examples](#envex). +The **<environment>** element is a container for **<variable>** elements in which you can define variables to use in your .xml file. All environment variables defined this way will be private. That is, they will be available only for their child components and the component in which they were defined. For two example scenarios, see [Examples](#examples). -- **Number of occurrences:** unlimited +- **Number of occurrences:** unlimited -- **Parent elements:**[<role>](#role), [<component>](#component), [<namedElements>](#namedelements) +- **Parent elements:** [<role>](#role), [<component>](#component), [<namedElements>](#namedelements) -- **Required child elements:**[<variable>](#variable) +- **Required child elements:** [<variable>](#variable) -- **Optional child elements:**[conditions](#conditions) +- **Optional child elements:** [<conditions>](#conditions) Syntax: @@ -906,14 +889,14 @@ Syntax: |Setting|Required?|Value| |--- |--- |--- | -| name | Yes, when <environment> is a child of <namedElements>
    No, when <environment> is a child of <role> or <component> | When declared as a child of the <role> or <component> elements, if *ID* is declared, USMT ignores the content of the <environment> element and the content of the <environment> element with the same name declared in the <namedElements> element is processed. | -| context | No
    (default = UserAndSystem) | Defines the scope of this parameter: whether to process this component in the context of the specific user, across the entire operating system, or both.
    The largest possible scope is set by the <component> element. For example, if a <component> element has a context of User and a <rules> element had a context of UserAndSystem, then the <rules> element would act as though it had a context of User. If the <rules> element had a context of System, it would act as though <rules> were not there.
    • **User.** Evaluates the variables for each user.
    • **System.** Evaluates the variables only once for the system.
    • **UserAndSystem.** Evaluates the variables for the entire operating system and each user.
    | +| name | Yes, when **<environment>** is a child of **<namedElements>**
    No, when **<environment>** is a child of **<role>** or **<component>** | When declared as a child of the **<role>** or **<component>** elements, if *ID* is declared, USMT ignores the content of the **<environment>** element and the content of the **<environment>** element with the same name declared in the **<namedElements>** element is processed. | +| context | No
    (default = UserAndSystem) | Defines the scope of this parameter: whether to process this component in the context of the specific user, across the entire operating system, or both.
    The largest possible scope is set by the **<component>** element. For example, if a **<component>** element has a context of **User** and a **<rules>** element had a context of **UserAndSystem**, then the **<rules>** element would act as though it had a context of **User**. If the **<rules>** element had a context of **System**, it would act as though **<rules>** were not there.
    • **User**: Evaluates the variables for each user.
    • **System**: Evaluates the variables only once for the system.
    • **UserAndSystem**: Evaluates the variables for the entire operating system and each user.
    | -## +## Examples ### Example scenario 1 -In this scenario, you want to generate the location of objects at run time depending on the configuration of the destination computer. For example, you must do this if an application writes data in the directory where it is installed, and users can install the application anywhere on the computer. If the application writes a registry value hklm\\software\\companyname\\install \[path\] and then updates this value with the location where the application is installed, then the only way for you to migrate the required data correctly is to define an environment variable. For example: +In this scenario, you want to generate the location of objects at run time depending on the configuration of the destination computer. For example, you must do this if an application writes data in the directory where it is installed, and users can install the application anywhere on the computer. If the application writes a registry value `hklm\software\companyname\install [path\]` and then updates this value with the location where the application is installed, then the only way for you to migrate the required data correctly is to define an environment variable. For example: ```xml @@ -923,7 +906,7 @@ In this scenario, you want to generate the location of objects at run time depen ``` -Then you can use an include rule as follows. You can use any of the [<script> functions](#scriptfunctions) to perform similar tasks. +Then you can use an include rule as follows. You can use any of the [<script> functions](#script-functions) to perform similar tasks. ```xml @@ -933,7 +916,7 @@ Then you can use an include rule as follows. You can use any of the [<script& ``` -Second, you can also filter registry values that contain data that you need. The following example extracts the first string (before the separator ",") in the value of the registry Hklm\\software\\companyname\\application\\ \[Path\]. +Second, you can also filter registry values that contain data that you need. The following example extracts the first string (before the separator "`,`") in the value of the registry `Hklm\software\companyname\application\ [Path\]`. ```xml @@ -949,9 +932,9 @@ Second, you can also filter registry values that contain data that you need. The ``` -### Example scenario 2: +### Example scenario 2 -In this scenario, you want to migrate five files named File1.txt, File2.txt, and so on, from %SYSTEMDRIVE%\\data\\userdata\\dir1\\dir2\\. To do this you must have the following <include> rule in an .xml file: +In this scenario, you want to migrate five files named `File1.txt`, `File2.txt`, and so on, from `%SYSTEMDRIVE%\data\userdata\dir1\dir2\`. To do this you must have the following **<include>** rule in an .xml file: ```xml @@ -975,7 +958,7 @@ Instead of typing the path five times, you can create a variable for the locatio ``` -Then, you can specify the variable in an <include> rule as follows: +Then, you can specify the variable in an **<include>** rule as follows: ```xml @@ -989,18 +972,17 @@ Then, you can specify the variable in an <include> rule as follows: ``` -## <exclude> +## <exclude> +The **<exclude>** element determines what objects will not be migrated, unless there is a more specific **<include>** element that migrates an object. If there is an **<include>** and **<exclude>** element for the same object, the object will be included. For each **<exclude>** element there can be multiple child **<objectSet>** elements. -The <exclude> element determines what objects will not be migrated, unless there is a more specific <include> element that migrates an object. If there is an <include> and <exclude> element for the same object, the object will be included. For each <exclude> element there can be multiple child <objectSet> elements. +- **Number of occurrences:** Unlimited -- **Number of occurrences:** Unlimited +- **Parent elements:** [<rules>](#rules) -- **Parent elements:**[<rules>](#rules) +- **Child elements:** [<objectSet>](#objectset) -- **Child elements:**[<objectSet>](#objectset) - -- **Helper functions:** You can use the following [<exclude> filter functions](#persistfilterfunctions) with this element: CompareStringContent, IgnoreIrrelevantLinks, AnswerNo, NeverRestore, and SameRegContent. +- **Helper functions:** You can use the following [<exclude> filter functions](#include-and-exclude-filter-functions) with this element: `CompareStringContent`, `IgnoreIrrelevantLinks`, `AnswerNo`, `NeverRestore`, and `SameRegContent`. Syntax: @@ -1011,10 +993,9 @@ Syntax: |Setting|Required?|Value| |--- |--- |--- | -|filter|No
    (default = No)|A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example, `MyScripts.AScript ("Arg1","Arg2")`.

    The script will be called for each object that is enumerated by the object sets in the include rule. The filter script returns a Boolean value. If the return value is TRUE, the object will be migrated. If it is FALSE, it will not be migrated.| +|filter|No
    (default = No)|A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example, `MyScripts.AScript ("Arg1","Arg2")`.

    The script will be called for each object that is enumerated by the object sets in the include rule. The filter script returns a Boolean value. If the return value is **TRUE**, the object will be migrated. If it is **FALSE**, it will not be migrated.| - -For example, from the MigUser.xml file: +For example, from the `MigUser.xml` file: ```xml @@ -1026,16 +1007,15 @@ For example, from the MigUser.xml file: ``` -## <excludeAttributes> +## <excludeAttributes> +You can use the **<excludeAttributes>** element to determine which parameters associated with an object will not be migrated. If there are conflicts between the **<includeAttributes>** and **<excludeAttributes>** elements, the most specific pattern determines the patterns that will not be migrated. If an object does not have an **<includeAttributes>** or **<excludeAttributes>** element, then all of its parameters will be migrated. -You can use the <excludeAttributes> element to determine which parameters associated with an object will not be migrated. If there are conflicts between the <includeAttributes> and <excludeAttributes> elements, the most specific pattern determines the patterns that will not be migrated. If an object does not have an <includeAttributes> or <excludeAttributes> element, then all of its parameters will be migrated. +- **Number of occurrences:** Unlimited -- **Number of occurrences:** Unlimited +- **Parent elements:** [<rules>](#rules) -- **Parent elements:**[<rules>](#rules) - -- **Child elements:**[<objectSet>](#objectset) +- **Child elements:** [<objectSet>](#objectset) Syntax: @@ -1075,7 +1055,7 @@ Example: %SYSTEMDRIVE%\ [aa.txt] - + logoff @@ -1099,16 +1079,15 @@ Example: ``` -## <extensions> - +## <extensions> The <extensions> element is a container for one or more <extension> elements. -- **Number of occurrences:** zero or one +- **Number of occurrences:** zero or one -- **Parent elements:**[<component>](#component) +- **Parent elements:** [<component>](#component) -- **Required child elements:**[<extension>](#extension) +- **Required child elements:** [<extension>](#extension) Syntax: @@ -1117,16 +1096,15 @@ Syntax: ``` -## <extension> - +## <extension> You can use the <extension> element to specify documents of a specific extension. -- **Number of occurrences:** unlimited +- **Number of occurrences:** unlimited -- **Parent elements:**[<extensions>](#extensions) +- **Parent elements:** [<extensions>](#extensions) -- **Child elements:** none +- **Child elements:** none Syntax: @@ -1138,7 +1116,7 @@ Syntax: |--- |--- |--- | |*FilenameExtension*|Yes|A file name extension.| -For example, if you want to migrate all \*.doc files from the source computer, specifying the following code under the <component> element: +For example, if you want to migrate all \*.doc files from the source computer, specifying the following code under the **<component>** element: ```xml @@ -1146,7 +1124,7 @@ For example, if you want to migrate all \*.doc files from the source computer, s ``` -is the same as specifying the following code below the <rules> element: +is the same as specifying the following code below the **<rules>** element: ```xml @@ -1158,16 +1136,15 @@ is the same as specifying the following code below the <rules> element: For another example of how to use the <extension> element, see the example for [<excludeAttributes>](#excludeattributes). -## <externalProcess> +## <externalProcess> +You can use the <externalProcess> element to run a command line during the migration process. For example, you may want to run a command after the **LoadState** process completes. -You can use the <externalProcess> element to run a command line during the migration process. For example, you may want to run a command after the LoadState process completes. +- **Number of occurrences:** Unlimited -- **Number of occurrences:** Unlimited +- **Parent elements:** [<rules>](#rules) -- **Parent elements:**[<rules>](#rules) - -- **Required child elements:**[<commandLine>](#commandline) +- **Required child elements:** [<commandLine>](#commandline) Syntax: @@ -1182,21 +1159,21 @@ Syntax: For an example of how to use the <externalProcess> element, see the example for [<excludeAttributes>](#excludeattributes). -## <icon> +## <icon> This is an internal USMT element. Do not use this element. -## <include> +## <include> -The <include> element determines what to migrate, unless there is a more specific [<exclude>](#exclude) rule. You can specify a script to be more specific to extend the definition of what you want to collect. For each <include> element there can be multiple <objectSet> elements. +The **<include>** element determines what to migrate, unless there is a more specific [<exclude>](#exclude) rule. You can specify a script to be more specific to extend the definition of what you want to collect. For each **<include>** element there can be multiple **<objectSet>** elements. -- **Number of occurrences:** Unlimited +- **Number of occurrences:** Unlimited -- **Parent elements:**[<rules>](#rules) +- **Parent elements:** [<rules>](#rules) -- **Required child element:**[<objectSet>](#objectset) +- **Required child element:** [<objectSet>](#objectset) -- **Helper functions:** You can use the following [<include> filter functions](#persistfilterfunctions) with this element: CompareStringContent, IgnoreIrrelevantLinks, AnswerNo, and NeverRestore. +- **Helper functions:** You can use the following [<include> filter functions](#include-and-exclude-filter-functions) with this element: `CompareStringContent`, `IgnoreIrrelevantLinks`, `AnswerNo`, and `NeverRestore`. Syntax: @@ -1207,7 +1184,7 @@ Syntax: |Setting|Required?|Value| |--- |--- |--- | -| filter | No.
    If this parameter is not specified, then all patterns that are inside the child <ObjectSet> element will be processed. | A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example, `MyScripts.AScript ("Arg1","Arg2")`.
    The script will be called for each object that is enumerated by the object sets in the <include> rule. The filter script returns a Boolean value. If the return value is TRUE, the object will be migrated. If it is FALSE, it will not be migrated. | +| filter | No.
    If this parameter is not specified, then all patterns that are inside the child **<objectSet>** element will be processed. | A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example, `MyScripts.AScript ("Arg1","Arg2")`.
    The script will be called for each object that is enumerated by the object sets in the **<include>** rule. The filter script returns a Boolean value. If the return value is **TRUE**, the object will be migrated. If it is **FALSE**, it will not be migrated. | The following example is from the MigUser.xml file: @@ -1239,28 +1216,28 @@ The following example is from the MigUser.xml file: ``` -### <include> and <exclude> filter functions +### <include> and **<exclude>** filter functions The following functions return a Boolean value. You can use them to migrate certain objects based on when certain conditions are met. -- **AnswerNo** +- **AnswerNo** - This filter always returns FALSE. + This filter always returns **FALSE**. Syntax: `AnswerNo ()` -- **CompareStringContent** +- **CompareStringContent** Syntax: `CompareStringContent("StringContent","CompareType")` |Setting|Required?|Value| |--- |--- |--- | | *StringContent* | Yes | The string to check against. | - | *CompareType* | Yes | A string. Use one of the following values:
    • **Equal** (case insensitive). The function returns TRUE if the string representation of the current object that is processed by the migration engine is identical to `StringContent`.
    • **NULL** **or any other value**. The function returns TRUE if the string representation of the current object that is processed by the migration engine does not match `StringContent`.
    | + | *CompareType* | Yes | A string. Use one of the following values:
    • **Equal** (case insensitive). The function returns **TRUE** if the string representation of the current object that is processed by the migration engine is identical to `StringContent`.
    • **NULL** **or any other value**. The function returns **TRUE** if the string representation of the current object that is processed by the migration engine does not match `StringContent`.
    | -- **IgnoreIrrelevantLinks** +- **IgnoreIrrelevantLinks** - This filter screens out the .lnk files that point to an object that is not valid on the destination computer. Note that the screening takes place on the destination computer, so all .lnk files will be saved to the store during ScanState. Then they will be screened out when you run the LoadState tool. + This filter screens out the .lnk files that point to an object that is not valid on the destination computer. Note that the screening takes place on the destination computer, so all .lnk files will be saved to the store during **ScanState**. Then they will be screened out when you run the **LoadState** tool. Syntax: `IgnoreIrrelevantLinks ()` @@ -1274,9 +1251,9 @@ The following functions return a Boolean value. You can use them to migrate cert     ``` -- **NeverRestore** +- **NeverRestore** - You can use this function to collect the specified objects from the source computer but then not migrate the objects to the destination computer. When run with the ScanState tool, this function evaluates to TRUE. When run with the LoadState tool, this function evaluates to FALSE. You may want to use this function when you want to check an object's value on the destination computer but do not intend to migrate the object to the destination. + You can use this function to collect the specified objects from the source computer but then not migrate the objects to the destination computer. When run with the **ScanState** tool, this function evaluates to **TRUE**. When run with the **LoadState** tool, this function evaluates to **FALSE**. You may want to use this function when you want to check an object's value on the destination computer but do not intend to migrate the object to the destination. Syntax: `NeverRestore()` @@ -1290,16 +1267,15 @@ The following functions return a Boolean value. You can use them to migrate cert     ``` -## <includeAttributes> +## <includeAttributes> +You can use the **<includeAttributes>** element to determine whether certain parameters associated with an object will be migrated along with the object itself. If there are conflicts between the **<includeAttributes>** and **<excludeAttributes>** elements, the most specific pattern will determine which parameters will be migrated. If an object does not have an **<includeAttributes>** or **<excludeAttributes>** element, then all of its parameters will be migrated. -You can use the <includeAttributes> element to determine whether certain parameters associated with an object will be migrated along with the object itself. If there are conflicts between the <includeAttributes> and <excludeAttributes> elements, the most specific pattern will determine which parameters will be migrated. If an object does not have an <includeAttributes> or <excludeAttributes> element, then all of its parameters will be migrated. +- **Number of occurrences:** unlimited -- **Number of occurrences:** unlimited +- **Parent elements:** [<rules>](#rules) -- **Parent elements:**[<rules>](#rules) - -- **Child elements:**[<objectSet>](#objectset) +- **Child elements:** [<objectSet>](#objectset) Syntax: @@ -1310,23 +1286,23 @@ Syntax: |Setting|Required?|Value| |--- |--- |--- | -| attributes | Yes | Specifies the attributes to be included with a migrated object. You can specify one of the following, or both separated by quotes; for example, `"Security","TimeFields"`:
    • Security can be one of the following values:
      • **Owner.** The owner of the object (SID).
      • **Group.** The primary group for the object (SID).
      • **DACL** (discretionary access control list). An access control list that is controlled by the owner of an object and that specifies the access particular users or groups can have to the object.
      • **SACL** (system access control list). An ACL that controls the generation of audit messages for attempts to access a securable object. The ability to get or set an object's SACL is controlled by a privilege typically held only by system administrators.
    • TimeFields can be one of the following:
      • **CreationTime.** Specifies when the file or directory was created.
      • **LastAccessTime.** Specifies when the file is last read from, written to, or, in the case of executable files, run.
      • **LastWrittenTime.** Specifies when the file is last written to, truncated, or overwritten.
    | +| attributes | Yes | Specifies the attributes to be included with a migrated object. You can specify one of the following, or both separated by quotes; for example, `"Security","TimeFields"`:
    • Security can be one of the following values:
      • **Owner**: The owner of the object (SID).
      • **Group**: The primary group for the object (SID).
      • **DACL** (discretionary access control list): An access control list that is controlled by the owner of an object and that specifies the access particular users or groups can have to the object.
      • **SACL** (system access control list): An ACL that controls the generation of audit messages for attempts to access a securable object. The ability to get or set an object's SACL is controlled by a privilege typically held only by system administrators.
    • TimeFields can be one of the following:
      • **CreationTime**: Specifies when the file or directory was created.
      • **LastAccessTime**: Specifies when the file is last read from, written to, or, in the case of executable files, run.
      • **LastWrittenTime**: Specifies when the file is last written to, truncated, or overwritten.
    | -For an example of how to use the <includeAttributes> element, see the example for [<excludeAttributes>](#excludeattributes). +For an example of how to use the **<includeAttributes>** element, see the example for [<excludeAttributes>](#excludeattributes). -## <library> +## <library> This is an internal USMT element. Do not use this element. -## <location> +## <location> -The <location> element defines the location of the <object> element. +The **<location>** element defines the location of the **<object>** element. -- **Number of occurrences:** once for each <object> +- **Number of occurrences:** once for each **<object>** -- **Parent elements:**[<object>](#object) +- **Parent elements:** [<object>](#object) -- **Child elements:**[<script>](#script) +- **Child elements:** [<script>](#script) Syntax: @@ -1339,7 +1315,7 @@ Syntax: |type|Yes|*typeID* can be Registry or File.| |*ObjectLocation*|Yes|The location of the object.| -The following example is from the MigApp.xml file: +The following example is from the `MigApp.xml` file: ```xml @@ -1356,17 +1332,17 @@ The following example is from the MigApp.xml file: ``` -## <locationModify> +## <locationModify> -You can use the <locationModify> element to change the location and name of an object before it is migrated to the destination computer. The <locationModify> element is processed only when the LoadState tool is run on the destination computer. In other words, this element is ignored by the ScanState tool. The <locationModify> element will create the appropriate folder on the destination computer if it does not already exist. +You can use the **<locationModify>** element to change the location and name of an object before it is migrated to the destination computer. The **<locationModify>** element is processed only when the **LoadState** tool is run on the destination computer. In other words, this element is ignored by the **ScanState** tool. The **<locationModify>** element will create the appropriate folder on the destination computer if it does not already exist. **Number of occurrences:** Unlimited -- **Parent elements:**[<rules>](#rules) +- **Parent elements:** [<rules>](#rules) -- **Required child element:**[<objectSet>](#objectset) +- **Required child element:** [<objectSet>](#objectset) -- **Helper functions:** You can use the following [<locationModify> functions](#locationmodifyfunctions) with this element: ExactMove, RelativeMove, and Move. +- **Helper functions:** You can use the following [<locationModify> functions](#locationmodify-functions) with this element: `ExactMove`, `RelativeMove`, and `Move`. Syntax: @@ -1377,9 +1353,9 @@ Syntax: |Setting|Required?|Value| |--- |--- |--- | -|script|Yes|A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example, `MyScripts.AScript ("Arg1","Arg2")`.

    The script will be called for each object that is enumerated by the object sets in the include rule. The filter script returns a Boolean value. If the return value is TRUE, the object will be migrated. If it is FALSE, it will not be migrated.| +|script|Yes|A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example, `MyScripts.AScript ("Arg1","Arg2")`.

    The script will be called for each object that is enumerated by the object sets in the include rule. The filter script returns a Boolean value. If the return value is **TRUE**, the object will be migrated. If it is **FALSE**, it will not be migrated.| -The following example is from the MigApp.xml file: +The following example is from the `MigApp.xml` file: ```xml @@ -1389,19 +1365,19 @@ The following example is from the MigApp.xml file: ``` -### <locationModify> functions +### <locationModify> functions -The following functions change the location of objects as they are migrated when using the <locationModify> element. These functions are called for every object that the parent <ObjectSet> element is enumerating. The <locationModify> element will create the appropriate folder on the destination computer if it does not already exist. +The following functions change the location of objects as they are migrated when using the **<locationModify>** element. These functions are called for every object that the parent **<objectSet>** element is enumerating. The **<locationModify>** element will create the appropriate folder on the destination computer if it does not already exist. - **ExactMove** - The ExactMove function moves all of the objects that are matched by the parent <ObjectSet> element into the given *ObjectEncodedLocation*. You can use this function when you want to move a single file to a different location on the destination computer. If the destination location is a node, all of the matching source objects will be written to the node without any subdirectories. If the destination location is a leaf, the migration engine will migrate all of the matching source objects to the same location. If a collision occurs, the normal collision algorithms will apply. + The ExactMove function moves all of the objects that are matched by the parent **<objectSet>** element into the given *ObjectEncodedLocation*. You can use this function when you want to move a single file to a different location on the destination computer. If the destination location is a node, all of the matching source objects will be written to the node without any subdirectories. If the destination location is a leaf, the migration engine will migrate all of the matching source objects to the same location. If a collision occurs, the normal collision algorithms will apply. Syntax: `ExactMove(ObjectEncodedLocation)` |Setting|Required?|Value| |--- |--- |--- | - |*ObjectEncodedLocation*|Yes|The destination [location](#locations) for all of the source objects.| + |*ObjectEncodedLocation*|Yes|The destination [location](#specifying-locations) for all of the source objects.| For example: @@ -1413,7 +1389,7 @@ The following functions change the location of objects as they are migrated when ``` -- **Move** +- **Move** The Move function moves objects to a different location on the destination computer. In addition, this function creates subdirectories that were above the longest CSIDL in the source object name. @@ -1423,7 +1399,7 @@ The following functions change the location of objects as they are migrated when |--- |--- |--- | |*DestinationRoot*|Yes|The location where the source objects will be moved. If needed, this function will create any subdirectories that were above the longest CSIDL in the source object name.| -- **RelativeMove** +- **RelativeMove** You can use the RelativeMove function to collect and move data. Note that you can use environment variables in source and destination roots, but they may be defined differently on the source and destination computers. @@ -1431,7 +1407,7 @@ The following functions change the location of objects as they are migrated when |Setting|Required?|Value| |--- |--- |--- | - |*SourceRoot*|Yes|The location from where the objects will be moved. Any source objects that are enumerated by the parent <ObjectSet> element that are not in this location will not be moved.| + |*SourceRoot*|Yes|The location from where the objects will be moved. Any source objects that are enumerated by the parent **<objectSet>** element that are not in this location will not be moved.| |*DestinationRoot*|Yes|The location where the source objects will be moved to on the destination computer. If needed, this function will create any subdirectories that were above *SourceRoot*.| For example: @@ -1449,21 +1425,19 @@ For example: ``` -## <\_locDefinition> - +## <\_locDefinition> This is an internal USMT element. Do not use this element. -## <manufacturer> +## <manufacturer> +The **<manufacturer>** element defines the manufacturer for the component, but does not affect the migration. -The <manufacturer> element defines the manufacturer for the component, but does not affect the migration. +- **Number of occurrences:** zero or one -- **Number of occurrences:** zero or one +- **Parent elements:** [<component>](#component) -- **Parent elements:**[<component>](#component) - -- **Child elements:** none +- **Child elements:** none Syntax: @@ -1475,19 +1449,19 @@ Syntax: |--- |--- |--- | |*Name*|Yes|The name of the manufacturer for the component.| -## <merge> +## <merge> -The <merge> element determines what will happen when a collision occurs. A collision is when an object that is migrated is already present on the destination computer. If you do not specify this element, the default behavior for the registry is for the source object to overwrite the destination object. The default behavior for files is for the source file to be renamed to "OriginalFileName(1).OriginalExtension". This element specifies only what should be done when a collision occurs. It does not include objects. Therefore, for your objects to migrate, you must specify <include> rules along with the <merge> element. When an object is processed and a collision is detected, USMT will select the most specific merge rule and apply it to resolve the conflict. For example, if you have a <merge> rule C:\\\* \[\*\] set to <sourcePriority> and a <merge> rule C:\\subfolder\\\* \[\*\] set to <destinationPriority>, then USMT would use the <destinationPriority> rule because it is the more specific. +The **<merge>** element determines what will happen when a collision occurs. A collision is when an object that is migrated is already present on the destination computer. If you do not specify this element, the default behavior for the registry is for the source object to overwrite the destination object. The default behavior for files is for the source file to be renamed to `OriginalFileName(1).OriginalExtension`. This element specifies only what should be done when a collision occurs. It does not include objects. Therefore, for your objects to migrate, you must specify **<include>** rules along with the **<merge>** element. When an object is processed and a collision is detected, USMT will select the most specific merge rule and apply it to resolve the conflict. For example, if you have a **<merge>** rule `C:\* [*]` set to **<sourcePriority>** and a **<merge>** rule `C:\subfolder\* [*]` set to **<destinationPriority>**, then USMT would use the **<destinationPriority>** rule because it is the more specific. -For an example of this element, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md). +For an example of this element, see [Conflicts and precedence](usmt-conflicts-and-precedence.md). -- **Number of occurrences:** Unlimited +- **Number of occurrences:** Unlimited -- **Parent elements:**[<rules>](#rules) +- **Parent elements:** [<rules>](#rules) -- **Required child element:**[<objectSet>](#objectset) +- **Required child element:** [<objectSet>](#objectset) -- **Helper functions:** You can use the following [<merge> functions](#mergefunctions) with this element: SourcePriority, DestinationPriority, FindFilePlaceByPattern, LeafPattern, NewestVersion, HigherValue(), and LowerValue(). +- **Helper functions:** You can use the following [<merge> functions](#merge-functions) with this element: `SourcePriority`, `DestinationPriority`, `FindFilePlaceByPattern`, `LeafPattern`, `NewestVersion`, `HigherValue()`, and `LowerValue()`. Syntax: @@ -1498,7 +1472,7 @@ Syntax: |Setting|Required?|Value| |--- |--- |--- | -|script|Yes|A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example, `MyScripts.AScript ("Arg1","Arg2")`.

    The script will be called for each object that is enumerated by the object sets in the <include> rule. The filter script returns a Boolean value. If the return value is TRUE, the object will be migrated. If it is FALSE, it will not be migrated.| +|script|Yes|A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example, `MyScripts.AScript ("Arg1","Arg2")`.

    The script will be called for each object that is enumerated by the object sets in the **<include>** rule. The filter script returns a Boolean value. If the return value is **TRUE**, the object will be migrated. If it is **FALSE**, it will not be migrated.| The following example is from the MigUser.xml file: @@ -1517,11 +1491,11 @@ The following example is from the MigUser.xml file: ``` -### <merge> functions +### <merge> functions These functions control how collisions are resolved. -- **DestinationPriority** +- **DestinationPriority** Specifies to keep the object that is on the destination computer and not migrate the object from the source computer. @@ -1537,17 +1511,17 @@ These functions control how collisions are resolved. ``` -- **FindFilePlaceByPattern** +- **FindFilePlaceByPattern** - The FindFilePlaceByPattern function saves files with an incrementing counter when a collision occurs. It is a string that contains one of each constructs: <F>, <E>, <N> in any order. + The FindFilePlaceByPattern function saves files with an incrementing counter when a collision occurs. It is a string that contains one of each constructs: **<F>**, **<E>**, **<N>** in any order. Syntax: `FindFilePlaceByPattern(FilePattern)` |Setting|Required?|Value| |--- |--- |--- | - | *FilePattern* | Yes |
    • **<F>** will be replaced by the original file name.
    • **<N>** will be replaced by an incrementing counter until there is no collision with the objects on the destination computer.
    • **<E>** will be replaced by the original file name extension.

    For example, ` ().` will change the source file MyDocument.doc into MyDocument (1).doc on the destination computer. | + | *FilePattern* | Yes |
    • **<F>** will be replaced by the original file name.
    • **<N>** will be replaced by an incrementing counter until there is no collision with the objects on the destination computer.
    • **<E>** will be replaced by the original file name extension.

    For example, ` ().` will change the source file `MyDocument.doc` into `MyDocument (1).doc` on the destination computer. | -- **NewestVersion** +- **NewestVersion** The NewestVersion function will resolve conflicts on the destination computer based on the version of the file. @@ -1555,17 +1529,17 @@ These functions control how collisions are resolved. |Setting|Required?|Value| |--- |--- |--- | - |*VersionTag*|Yes|The version field that will be checked. This can be "FileVersion" or "ProductVersion". The file with the highest *VersionTag* version determines which conflicts will be resolved based on the file's version. For example, if Myfile.txt contains FileVersion 1 and the same file on the destination computer contains FileVersion 2, the file on destination will remain.| + |*VersionTag*|Yes|The version field that will be checked. This can be `FileVersion` or `ProductVersion`. The file with the highest *VersionTag* version determines which conflicts will be resolved based on the file's version. For example, if `Myfile.txt` contains FileVersion 1 and the same file on the destination computer contains FileVersion 2, the file on destination will remain.| -- **HigherValue()** +- **HigherValue()** You can use this function for merging registry values. The registry values will be evaluated as numeric values, and the one with the higher value will determine which registry values will be merged. -- **LowerValue()** +- **LowerValue()** You can use this function for merging registry values. The registry values will be evaluated as numeric values and the one with the lower value will determine which registry values will be merged. -- **SourcePriority** +- **SourcePriority** Specifies to migrate the object from the source computer, and to delete the object that is on the destination computer. @@ -1581,17 +1555,17 @@ These functions control how collisions are resolved. ``` -## <migration> +## <migration> -The <migration> element is the single root element of a migration .xml file and is required. Each .xml file must have a unique migration urlid. The urlid of each file that you specify on the command line must be unique. This is because USMT uses the urlid to define the components within the file. For example, you must specify the following at the beginning of each file: <CustomFileName> is the name of the file; for example, "CustomApp". +The **<migration>** element is the single root element of a migration .xml file and is required. Each .xml file must have a unique migration urlid. The urlid of each file that you specify on the command line must be unique. This is because USMT uses the urlid to define the components within the file. For example, you must specify the following at the beginning of each file: <CustomFileName> is the name of the file; for example, "CustomApp". -- **Number of occurrences:** one +- **Number of occurrences:** one -- **Parent elements:** none +- **Parent elements:** none -- **Required child elements:**[<component>](#component) +- **Required child elements:** [<component>](#component) -- **Optional child elements:**[<library>](#library), [<namedElements>](#namedelements) +- **Optional child elements:** [<library>](#library), [<namedElements>](#namedelements) Syntax: @@ -1605,7 +1579,7 @@ Syntax: |urlid|Yes|*UrlID* is a string identifier that uniquely identifies this .xml file. This parameter must be a no-colon-name as defined by the XML Namespaces specification. Each migration .xml file must have a unique urlid. If two migration .xml files have the same urlid, the second .xml file that is specified on the command line will not be processed. For more information about XML Namespaces, see [Use XML Namespaces](/previous-versions/windows/desktop/ms754539(v=vs.85)).| |Name|No|Although not required, it is good practice to use the name of the .xml file.| -The following example is from the MigApp.xml file: +The following example is from the `MigApp.xml` file: ```xml @@ -1638,9 +1612,9 @@ This filter helper function can be used to filter the migration of files based o ``` -## <namedElements> +## <namedElements> -You can use the **<namedElements>** element to define named elements. You can use these elements in any component throughout your .xml file. For an example of how to use this element, see the MigApp.xml file. +You can use the **<namedElements>** element to define named elements. You can use these elements in any component throughout your .xml file. For an example of how to use this element, see the `MigApp.xml` file. Syntax: @@ -1649,25 +1623,25 @@ Syntax: ``` -- **Number of occurrences:** Unlimited +- **Number of occurrences:** Unlimited -- **Parent elements:**[<migration>](#migration) +- **Parent elements:** [<migration>](#migration) -- **Child elements:**[<environment>](#bkmk-environment), [<rules>](#rules), [<conditions>](#conditions), [<detection>](#detection), <detects>, <detect> +- **Child elements:** [<environment>](#environment), [<rules>](#rules), [<conditions>](#conditions), [<detection>](#detection), [<detects>](#detects), [<detect>](#detect) -For an example of this element, see the MigApp.xml file. +For an example of this element, see the `MigApp.xml` file. -## <object> +## <object> -The <object> element represents a file or registry key. +The **<object>** element represents a file or registry key. -- **Number of occurrences:** Unlimited +- **Number of occurrences:** Unlimited -- **Parent elements:**[<addObjects>](#addobjects) +- **Parent elements:** [<addObjects>](#addobjects) -- **Required child elements:**[<location>](#location), [<attributes>](#attribute) +- **Required child elements:** [<location>](#location), [<attributes>](#attributes) -- **Optional child elements:**[<bytes>](#bytes) +- **Optional child elements:** [<bytes>](#bytes) Syntax: @@ -1676,7 +1650,7 @@ Syntax: ``` -The following example is from the MigApp.xml file: +The following example is from the `MigApp.xml` file: ```xml @@ -1693,18 +1667,17 @@ The following example is from the MigApp.xml file: ``` -## <objectSet> +## <objectSet> +The **<objectSet>** element contains a list of object patterns ; for example, file paths, registry locations, and so on. Any child **<conditions>** elements will be evaluated first. If all child **<conditions>** elements return **FALSE**, the **<objectSet>** element will evaluate to an empty set. For each parent element, there can be only multiple **<objectSet>** elements. -The <objectSet> element contains a list of object patterns ; for example, file paths, registry locations, and so on. Any child <conditions> elements will be evaluated first. If all child <conditions> elements return FALSE, the <objectSet> element will evaluate to an empty set. For each parent element, there can be only multiple <objectSet> elements. +- **Number of occurrences:** Unlimited -- **Number of occurrences:** Unlimited +- **Parent elements:** [<variable>](#variable), [<content>](#content), [<include>](#include), [<exclude>](#exclude), [<merge>](#merge), [<contentModify>](#contentmodify), [<locationModify>](#locationmodify), [<destinationCleanup>](#destinationcleanup), [<includeAttributes>](#includeattributes), [<excludeAttributes>](#excludeattributes), [<unconditionalExclude>](#unconditionalexclude), [<detect>](#detect) -- **Parent elements:**[<variable>](#variable), [<content>](#content), [<include>](#include), [<exclude>](#exclude), [<merge>](#merge), [<contentModify>](#contentmodify), [<locationModify>](#locationmodify), [<destinationCleanup>](#destinationcleanup), [<includeAttributes>](#includeattributes), [<excludeAttributes>](#excludeattributes), [<unconditionalExclude>](#unconditionalexclude), <detect> +- **Required child elements:** either [<script>](#script) or [<pattern>](#pattern) -- **Required child elements:** either [<script>](#script) or [<pattern>](#pattern) - -- **Optional child elements:**[<content>](#content), [conditions](#conditions), <condition> +- **Optional child elements:** [<content>](#content), [<conditions>](#conditions), [<condition>](#condition) Syntax: @@ -1743,31 +1716,28 @@ The following example is from the MigUser.xml file: ``` -## <path> - +## <path> This is an internal USMT element. Do not use this element. -## <paths> - +## <paths> This is an internal USMT element. Do not use this element. -## <pattern> +## <pattern> - -You can use this element to specify multiple objects. You can specify multiple <pattern> elements for each <objectSet> element and they will be combined. If you are specifying files, you may want to use GenerateDrivePatterns with <script> instead. GenerateDrivePatterns is basically the same as a <pattern> rule, without the drive letter specification. For example, the following two lines of code are similar: +You can use this element to specify multiple objects. You can specify multiple **<pattern>** elements for each **<objectSet>** element and they will be combined. If you are specifying files, you may want to use `GenerateDrivePatterns` with **<script>** instead. `GenerateDrivePatterns` is basically the same as a **<pattern>** rule, without the drive letter specification. For example, the following two lines of code are similar: ```xml C:\Folder\* [Sample.doc] ``` -- **Number of occurrences:** Unlimited +- **Number of occurrences:** Unlimited -- **Parent elements:**[<objectSet>](#objectset) +- **Parent elements:** [<objectSet>](#objectset) -- **Child elements:** none but *Path* \[*object*\] must be valid. +- **Child elements:** none but *Path* \[*object*\] must be valid. Syntax: @@ -1778,49 +1748,49 @@ Syntax: |Setting|Required?|Value| |--- |--- |--- | | type | Yes | *typeID* can be Registry, File, or Ini. If *typeId* is Ini, then you cannot have a space between *Path* and *object*. For example, the following is correct when type="Ini":
    **<pattern type="Ini">%WinAmp5InstPath%\Winamp.ini|WinAmp[keeponscreen]</pattern>** | -| *Path* [*object*] | Yes | A valid registry or file path pattern, followed by at least one space, followed by brackets [] that contain the object to be migrated.
    • *Path* can contain the asterisk (*) wildcard character or can be an [Recognized Environment Variables](usmt-recognized-environment-variables.md). You cannot use the question mark as a wildcard character.You can use HKCU and HKLM to refer to HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE respectively.
    • *Object* can contain the asterisk () wildcard character. However, you cannot use the question mark as a wildcard character. For example:
      **`C:\Folder\ [*]`** enumerates all files in C:<em>Path* but no subfolders of C:\Folder.
      **`C:\Folder* [*]`** enumerates all files and subfolders of C:\Folder.
      **`C:\Folder\ [*.mp3]`** enumerates all .mp3 files in C:\Folder.
      **`C:\Folder\ [Sample.doc]`** enumerates only the Sample.doc file located in C:\Folder.
      **Note**
      If you are migrating a file that has a square bracket character ([ or ]) in the file name, you must insert the carrot (^) character directly before the bracket for it to be valid. For example, if there is a file named "file].txt", you must specify `c:\documents\mydocs [file^].txt]` instead of `c:\documents\mydocs [file].txt]`.
    | +| *Path* [*object*] | Yes | A valid registry or file path pattern, followed by at least one space, followed by brackets [] that contain the object to be migrated.
    • *Path* can contain the asterisk (`*`) wildcard character or can be an [Recognized environment variables](usmt-recognized-environment-variables.md). You cannot use the question mark as a wildcard character. You can use `HKCU` and `HKLM` to refer to `HKEY_CURRENT_USER` and `HKEY_LOCAL_MACHINE` respectively.
    • *Object* can contain the asterisk (`*`) wildcard character. However, you cannot use the question mark as a wildcard character. For example:
      **`C:\Folder\ [*]`** enumerates all files in `C:\Folder` but no subfolders of `C:\Folder`.
      **`C:\Folder* [*]`** enumerates all files and subfolders of `C:\Folder`.
      **`C:\Folder\ [*.mp3]`** enumerates all `.mp3` files in `C:\Folder`.
      **`C:\Folder\ [Sample.doc]`** enumerates only the `Sample.doc` file located in C:\Folder.
      **Note**
      If you are migrating a file that has a square bracket character ([ or ]) in the file name, you must insert the carrot (^) character directly before the bracket for it to be valid. For example, if there is a file named "file].txt", you must specify `c:\documents\mydocs [file^].txt]` instead of `c:\documents\mydocs [file].txt]`.
    | For example: -- To migrate a single registry key: +- To migrate a single registry key: ```xml HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache [Persistent] ``` -- To migrate the EngineeringDrafts folder and any subfolders from the C: drive: +- To migrate the `C:\EngineeringDrafts` folder and any subfolders from the C: drive: ```xml C:\EngineeringDrafts\* [*] ``` -- To migrate only the EngineeringDrafts folder, excluding any subfolders, from the C: drive: +- To migrate only the `C:\EngineeringDrafts` folder, excluding any subfolders, from the C: drive: - [Reroute Files and Settings](usmt-reroute-files-and-settings.md) + [Reroute files and settings](usmt-reroute-files-and-settings.md) -- To migrate the Sample.doc file from C:\\EngineeringDrafts: +- To migrate the `Sample.doc` file from `C:\EngineeringDrafts`: ```xml C:\EngineeringDrafts\ [Sample.doc] ``` -- To migrate the Sample.doc file from where ever it exists on the C: drive use pattern in the following way. If multiple files exist with the same name on the C: drive, then all of these files will be migrated. +- To migrate the `Sample.doc` file from where ever it exists on the C: drive use pattern in the following way. If multiple files exist with the same name on the C: drive, then all of these files will be migrated. ```xml C:\* [Sample.doc] ``` -- For more examples of how to use this element, see [Exclude Files and Settings](usmt-exclude-files-and-settings.md), [Reroute Files and Settings](usmt-reroute-files-and-settings.md), [Include Files and Settings](usmt-include-files-and-settings.md), and [Custom XML Examples](usmt-custom-xml-examples.md). +- For more examples of how to use this element, see [Exclude files and settings](usmt-exclude-files-and-settings.md), [Reroute files and settings](usmt-reroute-files-and-settings.md), [Include files and settings](usmt-include-files-and-settings.md), and [Custom XML examples](usmt-custom-xml-examples.md). -## <processing> +## <processing> You can use this element to run a script during a specific point within the migration process. Return values are not expected from the scripts that you specify, and if there are return values, they will be ignored. -- **Number of occurrences:** unlimited +- **Number of occurrences:** unlimited -- **Parent elements:**[<rules>](#rules) +- **Parent elements:** [<rules>](#rules) -- **Required child element:**[<script>](#script) +- **Required child element:** [<script>](#script) Syntax: @@ -1833,21 +1803,21 @@ Syntax: |--- |--- |--- | | when | Yes | Indicates when the script should be run. This value can be one of the following:
    • **pre-scan** means before the scanning process begins.
    • **scan-success** means after the scanning process has finished successfully.
    • **post-scan** means after the scanning process has finished, whether it was successful or not.
    • **pre-apply** means before the apply process begins.
    • **apply-success** means after the apply process has finished successfully.
    • **post-apply** means after the apply process has finished, whether it was successful or not.
    | -## <plugin> +## <plugin> This is an internal USMT element. Do not use this element. -## <role> +## <role> -The <role> element is required in a custom .xml file. By specifying the <role> element, you can create a concrete component. The component will be defined by the parameters specified at the <component> level, and with the role that you specify here. +The **<role>** element is required in a custom .xml file. By specifying the **<role>** element, you can create a concrete component. The component will be defined by the parameters specified at the **<component>** level, and with the role that you specify here. -- **Number of occurrences:** Each <component> can have one, two or three child <role> elements. +- **Number of occurrences:** Each **<component>** can have one, two or three child **<role>** elements. -- **Parent elements:**[<component>](#component), [<role>](#role) +- **Parent elements:** [<component>](#component), [<role>](#role) -- **Required child elements:**[<rules>](#rules) +- **Required child elements:** [<rules>](#rules) -- **Optional child elements:**[<environment>](#bkmk-environment), [<detection>](#detection), [<component>](#component), [<role>](#role), <detects>, <plugin>, +- **Optional child elements:** [<environment>](#environment), [<detection>](#detection), [<component>](#component), [<role>](#role), [<detects>](#detects), [<plugin>](#plugin) Syntax: @@ -1858,9 +1828,9 @@ Syntax: |Setting|Required?|Value| |--- |--- |--- | -| role | Yes | Defines the role for the component. Role can be one of:
    • **Container**
    • **Binaries**
    • **Settings**
    • **Data**
    You can either:
    1. Specify up to three <role> elements within a <component> — one "Binaries" role element, one "Settings" role element and one "Data" role element. These parameters do not change the migration behavior — their only purpose is to help you categorize the settings that you are migrating. You can nest these <role> elements, but each nested element must be of the same role parameter.
    2. Specify one "Container" <role> element within a <component> element. In this case, you cannot specify any child <rules> elements, only other <component> elements. And each child <component> element must have the same type as that of parent <component> element. For example:
    <component context="UserAndSystem" type="Application"> 
      <displayName _locID="migapp.msoffice2003">Microsoft Office 2003</displayName> 
      <environment name="GlobalEnv" /> 
      <role role="Container">
        <detection name="AnyOffice2003Version" /> 
        <detection name="FrontPage2003" /> 
        <!-- 
     Office 2003 Common Settings 
      --> 
         <component context="UserAndSystem" type="Application">
    | +| role | Yes | Defines the role for the component. Role can be one of:
    • **Container**
    • **Binaries**
    • **Settings**
    • **Data**
    You can either:
    1. Specify up to three **<role>** elements within a **<component>** — one "Binaries" role element, one "Settings" role element and one "Data" role element. These parameters do not change the migration behavior — their only purpose is to help you categorize the settings that you are migrating. You can nest these **<role>** elements, but each nested element must be of the same role parameter.
    2. Specify one "Container" **<role>** element within a **<component>** element. In this case, you cannot specify any child **<rules>** elements, only other **<component>** elements. And each child **<component>** element must have the same type as that of parent **<component>** element. For example:
    <component context="UserAndSystem" type="Application"> 
      <displayName _locID="migapp.msoffice2003">Microsoft Office 2003</displayName> 
      <environment name="GlobalEnv" /> 
      <role role="Container">
        <detection name="AnyOffice2003Version" /> 
        <detection name="FrontPage2003" /> 
        <!-- 
     Office 2003 Common Settings 
      --> 
         <component context="UserAndSystem" type="Application">
    | -The following example is from the MigUser.xml file. For more examples, see the MigApp.xml file: +The following example is from the MigUser.xml file. For more examples, see the `MigApp.xml` file: ```xml @@ -1891,18 +1861,17 @@ The following example is from the MigUser.xml file. For more examples, see the M ``` -## <rules> +## <rules> +The **<rules>** element is required in a custom .xml file. This element contains rules that will run during the migration if the parent **<component>** element is selected, unless the child **<conditions>** element, if present, evaluates to **FALSE**. For each **<rules>** element there can be multiple child **<rules>** elements. -The <rules> element is required in a custom .xml file. This element contains rules that will run during the migration if the parent <component> element is selected, unless the child <conditions> element, if present, evaluates to FALSE. For each <rules> element there can be multiple child <rules> elements. +- **Number of occurrences:** unlimited -- **Number of occurrences:** unlimited +- **Parent elements:** [<role>](#role), [<rules>](#rules), [<namedElements>](#namedelements) -- **Parent elements:**[<role>](#role), [<rules>](#rules), [<namedElements>](#namedelements) +- **Required child elements:** [<include>](#include) -- **Required child elements:**[<include>](#include) - -- **Optional child elements:**[<rules>](#rules), [<exclude>](#exclude), [<unconditionalExclude>](#unconditionalexclude),[<merge>](#merge), [<contentModify>](#contentmodify), [<locationModify>](#locationmodify), [<destinationCleanup>](#destinationcleanup), [<addObjects>](#addobjects), [<externalProcess>](#externalprocess), [<processing>](#processing), [<includeAttributes>](#includeattributes), [<excludeAttributes>](#excludeattributes), [conditions](#conditions), <detects> +- **Optional child elements:** [<rules>](#rules), [<exclude>](#exclude), [<unconditionalExclude>](#unconditionalexclude),[<merge>](#merge), [<contentModify>](#contentmodify), [<locationModify>](#locationmodify), [<destinationCleanup>](#destinationcleanup), [<addObjects>](#addobjects), [<externalProcess>](#externalprocess), [<processing>](#processing), [<includeAttributes>](#includeattributes), [<excludeAttributes>](#excludeattributes), [conditions](#conditions), [<detects>](#detects) Syntax: @@ -1913,8 +1882,8 @@ Syntax: |Setting|Required?|Value| |--- |--- |--- | -| name | Yes, when <rules> is a child to <namedElements>
    No, when <rules> is a child to any other element | When *ID* is specified, any child elements are not processed. Instead, any other <rules> elements with the same name that are declared within <namedElements> are processed. | -| context | No
    (default = UserAndSystem) | Defines the scope of this parameter — whether to process this component in the context of the specific user, across the entire operating system, or both.
    The largest possible scope is set by the component element. For example, if a <component> element has a context of User and a <rules> element had a context of UserAndSystem, then the <rules> element would act as though it has a context of User. If <rules> had a context of System, it would act as though <rules> was not there.
    • **User.** Evaluates the variables for each user.
    • **System.** Evaluates the variables only once for the system.
    • **UserAndSystem.** Evaluates the variables for the entire operating system and each user.
    | +| name | Yes, when **<rules>** is a child to **<namedElements>**
    No, when **<rules>** is a child to any other element | When *ID* is specified, any child elements are not processed. Instead, any other **<rules>** elements with the same name that are declared within **<namedElements>** are processed. | +| context | No
    (default = UserAndSystem) | Defines the scope of this parameter — whether to process this component in the context of the specific user, across the entire operating system, or both.
    The largest possible scope is set by the component element. For example, if a **<component>** element has a context of **User** and a **<rules>** element had a context of **UserAndSystem**, then the **<rules>** element would act as though it has a context of **User**. If **<rules>** had a context of **System**, it would act as though **<rules>** was not there.
    • **User**: Evaluates the variables for each user.
    • **System**: Evaluates the variables only once for the system.
    • **UserAndSystem**: Evaluates the variables for the entire operating system and each user.
    | The following example is from the MigUser.xml file: @@ -1946,40 +1915,39 @@ The following example is from the MigUser.xml file: ``` -## <script> +## <script> - -The return value that is required by <script> depends on the parent element. +The return value that is required by **<script>** depends on the parent element. **Number of occurrences:** Once for [<variable>](#variable), unlimited for [<objectSet>](#objectset) and [<processing>](#processing) -**Parent elements:**[<objectSet>](#objectset), [<variable>](#variable), [<processing>](#processing) +**Parent elements:** [<objectSet>](#objectset), [<variable>](#variable), [<processing>](#processing) **Child elements:** none **Syntax and helper functions:** -- General Syntax: `` +- General Syntax: `` -- You can use [GetStringContent](#scriptfunctions) when <script> is within <variable>. +- You can use [GetStringContent](#script-functions) when **<script>** is within **<variable>**. Syntax: `` Example: `` -- You can use [GenerateUserPatterns](#scriptfunctions) when <script> is within <objectSet>. +- You can use [GenerateUserPatterns](#script-functions) when **<script>** is within **<objectSet>**. Syntax: `` Example: `` -- You can use [GenerateDrivePatterns](#scriptfunctions) when <script> is within <objectSet>. +- You can use [GenerateDrivePatterns](#script-functions) when **<script>** is within **<objectSet>**. Syntax: `` Example: `` -- You can use the [Simple executing scripts](#scriptfunctions) with <script> elements that are within <processing> elements: AskForLogoff, ConvertToShortFileName, KillExplorer, RemoveEmptyDirectories, RestartExplorer, RegisterFonts, StartService, StopService, SyncSCM. +- You can use the [Simple executing scripts](#script-functions) with **<script>** elements that are within **<processing>** elements: AskForLogoff, ConvertToShortFileName, KillExplorer, RemoveEmptyDirectories, RestartExplorer, RegisterFonts, StartService, StopService, SyncSCM. Syntax: `` @@ -1987,11 +1955,11 @@ The return value that is required by <script> depends on the parent elemen |Setting|Required?|Value| |--- |--- |--- | -| *ScriptWithArguments* | Yes | A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example, `MyScripts.AScript ("Arg1","Arg2")`.
    The script will be called for each object that is enumerated by the object sets in the <include> rule. The filter script returns a Boolean value. If the return value is TRUE, the object will be migrated. If it is FALSE, it will not be migrated.
    The return value that is required by <script> depends on the parent element.
    • When used within <variable>, the return value must be a string.
    • When used within <objectSet>, the return value must be a two-dimensional array of strings.
    • When used within <location>, the return value must be a valid location that aligns with the type attribute of <location>. For example, if <location type="File">, the child script element, if specified, must be a valid file location.
      **Note**
      If you are migrating a file that has a bracket character ([ or ]) in the file name, insert the carrot (^) character directly before the bracket for it to be valid. For example, if there is a file named "file].txt", specify `c:\documents\mydocs [file^].txt]` instead of `c:\documents\mydocs [file].txt]`.
    | +| *ScriptWithArguments* | Yes | A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example, `MyScripts.AScript ("Arg1","Arg2")`.
    The script will be called for each object that is enumerated by the object sets in the **<include>** rule. The filter script returns a Boolean value. If the return value is **TRUE**, the object will be migrated. If it is **FALSE**, it will not be migrated.
    The return value that is required by **<script>** depends on the parent element.
    • When used within **<variable>**, the return value must be a string.
    • When used within **<objectSet>**, the return value must be a two-dimensional array of strings.
    • When used within **<location>**, the return value must be a valid location that aligns with the type attribute of **<location>**. For example, if <location type="File">, the child script element, if specified, must be a valid file location.
      **Note**
      If you are migrating a file that has a bracket character ([ or ]) in the file name, insert the carrot (^) character directly before the bracket for it to be valid. For example, if there is a file named "file].txt", specify `c:\documents\mydocs [file^].txt]` instead of `c:\documents\mydocs [file].txt]`.
    | Examples: -To migrate the Sample.doc file from any drive on the source computer, use <script> as follows. If multiple files exist with the same name, all such files will get migrated. +To migrate the Sample.doc file from any drive on the source computer, use **<script>** as follows. If multiple files exist with the same name, all such files will get migrated. ```xml @@ -1999,29 +1967,29 @@ To migrate the Sample.doc file from any drive on the source computer, use <sc For more examples of how to use this element, see [Exclude Files and Settings](usmt-exclude-files-and-settings.md), [Reroute Files and Settings](usmt-reroute-files-and-settings.md), and [Custom XML Examples](usmt-custom-xml-examples.md). -### <script> functions +### <script> functions -You can use the following functions with the <script> element +You can use the following functions with the **<script>** element -- [String and pattern generating functions](#stringgeneratingfunctions) +- [String and pattern generating functions](#string-and-pattern-generating-functions) -- [Simple executing scripts](#simple) +- [Simple executing scripts](#simple-executing-scripts) -### String and pattern generating functions +### String and pattern generating functions These functions return either a string or a pattern. -- **GetStringContent** +- **GetStringContent** - You can use GetStringContent with <script> elements that are within <variable> elements. If possible, this function returns the string representation of the given object. Otherwise, it returns NULL. For file objects this function always returns NULL. + You can use GetStringContent with **<script>** elements that are within **<variable>** elements. If possible, this function returns the string representation of the given object. Otherwise, it returns **NULL**. For file objects this function always returns **NULL**. Syntax: `GetStringContent("ObjectType","EncodedLocationPattern", "ExpandContent")` |Setting|Required?|Value| |--- |--- |--- | | *ObjectType* | Yes | The type of object. Can be Registry or Ini (for an .ini file). | - | *EncodedLocationPattern* | Yes |
    • If type of object is Registry, EncodedLocationPattern must be a valid registry path. For example, HKLM\SOFTWARE\MyKey[].
    • If the type of object is Ini, then EncodedLocationPattern must be in the following format:
      IniFilePath|SectionName[SettingName]
    | - | *ExpandContent* | No (default=TRUE) | Can be TRUE or FALSE. If FALSE, then the given location will not be expanded before it is returned. | + | *EncodedLocationPattern* | Yes |
    • If type of object is Registry, EncodedLocationPattern must be a valid registry path. For example, `HKLM\SOFTWARE\MyKey[]`.
    • If the type of object is Ini, then EncodedLocationPattern must be in the following format:
      **IniFilePath|SectionName[SettingName]**
    | + | *ExpandContent* | No (default=TRUE) | Can be **TRUE** or **FALSE**. If **FALSE**, then the given location will not be expanded before it is returned. | For example: @@ -2033,40 +2001,40 @@ These functions return either a string or a pattern. - **GenerateDrivePatterns** - The GenerateDrivePatterns function will iterate all of the available drives and select the ones that match the requested drive type. It will then concatenate the selected drives with the end part of *PatternSegment* to form a full encoded file pattern. For example, if *PatternSegment* is `Path [file.txt]` and DriveType is `Fixed`, then the function will generate `C:\Path [file.txt]`, and other patterns if there are fixed drives other than C:. You cannot specify environment variables with this function. You can use GenerateDrivePatterns with <script> elements that are within [<objectSet>](#objectset) that are within <include>/<exclude>. + The `GenerateDrivePatterns` function will iterate all of the available drives and select the ones that match the requested drive type. It will then concatenate the selected drives with the end part of *PatternSegment* to form a full encoded file pattern. For example, if *PatternSegment* is `Path [file.txt]` and *DriveType* is `Fixed`, then the function will generate `C:\Path [file.txt]`, and other patterns if there are fixed drives other than C:. You cannot specify environment variables with this function. You can use `GenerateDrivePatterns` with **<script>** elements that are within [<objectSet>](#objectset) that are within **<include>**/**<exclude>**. Syntax: `GenerateDrivePatterns("PatternSegment","DriveType")` |Setting|Required?|Value| |--- |--- |--- | - | *PatternSegment* | Yes | The suffix of an encoded pattern. It will be concatenated with a drive specification, such as "c:", to form a complete [encoded file pattern](#locations). For example, "* [*.doc]". *PatternSegment* cannot be an environment variable. | + | *PatternSegment* | Yes | The suffix of an encoded pattern. It will be concatenated with a drive specification, such as "c:", to form a complete [encoded file pattern](#specifying-locations). For example, "* [*.doc]". *PatternSegment* cannot be an environment variable. | | *DriveType* | Yes | The drive type for which the patterns are to be generated. You can specify one of:
    • Fixed
    • CDROM
    • Removable
    • Remote
    | See the last component in the MigUser.xml file for an example of this element. - **GenerateUserPatterns** - The function will iterate through all users that are being migrated, excluding the currently processed user if <ProcessCurrentUser> is FALSE, and will expand the specified pattern in the context of each user. For example, if users A, B and C have profiles in C:\\Documents and Settings), by calling `GenerateUserPattens('File','%userprofile% [*.doc]','TRUE')`, the helper function will generate the following three patterns: + The `GenerateUserPatterns` function will iterate through all users that are being migrated, excluding the currently processed user if **<ProcessCurrentUser>** is **FALSE**, and will expand the specified pattern in the context of each user. For example, if users A, B, and C have profiles in `C:\Documents and Settings`, by calling `GenerateUserPattens('File','%userprofile% [*.doc]','TRUE')`, the helper function will generate the following three patterns: - - "C:\\Documents and Settings\\A\\\* \[\*.doc\]" + - "C:\\Documents and Settings\\A\\\* \[\*.doc\]" - - "C:\\Documents and Settings\\B\\\* \[\*.doc\]" + - "C:\\Documents and Settings\\B\\\* \[\*.doc\]" - - "C:\\Documents and Settings\\C\\\* \[\*.doc\]" + - "C:\\Documents and Settings\\C\\\* \[\*.doc\]" Syntax: `GenerateUserPatterns("ObjectType","EncodedLocationPattern","ProcessCurrentUser")` |Setting|Required?|Value| |--- |--- |--- | |*ObjectType*|Yes|Defines the object type. Can be File or Registry.| - |*EncodedLocationPattern*|Yes|The [location pattern](#locations). Environment variables are allowed.| - |*ProcessCurrentUser*|Yes|Can be TRUE or FALSE. Indicates if the patterns should be generated for the current user.| + |*EncodedLocationPattern*|Yes|The [location pattern](#specifying-locations). Environment variables are allowed.| + |*ProcessCurrentUser*|Yes|Can be **TRUE** or **FALSE**. Indicates if the patterns should be generated for the current user.| **Example:** -If GenerateUserPattens('File','%userprofile% \[\*.doc\]','FALSE') is called while USMT is processing user A, then this function will only generate patterns for users B and C. You can use this helper function to build complex rules. For example, to migrate all .doc files from the source computer — but if user X is not migrated, then do not migrate any of the .doc files from user X's profile. +If `GenerateUserPattens('File','%userprofile% [*.doc]','FALSE')` is called while USMT is processing user A, then this function will only generate patterns for users B and C. You can use this helper function to build complex rules. For example, to migrate all `.doc` files from the source computer — but if user X is not migrated, then do not migrate any of the `.doc` files from user X's profile. -The following is example code for this scenario. The first <rules> element migrates all.doc files on the source computer with the exception of those inside C:\\Documents and Settings. The second <rules> elements will migrate all .doc files from C:\\Documents and Settings with the exception of the .doc files in the profiles of the other users. Because the second <rules> element will be processed in each migrated user context, the end result will be the desired behavior. The end result is the one we expected. +The following is example code for this scenario. The first **<rules>** element migrates all `.doc` files on the source computer with the exception of those inside `C:\Documents and Settings`. The second **<rules>** elements will migrate all `.doc` files from `C:\Documents and Settings` with the exception of the `.doc` files in the profiles of the other users. Because the second **<rules>** element will be processed in each migrated user context, the end result will be the desired behavior. The end result is the one we expected. ```xml @@ -2097,13 +2065,13 @@ The following is example code for this scenario. The first <rules> element ### MigXmlHelper.GenerateDocPatterns -This helper function invokes the document finder to scan the system for all files that can be migrated. It can be invoked in either System or User context to focus the scan. +The `MigXmlHelper.GenerateDocPatterns` helper function invokes the document finder to scan the system for all files that can be migrated. It can be invoked in either **System** or **User** context to focus the scan. |Setting|Required?|Value| |--- |--- |--- | -|*ScanProgramFiles*|No (default = FALSE)|Can be TRUE or FALSE. The *ScanProgramFiles* parameter determines whether or not the document finder scans the **Program Files** directory to gather registered file extensions for known applications. For example, when set to TRUE it will discover and migrate .jpg files under the Photoshop directory, if .jpg is a file extension registered to Photoshop.| -|*IncludePatterns*|No (default = TRUE)|Can be TRUE or FALSE. TRUE will generate include patterns and can be added under the <include> element. FALSE will generate exclude patterns and can be added under the <exclude> element.| -|*SystemDrive*|No (default = FALSE)|Can be TRUE or FALSE. If TRUE, restricts all patterns to the system drive.| +|*ScanProgramFiles*|No (default = FALSE)|Can be **TRUE** or **FALSE**. The *ScanProgramFiles* parameter determines whether or not the document finder scans the **Program Files** directory to gather registered file extensions for known applications. For example, when set to **TRUE** it will discover and migrate .jpg files under the Photoshop directory, if `.jpg` is a file extension registered to Photoshop.| +|*IncludePatterns*|No (default = TRUE)|Can be **TRUE** or **FALSE**. **TRUE** will generate include patterns and can be added under the **<include>** element. **FALSE** will generate exclude patterns and can be added under the **<exclude>** element.| +|*SystemDrive*|No (default = FALSE)|Can be **TRUE** or **FALSE**. If **TRUE**, restricts all patterns to the system drive.| ```xml @@ -2126,11 +2094,11 @@ This helper function invokes the document finder to scan the system for all file ``` -### Simple executing scripts +### Simple executing scripts -The following scripts have no return value. You can use the following errors with <script> elements that are within <processing> elements +The following scripts have no return value. You can use the following errors with **<script>** elements that are within **<processing>** elements -- **AskForLogoff()**. Prompts the user to log off at the end of the migration. For example: +- **AskForLogoff()**. Prompts the user to log off at the end of the migration. For example: ```xml @@ -2138,9 +2106,9 @@ The following scripts have no return value. You can use the following errors wit ``` -- **ConvertToShortFileName(RegistryEncodedLocation)**. If *RegistryEncodedLocation* is the full path of an existing file, this function will convert the file to its short file name and then it will update the registry value. +- **ConvertToShortFileName(RegistryEncodedLocation)**. If *RegistryEncodedLocation* is the full path of an existing file, this function will convert the file to its short file name and then it will update the registry value. -- **KillExplorer()**. Stops Explorer.exe for the current user context. This allows access to certain keys and files that are kept open when Explorer.exe is running. For example: +- **KillExplorer()**. Stops Explorer.exe for the current user context. This allows access to certain keys and files that are kept open when Explorer.exe is running. For example: ```xml @@ -2148,7 +2116,7 @@ The following scripts have no return value. You can use the following errors wit ``` -- **RegisterFonts(FileEncodedLocation)**. Registers the given font or all of the fonts in the given directory. For example: +- **RegisterFonts(FileEncodedLocation)**. Registers the given font or all of the fonts in the given directory. For example: ```xml @@ -2156,9 +2124,9 @@ The following scripts have no return value. You can use the following errors wit ``` -- **RemoveEmptyDirectories (DirectoryEncodedPattern).** Deletes any empty directories that match *DirectoryEncodedPattern* on the destination computer. +- **RemoveEmptyDirectories (DirectoryEncodedPattern).** Deletes any empty directories that match *DirectoryEncodedPattern* on the destination computer. -- **RestartExplorer().** Restarts Explorer.exe at the end of the migration. For example: +- **RestartExplorer().** Restarts Explorer.exe at the end of the migration. For example: ```xml @@ -2166,22 +2134,21 @@ The following scripts have no return value. You can use the following errors wit ``` -- **StartService (ServiceName, OptionalParam1, OptionalParam2,…).** Starts the service identified by *ServiceName. ServiceName* is the subkey in HKLM\\System\\CurrentControlSet\\Services that holds the data for the given service. The optional parameters, if any, will be passed to the StartService API. For more information, see [this Microsoft Web site](/windows/win32/api/winsvc/nf-winsvc-startservicea). +- **StartService (ServiceName, OptionalParam1, OptionalParam2,…).** Starts the service identified by *ServiceName. ServiceName* is the subkey in `HKLM\System\CurrentControlSet\Services` that holds the data for the given service. The optional parameters, if any, will be passed to the StartService API. For more information, see the [StartServiceA function (winsvc.h)](/windows/win32/api/winsvc/nf-winsvc-startservicea) article. -- **StopService (ServiceName)**. Stops the service that is identified by *ServiceName. ServiceName* is the subkey in HKLM\\System\\CurrentControlSet\\Services that holds the data for the given service. +- **StopService (ServiceName)**. Stops the service that is identified by *ServiceName. ServiceName* is the subkey in `HKLM\System\CurrentControlSet\Services` that holds the data for the given service. -- **SyncSCM(ServiceShortName).** Reads the Start type value from the registry (HKLM\\System\\CurrentControlSet\\Services\\ServiceShortName \[Start\]) after it is changed by the migration engine, and then synchronizes Service Control Manager (SCM) with the new value. +- **SyncSCM(ServiceShortName).** Reads the Start type value from the registry `(HKLM\System\CurrentControlSet\Services\ServiceShortName [Start])` after it is changed by the migration engine, and then synchronizes Service Control Manager (SCM) with the new value. -## <text> +## <text> +You can use the **<text>** element to set a value for any environment variables that are inside one of the migration .xml files. -You can use the <text> element to set a value for any environment variables that are inside one of the migration .xml files. +- **Number of occurrences:** Once in each [<variable>](#variable) element. -- **Number of occurrences:** Once in each [<variable>](#variable) element. +- **Parent elements:** [<variable>](#variable) -- **Parent elements:**[<variable>](#variable) - -- **Child elements:** None. +- **Child elements:** None. Syntax: @@ -2201,18 +2168,17 @@ For example: ``` -## <unconditionalExclude> +## <unconditionalExclude> +The **<unconditionalExclude>** element excludes the specified files and registry values from the migration, regardless of the other include rules in any of the migration .xml files or in the `Config.xml` file. The objects declared here will not be migrated because this element takes precedence over all other rules. For example, even if there are explicit **<include>** rules to include `.mp3` files, if you specify to exclude them with this option, then they will not be migrated. -The <unconditionalExclude> element excludes the specified files and registry values from the migration, regardless of the other include rules in any of the migration .xml files or in the Config.xml file. The objects declared here will not be migrated because this element takes precedence over all other rules. For example, even if there are explicit <include> rules to include .mp3 files, if you specify to exclude them with this option, then they will not be migrated. +Use this element if you want to exclude all `.mp3` files from the source computer. Or, if you are backing up `C:\UserData` using another method, you can exclude the entire folder from the migration. Use this element with caution, however, because if an application needs a file that you exclude, the application may not function properly on the destination computer. -Use this element if you want to exclude all .mp3 files from the source computer. Or, if you are backing up C:\\UserData using another method, you can exclude the entire folder from the migration. Use this element with caution, however, because if an application needs a file that you exclude, the application may not function properly on the destination computer. +- **Number of occurrences:** Unlimited. -- **Number of occurrences:** Unlimited. +- **Parent elements:** [<rules>](#rules) -- **Parent elements:**[<rules>](#rules) - -- **Child elements:**[<objectSet>](#objectset) +- **Child elements:** [<objectSet>](#objectset) Syntax: @@ -2220,7 +2186,7 @@ Syntax: ``` -The following .xml file excludes all .mp3 files from migration. For additional examples of how to use this element, see the [Exclude Files and Settings](usmt-exclude-files-and-settings.md). +The following .xml file excludes all `.mp3` files from migration. For additional examples of how to use this element, see the [Exclude Files and Settings](usmt-exclude-files-and-settings.md). ```xml @@ -2239,22 +2205,21 @@ The following .xml file excludes all .mp3 files from migration. For additional e ``` -## <variable> +## <variable> +The **<variable>** element is required in an **<environment>** element. For each **<variable>** element there must be one **<objectSet>**, **<script>**, or **<text>** element. The content of the **<variable>** element assigns a text value to the environment variable. This element has the following three options: -The <variable> element is required in an <environment> element. For each <variable> element there must be one <objectSet>, <script>, or <text> element. The content of the <variable> element assigns a text value to the environment variable. This element has the following three options: +1. If the **<variable>** element contains a **<text>** element, then the value of the variable element will be the value of the **<text>** element. -1. If the <variable> element contains a <text> element, then the value of the variable element will be the value of the <text> element. +2. If the **<variable>** element contains a **<script>** element and the invocation of the script produces a non-null string, then the value of the **<variable>** element will be the result of the script invocation. -2. If the <variable> element contains a <script> element and the invocation of the script produces a non-null string, then the value of the <variable> element will be the result of the script invocation. +3. If the **<variable>** element contains an **<objectSet>** element and the evaluation of the **<objectSet>** element produces at least one object pattern, then the value of the first object to match the resulting object pattern will be the value of the variable element. -3. If the <variable> element contains an <objectSet> element and the evaluation of the <objectSet> element produces at least one object pattern, then the value of the first object to match the resulting object pattern will be the value of the variable element. +- **Number of occurrences:** Unlimited -- **Number of occurrences:** Unlimited +- **Parent elements:** [<environment>](#environment) -- **Parent elements:**[<environment>](#bkmk-environment) - -- **Required child elements:** either [<text>](#text), or [<script>](#script), or [<objectSet>](#objectset) +- **Required child elements:** either [<text>](#text), or [<script>](#script), or [<objectSet>](#objectset) Syntax: @@ -2268,7 +2233,7 @@ Syntax: |name|Yes|*ID* is a string value that is the name used to reference the environment variable. We recommend that *ID* start with the component's name to avoid namespace collisions. For example, if your component's name is MyComponent, and you want a variable that is your component's install path, you could specify `MyComponent.InstallPath`.| |remap|No, default = FALSE|Specifies whether to evaluate this environment variable as a remapping environment variable. Objects that are located in a path that is underneath this environment variable's value are automatically moved to where the environment variable points on the destination computer.| -The following example is from the MigApp.xml file: +The following example is from the `MigApp.xml` file: ```xml @@ -2281,16 +2246,15 @@ The following example is from the MigApp.xml file: ``` -## <version> +## <version> +The **<version>** element defines the version for the component, but does not affect the migration. -The <version> element defines the version for the component, but does not affect the migration. +- **Number of occurrences:** zero or one -- **Number of occurrences:** zero or one +- **Parent elements:** [<component>](#component) -- **Parent elements:**[<component>](#component) - -- **Child elements:** none +- **Child elements:** none Syntax: @@ -2308,80 +2272,80 @@ For example: 4.* ``` -## <windowsObjects> +## <windowsObjects> -The <windowsObjects> element is for USMT internal use only. Do not use this element. +The **<windowsObjects>** element is for USMT internal use only. Do not use this element. ## Appendix -### Specifying locations +### Specifying locations -- **Specifying encoded locations**. The encoded location used in all of the helper functions is an unambiguous string representation for the name of an object. It is composed of the node part, optionally followed by the leaf enclosed in square brackets. This makes a clear distinction between nodes and leaves. +- **Specifying encoded locations**. The encoded location used in all of the helper functions is an unambiguous string representation for the name of an object. It is composed of the node part, optionally followed by the leaf enclosed in square brackets. This makes a clear distinction between nodes and leaves. - For example, specify the file C:\\Windows\\Notepad.exe like this: `c:\Windows[Notepad.exe]`. Similarly, specify the directory C:\\Windows\\System32 like this: `c:\Windows\System32`. (Notice the absence of the \[\] construct.) + For example, specify the file `C:\Windows\Notepad.exe` like this: `c:\Windows[Notepad.exe]`. Similarly, specify the directory `C:\Windows\System32` like this: `c:\Windows\System32`. (Notice the absence of the `[]` construct.) - Representing the registry is very similar. The default value of a registry key is represented as an empty \[\] construct. For example, the default value for the HKLM\\SOFTWARE\\MyKey registry key will be `HKLM\SOFTWARE\MyKey[]`. + Representing the registry is very similar. The default value of a registry key is represented as an empty `[]` construct. For example, the default value for the `HKLM\SOFTWARE\MyKey` registry key will be `HKLM\SOFTWARE\MyKey[]`. -- **Specifying location patterns**. You specify a location pattern in a way that is similar to how you specify an actual location. The exception is that both the node and leaf part accept patterns. However, a pattern from the node does not extend to the leaf. +- **Specifying location patterns**. You specify a location pattern in a way that is similar to how you specify an actual location. The exception is that both the node and leaf part accept patterns. However, a pattern from the node does not extend to the leaf. - For example, the pattern `c:\Windows\*` will match the Windows directory and all subdirectories. But it will not match any of the files in those directories. To match the files as well, you must specify `c:\Windows\*[*]`. + For example, the pattern `c:\Windows\*` will match the Windows directory and all subdirectories, but it will not match any of the files in those directories. To match the files as well, you must specify `c:\Windows\*[*]`. -### Internal USMT functions +### Internal USMT functions The following functions are for internal USMT use only. Do not use them in an .xml file. -- AntiAlias +- *AntiAlias* -- ConvertScreenSaver +- *ConvertScreenSaver* -- ConvertShowIEOnDesktop +- *ConvertShowIEOnDesktop* -- ConvertToOfficeLangID +- *ConvertToOfficeLangID* -- MigrateActiveDesktop +- *MigrateActiveDesktop* -- MigrateAppearanceUPM +- *MigrateAppearanceUPM* -- MigrateDisplayCS +- *MigrateDisplayCS* -- MigrateDisplaySS +- *MigrateDisplaySS* -- MigrateIEAutoSearch +- *MigrateIEAutoSearch* -- MigrateMouseUPM +- *MigrateMouseUPM* -- MigrateSoundSysTray +- *MigrateSoundSysTray* -- MigrateTaskBarSS +- *MigrateTaskBarSS* -- SetPstPathInMapiStruc +- *SetPstPathInMapiStruc* -### Valid version tags +### Valid version tags You can use the following version tags with various helper functions: -- "CompanyName" +- "CompanyName" -- "FileDescription" +- "FileDescription" -- "FileVersion" +- "FileVersion" -- "InternalName" +- "InternalName" -- "LegalCopyright" +- "LegalCopyright" -- "OriginalFilename" +- "OriginalFilename" -- "ProductName" +- "ProductName" -- "ProductVersion" +- "ProductVersion" The following version tags contain values that can be compared: -- "FileVersion" +- "FileVersion" -- "ProductVersion" +- "ProductVersion" -## Related topics +## Related articles -[USMT XML Reference](usmt-xml-reference.md) +[USMT XML reference](usmt-xml-reference.md) diff --git a/windows/deployment/usmt/usmt-xml-reference.md b/windows/deployment/usmt/usmt-xml-reference.md index aed31c7e9a..af25e49152 100644 --- a/windows/deployment/usmt/usmt-xml-reference.md +++ b/windows/deployment/usmt/usmt-xml-reference.md @@ -2,29 +2,29 @@ title: USMT XML Reference (Windows 10) description: Learn about working with and customizing the migration XML files using User State Migration Tool (USMT) XML Reference for Windows 10. ms.reviewer: -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski -ms.date: 04/19/2017 +author: frankroj +ms.date: 11/01/2022 ms.topic: article ms.technology: itpro-deploy --- -# USMT XML Reference +# USMT XML reference -This section contains topics that you can use to work with and to customize the migration XML files. +This section contains articles that you can use to work with and to customize the migration XML files. -## In This Section +## In this section | Link | Description | |--- |--- | -|[Understanding Migration XML Files](understanding-migration-xml-files.md)|Provides an overview of the default and custom migration XML files and includes guidelines for creating and editing a customized version of the MigDocs.xml file.| -|[Config.xml File](usmt-configxml-file.md)|Describes the Config.xml file and policies concerning its configuration.| -|[Customize USMT XML Files](usmt-customize-xml-files.md)|Describes how to customize USMT XML files.| -|[Custom XML Examples](usmt-custom-xml-examples.md)|Gives examples of XML files for various migration scenarios.| -|[Conflicts and Precedence](usmt-conflicts-and-precedence.md)|Describes the precedence of migration rules and how conflicts are handled.| -|[General Conventions](usmt-general-conventions.md)|Describes the XML helper functions.| -|[XML File Requirements](xml-file-requirements.md)|Describes the requirements for custom XML files.| -|[Recognized Environment Variables](usmt-recognized-environment-variables.md)|Describes environment variables recognized by USMT.| -|[XML Elements Library](usmt-xml-elements-library.md)|Describes the XML elements and helper functions for authoring migration XML files to use with USMT.| +|[Understanding migration XML files](understanding-migration-xml-files.md)|Provides an overview of the default and custom migration XML files and includes guidelines for creating and editing a customized version of the MigDocs.xml file.| +|[Config.xml file](usmt-configxml-file.md)|Describes the `Config.xml` file and policies concerning its configuration.| +|[Customize USMT XML files](usmt-customize-xml-files.md)|Describes how to customize USMT XML files.| +|[Custom XML examples](usmt-custom-xml-examples.md)|Gives examples of XML files for various migration scenarios.| +|[Conflicts and precedence](usmt-conflicts-and-precedence.md)|Describes the precedence of migration rules and how conflicts are handled.| +|[General conventions](usmt-general-conventions.md)|Describes the XML helper functions.| +|[XML file requirements](xml-file-requirements.md)|Describes the requirements for custom XML files.| +|[Recognized environment variables](usmt-recognized-environment-variables.md)|Describes environment variables recognized by USMT.| +|[XML elements library](usmt-xml-elements-library.md)|Describes the XML elements and helper functions for authoring migration XML files to use with USMT.| diff --git a/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md b/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md index cac669786b..60856e7a7e 100644 --- a/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md +++ b/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md @@ -1,126 +1,104 @@ --- title: Verify the Condition of a Compressed Migration Store (Windows 10) -description: Use these tips and tricks to verify the condition of a compressed migration store when using User State Migration Tool (USMT). +description: Use these tips and tricks to verify the condition of a compressed migration store when using User State Migration Tool (USMT). ms.reviewer: -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski -ms.date: 04/19/2017 +author: frankroj +ms.date: 11/01/2022 ms.topic: article ms.technology: itpro-deploy --- -# Verify the Condition of a Compressed Migration Store - +# Verify the condition of a compressed migration store When you migrate files and settings during a typical PC-refresh migration, the user state is usually stored in a compressed folder on the intermediate store. This compressed folder, also called the compressed migration store, is a single image file that contains: -- All of the files being migrated. +- All of the files being migrated. -- The user’s settings. +- The user's settings. -- A catalog file that contains metadata for all files in the migration store. +- A catalog file that contains metadata for all files in the migration store. -When you run the **LoadState** command to load the data from these files to the destination computer, LoadState requires a valid catalog file in order to open the migration store. You can run the **UsmtUtils** command with the **/verify** option to determine whether the compressed migration store is intact, or whether it contains corrupted files or a corrupted catalog. You should run the **/verify** option on the migration store before you overwrite the original user-state files and settings. +When you run the `LoadState.exe` command to load the data from these files to the destination computer, **LoadState** requires a valid catalog file in order to open the migration store. You can run the `UsmtUtils.exe` command with the `/verify` option to determine whether the compressed migration store is intact, or whether it contains corrupted files or a corrupted catalog. You should run the `/verify` option on the migration store before you overwrite the original user-state files and settings. -When you use the **/verify** option, you can specify what type of information to report in the UsmtUtils log file. These report types are: +When you use the `/verify` option, you can specify what type of information to report in the **UsmtUtils** log file. These report types are: -- **Catalog**: Displays the status of only the catalog file. +- **Catalog**: Displays the status of only the catalog file. -- **All**: Displays the status of all files, including the catalog file. +- **All**: Displays the status of all files, including the catalog file. -- **Failure only**: Displays only the files that are corrupted. +- **Failure only**: Displays only the files that are corrupted. -## In This Topic +The following sections demonstrate how to run the `UsmtUtils.exe` command with the `/verify` option, and how to specify the information to display in the **UsmtUtils** log file. - -The following sections demonstrate how to run the **UsmtUtils** command with the **/verify** option, and how to specify the information to display in the UsmtUtils log file. - -- [The UsmtUtils syntax for the /verify option](#bkmk-verifysyntax) - -- [To verify that the migration store is intact](#bkmk-verifyintactstore) - -- [To verify the status of only the catalog file](#bkmk-verifycatalog) - -- [To verify the status of all files](#bkmk-verifyallfiles) - -- [To verify the status of the files and return only the corrupted files](#bkmk-returncorrupted) - -### The UsmtUtils Syntax for the /verify Option +## The UsmtUtils syntax for the /verify option To verify the condition of a compressed migration store, use the following UsmtUtils syntax: -cd /d<USMTpath>usmtutils /verify\[:<reportType>\] <filePath> \[/l:<logfile>\] \[/decrypt \[:<AlgID>\] {/key:<keystring> | /keyfile:<filename>}\] +> UsmtUtils.exe /verify\[:<*reportType*>\] <*filePath*> \[/l:<*logfile*>\] \[/decrypt \[:<*AlgID*>\] {/key:<*keystring*> | /keyfile:<*filename*>}\] Where the placeholders have the following values: -- *<USMTpath>* is the location where you have saved the USMT files and tools. +- *<USMTpath>* is the location where you've saved the USMT files and tools. -- *<reportType>* specifies whether to report on all files, corrupted files only, or the status of the catalog. +- *<reportType>* specifies whether to report on all files, corrupted files only, or the status of the catalog. -- *<filePath>* is the location of the compressed migration store. +- *<filePath>* is the location of the compressed migration store. -- *<logfile>* is the location and name of the log file. +- *<logfile>* is the location and name of the log file. -- *<AlgID>* is the cryptographic algorithm that was used to create the migration store on the **ScanState** command line. +- *<AlgID>* is the cryptographic algorithm that was used to create the migration store on the `ScanState.exe` command line. -- *<keystring>* is the encryption key that was used to encrypt the migration store. +- *<keystring>* is the encryption key that was used to encrypt the migration store. -- *<filename>* is the location and name of the text file that contains the encryption key. +- *<filename>* is the location and name of the text file that contains the encryption key. -### To Verify that the Migration Store is Intact +## To verify that the migration store is intact -To verify whether the migration store is intact or whether it contains corrupted files or a corrupted catalog, type: +To verify whether the migration store is intact or whether it contains corrupted files or a corrupted catalog, enter: -``` syntax -usmtutils /verify D:\MyMigrationStore\store.mig +```cmd +UsmtUtils.exe /verify D:\MyMigrationStore\store.mig ``` -Because no report type is specified, UsmtUtils displays the default summary report. +Because no report type is specified, **UsmtUtils** displays the default summary report. -### To Verify the Status of Only the Catalog File +## To verify the status of only the catalog file -To verify whether the catalog file is corrupted or intact, type: +To verify whether the catalog file is corrupted or intact, enter: -``` syntax -usmtutils /verify:catalog D:\MyMigrationStore\store.mig +```cmd +UsmtUtils.exe /verify:catalog D:\MyMigrationStore\store.mig ``` -### To Verify the Status of all Files +## To verify the status of all files -To verify whether there are any corrupted files in the compressed migration store, and to specify the name and location of the log file, type: +To verify whether there are any corrupted files in the compressed migration store, and to specify the name and location of the log file, enter: -`usmtutils /verify:all D:\MyMigrationStore\store.mig /decrypt /l:D:\UsmtUtilsLog.txt` +```cmd +UsmtUtils.exe /verify:all D:\MyMigrationStore\store.mig /decrypt /l:D:\UsmtUtilsLog.txt` +``` -In addition to verifying the status of all files, this example decrypts the files. Because no encryption algorithm is specified, UsmtUtils uses the default 3DES cryptographic algorithm. +In addition to verifying the status of all files, this example decrypts the files. Because no encryption algorithm is specified, **UsmtUtils** uses the default 3DES cryptographic algorithm. -### To Verify the Status of the Files and Return Only the Corrupted Files +## To verify the status of the files and return only the corrupted files -In this example, the log file will only list the files that became corrupted during the ScanState process. This list will include the catalog file if it is also corrupted. +In this example, the log file will only list the files that became corrupted during the **ScanState** process. This list will include the catalog file if it's also corrupted. -``` syntax -usmtutils /verify:failureonly D:\MyMigrationStore\USMT\store.mig /decrypt:AES_192 /keyfile:D:\encryptionKey.txt +```cmd +UsmtUtils.exe /verify:failureonly D:\MyMigrationStore\USMT\store.mig /decrypt:AES_192 /keyfile:D:\encryptionKey.txt ``` This example also decrypts the files by specifying the cryptographic algorithm and the location of the file that contains the encryption key. -### Next Steps - -If the **/verify** option indicates that there are corrupted files in the migration store, you can use the **/extract** option in the UsmtUtils tool to recover data from some corrupted stores. For more information, see [Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md). - -## Related topics - - -[UsmtUtils Syntax](usmt-utilities.md) - -[Return Codes](usmt-return-codes.md) - -  - -  - +## Next steps +If the `/verify` option indicates that there are corrupted files in the migration store, you can use the `/extract` option in the **UsmtUtils** tool to recover data from some corrupted stores. For more information, see [Extract files from a compressed USMT migration store](usmt-extract-files-from-a-compressed-migration-store.md). +## Related articles +[UsmtUtils syntax](usmt-utilities.md) +[Return codes](/troubleshoot/windows-client/deployment/usmt-return-codes) diff --git a/windows/deployment/usmt/xml-file-requirements.md b/windows/deployment/usmt/xml-file-requirements.md index b080e87c2b..156809cb6d 100644 --- a/windows/deployment/usmt/xml-file-requirements.md +++ b/windows/deployment/usmt/xml-file-requirements.md @@ -2,46 +2,36 @@ title: XML File Requirements (Windows 10) description: Learn about the XML file requirements for creating custom .xml files, like the file must be in UTF-8 and have a unique migration URL ID. ms.reviewer: -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski -ms.date: 04/19/2017 +author: frankroj +ms.date: 11/01/2022 ms.topic: article ms.technology: itpro-deploy --- -# XML File Requirements - +# XML file requirements When creating custom .xml files, note the following requirements: -- **The file must be in Unicode Transformation Format-8 (UTF-8).** Save the file in this format, and you must specify the following syntax at the beginning of each .xml file: +- **The file must be in Unicode Transformation Format-8 (UTF-8).** Save the file in this format, and you must specify the following syntax at the beginning of each .xml file: - ``` xml + ```xml ``` -- **The file must have a unique migration URL ID**. The URL ID of each file that you specify on the command line must be different. If two migration .xml files have the same URL ID, the second .xml file that is specified on the command line will not be processed. This is because USMT uses the URL ID to define the components within the file. For example, you must specify the following syntax at the beginning of each file: +- **The file must have a unique migration URL ID**. The URL ID of each file that you specify on the command line must be different. If two migration .xml files have the same URL ID, the second .xml file that is specified on the command line won't be processed. The second file won't be processed because USMT uses the URL ID to define the components within the file. For example, you must specify the following syntax at the beginning of each file: - ``` xml + ```xml ``` -- **Each component in the file must have a display name in order for it to appear in the Config.xml file.** This condition is because the Config.xml file defines the components by the display name and the migration URL ID. For example, specify the following syntax: +- **Each component in the file must have a display name in order for it to appear in the Config.xml file.** This condition is because the `Config.xml` file defines the components by the display name and the migration URL ID. For example, specify the following syntax: - ``` xml + ```xml My Application ``` -For examples of custom .xml files, see [Custom XML Examples](usmt-custom-xml-examples.md). - -  - -  - - - - - +For examples of custom .xml files, see [Custom XML examples](usmt-custom-xml-examples.md). diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md index 1316467395..cc4d7b7b90 100644 --- a/windows/deployment/vda-subscription-activation.md +++ b/windows/deployment/vda-subscription-activation.md @@ -10,13 +10,12 @@ ms.prod: windows-client ms.technology: itpro-fundamentals ms.localizationpriority: medium ms.topic: how-to -ms.collection: M365-modern-desktop -ms.date: 10/31/2022 +ms.date: 11/23/2022 --- # Configure VDA for Windows subscription activation -Applies to: +*Applies to:* - Windows 10 - Windows 11 @@ -61,42 +60,55 @@ For examples of activation issues, see [Troubleshoot the user experience](./depl ## Active Directory-joined VMs 1. Use the following instructions to prepare the VM for Azure: [Prepare a Windows VHD or VHDX to upload to Azure](/azure/virtual-machines/windows/prepare-for-upload-vhd-image) -2. (Optional) To disable network level authentication, type the following command at an elevated command prompt: + +2. (Optional) To disable network level authentication, enter the following command at an elevated command prompt: ```cmd - REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f + REG.exe ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f ``` -3. At an elevated command prompt, type **sysdm.cpl** and press ENTER. +3. At an elevated command prompt, enter **sysdm.cpl**. + 4. On the Remote tab, choose **Allow remote connections to this computer** and then select **Select Users**. -5. Select **Add**, type **Authenticated users**, and then select **OK** three times. + +5. Select **Add**, enter **Authenticated users**, and then select **OK** three times. + 6. Follow the instructions to use sysprep at [Steps to generalize a VHD](/azure/virtual-machines/windows/prepare-for-upload-vhd-image#generalize-a-vhd) and then start the VM again. + 7. If you must activate Windows Pro as described for [scenario 3](#scenario-3), complete the following steps to use Windows Configuration Designer and inject an activation key. Otherwise, skip to step 8. 1. [Install Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd). - 1. Open Windows Configuration Designer and select **Provision desktop services**. - 1. Under **Name**, type **Desktop AD Enrollment Pro GVLK**, select **Finish**, and then on the **Set up device** page enter a device name. + + 2. Open Windows Configuration Designer and select **Provision desktop services**. + + 3. Under **Name**, enter **Desktop AD Enrollment Pro GVLK**, select **Finish**, and then on the **Set up device** page enter a device name. > [!NOTE] > You can use a different project name, but this name is also used with dism.exe in a later step. - 1. Under **Enter product key** type the Pro GVLK key: `W269N-WFGWX-YVC9B-4J6C9-T83GX`. - 1. On the Set up network page, choose **Off**. - 1. On the Account Management page, choose **Enroll into Active Directory** and then enter the account details. + 4. Under **Enter product key** enter the Pro GVLK key: `W269N-WFGWX-YVC9B-4J6C9-T83GX`. + + 5. On the Set up network page, choose **Off**. + + 6. On the Account Management page, choose **Enroll into Active Directory** and then enter the account details. > [!NOTE] > This step is different for [Azure AD-joined VMs](#azure-active-directory-joined-vms). - 1. On the Add applications page, add applications if desired. This step is optional. - 1. On the Add certificates page, add certificates if desired. This step is optional. - 1. On the Finish page, select **Create**. - 1. In file explorer, open the VHD to mount the disk image. Determine the drive letter of the mounted image. - 1. Type the following command at an elevated command prompt. Replace the letter `G` with the drive letter of the mounted image, and enter the project name you used if it's different than the one suggested: + 7. On the Add applications page, add applications if desired. This step is optional. + + 8. On the Add certificates page, add certificates if desired. This step is optional. + + 9. On the Finish page, select **Create**. + + 10. In file explorer, open the VHD to mount the disk image. Determine the drive letter of the mounted image. + + 11. Enter the following command at an elevated command prompt. Replace the letter `G` with the drive letter of the mounted image, and enter the project name you used if it's different than the one suggested: ```cmd Dism.exe /Image=G:\ /Add-ProvisioningPackage /PackagePath: "Desktop AD Enrollment Pro GVLK.ppkg" ``` - 1. Right-click the mounted image in file explorer and select **Eject**. + 12. Right-click the mounted image in file explorer and select **Eject**. 8. See the instructions at [Upload and create VM from generalized VHD](/azure/virtual-machines/windows/upload-generalized-managed#upload-the-vhd) to sign in to Azure, get your storage account details, upload the VHD, and create a managed image. @@ -107,33 +119,50 @@ For examples of activation issues, see [Troubleshoot the user experience](./depl For Azure AD-joined VMs, follow the same instructions as for [Active Directory-joined VMs](#active-directory-joined-vms) with the following exceptions: -- During setup with Windows Configuration Designer, under **Name**, type a name for the project that indicates it isn't for Active Directory-joined VMs, such as **Desktop Bulk Enrollment Token Pro GVLK**. +- During setup with Windows Configuration Designer, under **Name**, enter a name for the project that indicates it isn't for Active Directory-joined VMs, such as **Desktop Bulk Enrollment Token Pro GVLK**. + - During setup with Windows Configuration Designer, on the Account Management page, instead of enrolling in Active Directory, choose **Enroll in Azure AD**, select **Get Bulk Token**, sign in, and add the bulk token using your organization's credentials. + - When entering the PackagePath, use the project name you previously entered. For example, **Desktop Bulk Enrollment Token Pro GVLK.ppkg** + - When attempting to access the VM using remote desktop, you'll need to create a custom RDP settings file as described below in [Create custom RDP settings for Azure](#create-custom-rdp-settings-for-azure). ## Azure Gallery VMs -1. (Optional) To disable network level authentication, type the following command at an elevated command prompt: +1. (Optional) To disable network level authentication, enter the following command at an elevated command prompt: ```cmd - REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f + REG.exe ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f ``` -2. At an elevated command prompt, type `sysdm.cpl` and press ENTER. +2. At an elevated command prompt, enter `sysdm.cpl`. + 3. On the Remote tab, choose **Allow remote connections to this computer** and then select **Select Users**. -4. Select **Add**, type **Authenticated users**, and then select **OK** three times. + +4. Select **Add**, enter **Authenticated users**, and then select **OK** three times. + 5. [Install Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd). + 6. Open Windows Configuration Designer and select **Provision desktop services**. + 7. If you must activate Windows Pro as described for [scenario 3](#scenario-3), complete the following steps. Otherwise, skip to step 8. - 1. Under **Name**, type **Desktop Bulk Enrollment Token Pro GVLK**, select **Finish**, and then on the **Set up device** page enter a device name. - 2. Under **Enter product key** type the Pro GVLK key: `W269N-WFGWX-YVC9B-4J6C9-T83GX`. -8. Under **Name**, type **Desktop Bulk Enrollment**, select **Finish**, and then on the **Set up device** page enter a device name. + + 1. Under **Name**, enter **Desktop Bulk Enrollment Token Pro GVLK**, select **Finish**, and then on the **Set up device** page enter a device name. + + 2. Under **Enter product key** enter the Pro GVLK key: `W269N-WFGWX-YVC9B-4J6C9-T83GX`. + +8. Under **Name**, enter **Desktop Bulk Enrollment**, select **Finish**, and then on the **Set up device** page enter a device name. + 9. On the Set up network page, choose **Off**. + 10. On the Account Management page, choose **Enroll in Azure AD**, select **Get Bulk Token**, sign in, and add the bulk token using your organizations credentials. + 11. On the Add applications page, add applications if desired. This step is optional. + 12. On the Add certificates page, add certificates if desired. This step is optional. + 13. On the Finish page, select **Create**. + 14. Copy the PPKG file to the remote virtual machine. Open the provisioning package to install it. This process will restart the system. > [!NOTE] @@ -142,9 +171,13 @@ For Azure AD-joined VMs, follow the same instructions as for [Active Directory-j ## Create custom RDP settings for Azure 1. Open Remote Desktop Connection and enter the IP address or DNS name for the remote host. + 2. Select **Show Options**, and then under Connection settings select **Save As**. Save the RDP file to the location where you'll use it. + 3. Close the Remote Desktop Connection window and open Notepad. + 4. Open the RDP file in Notepad to edit it. + 5. Enter or replace the line that specifies authentication level with the following two lines of text: ```text @@ -162,4 +195,4 @@ For Azure AD-joined VMs, follow the same instructions as for [Active Directory-j [Recommended settings for VDI desktops](/windows-server/remote/remote-desktop-services/rds-vdi-recommendations) -[Whitepaper on licensing the Windows desktop for VDI environments](https://download.microsoft.com/download/9/8/d/98d6a56c-4d79-40f4-8462-da3ecba2dc2c/licensing_windows_desktop_os_for_virtual_machines.pdf) \ No newline at end of file +[Whitepaper on licensing the Windows desktop for VDI environments](https://download.microsoft.com/download/9/8/d/98d6a56c-4d79-40f4-8462-da3ecba2dc2c/licensing_windows_desktop_os_for_virtual_machines.pdf) diff --git a/windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md b/windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md index 5b7165a017..b00e515b54 100644 --- a/windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md +++ b/windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md @@ -2,18 +2,19 @@ title: Activate by Proxy an Active Directory Forest (Windows 10) description: Learn how to use the Volume Activation Management Tool (VAMT) Active Directory-Based Activation (ADBA) function to activate by proxy an Active Directory (AD) forest. ms.reviewer: -manager: dougeby -ms.author: aaroncz + - nganguly +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski -ms.date: 04/25/2017 +author: frankroj +ms.date: 11/07/2022 ms.topic: article ms.technology: itpro-fundamentals --- # Activate by Proxy an Active Directory Forest -You can use the Volume Activation Management Tool (VAMT) Active Directory-Based Activation (ADBA) function to activate by proxy an Active Directory (AD) forest for an isolated workgroup that does not have Internet access. ADBA enables certain volume products to inherit activation from the domain. +You can use the Volume Activation Management Tool (VAMT) Active Directory-Based Activation (ADBA) function to activate by proxy an Active Directory (AD) forest for an isolated workgroup that doesn't have Internet access. ADBA enables certain volume products to inherit activation from the domain. > [!IMPORTANT] > ADBA is only applicable to *Generic Volume License Keys (GVLKs)* and *KMS Host key (CSVLK)*. To use ADBA, one or more KMS Host keys (CSVLK) must be installed on the AD forest, and client keys (GVLKs) must be installed on the client products. @@ -26,28 +27,42 @@ In a typical proxy-activation scenario, the VAMT host computer distributes a pro ## Requirements Before performing proxy activation, ensure that the network and the VAMT installation meet the following requirements: -- There is an instance of VAMT that is installed on a computer that has Internet access. If you are performing proxy activation for an isolated workgroup, you must also have VAMT installed on one of the computers in the workgroup. + +- There's an instance of VAMT that is installed on a computer that has Internet access. If you're performing proxy activation for an isolated workgroup, you must also have VAMT installed on one of the computers in the workgroup. - VAMT has administrative permissions to the Active Directory domain. -**To perform an Active Directory forest proxy activation** +### To perform an Active Directory forest proxy activation -1. Open VAMT. -2. In the left-side pane, click the **Active Directory-Based Activation** node. -3. In the right-side **Actions** pane, click **Proxy activate forest** to open the **Install Product Key** dialog box. -4. In the **Install Product Key** dialog box, select the KMS Host key (CSVLK) that you want to activate. -5. If you want to rename the ADBA object, enter a new Active Directory-Based Activation Object name. If you want to rename the ADBA object, you must do it now. After you click **Install Key**, the name cannot be changed. -6. Enter the name of the file where you want to save the offline installation ID, or browse to the file location and then click **Open**. If you are activating an AD forest in an isolated workgroup, save the .cilx file to a removable media device. -7. Click **Install Key**. VAMT displays the **Activating Active Directory** dialog box until it completes the requested action. The activated object and the date that it was created appear in the **Active Directory-Based Activation** node in the center pane. -9. Insert the removable media into the VAMT host that has Internet access. Make sure that you are on the root node, and that the **Volume Activation Management Tool** view is displayed in the center pane. -10. In the right-side **Actions** pane, click **Acquire confirmation IDs for CILX** to open the **Acquire confirmation IDs for file** dialog box. -11. In the **Acquire confirmation IDs for file** dialog box, browse to where the .cilx file you exported from the isolated workgroup host computer is located. Select the file, and then click **Open**. VAMT displays an **Acquiring Confirmation IDs** message while it contacts Microsoft and acquires the CIDs. -12. When the CID collection process is complete, VAMT displays a **Volume Activation Management Tool** message that shows how many confirmation IDs were successfully acquired, and the name of the file to which the IDs were saved. Click **OK** to close the message. -13. Remove the storage device that contains the .cilx file from the Internet-connected VAMT host computer and insert it into the VAMT host computer in the isolated workgroup. -14. Open VAMT and then click the **Active Directory-Based Activation** node in the left-side pane. -15. In the right-side **Actions** pane, click **Apply confirmation ID to Active Directory domain**, browse to the .cilx file and then click **Open**. +1. Open VAMT. + +2. In the left-side pane, select the **Active Directory-Based Activation** node. + +3. In the right-side **Actions** pane, select **Proxy activate forest** to open the **Install Product Key** dialog box. + +4. In the **Install Product Key** dialog box, select the KMS Host key (CSVLK) that you want to activate. + +5. If you want to rename the ADBA object, enter a new Active Directory-Based Activation Object name. If you want to rename the ADBA object, you must do it now. After you select **Install Key**, the name can't be changed. + +6. Enter the name of the file where you want to save the offline installation ID, or browse to the file location and then select **Open**. If you're activating an AD forest in an isolated workgroup, save the `.cilx` file to a removable media device. + +7. Select **Install Key**. VAMT displays the **Activating Active Directory** dialog box until it completes the requested action. The activated object and the date that it was created appear in the **Active Directory-Based Activation** node in the center pane. + +8. Insert the removable media into the VAMT host that has Internet access. Make sure that you are on the root node, and that the **Volume Activation Management Tool** view is displayed in the center pane. + +9. In the right-side **Actions** pane, select **Acquire confirmation IDs for CILX** to open the **Acquire confirmation IDs for file** dialog box. + +10. In the **Acquire confirmation IDs for file** dialog box, browse to where the `.cilx` file you exported from the isolated workgroup host computer is located. Select the file, and then select **Open**. VAMT displays an **Acquiring Confirmation IDs** message while it contacts Microsoft and acquires the CIDs. + +11. When the CID collection process is complete, VAMT displays a **Volume Activation Management Tool** message that shows how many confirmation IDs were successfully acquired, and the name of the file to which the IDs were saved. Select **OK** to close the message. + +12. Remove the storage device that contains the `.cilx` file from the Internet-connected VAMT host computer and insert it into the VAMT host computer in the isolated workgroup. + +13. Open VAMT and then select the **Active Directory-Based Activation** node in the left-side pane. + +14. In the right-side **Actions** pane, select **Apply confirmation ID to Active Directory domain**, browse to the `.cilx` file and then select **Open**. VAMT displays the **Activating Active Directory** dialog box until it completes the requested action. The activated object and the date that it was created appear in the **Active Directory-Based Activation** node in the center pane. -## Related topics +## Related articles - [Add and Remove Computers](add-remove-computers-vamt.md) diff --git a/windows/deployment/volume-activation/activate-forest-vamt.md b/windows/deployment/volume-activation/activate-forest-vamt.md index c390b22fe3..dc8833d2f8 100644 --- a/windows/deployment/volume-activation/activate-forest-vamt.md +++ b/windows/deployment/volume-activation/activate-forest-vamt.md @@ -2,11 +2,12 @@ title: Activate an Active Directory Forest Online (Windows 10) description: Use the Volume Activation Management Tool (VAMT) Active Directory-Based Activation (ADBA) function to activate an Active Directory (AD) forest online. ms.reviewer: -manager: dougeby -ms.author: aaroncz + - nganguly +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski -ms.date: 04/25/2017 +author: frankroj +ms.date: 11/07/2022 ms.topic: article ms.technology: itpro-fundamentals --- @@ -15,33 +16,41 @@ ms.technology: itpro-fundamentals You can use the Volume Activation Management Tool (VAMT) Active Directory-Based Activation (ADBA) function to activate an Active Directory (AD) forest over the Internet. ADBA enables certain products to inherit activation from the domain. -**Important**   -ADBA is only applicable to Generic Volume License Keys (GVLKs) and KMS Host keys (CSVLKs). To use ADBA, one or more KMS Host keys (CSVLKs) must be installed on the AD forest, and client keys (GVLKs) must be installed on the client products. +> [!IMPORTANT] +> ADBA is only applicable to Generic Volume License Keys (GVLKs) and KMS Host keys (CSVLKs). To use ADBA, one or more KMS Host keys (CSVLKs) must be installed on the AD forest, and client keys (GVLKs) must be installed on the client products. ## Requirements Before performing online activation, ensure that the network and the VAMT installation meet the following requirements: -- VAMT is installed on a host computer that has Internet access. -- VAMT has administrative permissions to the Active Directory domain. -- The KMS Host key (CSVLK) you intend to use is added to VAMT in the **Product Keys** node. -**To perform an online Active Directory forest activation** +- VAMT is installed on a host computer that has Internet access. -1. Open VAMT. -2. In the left-side pane, click the **Active Directory-Based Activation** node. -3. In the right-side **Actions** pane, click **Online activate forest** to open the **Install Product Key** dialog box. -4. In the **Install Product Key** dialog box, select the KMS Host key (CSVLK) that you want to apply to the AD forest. -5. If required, enter a new Active Directory-Based Activation Object name +- VAMT has administrative permissions to the Active Directory domain. - **Important**   - If you want to rename the ADBA object, you must do it now. After you click **Install Key**, the name cannot be changed. +- The KMS Host key (CSVLK) you intend to use is added to VAMT in the **Product Keys** node. -6. Click **Install Key**. -7. VAMT displays the **Activating Active Directory** dialog box until it completes the requested action. +### To perform an online Active Directory forest activation -The activated object and the date that is was created appear in the **Active Directory-Based Activation** node in the center pane. +1. Open VAMT. -## Related topics +2. In the left-side pane, select the **Active Directory-Based Activation** node. + +3. In the right-side **Actions** pane, select **Online activate forest** to open the **Install Product Key** dialog box. + +4. In the **Install Product Key** dialog box, select the KMS Host key (CSVLK) that you want to apply to the AD forest. + +5. If necessary, enter a new Active Directory-Based Activation Object name. + + > [!IMPORTANT] + > If you want to rename the ADBA object, you must do it now. After you click **Install Key**, the name cannot be changed. + +6. Select **Install Key**. + +7. VAMT displays the **Activating Active Directory** dialog box until it completes the requested action. + +The activated object and the date that it was created appear in the **Active Directory-Based Activation** node in the center pane. + +## Related articles - [Scenario 1: Online Activation](scenario-online-activation-vamt.md) - [Add and Remove Computers](add-remove-computers-vamt.md) diff --git a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md index 2c413491c3..73f32edf78 100644 --- a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md +++ b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md @@ -1,20 +1,22 @@ --- title: Activate using Active Directory-based activation description: Learn how active directory-based activation is implemented as a role service that relies on AD DS to store activation objects. -manager: dougeby -author: aczechowski -ms.author: aaroncz +ms.reviewer: + - nganguly +manager: aaroncz +author: frankroj +ms.author: frankroj ms.prod: windows-client ms.technology: itpro-fundamentals ms.localizationpriority: medium -ms.date: 09/16/2022 +ms.date: 11/07/2022 ms.topic: how-to ms.collection: highpri --- # Activate using Active Directory-based activation -**Applies to supported versions of** +**Applies to:** - Windows - Windows Server @@ -23,18 +25,18 @@ ms.collection: highpri > [!TIP] > Are you looking for information on retail activation? > -> - [Product activation for Windows](https://support.microsoft.com/windows/product-activation-for-windows-online-support-telephone-numbers-35f6a805-1259-88b4-f5e9-b52cccef91a0) -> - [Activate Windows](https://support.microsoft.com/windows/activate-windows-c39005d4-95ee-b91e-b399-2820fda32227) +> - [Activate Windows](https://support.microsoft.com/help/12440/) +> - [Product activation for Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644) -Active Directory-based activation is implemented as a role service that relies on AD DS to store activation objects. Active Directory-based activation requires that you update the forest schema using *adprep.exe* on a supported server OS. After the schema is updated, older domain controllers can still activate clients. +Active Directory-based activation is implemented as a role service that relies on AD DS to store activation objects. Active Directory-based activation requires that you update the forest schema using `adprep.exe` on a supported server OS. After the schema is updated, older domain controllers can still activate clients. Any domain-joined computers running a supported OS with a Generic Volume License Key (GVLK) will be activated automatically and transparently. They'll stay activated as long as they remain members of the domain and maintain periodic contact with a domain controller. Activation takes place after the Licensing service starts. When this service starts, the computer contacts AD DS automatically, receives the activation object, and is activated without user intervention. -To allow computers with GVLKs to activate themselves, use the Volume Activation Tools console or the [Volume Activation Management Tool (VAMT)](volume-activation-management-tool.md) in earlier versions of Windows Server to create an object in the AD DS forest. You create this activation object by submitting a KMS host key to Microsoft, as shown in Figure 10. +To allow computers with GVLKs to activate themselves, use the Volume Activation Tools console, or the [Volume Activation Management Tool (VAMT)](volume-activation-management-tool.md) in earlier versions of Windows Server to create an object in the AD DS forest. You create this activation object by submitting a KMS host key to Microsoft, as shown in Figure 10. The process proceeds as follows: -1. Do _one_ of the following tasks: +1. Do *one* of the following tasks: - Install the Volume Activation Services server role on a domain controller. Then add a KMS host key by using the Volume Activation Tools Wizard. @@ -134,6 +136,6 @@ To verify your Active Directory-based activation configuration, complete the fol > > To manage individual activations or apply multiple (mass) activations, use the [VAMT](./volume-activation-management-tool.md). -## See also +## Related articles [Volume Activation for Windows 10](volume-activation-windows-10.md) diff --git a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md index 6fdacc0acb..c9d04453fb 100644 --- a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md +++ b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md @@ -1,12 +1,14 @@ --- title: Activate using Key Management Service (Windows 10) -manager: dougeby -ms.author: aaroncz -description: How to activate using Key Management Service in Windows 10. +description: Learn how to use Key Management Service (KMS) to activate Windows. +ms.reviewer: + - nganguly +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski +author: frankroj ms.localizationpriority: medium -ms.date: 10/16/2017 +ms.date: 11/07/2022 ms.topic: article ms.collection: highpri ms.technology: itpro-fundamentals @@ -14,7 +16,7 @@ ms.technology: itpro-fundamentals # Activate using Key Management Service -**Applies to** +**Applies to:** - Windows 10 - Windows 8.1 @@ -24,82 +26,91 @@ ms.technology: itpro-fundamentals - Windows Server 2012 - Windows Server 2008 R2 -**Looking for retail activation?** +> [!TIP] +> Are you looking for information on retail activation? +> +> - [Activate Windows](https://support.microsoft.com/help/12440/) +> - [Product activation for Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644) -- [Get Help Activating Microsoft Windows 10](https://support.microsoft.com/help/12440/) -- [Get Help Activating Microsoft Windows 7 or Windows 8.1 ](https://go.microsoft.com/fwlink/p/?LinkId=618644) +There are three possible scenarios for volume activation of Windows 10 or Windows Server 2012 R2 by using a Key Management Service (KMS) host: -There are three possible scenarios for volume activation of Windows 10 or Windows Server 2012 R2 by using a Key Management Service (KMS) host: - -- Host KMS on a computer running Windows 10 -- Host KMS on a computer running Windows Server 2012 R2 +- Host KMS on a computer running Windows 10 +- Host KMS on a computer running Windows Server 2012 R2 - Host KMS on a computer running an earlier version of Windows Check out [Windows 10 Volume Activation Tips](/archive/blogs/askcore/windows-10-volume-activation-tips). -## Key Management Service in Windows 10 +## Key Management Service in Windows 10 + +Installing a KMS host key on a computer running Windows 10 allows you to activate other computers running Windows 10 against this KMS host and earlier versions of the client operating system, such as Windows 8.1 or Windows 7. -Installing a KMS host key on a computer running Windows 10 allows you to activate other computers running Windows 10 against this KMS host and earlier versions of the client operating system, such as Windows 8.1 or Windows 7. Clients locate the KMS server by using resource records in DNS, so some configuration of DNS may be required. This scenario can be beneficial if your organization uses volume activation for clients and MAK-based activation for a smaller number of servers. To enable KMS functionality, a KMS key is installed on a KMS host; then, the host is activated over the Internet or by phone using Microsoft activation services. ### Configure KMS in Windows 10 -To activate, use the slmgr.vbs command. Open an elevated command prompt and run one of the following commands: +To activate, use the `slmgr.vbs` command. Open an elevated command prompt and run one of the following commands: + +- To install the KMS key, run the command `slmgr.vbs /ipk `. + +- To activate online, run the command `slmgr.vbs /ato`. -- To install the KMS key, type `slmgr.vbs /ipk `. -- To activate online, type `slmgr.vbs /ato`. - To activate by telephone, follow these steps: + 1. Run `slmgr.vbs /dti` and confirm the installation ID. + 2. Call [Microsoft Licensing Activation Centers worldwide telephone numbers](https://www.microsoft.com/licensing/existing-customer/activation-centers) and follow the voice prompts to enter the installation ID that you obtained in step 1 on your telephone. + 3. Follow the voice prompts and write down the responded 48-digit confirmation ID for OS activation. + 4. Run `slmgr.vbs /atp \`. -For more information, see the information for Windows 7 in [Deploy KMS Activation](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn502531(v=ws.11)). +For more information, see the information for Windows 7 in [Deploy KMS Activation](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn502531(v=ws.11)). -## Key Management Service in Windows Server 2012 R2 +## Key Management Service in Windows Server 2012 R2 -Installing a KMS host key on a computer running Windows Server allows you to activate computers running Windows Server 2012 R2, Windows Server 2008 R2, Windows Server 2008, Windows 10, Windows 8.1, Windows 7, and Windows Vista. +Installing a KMS host key on a computer running Windows Server allows you to activate computers running Windows Server 2012 R2, Windows Server 2008 R2, Windows Server 2008, Windows 10, Windows 8.1, Windows 7, and Windows Vista. > [!NOTE] > You cannot install a client KMS key into the KMS in Windows Server. -This scenario is commonly used in larger organizations that do not find the overhead of using a server a burden. +This scenario is commonly used in larger organizations that don't find the overhead of using a server a burden. > [!NOTE] -> If you receive error 0xC004F015 when trying to activate Windows 10 Enterprise, see [KB 3086418](/troubleshoot/windows-server/deployment/error-0xc004f015-activate-windows-10). +> If you receive error 0xC004F015 when trying to activate Windows 10 Enterprise, see [Error 0xC004F015 when you activate Windows 10 Enterprise on a Windows Server 2012 R2 KMS host](/troubleshoot/windows-server/deployment/error-0xc004f015-activate-windows-10). -### Configure KMS in Windows Server 2012 R2 +### Configure KMS in Windows Server 2012 R2 1. Sign in to a computer running Windows Server 2012 R2 with an account that has local administrative credentials. + 2. Launch Server Manager. + 3. Add the Volume Activation Services role, as shown in Figure 4. ![Adding the Volume Activation Services role in Server Manager.](../images/volumeactivationforwindows81-04.jpg) **Figure 4**. Adding the Volume Activation Services role in Server Manager -4. When the role installation is complete, click the link to launch the Volume Activation Tools (Figure 5). +4. When the role installation is complete, select the link to launch the Volume Activation Tools (Figure 5). ![Launching the Volume Activation Tools.](../images/volumeactivationforwindows81-05.jpg) **Figure 5**. Launching the Volume Activation Tools -5. Select the **Key Management Service (KMS)** option, and specify the computer that will act as the KMS host (Figure 6). - This can be the same computer on which you installed the role or another computer. For example, it can be a client computer running Windows 10. +5. Select the **Key Management Service (KMS)** option, and specify the computer that will act as the KMS host (Figure 6). This computer can be the same computer on which you installed the role or another computer. For example, it can be a client computer running Windows 10. ![Configuring the computer as a KMS host.](../images/volumeactivationforwindows81-06.jpg) **Figure 6**. Configuring the computer as a KMS host -6. Install your KMS host key by typing it in the text box, and then click **Commit** (Figure 7). +6. Install your KMS host key by typing it in the text box, and then select **Commit** (Figure 7). ![Installing your KMS host key.](../images/volumeactivationforwindows81-07.jpg) **Figure 7**. Installing your KMS host key -7. If asked to confirm replacement of an existing key, click **Yes**. -8. After the product key is installed, you must activate it. Click **Next** (Figure 8). +7. If asked to confirm replacement of an existing key, select **Yes**. +8. After the product key is installed, you must activate it. Select **Next** (Figure 8). ![Activating the software.](../images/volumeactivationforwindows81-08.jpg) @@ -115,26 +126,28 @@ Now that the KMS host is configured, it will begin to listen for activation requ ## Verifying the configuration of Key Management Service -You can verify KMS volume activation from the KMS host server or from the client computer. KMS volume activation requires a minimum threshold of 25 computers before activation requests will be processed. The verification process described here will increment the activation count each time a client computer contacts the KMS host, but unless the activation threshold is reached, the verification will take the form of an error message rather than a confirmation message. +KMS volume activation can be verified from the KMS host server or from the client computer. KMS volume activation requires a minimum threshold of 25 computers before activation requests will be processed. The verification process described here will increment the activation count each time a client computer contacts the KMS host, but unless the activation threshold is reached, the verification will take the form of an error message rather than a confirmation message. > [!NOTE] -> If you configured Active Directory-based activation before configuring KMS activation, you must use a client computer that will not first try to activate itself by using Active Directory-based activation. You could use a workgroup computer that is not joined to a domain or a computer running Windows 7 or Windows Server 2008 R2. +> If you configured Active Directory-based activation before configuring KMS activation, you must use a client computer that will not first try to activate itself by using Active Directory-based activation. You could use a workgroup computer that is not joined to a domain or a computer running Windows 7 or Windows Server 2008 R2. To verify that KMS volume activation works, complete the following steps: 1. On the KMS host, open the event log and confirm that DNS publishing is successful. -2. On a client computer, open a Command Prompt window, type **Slmgr.vbs /ato**, and then press ENTER. - The **/ato** command causes the operating system to attempt activation by using whichever key has been installed in the operating system. The response should show the license state and detailed Windows version information. -3. On a client computer or the KMS host, open an elevated Command Prompt window, type **Slmgr.vbs /dlv**, and then press ENTER. +2. On a client computer, open a Command Prompt window and run the command `Slmgr.vbs /ato`. - The **/dlv** command displays the detailed licensing information. The response should return an error that states that the KMS activation count is too low. This confirms that KMS is functioning correctly, even though the client has not been activated. + The `/ato` command causes the operating system to attempt activation by using whichever key has been installed in the operating system. The response should show the license state and detailed Windows version information. + +3. On a client computer or the KMS host, open an elevated Command Prompt window and run the command `Slmgr.vbs /dlv`. + + The `/dlv` command displays the detailed licensing information. The response should return an error that states that the KMS activation count is too low. This test confirms that KMS is functioning correctly, even though the client hasn't been activated. For more information about the use and syntax of slmgr.vbs, see [Slmgr.vbs Options](/windows-server/get-started/activation-slmgr-vbs-options). ## Key Management Service in earlier versions of Windows -If you have already established a KMS infrastructure in your organization for an earlier version of Windows, you may want to continue using that infrastructure to activate computers running Windows 10 or Windows Server 2012 R2. Your existing KMS host must be running Windows 7 or later. To upgrade your KMS host, complete the following steps: +If you've already established a KMS infrastructure in your organization for an earlier version of Windows, you may want to continue using that infrastructure to activate computers running Windows 10 or Windows Server 2012 R2. Your existing KMS host must be running Windows 7 or later. To upgrade your KMS host, complete the following steps: 1. Download and install the correct update for your current KMS host operating system. Restart the computer as directed. 2. Request a new KMS host key from the Volume Licensing Service Center. @@ -143,6 +156,6 @@ If you have already established a KMS infrastructure in your organization for an For detailed instructions, see [Update that enables Windows 8.1 and Windows 8 KMS hosts to activate a later version of Windows](https://go.microsoft.com/fwlink/p/?LinkId=618265) and [Update that enables Windows 7 and Windows Server 2008 R2 KMS hosts to activate Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=626590). -## See also +## Related articles - [Volume Activation for Windows 10](volume-activation-windows-10.md) diff --git a/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md b/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md index 36d3961a3f..3166add837 100644 --- a/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md +++ b/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md @@ -1,59 +1,70 @@ --- title: Activate clients running Windows 10 (Windows 10) -description: After you have configured Key Management Service (KMS) or Active Directory-based activation on your network, activating a client running Windows 10 is easy. +description: After you have configured Key Management Service (KMS) or Active Directory-based activation on your network, activating a client running Windows 10 is easy. ms.reviewer: -manager: dougeby -ms.author: aaroncz + - nganguly +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski +author: frankroj ms.localizationpriority: medium -ms.date: 07/27/2017 +ms.date: 11/07/2022 ms.topic: article ms.technology: itpro-fundamentals --- # Activate clients running Windows 10 -**Applies to** -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2012 -- Windows Server 2008 R2 +**Applies to:** -**Looking for retail activation?** +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2012 +- Windows Server 2008 R2 -- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644) +> [!TIP] +> Are you looking for information on retail activation? +> +> - [Activate Windows](https://support.microsoft.com/help/12440/) +> - [Product activation for Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644) + +After you have configured Key Management Service (KMS) or Active Directory-based activation on your network, activating a client running Windows 10 is easy. If the computer has been configured with a Generic Volume License Key (GVLK), neither IT nor the user need take any action. It just works. -After you have configured Key Management Service (KMS) or Active Directory-based activation on your network, activating a client running Windows 10 is easy. If the computer has been configured with a Generic Volume License Key (GVLK), neither IT nor the user need take any action. It just works. Enterprise edition images and installation media should already be configured with the GVLK. When the client computer starts, the Licensing service examines the current licensing condition of the computer. -If activation or reactivation is required, the following sequence occurs: -1. If the computer is a member of a domain, it asks a domain controller for a volume activation object. If Active Directory-based activation is configured, the domain controller returns the object. If the object matches the edition of the software that is installed and the computer has a matching GVLK, the computer is activated (or reactivated), and it will not need to be activated again for 180 days, although the operating system will attempt reactivation at much shorter, regular intervals. -2. If the computer is not a member of a domain or if the volume activation object is not available, the computer will issue a DNS query to attempt to locate a KMS server. If a KMS server can be contacted, activation occurs if the KMS has a key that matches the computer’s GVLK. -3. The computer tries to activate against Microsoft servers if it is configured with a MAK. -If the client is not able to activate itself successfully, it will periodically try again. The frequency of the retry attempts depends on the current licensing state and whether the client computer has been successfully activated in the past. For example, if the client computer had been previously activated by Active Directory-based activation, it will periodically try to contact the domain controller at each restart. +If activation or reactivation is required, the following sequence occurs: + +1. If the computer is a member of a domain, it asks a domain controller for a volume activation object. If Active Directory-based activation is configured, the domain controller returns the object. If the object matches the edition of the software that is installed and the computer has a matching GVLK, the computer is activated (or reactivated), and it will not need to be activated again for 180 days, although the operating system will attempt reactivation at much shorter, regular intervals. + +2. If the computer isn't a member of a domain or if the volume activation object isn't available, the computer will issue a DNS query to attempt to locate a KMS server. If a KMS server can be contacted, activation occurs if the KMS has a key that matches the computer's GVLK. + +3. The computer tries to activate against Microsoft servers if it's configured with a MAK. + +If the client isn't able to activate itself successfully, it will periodically try again. The frequency of the retry attempts depends on the current licensing state and whether the client computer has been successfully activated in the past. For example, if the client computer had been previously activated by Active Directory-based activation, it will periodically try to contact the domain controller at each restart. ## How Key Management Service works -KMS uses a client–server topology. KMS client computers can locate KMS host computers by using DNS or a static configuration. KMS clients contact the KMS host by using RPCs carried over TCP/IP. +KMS uses a client-server topology. KMS client computers can locate KMS host computers by using DNS or a static configuration. KMS clients contact the KMS host by using RPCs carried over TCP/IP. ### Key Management Service activation thresholds You can activate physical computers and virtual machines by contacting a KMS host. To qualify for KMS activation, there must be a minimum number of qualifying computers (called the activation threshold). KMS clients will be activated only after this threshold has been met. Each KMS host counts the number of computers that have requested activation until the threshold is met. -A KMS host responds to each valid activation request from a KMS client with the count of how many computers have already contacted the KMS host for activation. Client computers that receive a count below the activation threshold are not activated. For example, if the first two computers that contact the KMS host are running Windows 10, the first receives an activation count of 1, and the second receives an activation count of 2. If the next computer is a virtual machine on a computer running Windows 10, it receives an activation count of 3, and so on. None of these computers will be activated, because computers running Windows 10, like other client operating system versions, must receive an activation count of 25 or more. -When KMS clients are waiting for the KMS to reach the activation threshold, they will connect to the KMS host every two hours to get the current activation count. They will be activated when the threshold is met. +A KMS host responds to each valid activation request from a KMS client with the count of how many computers have already contacted the KMS host for activation. Client computers that receive a count below the activation threshold aren't activated. For example, if the first two computers that contact the KMS host are running Windows 10, the first receives an activation count of 1, and the second receives an activation count of 2. If the next computer is a virtual machine on a computer running Windows 10, it receives an activation count of 3, and so on. None of these computers will be activated, because computers running Windows 10, like other client operating system versions, must receive an activation count of 25 or more. -In our example, if the next computer that contacts the KMS host is running Windows Server 2012 R2, it receives an activation count of 4, because activation counts are cumulative. If a computer running Windows Server 2012 R2 receives an activation count that is 5 or more, it is activated. If a computer running Windows 10 receives an activation count of 25 or more, it is activated. +When KMS clients are waiting for the KMS to reach the activation threshold, they'll connect to the KMS host every two hours to get the current activation count. They'll be activated when the threshold is met. + +In our example, if the next computer that contacts the KMS host is running Windows Server 2012 R2, it receives an activation count of 4, because activation counts are cumulative. If a computer running Windows Server 2012 R2 receives an activation count that is 5 or more, it's activated. If a computer running Windows 10 receives an activation count of 25 or more, it's activated. ### Activation count cache -To track the activation threshold, the KMS host keeps a record of the KMS clients that request activation. The KMS host gives each KMS client a client ID designation, and the KMS host saves each client ID in a table. By default, each activation request remains in the table for up to 30 days. When a client renews its activation, the cached client ID is removed from the table, a new record is created, and the 30day period begins again. If a KMS client computer does not renew its activation within 30 days, the KMS host removes the corresponding client ID from the table and reduces the activation count by one. -However, the KMS host only caches twice the number of client IDs that are required to meet the activation threshold. Therefore, only the 50 most recent client IDs are kept in the table, and a client ID could be removed much sooner than 30 days. -The total size of the cache is set by the type of client computer that is attempting to activate. If a KMS host receives activation requests only from servers, the cache will hold only 10 client IDs (twice the required 5). If a client computer running Windows 10 contacts that KMS host, KMS increases the cache size to 50 to accommodate the higher threshold. KMS never reduces the cache size. +To track the activation threshold, the KMS host keeps a record of the KMS clients that request activation. The KMS host gives each KMS client a client ID designation, and the KMS host saves each client ID in a table. By default, each activation request remains in the table for up to 30 days. When a client renews its activation, the cached client ID is removed from the table, a new record is created, and the 30 day period begins again. If a KMS client computer doesn't renew its activation within 30 days, the KMS host removes the corresponding client ID from the table and reduces the activation count by one. + +However, the KMS host only caches twice the number of client IDs that are required to meet the activation threshold. Therefore, only the 50 most recent client IDs are kept in the table, and a client ID could be removed much sooner than 30 days. +The total size of the cache is set by the type of client computer that is attempting to activate. If a KMS host receives activation requests only from servers, the cache will hold only 10 client IDs (twice the required 5). If a client computer running Windows 10 contacts that KMS host, KMS increases the cache size to 50 to accommodate the higher threshold. KMS never reduces the cache size. ### Key Management Service connectivity @@ -61,63 +72,67 @@ KMS activation requires TCP/IP connectivity. By default, KMS hosts and clients u ### Key Management Service activation renewal -KMS activations are valid for 180 days (the *activation validity interval*). To remain activated, KMS client computers must renew their activation by connecting to the KMS host at least once every 180 days. By default, KMS client computers attempt to renew their activation every 7 days. If KMS activation fails, the client computer retries every two hours. After a client computer’s activation is renewed, the activation validity interval begins again. +KMS activations are valid for 180 days (the *activation validity interval*). To remain activated, KMS client computers must renew their activation by connecting to the KMS host at least once every 180 days. By default, KMS client computers attempt to renew their activation every seven days. If KMS activation fails, the client computer retries every two hours. After a client computer's activation is renewed, the activation validity interval begins again. ### Publication of the Key Management Service -The KMS uses service (SRV) resource records in DNS to store and communicate the locations of KMS hosts. KMS hosts use the DNS dynamic update protocol, if available, to publish the KMS service (SRV) resource records. If dynamic update is not available or the KMS host does not have rights to publish the resource records, the DNS records must be published manually, or you must configure client computers to connect to specific KMS hosts. +The KMS uses service (SRV) resource records in DNS to store and communicate the locations of KMS hosts. KMS hosts use the DNS dynamic update protocol, if available, to publish the KMS service (SRV) resource records. If dynamic update isn't available or the KMS host doesn't have rights to publish the resource records, the DNS records must be published manually, or you must configure client computers to connect to specific KMS hosts. ### Client discovery of the Key Management Service By default, KMS client computers query DNS for KMS information. The first time a KMS client computer queries DNS for KMS information, it randomly chooses a KMS host from the list of service (SRV) resource records that DNS returns. The address of a DNS server that contains the service (SRV) resource records can be listed as a suffixed entry on KMS client computers, which allows one DNS server to advertise the service (SRV) resource records for KMS, and KMS client computers with other primary DNS servers to find it. -Priority and weight parameters can be added to the DnsDomainPublishList registry value for KMS. Establishing KMS host priority groupings and weighting within each group allows you to specify which KMS host the client computers should try first and balances traffic among multiple KMS hosts. Only Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2 provide these priority and weight parameters. -If the KMS host that a client computer selects does not respond, the KMS client computer removes that KMS host from its list of service (SRV) resource records and randomly selects another KMS host from the list. When a KMS host responds, the KMS client computer caches the name of the KMS host and uses it for subsequent activation and renewal attempts. If the cached KMS host does not respond on a subsequent renewal, the KMS client computer discovers a new KMS host by querying DNS for KMS service (SRV) resource records. -By default, client computers connect to the KMS host for activation by using anonymous RPCs through TCP port 1688. (You can change the default port.) After establishing a TCP session with the KMS host, the client computer sends a single request packet. The KMS host responds with the activation count. If the count meets or exceeds the activation threshold for that operating system, the client computer is activated and the session is closed. The KMS client computer uses this same process for renewal requests. 250 bytes are used for communication each way. + +Priority and weight parameters can be added to the DnsDomainPublishList registry value for KMS. Establishing KMS host priority groupings and weighting within each group allows you to specify which KMS host the client computers should try first and balances traffic among multiple KMS hosts. Only Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2 provide these priority and weight parameters. + +If the KMS host that a client computer selects doesn't respond, the KMS client computer removes that KMS host from its list of service (SRV) resource records and randomly selects another KMS host from the list. When a KMS host responds, the KMS client computer caches the name of the KMS host and uses it for subsequent activation and renewal attempts. If the cached KMS host doesn't respond on a subsequent renewal, the KMS client computer discovers a new KMS host by querying DNS for KMS service (SRV) resource records. + +By default, client computers connect to the KMS host for activation by using anonymous RPCs through TCP port 1688. (You can change the default port.) After establishing a TCP session with the KMS host, the client computer sends a single request packet. The KMS host responds with the activation count. If the count meets or exceeds the activation threshold for that operating system, the client computer is activated, and the session is closed. The KMS client computer uses this same process for renewal requests. 250 bytes are used for communication each way. ### Domain Name System server configuration -The default KMS automatic publishing feature requires the service (SRV) resource record and support for DNS dynamic update protocol. KMS client computer default behavior and the KMS service (SRV) resource record publishing are supported on a DNS server that is running Microsoft software or any other DNS server that supports service (SRV) resource records (per Internet Engineering Task Force \[IETF\] Request for Comments \[RFC\] 2782) and dynamic updates (per IETF RFC 2136). For example, Berkeley Internet Domain Name versions 8.x and 9.x support service (SRV) resource records and dynamic update. -The KMS host must be configured so that it has the credentials needed to create and update the following resource records on the DNS servers: service (SRV), IPv4 host (A), and IPv6 host (AAAA), or the records need to be created manually. The recommended solution for giving the KMS host the needed credentials is to create a security group in AD DS, then add all KMS hosts to that group. On a DNS server that is running Microsoft software, ensure that this security group is given full control over the \_VLMCS.\_TCP record in each DNS domain that will contain the KMS service (SRV) resource records. +The default KMS automatic publishing feature requires the service (SRV) resource record and support for DNS dynamic update protocol. KMS client computer default behavior and the KMS service (SRV) resource record publishing are supported on a DNS server that is running Microsoft software or any other DNS server that supports service (SRV) resource records (per Internet Engineering Task Force \[IETF\] Request for Comments \[RFC\] 2782) and dynamic updates (per IETF RFC 2136). For example, Berkeley Internet Domain Name versions 8.x and 9.x support service (SRV) resource records and dynamic update. +The KMS host must be configured so that it has the credentials needed to create and update the following resource records on the DNS servers: service (SRV), IPv4 host (A), and IPv6 host (AAAA), or the records need to be created manually. The recommended solution for giving the KMS host the needed credentials is to create a security group in AD DS, then add all KMS hosts to that group. On a DNS server that is running Microsoft software, ensure that this security group is given full control over the \_VLMCS.\_TCP record in each DNS domain that will contain the KMS service (SRV) resource records. ### Activating the first Key Management Service host -KMS hosts on the network need to install a KMS key, and then be activated with Microsoft. Installation of a KMS key enables the KMS on the KMS host. After installing the KMS key, complete the activation of the KMS host by telephone or online. Beyond this initial activation, a KMS host does not communicate any information to Microsoft. KMS keys are only installed on KMS hosts, never on individual KMS client computers. +KMS hosts on the network need to install a KMS key, and then be activated with Microsoft. Installation of a KMS key enables the KMS on the KMS host. After installing the KMS key, complete the activation of the KMS host by telephone or online. Beyond this initial activation, a KMS host doesn't communicate any information to Microsoft. KMS keys are only installed on KMS hosts, never on individual KMS client computers. ### Activating subsequent Key Management Service hosts -Each KMS key can be installed on up to six KMS hosts. These hosts can be physical computers or virtual machines. After activating a KMS host, the same host can be reactivated up to nine times with the same key. If the organization needs more than six KMS hosts, you can request additional activations for your organization’s KMS key by calling a Microsoft Volume [Licensing Activation Center](https://go.microsoft.com/fwlink/p/?LinkID=618264) to request an exception. +Each KMS key can be installed on up to six KMS hosts. These hosts can be physical computers or virtual machines. After activating a KMS host, the same host can be reactivated up to nine times with the same key. If the organization needs more than six KMS hosts, you can request additional activations for your organization's KMS key by calling a Microsoft Volume [Licensing Activation Center](https://go.microsoft.com/fwlink/p/?LinkID=618264) to request an exception. ## How Multiple Activation Key works -A MAK is used for one-time activation with Microsoft’s hosted activation services. Each MAK has a predetermined number of allowed activations. This number is based on volume licensing agreements, and it might not match the organization’s exact license count. Each activation that uses a MAK with the Microsoft hosted activation service counts toward the activation limit. +A MAK is used for one-time activation with Microsoft's hosted activation services. Each MAK has a predetermined number of allowed activations. This number is based on volume licensing agreements, and it might not match the organization's exact license count. Each activation that uses a MAK with the Microsoft hosted activation service counts toward the activation limit. You can activate computers by using a MAK in two ways: -- **MAK independent activation**. Each computer independently connects and is activated with Microsoft over the Internet or by telephone. MAK independent activation is best suited to computers within an organization that do not maintain a connection to the corporate network. MAK independent activation is shown in Figure 16. + +- **MAK independent activation**. Each computer independently connects and is activated with Microsoft over the Internet or by telephone. MAK independent activation is best suited to computers within an organization that don't maintain a connection to the corporate network. MAK independent activation is shown in Figure 16. ![MAK independent activation.](../images/volumeactivationforwindows81-16.jpg) - + **Figure 16**. MAK independent activation -- **MAK proxy activation**. MAK proxy activation enables a centralized activation request on behalf of multiple computers with one connection to Microsoft. You configure MAK proxy activation by using the VAMT. MAK proxy activation is appropriate for environments in which security concerns restrict direct access to the Internet or the corporate network. It is also suited for development and test labs that lack this connectivity. MAK proxy activation with the VAMT is shown in Figure 17. + +- **MAK proxy activation**. MAK proxy activation enables a centralized activation request on behalf of multiple computers with one connection to Microsoft. You configure MAK proxy activation by using the VAMT. MAK proxy activation is appropriate for environments in which security concerns restrict direct access to the Internet or the corporate network. It's also suited for development and test labs that lack this connectivity. MAK proxy activation with the VAMT is shown in Figure 17. ![MAK proxy activation with the VAMT.](../images/volumeactivationforwindows81-17.jpg) - + **Figure 17**. MAK proxy activation with the VAMT -A MAK is recommended for computers that rarely or never connect to the corporate network and for environments in which the number of computers that require activation does not meet the KMS activation threshold. +A MAK is recommended for computers that rarely or never connect to the corporate network and for environments in which the number of computers that require activation doesn't meet the KMS activation threshold. -You can use a MAK for individual computers or with an image that can be duplicated or installed by using Microsoft deployment solutions. You can also use a MAK on a computer that was originally configured to use KMS activation. This is useful for moving a computer off the core network to a disconnected environment. +You can use a MAK for individual computers or with an image that can be duplicated or installed using Microsoft deployment solutions. You can also use a MAK on a computer that was originally configured to use KMS activation. Switching from KMS to a MAK is useful for moving a computer off the core network to a disconnected environment. ### Multiple Activation Key architecture and activation MAK independent activation installs a MAK product key on a client computer. The key instructs that computer to activate itself with Microsoft servers over the Internet. + In MAK proxy activation, the VAMT installs a MAK product key on a client computer, obtains the installation ID from the target computer, sends the installation ID to Microsoft on behalf of the client, and obtains a confirmation ID. The tool then activates the client computer by installing the confirmation ID. ## Activating as a standard user -Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2 do not require administrator privileges for activation, but this change does not allow standard user accounts to remove computers running Windows 7 or Windows Server 2008 R2 from the activated state. An administrator account is still required for other activation- or license-related tasks, such as “rearm.” +Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2 don't require administrator privileges for activation, but this change doesn't allow standard user accounts to remove computers running Windows 7 or Windows Server 2008 R2 from the activated state. An administrator account is still required for other activation- or license-related tasks, such as "rearm." -## See also +## Related articles -- [Volume Activation for Windows 10](volume-activation-windows-10.md) -  -  +- [Volume Activation for Windows 10](volume-activation-windows-10.md) diff --git a/windows/deployment/volume-activation/active-directory-based-activation-overview.md b/windows/deployment/volume-activation/active-directory-based-activation-overview.md index 3b0a290815..48855f3afa 100644 --- a/windows/deployment/volume-activation/active-directory-based-activation-overview.md +++ b/windows/deployment/volume-activation/active-directory-based-activation-overview.md @@ -2,39 +2,39 @@ title: Active Directory-Based Activation Overview (Windows 10) description: Enable your enterprise to activate its computers through a connection to their domain using Active Directory-Based Activation (ADBA). ms.reviewer: -manager: dougeby -ms.author: aaroncz + - nganguly +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski -ms.date: 12/07/2018 +author: frankroj +ms.date: 11/07/2022 ms.topic: article ms.technology: itpro-fundamentals --- # Active Directory-Based Activation overview -Active Directory-Based Activation (ADBA) enables enterprises to activate computers through a connection to their domain. Many companies have computers at offsite locations that use products that are registered to the company. Previously these computers needed to either use a retail key or a Multiple Activation Key (MAK), or physically connect to the network in order to activate their products by using Key Management Services (KMS). ADBA provides a way to activate these products if the computers can join the company’s domain. When the user joins their computer to the domain, the ADBA object automatically activates Windows installed on their computer, as long as the computer has a Generic Volume License Key (GVLK) installed. No single physical computer is required to act as the activation object, because it is distributed throughout the domain. +Active Directory-Based Activation (ADBA) enables enterprises to activate computers through a connection to their domain. Many companies have computers at offsite locations that use products that are registered to the company. Previously these computers needed to either use a retail key or a Multiple Activation Key (MAK), or physically connect to the network in order to activate their products by using Key Management Services (KMS). ADBA provides a way to activate these products if the computers can join the company's domain. When the user joins their computer to the domain, the ADBA object automatically activates Windows installed on their computer, as long as the computer has a Generic Volume License Key (GVLK) installed. No single physical computer is required to act as the activation object, because it's distributed throughout the domain. ## ADBA scenarios You might use ADBA if you only want to activate domain joined devices. -If you have a server hosting the KMS service, it can be necessary to reactivate licenses if the server is replaced with a new host. This is not necessary When ADBA is used. +If you have a server hosting the KMS service, it can be necessary to reactivate licenses if the server is replaced with a new host. Reactivating licenses isn't necessary When ADBA is used. -ADBA can also make load balancing easier when multiple KMS servers are present since the client can connect to any domain controller. This is simpler than using the DNS service to load balance by configuring priority and weight values. - -Some VDI solutions also require that new clients activate during creation before they are added to the pool. In this scenario, ADBA can eliminate potential VDI issues that might arise due to a KMS outage. +ADBA can also make load balancing easier when multiple KMS servers are present since the client can connect to any domain controller. ADBA is simpler than using the DNS service to load balance by configuring priority and weight values. +Some VDI solutions also require that new clients activate during creation before they're added to the pool. In this VDI scenario, ADBA can eliminate potential VDI issues that might arise due to a KMS outage. ## ADBA methods VAMT enables IT Professionals to manage and activate the ADBA object. Activation can be performed using the following methods: -- Online activation: To activate an ADBA forest online, the user selects the **Online activate forest** function, selects a KMS Host key (CSVLK) to use, and gives the ADBA Object a name. -- Proxy activation: For a proxy activation, the user first selects the **Proxy activate forest** function, selects a KMS Host key (CSVLK) to use, gives the ADBA Object a name, and provides a file name to save the CILx file that contains the Installation ID. Next, the user takes that file to a computer that is running VAMT with an Internet connection and then selects the **Acquire confirmation IDs for CILX** function on the VAMT landing page, and provides the original CILx file. When VAMT has loaded the Confirmation IDs into the original CILx file, the user takes this file back to the original VAMT instance, where the user completes the proxy activation process by selecting the **Apply confirmation ID to Active Directory domain** function. -## Related topics +- Online activation: To activate an ADBA forest online, the user selects the **Online activate forest** function, selects a KMS Host key (CSVLK) to use, and gives the ADBA Object a name. + +- Proxy activation: For a proxy activation, the user first selects the **Proxy activate forest** function, selects a KMS Host key (CSVLK) to use, gives the ADBA Object a name, and provides a file name to save the CILx file that contains the Installation ID. Next, the user takes that file to a computer that is running VAMT with an Internet connection and then selects the **Acquire confirmation IDs for CILX** function on the VAMT landing page, and provides the original CILx file. When VAMT has loaded the Confirmation IDs into the original CILx file, the user takes this file back to the original VAMT instance, where the user completes the proxy activation process by selecting the **Apply confirmation ID to Active Directory domain** function. + +## Related articles - [How to Activate an Active Directory Forest Online](./activate-forest-vamt.md) - [How to Proxy Activate an Active Directory Forest](./activate-forest-by-proxy-vamt.md) -  -  diff --git a/windows/deployment/volume-activation/add-manage-products-vamt.md b/windows/deployment/volume-activation/add-manage-products-vamt.md index 5250a833f9..53a1f70b1b 100644 --- a/windows/deployment/volume-activation/add-manage-products-vamt.md +++ b/windows/deployment/volume-activation/add-manage-products-vamt.md @@ -2,26 +2,24 @@ title: Add and Manage Products (Windows 10) description: Add client computers into the Volume Activation Management Tool (VAMT). After you add the computers, you can manage the products that are installed on your network. ms.reviewer: -manager: dougeby -ms.author: aaroncz + - nganguly +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski -ms.date: 04/25/2017 +author: frankroj +ms.date: 11/07/2022 ms.topic: article ms.technology: itpro-fundamentals --- -# Add and Manage Products +# Add and manage products This section describes how to add client computers into the Volume Activation Management Tool (VAMT). After the computers are added, you can manage the products that are installed on your network. ## In this Section -|Topic |Description | -|------|------------| +|Article |Description | +|-------|------------| |[Add and Remove Computers](add-remove-computers-vamt.md) |Describes how to add client computers to VAMT. | |[Update Product Status](update-product-status-vamt.md) |Describes how to update the status of product license. | |[Remove Products](remove-products-vamt.md) |Describes how to remove a product from the product list. | - - - diff --git a/windows/deployment/volume-activation/add-remove-computers-vamt.md b/windows/deployment/volume-activation/add-remove-computers-vamt.md index 66868c46dd..55297e1791 100644 --- a/windows/deployment/volume-activation/add-remove-computers-vamt.md +++ b/windows/deployment/volume-activation/add-remove-computers-vamt.md @@ -2,59 +2,74 @@ title: Add and Remove Computers (Windows 10) description: The Discover products function on the Volume Activation Management Tool (VAMT) allows you to search the Active Directory domain or a general LDAP query. ms.reviewer: -manager: dougeby -ms.author: aaroncz + - nganguly +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski -ms.date: 04/25/2017 +author: frankroj +ms.date: 11/07/2022 ms.topic: article ms.technology: itpro-fundamentals --- -# Add and Remove Computers +# Add and remove computers You can add computers that have any of the supported Windows or Office products installed to a Volume Activation Management Tool (VAMT) database by using the **Discover products** function. You can search for computers in an Active Directory domain, by individual computer name or IP address, in a workgroup, or by a general LDAP query. You can remove computers from a VAMT database by using the **Delete** function. After you add the computers, you can add the products that are installed on the computers by running the **Update license status** function. -Before adding computers, ensure that the Windows Management Instrumentation (WMI) firewall exception required by VAMT has been enabled on all target computers. For more information see [Configure Client Computers](configure-client-computers-vamt.md). +Before adding computers, ensure that the Windows Management Instrumentation (WMI) firewall exception required by VAMT has been enabled on all target computers. For more information, see [Configure Client Computers](configure-client-computers-vamt.md). ## To add computers to a VAMT database -1. Open VAMT. -2. Click **Discover products** in the **Actions** menu in the right-side pane to open the **Discover Products** dialog box. -3. In the **Discover products** dialog box, click **Search for computers in the Active Directory** to display the search options, then click the search option you want to use. You can search for computers in an Active Directory domain, by individual computer name or IP address, in a workgroup, or by a general LDAP query. - - To search for computers in an Active Directory domain, click **Search for computers in the Active Directory**, then under **Domain Filter Criteria**, in the list of domain names click the name of the domain you want to search. You can narrow the search further by typing a name in the **Filter by computer name** field to search for a specific computer within the domain. This filter supports the asterisk (\*) wildcard. For example, typing "a\*" will display only computer names that start with the letter "a". - - To search by individual computer name or IP address, click **Manually enter name or IP address**, then enter the full name or IP address in the **One or more computer names or IP addresses separated by commas** text box. Separate multiple entries with a comma. Note that VAMT supports both IPv4 and IPV6 addressing. - - To search for computers in a workgroup, click **Search for computers in the workgroup**, then under **Workgroup Filter Criteria**, in the list of workgroup names click the name of the workgroup you want to search. You can narrow the search further by typing a name in the **Filter by computer name** field to search for a specific computer within the workgroup. This filter supports the asterisk (\*) wildcard. For example, typing "a\*" will display only computer names that start with the letter "a". - - To search for computers by using a general LDAP query, click **Search with LDAP query** and enter your query in the text box provided. VAMT will validate only the LDAP query syntax, but will otherwise run the query without further checks. -4. Click **Search**. -5. VAMT searches for the specified computers and adds them to the VAMT database. During the search, VAMT displays the **Finding computers** message shown below. - To cancel the search, click **Cancel**. When the search is complete the names of the newly-discovered computers appear in the product list view in the center pane. - +1. Open VAMT. + +2. Select **Discover products** in the **Actions** menu in the right-side pane to open the **Discover Products** dialog box. + +3. In the **Discover products** dialog box, select **Search for computers in the Active Directory** to display the search options, then select the search option you want to use. You can search for computers in an Active Directory domain, by individual computer name or IP address, in a workgroup, or by a general LDAP query. + + - To search for computers in an Active Directory domain, select **Search for computers in the Active Directory**, then under **Domain Filter Criteria**, in the list of domain names select the name of the domain you want to search. You can narrow the search further by typing a name in the **Filter by computer name** field to search for a specific computer within the domain. This filter supports the asterisk (\*) wildcard. For example, typing "a\*" will display only computer names that start with the letter "a". + + - To search by individual computer name or IP address, select **Manually enter name or IP address**, then enter the full name or IP address in the **One or more computer names or IP addresses separated by commas** text box. Separate multiple entries with a comma. VAMT supports both IPv4 and IPV6 addressing. + + - To search for computers in a workgroup, select **Search for computers in the workgroup**, then under **Workgroup Filter Criteria**, in the list of workgroup names select the name of the workgroup you want to search. You can narrow the search further by typing a name in the **Filter by computer name** field to search for a specific computer within the workgroup. This filter supports the asterisk (\*) wildcard. For example, typing "a\*" will display only computer names that start with the letter "a". + + - To search for computers by using a general LDAP query, select **Search with LDAP query** and enter your query in the text box provided. VAMT will validate only the LDAP query syntax, but will otherwise run the query without further checks. + +4. Select **Search**. + +5. VAMT searches for the specified computers and adds them to the VAMT database. During the search, VAMT displays the **Finding computers** message shown below. + + To cancel the search, select **Cancel**. When the search is complete, the names of the newly discovered computers appear in the product list view in the center pane. + ![VAMT, Finding computers dialog box.](images/dep-win8-l-vamt-findingcomputerdialog.gif) - - **Important**   - This step adds only the computers to the VAMT database, and not the products that are installed on the computers. To add the products, you need to run the **Update license status** function. - + + > [!IMPORTANT] + > This step adds only the computers to the VAMT database, and not the products that are installed on the computers. To add the products, you need to run the **Update license status** function. + ## To add products to VAMT -1. In the **Products** list, select the computers that need to have their product information added to the VAMT database. -2. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. -3. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. - - To filter the list by computer name, enter a name in the **Computer Name** box. - - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. -4. Click **Filter**. VAMT displays the filtered list in the center pane. -5. In the right-side **Actions** pane, click **Update license status** and then click a credential option. Choose **Alternate Credentials** only if you are updating products that require administrator credentials different from the ones you used to log into the computer. If you are supplying alternate credentials, in the **Windows Security** dialog box type the appropriate user name and password and click **OK**. -6. VAMT displays the **Collecting product information** dialog box while it collects the licensing status of all supported products on the selected computers. When the process is finished, the updated licensing status of each product will appear in the product list view in the center pane. +1. In the **Products** list, select the computers that need to have their product information added to the VAMT database. - **Note**   +2. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. + +3. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. + + - To filter the list by computer name, enter a name in the **Computer Name** box. + + - To filter the list by Product Name, Product Key Type, or License Status, select the list you want to use for the filter and select an option. If necessary, select **clear all filters** to create a new filter. + +4. Select **Filter**. VAMT displays the filtered list in the center pane. + +5. In the right-side **Actions** pane, select **Update license status** and then select a credential option. Choose **Alternate Credentials** only if you're updating products that require administrator credentials different from the ones you used to log into the computer. If you're supplying alternate credentials, in the **Windows Security** dialog box type the appropriate user name and password and select **OK**. + +6. VAMT displays the **Collecting product information** dialog box while it collects the licensing status of all supported products on the selected computers. When the process is finished, the updated licensing status of each product will appear in the product list view in the center pane. + + > [!NOTE] If a computer has more than one supported product installed, VAMT adds an entry for each product. The entry appears under the appropriate product heading. - + ## To remove computers from a VAMT database -You can delete a computer by clicking on it in the product list view, and then clicking **Delete** in the **Selected Item** menu in the right-hand pane. In the **Confirm Delete Selected Products** dialog box that appears, click **Yes** to delete the computer. If a computer has multiple products listed, you must delete each product to completely remove the computer from the VAMT database. +You can delete a computer by clicking on it in the product list view, and then clicking **Delete** in the **Selected Item** menu in the right-hand pane. In the **Confirm Delete Selected Products** dialog box that appears, select **Yes** to delete the computer. If a computer has multiple products listed, you must delete each product to completely remove the computer from the VAMT database. -## Related topics +## Related articles - [Add and Manage Products](add-manage-products-vamt.md) - - diff --git a/windows/deployment/volume-activation/add-remove-product-key-vamt.md b/windows/deployment/volume-activation/add-remove-product-key-vamt.md index d096546643..5fa51a1c12 100644 --- a/windows/deployment/volume-activation/add-remove-product-key-vamt.md +++ b/windows/deployment/volume-activation/add-remove-product-key-vamt.md @@ -2,35 +2,41 @@ title: Add and Remove a Product Key (Windows 10) description: Add a product key to the Volume Activation Management Tool (VAMT) database. Also, learn how to remove the key from the database. ms.reviewer: -manager: dougeby -ms.author: aaroncz + - nganguly +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski -ms.date: 04/25/2017 +author: frankroj +ms.date: 11/07/2022 ms.topic: article ms.technology: itpro-fundamentals --- -# Add and Remove a Product Key +# Add and remove a product key Before you can use a Multiple Activation Key (MAK), retail, or KMS Host key (CSVLK) product key, you must first add it to the Volume Activation Management Tool (VAMT) database. -## To Add a Product Key +## To add a product key -1. Open VAMT. -2. In the left-side pane, right-click the **Product Keys** node to open the **Actions** menu. -3. Click **Add product keys** to open the **Add Product Keys** dialog box. -4. In the **Add Product Keys** dialog box, select from one of the following methods to add product keys: - - To add product keys manually, click **Enter product key(s) separated by line breaks**, enter one or more product keys separated by line breaks, and click **Add Key(s)**. - - To import a Comma Separated Values (CSV) file containing a list of product keys, click **Select a product key file to import**, browse to the file location, click **Open** to import the file, and then click **Add Key(s)**. +1. Open VAMT. - **Note**   - If you are activating a large number of products with a MAK, you should refresh the activation count of the MAK, to ensure that the MAK can support the required number of activations. In the product key list in the center pane, select the MAK and click **Refresh product key data online** in the right-side pane to contact Microsoft and retrieve the number of remaining activations for the MAK. This step requires Internet access. You can only retrieve the remaining activation count for MAKs. +2. In the left-side pane, right-click the **Product Keys** node to open the **Actions** menu. -## Remove a Product Key +3. Select **Add product keys** to open the **Add Product Keys** dialog box. -- To remove a product key from the list, simply select the key in the list and click **Delete** on the **Selected Items** menu in the right-side pane. Click **Yes** to confirm deletion of the product key. Removing a product key from the VAMT database will not affect the activation state of any products or computers on the network. +4. In the **Add Product Keys** dialog box, select from one of the following methods to add product keys: -## Related topics + - To add product keys manually, select **Enter product key(s) separated by line breaks**, enter one or more product keys separated by line breaks, and select **Add Key(s)**. + + - To import a Comma Separated Values (CSV) file containing a list of product keys, select **Select a product key file to import**, browse to the file location, select **Open** to import the file, and then select **Add Key(s)**. + + > [!NOTE] + > If you are activating a large number of products with a MAK, you should refresh the activation count of the MAK, to ensure that the MAK can support the required number of activations. In the product key list in the center pane, select the MAK and click **Refresh product key data online** in the right-side pane to contact Microsoft and retrieve the number of remaining activations for the MAK. This step requires Internet access. You can only retrieve the remaining activation count for MAKs. + +## Remove a product key + +- To remove a product key from the list, select the key in the list and select **Delete** on the **Selected Items** menu in the right-side pane. Select **Yes** to confirm deletion of the product key. Removing a product key from the VAMT database won't affect the activation state of any products or computers on the network. + +## Related articles - [Manage Product Keys](manage-product-keys-vamt.md) diff --git a/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md b/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md index d478a5e6fc..0aa4fe2fb3 100644 --- a/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md +++ b/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md @@ -2,56 +2,72 @@ title: Appendix Information sent to Microsoft during activation (Windows 10) description: Learn about the information sent to Microsoft during activation. ms.reviewer: -manager: dougeby -ms.author: aaroncz -author: aczechowski + - nganguly +manager: aaroncz +ms.author: frankroj +author: frankroj ms.prod: windows-client ms.technology: itpro-fundamentals ms.localizationpriority: medium -ms.date: 07/27/2017 +ms.date: 11/07/2022 ms.topic: article --- # Appendix: Information sent to Microsoft during activation -**Applies to** -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2012 -- Windows Server 2008 R2 + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2012 +- Windows Server 2008 R2 **Looking for retail activation?** -- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644) +- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644) When you activate a computer running Windows 10, the following information is sent to Microsoft: -- The Microsoft product code (a five-digit code that identifies the Windows product you're activating) -- A channel ID or site code that identifies how the Windows product was originally obtained +- The Microsoft product code (a five-digit code that identifies the Windows product you're activating) +- A channel ID or site code that identifies how the Windows product was originally obtained For example, a channel ID or site code identifies whether the product was originally purchased from a retail store, obtained as an evaluation copy, obtained through a volume licensing program, or preinstalled by a computer manufacturer. - -- The date of installation and whether the installation was successful -- Information that helps confirm that your Windows product key hasn't been altered -- Computer make and model -- Version information for the operating system and software -- Region and language settings -- A unique number called a *globally unique identifier*, which is assigned to your computer -- Product key (hashed) and product ID -- BIOS name, revision number, and revision date -- Volume serial number (hashed) of the hard disk drive -- The result of the activation check + +- The date of installation and whether the installation was successful +- Information that helps confirm that your Windows product key hasn't been altered + +- Computer make and model + +- Version information for the operating system and software + +- Region and language settings + +- A unique number called a *globally unique identifier*, which is assigned to your computer + +- Product key (hashed) and product ID + +- BIOS name, revision number, and revision date + +- Volume serial number (hashed) of the hard disk drive + +- The result of the activation check This result includes error codes and the following information about any activation exploits and related malicious or unauthorized software that was found or disabled: - - - The activation exploit's identifier - - The activation exploit's current state, such as cleaned or quarantined - - Computer manufacturer's identification - - The activation exploit's file name and hash in addition to a hash of related software components that may indicate the presence of an activation exploit -- The name and a hash of the contents of your computer's startup instructions file -- If your Windows license is on a subscription basis, information about how your subscription works + + - The activation exploit's identifier + + - The activation exploit's current state, such as cleaned or quarantined + + - Computer manufacturer's identification + + - The activation exploit's file name and hash in addition to a hash of related software components that may indicate the presence of an activation exploit + +- The name and a hash of the contents of your computer's startup instructions file + +- If your Windows license is on a subscription basis, information about how your subscription works Standard computer information is also sent, but your computer's IP address is only kept temporarily. @@ -60,6 +76,6 @@ Standard computer information is also sent, but your computer's IP address is on Microsoft uses the information to confirm that you have a licensed copy of the software. Microsoft doesn't use the information to contact individual consumers. For more information, see [Windows 10 Privacy Statement](https://go.microsoft.com/fwlink/p/?LinkId=619879). -## See also +## Related articles -- [Volume Activation for Windows 10](volume-activation-windows-10.md) +- [Volume Activation for Windows 10](volume-activation-windows-10.md) diff --git a/windows/deployment/volume-activation/configure-client-computers-vamt.md b/windows/deployment/volume-activation/configure-client-computers-vamt.md index ec8b2ffdba..189f8488ed 100644 --- a/windows/deployment/volume-activation/configure-client-computers-vamt.md +++ b/windows/deployment/volume-activation/configure-client-computers-vamt.md @@ -2,21 +2,23 @@ title: Configure Client Computers (Windows 10) description: Learn how to configure client computers to enable the Volume Activation Management Tool (VAMT) to function correctly. ms.reviewer: -manager: dougeby -author: aczechowski -ms.author: aaroncz + - nganguly +manager: aaroncz +author: frankroj +ms.author: frankroj ms.prod: windows-client -ms.date: 04/30/2020 +ms.date: 11/07/2022 ms.topic: article ms.technology: itpro-fundamentals --- -# Configure Client Computers +# Configure client computers To enable the Volume Activation Management Tool (VAMT) to function correctly, certain configuration changes are required on all client computers: - An exception must be set in the client computer's firewall. -- A registry key must be created and set properly, for computers in a workgroup; otherwise, Windows® User Account Control (UAC) will not allow remote administrative operations. + +- A registry key must be created and set properly, for computers in a workgroup; otherwise, Windows® User Account Control (UAC) won't allow remote administrative operations. Organizations where the VAMT will be widely used may benefit from making these changes inside the master image for Windows. @@ -28,11 +30,16 @@ Organizations where the VAMT will be widely used may benefit from making these c Enable the VAMT to access client computers using the **Windows Firewall** Control Panel: 1. Open Control Panel and double-click **System and Security**. -2. Click **Windows Firewall**. -3. Click **Allow a program or feature through Windows Firewall**. -4. Click the **Change settings** option. + +2. Select **Windows Firewall**. + +3. Select **Allow a program or feature through Windows Firewall**. + +4. Select the **Change settings** option. + 5. Select the **Windows Management Instrumentation (WMI)** checkbox. -6. Click **OK**. + +6. Select **OK**. > [!WARNING] > By default, Windows Firewall Exceptions only apply to traffic originating on the local subnet. To expand the exception to apply to multiple subnets, you need to change the exception settings in the Windows Firewall with Advanced Security, as described below. @@ -44,11 +51,15 @@ Enable the VAMT to access client computers across multiple subnets using the **W ![VAMT Firewall configuration for multiple subnets.](images/dep-win8-l-vamt-firewallconfigurationformultiplesubnets.gif) 1. Open the Control Panel and double-click **Administrative Tools**. -2. Click **Windows Firewall with Advanced Security**. + +2. Select **Windows Firewall with Advanced Security**. + 3. Make your changes for each of the following three WMI items, for the applicable Network Profile (Domain, Public, Private): - Windows Management Instrumentation (ASync-In) + - Windows Management Instrumentation (DCOM-In) + - Windows Management Instrumentation (WMI-In) 4. In the **Windows Firewall with Advanced Security** dialog box, select **Inbound Rules** from the left-hand panel. @@ -56,10 +67,12 @@ Enable the VAMT to access client computers across multiple subnets using the **W 5. Right-click the desired rule and select **Properties** to open the **Properties** dialog box. - On the **General** tab, select the **Allow the connection** checkbox. + - On the **Scope** tab, change the Remote IP Address setting from "Local Subnet" (default) to allow the specific access you need. + - On the **Advanced** tab, verify selection of all profiles that are applicable to the network (Domain or Private/Public). - In certain scenarios, only a limited set of TCP/IP ports are allowed through a hardware firewall. Administrators must ensure that WMI (which relies on RPC over TCP/IP) is allowed through these types of firewalls. By default, the WMI port is a dynamically allocated random port above 1024. The following Microsoft knowledge article discusses how administrators can limit the range of dynamically-allocated ports. This is useful if, for example, the hardware firewall only allows traffic in a certain range of ports. + In certain scenarios, only a limited set of TCP/IP ports are allowed through a hardware firewall. Administrators must ensure that WMI (which relies on RPC over TCP/IP) is allowed through these types of firewalls. By default, the WMI port is a dynamically allocated random port above 1024. The following Microsoft knowledge article discusses how administrators can limit the range of dynamically allocated ports. Limiting the range of dynamically allocated ports is useful if, for example, the hardware firewall only allows traffic in a certain range of ports. For more info, see [How to configure RPC dynamic port allocation to work with firewalls](/troubleshoot/windows-server/networking/default-dynamic-port-range-tcpip-chang). @@ -71,6 +84,7 @@ Enable the VAMT to access client computers across multiple subnets using the **W On the client computer, create the following registry key using regedit.exe. 1. Navigate to `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system` + 2. Enter the following details: - **Value Name: LocalAccountTokenFilterPolicy** @@ -85,12 +99,15 @@ On the client computer, create the following registry key using regedit.exe. There are several options for organizations to configure the WMI firewall exception for computers: - **Image.** Add the configurations to the master Windows image deployed to all clients. -- **Group Policy.** If the clients are part of a domain, then all clients can be configured using Group Policy. The Group Policy setting for the WMI firewall exception is found in GPMC.MSC at: **Computer Configuration\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Inbound Rules**. -- **Script.** Execute a script using Microsoft Configuration Manager or a third-party remote script execution facility. + +- **Group Policy.** If the clients are part of a domain, then all clients can be configured using Group Policy. The Group Policy setting for the WMI firewall exception is found in GPMC.MSC at: **Computer Configuration** > **Windows Settings** > **Security Settings** > **Windows Firewall with Advanced Security** > **Windows Firewall with Advanced Security** > **Inbound Rules**. + +- **Script.** Execute a script using Microsoft Configuration Manager or a third-party remote script execution facility. + - **Manual.** Configure the WMI firewall exception individually on each client. The above configurations will open an additional port through the Windows Firewall on target computers and should be performed on computers that are protected by a network firewall. In order to allow VAMT to query the up-to-date licensing status, the WMI exception must be maintained. We recommend administrators consult their network security policies and make clear decisions when creating the WMI exception. -## Related topics +## Related articles - [Install and Configure VAMT](install-configure-vamt.md) diff --git a/windows/deployment/volume-activation/import-export-vamt-data.md b/windows/deployment/volume-activation/import-export-vamt-data.md index 8f83af6335..63e839c6dd 100644 --- a/windows/deployment/volume-activation/import-export-vamt-data.md +++ b/windows/deployment/volume-activation/import-export-vamt-data.md @@ -2,12 +2,13 @@ title: Import and export VAMT data description: Learn how to use the VAMT to import product-activation data from a file into SQL Server. ms.reviewer: -manager: dougeby -ms.author: aaroncz + - nganguly +manager: aaroncz +ms.author: frankroj ms.prod: windows-client ms.technology: itpro-fundamentals -author: aczechowski -ms.date: 05/02/2022 +author: frankroj +ms.date: 11/07/2022 ms.topic: how-to --- @@ -16,10 +17,12 @@ ms.topic: how-to You can use the Volume Activation Management Tool (VAMT) to import product-activation data from a computer information list (`.cilx` or `.cil`) file into SQL Server. Also use VAMT to export product-activation data into a `.cilx` file. A `.cilx` file is an XML file that stores computer and product-activation data. You can import data or export data during the following scenarios: + - Import and merge data from previous versions of VAMT. + - Export data to perform proxy activations. -> [!Warning] +> [!WARNING] > Editing a `.cilx` file through an application other than VAMT can corrupt the `.cilx` file. This method isn't supported. ## Import VAMT data @@ -27,8 +30,11 @@ You can import data or export data during the following scenarios: To import data into VAMT, use the following process: 1. Open VAMT. + 2. In the right-side **Actions** pane, select **Import list** to open the **Import List** dialog box. + 3. In the **Import List** dialog box, navigate to the `.cilx` file location, choose the file, and select **Open**. + 4. In the **Volume Activation Management Tool** dialog box, select **OK** to begin the import. VAMT displays a progress message while the file is being imported. Select **OK** when a message appears and confirms that the import has completed successfully. ## Export VAMT data @@ -36,14 +42,23 @@ To import data into VAMT, use the following process: Exporting VAMT data from a VAMT host computer that's not internet-connected is the first step of proxy activation using multiple VAMT hosts. To export product-activation data to a `.cilx` file: 1. In the left-side pane, select a product you want to export data for, or select **Products** if the list contains data for all products. + 2. If you want to export only part of the data in a product list, in the product-list view in the center pane, select the products you want to export. + 3. In the right-side **Actions** pane on, select **Export list** to open the **Export List** dialog box. + 4. In the **Export List** dialog box, select **Browse** to navigate to the `.cilx` file. + 5. Under **Export options**, select one of the following data-type options: + - Export products and product keys + - Export products only + - Export proxy activation data only. Selecting this option makes sure that the export contains only the licensing information required for the proxy web service to obtain CIDs from Microsoft. No personally identifiable information (PII) is contained in the exported `.cilx` file when this selection is checked. + 6. If you've selected products to export, select the **Export selected product rows only** check box. + 7. Select **Save**. VAMT displays a progress message while the data is being exported. Select **OK** when a message appears and confirms that the export has completed successfully. ## Related articles diff --git a/windows/deployment/volume-activation/install-configure-vamt.md b/windows/deployment/volume-activation/install-configure-vamt.md index 4b1b5ca520..833bc9a283 100644 --- a/windows/deployment/volume-activation/install-configure-vamt.md +++ b/windows/deployment/volume-activation/install-configure-vamt.md @@ -2,30 +2,29 @@ title: Install and Configure VAMT (Windows 10) description: Learn how to install and configure the Volume Activation Management Tool (VAMT), and learn where to find information about the process. ms.reviewer: -manager: dougeby -ms.author: aaroncz + - nganguly +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski +author: frankroj ms.localizationpriority: medium -ms.date: 07/27/2017 +ms.date: 11/07/2022 ms.topic: article ms.technology: itpro-fundamentals --- -# Install and Configure VAMT +# Install and configure VAMT This section describes how to install and configure the Volume Activation Management Tool (VAMT). -## In this Section +## In this section -|Topic |Description | -|------|------------| +|Article |Description | +|-------|------------| |[VAMT Requirements](vamt-requirements.md) |Provides system requirements for installing VAMT on a host computer. | |[Install VAMT](install-vamt.md) |Describes how to get and install VAMT. | |[Configure Client Computers](configure-client-computers-vamt.md) |Describes how to configure client computers on your network to work with VAMT. | -## Related topics +## Related articles - [Introduction to VAMT](introduction-vamt.md) -  -  diff --git a/windows/deployment/volume-activation/install-kms-client-key-vamt.md b/windows/deployment/volume-activation/install-kms-client-key-vamt.md index 2039634198..ed311b84f5 100644 --- a/windows/deployment/volume-activation/install-kms-client-key-vamt.md +++ b/windows/deployment/volume-activation/install-kms-client-key-vamt.md @@ -2,39 +2,50 @@ title: Install a KMS Client Key (Windows 10) description: Learn to use the Volume Activation Management Tool (VAMT) to install Generic Volume License Key (GVLK), or KMS client, product keys. ms.reviewer: -manager: dougeby -ms.author: aaroncz + - nganguly +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski +author: frankroj ms.localizationpriority: medium -ms.date: 07/27/2017 +ms.date: 11/07/2022 ms.topic: article ms.technology: itpro-fundamentals --- # Install a KMS Client Key -You can use the Volume Activation Management Tool (VAMT) to install Generic Volume License Key (GVLK), or KMS client, product keys. For example, if you are converting a MAK-activated product to KMS activation. +You can use the Volume Activation Management Tool (VAMT) to install Generic Volume License Key (GVLK), or KMS client, product keys. For example, if you're converting a MAK-activated product to KMS activation. -**Note**   -By default, volume license editions of Windows Vista, Windows® 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. GVLKs are already installed in volume license editions of these products. +> [!NOTE] +> By default, volume license editions of Windows Vista, Windows® 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. GVLKs are already installed in volume license editions of these products. -**To install a KMS Client key** -1. Open VAMT. -2. In the left-side pane click **Products** to open the product list view in the center pane. -3. In the products list view in the center pane, select the products that need to have GVLKs installed. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. -4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. - - To filter the list by computer name, enter a name in the **Computer Name** box. - - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. -5. Click **Filter**. VAMT displays the filtered list in the center pane. -6. Click **Install product key** in the **Selected Items** menu in the right-side pane to display the **Install Product Key** dialog box. -7. The **Install Product Key** dialog box displays the keys that are available to be installed. -8. Select the **Automatically select an AD or KMS client key** option and then click **Install Key**. +## To install a KMS Client key + +1. Open VAMT. + +2. In the left-side pane, select **Products** to open the product list view in the center pane. + +3. In the products list view in the center pane, select the products that need to have GVLKs installed. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. + +4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. + + - To filter the list by computer name, enter a name in the **Computer Name** box. + + - To filter the list by Product Name, Product Key Type, or License Status, select the list you want to use for the filter and select an option. If necessary, select **clear all filters** to create a new filter. + +5. Select **Filter**. VAMT displays the filtered list in the center pane. + +6. Select **Install product key** in the **Selected Items** menu in the right-side pane to display the **Install Product Key** dialog box. + +7. The **Install Product Key** dialog box displays the keys that are available to be installed. + +8. Select the **Automatically select an AD or KMS client key** option and then select **Install Key**. + + VAMT displays the **Installing product key** dialog box while it attempts to install the product key for the selected products. When the process is finished, the status appears in the **Action Status** column of the dialog box. Select **Close** to close the dialog box. You can also select the **Automatically close when done** check box when the dialog box appears. - VAMT displays the **Installing product key** dialog box while it attempts to install the product key for the selected products. When the process is finished, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears. - The same status is shown under the **Status of Last Action** column in the product list view in the center pane. -## Related topics +## Related articles - [Perform KMS Activation](kms-activation-vamt.md) diff --git a/windows/deployment/volume-activation/install-product-key-vamt.md b/windows/deployment/volume-activation/install-product-key-vamt.md index c96c711355..00ea59707d 100644 --- a/windows/deployment/volume-activation/install-product-key-vamt.md +++ b/windows/deployment/volume-activation/install-product-key-vamt.md @@ -2,12 +2,13 @@ title: Install a Product Key (Windows 10) description: Learn to use the Volume Activation Management Tool (VAMT) to install retail, Multiple Activation Key (MAK), and KMS Host key (CSVLK). ms.reviewer: -manager: dougeby -ms.author: aaroncz + - nganguly +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski +author: frankroj ms.localizationpriority: medium -ms.date: 07/27/2017 +ms.date: 11/07/2022 ms.topic: article ms.technology: itpro-fundamentals --- @@ -16,26 +17,35 @@ ms.technology: itpro-fundamentals You can use the Volume Activation Management Tool (VAMT) to install retail, Multiple Activation Key (MAK), and KMS Host key (CSVLK). -**To install a Product key** -1. Open VAMT. -2. In the left-side pane, click the product that you want to install keys onto. -3. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. -4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. - - To filter the list by computer name, enter a name in the **Computer Name** box. - - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. -5. Click **Filter**. -6. In the products list view in the center pane, sort the list if needed and then select the products that need to have keys installed. You can use the **CTRL** key or the **SHIFT** key to select more than one product. -7. Click **Install product key** in the **Selected Items** menu in the right-side pane to display the **Install Product Key** dialog box. -8. The **Select Product Key** dialog box displays the keys that are available to be installed. Under **Recommended MAKs**, VAMT might display one or more recommended MAK based on the selected products. You can select a recommended product key or a product key from the **All Product Keys** list. Use the scroll bar if you need to view the **Description** for each key. When you have selected the product key you want to install, click **Install Key**. Note that only one key can be installed at a time. -9. VAMT displays the **Installing product key** dialog box while it attempts to install the product key for the selected products. When the process is finished, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears. +## To install a Product key + +1. Open VAMT. + +2. In the left-side pane, select the product that you want to install keys onto. + +3. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. + +4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. + + - To filter the list by computer name, enter a name in the **Computer Name** box. + + - To filter the list by Product Name, Product Key Type, or License Status, select the list you want to use for the filter and select an option. If necessary, select **clear all filters** to create a new filter. + +5. Select **Filter**. + +6. In the products list view in the center pane, sort the list if needed and then select the products that need to have keys installed. You can use the **CTRL** key or the **SHIFT** key to select more than one product. + +7. Select **Install product key** in the **Selected Items** menu in the right-side pane to display the **Install Product Key** dialog box. + +8. The **Select Product Key** dialog box displays the keys that are available to be installed. Under **Recommended MAKs**, VAMT might display one or more recommended MAK based on the selected products. You can select a recommended product key or a product key from the **All Product Keys** list. Use the scroll bar if you need to view the **Description** for each key. When you've selected the product key you want to install, select **Install Key**. Only one key can be installed at a time. + +9. VAMT displays the **Installing product key** dialog box while it attempts to install the product key for the selected products. When the process is finished, the status appears in the **Action Status** column of the dialog box. Select **Close** to close the dialog box. You can also select the **Automatically close when done** check box when the dialog box appears. The same status is shown under the **Status of Last Action** column in the product list view in the center pane. - **Note**   - Product key installation will fail if VAMT finds mismatched key types or editions. VAMT will display the failure status and will continue the installation for the next product in the list. For more information on choosing the correct MAK or KMS Host key (CSVLK), see [How to Choose the Right - Volume License Key for Windows](/previous-versions/tn-archive/ee939271(v=technet.10)). + > [!NOTE] + > Product key installation will fail if VAMT finds mismatched key types or editions. VAMT will display the failure status and will continue the installation for the next product in the list. For more information on choosing the correct MAK or KMS Host key (CSVLK), see [How to Choose the Right Volume License Key for Windows](/previous-versions/tn-archive/ee939271(v=technet.10)). -## Related topics +## Related articles - [Manage Product Keys](manage-product-keys-vamt.md) - diff --git a/windows/deployment/volume-activation/install-vamt.md b/windows/deployment/volume-activation/install-vamt.md index aecd419d3e..1ea051c4fe 100644 --- a/windows/deployment/volume-activation/install-vamt.md +++ b/windows/deployment/volume-activation/install-vamt.md @@ -1,35 +1,40 @@ --- title: Install VAMT (Windows 10) description: Learn how to install Volume Activation Management Tool (VAMT) as part of the Windows Assessment and Deployment Kit (ADK) for Windows 10. -manager: dougeby -ms.author: aaroncz +ms.reviewer: + - nganguly +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski +author: frankroj ms.localizationpriority: medium -ms.date: 03/11/2019 +ms.date: 11/07/2022 ms.topic: article ms.technology: itpro-fundamentals --- # Install VAMT -This topic describes how to install the Volume Activation Management Tool (VAMT). +This article describes how to install the Volume Activation Management Tool (VAMT). -## Install VAMT +## Installing VAMT -You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for Windows 10. +You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for Windows 10. >[!IMPORTANT] ->VAMT requires local administrator privileges on all managed computers in order to deposit confirmation IDs (CIDs), get the client products’ license status, and install product keys. If VAMT is being used to manage products and product keys on the local host computer and you do not have administrator privileges, start VAMT with elevated privileges. For best results when using Active Directory-based activation, we recommend running VAMT while logged on as a domain administrator.  +>VAMT requires local administrator privileges on all managed computers in order to deposit confirmation IDs (CIDs), get the client products' license status, and install product keys. If VAMT is being used to manage products and product keys on the local host computer and you do not have administrator privileges, start VAMT with elevated privileges. For best results when using Active Directory-based activation, we recommend running VAMT while logged on as a domain administrator. >[!NOTE] ->The VAMT Microsoft Management Console snap-in ships as an x86 package. +>The VAMT Microsoft Management Console snap-in ships as an x86 package. ### Requirements - [Windows Server with Desktop Experience](/windows-server/get-started/getting-started-with-server-with-desktop-experience), with internet access (for the main VAMT console) and all updates applied + - Latest version of the [Windows 10 ADK](/windows-hardware/get-started/adk-install) + - Any supported [SQL Server Express](https://www.microsoft.com/sql-server/sql-server-editions-express) version, the latest is recommended + - Alternatively, any supported **full** SQL instance ### Install SQL Server Express / alternatively use any full SQL instance @@ -42,7 +47,7 @@ You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for 4. Enter an install location or use the default path, and then select **Install**. -5. On the completion page, note the instance name for your installation, select **Close**, and then select **Yes**. +5. On the completion page, note the instance name for your installation, select **Close**, and then select **Yes**. ![In this example, the instance name is SQLEXPRESS01.](images/sql-instance.png) @@ -50,7 +55,7 @@ You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for 1. Download the latest version of [Windows 10 ADK](/windows-hardware/get-started/adk-install). - If an older version is already installed, it is recommended to uninstall the older ADK and install the latest version. Existing VAMT data is maintained in the VAMT database. + If an older version is already installed, it's recommended to uninstall the older ADK and install the latest version. Existing VAMT data is maintained in the VAMT database. 2. Enter an install location or use the default path, and then select **Next**. @@ -58,7 +63,7 @@ You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for 4. Accept the license terms. -5. On the **Select the features you want to install** page, select **Volume Activation Management Tool (VAMT)**, and then select **Install**. (You can select additional features to install as well.) +5. On the **Select the features you want to install** page, select **Volume Activation Management Tool (VAMT)**, and then select **Install**. If desired, you can select additional features to install as well. 6. On the completion page, select **Close**. @@ -72,15 +77,10 @@ You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for For remote SQL Server, use `servername.yourdomain.com`. - - ## Uninstall VAMT To uninstall VAMT using the **Programs and Features** Control Panel: -1. Open **Control Panel** and select **Programs and Features**. +1. Open **Control Panel** and select **Programs and Features**. -2. Select **Assessment and Deployment Kit** from the list of installed programs and click **Change**. Follow the instructions in the Windows ADK installer to remove VAMT. - - - +2. Select **Assessment and Deployment Kit** from the list of installed programs and select **Change**. Follow the instructions in the Windows ADK installer to remove VAMT. diff --git a/windows/deployment/volume-activation/introduction-vamt.md b/windows/deployment/volume-activation/introduction-vamt.md index 35011f3cea..1d5ba5f37c 100644 --- a/windows/deployment/volume-activation/introduction-vamt.md +++ b/windows/deployment/volume-activation/introduction-vamt.md @@ -2,12 +2,13 @@ title: Introduction to VAMT (Windows 10) description: VAMT enables administrators to automate and centrally manage the Windows, Microsoft Office, and select other Microsoft products volume and retail activation process. ms.reviewer: -manager: dougeby -ms.author: aaroncz + - nganguly +manager: aaroncz +ms.author: frankroj ms.prod: windows-client ms.technology: itpro-fundamentals -author: aczechowski -ms.date: 09/16/2022 +author: frankroj +ms.date: 11/07/2022 ms.topic: overview --- @@ -18,7 +19,7 @@ The Volume Activation Management Tool (VAMT) enables network administrators and > [!NOTE] > VAMT can be installed on, and can manage, physical or virtual instances. VAMT can't detect whether or not the remote products are virtual. As long as the products can respond to Windows Management Instrumentation (WMI) calls, they will be discovered and activated. -## Managing MAK and retail activation +## Managing MAK and retail activation You can use a MAK or a retail product key to activate Windows, Windows Server, or Office on an individual computer or a group of computers. VAMT enables two different activation scenarios: @@ -26,23 +27,25 @@ You can use a MAK or a retail product key to activate Windows, Windows Server, o - **Proxy activation**: This activation method enables you to perform volume activation for products installed on client computers that don't have internet access. The VAMT host computer distributes a MAK, KMS host key (CSVLK), or retail product key to one or more client products and collects the installation ID (IID) from each client product. The VAMT host sends the IIDs to Microsoft on behalf of the client products and obtains the corresponding Confirmation IDs (CIDs). The VAMT host then installs the CIDs on the client products to complete the activation. Using this method, only the VAMT host computer needs internet access. You can also activate products installed on computers in a workgroup that's isolated from any larger network, by installing a second instance of VAMT on a computer within the workgroup. Then, use removable media to transfer activation data between this new instance of VAMT and the internet-connected VAMT host. -## Managing KMS activation +## Managing KMS activation In addition to MAK or retail activation, you can use VAMT to perform volume activation using the KMS. VAMT can install and activate GVLK (KMS client) keys on client products. GVLKs are the default product keys used by volume license editions of Windows, Windows Server, and Office. VAMT treats a KMS host key (CSVLK) product key identically to a retail-type product key. The experience for product key entry and activation management are identical for both these product key types. -## Enterprise environment +## Enterprise environment VAMT is commonly implemented in enterprise environments. The following screenshot illustrates three common environments: core network, secure zone, and isolated lab. ![VAMT in the enterprise.](images/dep-win8-l-vamt-image001-enterprise.jpg) - In the core network environment, all computers are within a common network managed by Active Directory Domain Services (AD DS). + - The secure zone represents higher-security core network computers that have extra firewall protection. + - The isolated lab environment is a workgroup that is physically separate from the core network, and its computers don't have internet access. The network security policy states that no information that could identify a specific computer or user may be transferred out of the isolated lab. -## VAMT user interface +## VAMT user interface The following screenshot shows the VAMT graphical user interface: @@ -58,7 +61,7 @@ VAMT provides a single, graphical user interface for managing activations, and f - **Managing product keys**: You can store multiple product keys and use VAMT to install these keys to remote client products. You can also determine the number of activations remaining for MAKs. -- **Managing activation data**: VAMT stores activation data in a SQL database. VAMT can export this data to other VAMT hosts or to an archive in XML format. +- **Managing activation data**: VAMT stores activation data in an SQL database. VAMT can export this data to other VAMT hosts or to an archive in XML format. ## Next steps diff --git a/windows/deployment/volume-activation/kms-activation-vamt.md b/windows/deployment/volume-activation/kms-activation-vamt.md index c6c284ccb9..348a87ba6b 100644 --- a/windows/deployment/volume-activation/kms-activation-vamt.md +++ b/windows/deployment/volume-activation/kms-activation-vamt.md @@ -2,45 +2,63 @@ title: Perform KMS Activation (Windows 10) description: The Volume Activation Management Tool (VAMT) can be used to perform volume activation using the Key Management Service (KMS). ms.reviewer: -manager: dougeby -ms.author: aaroncz + - nganguly +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski -ms.date: 04/25/2017 +author: frankroj +ms.date: 11/07/2022 ms.topic: article ms.technology: itpro-fundamentals --- -# Perform KMS Activation +# Perform KMS activation -The Volume Activation Management Tool (VAMT) can be used to perform volume activation using the Key Management Service (KMS). You can use VAMT to activate Generic Volume Licensing Keys, or KMS client keys, on products accessible to VAMT. GVLKs are the default product keys used by the volume-license editions of Windows Vista, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server® 2012, and Microsoft Office 2010. GVLKs are already installed in volume-license editions of these products. +The Volume Activation Management Tool (VAMT) can be used to perform volume activation using the Key Management Service (KMS). You can use VAMT to activate Generic Volume Licensing Keys, or KMS client keys, on products accessible to VAMT. GVLKs are the default product keys used by the volume-license editions of Windows Vista, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server® 2012, and Microsoft Office 2010. GVLKs are already installed in volume-license editions of these products. ## Requirements Before configuring KMS activation, ensure that your network and VAMT installation meet the following requirements: -- KMS host is set up and enabled. -- KMS clients can access the KMS host. -- VAMT is installed on a central computer with network access to all client computers. -- The products to be activated have been added to VAMT. For more information on adding product keys, see [Install a KMS Client Key](install-kms-client-key-vamt.md). -- VAMT has administrative permissions on all computers to be activated, and Windows Management Instrumentation (WMI) is accessible through the Windows Firewall. For more information, see [Configure Client Computers](configure-client-computers-vamt.md). + +- KMS host is set up and enabled. + +- KMS clients can access the KMS host. + +- VAMT is installed on a central computer with network access to all client computers. + +- The products to be activated have been added to VAMT. For more information on adding product keys, see [Install a KMS Client Key](install-kms-client-key-vamt.md). + +- VAMT has administrative permissions on all computers to be activated, and Windows Management Instrumentation (WMI) is accessible through the Windows Firewall. For more information, see [Configure client computers](configure-client-computers-vamt.md). ## To configure devices for KMS activation -**To configure devices for KMS activation** -1. Open VAMT. -2. If necessary, set up the KMS activation preferences. If you don’t need to set up the preferences, skip to step 6 in this procedure. Otherwise, continue to step 2. -3. To set up the preferences, on the menu bar click **View**, then click **Preferences** to open the **Volume Activation Management Tool Preferences** dialog box. -4. Under **Key Management Services host selection**, select one of the following options: - - **Find a KMS host automatically using DNS (default)**. If you choose this option, VAMT first clears any previously configured KMS host on the target computer and instructs the computer to query the Domain Name Service (DNS) to locate a KMS host and attempt activation. - - **Find a KMS host using DNS in this domain for supported products**. Enter the domain name. If you choose this option, VAMT first clears any previously configured KMS host on the target computer and instructs the computer to query the DNS in the specified domain to locate a KMS host and attempt activation. - - **Use specific KMS host**. Enter the KMS host name and KMS host port. For environments which do not use DNS for KMS host identification, VAMT sets the specified KMS host name and KMS host port on the target computer, and then instructs the computer to attempt activation with the specific KMS host. -5. Click **Apply**, and then click **OK** to close the **Volume Activation Management Tool Preferences** dialog box. -6. Select the products to be activated by selecting individual products in the product list view in the center pane. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. - - To filter the list by computer name, enter a name in the **Computer Name** box. - - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. -7. Click **Filter**. VAMT displays the filtered list in the center pane. -8. In the right-side pane, click **Activate** in the **Selected Items** menu, and then click **Volume activate**. -9. Click a credential option. Choose **Alternate credentials** only if you are activating products that require administrator credentials different from the ones you are currently using. -10. If you are supplying alternate credentials, at the prompt, type the appropriate user name and password and click **OK**. +1. Open VAMT. + +2. If necessary, set up the KMS activation preferences. If you don't need to set up the preferences, skip to step 6 in this procedure. Otherwise, continue to step 2. + +3. To set up the preferences, on the menu bar select **View**, then select **Preferences** to open the **Volume Activation Management Tool Preferences** dialog box. + +4. Under **Key Management Services host selection**, select one of the following options: + + - **Find a KMS host automatically using DNS (default)**. If you choose this option, VAMT first clears any previously configured KMS host on the target computer, and instructs the computer to query the Domain Name Service (DNS) to locate a KMS host and attempt activation. + + - **Find a KMS host using DNS in this domain for supported products**. Enter the domain name. If you choose this option, VAMT first clears any previously configured KMS host on the target computer, and instructs the computer to query the DNS in the specified domain to locate a KMS host and attempt activation. + + - **Use specific KMS host**. Enter the KMS host name and KMS host port. For environments that don't use DNS for KMS host identification, VAMT sets the specified KMS host name and KMS host port on the target computer, and then instructs the computer to attempt activation with the specific KMS host. + +5. Select **Apply**, and then select **OK** to close the **Volume Activation Management Tool Preferences** dialog box. + +6. Select the products to be activated by selecting individual products in the product list view in the center pane. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. + + - To filter the list by computer name, enter a name in the **Computer Name** box. + + - To filter the list by Product Name, Product Key Type, or License Status, select the list you want to use for the filter and select an option. If necessary, select **clear all filters** to create a new filter. + +7. Select **Filter**. VAMT displays the filtered list in the center pane. + +8. In the right-side pane, select **Activate** in the **Selected Items** menu, and then select **Volume activate**. + +9. Select a credential option. Choose **Alternate credentials** only if you're activating products that require administrator credentials different from the ones you're currently using. + +10. If you're supplying alternate credentials, at the prompt, type the appropriate user name and password and select **OK**. VAMT displays the **Volume Activation** dialog box until it completes the requested action. When the process is finished, the updated activation status of each product appears in the product list view in the center pane. -  diff --git a/windows/deployment/volume-activation/local-reactivation-vamt.md b/windows/deployment/volume-activation/local-reactivation-vamt.md index 64aa4ddfb2..e189dd781a 100644 --- a/windows/deployment/volume-activation/local-reactivation-vamt.md +++ b/windows/deployment/volume-activation/local-reactivation-vamt.md @@ -2,43 +2,54 @@ title: Perform Local Reactivation (Windows 10) description: An initially activated a computer using scenarios like MAK, retail, or CSLVK (KMS host), can be reactivated with Volume Activation Management Tool (VAMT). ms.reviewer: -manager: dougeby -ms.author: aaroncz + - nganguly +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski -ms.date: 04/25/2017 +author: frankroj +ms.date: 11/07/2022 ms.topic: article ms.technology: itpro-fundamentals --- -# Perform Local Reactivation +# Perform local reactivation If you reinstall Windows® or Microsoft® Office 2010 on a computer that was initially activated using proxy activation (MAK, retail, or CSLVK (KMS host)), and have not made significant changes to the hardware, use this local reactivation procedure to reactivate the program on that computer. Local reactivation relies upon data that was created during the initial proxy activation and stored in the Volume Activation Management Tool (VAMT) database. The database contains the installation ID (IID) and confirmation ID (Pending CID). Local reactivation uses this data to reapply the CID and reactivate those products. Reapplying the same CID conserves the remaining activations on the key. -**Note**   -During the initial proxy activation, the CID is bound to a digital “fingerprint”, which is calculated from values assigned to several different hardware components in the computer. If the computer has had significant hardware changes, this fingerprint will no longer match the CID. In this case, you must obtain a new CID for the computer from Microsoft. +> [!NOTE] +> During the initial proxy activation, the CID is bound to a digital "fingerprint", which is calculated from values assigned to several different hardware components in the computer. If the computer has had significant hardware changes, this fingerprint will no longer match the CID. In this case, you must obtain a new CID for the computer from Microsoft. -## To Perform a Local Reactivation +## To perform a local reactivation + +1. Open VAMT. Make sure that you're connected to the desired database. + +2. In the left-side pane, select the product you want to reactivate to display the products list. + +3. In the product list view in the center pane, select the desired products to be reactivated. You can sort the list by computer name by clicking on the **Computer Name** heading. You can also use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. + +4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. + + - To filter the list by computer name, enter a name in the **Computer Name** box. + + - To filter the list by Product Name, Product Key Type, or License Status, select the list you want to use for the filter and select an option. If necessary, select **clear all filters** to create a new filter. + +5. Select **Filter**. VAMT displays the filtered list in the center pane. + +6. In the right-side pane, select **Activate**, and then select **Apply Confirmation ID**. + +7. Select a credential option. Choose **Alternate credentials** only if you're reactivating products that require administrator credentials different from the ones you're currently using. + +8. If you're supplying alternate credentials, in the **Windows Security** dialog box type the appropriate user name, and password and select **OK**. -**To perform a local reactivation** -1. Open VAMT. Make sure that you are connected to the desired database. -2. In the left-side pane, click the product you want to reactivate to display the products list. -3. In the product list view in the center pane, select the desired products to be reactivated. You can sort the list by computer name by clicking on the **Computer Name** heading. You can also use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. -4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. - - To filter the list by computer name, enter a name in the **Computer Name** box. - - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. -5. Click **Filter**. VAMT displays the filtered list in the center pane. -6. In the right-side pane, click **Activate**, and then click **Apply Confirmation ID**. -7. Click a credential option. Choose **Alternate credentials** only if you are reactivating products that require administrator credentials different from the ones you are currently using. -8. If you are supplying alternate credentials, in the **Windows Security** dialog box type the appropriate user name and password and click **OK**. - VAMT displays the **Apply Confirmation ID** dialog box. -10. If you are using a different product key than the product key used for initial activation, you must complete a new activation to obtain a new CID. -11. If you are activating a product that requires administrator credentials different from the ones you are currently using, select the **Use Alternate Credentials** check box. -12. Click **OK**. +9. If you're using a different product key than the product key used for initial activation, you must complete a new activation to obtain a new CID. -## Related topics +10. If you're activating a product that requires administrator credentials different from the ones you're currently using, select the **Use Alternate Credentials** check box. + +11. Select **OK**. + +## Related article - [Manage Activations](manage-activations-vamt.md) diff --git a/windows/deployment/volume-activation/manage-activations-vamt.md b/windows/deployment/volume-activation/manage-activations-vamt.md index ce146804af..17dfa9af6d 100644 --- a/windows/deployment/volume-activation/manage-activations-vamt.md +++ b/windows/deployment/volume-activation/manage-activations-vamt.md @@ -2,11 +2,12 @@ title: Manage Activations (Windows 10) description: Learn how to manage activations and how to activate a client computer by using various activation methods. ms.reviewer: -manager: dougeby -ms.author: aaroncz + - nganguly +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski -ms.date: 04/25/2017 +author: frankroj +ms.date: 11/07/2022 ms.topic: article ms.technology: itpro-fundamentals --- @@ -17,14 +18,11 @@ This section describes how to activate a client computer, by using various activ ## In this Section -|Topic |Description | -|------|------------| +|Article |Description | +|-------|------------| |[Perform Online Activation](online-activation-vamt.md) |Describes how to activate a client computer over the Internet. | |[Perform Proxy Activation](proxy-activation-vamt.md) |Describes how to perform volume activation for client products that don't have Internet access. | |[Perform KMS Activation](kms-activation-vamt.md) |Describes how to perform volume activation using the Key Management Service (KMS). | |[Perform Local Reactivation](local-reactivation-vamt.md) |Describes how to reactivate an operating system or Office program that was reinstalled. | |[Activate an Active Directory Forest Online](activate-forest-vamt.md) |Describes how to use Active Directory-Based Activation to activate an Active Directory forest, online. | |[Activate by Proxy an Active Directory Forest](activate-forest-by-proxy-vamt.md) |Describes how to use Active Directory-Based Activation to proxy activate an Active Directory forest that isn't connected to the Internet. | - - - diff --git a/windows/deployment/volume-activation/manage-product-keys-vamt.md b/windows/deployment/volume-activation/manage-product-keys-vamt.md index 474f83d10d..2b9594e4f6 100644 --- a/windows/deployment/volume-activation/manage-product-keys-vamt.md +++ b/windows/deployment/volume-activation/manage-product-keys-vamt.md @@ -2,25 +2,24 @@ title: Manage Product Keys (Windows 10) description: In this article, learn how to add and remove a product key from the Volume Activation Management Tool (VAMT). ms.reviewer: -manager: dougeby -ms.author: aaroncz + - nganguly +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski -ms.date: 04/25/2017 +author: frankroj +ms.date: 11/07/2022 ms.topic: article ms.technology: itpro-fundamentals --- # Manage Product Keys -This section describes how to add and remove a product key from the Volume Activation Management Tool (VAMT). After you add a product key to VAMT, you can install that product key on a product or products you select in the VAMT database. +This section describes how to add and remove a product key from the Volume Activation Management Tool (VAMT). After you add a product key to VAMT, you can install that product key on a product, or products you select in the VAMT database. + ## In this Section -|Topic |Description | -|------|------------| +|Article |Description | +|-------|------------| |[Add and Remove a Product Key](add-remove-product-key-vamt.md) |Describes how to add a product key to the VAMT database. | |[Install a Product Key](install-product-key-vamt.md) |Describes how to install a product key for specific product. | |[Install a KMS Client Key](install-kms-client-key-vamt.md) |Describes how to install a GVLK (KMS client) key. | - - - diff --git a/windows/deployment/volume-activation/manage-vamt-data.md b/windows/deployment/volume-activation/manage-vamt-data.md index 39a1737116..d2499a44f3 100644 --- a/windows/deployment/volume-activation/manage-vamt-data.md +++ b/windows/deployment/volume-activation/manage-vamt-data.md @@ -2,11 +2,12 @@ title: Manage VAMT Data (Windows 10) description: Learn how to save, import, export, and merge a Computer Information List (CILX) file using the Volume Activation Management Tool (VAMT). ms.reviewer: -manager: dougeby -ms.author: aaroncz + - nganguly +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski -ms.date: 04/25/2017 +author: frankroj +ms.date: 11/07/2022 ms.topic: article ms.technology: itpro-fundamentals --- @@ -16,7 +17,8 @@ ms.technology: itpro-fundamentals This section describes how to save, import, export, and merge a Computer Information List (CILX) file using the Volume Activation Management Tool (VAMT). ## In this Section -|Topic |Description | -|------|------------| + +|Article |Description | +|-------|------------| |[Import and Export VAMT Data](import-export-vamt-data.md) |Describes how to import and export VAMT data. | |[Use VAMT in Windows PowerShell](use-vamt-in-windows-powershell.md) |Describes how to access Windows PowerShell and how to import the VAMT PowerShell module. | diff --git a/windows/deployment/volume-activation/monitor-activation-client.md b/windows/deployment/volume-activation/monitor-activation-client.md index 94cdf4e1e9..7205e81894 100644 --- a/windows/deployment/volume-activation/monitor-activation-client.md +++ b/windows/deployment/volume-activation/monitor-activation-client.md @@ -1,19 +1,22 @@ --- title: Monitor activation (Windows 10) ms.reviewer: -manager: dougeby -ms.author: aaroncz + - nganguly +manager: aaroncz +ms.author: frankroj description: Understand the most common methods to monitor the success of the activation process for a computer running Windows. ms.prod: windows-client -author: aczechowski +author: frankroj ms.localizationpriority: medium ms.topic: article ms.technology: itpro-fundamentals +ms.date: 11/07/2022 --- # Monitor activation -**Applies to** +**Applies to:** + - Windows 10 - Windows 8.1 - Windows 8 @@ -22,19 +25,28 @@ ms.technology: itpro-fundamentals - Windows Server 2012 - Windows Server 2008 R2 -**Looking for retail activation?** - -- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644) +> [!TIP] +> Are you looking for information on retail activation? +> +> - [Activate Windows](https://support.microsoft.com/help/12440/) +> - [Product activation for Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644) You can monitor the success of the activation process for a computer running Windows in several ways. The most popular methods include: -- Using the Volume Licensing Service Center website to track use of MAK keys. -- Using the **Slmgr /dlv** command on a client computer or on the KMS host. (For a full list of options, see [Slmgr.vbs Options](/previous-versions//ff793433(v=technet.10)).) -- Viewing the licensing status, which is exposed through Windows Management Instrumentation (WMI); therefore, it is available to non-Microsoft or custom tools that can access WMI. (Windows PowerShell can also access WMI information.) -- Most licensing actions and events are recorded in the Event log (ex: Application Log events 12288-12290). -- Microsoft System Center Operations Manager and the KMS Management Pack can provide insight and information to users of System Center Operations Manager. -- See [Troubleshooting activation error codes](/windows-server/get-started/activation-error-codes) for information about troubleshooting procedures for Multiple Activation Key (MAK) or the Key Management Service (KMS). -- The VAMT provides a single site from which to manage and monitor volume activations. This is explained in the next section. -## See also +- Using the Volume Licensing Service Center website to track use of MAK keys. + +- Using the `Slmgr /dlv` command on a client computer or on the KMS host. For a full list of options, see [Slmgr.vbs options](/previous-versions//ff793433(v=technet.10)). + +- Viewing the licensing status, which is exposed through Windows Management Instrumentation (WMI); therefore, it's available to non-Microsoft or custom tools that can access WMI. (Windows PowerShell can also access WMI information.) + +- Most licensing actions and events are recorded in the Event log (ex: Application Log events 12288-12290). + +- Microsoft System Center Operations Manager and the KMS Management Pack can provide insight and information to users of System Center Operations Manager. + +- See [Troubleshooting activation error codes](/windows-server/get-started/activation-error-codes) for information about troubleshooting procedures for Multiple Activation Key (MAK) or the Key Management Service (KMS). + +- The VAMT provides a single site from which to manage and monitor volume activations. This feature is explained in the next section. + +## Related articles [Volume Activation for Windows 10](volume-activation-windows-10.md) diff --git a/windows/deployment/volume-activation/online-activation-vamt.md b/windows/deployment/volume-activation/online-activation-vamt.md index 18ded873b5..f1dcda98ce 100644 --- a/windows/deployment/volume-activation/online-activation-vamt.md +++ b/windows/deployment/volume-activation/online-activation-vamt.md @@ -2,51 +2,64 @@ title: Perform Online Activation (Windows 10) description: Learn how to use the Volume Activation Management Tool (VAMT) to enable client products to be activated online. ms.reviewer: -manager: dougeby -ms.author: aaroncz + - nganguly +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski -ms.date: 04/25/2017 +author: frankroj +ms.date: 11/07/2022 ms.topic: article ms.technology: itpro-fundamentals --- -# Perform Online Activation +# Perform online activation You can use the Volume Activation Management Tool (VAMT) to enable client products to be activated over the Internet. You can install the client products with any kind of product key that is eligible for online activation—Multiple Activation Key (MAK), retail, and Windows Key Management Services (KMS) host key. ## Requirements Before performing online activation, ensure that the network and the VAMT installation meet the following requirements: -- VAMT is installed on a central computer that has network access to all client computers. -- Both the VAMT host and client computers have Internet access. -- The products that you want to activate are added to VAMT. -- VAMT has administrative permissions on all computers that you intend to activate, and that Windows Management Instrumentation (WMI) can be accessed through the Windows firewall. For more information, see [Configure Client Computers](configure-client-computers-vamt.md). -The product keys that are installed on the client products must have a sufficient number of remaining activations. If you are activating a MAK key, you can retrieve the remaining number of activations for that key by selecting the MAK in the product key list in the center pane and then clicking -**Refresh product key data online** in the right-side pane. This retrieves the number of remaining activations for the MAK from Microsoft. Note that this step requires Internet access and that the remaining activation count can only be retrieved for MAKs. +- VAMT is installed on a central computer that has network access to all client computers. -## To Perform an Online Activation +- Both the VAMT host and client computers have Internet access. -**To perform an online activation** -1. Open VAMT. -2. In the products list view in the center pane, sort the list if necessary. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. -3. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. - - To filter the list by computer name, enter a name in the **Computer Name** box. - - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. -4. Click **Filter**. VAMT displays the filtered list in the center pane. -5. Select the products that you want to activate. You can use the **CTRL** key or the **SHIFT** key to select more than one product. -6. Click **Activate** in the **Selected Items** menu in the right-side **Actions** pane and then point to **Activate**. If the **Actions** pane is not displayed, click the Show/Hide Action Pane button, which is located on the toolbar to the right of the Help button. -7. Point to **Online activate**, and then select the appropriate credential option. If you click the **Alternate Credentials** option, you will be prompted to enter an alternate user name and password. -8. VAMT displays the **Activating products** dialog box until it completes the requested action. When activation is complete, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears. +- The products that you want to activate are added to VAMT. + +- VAMT has administrative permissions on all computers that you intend to activate, and that Windows Management Instrumentation (WMI) can be accessed through the Windows firewall. For more information, see [Configure Client Computers](configure-client-computers-vamt.md). + +The product keys that are installed on the client products must have a sufficient number of remaining activations. If you're activating a MAK key, you can retrieve the remaining number of activations for that key by selecting the MAK in the product key list in the center pane and then clicking **Refresh product key data online** in the right-side pane. This action retrieves the number of remaining activations for the MAK from Microsoft. This step requires Internet access and that the remaining activation count can only be retrieved for MAKs. + +## To perform an online activation + +1. Open VAMT. + +2. In the products list view in the center pane, sort the list if necessary. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. + +3. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. + + - To filter the list by computer name, enter a name in the **Computer Name** box. + + - To filter the list by Product Name, Product Key Type, or License Status, select the list you want to use for the filter and select an option. If necessary, select **clear all filters** to create a new filter. + +4. Select **Filter**. VAMT displays the filtered list in the center pane. + +5. Select the products that you want to activate. You can use the **CTRL** key or the **SHIFT** key to select more than one product. + +6. Select **Activate** in the **Selected Items** menu in the right-side **Actions** pane and then point to **Activate**. If the **Actions** pane isn't displayed, select the Show/Hide Action Pane button, which is located on the toolbar to the right of the Help button. + +7. Point to **Online activate**, and then select the appropriate credential option. If you select the **Alternate Credentials** option, you'll be prompted to enter an alternate user name and password. + +8. VAMT displays the **Activating products** dialog box until it completes the requested action. When activation is complete, the status appears in the **Action Status** column of the dialog box. Select **Close** to close the dialog box. You can also select the **Automatically close when done** check box when the dialog box appears. The same status is shown under the **Status of Last Action** column in the products list view in the center pane. - **Note**   - Online activation does not enable you to save the Confirmation IDs (CIDs). As a result, you cannot perform local reactivation. - - **Note** - You can use online activation to select products that have different key types and activate the products at the same time. + > [!NOTE] + > Online activation does not enable you to save the Confirmation IDs (CIDs). As a result, you cannot perform local reactivation. -## Related topics -- [Manage Activations](manage-activations-vamt.md) + > [!NOTE] + > You can use online activation to select products that have different key types and activate the products at the same time. + +## Related articles + +- [Manage activations](manage-activations-vamt.md) diff --git a/windows/deployment/volume-activation/plan-for-volume-activation-client.md b/windows/deployment/volume-activation/plan-for-volume-activation-client.md index 5fe9d182fa..97cdedeb4f 100644 --- a/windows/deployment/volume-activation/plan-for-volume-activation-client.md +++ b/windows/deployment/volume-activation/plan-for-volume-activation-client.md @@ -2,18 +2,21 @@ title: Plan for volume activation (Windows 10) description: Product activation is the process of validating software with the manufacturer after it has been installed on a specific computer. ms.reviewer: -manager: dougeby -ms.author: aaroncz + - nganguly +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski +author: frankroj ms.localizationpriority: medium ms.topic: article ms.technology: itpro-fundamentals +ms.date: 11/07/2022 --- # Plan for volume activation -**Applies to** +**Applies to:** + - Windows 10 - Windows 8.1 - Windows 8 @@ -22,16 +25,18 @@ ms.technology: itpro-fundamentals - Windows Server 2012 - Windows Server 2008 R2 -**Looking for retail activation?** +> [!TIP] +> Are you looking for information on retail activation? +> +> - [Activate Windows](https://support.microsoft.com/help/12440/) +> - [Product activation for Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644) -- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644) +*Product activation* is the process of validating software with the manufacturer after it has been installed on a specific computer. Activation confirms that the product is genuine—not a fraudulent copy—and that the product key or serial number is valid and hasn't been compromised or revoked. Activation also establishes a link or relationship between the product key and the particular installation. -*Product activation* is the process of validating software with the manufacturer after it has been installed on a specific computer. Activation confirms that the product is genuine—not a fraudulent copy—and that the product key or serial number is valid and has not been compromised or revoked. Activation also establishes a link or relationship between the product key and the particular installation. - -During the activation process, information about the specific installation is examined. For online activations, this information is sent to a server at Microsoft. This information may include the software version, the product key, the IP address of the computer, and information about the device. The activation methods that Microsoft uses are designed to help protect user privacy, and they cannot be used to track back to the computer or user. The gathered data confirms that the software is a legally licensed copy, and this data is used for statistical analysis. Microsoft does not use this information to identify or contact the user or the organization. +During the activation process, information about the specific installation is examined. For online activations, this information is sent to a server at Microsoft. This information may include the software version, the product key, the IP address of the computer, and information about the device. The activation methods that Microsoft uses are designed to help protect user privacy, and they can't be used to track back to the computer or user. The gathered data confirms that the software is a legally licensed copy, and this data is used for statistical analysis. Microsoft doesn't use this information to identify or contact the user or the organization. >[!NOTE] ->The IP address is used only to verify the location of the request, because some editions of Windows (such as “Starter” editions) can only be activated within certain geographical target markets. +>The IP address is used only to verify the location of the request, because some editions of Windows (such as "Starter" editions) can only be activated within certain geographical target markets. ## Distribution channels and activation @@ -39,69 +44,78 @@ In general, Microsoft software is obtained through three main channels: retail, ### Retail activations -The retail activation method has not changed in several versions of Windows and Windows Server. Each purchased copy comes with one unique product key (often referred to as a retail key). The user enters this key during product installation. The computer uses this retail key to complete the activation after the installation is complete. Most activations are performed online, but telephone activation is also available. +The retail activation method hasn't changed in several versions of Windows and Windows Server. Each purchased copy comes with one unique product key (often referred to as a retail key). The user enters this key during product installation. The computer uses this retail key to complete the activation after the installation is complete. Most activations are performed online, but telephone activation is also available. Recently, retail keys have been expanded into new distribution scenarios. Product key cards are available to activate products that have been preinstalled or downloaded. Programs such as Windows Anytime Upgrade and Get Genuine allow users to acquire legal keys separately from the software. These electronically distributed keys may come with media that contains software, they can come as a software shipment, or they may be provided on a printed card or electronic copy. Products are activated the same way with any of these retail keys. ### Original equipment manufacturer -Most original equipment manufacturers (OEMs) sell systems that include a standard build of the Windows operating system. The hardware vendor activates Windows by associating the operating system with the firmware (BIOS) of the computer. This occurs before the computer is sent to the customer, and no additional actions are required. +Most original equipment manufacturers (OEMs) sell systems that include a standard build of the Windows operating system. The hardware vendor activates Windows by associating the operating system with the firmware/BIOS of the computer. This activation occurs before the computer is sent to the customer, and no additional actions are required. + OEM activation is valid as long as the customer uses the OEM-provided image on the system. OEM activation is available only for computers that are purchased through OEM channels and have the Windows operating system preinstalled. ### Volume licensing -Volume licensing offers customized programs that are tailored to the size and purchasing preference of the organization. To become a volume licensing customer, the organization must set up a volume licensing agreement with Microsoft.There is a common misunderstanding about acquiring licenses for a new computer through volume licensing. There are two legal ways to acquire a full Windows client license for a new computer: -- Have the license preinstalled through the OEM. -- Purchase a fully packaged retail product. +Volume licensing offers customized programs that are tailored to the size and purchasing preference of the organization. To become a volume licensing customer, the organization must set up a volume licensing agreement with Microsoft. There's a common misunderstanding about acquiring licenses for a new computer through volume licensing. There are two legal ways to acquire a full Windows client license for a new computer: -The licenses that are provided through volume licensing programs such as Open License, Select License, and Enterprise Agreements cover upgrades to Windows client operating systems only. An existing retail or OEM operating system license is needed for each computer running Windows 10, Windows 8.1 Pro, Windows 8 Pro, Windows 7 Professional or Ultimate, or Windows XP Professional before the upgrade rights obtained through volume licensing can be exercised. +- Have the license preinstalled through the OEM + +- Purchase a fully packaged retail product + +The licenses that are provided through volume licensing programs such as Open License, Select License, and Enterprise Agreements cover upgrades to Windows client operating systems only. An existing retail or OEM operating system license is needed for each computer running Windows 10, Windows 8.1 Pro, Windows 8 Pro, Windows 7 Professional or Ultimate, or Windows XP Professional before the upgrade rights obtained through volume licensing can be exercised. Volume licensing is also available through certain subscription or membership programs, such as the Microsoft Partner Network and MSDN. These volume licenses may contain specific restrictions or other changes to the general terms applicable to volume licensing. -**Note**   -Some editions of the operating system, such as Windows 10 Enterprise, and some editions of application software are available only through volume licensing agreements or subscriptions. +> [!NOTE] +> Some editions of the operating system, such as Windows 10 Enterprise, and some editions of application software are available only through volume licensing agreements or subscriptions. ## Activation models For a user or IT department, there are no significant choices about how to activate products that are acquired through retail or OEM channels. The OEM performs the activation at the factory, and the user or the IT department need take no activation steps. With a retail product, the Volume Activation Management Tool (VAMT), which is discussed later in this guide, helps you track and manage keys. For each retail activation, you can choose: -- Online activation -- Telephone activation -- VAMT proxy activation -Telephone activation is primarily used in situations where a computer is isolated from all networks. VAMT proxy activation (with retail keys) is sometimes used when an IT department wants to centralize retail activations or when a computer with a retail version of the operating system is isolated from the Internet but connected to the LAN. For volume-licensed products, however, you must determine the best method or combination of methods to use in your environment. For Windows 10 Pro and Enterprise, you can choose from three models: -- MAKs -- KMS -- Active Directory-based activation +- Online activation -**Note**   -Token-based activation is available for specific situations when approved customers rely on a public key infrastructure in an isolated and high-security environment. For more information, contact your Microsoft Account Team or your service representative. +- Telephone activation + +- VAMT proxy activation + +Telephone activation is primarily used in situations where a computer is isolated from all networks. VAMT proxy activation (with retail keys) is sometimes used when an IT department wants to centralize retail activations or when a computer with a retail version of the operating system is isolated from the Internet but connected to the LAN. For volume-licensed products, however, you must determine the best method or combination of methods to use in your environment. For Windows 10 Pro and Enterprise, you can choose from three models: + +- MAKs + +- KMS + +- Active Directory-based activation + +> [!NOTE] +> Token-based activation is available for specific situations when approved customers rely on a public key infrastructure in an isolated and high-security environment. For more information, contact your Microsoft Account Team or your service representative. Token-based Activation option is available for Windows 10 Enterprise LTSB editions (Version 1507 and 1607). ### Multiple activation key -A Multiple Activation Key (MAK) is commonly used in small- or mid-sized organizations that have a volume licensing agreement, but they do not meet the requirements to operate a KMS or they prefer a simpler approach. A MAK also -allows permanent activation of computers that are isolated from the KMS or are part of an isolated network that does not have enough computers to use the KMS. +A Multiple Activation Key (MAK) is commonly used in small- or mid-sized organizations that have a volume licensing agreement, but they don't meet the requirements to operate a KMS or they prefer a simpler approach. A MAK also +allows permanent activation of computers that are isolated from the KMS or are part of an isolated network that doesn't have enough computers to use the KMS. To use a MAK, the computers to be activated must have a MAK installed. The MAK is used for one-time activation with the Microsoft online hosted activation services, by telephone, or by using VAMT proxy activation. -In the simplest terms, a MAK acts like a retail key, except that a MAK is valid for activating multiple computers. Each MAK can be used a specific number of times. The VAMT can assist in tracking the number of activations that have been performed with each key and how many remain. +In the simplest terms, a MAK acts like a retail key, except that a MAK is valid for activating multiple computers. Each MAK can be used a specific number of times. The VAMT can help with tracking the number of activations that have been performed with each key and how many remain. Organizations can download MAK and KMS keys from the [Volume Licensing Service Center](https://go.microsoft.com/fwlink/p/?LinkId=618213) website. Each MAK has a preset number of activations, which are based on a percentage of the count of licenses the organization purchases; however, you can increase the number of activations that are available with your MAK by calling Microsoft. ### Key Management Service -With the Key Management Service (KMS), IT pros can complete activations on their local network, eliminating the need for individual computers to connect to Microsoft for product activation. The KMS is a lightweight service that does not require a dedicated system and can easily be cohosted on a system that provides other services. +With the Key Management Service (KMS), IT pros can complete activations on their local network, eliminating the need for individual computers to connect to Microsoft for product activation. The KMS is a lightweight service that doesn't require a dedicated system and can easily be cohosted on a system that provides other services. -Volume editions of Windows 10 and Windows Server 2012 R2 (in addition to volume editions of operating system editions since Windows Vista and Windows Server 2008) automatically connect to a system that hosts the KMS to request activation. No action is required from the user. +Volume editions of Windows 10 and Windows Server 2012 R2 (in addition to volume editions of operating system editions since Windows Vista and Windows Server 2008) automatically connect to a system that hosts the KMS to request activation. No action is required from the user. -The KMS requires a minimum number of computers (physical computers or virtual machines) in a network environment. The organization must have at least five computers to activate Windows Server 2012 R2 and at least 25 computers to activate client computers that are running Windows 10. These minimums are referred to as *activation thresholds*. +The KMS requires a minimum number of computers (physical computers or virtual machines) in a network environment. The organization must have at least five computers to activate Windows Server 2012 R2 and at least 25 computers to activate client computers that are running Windows 10. These minimums are referred to as *activation thresholds*. -Planning to use the KMS includes selecting the best location for the KMS host and how many KMS hosts to have. One KMS host can handle a large number of activations, but organizations will often deploy two KMS hosts to ensure availability. Only rarely will more than two KMS hosts be used. The KMS can be hosted on a client computer or on a server, and it can be run on older versions of the operating system if proper configuration steps are taken. Setting up your KMS is discussed later in this guide. +Planning to use the KMS includes selecting the best location for the KMS host and how many KMS hosts to have. One KMS host can handle a large number of activations, but organizations will often deploy two KMS hosts to ensure availability. It will be rare that more than two KMS hosts are used. The KMS can be hosted on a client computer or on a server, and it can be run on older versions of the operating system if proper configuration steps are taken. Setting up your KMS is discussed later in this guide. ### Active Directory-based activation -Active Directory-based activation is the newest type of volume activation, and it was introduced in Windows 8. In many ways, Active Directory-based activation is similar to activation by using the KMS, but the activated computer does not need to maintain periodic connectivity with the KMS host. Instead, a domain-joined computer running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2 queries AD DS for a volume activation object that is stored in the domain. The operating system checks the digital signatures that are contained in the activation object, and then activates the device. +Active Directory-based activation is the newest type of volume activation, and it was introduced in Windows 8. In many ways, Active Directory-based activation is similar to activation by using the KMS, but the activated computer doesn't need to maintain periodic connectivity with the KMS host. Instead, a domain-joined computer running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2 queries AD DS for a volume activation object that is stored in the domain. The operating system checks the digital signatures that are contained in the activation object, and then activates the device. -Active Directory-based activation allows enterprises to activate computers through a connection to their domain. Many companies have computers at remote or branch locations, where it is impractical to connect to a KMS, or would not reach the KMS activation threshold. Rather than use MAKs, Active Directory-based activation provides a way to activate computers running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2 as long as the computers can contact the company’s domain. Active Directory-based activation offers the advantage of extending volume activation services everywhere you already have a domain presence. +Active Directory-based activation allows enterprises to activate computers through a connection to their domain. Many companies have computers at remote or branch locations, where it's impractical to connect to a KMS, or wouldn't reach the KMS activation threshold. Rather than use MAKs, Active Directory-based activation provides a way to activate computers running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2 as long as the computers can contact the company's domain. Active Directory-based activation offers the advantage of extending volume activation services everywhere you already have a domain presence. ## Network and connectivity @@ -109,11 +123,11 @@ A modern business network has many nuances and interconnections. This section ex ### Core network -Your core network is that part of your network that enjoys stable, high-speed, reliable connectivity to infrastructure servers. In many cases, the core network is also connected to the Internet, although that is not a requirement to use the KMS or Active Directory-based activation after the KMS server or AD DS is configured and active. Your core network likely consists of many network segments. In many organizations, the core network makes up the vast majority of the business network. +Your core network is that part of your network that enjoys stable, high-speed, reliable connectivity to infrastructure servers. In many cases, the core network is also connected to the Internet, although that isn't a requirement to use the KMS or Active Directory-based activation after the KMS server or AD DS is configured and active. Your core network likely consists of many network segments. In many organizations, the core network makes up the majority of the business network. -In the core network, a centralized KMS solution is recommended. You can also use Active Directory-based activation, but in many organizations, KMS will still be required to activate older client computers and computers that are not joined to the domain. Some administrators prefer to run both solutions to have the most flexibility, while others prefer to choose only a KMS-based solution for simplicity. Active Directory-based activation as the only solution is workable if all of the clients in your organization are running Windows 10, Windows 8.1, or Windows 8. +In the core network, a centralized KMS solution is recommended. You can also use Active Directory-based activation, but in many organizations, KMS will still be required to activate older client computers and computers that aren't joined to the domain. Some administrators prefer to run both solutions to have the most flexibility, while others prefer to choose only a KMS-based solution for simplicity. Active Directory-based activation as the only solution is workable if all of the clients in your organization are running Windows 10, Windows 8.1, or Windows 8. -A typical core network that includes a KMS host is shown in Figure 1. +A typical core network that includes a KMS host is shown in Figure 1. ![Typical core network.](../images/volumeactivationforwindows81-01.jpg) @@ -121,106 +135,124 @@ A typical core network that includes a KMS host is shown in Figure 1. ### Isolated networks -In a large network, it is all but guaranteed that some segments will be isolated, either for security reasons or because of geography or connectivity issues. +In a large network, it's all but guaranteed that some segments will be isolated, either for security reasons or because of geography or connectivity issues. -**Isolated for security** +#### Isolated for security Sometimes called a *high-security zone*, a particular network segment may be isolated from the core network by a firewall or disconnected from other networks totally. The best solution for activating computers in an isolated network depends on the security policies in place in the organization. -If the isolated network can access the core network by using outbound requests on TCP port 1688, and it is allowed to receive remote procedure calls (RPCs), you can perform activation by using the KMS in the core network, thereby avoiding the need to reach additional activation thresholds. +If the isolated network can access the core network by using outbound requests on TCP port 1688, and it's allowed to receive remote procedure calls (RPCs), you can perform activation by using the KMS in the core network, thereby avoiding the need to reach additional activation thresholds. -If the isolated network participates fully in the corporate forest, and it can make typical connections to domain controllers, such as using Lightweight Directory Access Protocol (LDAP) for queries and Domain Name Service (DNS) for name resolution, this is a good opportunity to use Active Directory-based activation for Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, and Windows Server 2012 R2. +If the isolated network participates fully in the corporate forest, and it can make typical connections to domain controllers, such as using Lightweight Directory Access Protocol (LDAP) for queries and Domain Name Service (DNS) for name resolution, this is a good opportunity to use Active Directory-based activation for Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, and Windows Server 2012 R2. -If the isolated network cannot communicate with the core network’s KMS server, and it cannot use Active Directory-based activation, you can set up a KMS host in the isolated network. This configuration is shown in Figure 2. However, if the isolated network contains only a few computers, it will not reach the KMS activation threshold. In that case, you can activate by using MAKs. +If the isolated network can't communicate with the core network's KMS server, and it can't use Active Directory-based activation, you can set up a KMS host in the isolated network. This configuration is shown in Figure 2. However, if the isolated network contains only a few computers, it will not reach the KMS activation threshold. In that case, you can activate by using MAKs. -If the network is fully isolated, MAK-independent activation would be the recommended choice, perhaps using the telephone option. But VAMT proxy activation may also be possible. You can also use MAKs to activate new computers during setup, before they are placed in the isolated network. +If the network is fully isolated, MAK-independent activation would be the recommended choice, perhaps using the telephone option. But VAMT proxy activation may also be possible. You can also use MAKs to activate new computers during setup, before they're placed in the isolated network. ![New KMS host in an isolated network.](../images/volumeactivationforwindows81-02.jpg) -**Figure 2**. New KMS host in an isolated network +**Figure 2**. New KMS host in an isolated network -**Branch offices and distant networks** -From mining operations to ships at sea, organizations often have a few computers that are not easily connected to the core network or the Internet. Some organizations have network segments at branch offices that are large and well-connected internally, but have a slow or unreliable WAN link to the rest of the organization. In these situations, you have several options: -- **Active Directory-based activation**. In any site where the client computers are running Windows 10, Active Directory-based activation is supported, and it can be activated by joining the domain. -- **Local KMS**. If a site has 25 or more client computers, it can activate against a local KMS server. -- **Remote (core) KMS**. If the remote site has connectivity to an existing KMS (perhaps through a virtual private network (VPN) to the core network), that KMS can be used. Using the existing KMS means that you only need to meet the activation threshold on that server. -- **MAK activation**. If the site has only a few computers and no connectivity to an existing KMS host, MAK activation is the best option. +#### Branch offices and distant networks + +From mining operations to ships at sea, organizations often have a few computers that aren't easily connected to the core network or the Internet. Some organizations have network segments at branch offices that are large and well-connected internally, but have a slow or unreliable WAN link to the rest of the organization. In these situations, you have several options: + +- **Active Directory-based activation**. In any site where the client computers are running Windows 10, Active Directory-based activation is supported, and it can be activated by joining the domain. + +- **Local KMS**. If a site has 25 or more client computers, it can activate against a local KMS server. + +- **Remote (core) KMS**. If the remote site has connectivity to an existing KMS (perhaps through a virtual private network (VPN) to the core network), that KMS can be used. Using the existing KMS means that you only need to meet the activation threshold on that server. + +- **MAK activation**. If the site has only a few computers and no connectivity to an existing KMS host, MAK activation is the best option. ### Disconnected computers -Some users may be in remote locations or may travel to many locations. This scenario is common for roaming clients, such as the computers that are used by salespeople or other users who are offsite but not at branch locations. This scenario can also apply to remote branch office locations that have no connection to the core network. You can consider this an “isolated network,” where the number of computers is one. Disconnected computers can use Active Directory-based activation, the KMS, or MAK depending on the client version and how often the computers connect to the core network. -If the computer is joined to the domain and running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2 8, you can use Active Directory-based activation—directly or through a VPN—at least once every 180 days. If the computer connects to a network with a KMS host at least every 180 days, but it does not support Active Directory-based activation, you can use KMS activation. Otherwise for computers that rarely or never connect to the network, use MAK independent activation (by using the telephone or the Internet). +Some users may be in remote locations or may travel to many locations. This scenario is common for roaming clients, such as the computers that are used by salespeople or other users who are offsite but not at branch locations. This scenario can also apply to remote branch office locations that have no connection to the core network. You can consider this branch office an "isolated network," where the number of computers is one. Disconnected computers can use Active Directory-based activation, the KMS, or MAK depending on the client version and how often the computers connect to the core network. + +If the computer is joined to the domain and running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2 8, you can use Active Directory-based activation—directly or through a VPN—at least once every 180 days. If the computer connects to a network with a KMS host at least every 180 days, but it doesn't support Active Directory-based activation, you can use KMS activation. Otherwise for computers that rarely or never connect to the network, use MAK independent activation (by using the telephone or the Internet). ### Test and development labs -Lab environments often have large numbers of virtual machines, and physical computers and virtual machines in labs are reconfigured frequently. Therefore, first determine whether the computers in test and development labs require activation. Editions of Windows 10 that include volume licensing will operate normally, even if they cannot activate immediately. -If you have ensured that your test or development copies of the operating system are within the license agreement, you may not need to activate the lab computers if they will be rebuilt frequently. If you require that the lab computers be activated, treat the lab as an isolated network and use the methods described earlier in this guide. -In labs that have a high turnover of computers and a small number of KMS clients, you must monitor the KMS activation count. You might need to adjust the time that the KMS caches the activation requests. The default is 30 days. +Lab environments often have large numbers of virtual machines, and physical computers and virtual machines in labs are reconfigured frequently. Therefore, first determine whether the computers in test and development labs require activation. Editions of Windows 10 that include volume licensing will operate normally, even if they can't activate immediately. + +If you've ensured that your test or development copies of the operating system are within the license agreement, you may not need to activate the lab computers if they'll be rebuilt frequently. If you require that the lab computers be activated, treat the lab as an isolated network, and use the methods described earlier in this guide. +In labs that have a high turnover of computers and a few KMS clients, you must monitor the KMS activation count. You might need to adjust the time that the KMS caches the activation requests. The default is 30 days. ## Mapping your network to activation methods -Now it’s time to assemble the pieces into a working solution. By evaluating your network connectivity, the numbers of computers you have at each site, and the operating system versions in use in your environment, you have collected the information you need to determine which activation methods will work best for you. You can fill-in information in Table 1 to help you make this determination. +Now it's time to assemble the pieces into a working solution. By evaluating your network connectivity, the numbers of computers you have at each site, and the operating system versions in use in your environment, you've collected the information you need to determine which activation methods will work best for you. You can fill in information in Table 1 to help you make this determination. **Table 1**. Criteria for activation methods |Criterion |Activation method | |----------|------------------| -|Number of domain-joined computers that support Active Directory-based activation (computers running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2) and will connect to a domain controller at least every 180 days. Computers can be mobile, semi-isolated, or located in a branch office or the core network. |Active Directory-based activation | -|Number of computers in the core network that will connect (directly or through a VPN) at least every 180 days

    Note
    The core network must meet the KMS activation threshold. |KMS (central) | -|Number of computers that do not connect to the network at least once every 180 days (or if no network meets the activation threshold) | MAK | +|Number of domain-joined computers that support Active Directory-based activation (computers running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2) and will connect to a domain controller at least every 180 days. Computers can be mobile, semi-isolated, or located in a branch office or the core network. |Active Directory-based activation | +|Number of computers in the core network that will connect (directly or through a VPN) at least every 180 days

    **Note**
    The core network must meet the KMS activation threshold.
    |KMS (central) | +|Number of computers that don't connect to the network at least once every 180 days (or if no network meets the activation threshold) | MAK | |Number of computers in semi-isolated networks that have connectivity to the KMS in the core network |KMS (central) | |Number of computers in isolated networks where the KMS activation threshold is met |KMS (local) | -|Number of computers in isolated networks where the KMS activation threshold is not met |MAK | -|Number of computers in test and development labs that will not be activated |None| -|Number of computers that do not have a retail volume license |Retail (online or phone) | -|Number of computers that do not have an OEM volume license |OEM (at factory) | -|Total number of computer activations

    Note
    This total should match the total number of licensed computers in your organization. | +|Number of computers in isolated networks where the KMS activation threshold isn't met |MAK | +|Number of computers in test and development labs that won't be activated |None| +|Number of computers that don't have a retail volume license |Retail (online or phone) | +|Number of computers that don't have an OEM volume license |OEM (at factory) | +|Total number of computer activations

    **Note**
    This total should match the total number of licensed computers in your organization.
    | ## Choosing and acquiring keys When you know which keys you need, you must obtain them. Generally speaking, volume licensing keys are collected in two ways: -- Go to the **Product Keys** section of the [Volume Licensing Service Center](https://go.microsoft.com/fwlink/p/?LinkID=618213) for the following agreements: Open, Open Value, Select, Enterprise, and Services Provider License. -- Contact your [Microsoft Activation Center](https://go.microsoft.com/fwlink/p/?LinkId=618264). + +- Go to the **Product Keys** section of the [Volume Licensing Service Center](https://go.microsoft.com/fwlink/p/?LinkID=618213) for the following agreements: Open, Open Value, Select, Enterprise, and Services Provider License. + +- Contact your [Microsoft activation center](https://go.microsoft.com/fwlink/p/?LinkId=618264). ### KMS host keys -A KMS host needs a key that activates, or authenticates, the KMS host with Microsoft. This key is usually referred to as the *KMS host key*, but it is formally known as a *Microsoft Customer Specific Volume License Key* (CSVLK). Most documentation and Internet references earlier than Windows 8.1 use the term KMS key, but CSVLK is becoming more common in current documentation and management tools. +A KMS host needs a key that activates, or authenticates, the KMS host with Microsoft. This key is referred to as the *KMS host key*, but it's formally known as a *Microsoft Customer Specific Volume License Key* (CSVLK). Most documentation and Internet references earlier than Windows 8.1 use the term KMS key, but CSVLK is becoming more common in current documentation and management tools. -A KMS host running Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 can activate both Windows Server and Windows client operating systems. A KMS host key is also needed to create the activation objects in AD DS, as described later in this guide. You will need a KMS host key for any KMS that you want to set up and if you are going to use Active Directory-based activation. +A KMS host running Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 can activate both Windows Server and Windows client operating systems. A KMS host key is also needed to create the activation objects in AD DS, as described later in this guide. You'll need a KMS host key for any KMS that you want to set up and if you're going to use Active Directory-based activation. ### Generic volume licensing keys -When you create installation media or images for client computers that will be activated by KMS or Active Directory-based activation, install a generic volume license key (GVLK) for the edition of Windows you are creating. GVLKs are also referred to as KMS client setup keys. +When you create installation media or images for client computers that will be activated by KMS or Active Directory-based activation, install a generic volume license key (GVLK) for the edition of Windows you're creating. GVLKs are also referred to as KMS client setup keys. -Installation media from Microsoft for Enterprise editions of the Windows operating system may already contain the GVLK. One GVLK is available for each type of installation. The GLVK will not activate the software against Microsoft activation servers, but rather against a KMS or Active Directory-based activation object. In other words, the GVLK does not work unless a valid KMS host key can be found. GVLKs are the only product keys that do not need to be kept confidential. +Installation media from Microsoft for Enterprise editions of the Windows operating system may already contain the GVLK. One GVLK is available for each type of installation. The GLVK won't activate the software against Microsoft activation servers, but rather against a KMS or Active Directory-based activation object. In other words, the GVLK doesn't work unless a valid KMS host key can be found. GVLKs are the only product keys that don't need to be kept confidential. -Typically, you will not need to manually enter a GVLK unless a computer has been activated with a MAK or a retail key and it is being converted to a KMS activation or to Active Directory-based activation. If you need to locate the GVLK for a particular client edition, see [Appendix A: KMS Client Setup Keys](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj612867(v=ws.11)). +Typically, you won't need to manually enter a GVLK unless a computer has been activated with a MAK or a retail key and it's being converted to a KMS activation or to Active Directory-based activation. If you need to locate the GVLK for a particular client edition, see [Appendix A: KMS client setup keys](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj612867(v=ws.11)). ### Multiple activation keys -You will also need MAK keys with the appropriate number of activations available. You can see how many times a MAK has been used on the Volume Licensing Service Center website or in the VAMT. +You'll also need MAK keys with the appropriate number of activations available. You can see how many times a MAK has been used on the Volume Licensing Service Center website or in the VAMT. ## Selecting a KMS host -The KMS does not require a dedicated server. It can be cohosted with other services, such as AD DS domain controllers and read-only domain controllers. -KMS hosts can run on physical computers or virtual machines that are running any supported Windows operating system. A KMS host that is running Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 can activate any Windows client or server operating system that supports volume activation. A KMS host that is running Windows 10 can activate only computers running Windows 10, Windows 8.1, Windows 8, Windows 7, or Windows Vista. +The KMS doesn't require a dedicated server. It can be cohosted with other services, such as AD DS domain controllers and read-only domain controllers. + +KMS hosts can run on physical computers or virtual machines that are running any supported Windows operating system. A KMS host that is running Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 can activate any Windows client or server operating system that supports volume activation. A KMS host that is running Windows 10 can activate only computers running Windows 10, Windows 8.1, Windows 8, Windows 7, or Windows Vista. + A single KMS host can support unlimited numbers of KMS clients, but Microsoft recommends deploying a minimum of two KMS hosts for failover purposes. However, as more clients are activated through Active Directory-based activation, the KMS and the redundancy of the KMS will become less important. Most organizations can use as few as two KMS hosts for their entire infrastructure. -The flow of KMS activation is shown in Figure 3, and it follows this sequence: +The flow of KMS activation is shown in Figure 3, and it follows this sequence: -1. An administrator uses the VAMT console to configure a KMS host and install a KMS host key. -2. Microsoft validates the KMS host key, and the KMS host starts to listen for requests. -3. The KMS host updates resource records in DNS to allow clients to locate the KMS host. (Manually adding DNS records is required if your environment does not support DNS dynamic update protocol.) -4. A client configured with a GVLK uses DNS to locate the KMS host. -5. The client sends one packet to the KMS host. -6. The KMS host records information about the requesting client (by using a client ID). Client IDs are used to maintain the count of clients and detect when the same computer is requesting activation again. The client ID is only used to determine whether the activation thresholds are met. The IDs are not stored permanently or transmitted to Microsoft. If the KMS is restarted, the client ID collection starts again. -7. If the KMS host has a KMS host key that matches the products in the GVLK, the KMS host sends a single packet back to the client. This packet contains a count of the number of computers that have requested activation from this KMS host. -8. If the count exceeds the activation threshold for the product that is being activated, the client is activated. If the activation threshold has not yet been met, the client will try again. +1. An administrator uses the VAMT console to configure a KMS host and install a KMS host key. + +2. Microsoft validates the KMS host key, and the KMS host starts to listen for requests. + +3. The KMS host updates resource records in DNS to allow clients to locate the KMS host. (Manually adding DNS records is required if your environment doesn't support DNS dynamic update protocol.) + +4. A client configured with a GVLK uses DNS to locate the KMS host. + +5. The client sends one packet to the KMS host. + +6. The KMS host records information about the requesting client (by using a client ID). Client IDs are used to maintain the count of clients and detect when the same computer is requesting activation again. The client ID is only used to determine whether the activation thresholds are met. The IDs aren't stored permanently or transmitted to Microsoft. If the KMS is restarted, the client ID collection starts again. + +7. If the KMS host has a KMS host key that matches the products in the GVLK, the KMS host sends a single packet back to the client. This packet contains a count of the number of computers that have requested activation from this KMS host. + +8. If the count exceeds the activation threshold for the product that is being activated, the client is activated. If the activation threshold hasn't yet been met, the client will try again. ![KMS activation flow.](../images/volumeactivationforwindows81-03.jpg) **Figure 3**. KMS activation flow -## See also -- [Volume Activation for Windows 10](volume-activation-windows-10.md) - +## Related articles + +- [Volume Activation for Windows 10](volume-activation-windows-10.md) diff --git a/windows/deployment/volume-activation/proxy-activation-vamt.md b/windows/deployment/volume-activation/proxy-activation-vamt.md index 587efce773..2410bc8ba2 100644 --- a/windows/deployment/volume-activation/proxy-activation-vamt.md +++ b/windows/deployment/volume-activation/proxy-activation-vamt.md @@ -1,55 +1,69 @@ --- title: Perform Proxy Activation (Windows 10) -description: Perform proxy activation by using the Volume Activation Management Tool (VAMT) to activate client computers that do not have Internet access. +description: Perform proxy activation by using the Volume Activation Management Tool (VAMT) to activate client computers that don't have Internet access. ms.reviewer: -manager: dougeby -ms.author: aaroncz + - nganguly +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski -ms.date: 04/25/2017 +author: frankroj +ms.date: 11/07/2022 ms.topic: article ms.technology: itpro-fundamentals --- # Perform Proxy Activation -You can use the Volume Activation Management Tool (VAMT) to perform activation for client computers that do not have Internet access. The client products can be installed with any type of product key that is eligible for proxy activation: Multiple activation Key (MAK), KMS Host key (CSVLK), or retail key. +You can use the Volume Activation Management Tool (VAMT) to perform activation for client computers that don't have Internet access. The client products can be installed with any type of product key that is eligible for proxy activation: Multiple activation Key (MAK), KMS Host key (CSVLK), or retail key. In a typical proxy-activation scenario, the VAMT host computer distributes a MAK to one or more client computers and collects the installation ID (IID) from each computer. The VAMT host computer sends the IIDs to Microsoft on behalf of the client computers and obtains the corresponding Confirmation IDs (CIDs). The VAMT host computer then installs the CIDs on the client computer to complete the activation. Using this activation method, only the VAMT host computer needs Internet access. -**Note**   -For workgroups that are completely isolated from any larger network, you can still perform MAK, KMS Host key (CSVLK), or retail proxy activation. This requires installing a second instance of VAMT on a computer within the isolated group and using removable media to transfer activation data between that computer and another VAMT host computer that has Internet access. For more information about this scenario, see [Scenario 2: Proxy Activation](scenario-proxy-activation-vamt.md). Similarly, you can proxy activate a KMS Host key (CSVLK) located in an isolated network. You can also proxy activate a KMS Host key (CSVLK) in the core network if you do not want the KMS host computer to connect to Microsoft over the Internet.  +> [!NOTE] +> For workgroups that are completely isolated from any larger network, you can still perform MAK, KMS Host key (CSVLK), or retail proxy activation. This requires installing a second instance of VAMT on a computer within the isolated group and using removable media to transfer activation data between that computer and another VAMT host computer that has Internet access. For more information about this scenario, see [Scenario 2: Proxy Activation](scenario-proxy-activation-vamt.md). Similarly, you can proxy activate a KMS Host key (CSVLK) located in an isolated network. You can also proxy activate a KMS Host key (CSVLK) in the core network if you do not want the KMS host computer to connect to Microsoft over the Internet. ## Requirements Before performing proxy activation, ensure that your network and the VAMT installation meet the following requirements: -- There is an instance of VAMT that is installed on a computer that has Internet access. If you are performing proxy activation for an isolated workgroup, you also need to have VAMT installed on one of the computers in the workgroup. -- The products to be activated have been added to VAMT and are installed with a retail product key, a KMS Host key (CSVLK) or a MAK. If the products have not been installed with a proper product key, refer to the steps in the [Add and Remove a Product Key](add-remove-product-key-vamt.md) section for instructions on how to install a product key. -- VAMT has administrative permissions on all products to be activated and Windows Management Instrumentation (WMI) is accessible through the Windows firewall. -- For workgroup computers, a registry key must be created to enable remote administrative actions under User Account Control (UAC). For more information, see [Configure Client Computers](configure-client-computers-vamt.md). -The product keys that are installed on the client products must have a sufficient number of remaining activations. If you are activating a MAK key, you can retrieve the remaining number of activations for that key by selecting the MAK in the product key list in the center pane and then clicking **Refresh product key data online** in the right-side pane. This retrieves the number of remaining activations for the MAK from Microsoft. Note that this step requires Internet access and that the remaining activation count can only be retrieved for MAKs. + +- There's an instance of VAMT that is installed on a computer that has Internet access. If you're performing proxy activation for an isolated workgroup, you also need to have VAMT installed on one of the computers in the workgroup. + +- The products to be activated have been added to VAMT and are installed with a retail product key, a KMS Host key (CSVLK) or a MAK. If the products haven't been installed with a proper product key, refer to the steps in the [Add and Remove a Product Key](add-remove-product-key-vamt.md) section for instructions on how to install a product key. + +- VAMT has administrative permissions on all products to be activated and Windows Management Instrumentation (WMI) is accessible through the Windows firewall. + +- For workgroup computers, a registry key must be created to enable remote administrative actions under User Account Control (UAC). For more information, see [Configure client computers](configure-client-computers-vamt.md). + + The product keys that are installed on the client products must have a sufficient number of remaining activations. If you're activating a MAK key, you can retrieve the remaining number of activations for that key by selecting the MAK in the product key list in the center pane and then clicking **Refresh product key data online** in the right-side pane. This action retrieves the number of remaining activations for the MAK from Microsoft. This step requires Internet access and that the remaining activation count can only be retrieved for MAKs. ## To Perform Proxy Activation -**To perform proxy activation** +1. Open VAMT. -1. Open VAMT. -2. If necessary, install product keys. For more information see: - - [Install a Product Key](install-product-key-vamt.md) to install retail, MAK, or KMS Host key (CSVLK). - - [Install a KMS Client Key](install-kms-client-key-vamt.md) to install GVLK (KMS client) keys. -3. In the **Products** list in the center pane, select the individual products to be activated. You can use the **Filter** function to narrow your search for products by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. -4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. - - To filter the list by computer name, enter a name in the **Computer Name** box. - - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. -5. Click **Filter**. VAMT displays the filtered list in the center pane. -6. In the right-side pane, click **Activate** and then click **Proxy activate** to open the **Proxy Activate** dialog box. -7. In the **Proxy Activate** dialog box click **Apply Confirmation ID, apply to selected machine(s) and activate**. -8. If you are activating products that require administrator credentials different from the ones you are currently using, select the **Use Alternate Credentials** checkbox. -9. Click **OK**. -10. VAMT displays the **Activating products** dialog box until it completes the requested action. If you selected the **Alternate Credentials** option, you will be prompted to enter the credentials. +2. If necessary, install product keys. For more information, see: - **Note**   + - [Install a product key](install-product-key-vamt.md) to install retail, MAK, or KMS Host key (CSVLK). + + - [Install a KMS Client Key](install-kms-client-key-vamt.md) to install GVLK (KMS client) keys. + +3. In the **Products** list in the center pane, select the individual products to be activated. You can use the **Filter** function to narrow your search for products by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. + +4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. + + - To filter the list by computer name, enter a name in the **Computer Name** box. + + - To filter the list by Product Name, Product Key Type, or License Status, select the list you want to use for the filter and select an option. If necessary, select **clear all filters** to create a new filter. + +5. Select **Filter**. VAMT displays the filtered list in the center pane. + +6. In the right-side pane, select **Activate** and then select **Proxy activate** to open the **Proxy Activate** dialog box. + +7. In the **Proxy Activate** dialog box select **Apply Confirmation ID, apply to selected machine(s) and activate**. + +8. If you're activating products that require administrator credentials different from the ones you're currently using, select the **Use Alternate Credentials** checkbox. + +9. Select **OK**. + +10. VAMT displays the **Activating products** dialog box until it completes the requested action. If you selected the **Alternate Credentials** option, you'll be prompted to enter the credentials. + + > [!NOTE] You can use proxy activation to select products that have different key types and activate the products at the same time. - - - diff --git a/windows/deployment/volume-activation/remove-products-vamt.md b/windows/deployment/volume-activation/remove-products-vamt.md index e0fa9fe778..b8118e73e2 100644 --- a/windows/deployment/volume-activation/remove-products-vamt.md +++ b/windows/deployment/volume-activation/remove-products-vamt.md @@ -2,31 +2,40 @@ title: Remove Products (Windows 10) description: Learn how you must delete products from the product list view so you can remove products from the Volume Activation Management Tool (VAMT). ms.reviewer: -manager: dougeby -ms.author: aaroncz + - nganguly +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski -ms.date: 04/25/2017 +author: frankroj +ms.date: 11/07/2022 ms.topic: article ms.technology: itpro-fundamentals --- -# Remove Products +# Remove products To remove one or more products from the Volume Activation Management Tool (VAMT), you can delete them from the product list view in the center pane. -**To delete one or more products** -1. Click a product node in the left-side pane. -2. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. -3. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. - - To filter the list by computer name, enter a name in the **Computer Name** box. - - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. -4. Click **Filter**. VAMT displays the filtered list in the center pane. -5. Select the products you want to delete. -6. Click **Delete** in the **Selected Items** menu in the right-side pane. -7. On the **Confirm Delete Selected Products** dialog box, click **OK**. +## To delete one or more products + +1. Select a product node in the left-side pane. + +2. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. + +3. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. + + - To filter the list by computer name, enter a name in the **Computer Name** box. + + - To filter the list by Product Name, Product Key Type, or License Status, select the list you want to use for the filter and select an option. If necessary, select **clear all filters** to create a new filter. + +4. Select **Filter**. VAMT displays the filtered list in the center pane. + +5. Select the products you want to delete. + +6. Select **Delete** in the **Selected Items** menu in the right-side pane. + +7. On the **Confirm Delete Selected Products** dialog box, select **OK**. + +## Related articles -## Related topics - [Add and Manage Products](add-manage-products-vamt.md) -  -  diff --git a/windows/deployment/volume-activation/scenario-kms-activation-vamt.md b/windows/deployment/volume-activation/scenario-kms-activation-vamt.md index 6f92b8bdbb..85a3fe5222 100644 --- a/windows/deployment/volume-activation/scenario-kms-activation-vamt.md +++ b/windows/deployment/volume-activation/scenario-kms-activation-vamt.md @@ -2,44 +2,59 @@ title: Scenario 3 KMS Client Activation (Windows 10) description: Learn how to use the Volume Activation Management Tool (VAMT) to activate Key Management Service (KMS) client keys or Generic Volume License Keys (GVLKs). ms.reviewer: -manager: dougeby -ms.author: aaroncz + - nganguly +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski -ms.date: 04/25/2017 +author: frankroj +ms.date: 11/07/2022 ms.topic: article ms.technology: itpro-fundamentals --- -# Scenario 3: KMS Client Activation +# Scenario 3: KMS client activation -In this scenario, you use the Volume Activation Management Tool (VAMT) to activate Key Management Service (KMS) client keys or Generic Volume License Keys (GVLKs). This can be performed on either Core Network or Isolated Lab computers. By default, volume license editions of Windows Vista, Windows® 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. GVLKs are already installed in volume license editions of these products. You do not have to enter a key to activate a product as a GVLK, unless you are converting a MAK-activated product to a KMS activation. For more information, see [Install a KMS Client Key](install-kms-client-key-vamt.md). +In this scenario, you use the Volume Activation Management Tool (VAMT) to activate Key Management Service (KMS) client keys or Generic Volume License Keys (GVLKs). This type of activation can be performed on either Core Network or Isolated Lab computers. By default, volume license editions of Windows Vista, Windows® 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. GVLKs are already installed in volume license editions of these products. You don't have to enter a key to activate a product as a GVLK, unless you're converting a MAK-activated product to a KMS activation. For more information, see [Install a KMS Client Key](install-kms-client-key-vamt.md). -The procedure that is described below assumes the following: -- The KMS Service is enabled and available to all KMS clients. -- VAMT has been installed and computers have been added to the VAMT database. See Parts 1 through 4 in either [Scenario 1: Online Activation](scenario-online-activation-vamt.md) or [Scenario 2: Proxy Activation](scenario-proxy-activation-vamt.md) for more information. +The procedure that is described below assumes the following configuration: -## Activate KMS Clients +- The KMS Service is enabled and available to all KMS clients. -1. Open VAMT. -2. To set the KMS activation options, on the menu bar click **View**. Then click **Preferences** to open the **Volume Activation Management Tool Preferences** dialog box. -3. In the **Volume Activation Management Tool Preferences** dialog box, under **KMS Management Services host selection** select from the following options: - - **Find a KMS host automatically using DNS**. This is the default setting. VAMT will instruct the computer to query the Domain Name Service (DNS) to locate a KMS host and perform activation. If the client contains a registry key with a valid KMS host, that value will be used instead. - - **Find a KMS host using DNS in this domain for supported products**. Select this option if you use a specific domain, and enter the name of the domain. - - **Use specific KMS host**. Select this option for environments which do not use DNS for KMS host identification, and manually enter the KMS host name and select the KMS host port. VAMT will set the specified KMS host name and KMS host port on the target computer, and then instruct the computer to perform activation with the specific KMS host. -4. In the left-side pane, in the **Products** node, click the product that you want to activate. -5. In the products list view in the center pane, sort the list if necessary. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. -6. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. - - To filter the list by computer name, enter a name in the **Computer Name** box. - - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. -7. Click **Filter**. VAMT displays the filtered list in the center pane. -8. Select the products that you want to activate. -9. Click **Activate** in the **Selected Items** menu in the right-side **Actions** pane, click **Activate**, point to **Volume activate**, and then click the appropriate credential option. If you click the **Alternate Credentials** option, you will be prompted to enter an alternate user name and password. -10. VAMT displays the **Activating products** dialog box until it completes the requested action. When activation is complete, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears. +- VAMT has been installed and computers have been added to the VAMT database. See Parts 1 through 4 in either [Scenario 1: Online Activation](scenario-online-activation-vamt.md) or [Scenario 2: Proxy Activation](scenario-proxy-activation-vamt.md) for more information. + +## Activate KMS clients + +1. Open VAMT. + +2. To set the KMS activation options, on the menu bar select **View**. Then select **Preferences** to open the **Volume Activation Management Tool Preferences** dialog box. + +3. In the **Volume Activation Management Tool Preferences** dialog box, under **KMS Management Services host selection** select from the following options: + + - **Find a KMS host automatically using DNS**. This setting is the default setting. VAMT will instruct the computer to query the Domain Name Service (DNS) to locate a KMS host and perform activation. If the client contains a registry key with a valid KMS host, that value will be used instead. + + - **Find a KMS host using DNS in this domain for supported products**. Select this option if you use a specific domain, and enter the name of the domain. + + - **Use specific KMS host**. Select this option for environments that don't use DNS for KMS host identification, and manually enter the KMS host name and select the KMS host port. VAMT will set the specified KMS host name and KMS host port on the target computer, and then instruct the computer to perform activation with the specific KMS host. + +4. In the left-side pane, in the **Products** node, select the product that you want to activate. + +5. In the products list view in the center pane, sort the list if necessary. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. + +6. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. + - To filter the list by computer name, enter a name in the **Computer Name** box. + + - To filter the list by Product Name, Product Key Type, or License Status, select the list you want to use for the filter and select an option. If necessary, select **clear all filters** to create a new filter. + +7. Select **Filter**. VAMT displays the filtered list in the center pane. + +8. Select the products that you want to activate. + +9. Select **Activate** in the **Selected Items** menu in the right-side **Actions** pane, select **Activate**, point to **Volume activate**, and then select the appropriate credential option. If you select the **Alternate Credentials** option, you'll be prompted to enter an alternate user name and password. + +10. VAMT displays the **Activating products** dialog box until it completes the requested action. When activation is complete, the status appears in the **Action Status** column of the dialog box. Select **Close** to close the dialog box. You can also select the **Automatically close when done** check box when the dialog box appears. The same status is shown under the **Status of Last Action** column in the products list view in the center pane. -## Related topics -- [VAMT Step-by-Step Scenarios](vamt-step-by-step.md) -  -  +## Related articles + +- [VAMT step-by-step scenarios](vamt-step-by-step.md) diff --git a/windows/deployment/volume-activation/scenario-online-activation-vamt.md b/windows/deployment/volume-activation/scenario-online-activation-vamt.md index 0456ed2993..c234aa5c7d 100644 --- a/windows/deployment/volume-activation/scenario-online-activation-vamt.md +++ b/windows/deployment/volume-activation/scenario-online-activation-vamt.md @@ -2,11 +2,12 @@ title: Scenario 1 Online Activation (Windows 10) description: Achieve network access by deploying the Volume Activation Management Tool (VAMT) in a Core Network environment. ms.reviewer: -manager: dougeby -ms.author: aaroncz + - nganguly +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski -ms.date: 04/25/2017 +author: frankroj +ms.date: 11/07/2022 ms.topic: article ms.technology: itpro-fundamentals --- @@ -14,119 +15,146 @@ ms.technology: itpro-fundamentals # Scenario 1: Online Activation In this scenario, the Volume Activation Management Tool (VAMT) is deployed in the Core Network environment. VAMT is installed on a central computer that has network access to all of the client computers. Both the VAMT host and the client computers have Internet access. The following illustration shows a diagram of an online activation scenario for Multiple Activation Keys (MAKs). You can use this scenario for online activation of the following key types: -- Multiple Activation Key (MAK) -- Windows Key Management Service (KMS) keys: - - KMS Host key (CSVLK) - - Generic Volume License Key (GVLK), or KMS client key -- Retail + +- Multiple Activation Key (MAK) + +- Windows Key Management Service (KMS) keys: + + - KMS Host key (CSVLK) + + - Generic Volume License Key (GVLK), or KMS client key + +- Retail The Secure Zone represents higher-security Core Network computers that have additional firewall protection. ![VAMT firewall configuration for multiple subnets.](images/dep-win8-l-vamt-makindependentactivationscenario.jpg) -## In This Topic -- [Install and start VAMT on a networked host computer](#bkmk-partone) -- [Configure the Windows Management Instrumentation firewall exception on target computers](#bkmk-parttwo) -- [Connect to VAMT database](#bkmk-partthree) -- [Discover products](#bkmk-partfour) -- [Sort and filter the list of computers](#bkmk-partfive) -- [Collect status information from the computers in the list](#bkmk-partsix) -- [Add product keys and determine the remaining activation count](#bkmk-partseven) -- [Install the product keys](#bkmk-parteight) -- [Activate the client products](#bkmk-partnine) +## Step 1: Install and start VAMT on a networked host computer -## Step 1: Install and start VAMT on a networked host computer +1. Install VAMT on the host computer. -1. Install VAMT on the host computer. -2. Click the VAMT icon in the **Start** menu to open VAMT. +2. Select the VAMT icon in the **Start** menu to open VAMT. -## Step 2: Configure the Windows Management Instrumentation firewall exception on target computers +## Step 2: Configure the Windows Management Instrumentation firewall exception on target computers -- Ensure that the Windows Management Instrumentation (WMI) firewall exception has been enabled for all target computers. For more information, see [Configure Client Computers](configure-client-computers-vamt.md). +- Ensure that the Windows Management Instrumentation (WMI) firewall exception has been enabled for all target computers. For more information, see [Configure Client Computers](configure-client-computers-vamt.md). - **Note**   - To retrieve product license status, VAMT must have administrative permissions on the remote computers and WMI must be available through the Windows Firewall. In addition, for workgroup computers, a registry key must be created to enable remote administrative actions under User Account Control (UAC). For more information, see [Configure Client Computers](configure-client-computers-vamt.md). + > [!NOTE] + > To retrieve product license status, VAMT must have administrative permissions on the remote computers and WMI must be available through the Windows Firewall. In addition, for workgroup computers, a registry key must be created to enable remote administrative actions under User Account Control (UAC). For more information, see [Configure Client Computers](configure-client-computers-vamt.md). -## Step 3: Connect to a VAMT database +## Step 3: Connect to a VAMT database -1. If you are not already connected to a database, the **Database Connection Settings** dialog box appears when you open VAMT. Select the server and database where the keys that must be activated are located. -2. Click **Connect**. -3. If you are already connected to a database, VAMT displays an inventory of the products and product keys in the center pane, and a license overview of the computers in the database. If you need to connect to a different database, click **Successfully connected to Server** to open **the Database Connection Settings** dialog box. For more information about how to create VAMT databases and adding VAMT data, see [Manage VAMT Data](manage-vamt-data.md) +1. If you aren't already connected to a database, the **Database Connection Settings** dialog box appears when you open VAMT. Select the server and database where the keys that must be activated are located. -## Step 4: Discover products +2. Select **Connect**. -1. In the left-side pane, in the **Products** node Products, click the product that you want to activate. -2. To open the **Discover Products** dialog box, click **Discover products** in the **Actions** menu in the right-side pane. -3. In the **Discover Products** dialog box, click **Search for computers in the Active Directory** to display the search options, and then click the search options that you want to use. You can search for computers in an Active Directory domain, by individual computer name or IP address, in a workgroup, or by a general Lightweight Directory Access Protocol (LDAP) query: - - To search for computers in an Active Directory domain, click **Search for computers in the Active Directory**. Then under **Domain Filter Criteria**, in the list of domain names click the name of the domain that you want to search. You can narrow the search further by typing a name in the **Filter by computer name** field to search for specific computers in the domain. This filter supports the asterisk (\*) wildcard. For example, typing "a\*" will display only those computer names that start with the letter "a". - - To search by individual computer name or IP address, click **Manually enter name or IP address**. Then enter the full name or IP address in the **One or more computer names or IP addresses separated by commas** text box. Separate multiple entries with a comma. Note that VAMT supports both IPv4 and IPV6 addressing. - - To search for computers in a workgroup, click **Search for computers in the workgroup**. Then under **Workgroup Filter Criteria**, in the list of workgroup names, click the name of the workgroup that you want to search. You can narrow the search further by typing a name in the **Filter by computer name** field to search for a specific computer in the workgroup. This filter supports the asterisk (\*) wildcard. For example, typing "a\*" will display only computer names that start with the letter "a". - - To search for computers by using a general LDAP query, click **Search with LDAP query** and enter your query in the text box that appears. VAMT will validate the LDAP query syntax, but will otherwise run the query without additional checks. -4. Click **Search**. +3. If you're already connected to a database, VAMT displays an inventory of the products and product keys in the center pane, and a license overview of the computers in the database. If you need to connect to a different database, select **Successfully connected to Server** to open **the Database Connection Settings** dialog box. For more information about how to create VAMT databases and adding VAMT data, see [Manage VAMT Data](manage-vamt-data.md) + +## Step 4: Discover products + +1. In the left-side pane, in the **Products** node Products, select the product that you want to activate. + +2. To open the **Discover Products** dialog box, select **Discover products** in the **Actions** menu in the right-side pane. + +3. In the **Discover Products** dialog box, select **Search for computers in the Active Directory** to display the search options, and then select the search options that you want to use. You can search for computers in an Active Directory domain, by individual computer name or IP address, in a workgroup, or by a general Lightweight Directory Access Protocol (LDAP) query: + + - To search for computers in an Active Directory domain, select **Search for computers in the Active Directory**. Then under **Domain Filter Criteria**, in the list of domain names select the name of the domain that you want to search. You can narrow the search further by typing a name in the **Filter by computer name** field to search for specific computers in the domain. This filter supports the asterisk (\*) wildcard. For example, typing "a\*" will display only those computer names that start with the letter "a". + + - To search by individual computer name or IP address, select **Manually enter name or IP address**. Then enter the full name or IP address in the **One or more computer names or IP addresses separated by commas** text box. Separate multiple entries with a comma. VAMT supports both IPv4 and IPV6 addressing. + + - To search for computers in a workgroup, select **Search for computers in the workgroup**. Then under **Workgroup Filter Criteria**, in the list of workgroup names, select the name of the workgroup that you want to search. You can narrow the search further by typing a name in the **Filter by computer name** field to search for a specific computer in the workgroup. This filter supports the asterisk (\*) wildcard. For example, typing "a\*" will display only computer names that start with the letter "a". + + - To search for computers by using a general LDAP query, select **Search with LDAP query** and enter your query in the text box that appears. VAMT will validate the LDAP query syntax, but will otherwise run the query without additional checks. + +4. Select **Search**. When the search is complete, the products that VAMT discovers appear in the product list view in the center pane. -## Step 5: Sort and filter the list of computers +## Step 5: Sort and filter the list of computers -You can sort the list of products so that it is easier to find the computers that require product keys to be activated: -1. On the menu bar at the top of the center pane, click **Group by**, and then click **Product**, **Product Key Type**, or **License Status**. -2. To sort the list further, you can click one of the column headings to sort by that column. -3. You can also use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. -4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. - - To filter the list by computer name, enter a name in the **Computer Name** box. - - To filter the list by product name, product key type, or license status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. -5. Click **Filter**. VAMT displays the filtered list in the product list view in the center pane. +You can sort the list of products so that it's easier to find the computers that require product keys to be activated: -## Step 6: Collect status information from the computers in the list +1. On the menu bar at the top of the center pane, select **Group by**, and then select **Product**, **Product Key Type**, or **License Status**. + +2. To sort the list further, you can select one of the column headings to sort by that column. + +3. You can also use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. + +4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. + + - To filter the list by computer name, enter a name in the **Computer Name** box. + + - To filter the list by product name, product key type, or license status, select the list you want to use for the filter and select an option. If necessary, select **clear all filters** to create a new filter. + +5. Select **Filter**. VAMT displays the filtered list in the product list view in the center pane. + +## Step 6: Collect status information from the computers in the list To collect the status from select computers in the database, you can select computers in the product list view by using one of the following methods: -- To select a block of consecutively listed computers, click the first computer that you want to select, and then click the last computer while pressing the **Shift** key. -- To select computers which are not listed consecutively, hold down the **Ctrl** key and select each computer for which you want to collect the status information. - **To collect status information from the selected computers** -- In the right-side **Actions** pane, click **Update license status** in the **Selected Items** menu and then click a credential option. Choose **Alternate Credentials** only if you are updating products that require administrator credentials that are different from the ones that you used to log on to the computer. Otherwise, click **Current Credentials** and continue to step 2.If you are supplying alternate credentials, in the **Windows Security** dialog box, type the appropriate user name and password and then click **OK**. + +- To select a block of consecutively listed computers, select the first computer that you want to select, and then select the last computer while pressing the **Shift** key. + +- To select computers that aren't listed consecutively, hold down the **Ctrl** key and select each computer for which you want to collect the status information. + +### To collect status information from the selected computers + +- In the right-side **Actions** pane, select **Update license status** in the **Selected Items** menu and then select a credential option. Choose **Alternate Credentials** only if you're updating products that require administrator credentials that are different from the ones that you used to sign into the computer. Otherwise, select **Current Credentials** and continue to step 2. If you're supplying alternate credentials, in the **Windows Security** dialog box, type the appropriate user name and password and then select **OK**. + - VAMT displays the **Collecting product information** dialog box while it collects the license status of all supported products on the selected computers. When the process is finished, the updated license status of each product will appear in the product list view in the center pane. - **Note** - If a computer has more than one supported product installed, VAMT adds an entry for each product. The entry appears under the appropriate product heading. + > [!NOTE] + > If a computer has more than one supported product installed, VAMT adds an entry for each product. The entry appears under the appropriate product heading. -## Step 7: Add product keys and determine the remaining activation count +## Step 7: Add product keys and determine the remaining activation count -1. Click the **Product Keys** node in the left-side pane, and then click **Add Product Keys** in the right-side pane to open the **Add Product Keys** dialog box. -2. In the **Add Product Key** dialog box, you can select from one of the following methods to add product keys: - - To add product keys manually, click **Enter product key(s) separated by line breaks**, enter one or more product keys, and then click **Add Key(s)**. - - To import a Comma Separated Values File (CSV) that contains a list of product keys, click **Select a product key file to import**, browse to the file location, click **Open** to import the file, and then click **Add Key(s)**. +1. Select the **Product Keys** node in the left-side pane, and then select **Add Product Keys** in the right-side pane to open the **Add Product Keys** dialog box. + +2. In the **Add Product Key** dialog box, you can select from one of the following methods to add product keys: + + - To add product keys manually, select **Enter product key(s) separated by line breaks**, enter one or more product keys, and then select **Add Key(s)**. + + - To import a Comma Separated Values File (CSV) that contains a list of product keys, select **Select a product key file to import**, browse to the file location, select **Open** to import the file, and then select **Add Key(s)**. The keys that you have added appear in the **Product Keys** list view in the center pane. - **Important**   - If you are activating many products with a MAK, refresh the activation count of the MAK to ensure that the MAK can support the required number of activations. In the product key list in the center pane, select the MAK and then click **Refresh product key data online** in the right-side pane to contact Microsoft and retrieve the number of remaining activations for the MAK. This step requires Internet access. You can only retrieve the remaining activation count for MAKs. + > [!IMPORTANT] + > If you are activating many products with a MAK, refresh the activation count of the MAK to ensure that the MAK can support the required number of activations. In the product key list in the center pane, select the MAK and then click **Refresh product key data online** in the right-side pane to contact Microsoft and retrieve the number of remaining activations for the MAK. This step requires Internet access. You can only retrieve the remaining activation count for MAKs. -## Step 8: Install the product keys +## Step 8: Install the product keys -1. In the left-side pane, click the product that you want to install keys on to. -2. If necessary, sort and filter the list of products so that it is easier to find the computers that must have a product key installed. See [Step 5: Sort and filter the list of computers](#bkmk-partfive). -3. In the **Products** list view pane, select the individual products which must have keys installed. You can use the **CTRL** key or the **SHIFT** key to select more than one product. -4. Click **Install product key** in the **Selected Items** menu in the right-side pane to display the **Install Product Key** dialog box. -5. The **Select Product Key** dialog box displays the keys that are available to be installed. Under **Recommended MAKs**, VAMT might display one or more recommended MAKs based on the selected products. If you are installing a MAK you can select a recommended product key or any other MAK from the **All Product Keys List**. If you are not installing a MAK, select a product key from the **All Product Keys** list. Use the scroll bar if you want to view the **Description** for each key. When you have selected the product key that you want to install, click **Install Key**. Note that only one key can be installed at a time. -6. VAMT displays the **Installing product key** dialog box while it attempts to install the product key for the selected products. When the process is finished, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears. +1. In the left-side pane, select the product that you want to install keys on to. + +2. If necessary, sort and filter the list of products so that it's easier to find the computers that must have a product key installed. See [Step 5: Sort and filter the list of computers](#step-5-sort-and-filter-the-list-of-computers). + +3. In the **Products** list view pane, select the individual products that must have keys installed. You can use the **CTRL** key or the **SHIFT** key to select more than one product. + +4. Select **Install product key** in the **Selected Items** menu in the right-side pane to display the **Install Product Key** dialog box. + +5. The **Select Product Key** dialog box displays the keys that are available to be installed. Under **Recommended MAKs**, VAMT might display one or more recommended MAKs based on the selected products. If you're installing a MAK, you can select a recommended product key or any other MAK from the **All Product Keys List**. If you aren't installing a MAK, select a product key from the **All Product Keys** list. Use the scroll bar if you want to view the **Description** for each key. When you've selected the product key that you want to install, select **Install Key**. Only one key can be installed at a time. + +6. VAMT displays the **Installing product key** dialog box while it attempts to install the product key for the selected products. When the process is finished, the status appears in the **Action Status** column of the dialog box. Select **Close** to close the dialog box. You can also select the **Automatically close when done** check box when the dialog box appears. The same status appears under the **Status of Last Action** column in the product list view in the center pane. - **Note**   - Product key installation will fail if VAMT finds mismatched key types or editions. VAMT will display the failure status and will continue the installation for the next product in the list. For more information on choosing the correct product key, see [How to Choose the Right Volume License Key for Windows.](/previous-versions/tn-archive/ee939271(v=technet.10)) + > [!NOTE] + > Product key installation will fail if VAMT finds mismatched key types or editions. VAMT will display the failure status and will continue the installation for the next product in the list. For more information on choosing the correct product key, see [How to Choose the Right Volume License Key for Windows.](/previous-versions/tn-archive/ee939271(v=technet.10)) -## Step 9: Activate the client products +## Step 9: Activate the client products -1. Select the individual products that you want to activate in the list-view pane. -2. On the menu bar, click **Action**, point to **Activate** and point to **Online activate**. You can also right-click the selected computers(s) to display the **Action** menu, point to **Activate** and point to **Online activate**. You can also click **Activate** in the **Selected Items** menu in the right-hand pane to access the **Activate** option. -3. If you are activating product keys using your current credential, click **Current credential** and continue to step 5. If you are activating products that require an administrator credential that is different from the one you are currently using, click the **Alternate credential** option. -4. Enter your alternate user name and password and click **OK**. -5. The **Activate** option contacts the Microsoft product-activation server over the Internet and requests activation for the selected products. VAMT displays the **Activating products** dialog box until the requested actions are completed. +1. Select the individual products that you want to activate in the list-view pane. - **Note**   - Installing a MAK and overwriting the GVLK on client products must be done with care. If the RTM version of Windows Vista has been installed on the computer for more than 30 days, then its initial grace period has expired. As a result, it will enter Reduced Functionality Mode (RFM) if online activation is not completed successfully before the next logon attempt. However, you can use online activation to recover properly configured computers from RFM, as long as the computers are available on the network. - - RFM only applies to the RTM version of Windows Vista or the retail editions of Microsoft Office 2010. Windows Vista with SP1 or later, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and volume editions of Office 2010 will not enter RFM. +2. On the menu bar, select **Action**, point to **Activate** and point to **Online activate**. You can also right-click the selected computers(s) to display the **Action** menu, point to **Activate** and point to **Online activate**. You can also select **Activate** in the **Selected Items** menu in the right-hand pane to access the **Activate** option. + +3. If you're activating product keys using your current credential, select **Current credential** and continue to step 5. If you're activating products that require an administrator credential that is different from the one you're currently using, select the **Alternate credential** option. + +4. Enter your alternate user name and password and select **OK**. + +5. The **Activate** option contacts the Microsoft product-activation server over the Internet and requests activation for the selected products. VAMT displays the **Activating products** dialog box until the requested actions are completed. + + > [!NOTE] + > Installing a MAK and overwriting the GVLK on client products must be done with care. If the RTM version of Windows Vista has been installed on the computer for more than 30 days, then its initial grace period has expired. As a result, it will enter Reduced Functionality Mode (RFM) if online activation is not completed successfully before the next logon attempt. However, you can use online activation to recover properly configured computers from RFM, as long as the computers are available on the network. + > RFM only applies to the RTM version of Windows Vista or the retail editions of Microsoft Office 2010. Windows Vista with SP1 or later, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and volume editions of Office 2010 will not enter RFM. + +## Related articles -## Related topics - [VAMT Step-by-Step Scenarios](vamt-step-by-step.md) - diff --git a/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md b/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md index d66678367b..223ef377b2 100644 --- a/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md +++ b/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md @@ -2,11 +2,12 @@ title: Scenario 2 Proxy Activation (Windows 10) description: Use the Volume Activation Management Tool (VAMT) to activate products that are installed on workgroup computers in an isolated lab environment. ms.reviewer: -manager: dougeby -ms.author: aaroncz + - nganguly +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski -ms.date: 04/25/2017 +author: frankroj +ms.date: 11/07/2022 ms.topic: article ms.technology: itpro-fundamentals --- @@ -19,148 +20,198 @@ In this scenario, the Volume Activation Management Tool (VAMT) is used to activa ## Step 1: Install VAMT on a Workgroup Computer in the Isolated Lab -1. Install VAMT on a host computer in the isolated lab workgroup. This computer can be running Windows 7, Windows 8, Windows 10, Windows Server 2008 R2, or Windows Server® 2012. -2. Click the VAMT icon in the **Start** menu to open VAMT. +1. Install VAMT on a host computer in the isolated lab workgroup. This computer can be running Windows 7, Windows 8, Windows 10, Windows Server 2008 R2, or Windows Server® 2012. -## Step 2: Configure the Windows Management Instrumentation Firewall Exception on Target Computers +2. Select the VAMT icon in the **Start** menu to open VAMT. -- Ensure that the Windows Management Instrumentation (WMI) firewall exception has been enabled for all target computers. For more information, see [Configure Client Computers](configure-client-computers-vamt.md). +## Step 2: Configure the Windows Management Instrumentation Firewall Exception on target computers - **Note**   - To retrieve the license status on the selected computers, VAMT must have administrative permissions on the remote computers and WMI must be accessible through the Windows Firewall. In addition, for workgroup computers, a registry key must be created to enable remote administrative actions under User Account Control (UAC). For more information, see [Configure Client Computers](configure-client-computers-vamt.md). +- Ensure that the Windows Management Instrumentation (WMI) firewall exception has been enabled for all target computers. For more information, see [Configure Client Computers](configure-client-computers-vamt.md). -## Step 3: Connect to a VAMT Database + > [!NOTE] + > To retrieve the license status on the selected computers, VAMT must have administrative permissions on the remote computers and WMI must be accessible through the Windows Firewall. In addition, for workgroup computers, a registry key must be created to enable remote administrative actions under User Account Control (UAC). For more information, see [Configure Client Computers](configure-client-computers-vamt.md). -1. If the host computer in the isolated lab workgroup is not already connected to the database, the **Database Connection Settings** dialog box appears when you open VAMT. Select the server and database that contains the computers in the workgroup. -2. Click **Connect**. -3. If you are already connected to a database, in the center pane VAMT displays an inventory of the products and product keys, and a license overview of the computers in the database. If you need to connect to a different database, click **Successfully connected to the Server** to open the **Database Connection Settings** dialog box. For more information about how to create VAMT databases and adding VAMT data, see [Manage VAMT Data.](manage-vamt-data.md) +## Step 3: Connect to a VAMT database -## Step 4: Discover Products +1. If the host computer in the isolated lab workgroup isn't already connected to the database, the **Database Connection Settings** dialog box appears when you open VAMT. Select the server and database that contains the computers in the workgroup. -1. In the left-side pane, in the **Products** node, click the product that you want to activate. -2. To open the **Discover Products** dialog box, click **Discover products** in the right-side pane. -3. In the **Discover Products** dialog box, click **Search for computers in the Active Directory** to display the search options, and then click the search options that you want to use. You can search for computers in an Active Directory domain, by individual computer name or IP address, in a workgroup, or by a general LDAP query: - - To search for computers in an Active Directory domain, click **Search for computers in the Active Directory**. Then under **Domain Filter Criteria**, in the list of domain names, click the name of the domain that you want to search. You can narrow the search further by typing a name in the **Filter by computer name** field to search for specific computers in the domain. This filter supports the asterisk (\*) wildcard. For example, typing "a\*" will display only computer names that start with the letter "a". - - To search by individual computer name or IP address, click **Manually enter name or IP address**. Then enter the full name or IP address in the **One or more computer names or IP addresses separated by commas** text box. Separate multiple entries with a comma. Both IPv4 and IPv6addressing are supported. - - To search for computers in a workgroup, click **Search for computers in the workgroup**. Then under **Workgroup Filter Criteria**, in the list of workgroup names, click the name of the workgroup that you want to search. You can narrow the search further by typing a name in the **Filter by computer name** field to search for a specific computer in the workgroup. This filter supports the asterisk (\*) wildcard. For example, typing "a\*" will display only those computer names that start with the letter "a". - - To search for computers by using a general LDAP query, click **Search with LDAP query** and enter your query in the text box that appears. VAMT will validate the LDAP query syntax, but will otherwise run the query without extra checks. -4. Click **Search**. +2. Select **Connect**. + +3. If you're already connected to a database, in the center pane VAMT displays an inventory of the products and product keys, and a license overview of the computers in the database. If you need to connect to a different database, select **Successfully connected to the Server** to open the **Database Connection Settings** dialog box. For more information about how to create VAMT databases and adding VAMT data, see [Manage VAMT Data.](manage-vamt-data.md) + +## Step 4: Discover products + +1. In the left-side pane, in the **Products** node, select the product that you want to activate. + +2. To open the **Discover Products** dialog box, select **Discover products** in the right-side pane. + +3. In the **Discover Products** dialog box, select **Search for computers in the Active Directory** to display the search options, and then select the search options that you want to use. You can search for computers in an Active Directory domain, by individual computer name or IP address, in a workgroup, or by a general LDAP query: + + - To search for computers in an Active Directory domain, select **Search for computers in the Active Directory**. Then under **Domain Filter Criteria**, in the list of domain names, select the name of the domain that you want to search. You can narrow the search further by typing a name in the **Filter by computer name** field to search for specific computers in the domain. This filter supports the asterisk (\*) wildcard. For example, typing "a\*" will display only computer names that start with the letter "a". + + - To search by individual computer name or IP address, select **Manually enter name or IP address**. Then enter the full name or IP address in the **One or more computer names or IP addresses separated by commas** text box. Separate multiple entries with a comma. Both IPv4 and IPv6addressing are supported. + + - To search for computers in a workgroup, select **Search for computers in the workgroup**. Then under **Workgroup Filter Criteria**, in the list of workgroup names, select the name of the workgroup that you want to search. You can narrow the search further by typing a name in the **Filter by computer name** field to search for a specific computer in the workgroup. This filter supports the asterisk (`*`) wildcard. For example, typing `a*` will display only those computer names that start with the letter **a**. + + - To search for computers by using a general LDAP query, select **Search with LDAP query** and enter your query in the text box that appears. VAMT will validate the LDAP query syntax, but will otherwise run the query without extra checks. + +4. Select **Search**. The **Finding Computers** window appears and displays the search progress as the computers are located. When the search is complete, the products that VAMT discovers appear in the list view in the center pane. -## Step 5: Sort and Filter the List of Computers +## Step 5: Sort and filter the list of computers -You can sort the list of products so that it is easier to find the computers that require product keys to be activated: +You can sort the list of products so that it's easier to find the computers that require product keys to be activated: -1. On the menu bar at the top of the center pane, click **Group by**, and then click **Product**, **Product Key Type**, or **License Status**. -2. To sort the list further, you can click one of the column headings to sort by that column. -3. You can also use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. -4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. - - To filter the list by computer name, enter a name in the **Computer Name** box. - - To filter the list by product name, product key type, or license status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. -5. Click **Filter**. VAMT displays the filtered list in the product list view in the center pane. +1. On the menu bar at the top of the center pane, select **Group by**, and then select **Product**, **Product Key Type**, or **License Status**. -## Step 6: Collect Status Information from the Computers in the Isolated Lab +2. To sort the list further, you can select one of the column headings to sort by that column. + +3. You can also use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. + +4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. + + - To filter the list by computer name, enter a name in the **Computer Name** box. + + - To filter the list by product name, product key type, or license status, select the list you want to use for the filter and select an option. If necessary, select **clear all filters** to create a new filter. + +5. Select **Filter**. VAMT displays the filtered list in the product list view in the center pane. + +## Step 6: Collect status information from the computers in the Isolated lab To collect the status from select computers in the database, you can select computers in the product list view by using one of the following methods: -- To select a block of consecutively listed computers, click the first computer that you want to select, and then click the last computer while pressing the **Shift** key. -- To select computers that are not listed consecutively, hold down the **Ctrl** key and select each computer for which you want to collect the status information. + +- To select a block of consecutively listed computers, select the first computer that you want to select, and then select the last computer while pressing the **Shift** key. + +- To select computers that aren't listed consecutively, hold down the **Ctrl** key and select each computer for which you want to collect the status information. **To collect status information from the selected computers** -- In the right-side **Actions** pane, click **Update license status** in the **Selected Items** menu and then click a credential option. Choose **Alternate Credentials** only if you are updating products that require administrator credentials that are different from the ones that you used to sign in to the computer. Otherwise, click **Current Credentials** and continue to step 2.If you are supplying alternate credentials, in the **Windows Security** dialog box type the appropriate user name and password and then click **OK**. + +- In the right-side **Actions** pane, select **Update license status** in the **Selected Items** menu and then select a credential option. Choose **Alternate Credentials** only if you're updating products that require administrator credentials that are different from the ones that you used to sign in to the computer. Otherwise, select **Current Credentials** and continue to step 2.If you're supplying alternate credentials, in the **Windows Security** dialog box type the appropriate user name and password and then select **OK**. + - VAMT displays the **Collecting product information** dialog box while it collects the license status of all supported products on the selected computers. When the process is finished, the updated license status of each product will appear in the product list view in the center pane. - **Note** - If a computer has more than one supported product installed, VAMT adds an entry for each product. The entry appears under the appropriate product heading. + > [!NOTE] + > If a computer has more than one supported product installed, VAMT adds an entry for each product. The entry appears under the appropriate product heading. ## Step 7: Add Product Keys -1. Click the **Product Keys** node in the left-side pane, and then click **Add Product Keys** in the right-side pane to open the **Add Product Keys** dialog box. -2. In the **Add Product Keys** dialog box, you can select from one of the following methods to add product keys: - - To add a single product key, click **Enter product key(s) separated by line breaks**, enter one or more product keys, and then click **Add key(s)**. - - To import a Comma Separated Values File (CSV) that contains a list of product keys, click **Select a product key to import**, browse to the file location, click **Open** to import the file, and then click **Add Key(s)**. +1. Select the **Product Keys** node in the left-side pane, and then select **Add Product Keys** in the right-side pane to open the **Add Product Keys** dialog box. + +2. In the **Add Product Keys** dialog box, you can select from one of the following methods to add product keys: + + - To add a single product key, select **Enter product key(s) separated by line breaks**, enter one or more product keys, and then select **Add key(s)**. + + - To import a Comma Separated Values File (CSV) that contains a list of product keys, select **Select a product key to import**, browse to the file location, select **Open** to import the file, and then select **Add Key(s)**. The keys that you have added appear in the **Product Keys** list view in the center pane. ## Step 8: Install the Product Keys on the Isolated Lab Computers -1. In the left-side pane, in the **Products** node click the product that you want to install keys onto. -2. If necessary, sort and filter the list of products so that it is easier to find the computers that must have a product key installed. See [Step 5: Sort and Filter the List of Computers](#step-5-sort-and-filter-the-list-of-computers). -3. In the **Products** list view pane, select the individual products that must have keys installed. You can use the **CTRL** key or the **SHIFT** key to select more than one product. -4. Click **Install product key** in the **Selected Items** menu in the right-side pane to display the **Install Product Key** dialog box. -5. The **Select Product Key** dialog box displays the keys that are available to be installed. Under **Recommended MAKs**, VAMT might display one or more recommended MAKs based on the selected products. If you are installing an MAK, you can select a recommended product key or any other MAK from the **All Product Keys List**. If you are not installing a MAK, select a product key from the **All Product Keys** list. Use the scroll bar if you need to view the **Description** for each key. When you have selected the product key that you want to install, click **Install Key**. Only one key can be installed at a time. -6. VAMT displays the **Installing product key** dialog box while it attempts to install the product key for the selected products. When the process is finished, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears. +1. In the left-side pane, in the **Products** node select the product that you want to install keys onto. + +2. If necessary, sort and filter the list of products so that it's easier to find the computers that must have a product key installed. See [Step 5: Sort and filter the list of computers](#step-5-sort-and-filter-the-list-of-computers). + +3. In the **Products** list view pane, select the individual products that must have keys installed. You can use the **CTRL** key or the **SHIFT** key to select more than one product. + +4. Select **Install product key** in the **Selected Items** menu in the right-side pane to display the **Install Product Key** dialog box. + +5. The **Select Product Key** dialog box displays the keys that are available to be installed. Under **Recommended MAKs**, VAMT might display one or more recommended MAKs based on the selected products. If you're installing an MAK, you can select a recommended product key or any other MAK from the **All Product Keys List**. If you aren't installing a MAK, select a product key from the **All Product Keys** list. Use the scroll bar if you need to view the **Description** for each key. When you've selected the product key that you want to install, select **Install Key**. Only one key can be installed at a time. + +6. VAMT displays the **Installing product key** dialog box while it attempts to install the product key for the selected products. When the process is finished, the status appears in the **Action Status** column of the dialog box. Select **Close** to close the dialog box. You can also select the **Automatically close when done** check box when the dialog box appears. The same status appears under the **Status of Last Action** column in the product list view in the center pane. - **Note**   - Product key installation will fail if VAMT finds mismatched key types or editions. VAMT displays the failure status and continues the installation for the next product in the list. For more information on choosing the correct product key, see [How to Choose the Right Volume License Key for Windows.](/previous-versions/tn-archive/ee939271(v=technet.10)) + > [!NOTE] + > Product key installation will fail if VAMT finds mismatched key types or editions. VAMT displays the failure status and continues the installation for the next product in the list. For more information on choosing the correct product key, see [How to Choose the Right Volume License Key for Windows.](/previous-versions/tn-archive/ee939271(v=technet.10)) - **Note**   - Installing a MAK and overwriting the GVLK on client products must be done with care. If the RTM version of Windows Vista has been installed on the computer for more than 30 days, then its initial grace period has expired. As a result, it will enter Reduced Functionality Mode (RFM) if online activation is not completed successfully before the next logon attempt. However, you can use online activation to recover properly configured computers from RFM, as long as the computers are available on the network. RFM only applies to the RTM version of Windows Vista or the retail editions of Microsoft Office 2010. Windows Vista with SP1 or later, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012, and volume editions of Office 2010 will not enter RFM. + > [!NOTE] + > Installing a MAK and overwriting the GVLK on client products must be done with care. If the RTM version of Windows Vista has been installed on the computer for more than 30 days, then its initial grace period has expired. As a result, it will enter Reduced Functionality Mode (RFM) if online activation is not completed successfully before the next logon attempt. However, you can use online activation to recover properly configured computers from RFM, as long as the computers are available on the network. RFM only applies to the RTM version of Windows Vista or the retail editions of Microsoft Office 2010. Windows Vista with SP1 or later, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012, and volume editions of Office 2010 will not enter RFM. -## Step 9: Export VAMT Data to a .cilx File +## Step 9: Export VAMT data to a `.cilx` file -In this step, you export VAMT from the workgroup’s host computer and save it in a .cilx file. Then you copy the .cilx file to removable media so that you can take it to a VAMT host computer that is connected to the Internet. In MAK proxy activation, it is critical to retain this file, because VAMT uses it to apply the Confirmation IDs (CIDs) to the proper products. +In this step, you export VAMT from the workgroup's host computer and save it in a `.cilx` file. Then you copy the `.cilx` file to removable media so that you can take it to a VAMT host computer that is connected to the Internet. In MAK proxy activation, it's critical to retain this file, because VAMT uses it to apply the Confirmation IDs (CIDs) to the proper products. -1. Select the individual products that successfully received a product key in Step 8. If needed, sort and filter the list to find the products. -2. In the right-side **Actions** pane, click **Export list** to open the **Export List** dialog box. -3. In the **Export List** dialog box, click **Browse** to navigate to the .cilx file, or enter the name of the .cilx file to which you want to export the data. -4. Under **Export options**, select one of the following data-type options: - - Export products and product keys. - - Export products only. - - Export proxy activation data only. Selecting this option ensures that the export contains only the license information required for the proxy web service to obtain CIDs from Microsoft. No Personally Identifiable Information (PII) is contained in the exported .cilx file when this selection is selected. This option should be used when an enterprise’s security policy states that no information that could identify a specific computer or user may be transferred out of the isolated lab and, therefore, this type of data must be excluded from the .cilx file that is transferred to the Core Network VAMT host. -5. If you have selected products to export, and not the entire set of data from the database, select the **Export selected product rows only** check box. -6. Click **Save**. VAMT displays a progress message while the data is being exported. Click **OK** when a message appears and confirms that the export has completed successfully. -7. If you exported the list to a file on the host computer’s hard drive, copy the file to removable media, such as a disk drive, CD/DVD, or USB storage device. +1. Select the individual products that successfully received a product key in Step 8. If needed, sort and filter the list to find the products. - **Important**   - Choosing the **Export proxy activation data only** option excludes Personally Identifiable Information (PII) from being saved in the .cilx file. Therefore, the .cilx file must be re-imported into the SQL Server database on the isolated lab workgroup’s VAMT host computer, so that the CIDs that are requested from Microsoft (discussed in Step 10) can be correctly assigned to the computers in the isolated lab group. +2. In the right-side **Actions** pane, select **Export list** to open the **Export List** dialog box. -## Step 10: Acquire Confirmation IDs from Microsoft on the Internet-Connected Host Computer +3. In the **Export List** dialog box, select **Browse** to navigate to the `.cilx` file, or enter the name of the `.cilx` file to which you want to export the data. -1. Insert the removable media into the VAMT host that has Internet access. -2. Open VAMT. Make sure you are on the root node, and that the **Volume Activation Management Tool** view is displayed in the center pane. -3. In the right-side **Actions** pane, click **Acquire confirmation IDs for CILX** to open the **Acquire confirmation IDs for file** dialog box. -4. In the **Acquire confirmation IDs for file** dialog box, browse to the location of the .cilx file that you exported from the isolated lab host computer, select the file, and then click **Open**. VAMT displays an **Acquiring Confirmation IDs** message while it contacts Microsoft and collects the CIDs. -5. When the CID collection process is complete, VAMT displays a **Volume Activation Management Tool** message that shows the number of confirmation IDs that were successfully acquired, and the name of the file where the IDs were saved. Click **OK** to close the message. +4. Under **Export options**, select one of the following data-type options: -## Step 11: Import the .cilx File onto the VAMT Host within the Isolated Lab Workgroup + - Export products and product keys. -1. Remove the storage device that contains the .cilx file from the Internet-connected VAMT host computer and insert it into the VAMT host computer in the isolated lab. -2. Open VAMT and verify that you are connected to the database that contains the computer with the product keys that you are activating. -3. In the right-side **Actions** pane, click **Import list** to open the **Import List** dialog box. -4. In the **Import list** dialog box, browse to the location of the .cilx file that contains the CIDs, select the file, and then click **Open**. -5. Click **OK** to import the file and to overwrite any conflicting data in the database with data from the file. -6. VAMT displays a progress message while the data is being imported. Click **OK** when a message appears and confirms that the data has been successfully imported. + - Export products only. + + - Export proxy activation data only. Selecting this option ensures that the export contains only the license information required for the proxy web service to obtain CIDs from Microsoft. No Personally Identifiable Information (PII) is contained in the exported `.cilx` file when this selection is selected. This option should be used when an enterprise's security policy states that no information that could identify a specific computer or user may be transferred out of the isolated lab and, therefore, this type of data must be excluded from the `.cilx` file that is transferred to the Core Network VAMT host. + +5. If you have selected products to export, and not the entire set of data from the database, select the **Export selected product rows only** check box. + +6. Select **Save**. VAMT displays a progress message while the data is being exported. Select **OK** when a message appears and confirms that the export has completed successfully. + +7. If you exported the list to a file on the host computer's hard drive, copy the file to removable media, such as a disk drive, CD/DVD, or USB storage device. + + > [!IMPORTANT] + > Choosing the **Export proxy activation data only** option excludes Personally Identifiable Information (PII) from being saved in the `.cilx` file. Therefore, the `.cilx` file must be re-imported into the SQL Server database on the isolated lab workgroup's VAMT host computer, so that the CIDs that are requested from Microsoft (discussed in Step 10) can be correctly assigned to the computers in the isolated lab group. + +## Step 10: Acquire confirmation IDs from Microsoft on the internet connected host computer + +1. Insert the removable media into the VAMT host that has Internet access. + +2. Open VAMT. Make sure you are on the root node, and that the **Volume Activation Management Tool** view is displayed in the center pane. + +3. In the right-side **Actions** pane, select **Acquire confirmation IDs for CILX** to open the **Acquire confirmation IDs for file** dialog box. + +4. In the **Acquire confirmation IDs for file** dialog box, browse to the location of the `.cilx` file that you exported from the isolated lab host computer, select the file, and then select **Open**. VAMT displays an **Acquiring Confirmation IDs** message while it contacts Microsoft and collects the CIDs. + +5. When the CID collection process is complete, VAMT displays a **Volume Activation Management Tool** message that shows the number of confirmation IDs that were successfully acquired, and the name of the file where the IDs were saved. Select **OK** to close the message. + +## Step 11: Import the `.cilx` file onto the VAMT host within the Isolated lab workgroup + +1. Remove the storage device that contains the `.cilx` file from the Internet-connected VAMT host computer and insert it into the VAMT host computer in the isolated lab. + +2. Open VAMT and verify that you're connected to the database that contains the computer with the product keys that you're activating. + +3. In the right-side **Actions** pane, select **Import list** to open the **Import List** dialog box. + +4. In the **Import list** dialog box, browse to the location of the `.cilx` file that contains the CIDs, select the file, and then select **Open**. + +5. Select **OK** to import the file and to overwrite any conflicting data in the database with data from the file. + +6. VAMT displays a progress message while the data is being imported. Select **OK** when a message appears and confirms that the data has been successfully imported. ## Step 12: Apply the CIDs and Activate the Isolated Lab Computers -1. Select the products to which you want to apply CIDs. If needed, sort and filter the list to find the products. -2. In the right-side **Selected Items** menu, click **Activate**, click **Apply Confirmation ID**, and then select the appropriate credential option. If you click the **Alternate Credentials** option, you will be prompted to enter an alternate user name and password. +1. Select the products to which you want to apply CIDs. If needed, sort and filter the list to find the products. - VAMT displays the **Applying Confirmation Id** dialog box while it installs the CIDs on the selected products. When VAMT finishes installing the CIDs, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears. +2. In the right-side **Selected Items** menu, select **Activate**, select **Apply Confirmation ID**, and then select the appropriate credential option. If you select the **Alternate Credentials** option, you'll be prompted to enter an alternate user name and password. + + VAMT displays the **Applying Confirmation Id** dialog box while it installs the CIDs on the selected products. When VAMT finishes installing the CIDs, the status appears in the **Action Status** column of the dialog box. Select **Close** to close the dialog box. You can also select the **Automatically close when done** check box when the dialog box appears. The same status appears under the **Status of Last Action** column in the product list view in the center pane. ## Step 13: (Optional) Reactivating Reimaged Computers in the Isolated Lab -If you have captured new images of the computers in the isolated lab, but the underlying hardware of those computers has not changed, VAMT can reactivate those computers using the CIDs that are stored in the database. -1. Redeploy products to each computer, using the same computer names as before. -2. Open VAMT. -3. In the right-side **Selected Items** menu, click **Activate**, click **Apply Confirmation ID**, and then select the appropriate credential option. If you click the **Alternate Credentials** option, you will be prompted to enter an alternate user name and password. +If you have captured new images of the computers in the isolated lab, but the underlying hardware of those computers hasn't changed, VAMT can reactivate those computers using the CIDs that are stored in the database. - VAMT displays the **Applying Confirmation Id** dialog box while it installs the CIDs on the selected products. When VAMT finishes installing the CIDs, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears. +1. Redeploy products to each computer, using the same computer names as before. + +2. Open VAMT. + +3. In the right-side **Selected Items** menu, select **Activate**, select **Apply Confirmation ID**, and then select the appropriate credential option. If you select the **Alternate Credentials** option, you'll be prompted to enter an alternate user name and password. + + VAMT displays the **Applying Confirmation Id** dialog box while it installs the CIDs on the selected products. When VAMT finishes installing the CIDs, the status appears in the **Action Status** column of the dialog box. Select **Close** to close the dialog box. You can also select the **Automatically close when done** check box when the dialog box appears. The same status appears under the **Status of Last Action** column in the product list view in the center pane. - **Note**   - Installing a MAK and overwriting the GVLK on the client products must be done with care. If the Windows activation initial grace period has expired, Windows will enter Reduced Functionality Mode (RFM) if online activation is not completed successfully before the next logon attempt. However, you can use online activation to recover properly configured computers from RFM, as long as the computers are accessible on the network. - - RFM only applies to the RTM version of Windows Vista or the retail editions of Microsoft Office 2010. Windows Vista with SP1 or later, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012, and volume editions of Office 2010 will not enter RFM. + > [!NOTE] + > Installing a MAK and overwriting the GVLK on the client products must be done with care. If the Windows activation initial grace period has expired, Windows will enter Reduced Functionality Mode (RFM) if online activation is not completed successfully before the next logon attempt. However, you can use online activation to recover properly configured computers from RFM, as long as the computers are accessible on the network. - **Note**   - Reapplying the same CID conserves the remaining activations on the MAK. + RFM only applies to the RTM version of Windows Vista or the retail editions of Microsoft Office 2010. Windows Vista with SP1 or later, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012, and volume editions of Office 2010 won't enter RFM. + + > [!NOTE] + > Reapplying the same CID conserves the remaining activations on the MAK. + +## Related articles -## Related topics - [VAMT Step-by-Step Scenarios](vamt-step-by-step.md) - diff --git a/windows/deployment/volume-activation/update-product-status-vamt.md b/windows/deployment/volume-activation/update-product-status-vamt.md index dfd7e456e7..be82deed6b 100644 --- a/windows/deployment/volume-activation/update-product-status-vamt.md +++ b/windows/deployment/volume-activation/update-product-status-vamt.md @@ -2,34 +2,39 @@ title: Update Product Status (Windows 10) description: Learn how to use the Update license status function to add the products that are installed on the computers. ms.reviewer: -manager: dougeby -ms.author: aaroncz + - nganguly +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski -ms.date: 04/25/2017 +author: frankroj +ms.date: 11/07/2022 ms.topic: article ms.technology: itpro-fundamentals --- -# Update Product Status +# Update product status After you add computers to the VAMT database, you need to use the **Update license status** function to add the products that are installed on the computers. You can also use the **Update license status** at any time to retrieve the most current license status for any products in the VAMT database. To retrieve license status, VAMT must have administrative permissions on all selected computers and Windows Management Instrumentation (WMI) must be accessible through the Windows Firewall. In addition, for workgroup computers, a registry key must be created to enable remote administrative actions under User Account Control (UAC). For more information, see [Configure Client Computers](configure-client-computers-vamt.md). -**Note**   +> [!NOTE] The license-status query requires a valid computer name for each system queried. If the VAMT database contains computers that were added without Personally Identifiable Information, computer names will not be available for those computers, and the status for these computers will not be updated. ## Update the license status of a product -1. Open VAMT. -2. In the **Products** list, select one or more products that need to have their status updated. -3. In the right-side **Actions** pane, click **Update license status** and then click a credential option. Choose **Alternate Credentials** only if you are updating products that require administrator credentials different from the ones you used to log into the computer. -4. If you are supplying alternate credentials, in the **Windows Security** dialog box type the appropriate user name and password and click **OK**. +1. Open VAMT. + +2. In the **Products** list, select one or more products that need to have their status updated. + +3. In the right-side **Actions** pane, select **Update license status** and then select a credential option. Choose **Alternate Credentials** only if you're updating products that require administrator credentials different from the ones you used to log into the computer. + +4. If you're supplying alternate credentials, in the **Windows Security** dialog box type the appropriate user name and password and select **OK**. VAMT displays the **Collecting product information** dialog box while it collects the status of all selected products. When the process is finished, the updated licensing status of each product will appear in the product list view in the center pane. - **Note**   - If a previously discovered Microsoft Office 2010 product has been uninstalled from the remote computer, updating its licensing status will cause the entry to be deleted from the **Office** product list view, and, consequently, the total number of discovered products will be smaller. However, the Windows installation of the same computer will not be deleted and will always be shown in the **Windows** products list view. - -## Related topics + > [!NOTE] + If a previously discovered Microsoft Office 2010 product has been uninstalled from the remote computer, updating its licensing status will cause the entry to be deleted from the **Office** product list view, and, consequently, the total number of discovered products will be smaller. However, the Windows installation of the same computer will not be deleted and will always be shown in the **Windows** products list view. + +## Related articles + - [Add and Manage Products](add-manage-products-vamt.md) diff --git a/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md b/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md index 96270a5500..a381b30b76 100644 --- a/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md +++ b/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md @@ -2,49 +2,55 @@ title: Use the Volume Activation Management Tool (Windows 10) description: The Volume Activation Management Tool (VAMT) provides several useful features, including the ability to track and monitor several types of product keys. ms.reviewer: -manager: dougeby -ms.author: aaroncz + - nganguly +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski +author: frankroj ms.localizationpriority: medium -ms.date: 07/27/2017 +ms.date: 11/07/2022 ms.topic: article ms.technology: itpro-fundamentals --- # Use the Volume Activation Management Tool -**Applies to** -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2012 -- Windows Server 2008 R2 +**Applies to:** -**Looking for retail activation?** -- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644) +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2012 +- Windows Server 2008 R2 + +> [!TIP] +> Are you looking for information on retail activation? +> +> - [Activate Windows](https://support.microsoft.com/help/12440/) +> - [Product activation for Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644) The Volume Activation Management Tool (VAMT) provides several useful features, including the ability to perform VAMT proxy activation and to track and monitor several types of product keys. -By using the VAMT, you can automate and centrally manage the volume, retail, and MAK activation process for Windows, Office, and select other Microsoft products. The VAMT can manage volume activation by using MAKs or KMS. It is a standard Microsoft Management Console snap-in, and it can be -installed on any computer running Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2. +By using the VAMT, you can automate and centrally manage the volume, retail, and MAK activation process for Windows, Office, and select other Microsoft products. The VAMT can manage volume activation by using MAKs or KMS. It's a standard Microsoft Management Console snap-in, and it can be installed on any computer running Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2. -The VAMT is distributed as part of the Windows Assessment and Deployment Kit (Windows ADK), which is a free download available from Microsoft Download Center. For more information, see [Windows Assessment and Deployment Kit (Windows ADK) for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=526740). +The VAMT is distributed as part of the Windows Assessment and Deployment Kit (Windows ADK), which is a free download available from Microsoft Download Center. For more information, see [Windows Assessment and Deployment Kit (Windows ADK) for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=526740). -In Windows Server 2012 R2, you can install the VAMT directly from Server Manager without downloading the Windows ADK by selecting the Volume Activation Services role or the Remote Server Administration Tools/Role Administration Tools/Volume Activation Tools feature. +In Windows Server 2012 R2, you can install the VAMT directly from Server Manager without downloading the Windows ADK by selecting the Volume Activation Services role or the Remote Server Administration Tools/Role Administration Tools/Volume Activation Tools feature. ## Activating with the Volume Activation Management Tool You can use the VAMT to complete the activation process in products by using MAK and retail keys, and you can work with computers individually or in groups. The VAMT enables two activation scenarios: -- **Online activation**. Online activation enables you to activate over the Internet any products that are installed with MAK, KMS host, or retail product keys. You can activate one or more connected computers within a network. This process requires that each product communicate activation information directly to Microsoft. -- **Proxy activation**. This activation method enables you to perform volume activation for products that are installed on client computers that do not have Internet access. The VAMT host computer distributes a MAK, KMS host key, or retail product key to one or more client products and collects the installation ID from each client product. The VAMT host sends the installation IDs to Microsoft on behalf of the client products and obtains the corresponding confirmation IDs. The VAMT host then installs the confirmation IDs on the client products to complete their activation. + +- **Online activation**. Online activation enables you to activate over the Internet any products that are installed with MAK, KMS host, or retail product keys. You can activate one or more connected computers within a network. This process requires that each product communicate activation information directly to Microsoft. + +- **Proxy activation**. This activation method enables you to perform volume activation for products that are installed on client computers that don't have Internet access. The VAMT host computer distributes a MAK, KMS host key, or retail product key to one or more client products and collects the installation ID from each client product. The VAMT host sends the installation IDs to Microsoft on behalf of the client products and obtains the corresponding confirmation IDs. The VAMT host then installs the confirmation IDs on the client products to complete their activation. By using this method, only the VAMT host computer requires Internet access. Proxy activation by using the VAMT is beneficial for isolated network segments and for cases where your organization has a mix of retail, MAK, and KMS-based activations. ## Tracking products and computers with the Volume Activation Management Tool -The VAMT provides an overview of the activation and licensing status of computers across your network, as shown in Figure 18. Several prebuilt reports are also available to help you proactively manage licensing. +The VAMT provides an overview of the activation and licensing status of computers across your network, as shown in Figure 18. Several prebuilt reports are also available to help you proactively manage licensing. ![VAMT showing the licensing status of multiple computers.](../images/volumeactivationforwindows81-18.jpg) @@ -52,7 +58,7 @@ The VAMT provides an overview of the activation and licensing status of computer ## Tracking key usage with the Volume Activation Management Tool -The VAMT makes it easier to track the various keys that are issued to your organization. You can enter each key into VAMT, and then the VAMT can use those keys for online or proxy activation of clients. The tool can also describe what type of key it is and to which product group it belongs. The VAMT is the most convenient way to quickly determine how many activations remain on a MAK. Figure 19 shows an example of key types and usage. +The VAMT makes it easier to track the various keys that are issued to your organization. You can enter each key into VAMT, and then the VAMT can use those keys for online or proxy activation of clients. The tool can also describe what type of key it's and to which product group it belongs. The VAMT is the most convenient way to quickly determine how many activations remain on a MAK. Figure 19 shows an example of key types and usage. ![VAMT showing key types and usage.](../images/volumeactivationforwindows81-19.jpg) @@ -60,16 +66,19 @@ The VAMT makes it easier to track the various keys that are issued to your organ ## Other Volume Activation Management Tool features -The VAMT stores information in a Microsoft SQL Server database for performance and flexibility, and it provides a single graphical user interface for managing activations and performing other activation-related tasks, such as: -- **Adding and removing computers**. You can use the VAMT to discover computers in the local environment. The VAMT can discover computers by querying AD DS, workgroups, or individual computer names or IP addresses, or through a general LDAP query. -- **Discovering products**. You can use the VAMT to discover Windows, Windows Server, Office, and select other products that are installed on the client computers. -- **Managing activation data**. The VAMT stores activation data in a SQL Server database. The tool can export this data in XML format to other VAMT hosts or to an archive. +The VAMT stores information in a Microsoft SQL Server database for performance and flexibility, and it provides a single graphical user interface for managing activations and performing other activation-related tasks, such as: + +- **Adding and removing computers**. You can use the VAMT to discover computers in the local environment. The VAMT can discover computers by querying AD DS, workgroups, or individual computer names or IP addresses, or through a general LDAP query. + +- **Discovering products**. You can use the VAMT to discover Windows, Windows Server, Office, and select other products that are installed on the client computers. + +- **Managing activation data**. The VAMT stores activation data in a SQL Server database. The tool can export this data in XML format to other VAMT hosts or to an archive. For more information, see: -- [Volume Activation Management Tool (VAMT) Overview](./volume-activation-management-tool.md) -- [VAMT Step-by-Step Scenarios](./vamt-step-by-step.md) -## See also -- [Volume Activation for Windows 10](volume-activation-windows-10.md) -  -  +- [Volume Activation Management Tool (VAMT) Overview](./volume-activation-management-tool.md) +- [VAMT Step-by-Step Scenarios](./vamt-step-by-step.md) + +## Related articles + +- [Volume Activation for Windows 10](volume-activation-windows-10.md) diff --git a/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md b/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md index ce68f48784..e965f4be1c 100644 --- a/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md +++ b/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md @@ -2,11 +2,12 @@ title: Use VAMT in Windows PowerShell (Windows 10) description: Learn how to use Volume Activation Management Tool (VAMT) PowerShell cmdlets to perform the same functions as the Vamt.exe command-line tool. ms.reviewer: -manager: dougeby -ms.author: aaroncz + - nganguly +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski -ms.date: 04/25/2017 +author: frankroj +ms.date: 11/07/2022 ms.topic: article ms.technology: itpro-fundamentals --- @@ -15,61 +16,87 @@ ms.technology: itpro-fundamentals The Volume Activation Management Tool (VAMT) PowerShell cmdlets can be used to perform the same functions as the Vamt.exe command-line tool. -**To install PowerShell 3.0** -- VAMT PowerShell cmdlets require Windows PowerShell, which is included in Windows 10, Windows 8 and Windows Server® 2012. You can download PowerShell for Windows 7 or other operating systems from the [Microsoft Download Center](/powershell/scripting/install/installing-powershell). +## Configuring VAMT in Windows PowerShell -**To install the Windows Assessment and Deployment Kit** -- In addition to PowerShell, you must import the VAMT PowerShell module. The module is included in the VAMT 3.0 folder after you install the Windows Assessment and Deployment Kit (Windows ADK). +### Install PowerShell 3.0 -**To prepare the VAMT PowerShell environment** -- To open PowerShell with administrative credentials, click **Start** and type “PowerShell” to locate the program. Right-click **Windows PowerShell**, and then click **Run as administrator**. To open PowerShell in Windows 7, click **Start**, click **All Programs**, click **Accessories**, click **Windows PowerShell**, right-click **Windows PowerShell**, and then click **Run as administrator**. +VAMT PowerShell cmdlets require Windows PowerShell, which is included in Windows 10, Windows 8 and Windows Server® 2012. You can download PowerShell for Windows 7 or other operating systems from the [Microsoft Download Center](/powershell/scripting/install/installing-powershell). - **Important** - If you are using a computer that has an 64-bit processor, select **Windows PowerShell (x86)**. VAMT PowerShell cmdlets are supported for the x86 architecture only. You must use an x86 version of Windows PowerShell to import the VAMT module, which are available in these directories: - - The x86 version of PowerShell is available in C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe - - The x86 version of the PowerShell ISE is available in C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell\_ise.exe -- For all supported operating systems you can use the VAMT PowerShell module included with the Windows ADK. By default, the module is installed with the Windows ADK in the VAMT folder. Change directories to the directory where VAMT is located. +### Install the Windows Assessment and Deployment Kit** - For example, if the Windows ADK is installed in the default location of `C:\Program Files(x86)\Windows Kits\10`, type: - - ``` powershell - cd “C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\VAMT 3.0” +In addition to PowerShell, you must import the VAMT PowerShell module. The module is included in the VAMT 3.0 folder after you install the Windows Assessment and Deployment Kit (Windows ADK). + +### Prepare the VAMT PowerShell environment + +To open PowerShell with administrative credentials, select **Start** and enter `PowerShell` to locate the program. Right-click **Windows PowerShell**, and then select **Run as administrator**. To open PowerShell in Windows 7, select **Start**, select **All Programs**, select **Accessories**, select **Windows PowerShell**, right-click **Windows PowerShell**, and then select **Run as administrator**. + + > [!IMPORTANT] + > If you are using a computer that has an 64-bit processor, select **Windows PowerShell (x86)**. VAMT PowerShell cmdlets are only supported for x86 architecture. You must use an x86 version of Windows PowerShell to import the VAMT module + + The x86 versions of Windows PowerShell are available in the following directories: + +- PowerShell: + + `C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe` +- PowerShell ISE: + + `C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe` + +For all supported operating systems, you can use the VAMT PowerShell module included with the Windows ADK. By default, the module is installed with the Windows ADK in the VAMT folder. Change directories to the directory where VAMT is located. For example, if the Windows ADK is installed in the default location of `C:\Program Files(x86)\Windows Kits\10`, enter: + + ```powershell + cd "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\VAMT 3.0" ``` -- Import the VAMT PowerShell module. To import the module, type the following at a command prompt: - ``` powershell + +### Import the VAMT PowerShell module + +To import the VAMT PowerShell module, enter the following command at a PowerShell command prompt: + + ```powershell Import-Module .\VAMT.psd1 ``` - Where **Import-Module** imports a module only into the current session. To import the module into all sessions, add an **Import-Module** command to a Windows PowerShell profile. For more information about profiles, type `get-help about_profiles`. -## To Get Help for VAMT PowerShell cmdlets + where **Import-Module** imports a module only into the current session. To import the module into all sessions, add an **Import-Module** command to a Windows PowerShell profile. For more information about profiles, enter `get-help about_profiles`. -You can view all of the help sections for a VAMT PowerShell cmdlet, or you can view only the section that you are interested in. To view all of the Help content for a VAMT cmdlet, type: -``` powershell +## To get help for VAMT PowerShell cmdlets + +You can view all of the help sections for a VAMT PowerShell cmdlet, or you can view only the section that you're interested in. To view all of the Help content for a VAMT cmdlet, enter: + +```powershell get-help -all ``` -For example, type: -``` powershell + +For example, enter: + +```powershell get-help get-VamtProduct -all ``` -**Warning** -The update-help cmdlet is not supported for VAMT PowerShell cmdlets. To view online help for VAMT cmdlets, you can use the -online option with the get-help cmdlet. For more information, see [Volume Activation Management Tool (VAMT) Cmdlets in Windows PowerShell](/powershell/module/vamt). +> [!WARNING] +> The update-help cmdlet is not supported for VAMT PowerShell cmdlets. To view online help for VAMT cmdlets, you can use the `-online` option with the `get-help` cmdlet. For more information, see [Volume Activation Management Tool (VAMT) Cmdlets in Windows PowerShell](/powershell/module/vamt). -**To view VAMT PowerShell Help sections** +### View VAMT PowerShell help sections -1. To get the syntax to use with a cmdlet, type the following at a command prompt: - ``` powershell +1. To get the syntax to use with a cmdlet, enter the following command at a PowerShell command prompt: + + ```powershell get-help ``` - For example, type: - ``` powershell + + For example, enter: + + ```powershell get-help get-VamtProduct ``` -2. To see examples using a cmdlet, type: - ``` powershell + +2. To see examples using a cmdlet, enter: + + ```powershell get-help -examples ``` - For example, type: - ``` powershell + + For example, enter: + + ```powershell get-help get-VamtProduct -examples ``` diff --git a/windows/deployment/volume-activation/vamt-known-issues.md b/windows/deployment/volume-activation/vamt-known-issues.md index 1e02f26440..4c29fd57a4 100644 --- a/windows/deployment/volume-activation/vamt-known-issues.md +++ b/windows/deployment/volume-activation/vamt-known-issues.md @@ -2,11 +2,12 @@ title: VAMT known issues (Windows 10) description: Find out the current known issues with the Volume Activation Management Tool (VAMT), versions 3.0. and 3.1. ms.reviewer: -manager: dougeby -ms.author: aaroncz + - nganguly +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski -ms.date: 12/17/2019 +author: frankroj +ms.date: 11/07/2022 ms.topic: article ms.custom: - CI 111496 @@ -19,7 +20,9 @@ ms.technology: itpro-fundamentals The current known issues with the Volume Activation Management Tool (VAMT), versions 3.0. and 3.1, include: - VAMT Windows Management Infrastructure (WMI) remote operations might take longer to execute if the target computer is in a sleep or standby state. -- When you open a Computer Information List (CIL) file that was saved by using a previous version of VAMT, the edition information is not shown for each product in the center pane. You must update the product status again to obtain the edition information. + +- When you open a Computer Information List (CIL) file that was saved by using a previous version of VAMT, the edition information isn't shown for each product in the center pane. You must update the product status again to obtain the edition information. + - The remaining activation count can only be retrieved for Multiple Activation Key (MAKs). ## Workarounds for adding CSVLKs for Windows 10 activation to VAMT 3.1 @@ -28,11 +31,11 @@ Another known issue is that when you try to add a Windows 10 Key Management Serv ![VAMT error message.](./images/vamt-known-issue-message.png) -This issue occurs because VAMT 3.1 does not contain the correct Pkconfig files to recognize this kind of key. To work around this issue, use one of the following methods. +This issue occurs because VAMT 3.1 doesn't contain the correct Pkconfig files to recognize this kind of key. To work around this issue, use one of the following methods. ### Method 1 -Do not add the CSVLK to the VAMT 3.1 tool. Instead, use the **slmgr.vbs /ipk \<*CSVLK*>** command to install a CSVLK on a KMS host. In this command, \<*CSVLK*> represents the specific key that you want to install. For more information about how to use the Slmgr.vbs tool, see [Slmgr.vbs options for obtaining volume activation information](/windows-server/get-started/activation-slmgr-vbs-options). +Don't add the CSVLK to the VAMT 3.1 tool. Instead, use the ` slmgr.vbs /ipk ` command to install a CSVLK on a KMS host. In this command, \<*CSVLK*> represents the specific key that you want to install. For more information about how to use the `Slmgr.vbs` tool, see [Slmgr.vbs options for obtaining volume activation information](/windows-server/get-started/activation-slmgr-vbs-options). ### Method 2 @@ -40,20 +43,32 @@ On the KMS host computer, perform the following steps: 1. Download the hotfix from [July 2016 update rollup for Windows 8.1 and Windows Server 2012 R2](https://support.microsoft.com/help/3172614/). -1. In Windows Explorer, right-click **485392_intl_x64_zip** and extract the hotfix to C:\KB3058168. +2. In Windows Explorer, right-click **485392_intl_x64_zip** and extract the hotfix to C:\KB3058168. -1. To extract the contents of the update, run the following command: +3. To extract the contents of the update, run the following command: - ```console + ```cmd expand c:\KB3058168\Windows8.1-KB3058168-x64.msu -f:* C:\KB3058168\ ``` -1. To extract the contents of Windows8.1-KB3058168-x64.cab, run the following command: +4. To extract the contents of Windows8.1-KB3058168-x64.cab, run the following command: - ```console + ```cmd expand c:\KB3058168\Windows8.1-KB3058168-x64.cab -f:pkeyconfig-csvlk.xrm-ms c:\KB3058168 ``` -1. In the C:\KB3058168\x86_microsoft-windows-s..nent-sku-csvlk-pack_31bf3856ad364e35_6.3.9600.17815_none_bd26b4f34d049716 folder, copy the pkeyconfig-csvlk.xrm-ms file. Paste this file into the C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\VAMT3\pkconfig folder. +5. In the + + `C:\KB3058168\x86_microsoft-windows-s..nent-sku-csvlk-pack_31bf3856ad364e35_6.3.9600.17815_none_bd26b4f34d049716` + + folder, copy the + + `pkeyconfig-csvlk.xrm-ms` + + file. Paste this file into the + + `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\VAMT3\pkconfig` + + folder. -1. Restart VAMT. +6. Restart VAMT. diff --git a/windows/deployment/volume-activation/vamt-requirements.md b/windows/deployment/volume-activation/vamt-requirements.md index 736a7d6b84..47e54481c4 100644 --- a/windows/deployment/volume-activation/vamt-requirements.md +++ b/windows/deployment/volume-activation/vamt-requirements.md @@ -2,20 +2,21 @@ title: VAMT Requirements (Windows 10) description: In this article, learn about the product key and system requierements for Volume Activation Management Tool (VAMT). ms.reviewer: -manager: dougeby -ms.author: aaroncz + - nganguly +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski -ms.date: 04/25/2017 +author: frankroj +ms.date: 11/07/2022 ms.topic: article ms.technology: itpro-fundamentals --- -# VAMT Requirements +# VAMT requirements -This topic includes info about the product key and system requirements for VAMT. +This article includes info about the product key and system requirements for VAMT. -## Product Key Requirements +## Product key requirements The Volume Activation Management Tool (VAMT) can be used to perform activations using any of the following types of product keys. @@ -24,7 +25,7 @@ The Volume Activation Management Tool (VAMT) can be used to perform activations |
    • Multiple Activation Key (MAK)
    • Key Management Service (KMS) host key (CSVLK)
    • KMS client setup keys (GVLK)
    |Volume licensing keys can only be obtained with a signed contract from Microsoft. For more info, see the [Microsoft Volume Licensing portal](https://go.microsoft.com/fwlink/p/?LinkId=227282). | |Retail product keys |Obtained at time of product purchase. | -## System Requirements +## System requirements The following table lists the system requirements for the VAMT host computer. @@ -37,7 +38,8 @@ The following table lists the system requirements for the VAMT host computer. | Display | 1024x768 or higher resolution monitor | | Network | Connectivity to remote computers via Windows Management Instrumentation (TCP/IP) and Microsoft Activation Web Service on the Internet via HTTPS | | Operating System | Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008 R2, Windows Server 2012, or later. | -| Additional Requirements |
    • Connection to a SQL Server database. For more info, see [Install VAMT](install-vamt.md).
    • PowerShell 3.0: For Windows 8, Windows 8.1, Windows 10, and Windows Server 2012, PowerShell is included in the installation. For previous versions of Windows and Windows Server, you must download PowerShell 3.0. To download PowerShell, go to [Download Windows PowerShell 3.0](/powershell/scripting/install/installing-powershell).
    • If installing on Windows Server 2008 R2, you must also install .NET Framework 3.51.
    | +| Additional Requirements |
    • Connection to a SQL Server database. For more info, see [Install VAMT](install-vamt.md).
    • PowerShell 3.0: For Windows 8, Windows 8.1, Windows 10, and Windows Server 2012, PowerShell is included in the installation. For previous versions of Windows and Windows Server, you must download PowerShell 3.0. To download PowerShell, go to [Download Windows PowerShell 3.0](/powershell/scripting/install/installing-powershell).
    • If installing on Windows Server 2008 R2, you must also install .NET Framework 3.51.
    | -## Related topics -- [Install and Configure VAMT](install-configure-vamt.md) +## Related articles + +- [Install and configure VAMT](install-configure-vamt.md) diff --git a/windows/deployment/volume-activation/vamt-step-by-step.md b/windows/deployment/volume-activation/vamt-step-by-step.md index 1c161bf9b5..2378579069 100644 --- a/windows/deployment/volume-activation/vamt-step-by-step.md +++ b/windows/deployment/volume-activation/vamt-step-by-step.md @@ -2,28 +2,28 @@ title: VAMT Step-by-Step Scenarios (Windows 10) description: Learn step-by-step instructions on implementing the Volume Activation Management Tool (VAMT) in typical environments. ms.reviewer: -manager: dougeby -ms.author: aaroncz + - nganguly +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski -ms.date: 04/25/2017 +author: frankroj +ms.date: 11/07/2022 ms.topic: article ms.technology: itpro-fundamentals --- -# VAMT Step-by-Step Scenarios +# VAMT step-by-step scenarios This section provides instructions on how to implement the Volume Activation Management Tool (VAMT) in typical environments. VAMT supports many common scenarios; it describes here some of the most common to get you started. -## In this Section +## In this section -|Topic |Description | -|------|------------| +|Article |Description | +|-------|------------| |[Scenario 1: Online Activation](scenario-online-activation-vamt.md) |Describes how to distribute Multiple Activation Keys (MAKs) to products installed on one or more connected computers within a network, and how to instruct these products to contact Microsoft over the Internet for activation. | |[Scenario 2: Proxy Activation](scenario-proxy-activation-vamt.md) |Describes how to use two VAMT host computers—the first one with Internet access and a second computer within an isolated workgroup—as proxies to perform MAK volume activation for workgroup computers that don't have Internet access. | -|[Scenario 3: Key Management Service (KMS) Client Activation](scenario-kms-activation-vamt.md) |Describes how to use VAMT to configure client products for Key Management Service (KMS) activation. By default, volume license editions of Windows 10, Windows Vista, Windows® 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, or Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. | +|[Scenario 3: Key Management Service (KMS) Client Activation](scenario-kms-activation-vamt.md) |Describes how to use VAMT to configure client products for Key Management Service (KMS) activation. By default, volume license editions of Windows 10, Windows Vista, Windows® 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, or Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. | ## Related articles + - [Introduction to VAMT](introduction-vamt.md) -  -  diff --git a/windows/deployment/volume-activation/volume-activation-management-tool.md b/windows/deployment/volume-activation/volume-activation-management-tool.md index b24992eac1..3f9a5a7264 100644 --- a/windows/deployment/volume-activation/volume-activation-management-tool.md +++ b/windows/deployment/volume-activation/volume-activation-management-tool.md @@ -1,12 +1,14 @@ --- title: VAMT technical reference description: The Volume Activation Management Tool (VAMT) enables network administrators to automate and centrally manage volume activation and retail activation. -manager: dougeby -ms.author: aaroncz +ms.reviewer: + - nganguly +manager: aaroncz +ms.author: frankroj ms.prod: windows-client ms.technology: itpro-fundamentals -author: aczechowski -ms.date: 09/16/2022 +author: frankroj +ms.date: 11/07/2022 ms.topic: overview ms.custom: seo-marvel-apr2020 --- @@ -16,7 +18,7 @@ ms.custom: seo-marvel-apr2020 The Volume Activation Management Tool (VAMT) lets you automate and centrally manage the Windows, Office, and select other Microsoft products volume and retail-activation process. VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in. VAMT can be installed on any computer that has a supported Windows OS version. > [!IMPORTANT] -> VAMT is designed to manage volume activation for supported versions of Windows, Windows Server, and Office. +> VAMT is designed to manage volume activation for all currently supported versions of Windows, Windows Server, and Office. VAMT is only available in an EN-US (x86) package. diff --git a/windows/deployment/volume-activation/volume-activation-windows-10.md b/windows/deployment/volume-activation/volume-activation-windows-10.md index c97a874ef7..3bc4621e7a 100644 --- a/windows/deployment/volume-activation/volume-activation-windows-10.md +++ b/windows/deployment/volume-activation/volume-activation-windows-10.md @@ -2,35 +2,41 @@ title: Volume Activation for Windows 10 description: Learn how to use volume activation to deploy & activate Windows 10. Includes details for orgs that have used volume activation for earlier versions of Windows. ms.reviewer: -manager: dougeby -ms.author: aaroncz + - nganguly +manager: aaroncz +ms.author: frankroj ms.prod: windows-client -author: aczechowski +author: frankroj ms.localizationpriority: medium -ms.date: 07/27/2017 +ms.date: 11/07/2022 ms.topic: article ms.technology: itpro-fundamentals --- # Volume Activation for Windows 10 -> Applies to +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2012 +- Windows Server 2008 R2 + +> [!TIP] +> Are you looking for volume licensing information? > ->- Windows 10 ->- Windows Server 2012 R2 ->- Windows Server 2012 ->- Windows Server 2016 ->- Windows Server 2019 +> - [Download the Volume Licensing Reference Guide for Windows 10 Desktop Operating System](https://go.microsoft.com/fwlink/p/?LinkId=620104) -**Looking for volume licensing information?** +> [!TIP] +> Are you looking for information on retail activation? +> +> - [Activate Windows](https://support.microsoft.com/help/12440/) +> - [Product activation for Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644) -- [Download the Volume Licensing Reference Guide for Windows 10 Desktop Operating System](https://go.microsoft.com/fwlink/p/?LinkId=620104) - -**Looking for retail activation?** - -- [Get Help Activating Microsoft Windows](https://support.microsoft.com/help/12440/windows-10-activate) - -This guide is designed to help organizations that are planning to use volume activation to deploy and activate Windows 10, including organizations that have used volume activation for earlier versions of Windows. +This guide is designed to help organizations that are planning to use volume activation to deploy and activate Windows 10, including organizations that have used volume activation for earlier versions of Windows. *Volume activation* is the process that Microsoft volume licensing customers use to automate and manage the activation of Windows operating systems, Microsoft Office, and other Microsoft products across large organizations. Volume licensing is available to customers who purchase software under various volume programs (such as [Open](https://www.microsoft.com/Licensing/licensing-programs/open-license) and [Select](https://www.microsoft.com/Licensing/licensing-programs/select)) and to participants in programs such as the [Microsoft Partner Program](https://partner.microsoft.com/) and [MSDN Subscriptions](https://visualstudio.microsoft.com/msdn-platforms/). @@ -38,25 +44,31 @@ Volume activation is a configurable solution that helps automate and manage the This guide provides information and step-by-step guidance to help you choose a volume activation method that suits your environment, and then to configure that solution successfully. This guide describes the volume activation features and the tools to manage volume activation. -Because most organizations will not immediately switch all computers to Windows 10, practical volume activation strategies must also take in to account how to work with the Windows 8.1, Windows 7, Windows Server 2012, and Windows Server 2008 R2 operating systems. This guide discusses how the new volume activation tools can support earlier operating systems, but it does not discuss the tools that are provided with earlier operating system versions. +Because most organizations won't immediately switch all computers to Windows 10, practical volume activation strategies must also take in to account how to work with the Windows 8.1, Windows 7, Windows Server 2012, and Windows Server 2008 R2 operating systems. This guide discusses how the new volume activation tools can support earlier operating systems, but it doesn't discuss the tools that are provided with earlier operating system versions. -Volume activation -and the need for activation itself- is not new, and this guide does not review all of its concepts and history. You can find additional background in the appendices of this guide. For more information, see [Volume Activation Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831612(v=ws.11)). +Volume activation -and the need for activation itself- isn't new, and this guide doesn't review all of its concepts and history. You can find additional background in the appendices of this guide. For more information, see [Volume Activation Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831612(v=ws.11)). -If you would like additional information about planning a volume activation deployment specifically for Windows 7 and Windows Server 2008 R2, please see the [Volume Activation Planning Guide for Windows 7](/previous-versions/tn-archive/dd878528(v=technet.10)). +If you would like additional information about planning a volume activation deployment specifically for Windows 7 and Windows Server 2008 R2, see the [Volume Activation Planning Guide for Windows 7](/previous-versions/tn-archive/dd878528(v=technet.10)). To successfully plan and implement a volume activation strategy, you must: - Learn about and understand product activation. + - Review and evaluate the available activation types or models. + - Consider the connectivity of the clients to be activated. + - Choose the method or methods to be used with each type of client. -- Determine the types and number of product keys you will need. + +- Determine the types and number of product keys you'll need. + - Determine the monitoring and reporting needs in your organization. + - Install and configure the tools required to support the methods selected. -Keep in mind that the method of activation does not change an organization’s responsibility to the licensing requirements. You must ensure that all software used in your organization is properly licensed and activated in accordance with the terms of the licensing agreements in place. +Keep in mind that the method of activation doesn't change an organization's responsibility to the licensing requirements. You must ensure that all software used in your organization is properly licensed and activated in accordance with the terms of the licensing agreements in place. -## Additional information +## Related articles - [Plan for volume activation](plan-for-volume-activation-client.md) - [Activate using Key Management Service](activate-using-key-management-service-vamt.md) diff --git a/windows/deployment/wds-boot-support.md b/windows/deployment/wds-boot-support.md index dfab934f9d..32807ff581 100644 --- a/windows/deployment/wds-boot-support.md +++ b/windows/deployment/wds-boot-support.md @@ -8,14 +8,15 @@ ms.author: frankroj manager: aaroncz ms.topic: article ms.custom: seo-marvel-apr2020 -ms.date: 10/31/2022 +ms.date: 11/23/2022 ms.technology: itpro-deploy --- # Windows Deployment Services (WDS) boot.wim support -Applies to: -- Windows 10 +*Applies to:* + +- Windows 10 - Windows 11 The operating system deployment functionality of [Windows Deployment Services](/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831764(v=ws.11)) (WDS) is being partially deprecated. Starting with Windows 11, workflows that rely on **boot.wim** from installation media or on running Windows Setup in WDS mode will no longer be supported. @@ -26,9 +27,9 @@ When you PXE-boot from a WDS server that uses the **boot.wim** file from install ## Deployment scenarios affected -The table below provides support details for specific deployment scenarios (Boot Image Version). +The table below provides support details for specific deployment scenarios. Boot.wim is the `boot.wim` file obtained from the Windows source files for each specified version of Windows. -||Windows 10|Windows Server 2016|Windows Server 2019|Windows Server 2022|Windows 11| +|Windows Version being deployed |Boot.wim from Windows 10|Boot.wim from Windows Server 2016|Boot.wim from Windows Server 2019|Boot.wim from Windows Server 2022|Boot.wim from Windows 11| |--- |--- |--- |--- |--- |--- | |**Windows 10**|Supported, using a boot image from matching or newer version.|Supported, using a boot image from Windows 10, version 1607 or later.|Supported, using a boot image from Windows 10, version 1809 or later.|Not supported.|Not supported.| |**Windows Server 2016**|Supported, using a boot image from Windows 10, version 1607 or later.|Supported.|Not supported.|Not supported.|Not supported.| @@ -38,7 +39,7 @@ The table below provides support details for specific deployment scenarios (Boot ## Reason for the change -Alternatives to WDS, such as [Microsoft Configuration Manager](/mem/configmgr/) and [Microsoft Deployment Toolkit](/mem/configmgr/mdt/) (MDT) provide a better, more flexible, and feature-rich experience for deploying Windows images. +Alternatives to WDS, such as [Microsoft Configuration Manager](/mem/configmgr/) and [Microsoft Deployment Toolkit](/mem/configmgr/mdt/) (MDT) provide a better, more flexible, and feature-rich experience for deploying Windows images. ## Not affected @@ -53,7 +54,7 @@ You can still run Windows Setup from a network share. Workflows that use a custo - Windows Server 2022 workflows that rely on **boot.wim** from installation media will show a non-blocking deprecation notice. The notice can be dismissed, and currently the workflow isn't blocked. - Windows Server workflows after Windows Server 2022 that rely on **boot.wim** from installation media are blocked. -If you currently use WDS with **boot.wim** from installation media for end-to-end operating system deployment, and your OS version isn't supported, deprecated, or blocked, it's recommended that you use deployment tools such as MDT, Configuration Manager, or a non-Microsoft solution with a custom boot.wim image. +If you currently use WDS with **boot.wim** from installation media for end-to-end operating system deployment, and your OS version isn't supported, deprecated, or blocked, it's recommended that you use deployment tools such as MDT, Configuration Manager, or a non-Microsoft solution with a custom boot.wim image. ## Also see diff --git a/windows/deployment/windows-10-deployment-posters.md b/windows/deployment/windows-10-deployment-posters.md index d7d8c65cc3..677807d5c7 100644 --- a/windows/deployment/windows-10-deployment-posters.md +++ b/windows/deployment/windows-10-deployment-posters.md @@ -9,13 +9,14 @@ ms.prod: windows-client ms.technology: itpro-deploy ms.localizationpriority: medium ms.topic: reference -ms.date: 10/31/2022 +ms.date: 11/23/2022 --- # Windows 10 deployment process posters -**Applies to** -- Windows 10 +*Applies to:* + +- Windows 10 The following posters step through various options for deploying Windows 10 with Windows Autopilot or Microsoft Configuration Manager. diff --git a/windows/deployment/windows-10-deployment-scenarios.md b/windows/deployment/windows-10-deployment-scenarios.md index 3d06ff84bb..18e44ca25b 100644 --- a/windows/deployment/windows-10-deployment-scenarios.md +++ b/windows/deployment/windows-10-deployment-scenarios.md @@ -7,15 +7,15 @@ author: frankroj ms.prod: windows-client ms.localizationpriority: medium ms.topic: article -ms.date: 10/31/2022 +ms.date: 11/23/2022 ms.technology: itpro-deploy --- # Windows 10 deployment scenarios -**Applies to** +*Applies to:* -- Windows 10 +- Windows 10 To successfully deploy the Windows 10 operating system in your organization, it's important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Key tasks include choosing among these scenarios and understanding the capabilities and limitations of each. @@ -55,9 +55,9 @@ The following tables summarize various Windows 10 deployment scenarios. The scen |[Refresh](#computer-refresh)|Also called wipe and load. Redeploy a device by saving the user state, wiping the disk, then restoring the user state. | [Refresh a Windows 7 computer with Windows 10](/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10)
    [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager)| |[Replace](#computer-replace)|Replace an existing device with a new one by saving the user state on the old device and then restoring it to the new device.| [Replace a Windows 7 computer with a Windows 10 computer](/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer)
    [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager)| ->[!IMPORTANT] ->The Windows Autopilot and Subscription Activation scenarios require that the beginning OS be Windows 10 version 1703, or later.
    ->Except for clean install scenarios such as traditional bare metal and Windows Autopilot, all the methods described can optionally migrate apps and settings to the new OS. +> [!IMPORTANT] +> The Windows Autopilot and Subscription Activation scenarios require that the beginning OS be Windows 10 version 1703, or later.
    +> Except for clean install scenarios such as traditional bare metal and Windows Autopilot, all the methods described can optionally migrate apps and settings to the new OS. ## Modern deployment methods @@ -86,19 +86,19 @@ Scenarios that support in-place upgrade with some other procedures include chang - **Legacy BIOS to UEFI booting**: To perform an in-place upgrade on a UEFI-capable system that currently boots using legacy BIOS, first perform the in-place upgrade to Windows 10, maintaining the legacy BIOS boot mode. Windows 10 doesn't require UEFI, so it will work fine to upgrade a system using legacy BIOS emulation. After the upgrade, if you wish to enable Windows 10 features that require UEFI (such as Secure Boot), you can convert the system disk to a format that supports UEFI boot using the [MBR2GPT](./mbr-to-gpt.md) tool. Note: [UEFI specification](http://www.uefi.org/specifications) requires GPT disk layout. After the disk has been converted, you must also configure the firmware to boot in UEFI mode. -- **Non-Microsoft disk encryption software**: While devices encrypted with BitLocker can easily be upgraded, more work is necessary for non-Microsoft disk encryption tools. Some ISVs will provide instructions on how to integrate their software into the in-place upgrade process. Check with your ISV to see if they have instructions. The following articles provide details on how to provision encryption drivers for use during Windows Setup via the ReflectDrivers setting: - - [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview) - - [Windows Setup Command-Line Options](/windows-hardware/manufacture/desktop/windows-setup-command-line-options) +- **Non-Microsoft disk encryption software**: While devices encrypted with BitLocker can easily be upgraded, more work is necessary for non-Microsoft disk encryption tools. Some ISVs will provide instructions on how to integrate their software into the in-place upgrade process. Check with your ISV to see if they have instructions. The following articles provide details on how to provision encryption drivers for use during Windows Setup via the ReflectDrivers setting: + - [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview) + - [Windows Setup Command-Line Options](/windows-hardware/manufacture/desktop/windows-setup-command-line-options) There are some situations where you can't use in-place upgrade; in these situations, you can use traditional deployment (wipe-and-load) instead. Examples of these situations include: -- Changing from Windows 7, Windows 8, or Windows 8.1 x86 to Windows 10 x64. The upgrade process can't change from a 32-bit operating system to a 64-bit operating system, because of possible complications with installed applications and drivers. +- Changing from Windows 7, Windows 8, or Windows 8.1 x86 to Windows 10 x64. The upgrade process can't change from a 32-bit operating system to a 64-bit operating system, because of possible complications with installed applications and drivers. -- Windows To Go and Boot from VHD installations. The upgrade process is unable to upgrade these installations. Instead, new installations would need to be performed. +- Windows To Go and Boot from VHD installations. The upgrade process is unable to upgrade these installations. Instead, new installations would need to be performed. -- Updating existing images. It can be tempting to try to upgrade existing Windows 7, Windows 8, or Windows 8.1 images to Windows 10 by installing the old image, upgrading it, and then recapturing the new Windows 10 image. But, it's not supported. Preparing an upgraded OS via `Sysprep.exe` before capturing an image isn't supported and won't work. When `Sysprep.exe` detects the upgraded OS, it will fail. +- Updating existing images. It can be tempting to try to upgrade existing Windows 7, Windows 8, or Windows 8.1 images to Windows 10 by installing the old image, upgrading it, and then recapturing the new Windows 10 image. But, it's not supported. Preparing an upgraded OS via `Sysprep.exe` before capturing an image isn't supported and won't work. When `Sysprep.exe` detects the upgraded OS, it will fail. -- Dual-boot and multi-boot systems. The upgrade process is designed for devices running a single OS. If you use dual-boot or multi-boot systems with multiple operating systems (not using virtual machines for the second and subsequent operating systems), then extra care should be taken. +- Dual-boot and multi-boot systems. The upgrade process is designed for devices running a single OS. If you use dual-boot or multi-boot systems with multiple operating systems (not using virtual machines for the second and subsequent operating systems), then extra care should be taken. ## Dynamic provisioning @@ -106,9 +106,9 @@ For new PCs, organizations have historically replaced the version of Windows inc The goal of dynamic provisioning is to take a new PC out of the box, turn it on, and transform it into a productive organization device, with minimal time and effort. The types of transformations that are available include: -### Windows 10 Subscription Activation +### Windows 10 Subscription Activation -Windows 10 Subscription Activation is a modern deployment method that enables you to change the SKU from Pro to Enterprise with no keys and no reboots. For more information about Subscription Activation, see [Windows 10 Subscription Activation](/windows/deployment/windows-10-enterprise-subscription-activation). +Windows 10 Subscription Activation is a dynamic deployment method that enables you to change the SKU from Pro to Enterprise with no keys and no reboots. For more information about Subscription Activation, see [Windows 10 Subscription Activation](/windows/deployment/windows-10-enterprise-subscription-activation). ### Azure Active Directory (Azure AD) join with automatic mobile device management (MDM) enrollment @@ -122,17 +122,17 @@ These scenarios can be used to enable "choose your own device" (CYOD) programs. While the initial Windows 10 release includes various provisioning settings and deployment mechanisms, provisioning settings and deployment mechanisms will continue to be enhanced and extended based on feedback from organizations. As with all Windows features, organizations can submit suggestions for more features through the Windows Feedback app or through their Microsoft Support contacts. -## Traditional deployment: +## Traditional deployment -New versions of Windows have typically been deployed by organizations using an image-based process built on top of tools provided in the [Windows Assessment and Deployment Kit](windows-adk-scenarios-for-it-pros.md), Windows Deployment Services, the [Deploy Windows 10 with the Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md), and [Microsoft Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). +New versions of Windows have typically been deployed by organizations using an image-based process built on top of tools provided in the [Windows Assessment and Deployment Kit](windows-adk-scenarios-for-it-pros.md), Windows Deployment Services, the [Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md), and [Microsoft Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). With the release of Windows 10, all of these tools are being updated to fully support Windows 10. Although newer scenarios such as in-place upgrade and dynamic provisioning may reduce the need for traditional deployment capabilities in some organizations, these traditional methods remain important, and will continue to be available to organizations that need them. The traditional deployment scenario can be divided into different sub-scenarios. These sub-scenarios are explained in detail in the following sections, but the following list provides a brief summary: -- **New computer.** A bare-metal deployment of a new machine. -- **Computer refresh.** A reinstall of the same machine (with user-state migration and an optional full Windows Imaging (WIM) image backup). -- **Computer replace.** A replacement of the old machine with a new machine (with user-state migration and an optional full WIM image backup). +- **New computer**: A bare-metal deployment of a new machine. +- **Computer refresh**: A reinstall of the same machine (with user-state migration and an optional full Windows Imaging (WIM) image backup). +- **Computer replace**: A replacement of the old machine with a new machine (with user-state migration and an optional full WIM image backup). ### New computer @@ -140,13 +140,13 @@ Also called a "bare metal" deployment. This scenario occurs when you have a blan The deployment process for the new machine scenario is as follows: -1. Start the setup from boot media (CD, USB, ISO, or PXE). +1. Start the setup from boot media (CD, USB, ISO, or PXE). -2. Wipe the hard disk clean and create new volume(s). +2. Wipe the hard disk clean and create new volume(s). -3. Install the operating system image. +3. Install the operating system image. -4. Install other applications (as part of the task sequence). +4. Install other applications (as part of the task sequence). After you follow these steps, the computer is ready for use. @@ -156,17 +156,17 @@ A refresh is sometimes called wipe-and-load. The process is normally initiated i The deployment process for the wipe-and-load scenario is as follows: -1. Start the setup on a running operating system. +1. Start the setup on a running operating system. -2. Save the user state locally. +2. Save the user state locally. -3. Wipe the hard disk clean (except for the folder containing the backup). +3. Wipe the hard disk clean (except for the folder containing the backup). -4. Install the operating system image. +4. Install the operating system image. -5. Install other applications. +5. Install other applications. -6. Restore the user state. +6. Restore the user state. After you follow these steps, the machine is ready for use. @@ -176,9 +176,9 @@ A computer replace is similar to the refresh scenario. However, since we're repl The deployment process for the replace scenario is as follows: -1. Save the user state (data and settings) on the server through a backup job on the running operating system. +1. Save the user state (data and settings) on the server through a backup job on the running operating system. -2. Deploy the new computer as a bare-metal deployment. +2. Deploy the new computer as a bare-metal deployment. > [!NOTE] > In some situations, you can use the replace scenario even if the target is the same machine. For example, you can use replace if you want to modify the disk layout from the master boot record (MBR) to the GUID partition table (GPT), which will allow you to take advantage of the Unified Extensible Firmware Interface (UEFI) functionality. You can also use replace if the disk needs to be repartitioned since user data needs to be transferred off the disk. @@ -191,4 +191,4 @@ The deployment process for the replace scenario is as follows: - [Deploy Windows 10 with the Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md) - [Windows setup technical reference](/windows-hardware/manufacture/desktop/windows-setup-technical-reference) - [Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd) -- [UEFI firmware](/windows-hardware/design/device-experiences/oem-uefi) \ No newline at end of file +- [UEFI firmware](/windows-hardware/design/device-experiences/oem-uefi) diff --git a/windows/deployment/windows-10-enterprise-e3-overview.md b/windows/deployment/windows-10-enterprise-e3-overview.md index 67864fbe6c..5399593006 100644 --- a/windows/deployment/windows-10-enterprise-e3-overview.md +++ b/windows/deployment/windows-10-enterprise-e3-overview.md @@ -3,28 +3,27 @@ title: Windows 10/11 Enterprise E3 in CSP description: Describes Windows 10/11 Enterprise E3, an offering that delivers, by subscription, the features of Windows 10/11 Enterprise edition. ms.prod: windows-client ms.localizationpriority: medium -ms.date: 10/31/2022 +ms.date: 11/23/2022 author: frankroj ms.author: frankroj manager: aaroncz -ms.collection: - - M365-modern-desktop ms.topic: article ms.technology: itpro-deploy --- # Windows 10/11 Enterprise E3 in CSP -Applies to: +*Applies to:* + - Windows 10 - Windows 11 -Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel on September 1, 2016. With the release of Windows 11, Windows 10/11 Enterprise E3 in CSP is available. +Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel on September 1, 2016. With the release of Windows 11, Windows 10/11 Enterprise E3 in CSP is available. Windows 10/11 Enterprise E3 in CSP delivers, by subscription, exclusive features reserved for Windows 10 or Windows 11 Enterprise editions. This offering is available through the Cloud Solution Provider (CSP) channel via the Partner Center as an online service. Windows 10/11 Enterprise E3 in CSP provides a flexible, per-user subscription for small and medium-sized organizations (from one to hundreds of users). To take advantage of this offering, you must have the following prerequisites: -- Windows 10 Pro, version 1607 (Windows 10 Anniversary Update) or later (or Windows 11), installed and activated, on the devices to be upgraded. -- Azure Active Directory (Azure AD) available for identity management +- Windows 10 Pro, version 1607 (Windows 10 Anniversary Update) or later (or Windows 11), installed and activated, on the devices to be upgraded. +- Azure Active Directory (Azure AD) available for identity management You can move from Windows 10 Pro or Windows 11 Pro to Windows 10 Enterprise or Windows 11 Enterprise more easily than ever before with no keys and no reboots. After one of your users enters the Azure AD credentials associated with a Windows 10/11 Enterprise E3 license, the operating system turns from Windows 10 Pro to Windows 10 Enterprise or Windows 11 Pro to Windows 11 Enterprise, and all the appropriate Enterprise features are unlocked. When a subscription license expires or is transferred to another user, the Enterprise device seamlessly steps back down to Windows 10 Pro or Windows 11 Pro. @@ -32,22 +31,22 @@ Previously, only organizations with a Microsoft Volume Licensing Agreement could When you purchase Windows 10/11 Enterprise E3 via a partner, you get the following benefits: -- **Windows 10/11 Enterprise edition**. Devices currently running Windows 10 Pro or Windows 11 Pro can get Windows 10/11 Enterprise Current Branch (CB) or Current Branch for Business (CBB). This benefit doesn't include Long Term Service Branch (LTSB). -- **Support from one to hundreds of users**. Although the Windows 10/11 Enterprise E3 in CSP program doesn't have a limitation on the number of licenses an organization can have, the program is designed for small- and medium-sized organizations. -- **Deploy on up to five devices**. For each user covered by the license, you can deploy Windows 10 Enterprise edition on up to five devices. -- **Roll back to Windows 10/11 Pro at any time**. When a user's subscription expires or is transferred to another user, the Windows 10/11 Enterprise device reverts seamlessly to Windows 10/11 Pro edition (after a grace period of up to 90 days). -- **Monthly, per-user pricing model**. This makes Windows 10/11 Enterprise E3 affordable for any organization. -- **Move licenses between users**. Licenses can be quickly and easily reallocated from one user to another user, allowing you to optimize your licensing investment against changing needs. +- **Windows 10/11 Enterprise edition**. Devices currently running Windows 10 Pro or Windows 11 Pro can get Windows 10/11 Enterprise Current Branch (CB) or Current Branch for Business (CBB). This benefit doesn't include Long Term Service Branch (LTSB). +- **Support from one to hundreds of users**. Although the Windows 10/11 Enterprise E3 in CSP program doesn't have a limitation on the number of licenses an organization can have, the program is designed for small- and medium-sized organizations. +- **Deploy on up to five devices**. For each user covered by the license, you can deploy Windows 10 Enterprise edition on up to five devices. +- **Roll back to Windows 10/11 Pro at any time**. When a user's subscription expires or is transferred to another user, the Windows 10/11 Enterprise device reverts seamlessly to Windows 10/11 Pro edition (after a grace period of up to 90 days). +- **Monthly, per-user pricing model**. This makes Windows 10/11 Enterprise E3 affordable for any organization. +- **Move licenses between users**. Licenses can be quickly and easily reallocated from one user to another user, allowing you to optimize your licensing investment against changing needs. How does the Windows 10/11 Enterprise E3 in CSP program compare with Microsoft Volume Licensing Agreements and Software Assurance? -- [Microsoft Volume Licensing](https://www.microsoft.com/licensing/default.aspx) programs are broader in scope, providing organizations with access to licensing for all Microsoft products. -- [Software Assurance](https://www.microsoft.com/Licensing/licensing-programs/software-assurance-default.aspx) provides organizations with the following categories of benefits: +- [Microsoft Volume Licensing](https://www.microsoft.com/licensing/default.aspx) programs are broader in scope, providing organizations with access to licensing for all Microsoft products. +- [Software Assurance](https://www.microsoft.com/Licensing/licensing-programs/software-assurance-default.aspx) provides organizations with the following categories of benefits: - - **Deployment and management**. These benefits include planning services, Microsoft Desktop Optimization (MDOP), Windows Virtual Desktop Access Rights, Windows-To-Go Rights, Windows Roaming Use Rights, Windows Thin PC, Windows RT Companion VDA Rights, and other benefits. - - **Training**. These benefits include training vouchers, online e-learning, and a home use program. - - **Support**. These benefits include 24x7 problem resolution support, backup capabilities for disaster recovery, System Center Global Service Monitor, and a passive secondary instance of SQL Server. - - **Specialized**. These benefits include step-up licensing availability (which enables you to migrate software from an earlier edition to a higher-level edition) and to spread license and Software Assurance payments across three equal, annual sums. + - **Deployment and management**. These benefits include planning services, Microsoft Desktop Optimization (MDOP), Windows Virtual Desktop Access Rights, Windows-To-Go Rights, Windows Roaming Use Rights, Windows Thin PC, Windows RT Companion VDA Rights, and other benefits. + - **Training**. These benefits include training vouchers, online e-learning, and a home use program. + - **Support**. These benefits include 24x7 problem resolution support, backup capabilities for disaster recovery, System Center Global Service Monitor, and a passive secondary instance of SQL Server. + - **Specialized**. These benefits include step-up licensing availability (which enables you to migrate software from an earlier edition to a higher-level edition) and to spread license and Software Assurance payments across three equal, annual sums. In addition, in Windows 10/11 Enterprise E3 in CSP, a partner can manage your licenses for you. With Software Assurance, you, the customer, manage your own licenses. @@ -60,15 +59,15 @@ In summary, the Windows 10/11 Enterprise E3 in CSP program is an upgrade offerin Windows 10 Enterprise edition has many features that are unavailable in Windows 10 Pro. Table 1 lists the Windows 10 Enterprise features not found in Windows 10 Pro. Many of these features are security-related, whereas others enable finer-grained device management. -*Table 1. Windows 10 Enterprise features not found in Windows 10 Pro* +### Table 1. Windows 10 Enterprise features not found in Windows 10 Pro |Feature|Description| |--- |--- | -|Credential Guard|Credential Guard uses virtualization-based security to help protect security secrets so that only privileged system software can access them. Examples of security secrets that can be protected include NTLM password hashes and Kerberos Ticket Granting Tickets. This protection helps prevent Pass-the-Hash or Pass-the-Ticket attacks.

    Credential Guard has the following features:

  • **Hardware-level security**. Credential Guard uses hardware platform security features (such as Secure Boot and virtualization) to help protect derived domain credentials and other secrets.
  • **Virtualization-based security**. Windows services that access derived domain credentials and other secrets run in a virtualized, protected environment that is isolated.
  • **Improved protection against persistent threats**. Credential Guard works with other technologies (for example, Device Guard) to help provide further protection against attacks, no matter how persistent.
  • **Improved manageability**. Credential Guard can be managed through Group Policy, Windows Management Instrumentation (WMI), or Windows PowerShell.

    For more information, see [Protect derived domain credentials with Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard).

    *Credential Guard requires UEFI 2.3.1 or greater with Trusted Boot; Virtualization Extensions such as Intel VT-x, AMD-V, and SLAT must be enabled; x64 version of Windows; IOMMU, such as Intel VT-d, AMD-Vi; BIOS Lockdown; TPM 2.0 recommended for device health attestation (will use software if TPM 2.0 not present)*| -|Device Guard|This feature is a combination of hardware and software security features that allows only trusted applications to run on a device. Even if an attacker manages to get control of the Windows kernel, they'll be much less likely to run executable code. Device Guard can use virtualization-based security (VBS) in Windows 10 Enterprise edition to isolate the Code Integrity service from the Windows kernel itself. With VBS, even if malware gains access to the kernel, the effects can be severely limited, because the hypervisor can prevent the malware from executing code.

    Device Guard protects in the following ways:

  • Helps protect against malware
  • Helps protect the Windows system core from vulnerability and zero-day exploits
  • Allows only trusted apps to run

    For more information, see [Introduction to Device Guard](/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control).| -|AppLocker management|This feature helps IT pros determine which applications and files users can run on a device. The applications and files that can be managed include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.

    For more information, see [AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview).| -|Application Virtualization (App-V)|This feature makes applications available to end users without installing the applications directly on users' devices. App-V transforms applications into centrally managed services that are never installed and don't conflict with other applications. This feature also helps ensure that applications are kept current with the latest security updates.

    For more information, see [Getting Started with App-V for Windows 10](/windows/application-management/app-v/appv-getting-started).| -|User Experience Virtualization (UE-V)|With this feature, you can capture user-customized Windows and application settings and store them on a centrally managed network file share.

    When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to.

    UE-V provides the following features:

  • Specify which application and Windows settings synchronize across user devices
  • Deliver the settings anytime and anywhere users work throughout the enterprise
  • Create custom templates for your third-party or line-of-business applications
  • Recover settings after hardware replacement or upgrade, or after re-imaging a virtual machine to its initial state

    For more information, see [User Experience Virtualization (UE-V) for Windows 10 overview](/windows/configuration/ue-v/uev-for-windows).| +|Credential Guard|Credential Guard uses virtualization-based security to help protect security secrets so that only privileged system software can access them. Examples of security secrets that can be protected include NTLM password hashes and Kerberos Ticket Granting Tickets. This protection helps prevent Pass-the-Hash or Pass-the-Ticket attacks.

    Credential Guard has the following features:

  • **Hardware-level security** - Credential Guard uses hardware platform security features (such as Secure Boot and virtualization) to help protect derived domain credentials and other secrets.
  • **Virtualization-based security** - Windows services that access derived domain credentials and other secrets run in a virtualized, protected environment that is isolated.
  • **Improved protection against persistent threats** - Credential Guard works with other technologies (for example, Device Guard) to help provide further protection against attacks, no matter how persistent.
  • **Improved manageability** - Credential Guard can be managed through Group Policy, Windows Management Instrumentation (WMI), or Windows PowerShell.

    For more information, see [Protect derived domain credentials with Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard).

    *Credential Guard requires UEFI 2.3.1 or greater with Trusted Boot; Virtualization Extensions such as Intel VT-x, AMD-V, and SLAT must be enabled; x64 version of Windows; IOMMU, such as Intel VT-d, AMD-Vi; BIOS Lockdown; TPM 2.0 recommended for device health attestation (will use software if TPM 2.0 not present)*| +|Device Guard|This feature is a combination of hardware and software security features that allows only trusted applications to run on a device. Even if an attacker manages to get control of the Windows kernel, they'll be much less likely to run executable code. Device Guard can use virtualization-based security (VBS) in Windows 10 Enterprise edition to isolate the Code Integrity service from the Windows kernel itself. With VBS, even if malware gains access to the kernel, the effects can be severely limited, because the hypervisor can prevent the malware from executing code.

    Device Guard protects in the following ways:
  • Helps protect against malware
  • Helps protect the Windows system core from vulnerability and zero-day exploits
  • Allows only trusted apps to run

    For more information, see [Introduction to Device Guard](/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control).| +|AppLocker management|This feature helps IT pros determine which applications and files users can run on a device. The applications and files that can be managed include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.

    For more information, see [AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview).| +|Application Virtualization (App-V)|This feature makes applications available to end users without installing the applications directly on users' devices. App-V transforms applications into centrally managed services that are never installed and don't conflict with other applications. This feature also helps ensure that applications are kept current with the latest security updates.

    For more information, see [Getting Started with App-V for Windows 10](/windows/application-management/app-v/appv-getting-started).| +|User Experience Virtualization (UE-V)|With this feature, you can capture user-customized Windows and application settings and store them on a centrally managed network file share.

    When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to.

    UE-V provides the following features:
  • Specify which application and Windows settings synchronize across user devices
  • Deliver the settings anytime and anywhere users work throughout the enterprise
  • Create custom templates for your third-party or line-of-business applications
  • Recover settings after hardware replacement or upgrade, or after re-imaging a virtual machine to its initial state

    For more information, see [User Experience Virtualization (UE-V) for Windows 10 overview](/windows/configuration/ue-v/uev-for-windows).| |Managed User Experience|This feature helps customize and lock down a Windows device's user interface to restrict it to a specific task. For example, you can configure a device for a controlled scenario such as a kiosk or classroom device. The user experience would be automatically reset once a user signs off. You can also restrict access to services including Cortana or the Windows Store, and manage Start layout options, such as:
  • Removing and preventing access to the Shut Down, Restart, Sleep, and Hibernate commands
  • Removing Log Off (the User tile) from the Start menu
  • Removing frequent programs from the Start menu
  • Removing the All Programs list from the Start menu
  • Preventing users from customizing their Start screen
  • Forcing Start menu to be either full-screen size or menu size
  • Preventing changes to Taskbar and Start menu settings| ## Deployment of Windows 10/11 Enterprise E3 licenses @@ -88,41 +87,39 @@ The following sections provide you with the high-level tasks that need to be per You can implement Credential Guard on Windows 10 Enterprise devices by turning on Credential Guard on these devices. Credential Guard uses Windows 10/11 virtualization-based security features (Hyper-V features) that must be enabled on each device before you can turn on Credential Guard. You can turn on Credential Guard by using one of the following methods: -- **Automated**. You can automatically turn on Credential Guard for one or more devices by using Group Policy. The Group Policy settings automatically add the virtualization-based security features and configure the Credential Guard registry settings on managed devices. +- **Automated**. You can automatically turn on Credential Guard for one or more devices by using Group Policy. The Group Policy settings automatically add the virtualization-based security features and configure the Credential Guard registry settings on managed devices. -- **Manual**. You can manually turn on Credential Guard by taking one of the following actions: +- **Manual**. You can manually turn on Credential Guard by taking one of the following actions: - - Add the virtualization-based security features by using Programs and Features or Deployment Image Servicing and Management (DISM). + - Add the virtualization-based security features by using Programs and Features or Deployment Image Servicing and Management (DISM). - - Configure Credential Guard registry settings by using the Registry Editor or the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). + - Configure Credential Guard registry settings by using the Registry Editor or the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). You can automate these manual steps by using a management tool such as Microsoft Configuration Manager. For more information about implementing Credential Guard, see the following resources: -- [Protect derived domain credentials with Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard) -- [PC OEM requirements for Device Guard and Credential Guard](/windows-hardware/design/device-experiences/oem-security-considerations) -- [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337) - - +- [Protect derived domain credentials with Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard) +- [PC OEM requirements for Device Guard and Credential Guard](/windows-hardware/design/device-experiences/oem-security-considerations) +- [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337) ### Device Guard Now that the devices have Windows 10/11 Enterprise, you can implement Device Guard on the Windows 10 Enterprise devices by performing the following steps: -1. **Optionally, create a signing certificate for code integrity policies**. As you deploy code integrity policies, you might need to sign catalog files or code integrity policies internally. To sign catalog files or code integrity policies internally, you'll either need a publicly issued code signing certificate (that you purchase) or an internal certificate authority (CA). If you choose to use an internal CA, you'll need to create a code signing certificate. +1. **Optionally, create a signing certificate for code integrity policies**. As you deploy code integrity policies, you might need to sign catalog files or code integrity policies internally. To sign catalog files or code integrity policies internally, you'll either need a publicly issued code signing certificate (that you purchase) or an internal certificate authority (CA). If you choose to use an internal CA, you'll need to create a code signing certificate. -2. **Create code integrity policies from "golden" computers**. When you have identified departments or roles that use distinctive or partly distinctive sets of hardware and software, you can set up "golden" computers containing that software and hardware. In this respect, creating and managing code integrity policies to align with the needs of roles or departments can be similar to managing corporate images. From each "golden" computer, you can create a code integrity policy and decide how to manage that policy. You can merge code integrity policies to create a broader policy or a master policy, or you can manage and deploy each policy individually. +2. **Create code integrity policies from "golden" computers**. When you have identified departments or roles that use distinctive or partly distinctive sets of hardware and software, you can set up "golden" computers containing that software and hardware. In this respect, creating and managing code integrity policies to align with the needs of roles or departments can be similar to managing corporate images. From each "golden" computer, you can create a code integrity policy and decide how to manage that policy. You can merge code integrity policies to create a broader policy or a master policy, or you can manage and deploy each policy individually. -3. **Audit the code integrity policy and capture information about applications that are outside the policy**. We recommend that you use "audit mode" to carefully test each code integrity policy before you enforce it. With audit mode, no application is blocked—the policy just logs an event whenever an application outside the policy is started. Later, you can expand the policy to allow these applications, as needed. +3. **Audit the code integrity policy and capture information about applications that are outside the policy**. We recommend that you use "audit mode" to carefully test each code integrity policy before you enforce it. With audit mode, no application is blocked—the policy just logs an event whenever an application outside the policy is started. Later, you can expand the policy to allow these applications, as needed. -4. **Create a "catalog file" for unsigned line-of-business (LOB) applications**. Use the Package Inspector tool to create and sign a catalog file for your unsigned LOB applications. In later steps, you can merge the catalog file's signature into your code integrity policy so that applications in the catalog will be allowed by the policy. +4. **Create a "catalog file" for unsigned line-of-business (LOB) applications**. Use the Package Inspector tool to create and sign a catalog file for your unsigned LOB applications. In later steps, you can merge the catalog file's signature into your code integrity policy so that applications in the catalog will be allowed by the policy. -5. **Capture needed policy information from the event log, and merge information into the existing policy as needed**. After a code integrity policy has been running for a time in audit mode, the event log will contain information about applications that are outside the policy. To expand the policy so that it allows for these applications, use Windows PowerShell commands to capture the needed policy information from the event log, and then merge that information into the existing policy. You can merge code integrity policies from other sources also, for flexibility in how you create your final code integrity policies. +5. **Capture needed policy information from the event log, and merge information into the existing policy as needed**. After a code integrity policy has been running for a time in audit mode, the event log will contain information about applications that are outside the policy. To expand the policy so that it allows for these applications, use Windows PowerShell commands to capture the needed policy information from the event log, and then merge that information into the existing policy. You can merge code integrity policies from other sources also, for flexibility in how you create your final code integrity policies. -6. **Deploy code integrity policies and catalog files**. After you confirm that you've completed all the preceding steps, you can begin deploying catalog files and taking code integrity policies out of audit mode. We strongly recommend that you begin this process with a test group of users. This provides a final quality-control validation before you deploy the catalog files and code integrity policies more broadly. +6. **Deploy code integrity policies and catalog files**. After you confirm that you've completed all the preceding steps, you can begin deploying catalog files and taking code integrity policies out of audit mode. We strongly recommend that you begin this process with a test group of users. This provides a final quality-control validation before you deploy the catalog files and code integrity policies more broadly. -7. **Enable desired hardware security features**. Hardware-based security features—also called virtualization-based security (VBS) features—strengthen the protections offered by code integrity policies. +7. **Enable desired hardware security features**. Hardware-based security features—also called virtualization-based security (VBS) features—strengthen the protections offered by code integrity policies. For more information about implementing Device Guard, see: @@ -139,19 +136,20 @@ For more information about AppLocker management by using Group Policy, see [AppL App-V requires an App-V server infrastructure to support App-V clients. The primary App-V components that you must have are as follows: -- **App-V server**. The App-V server provides App-V management, virtualized app publishing, app streaming, and reporting services. Each of these services can be run on one server or can be run individually on multiple servers. For example, you could have multiple streaming servers. App-V clients contact App-V servers to determine which apps are published to the user or device, and then run the virtualized app from the server. +- **App-V server**. The App-V server provides App-V management, virtualized app publishing, app streaming, and reporting services. Each of these services can be run on one server or can be run individually on multiple servers. For example, you could have multiple streaming servers. App-V clients contact App-V servers to determine which apps are published to the user or device, and then run the virtualized app from the server. -- **App-V sequencer**. The App-V sequencer is a typical client device that is used to sequence (capture) apps and prepare them for hosting from the App-V server. You install apps on the App-V sequencer, and the App-V sequencer software determines the files and registry settings that are changed during app installation. Then the sequencer captures these settings to create a virtualized app. +- **App-V sequencer**. The App-V sequencer is a typical client device that is used to sequence (capture) apps and prepare them for hosting from the App-V server. You install apps on the App-V sequencer, and the App-V sequencer software determines the files and registry settings that are changed during app installation. Then the sequencer captures these settings to create a virtualized app. -- **App-V client**. The App-V client must be enabled on any client device on which apps will be run from the App-V server. These will be the Windows 10/11 Enterprise E3 devices. +- **App-V client**. The App-V client must be enabled on any client device on which apps will be run from the App-V server. These will be the Windows 10/11 Enterprise E3 devices. For more information about implementing the App-V server, App-V sequencer, and App-V client, see the following resources: -- [Getting Started with App-V for Windows 10](/windows/application-management/app-v/appv-getting-started) -- [Deploying the App-V server](/windows/application-management/app-v/appv-deploying-the-appv-server) -- [Deploying the App-V Sequencer and Configuring the Client](/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client) +- [Getting Started with App-V for Windows 10](/windows/application-management/app-v/appv-getting-started) +- [Deploying the App-V server](/windows/application-management/app-v/appv-deploying-the-appv-server) +- [Deploying the App-V Sequencer and Configuring the Client](/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client) ### UE-V + UE-V requires server and client-side components that you'll need to download, activate, and install. These components include: - **UE-V service**. The UE-V service (when enabled on devices) monitors registered applications and Windows for any settings changes, then synchronizes those settings between devices. @@ -174,16 +172,16 @@ For more information about deploying UE-V, see the following resources: The Managed User Experience feature is a set of Windows 10 Enterprise edition features and corresponding settings that you can use to manage user experience. Table 2 describes the Managed User Experience settings (by category), which are only available in Windows 10 Enterprise edition. The management methods used to configure each feature depend on the feature. Some features are configured by using Group Policy, while others are configured by using Windows PowerShell, Deployment Image Servicing and Management (DISM), or other command-line tools. For the Group Policy settings, you must have AD DS with the Windows 10 Enterprise devices joined to your AD DS domain. -*Table 2. Managed User Experience features* +#### Table 2. Managed User Experience features | Feature | Description | |------------------|-----------------| | Start layout customization | You can deploy a customized Start layout to users in a domain. No reimaging is required, and the Start layout can be updated simply by overwriting the .xml file that contains the layout. The XML file enables you to customize Start layouts for different departments or organizations, with minimal management overhead.
    For more information on these settings, see [Customize Windows 10 Start and taskbar with Group Policy](/windows/configuration/customize-windows-10-start-screens-by-using-group-policy). | -| Unbranded boot | You can suppress Windows elements that appear when Windows starts or resumes and can suppress the crash screen when Windows encounters an error from which it can't recover.
    For more information on these settings, see [Unbranded Boot](/windows-hardware/customize/enterprise/unbranded-boot). | -| Custom logon | You can use the Custom Logon feature to suppress Windows 10 UI elements that relate to the Welcome screen and shutdown screen. For example, you can suppress all elements of the Welcome screen UI and provide a custom logon UI. You can also suppress the Blocked Shutdown Resolver (BSDR) screen and automatically end applications while the OS waits for applications to close before a shutdown.
    For more information on these settings, see [Custom Logon](/windows-hardware/customize/enterprise/custom-logon). | -| Shell launcher | Enables Assigned Access to run only a classic Windows app via Shell Launcher to replace the shell.
    For more information on these settings, see [Shell Launcher](/windows-hardware/customize/enterprise/shell-launcher). | -| Keyboard filter | You can use Keyboard Filter to suppress undesirable key presses or key combinations. Normally, users can use certain Windows key combinations like Ctrl+Alt+Delete or Ctrl+Shift+Tab to control a device by locking the screen or using Task Manager to close a running application. This isn't desirable on devices intended for a dedicated purpose.
    For more information on these settings, see [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter). | -| Unified write filter | You can use Unified Write Filter (UWF) on your device to help protect your physical storage media, including most standard writable storage types that are supported by Windows, such as physical hard disks, solid-state drives, internal USB devices, external SATA devices, and so on. You can also use UWF to make read-only media appear to the OS as a writable volume.
    For more information on these settings, see [Unified Write Filter](/windows-hardware/customize/enterprise/unified-write-filter). | +| Unbranded boot | You can suppress Windows elements that appear when Windows starts or resumes and can suppress the crash screen when Windows encounters an error from which it can't recover.
    For more information on these settings, see [Unbranded Boot](/windows-hardware/customize/enterprise/unbranded-boot). | +| Custom logon | You can use the Custom Logon feature to suppress Windows 10 UI elements that relate to the Welcome screen and shutdown screen. For example, you can suppress all elements of the Welcome screen UI and provide a custom logon UI. You can also suppress the Blocked Shutdown Resolver (BSDR) screen and automatically end applications while the OS waits for applications to close before a shutdown.
    For more information on these settings, see [Custom Logon](/windows-hardware/customize/enterprise/custom-logon). | +| Shell launcher | Enables Assigned Access to run only a classic Windows app via Shell Launcher to replace the shell.
    For more information on these settings, see [Shell Launcher](/windows-hardware/customize/enterprise/shell-launcher). | +| Keyboard filter | You can use Keyboard Filter to suppress undesirable key presses or key combinations. Normally, users can use certain Windows key combinations like Ctrl+Alt+Delete or Ctrl+Shift+Tab to control a device by locking the screen or using Task Manager to close a running application. This isn't desirable on devices intended for a dedicated purpose.
    For more information on these settings, see [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter). | +| Unified write filter | You can use Unified Write Filter (UWF) on your device to help protect your physical storage media, including most standard writable storage types that are supported by Windows, such as physical hard disks, solid-state drives, internal USB devices, external SATA devices, and so on. You can also use UWF to make read-only media appear to the OS as a writable volume.
    For more information on these settings, see [Unified Write Filter](/windows-hardware/customize/enterprise/unified-write-filter). | ## Related articles diff --git a/windows/deployment/windows-10-media.md b/windows/deployment/windows-10-media.md index 6668d42e52..66d08877b8 100644 --- a/windows/deployment/windows-10-media.md +++ b/windows/deployment/windows-10-media.md @@ -3,7 +3,7 @@ title: Windows 10 volume license media description: Learn about volume license media in Windows 10, and channels such as the Volume License Service Center (VLSC). ms.prod: windows-client ms.localizationpriority: medium -ms.date: 10/31/2022 +ms.date: 11/23/2022 ms.reviewer: manager: aaroncz ms.author: frankroj @@ -14,9 +14,9 @@ ms.technology: itpro-deploy # Windows 10 volume license media -**Applies to** +*Applies to:* -- Windows 10 +- Windows 10 With each release of Windows 10, volume license media is made available on the [Volume Licensing Service Center](https://www.microsoft.com/vlsc) (VLSC) and other relevant channels such as Windows Update for Business, Windows Server Update Services (WSUS), and Visual Studio Subscriptions. This article provides a description of volume license media, and describes some of the changes that have been implemented with the current release of Windows 10. @@ -29,7 +29,7 @@ When you select a product, for example "Windows 10 Enterprise" or "Windows 10 Ed > [!NOTE] > If you do not see a Windows 10 release available in the list of downloads, verify the [release date](https://technet.microsoft.com/windows/release-info.aspx). -Instead of having separate media and packages for Windows 10 Pro (volume licensing version), Windows 10 Enterprise, and Windows 10 Education, all three are bundled together. +Instead of having separate media and packages for Windows 10 Pro (volume licensing version), Windows 10 Enterprise, and Windows 10 Education, all three are bundled together. ### Language packs @@ -47,4 +47,4 @@ Features on demand is a method for adding features to your Windows 10 image that
    [Volume Activation for Windows 10](./volume-activation/volume-activation-windows-10.md)
    [Plan for volume activation](./volume-activation/plan-for-volume-activation-client.md)
    [VLSC downloads FAQ](https://www.microsoft.com/Licensing/servicecenter/Help/FAQDetails.aspx?id=150) -
    [Download and burn an ISO file on the volume licensing site (VLSC)](/troubleshoot/windows-client/deployment/iso-file-on-vlsc) \ No newline at end of file +
    [Download and burn an ISO file on the volume licensing site (VLSC)](/troubleshoot/windows-client/deployment/iso-file-on-vlsc) diff --git a/windows/deployment/windows-10-missing-fonts.md b/windows/deployment/windows-10-missing-fonts.md index 3c0da5a490..364c23a213 100644 --- a/windows/deployment/windows-10-missing-fonts.md +++ b/windows/deployment/windows-10-missing-fonts.md @@ -7,12 +7,12 @@ author: frankroj ms.author: frankroj manager: aaroncz ms.topic: article -ms.date: 10/31/2022 +ms.date: 11/23/2022 ms.technology: itpro-deploy --- # How to install fonts that are missing after upgrading to Windows client -**Applies to** +*Applies to:* - Windows 10 - Windows 11 @@ -36,7 +36,7 @@ For example, if you've an English, French, German, or Spanish version of Windows If you want to use these fonts, you can enable the optional feature to add them back to your system. The removal of these fonts is a permanent change in behavior for Windows client, and it will remain this way in future releases. -## Installing language-associated features via language settings: +## Installing language-associated features via language settings If you want to use the fonts from the optional feature and you know that you'll want to view Web pages, edit documents, or use apps in the language associated with that feature, add that language into your user profile. Use the Settings app. @@ -57,7 +57,7 @@ Once you've added Hebrew to your language list, then the optional Hebrew font fe > [!NOTE] > The optional features are installed by Windows Update. You need to be online for the Windows Update service to work. -## Install optional fonts manually without changing language settings: +## Install optional fonts manually without changing language settings If you want to use fonts in an optional feature but don't need to search web pages, edit documents, or use apps in the associated language, you can install the optional font features manually without changing your language settings. diff --git a/windows/deployment/windows-10-poc-mdt.md b/windows/deployment/windows-10-poc-mdt.md index 89f8d25fe4..3741412fbb 100644 --- a/windows/deployment/windows-10-poc-mdt.md +++ b/windows/deployment/windows-10-poc-mdt.md @@ -3,7 +3,7 @@ title: Step by step - Deploy Windows 10 in a test lab using MDT description: In this article, you'll learn how to deploy Windows 10 in a test lab using Microsoft Deployment Toolkit (MDT). ms.prod: windows-client ms.localizationpriority: medium -ms.date: 10/31/2022 +ms.date: 11/23/2022 ms.reviewer: manager: aaroncz ms.author: frankroj @@ -14,23 +14,26 @@ ms.technology: itpro-deploy # Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit -**Applies to** +*Applies to:* -- Windows 10 +- Windows 10 > [!IMPORTANT] -> This guide leverages the proof of concept (PoC) environment configured using procedures in the following guide: -- [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md) - -Complete all steps in the prerequisite guide before starting this guide. This guide requires about 5 hours to complete, but can require less time or more time depending on the speed of the Hyper-V host. After completing the current guide, also see the companion guide: -- [Deploy Windows 10 in a test lab using Microsoft Configuration Manager](windows-10-poc-sc-config-mgr.md) +> This guide leverages the proof of concept (PoC) environment configured using procedures in the following guide: +> +> [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md) +> +> Complete all steps in the prerequisite guide before starting this guide. This guide requires about 5 hours to complete, but can require less time or more time depending on the speed of the Hyper-V host. After completing the current guide, also see the companion guide: +> +> [Deploy Windows 10 in a test lab using Microsoft Configuration Manager](windows-10-poc-sc-config-mgr.md) The PoC environment is a virtual network running on Hyper-V with three virtual machines (VMs): + - **DC1**: A contoso.com domain controller, DNS server, and DHCP server. - **SRV1**: A dual-homed contoso.com domain member server, DNS server, and default gateway providing NAT service for the PoC network. - **PC1**: A contoso.com member computer running Windows 7, Windows 8, or Windows 8.1 that has been shadow-copied from a physical computer on your corporate network. -This guide uses the Hyper-V server role. If you don't complete all steps in a single session, consider using [checkpoints](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn818483(v=ws.11)) and [saved states](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee247418(v=ws.10)) to pause, resume, or restart your work. +This guide uses the Hyper-V server role. If you don't complete all steps in a single session, consider using [checkpoints](/virtualization/hyper-v-on-windows/user-guide/checkpoints) to pause, resume, or restart your work. ## In this guide @@ -50,10 +53,13 @@ Topics and procedures in this guide are summarized in the following table. An es ## About MDT -MDT performs deployments by using the Lite Touch Installation (LTI), Zero Touch Installation (ZTI), and User-Driven Installation (UDI) deployment methods. +MDT performs deployments by using the Lite Touch Installation (LTI), Zero Touch Installation (ZTI), and User-Driven Installation (UDI) deployment methods. + - LTI is the deployment method used in the current guide, requiring only MDT and performed with a minimum amount of user interaction. + - ZTI is fully automated, requiring no user interaction and is performed using MDT and Microsoft Configuration Manager. After completing the steps in the current guide, see [Step by step: Deploy Windows 10 in a test lab using Microsoft Configuration Manager](windows-10-poc-sc-config-mgr.md) to use the ZTI deployment method in the PoC environment. -- UDI requires manual intervention to respond to installation prompts such as machine name, password and language settings. UDI requires MDT and Microsoft Configuration Manager. + +- UDI requires manual intervention to respond to installation prompts such as machine name, password and language settings. UDI requires MDT and Microsoft Configuration Manager. ## Install MDT @@ -80,11 +86,12 @@ MDT performs deployments by using the Lite Touch Installation (LTI), Zero Touch A reference image serves as the foundation for Windows 10 devices in your organization. -1. In [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md), the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1. To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and type the following command: +1. In [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md), the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1. To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and enter the following command: ```powershell Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\w10-enterprise.iso ``` + 2. On SRV1, verify that the Windows Enterprise installation DVD is mounted as drive letter D. 3. The Windows 10 Enterprise installation files will be used to create a deployment share on SRV1 using the MDT deployment workbench. To open the deployment workbench, select **Start**, type **deployment**, and then select **Deployment Workbench**. @@ -108,7 +115,7 @@ A reference image serves as the foundation for Windows 10 devices in your organi 9. Right-click the **Windows 10** folder created in the previous step, and then select **Import Operating System**. -10. Use the following settings for the Import Operating System Wizard: +10. Use the following settings for the Import Operating System Wizard: - OS Type: **Full set of source files**
    - Source: **D:\\**
    - Destination: **W10Ent_x64**
    @@ -119,6 +126,7 @@ A reference image serves as the foundation for Windows 10 devices in your organi For purposes of this test lab, we'll only add the prerequisite .NET Framework feature. Commercial applications (ex: Microsoft Office) won't be added to the deployment share. For information about adding applications, see the [Add applications](./deploy-windows-mdt/create-a-windows-10-reference-image.md#add-applications) section of the [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) article. 11. The next step is to create a task sequence to reference the operating system that was imported. To create a task sequence, right-click the **Task Sequences** node and then select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: + - Task sequence ID: **REFW10X64-001**
    - Task sequence name: **Windows 10 Enterprise x64 Default Image**
    - Task sequence comments: **Reference Build**
    @@ -143,7 +151,7 @@ A reference image serves as the foundation for Windows 10 devices in your organi 16. Under **Select the roles and features that should be installed**, select **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** and then select **Apply**. 17. Enable Windows Update in the task sequence by clicking the **Windows Update (Post-Application Installation)** step, clicking the **Options** tab, and clearing the **Disable this step** checkbox. - + > [!NOTE] > Since we are not installing applications in this test lab, there is no need to enable the Windows Update Pre-Application Installation step. However, you should enable this step if you are also installing applications. @@ -153,7 +161,7 @@ A reference image serves as the foundation for Windows 10 devices in your organi 20. Replace the default rules with the following text: - ```text + ```ini [Settings] Priority=Default @@ -188,7 +196,7 @@ A reference image serves as the foundation for Windows 10 devices in your organi 21. Select **Apply** and then select **Edit Bootstrap.ini**. Replace the contents of the Bootstrap.ini file with the following text, and save the file: - ```text + ```ini [Settings] Priority=Default @@ -211,7 +219,7 @@ A reference image serves as the foundation for Windows 10 devices in your organi > [!TIP] > To copy the file, right-click the **LiteTouchPE_x86.iso** file and click **Copy** on SRV1, then open the **c:\VHD** folder on the Hyper-V host, right-click inside the folder and click **Paste**. -26. Open a Windows PowerShell prompt on the Hyper-V host computer and type the following commands: +26. Open a Windows PowerShell prompt on the Hyper-V host computer and enter the following commands: ```powershell New-VM REFW10X64-001 -SwitchName poc-internal -NewVHDPath "c:\VHD\REFW10X64-001.vhdx" -NewVHDSizeBytes 60GB @@ -221,21 +229,21 @@ A reference image serves as the foundation for Windows 10 devices in your organi vmconnect localhost REFW10X64-001 ``` - The VM will require a few minutes to prepare devices and boot from the LiteTouchPE_x86.iso file. + The VM will require a few minutes to prepare devices and boot from the LiteTouchPE_x86.iso file. 27. In the Windows Deployment Wizard, select **Windows 10 Enterprise x64 Default Image**, and then select **Next**. 28. Accept the default values on the Capture Image page, and select **Next**. Operating system installation will complete after 5 to 10 minutes, and then the VM will reboot automatically. Allow the system to boot normally (don't press a key). The process is fully automated. - Additional system restarts will occur to complete updating and preparing the operating system. Setup will complete the following procedures: + Additional system restarts will occur to complete updating and preparing the operating system. Setup will complete the following procedures: - - Install the Windows 10 Enterprise operating system. - - Install added applications, roles, and features. - - Update the operating system using Windows Update (or WSUS if optionally specified). - - Stage Windows PE on the local disk. - - Run System Preparation (Sysprep) and reboot into Windows PE. - - Capture the installation to a Windows Imaging (WIM) file. - - Turn off the virtual machine.

    + - Install the Windows 10 Enterprise operating system. + - Install added applications, roles, and features. + - Update the operating system using Windows Update (or WSUS if optionally specified). + - Stage Windows PE on the local disk. + - Run System Preparation (Sysprep) and reboot into Windows PE. + - Capture the installation to a Windows Imaging (WIM) file. + - Turn off the virtual machine.

    This step requires from 30 minutes to 2 hours, depending on the speed of the Hyper-V host. After some time, you'll have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep. The image is located in the C:\MDTBuildLab\Captures folder on your deployment server (SRV1). The file name is **REFW10X64-001.wim**. @@ -244,6 +252,7 @@ A reference image serves as the foundation for Windows 10 devices in your organi This procedure will demonstrate how to deploy the reference image to the PoC environment using MDT. 1. On SRV1, open the MDT Deployment Workbench console, right-click **Deployment Shares**, and then select **New Deployment Share**. Use the following values in the New Deployment Share Wizard: + - **Deployment share path**: C:\MDTProd - **Share name**: MDTProd$ - **Deployment share description**: MDT Production @@ -259,7 +268,7 @@ This procedure will demonstrate how to deploy the reference image to the PoC env 6. On the Image page, browse to the **C:\MDTBuildLab\Captures\REFW10X64-001.wim** file created in the previous procedure, select **Open**, and then select **Next**. -7. On the Setup page, select **Copy Windows 7, Windows Server 2008 R2, or later setup files from the specified path**. +7. On the Setup page, select **Copy Windows 7, Windows Server 2008 R2, or later setup files from the specified path**. 8. Under **Setup source directory**, browse to **C:\MDTBuildLab\Operating Systems\W10Ent_x64** select **OK** and then select **Next**. @@ -274,6 +283,7 @@ This procedure will demonstrate how to deploy the reference image to the PoC env 1. Using the Deployment Workbench, right-click **Task Sequences** under the **MDT Production** node, select **New Folder** and create a folder with the name: **Windows 10**. 2. Right-click the **Windows 10** folder created in the previous step, and then select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: + - Task sequence ID: W10-X64-001 - Task sequence name: Windows 10 Enterprise x64 Custom Image - Task sequence comments: Production Image @@ -282,22 +292,23 @@ This procedure will demonstrate how to deploy the reference image to the PoC env - Specify Product Key: Don't specify a product key at this time - Full Name: Contoso - Organization: Contoso - - Internet Explorer home page: http://www.contoso.com - - Admin Password: pass@word1 - + - Internet Explorer home page: `http://www.contoso.com` + - Admin Password: pass@word1 + ### Configure the MDT production deployment share -1. On SRV1, open an elevated Windows PowerShell prompt and type the following commands: +1. On SRV1, open an elevated Windows PowerShell prompt and enter the following commands: ```powershell copy-item "C:\Program Files\Microsoft Deployment Toolkit\Templates\Bootstrap.ini" C:\MDTProd\Control\Bootstrap.ini -Force copy-item "C:\Program Files\Microsoft Deployment Toolkit\Templates\CustomSettings.ini" C:\MDTProd\Control\CustomSettings.ini -Force - ``` + ``` + 2. In the Deployment Workbench console on SRV1, right-click the **MDT Production** deployment share and then select **Properties**. 3. Select the **Rules** tab and replace the rules with the following text (don't select OK yet): - ```text + ```ini [Settings] Priority=Default @@ -341,13 +352,13 @@ This procedure will demonstrate how to deploy the reference image to the PoC env If desired, edit the following line to include or exclude other users when migrating settings. Currently, the command is set to user exclude (`ue`) all users except for CONTOSO users specified by the user include option (ui): - ```console + ```cmd ScanStateArgs=/ue:*\* /ui:CONTOSO\* ``` For example, to migrate **all** users on the computer, replace this line with the following line: - ```console + ```cmd ScanStateArgs=/all ``` @@ -355,7 +366,7 @@ This procedure will demonstrate how to deploy the reference image to the PoC env 4. Select **Edit Bootstap.ini** and replace text in the file with the following text: - ```text + ```ini [Settings] Priority=Default @@ -367,7 +378,7 @@ This procedure will demonstrate how to deploy the reference image to the PoC env SkipBDDWelcome=YES ``` -5. Select **OK** when finished. +5. Select **OK** when finished. ### Update the deployment share @@ -391,9 +402,9 @@ This procedure will demonstrate how to deploy the reference image to the PoC env 1. Initialize Windows Deployment Services (WDS) by typing the following command at an elevated Windows PowerShell prompt on SRV1: - ```powershell - WDSUTIL /Verbose /Progress /Initialize-Server /Server:SRV1 /RemInst:"C:\RemoteInstall" - WDSUTIL /Set-Server /AnswerClients:All + ```cmd + WDSUTIL.exe /Verbose /Progress /Initialize-Server /Server:SRV1 /RemInst:"C:\RemoteInstall" + WDSUTIL.exe /Set-Server /AnswerClients:All ``` 2. Select **Start**, type **Windows Deployment**, and then select **Windows Deployment Services**. @@ -404,12 +415,12 @@ This procedure will demonstrate how to deploy the reference image to the PoC env ### Deploy the client image -1. Before using WDS to deploy a client image, you must temporarily disable the external network adapter on SRV1. This configuration is just an artifact of the lab environment. In a typical deployment environment WDS wouldn't be installed on the default gateway. +1. Before using WDS to deploy a client image, you must temporarily disable the external network adapter on SRV1. This configuration is just an artifact of the lab environment. In a typical deployment environment WDS wouldn't be installed on the default gateway. > [!NOTE] - > Do not disable the *internal* network interface. To quickly view IP addresses and interface names configured on the VM, type **Get-NetIPAddress | ft interfacealias, ipaddress** + > Do not disable the *internal* network interface. To quickly view IP addresses and interface names configured on the VM, enter **`Get-NetIPAddress | ft interfacealias, ipaddress** in a PowerShell prompt. - Assuming the external interface is named "Ethernet 2", to disable the *external* interface on SRV1, open a Windows PowerShell prompt on SRV1 and type the following command: + Assuming the external interface is named "Ethernet 2", to disable the *external* interface on SRV1, open a Windows PowerShell prompt on SRV1 and enter the following command: ```powershell Disable-NetAdapter "Ethernet 2" -Confirm:$false @@ -417,7 +428,7 @@ This procedure will demonstrate how to deploy the reference image to the PoC env >Wait until the disable-netadapter command completes before proceeding. -2. Next, switch to the Hyper-V host and open an elevated Windows PowerShell prompt. Create a generation 2 VM on the Hyper-V host that will load its OS using PXE. To create this VM, type the following commands at an elevated Windows PowerShell prompt: +2. Next, switch to the Hyper-V host and open an elevated Windows PowerShell prompt. Create a generation 2 VM on the Hyper-V host that will load its OS using PXE. To create this VM, enter the following commands at an elevated Windows PowerShell prompt: ```powershell New-VM -Name "PC2" -NewVHDPath "c:\vhd\pc2.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2 @@ -437,7 +448,7 @@ This procedure will demonstrate how to deploy the reference image to the PoC env 5. In the Windows Deployment Wizard, choose the **Windows 10 Enterprise x64 Custom Image** and then select **Next**. -6. After MDT lite touch installation has started, be sure to re-enable the external network adapter on SRV1. Re-enabling the external network adapter is needed so the client can use Windows Update after operating system installation is complete. To re-enable the external network interface, open an elevated Windows PowerShell prompt on SRV1 and type the following command: +6. After MDT lite touch installation has started, be sure to re-enable the external network adapter on SRV1. Re-enabling the external network adapter is needed so the client can use Windows Update after operating system installation is complete. To re-enable the external network interface, open an elevated Windows PowerShell prompt on SRV1 and enter the following command: ```powershell Enable-NetAdapter "Ethernet 2" @@ -453,7 +464,7 @@ This completes the demonstration of how to deploy a reference image to the netwo ## Refresh a computer with Windows 10 -This section will demonstrate how to export user data from an existing client computer, wipe the computer, install a new operating system, and then restore user data and settings. The scenario will use PC1, a computer that was cloned from a physical device to a VM, as described in [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md). +This section will demonstrate how to export user data from an existing client computer, wipe the computer, install a new operating system, and then restore user data and settings. The scenario will use PC1, a computer that was cloned from a physical device to a VM, as described in [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md). 1. If the PC1 VM isn't already running, then start and connect to it: @@ -462,7 +473,7 @@ This section will demonstrate how to export user data from an existing client co vmconnect localhost PC1 ``` -2. Switch back to the Hyper-V host and create a checkpoint for the PC1 VM so that it can easily be reverted to its current state for troubleshooting purposes and performing additional scenarios. Checkpoints are also known as snapshots. To create a checkpoint for the PC1 VM, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: +2. Switch back to the Hyper-V host and create a checkpoint for the PC1 VM so that it can easily be reverted to its current state for troubleshooting purposes and performing additional scenarios. Checkpoints are also known as snapshots. To create a checkpoint for the PC1 VM, enter the following command at an elevated Windows PowerShell prompt on the Hyper-V host: ```powershell Checkpoint-VM -Name PC1 -SnapshotName BeginState @@ -472,10 +483,10 @@ This section will demonstrate how to export user data from an existing client co Specify **contoso\administrator** as the user name to ensure you don't sign on using the local administrator account. You must sign in with this account so that you have access to the deployment share. -4. Open an elevated command prompt on PC1 and type the following command: +4. Open an elevated command prompt on PC1 and enter the following command: - ```console - cscript \\SRV1\MDTProd$\Scripts\Litetouch.vbs + ```cmd + cscript.exe \\SRV1\MDTProd$\Scripts\Litetouch.vbs ``` > [!NOTE] @@ -498,13 +509,13 @@ This section will demonstrate how to export user data from an existing client co 8. Sign in with the CONTOSO\Administrator account and verify that all CONTOSO domain user accounts and data have been migrated to the new operating system, or other user accounts as specified [previously](#configure-the-mdt-production-deployment-share). -9. Create another checkpoint for the PC1 VM so that you can review results of the computer refresh later. To create a checkpoint, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: +9. Create another checkpoint for the PC1 VM so that you can review results of the computer refresh later. To create a checkpoint, enter the following command at an elevated Windows PowerShell prompt on the Hyper-V host: ```powershell Checkpoint-VM -Name PC1 -SnapshotName RefreshState ``` -10. Restore the PC1 VM to its previous state in preparation for the replace procedure. To restore a checkpoint, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: +10. Restore the PC1 VM to its previous state in preparation for the replace procedure. To restore a checkpoint, enter the following command at an elevated Windows PowerShell prompt on the Hyper-V host: ```powershell Restore-VMSnapshot -VMName PC1 -Name BeginState -Confirm:$false @@ -516,15 +527,18 @@ This section will demonstrate how to export user data from an existing client co ## Replace a computer with Windows 10 -At a high level, the computer replace process consists of:
    +At a high level, the computer replace process consists of: + - A special replace task sequence that runs the USMT backup and an optional full Windows Imaging (WIM) backup.
    - A standard OS deployment on a new computer. At the end of the deployment, the USMT backup from the old computer is restored. ### Create a backup-only task sequence 1. On SRV1, in the deployment workbench console, right-click the MDT Production deployment share, select **Properties**, select the **Rules** tab, and change the line **SkipUserData=YES** to **SkipUserData=NO**. + 2. Select **OK**, right-click **MDT Production**, select **Update Deployment Share** and accept the default options in the wizard to update the share. -3. Type the following commands at an elevated Windows PowerShell prompt on SRV1: + +3. enter the following commands at an elevated Windows PowerShell prompt on SRV1: ```powershell New-Item -Path C:\MigData -ItemType directory @@ -533,45 +547,56 @@ At a high level, the computer replace process consists of:
    ``` 4. On SRV1 in the deployment workbench, under **MDT Production**, right-click the **Task Sequences** node, and select **New Folder**. + 5. Name the new folder **Other**, and complete the wizard using default options. + 6. Right-click the **Other** folder and then select **New Task Sequence**. Use the following values in the wizard: + - **Task sequence ID**: REPLACE-001 - **Task sequence name**: Backup Only Task Sequence - **Task sequence comments**: Run USMT to back up user data and settings - **Template**: Standard Client Replace Task Sequence (note: this template isn't the default template) + 7. Accept defaults for the rest of the wizard and then select **Finish**. The replace task sequence will skip OS selection and settings. -8. Open the new task sequence that was created and review it. Note the type of capture and backup tasks that are present. Select **OK** when you're finished reviewing the task sequence. + +8. Open the new task sequence that was created and review it. Note the enter of capture and backup tasks that are present. Select **OK** when you're finished reviewing the task sequence. ### Run the backup-only task sequence -1. If you aren't already signed on to PC1 as **contoso\administrator**, sign in using this account. To verify the currently signed in account, type the following command at an elevated command prompt: +1. If you aren't already signed on to PC1 as **contoso\administrator**, sign in using this account. To verify the currently signed in account, enter the following command at an elevated command prompt: - ```console - whoami + ```cmd + whoami.exe ``` -2. To ensure a clean environment before running the backup task sequence, type the following commands at an elevated Windows PowerShell prompt on PC1: + +2. To ensure a clean environment before running the backup task sequence, enter the following commands at an elevated Windows PowerShell prompt on PC1: ```powershell Remove-Item c:\minint -recurse Remove-Item c:\_SMSTaskSequence -recurse Restart-Computer ``` -3. Sign in to PC1 using the contoso\administrator account, and then type the following command at an elevated command prompt: - ```console - cscript \\SRV1\MDTProd$\Scripts\Litetouch.vbs +3. Sign in to PC1 using the contoso\administrator account, and then enter the following command at an elevated command prompt: + + ```cmd + cscript.exe \\SRV1\MDTProd$\Scripts\Litetouch.vbs ``` 4. Complete the deployment wizard using the following settings: + - **Task Sequence**: Backup Only Task Sequence - **User Data**: Specify a location: **\\\\SRV1\MigData$\PC1** - **Computer Backup**: Don't back up the existing computer. + 5. While the task sequence is running on PC1, open the deployment workbench console on SRV1 and select the **Monitoring* node. Press F5 to refresh the console, and view the status of current tasks. + 6. On PC1, verify that **The user state capture was completed successfully** is displayed, and select **Finish** when the capture is complete. + 7. On SRV1, verify that the file **USMT.MIG** was created in the **C:\MigData\PC1\USMT** directory. See the following example: - ```powershell - PS C:\> dir C:\MigData\PC1\USMT + ```cmd + dir C:\MigData\PC1\USMT Directory: C:\MigData\PC1\USMT @@ -580,16 +605,16 @@ At a high level, the computer replace process consists of:
    -a--- 9/6/2016 11:34 AM 14248685 USMT.MIG ``` -### Deploy PC3 +### Deploy PC3 -1. On the Hyper-V host, type the following commands at an elevated Windows PowerShell prompt: +1. On the Hyper-V host, enter the following commands at an elevated Windows PowerShell prompt: ```powershell New-VM -Name "PC3" -NewVHDPath "c:\vhd\pc3.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2 Set-VMMemory -VMName "PC3" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes 2048MB -Buffer 20 ``` -2. Temporarily disable the external network adapter on SRV1 again, so that we can successfully boot PC3 from WDS. To disable the adapter, type the following command at an elevated Windows PowerShell prompt on SRV1: +2. Temporarily disable the external network adapter on SRV1 again, so that we can successfully boot PC3 from WDS. To disable the adapter, enter the following command at an elevated Windows PowerShell prompt on SRV1: ```powershell Disable-NetAdapter "Ethernet 2" -Confirm:$false @@ -628,6 +653,7 @@ At a high level, the computer replace process consists of:
    ## Troubleshooting logs, events, and utilities Deployment logs are available on the client computer in the following locations: + - Before the image is applied: X:\MININT\SMSOSD\OSDLOGS - After the system drive has been formatted: C:\MININT\SMSOSD\OSDLOGS - After deployment: %WINDIR%\TEMP\DeploymentLogs diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md index f7ecaa8853..46c6a2b39c 100644 --- a/windows/deployment/windows-10-poc-sc-config-mgr.md +++ b/windows/deployment/windows-10-poc-sc-config-mgr.md @@ -9,16 +9,16 @@ manager: aaroncz ms.author: frankroj author: frankroj ms.topic: tutorial -ms.date: 10/31/2022 +ms.date: 11/23/2022 --- # Deploy Windows 10 in a test lab using Configuration Manager -*Applies to* +*Applies to:* - Windows 10 -> [!Important] +> [!IMPORTANT] > This guide uses the proof of concept (PoC) environment, and some settings that are configured in the following guides: > > - [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md) @@ -59,7 +59,7 @@ The procedures in this guide are summarized in the following table. An estimate ## Install prerequisites -1. Before installing Microsoft Configuration Manager, we must install prerequisite services and features. Type the following command at an elevated Windows PowerShell prompt on SRV1: +1. Before installing Microsoft Configuration Manager, we must install prerequisite services and features. Enter the following command at an elevated Windows PowerShell prompt on SRV1: ```powershell Install-WindowsFeature Web-Windows-Auth,Web-ISAPI-Ext,Web-Metabase,Web-WMI,BITS,RDC,NET-Framework-Features,Web-Asp-Net,Web-Asp-Net45,NET-HTTP-Activation,NET-Non-HTTP-Activ @@ -69,7 +69,7 @@ The procedures in this guide are summarized in the following table. An estimate > If the request to add features fails, retry the installation by typing the command again. 2. Download [SQL Server 2014 SP2](https://www.microsoft.com/evalcenter/evaluate-sql-server-2014-sp2) from the Microsoft Evaluation Center as an .ISO file on the Hyper-V host computer. Save the file to the **C:\VHD** directory. -3. When you've downloaded the file **SQLServer2014SP2-FullSlipstream-x64-ENU.iso** and placed it in the C:\VHD directory, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: +3. When you've downloaded the file **SQLServer2014SP2-FullSlipstream-x64-ENU.iso** and placed it in the C:\VHD directory, enter the following command at an elevated Windows PowerShell prompt on the Hyper-V host: ```powershell Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\SQLServer2014SP2-FullSlipstream-x64-ENU.iso @@ -77,15 +77,15 @@ The procedures in this guide are summarized in the following table. An estimate This command mounts the .ISO file to drive D on SRV1. -4. Type the following command at an elevated Windows PowerShell prompt on SRV1 to install SQL Server: +4. Enter the following command at an elevated Windows PowerShell prompt on SRV1 to install SQL Server: - ```powershell + ```cmd D:\setup.exe /q /ACTION=Install /ERRORREPORTING="False" /FEATURES=SQLENGINE,RS,IS,SSMS,TOOLS,ADV_SSMS,CONN /INSTANCENAME=MSSQLSERVER /INSTANCEDIR="C:\Program Files\Microsoft SQL Server" /SQLSVCACCOUNT="NT AUTHORITY\System" /SQLSYSADMINACCOUNTS="BUILTIN\ADMINISTRATORS" /SQLSVCSTARTUPTYPE=Automatic /AGTSVCACCOUNT="NT AUTHORITY\SYSTEM" /AGTSVCSTARTUPTYPE=Automatic /RSSVCACCOUNT="NT AUTHORITY\System" /RSSVCSTARTUPTYPE=Automatic /ISSVCACCOUNT="NT AUTHORITY\System" /ISSVCSTARTUPTYPE=Disabled /ASCOLLATION="Latin1_General_CI_AS" /SQLCOLLATION="SQL_Latin1_General_CP1_CI_AS" /TCPENABLED="1" /NPENABLED="1" /IAcceptSQLServerLicenseTerms ``` Installation will take several minutes. When installation is complete, the following output will be displayed: - ```dos + ```console Microsoft (R) SQL Server 2014 12.00.5000.00 Copyright (c) Microsoft Corporation. All rights reserved. @@ -99,10 +99,9 @@ The procedures in this guide are summarized in the following table. An estimate Success One or more affected files have operations pending. You should restart your computer to complete this process. - PS C:\> ``` -5. Type the following commands at an elevated Windows PowerShell prompt on SRV1: +5. Enter the following commands at an elevated Windows PowerShell prompt on SRV1: ```powershell New-NetFirewallRule -DisplayName "SQL Server" -Direction Inbound -Protocol TCP -LocalPort 1433 -Action allow @@ -124,13 +123,13 @@ The procedures in this guide are summarized in the following table. An estimate Stop-Process -Name Explorer ``` -1. Download [Microsoft Configuration Manager (current branch)](https://www.microsoft.com/evalcenter/evaluate-microsoft-endpoint-configuration-manager) and extract the contents on SRV1. +2. Download [Microsoft Configuration Manager (current branch)](https://www.microsoft.com/evalcenter/evaluate-microsoft-endpoint-configuration-manager) and extract the contents on SRV1. -1. Open the file, enter **C:\configmgr** for **Unzip to folder**, and select **Unzip**. The `C:\configmgr` directory will be automatically created. Select **OK** and then close the **WinZip Self-Extractor** dialog box when finished. +3. Open the file, enter **C:\configmgr** for **Unzip to folder**, and select **Unzip**. The `C:\configmgr` directory will be automatically created. Select **OK** and then close the **WinZip Self-Extractor** dialog box when finished. -1. Before starting the installation, verify that WMI is working on SRV1. See the following examples. Verify that **Running** is displayed under **Status** and **True** is displayed next to **TcpTestSucceeded**: +4. Before starting the installation, verify that WMI is working on SRV1. See the following examples. Verify that **Running** is displayed under **Status** and **True** is displayed next to **TcpTestSucceeded**: - ```dos + ```powershell Get-Service Winmgmt Status Name DisplayName @@ -157,36 +156,48 @@ The procedures in this guide are summarized in the following table. An estimate If the WMI service isn't started, attempt to start it or reboot the computer. If WMI is running but errors are present, see [WMIDiag](https://blogs.technet.microsoft.com/askperf/2015/05/12/wmidiag-2-2-is-here/) for troubleshooting information. -1. To extend the Active Directory schema, type the following command at an elevated Windows PowerShell prompt: +5. To extend the Active Directory schema, enter the following command at an elevated Windows PowerShell prompt: - ```powershell - cmd /c C:\configmgr\SMSSETUP\BIN\X64\extadsch.exe + ```cmd + C:\configmgr\SMSSETUP\BIN\X64\extadsch.exe ``` -1. Temporarily switch to the DC1 VM, and type the following command at an elevated command prompt on DC1: +6. Temporarily switch to the DC1 VM, and enter the following command at an elevated command prompt on DC1: - ```dos + ```cmd adsiedit.msc ``` -1. Right-click **ADSI Edit**, select **Connect to**, select **Default (Domain or server that you logged in to)** under **Computer** and then select **OK**. -1. Expand **Default naming context**>**DC=contoso,DC=com**, and then in the console tree right-click **CN=System**, point to **New**, and then select **Object**. -1. Select **container** and then select **Next**. -1. Next to **Value**, type **System Management**, select **Next**, and then select **Finish**. -1. Right-click **CN=system Management** and then select **Properties**. -1. On the **Security** tab, select **Add**, select **Object Types**, select **Computers**, and select **OK**. -1. Under **Enter the object names to select**, type **SRV1** and select **OK**. -1. The **SRV1** computer account will be highlighted, select **Allow** next to **Full control**. -1. Select **Advanced**, select **SRV1 (CONTOSO\SRV1$)** and select **Edit**. -1. Next to **Applies to**, choose **This object and all descendant objects**, and then select **OK** three times. -1. Close the ADSI Edit console and switch back to SRV1. -1. To start Configuration Manager installation, type the following command at an elevated Windows PowerShell prompt on SRV1: +7. Right-click **ADSI Edit**, select **Connect to**, select **Default (Domain or server that you logged in to)** under **Computer** and then select **OK**. - ```powershell - cmd /c C:\configmgr\SMSSETUP\BIN\X64\Setup.exe +8. Expand **Default naming context**>**DC=contoso,DC=com**, and then in the console tree right-click **CN=System**, point to **New**, and then select **Object**. + +9. Select **container** and then select **Next**. + +10. Next to **Value**, enter **System Management**, select **Next**, and then select **Finish**. + +11. Right-click **CN=system Management** and then select **Properties**. + +12. On the **Security** tab, select **Add**, select **Object Types**, select **Computers**, and select **OK**. + +13. Under **Enter the object names to select**, enter **SRV1** and select **OK**. + +14. The **SRV1** computer account will be highlighted, select **Allow** next to **Full control**. + +15. Select **Advanced**, select **SRV1 (CONTOSO\SRV1$)** and select **Edit**. + +16. Next to **Applies to**, choose **This object and all descendant objects**, and then select **OK** three times. + +17. Close the ADSI Edit console and switch back to SRV1. + +18. To start Configuration Manager installation, enter the following command at an elevated Windows PowerShell prompt on SRV1: + + ```cmd + C:\configmgr\SMSSETUP\BIN\X64\Setup.exe ``` -1. Provide the following information in the Configuration Manager Setup Wizard: +19. Provide the following information in the Configuration Manager Setup Wizard: + - **Before You Begin**: Read the text and select *Next*. - **Getting Started**: Choose **Install a Configuration Manager primary site** and select the **Use typical installation options for a stand-alone primary site** checkbox. - Select **Yes** in response to the popup window. @@ -206,7 +217,7 @@ The procedures in this guide are summarized in the following table. An estimate Depending on the speed of the Hyper-V host and resources allocated to SRV1, installation can require approximately one hour. Select **Close** when installation is complete. -1. If desired, re-enable IE Enhanced Security Configuration at this time on SRV1: +20. If desired, re-enable IE Enhanced Security Configuration at this time on SRV1: ```powershell Set-ItemProperty -Path $AdminKey -Name "IsInstalled" -Value 1 @@ -217,24 +228,30 @@ The procedures in this guide are summarized in the following table. An estimate > [!IMPORTANT] > This step requires an MSDN subscription or volume licence agreement. For more information, see [Ready for Windows 10: MDOP 2015 and more tools are now available](https://blogs.technet.microsoft.com/windowsitpro/2015/08/17/ready-for-windows-10-mdop-2015-and-more-tools-are-now-available/). + 1. Download the [Microsoft Desktop Optimization Pack 2015](https://msdn.microsoft.com/subscriptions/downloads/#ProductFamilyId=597) to the Hyper-V host using an MSDN subscription. Download the .ISO file (mu_microsoft_desktop_optimization_pack_2015_x86_x64_dvd_5975282.iso, 2.79 GB) to the C:\VHD directory on the Hyper-V host. -2. Type the following command at an elevated Windows PowerShell prompt on the Hyper-V host to mount the MDOP file on SRV1: +2. Enter the following command at an elevated Windows PowerShell prompt on the Hyper-V host to mount the MDOP file on SRV1: ```powershell Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\mu_microsoft_desktop_optimization_pack_2015_x86_x64_dvd_5975282.iso ``` -3. Type the following command at an elevated Windows PowerShell prompt on SRV1: +3. Enter the following command at an elevated Windows PowerShell prompt on SRV1: - ```powershell - cmd /c "D:\DaRT\DaRT 10\Installers\en-us\x64\MSDaRT100.msi" + ```cmd + D:\DaRT\DaRT 10\Installers\en-us\x64\MSDaRT100.msi ``` 4. Install DaRT 10 using default settings. -5. Type the following commands at an elevated Windows PowerShell prompt on SRV1: + +5. Enter the following commands at an elevated Windows PowerShell prompt on SRV1: ```powershell Copy-Item "C:\Program Files\Microsoft DaRT\v10\Toolsx64.cab" -Destination "C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x64" @@ -247,7 +264,7 @@ This section contains several procedures to support Zero Touch installation with ### Create a folder structure -1. Type the following commands at a Windows PowerShell prompt on SRV1: +1. Enter the following commands at a Windows PowerShell prompt on SRV1: ```powershell New-Item -ItemType Directory -Path "C:\Sources\OSD\Boot" @@ -262,56 +279,78 @@ This section contains several procedures to support Zero Touch installation with ### Enable MDT ConfigMgr integration -1. On SRV1, select **Start**, type `configmgr`, and then select **Configure ConfigMgr Integration**. -2. Type `PS1` as the **Site code**, and then select **Next**. +1. On SRV1, select **Start**, enter `configmgr`, and then select **Configure ConfigMgr Integration**. + +2. Enter `PS1` as the **Site code**, and then select **Next**. + 3. Verify **The process completed successfully** is displayed, and then select **Finish**. ### Configure client settings -1. On SRV1, select **Start**, type **configuration manager**, right-click **Configuration Manager Console**, and then select **Pin to Taskbar**. +1. On SRV1, select **Start**, enter **configuration manager**, right-click **Configuration Manager Console**, and then select **Pin to Taskbar**. + 2. Select **Desktop**, and then launch the Configuration Manager console from the taskbar. + 3. If the console notifies you that an update is available, select **OK**. It isn't necessary to install updates to complete this lab. + 4. In the console tree, open the **Administration** workspace (in the lower left corner) and select **Client Settings**. + 5. In the display pane, double-click **Default Client Settings**. -6. Select **Computer Agent**, next to **Organization name displayed in Software Center** type **Contoso**, and then select **OK**. + +6. Select **Computer Agent**, next to **Organization name displayed in Software Center** enter **Contoso**, and then select **OK**. ### Configure the network access account -1. In the Administration workspace, expand **Site Configuration** and select **Sites**. +1. in the **Administration** workspace, expand **Site Configuration** and select **Sites**. + 2. On the **Home** ribbon at the top of the console window, select **Configure Site Components** and then select **Software Distribution**. + 3. On the **Network Access Account** tab, choose **Specify the account that accesses network locations**. + 4. Select the yellow starburst and then select **New Account**. -5. Select **Browse** and then under **Enter the object name to select**, type **CM_NAA** and select **OK**. -6. Next to **Password** and **Confirm Password**, type **pass\@word1**, and then select **OK** twice. + +5. Select **Browse** and then under **Enter the object name to select**, enter **CM_NAA** and select **OK**. + +6. Next to **Password** and **Confirm Password**, enter **pass\@word1**, and then select **OK** twice. ### Configure a boundary group -1. In the Administration workspace, expand **Hierarchy Configuration**, right-click **Boundaries** and then select **Create Boundary**. -2. Next to **Description**, type **PS1**, next to **Type** choose **Active Directory Site**, and then select **Browse**. +1. in the **Administration** workspace, expand **Hierarchy Configuration**, right-click **Boundaries** and then select **Create Boundary**. + +2. Next to **Description**, enter **PS1**, next to **Type** choose **Active Directory Site**, and then select **Browse**. + 3. Choose **Default-First-Site-Name** and then select **OK** twice. -4. In the Administration workspace, right-click **Boundary Groups** and then select **Create Boundary Group**. -5. Next to **Name**, type **PS1 Site Assignment and Content Location**, select **Add**, select the **Default-First-Site-Name** boundary and then select **OK**. + +4. in the **Administration** workspace, right-click **Boundary Groups** and then select **Create Boundary Group**. + +5. Next to **Name**, enter **PS1 Site Assignment and Content Location**, select **Add**, select the **Default-First-Site-Name** boundary and then select **OK**. + 6. On the **References** tab in the **Create Boundary Group** window, select the **Use this boundary group for site assignment** checkbox. + 7. Select **Add**, select the **\\\SRV1.contoso.com** checkbox, and then select **OK** twice. ### Add the state migration point role -1. In the Administration workspace, expand **Site Configuration**, select **Sites**, and then in on the **Home** ribbon at the top of the console select **Add Site System Roles**. +1. in the **Administration** workspace, expand **Site Configuration**, select **Sites**, and then in on the **Home** ribbon at the top of the console select **Add Site System Roles**. + 2. In the Add site System Roles Wizard, select **Next** twice and then on the Specify roles for this server page, select the **State migration point** checkbox. -3. Select **Next**, select the yellow starburst, type **C:\MigData** for the **Storage folder**, and select **OK**. + +3. Select **Next**, select the yellow starburst, enter **C:\MigData** for the **Storage folder**, and select **OK**. + 4. Select **Next**, and then verify under **Boundary groups** that **PS1 Site Assignment and Content Location** is displayed. + 5. Select **Next** twice and then select **Close**. ### Enable PXE on the distribution point > [!IMPORTANT] -> Before enabling PXE in Configuration Manager, ensure that any previous installation of WDS does not cause conflicts. Configuration Manager will automatically configure the WDS service to manage PXE requests. To disable a previous installation, if it exists, type the following commands at an elevated Windows PowerShell prompt on SRV1: +> Before enabling PXE in Configuration Manager, ensure that any previous installation of WDS does not cause conflicts. Configuration Manager will automatically configure the WDS service to manage PXE requests. To disable a previous installation, if it exists, enter the following commands at an elevated Windows PowerShell prompt on SRV1: -```powershell -WDSUTIL /Set-Server /AnswerClients:None +```cmd +WDSUTIL.exe /Set-Server /AnswerClients:None ``` -1. Determine the MAC address of the internal network adapter on SRV1. Type the following command at an elevated Windows PowerShell prompt on SRV1: +1. Determine the MAC address of the internal network adapter on SRV1. Enter the following command at an elevated Windows PowerShell prompt on SRV1: ```powershell (Get-NetAdapter "Ethernet").MacAddress @@ -321,8 +360,11 @@ WDSUTIL /Set-Server /AnswerClients:None > If the internal network adapter, assigned an IP address of 192.168.0.2, isn't named "Ethernet" then replace the name "Ethernet" in the previous command with the name of this network adapter. You can review the names of network adapters and the IP addresses assigned to them by typing **ipconfig**. 2. In the Configuration Manager console, in the **Administration** workspace, select **Distribution Points**. + 3. In the display pane, right-click **SRV1.CONTOSO.COM** and then select **Properties**. + 4. On the PXE tab, select the following settings: + - **Enable PXE support for clients**. Select **Yes** in the popup that appears. - **Allow this distribution point to respond to incoming PXE requests** - **Enable unknown computer support**. Select **OK** in the popup that appears. @@ -334,10 +376,11 @@ WDSUTIL /Set-Server /AnswerClients:None ![Config Mgr PXE.](images/configmgr-pxe.png) 5. Select **OK**. -6. Wait for a minute, then type the following command at an elevated Windows PowerShell prompt on SRV1, and verify that the files displayed are present: - ```powershell - cmd /c dir /b C:\RemoteInstall\SMSBoot\x64 +6. Wait for a minute, then enter the following command at an elevated Windows PowerShell prompt on SRV1, and verify that the files displayed are present: + + ```cmd + dir /b C:\RemoteInstall\SMSBoot\x64 abortpxe.com bootmgfw.efi @@ -349,12 +392,12 @@ WDSUTIL /Set-Server /AnswerClients:None ``` > [!NOTE] - > If these files aren't present in the C:\RemoteInstall directory, verify that the REMINST share is configured as C:\RemoteInstall. You can view the properties of this share by typing `net share REMINST` at a command prompt. If the share path is set to a different value, then replace C:\RemoteInstall with your REMINST share path. + > If these files aren't present in the C:\RemoteInstall directory, verify that the REMINST share is configured as C:\RemoteInstall. You can view the properties of this share by typing `net.exe share REMINST` at a command prompt. If the share path is set to a different value, then replace C:\RemoteInstall with your REMINST share path. > - > You can also type the following command at an elevated Windows PowerShell prompt to open the CMTrace. In the tool, select **File**, select **Open**, and then open the **distmgr.log** file. If errors are present, they will be highlighted in red: + > You can also enter the following command at an elevated Windows PowerShell prompt to open CMTrace. In the tool, select **File**, select **Open**, and then open the **distmgr.log** file. If errors are present, they will be highlighted in red: > - > ```powershell - > Invoke-Item 'C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe' + > ```cmd + > "C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe" > ``` > > The log file is updated continuously while Configuration Manager is running. Wait for Configuration Manager to repair any issues that are present, and periodically recheck that the files are present in the REMINST share location. Close CMTrace when done. You'll see the following line in distmgr.log that indicates the REMINST share is being populated with necessary files: @@ -366,7 +409,8 @@ WDSUTIL /Set-Server /AnswerClients:None ### Create a branding image file 1. If you have a bitmap (.BMP) image for suitable use as a branding image, copy it to the C:\Sources\OSD\Branding folder on SRV1. Otherwise, use the following step to copy a branding image. -2. Type the following command at an elevated Windows PowerShell prompt: + +2. Enter the following command at an elevated Windows PowerShell prompt: ```powershell Copy-Item -Path "C:\ProgramData\Microsoft\User Account Pictures\user.bmp" -Destination "C:\Sources\OSD\Branding\contoso.bmp" @@ -378,16 +422,26 @@ WDSUTIL /Set-Server /AnswerClients:None ### Create a boot image for Configuration Manager 1. In the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Boot Images**, and then select **Create Boot Image using MDT**. -2. On the Package Source page, under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\Boot\Zero Touch WinPE x64**, and then select **Next**. + +2. On the Package Source page, under **Package source folder to be created (UNC Path):**, enter **\\\SRV1\Sources$\OSD\Boot\Zero Touch WinPE x64**, and then select **Next**. + - The Zero Touch WinPE x64 folder doesn't yet exist. The folder will be created later. -3. On the General Settings page, type **Zero Touch WinPE x64** next to **Name**, and select **Next**. + +3. On the General Settings page, enter **Zero Touch WinPE x64** next to **Name**, and select **Next**. + 4. On the Options page, under **Platform** choose **x64**, and select **Next**. + 5. On the Components page, in addition to the default selection of **Microsoft Data Access Components (MDAC/ADO) support**, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** checkbox, and select **Next**. -6. On the Customization page, select the **Use a custom background bitmap file** checkbox, and under **UNC path**, type or browse to **\\\SRV1\Sources$\OSD\Branding\contoso.bmp**, and then select **Next** twice. It will take a few minutes to generate the boot image. + +6. On the Customization page, select the **Use a custom background bitmap file** checkbox, and under **UNC path**, enter or browse to **\\\SRV1\Sources$\OSD\Branding\contoso.bmp**, and then select **Next** twice. It will take a few minutes to generate the boot image. + 7. Select **Finish**. + 8. In the console display pane, right-click the **Zero Touch WinPE x64** boot image, and then select **Distribute Content**. + 9. In the Distribute Content Wizard, select **Next**, select **Add** and select **Distribution Point**, select the **SRV1.CONTOSO.COM** checkbox, select **OK**, select **Next** twice, and then select **Close**. -10. Use the CMTrace application to view the **distmgr.log** file again and verify that the boot image has been distributed. To open CMTrace, type the following command at an elevated Windows PowerShell prompt on SRV1: + +10. Use the CMTrace application to view the **distmgr.log** file again and verify that the boot image has been distributed. To open CMTrace, enter the following command at an elevated Windows PowerShell prompt on SRV1: ```powershell Invoke-Item 'C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe' @@ -400,12 +454,15 @@ WDSUTIL /Set-Server /AnswerClients:None ``` 11. You can also review status by clicking the **Zero Touch WinPE x64** image, and then clicking **Content Status** under **Related Objects** in the bottom right-hand corner of the console, or by entering **\Monitoring\Overview\Distribution Status\Content Status** on the location bar in the console. Double-click **Zero Touch WinPE x64** under **Content Status** in the console tree and verify that a status of **Successfully distributed content** is displayed on the **Success** tab. + 12. Next, in the **Software Library** workspace, double-click **Zero Touch WinPE x64** and then select the **Data Source** tab. + 13. Select the **Deploy this boot image from the PXE-enabled distribution point** checkbox, and select **OK**. + 14. Review the distmgr.log file again for "**STATMSG: ID=2301**" and verify that there are three folders under **C:\RemoteInstall\SMSImages** with boot images. See the following example: - ```console - cmd /c dir /s /b C:\RemoteInstall\SMSImages + ```cmd + dir /s /b C:\RemoteInstall\SMSImages C:\RemoteInstall\SMSImages\PS100004 C:\RemoteInstall\SMSImages\PS100005 @@ -422,19 +479,19 @@ WDSUTIL /Set-Server /AnswerClients:None If you've already completed steps in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) then you've already created a Windows 10 reference image. In this case, skip to the next procedure in this guide: [Add a Windows 10 OS image](#add-a-windows-10-os-image). If you've not yet created a Windows 10 reference image, complete the steps in this section. -1. In [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md) the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1. To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and type the following command: +1. In [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md) the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1. To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and enter the following command: ```powershell Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\w10-enterprise.iso ``` -1. Verify that the Windows Enterprise installation DVD is mounted on SRV1 as drive letter D. +2. Verify that the Windows Enterprise installation DVD is mounted on SRV1 as drive letter D. -1. The Windows 10 Enterprise installation files will be used to create a deployment share on SRV1 using the MDT deployment workbench. To open the deployment workbench, select **Start**, type **deployment**, and then select **Deployment Workbench**. +3. The Windows 10 Enterprise installation files will be used to create a deployment share on SRV1 using the MDT deployment workbench. To open the deployment workbench, select **Start**, enter **deployment**, and then select **Deployment Workbench**. -1. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**. +4. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**. -1. Use the following settings for the New Deployment Share Wizard: +5. Use the following settings for the New Deployment Share Wizard: - Deployment share path: **C:\MDTBuildLab** - Share name: **MDTBuildLab$** - Deployment share description: **MDT build lab** @@ -443,22 +500,23 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr - Progress: settings will be applied - Confirmation: Select **Finish** -1. Expand the **Deployment Shares** node, and then expand **MDT build lab**. +6. Expand the **Deployment Shares** node, and then expand **MDT build lab**. -1. Right-click the **Operating Systems** node, and then select **New Folder**. Name the new folder **Windows 10**. Complete the wizard using default values and select **Finish**. +7. Right-click the **Operating Systems** node, and then select **New Folder**. Name the new folder **Windows 10**. Complete the wizard using default values and select **Finish**. -1. Right-click the **Windows 10** folder created in the previous step, and then select **Import Operating System**. +8. Right-click the **Windows 10** folder created in the previous step, and then select **Import Operating System**. -1. Use the following settings for the Import Operating System Wizard: +9. Use the following settings for the Import Operating System Wizard: - OS Type: **Full set of source files** - Source: **D:\\** - Destination: **W10Ent_x64** - Summary: Select **Next** - Confirmation: Select **Finish** -1. For purposes of this test lab, we won't add applications, such as Microsoft Office, to the deployment share. For more information about adding applications, see [Add applications](deploy-windows-mdt/create-a-windows-10-reference-image.md#add-applications). +10. For purposes of this test lab, we won't add applications, such as Microsoft Office, to the deployment share. For more information about adding applications, see [Add applications](deploy-windows-mdt/create-a-windows-10-reference-image.md#add-applications). + +11. The next step is to create a task sequence to reference the OS that was imported. To create a task sequence, right-click the **Task Sequences** node under **MDT Build Lab** and then select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: -1. The next step is to create a task sequence to reference the OS that was imported. To create a task sequence, right-click the **Task Sequences** node under **MDT Build Lab** and then select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: - Task sequence ID: **REFW10X64-001** - Task sequence name: **Windows 10 Enterprise x64 Default Image** - Task sequence comments: **Reference Build** @@ -467,31 +525,31 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr - Specify Product Key: **Do not specify a product key at this time** - Full Name: **Contoso** - Organization: **Contoso** - - Internet Explorer home page: **http://www.contoso.com** + - Internet Explorer home page: **`http://www.contoso.com`** - Admin Password: **Do not specify an Administrator password at this time** - Summary: Select **Next** - Confirmation: Select **Finish** -1. Edit the task sequence to add the Microsoft NET Framework 3.5, which is required by many applications. To edit the task sequence, double-click **Windows 10 Enterprise x64 Default Image** that was created in the previous step. +12. Edit the task sequence to add the Microsoft NET Framework 3.5, which is required by many applications. To edit the task sequence, double-click **Windows 10 Enterprise x64 Default Image** that was created in the previous step. -1. Select the **Task Sequence** tab. Under **State Restore**, select **Tattoo** to highlight it, then select **Add** and choose **New Group**. A new group will be added under Tattoo. +13. Select the **Task Sequence** tab. Under **State Restore**, select **Tattoo** to highlight it, then select **Add** and choose **New Group**. A new group will be added under Tattoo. -1. On the Properties tab of the group that was created in the previous step, change the Name from New Group to **Custom Tasks (Pre-Windows Update)** and then select **Apply**. To see the name change, select **Tattoo**, then select the new group again. +14. On the Properties tab of the group that was created in the previous step, change the Name from New Group to **Custom Tasks (Pre-Windows Update)** and then select **Apply**. To see the name change, select **Tattoo**, then select the new group again. -1. Select the **Custom Tasks (Pre-Windows Update)** group again, select **Add**, point to **Roles**, and then select **Install Roles and Features**. +15. Select the **Custom Tasks (Pre-Windows Update)** group again, select **Add**, point to **Roles**, and then select **Install Roles and Features**. -1. Under **Select the roles and features that should be installed**, select **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** and then select **Apply**. +16. Under **Select the roles and features that should be installed**, select **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** and then select **Apply**. -1. Enable Windows Update in the task sequence by clicking the **Windows Update (Post-Application Installation)** step, clicking the **Options** tab, and clearing the **Disable this step** checkbox. +17. Enable Windows Update in the task sequence by clicking the **Windows Update (Post-Application Installation)** step, clicking the **Options** tab, and clearing the **Disable this step** checkbox. > [!NOTE] > Since we aren't installing applications in this test lab, there's no need to enable the Windows Update Pre-Application Installation step. However, you should enable this step if you're also installing applications. -1. Select **OK** to complete editing the task sequence. +18. Select **OK** to complete editing the task sequence. -1. The next step is to configure the MDT deployment share rules. To configure rules in the Deployment Workbench, right-click MDT build lab (C:\MDTBuildLab) and select **Properties**, and then select the **Rules** tab. +19. The next step is to configure the MDT deployment share rules. To configure rules in the Deployment Workbench, right-click MDT build lab (C:\MDTBuildLab) and select **Properties**, and then select the **Rules** tab. -1. Replace the default rules with the following text: +20. Replace the default rules with the following text: ```ini [Settings] @@ -526,7 +584,7 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr SkipFinalSummary=NO ``` -1. Select **Apply** and then select **Edit Bootstrap.ini**. Replace the contents of the Bootstrap.ini file with the following text, and save the file: +21. Select **Apply** and then select **Edit Bootstrap.ini**. Replace the contents of the Bootstrap.ini file with the following text, and save the file: ```ini [Settings] @@ -540,18 +598,18 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr SkipBDDWelcome=YES ``` -1. Select **OK** to complete the configuration of the deployment share. +22. Select **OK** to complete the configuration of the deployment share. -1. Right-click **MDT build lab (C:\MDTBuildLab)** and then select **Update Deployment Share**. +23. Right-click **MDT build lab (C:\MDTBuildLab)** and then select **Update Deployment Share**. -1. Accept all default values in the Update Deployment Share Wizard by clicking **Next**. The update process will take 5 to 10 minutes. When it has completed, select **Finish**. +24. Accept all default values in the Update Deployment Share Wizard by clicking **Next**. The update process will take 5 to 10 minutes. When it has completed, select **Finish**. -1. Copy **c:\MDTBuildLab\Boot\LiteTouchPE_x86.iso** on SRV1 to the **c:\VHD** directory on the Hyper-V host computer. In MDT, the x86 boot image can deploy both x86 and x64 operating systems, except on computers based on Unified Extensible Firmware Interface (UEFI). +25. Copy **c:\MDTBuildLab\Boot\LiteTouchPE_x86.iso** on SRV1 to the **c:\VHD** directory on the Hyper-V host computer. In MDT, the x86 boot image can deploy both x86 and x64 operating systems, except on computers based on Unified Extensible Firmware Interface (UEFI). > [!TIP] > To copy the file, right-click the **LiteTouchPE_x86.iso** file, and select **Copy** on SRV1. Then open the **c:\VHD** folder on the Hyper-V host, right-click inside the folder, and select **Paste**. -1. Open a Windows PowerShell prompt on the Hyper-V host computer and type the following commands: +26. Open a Windows PowerShell prompt on the Hyper-V host computer and enter the following commands: ```powershell New-VM -Name REFW10X64-001 -SwitchName poc-internal -NewVHDPath "c:\VHD\REFW10X64-001.vhdx" -NewVHDSizeBytes 60GB @@ -561,9 +619,9 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr vmconnect localhost REFW10X64-001 ``` -1. In the Windows Deployment Wizard, select **Windows 10 Enterprise x64 Default Image**, and then select **Next**. +27. In the Windows Deployment Wizard, select **Windows 10 Enterprise x64 Default Image**, and then select **Next**. -1. Accept the default values on the Capture Image page, and select **Next**. OS installation will complete after 5 to 10 minutes and then the VM will reboot automatically. Allow the system to boot normally, don't press a key. The process is fully automated. +28. Accept the default values on the Capture Image page, and select **Next**. OS installation will complete after 5 to 10 minutes and then the VM will reboot automatically. Allow the system to boot normally, don't press a key. The process is fully automated. Other system restarts will occur to complete updating and preparing the OS. Setup will complete the following procedures: @@ -579,7 +637,7 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr ### Add a Windows 10 OS image -1. Type the following commands at an elevated Windows PowerShell prompt on SRV1: +1. Enter the following commands at an elevated Windows PowerShell prompt on SRV1: ```powershell New-Item -ItemType Directory -Path "C:\Sources\OSD\OS\Windows 10 Enterprise x64" @@ -588,9 +646,9 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr 2. In the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Operating System Images**, and then select **Add Operating System Image**. -3. On the Data Source page, under **Path:**, type or browse to **\\\SRV1\Sources$\OSD\OS\Windows 10 Enterprise x64\REFW10X64-001.wim**, and select **Next**. +3. On the Data Source page, under **Path:**, enter or browse to **\\\SRV1\Sources$\OSD\OS\Windows 10 Enterprise x64\REFW10X64-001.wim**, and select **Next**. -4. On the General page, next to **Name:**, type **Windows 10 Enterprise x64**, select **Next** twice, and then select **Close**. +4. On the General page, next to **Name:**, enter **Windows 10 Enterprise x64**, select **Next** twice, and then select **Close**. 5. Distribute the OS image to the SRV1 distribution point by right-clicking the **Windows 10 Enterprise x64** OS image and then clicking **Distribute Content**. @@ -610,9 +668,10 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr 2. On the Choose Template page, select the **Client Task Sequence** template and select **Next**. -3. On the General page, type **Windows 10 Enterprise x64** under **Task sequence name:** and then select **Next**. +3. On the General page, enter **Windows 10 Enterprise x64** under **Task sequence name:** and then select **Next**. 4. On the Details page, enter the following settings: + - Join a domain: **contoso.com** - Account: Select **Set** - User name: **contoso\CM_JD** @@ -632,9 +691,9 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr 6. On the Boot Image page, browse and select the **Zero Touch WinPE x64** boot image package, select **OK**, and then select **Next**. -7. On the MDT Package page, select **Create a new Microsoft Deployment Toolkit Files package**, under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\MDT\MDT** (MDT is repeated here, not a typo), and then select **Next**. +7. On the MDT Package page, select **Create a new Microsoft Deployment Toolkit Files package**, under **Package source folder to be created (UNC Path):**, enter **\\\SRV1\Sources$\OSD\MDT\MDT** (MDT is repeated here, not a typo), and then select **Next**. -8. On the MDT Details page, next to **Name:** type **MDT** and then select **Next**. +8. On the MDT Details page, next to **Name:** enter **MDT** and then select **Next**. 9. On the OS Image page, browse and select the **Windows 10 Enterprise x64** package, select **OK**, and then select **Next**. @@ -644,9 +703,9 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr 12. On the USMT Package page, browse and select the **Microsoft Corporation User State Migration Tool for Windows 10.0.14393.0** package, select **OK**, and then select **Next**. -13. On the Settings Package page, select **Create a new settings package**, and under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\Settings\Windows 10 x64 Settings**, and then select **Next**. +13. On the Settings Package page, select **Create a new settings package**, and under **Package source folder to be created (UNC Path):**, enter **\\\SRV1\Sources$\OSD\Settings\Windows 10 x64 Settings**, and then select **Next**. -14. On the Settings Details page, next to **Name:**, type **Windows 10 x64 Settings**, and select **Next**. +14. On the Settings Details page, next to **Name:**, enter **Windows 10 x64 Settings**, and select **Next**. 15. On the Sysprep Package page, select **Next** twice. @@ -663,6 +722,7 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr 4. In the **State Restore** group, select the **Set Status 5** action, select **Add** in the upper left corner, point to **User State**, and select **Request State Store**. This action adds a new step immediately after **Set Status 5**. 5. Configure this **Request State Store** step with the following settings: + - Request state storage location to: **Restore state from another computer** - Select the **If computer account fails to connect to state store, use the Network Access account** checkbox. - Options tab: Select the **Continue on error** checkbox. @@ -676,6 +736,7 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr 6. In the **State Restore** group, select **Restore User State**, select **Add**, point to **User State**, and select **Release State Store**. 7. Configure this **Release State Store** step with the following settings: + - Options tab: Select the **Continue on error** checkbox. - Add Condition: **Task Sequence Variable**: - Variable: **USMTLOCAL** @@ -704,10 +765,10 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr 4. Select the **Monitoring** tab, select the **Enable monitoring for this deployment share** checkbox, and then select **OK**. -5. Type the following command at an elevated Windows PowerShell prompt on SRV1: +5. Enter the following command at an elevated Windows PowerShell prompt on SRV1: - ```powershell - notepad "C:\Sources\OSD\Settings\Windows 10 x64 Settings\CustomSettings.ini" + ```cmd + notepad.exe "C:\Sources\OSD\Settings\Windows 10 x64 Settings\CustomSettings.ini" ``` 6. Replace the contents of the file with the following text, and then save the file: @@ -735,9 +796,9 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr > OSDMigrateAdditionalCaptureOptions=/all > ``` -7. Return to the Configuration Manager console, and in the Software Library workspace, expand **Application Management**, select **Packages**, right-click **Windows 10 x64 Settings**, and then select **Update Distribution Points**. Select **OK** in the popup that appears. +7. Return to the Configuration Manager console, and in the **Software Library** workspace, expand **Application Management**, select **Packages**, right-click **Windows 10 x64 Settings**, and then select **Update Distribution Points**. Select **OK** in the popup that appears. -8. In the Software Library workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then select **Distribute Content**. +8. In the **Software Library** workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then select **Distribute Content**. 9. In the Distribute Content Wizard, select **Next** twice, select **Add**, select **Distribution Point**, select the **SRV1.CONTOSO.COM** distribution point, select **OK**, select **Next** twice and then select **Close**. @@ -745,7 +806,7 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr ### Create a deployment for the task sequence -1. In the Software Library workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then select **Deploy**. +1. In the **Software Library** workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then select **Deploy**. 2. On the General page, next to **Collection**, select **Browse**, select the **All Unknown Computers** collection, select **OK**, and then select **Next**. @@ -761,7 +822,7 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr In this first deployment scenario, you'll deploy Windows 10 using PXE. This scenario creates a new computer that doesn't have any migrated users or settings. -1. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: +1. Enter the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: ```powershell New-VM -Name "PC4" -NewVHDPath "c:\vhd\pc4.vhdx" -NewVHDSizeBytes 40GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2 @@ -776,7 +837,7 @@ In this first deployment scenario, you'll deploy Windows 10 using PXE. This scen 4. Before you select **Next** in the Task Sequence Wizard, press the **F8** key. A command prompt will open. -5. At the command prompt, type **explorer.exe** and review the Windows PE file structure. +5. At the command prompt, enter **explorer.exe** and review the Windows PE file structure. 6. The smsts.log file is critical for troubleshooting any installation problems that might be encountered. Depending on the deployment phase, the smsts.log file is created in different locations: - X:\Windows\temp\SMSTSLog\smsts.log before disks are formatted. @@ -796,6 +857,7 @@ In this first deployment scenario, you'll deploy Windows 10 using PXE. This scen 10. The **Windows 10 Enterprise x64** task sequence is selected in the Task Sequence Wizard. Select **Next** to continue with the deployment. 11. The task sequence will require several minutes to complete. You can monitor progress of the task sequence using the MDT Deployment Workbench under Deployment Shares > MDTProduction > Monitoring. The task sequence will: + - Install Windows 10 - Install the Configuration Manager client and hotfix - Join the computer to the contoso.com domain @@ -803,7 +865,7 @@ In this first deployment scenario, you'll deploy Windows 10 using PXE. This scen 12. When Windows 10 installation has completed, sign in to PC4 using the **contoso\administrator** account. -13. Right-click **Start**, select **Run**, type **control appwiz.cpl**, press ENTER, select **Turn Windows features on or off**, and verify that **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** is installed. This feature is included in the reference image. +13. Right-click **Start**, select **Run**, enter **control appwiz.cpl**, press ENTER, select **Turn Windows features on or off**, and verify that **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** is installed. This feature is included in the reference image. 14. Shut down the PC4 VM. @@ -821,19 +883,25 @@ In the replace procedure, PC1 won't be migrated to a new OS. It's simplest to pe ### Create a replace task sequence -1. On SRV1, in the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and then select **Create MDT Task Sequence**. +1. On SRV1, in the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Task Sequences**, and then select **Create MDT Task Sequence**. 2. On the Choose Template page, select **Client Replace Task Sequence** and select **Next**. -3. On the General page, type the following information: +3. On the General page, enter the following information: + - Task sequence name: **Replace Task Sequence** - Task sequence comments: **USMT backup only** 4. Select **Next**, and on the Boot Image page, browse and select the **Zero Touch WinPE x64** boot image package. Select **OK** and then select **Next** to continue. + 5. On the MDT Package page, browse and select the **MDT** package. Select **OK** and then select **Next** to continue. + 6. On the USMT Package page, browse and select the **Microsoft Corporation User State Migration Tool for Windows** package. Select **OK** and then select **Next** to continue. + 7. On the Settings Package page, browse and select the **Windows 10 x64 Settings** package. Select **OK** and then select **Next** to continue. + 8. On the Summary page, review the details and then select **Next**. + 9. On the Confirmation page, select **Finish**. > [!NOTE] @@ -841,7 +909,7 @@ In the replace procedure, PC1 won't be migrated to a new OS. It's simplest to pe ### Deploy PC4 -Create a VM named PC4 to receive the applications and settings from PC1. This VM represents a new computer that will replace PC1. To create this VM, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: +Create a VM named PC4 to receive the applications and settings from PC1. This VM represents a new computer that will replace PC1. To create this VM, enter the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: ```powershell New-VM -Name "PC4" -NewVHDPath "c:\vhd\pc4.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2 @@ -856,61 +924,66 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF 1. Verify that the PC1 VM is running and in its original state, which was saved as a checkpoint and then restored in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md). -1. If you haven't already saved a checkpoint for PC1, then do it now. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: +2. If you haven't already saved a checkpoint for PC1, then do it now. Enter the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: ```powershell Checkpoint-VM -Name PC1 -SnapshotName BeginState ``` -1. On SRV1, in the Configuration Manager console, in the Administration workspace, expand **Hierarchy Configuration** and select on **Discovery Methods**. -1. Double-click **Active Directory System Discovery** and on the **General** tab select the **Enable Active Directory System Discovery** checkbox. -1. Select the yellow starburst, select **Browse**, select **contoso\Computers**, and then select **OK** three times. -1. When a popup dialog box asks if you want to run full discovery, select **Yes**. -1. In the Assets and Compliance workspace, select **Devices** and verify that the computer account names for SRV1 and PC1 are displayed. See the following example (GREGLIN-PC1 is the computer account name of PC1 in this example): +3. On SRV1, in the Configuration Manager console, in the **Administration** workspace, expand **Hierarchy Configuration** and select on **Discovery Methods**. + +4. Double-click **Active Directory System Discovery** and on the **General** tab select the **Enable Active Directory System Discovery** checkbox. + +5. Select the yellow starburst, select **Browse**, select **contoso\Computers**, and then select **OK** three times. + +6. When a popup dialog box asks if you want to run full discovery, select **Yes**. + +7. In the **Assets and Compliance** workspace, select **Devices** and verify that the computer account names for SRV1 and PC1 are displayed. See the following example (GREGLIN-PC1 is the computer account name of PC1 in this example): > [!TIP] > If you don't see the computer account for PC1, select **Refresh** in the upper right corner of the console. The **Client** column indicates that the Configuration Manager client isn't currently installed. This procedure will be carried out next. -1. Sign in to PC1 using the contoso\administrator account and type the following command at an elevated command prompt to remove any pre-existing client configuration, if it exists. +8. Sign in to PC1 using the contoso\administrator account and enter the following command at an elevated command prompt to remove any pre-existing client configuration, if it exists. > [!Note] - > This command requires an elevated _command prompt_, not an elevated Windows PowerShell prompt. + > This command requires an elevated command prompt, not an elevated Windows PowerShell prompt. - ```dos - sc stop ccmsetup + ```cmd + sc.exe stop ccmsetup "\\SRV1\c$\Program Files\Microsoft Configuration Manager\Client\CCMSetup.exe" /Uninstall ``` > [!NOTE] > If PC1 still has Configuration Manager registry settings that were applied by Group Policy, startup scripts, or other policies in its previous domain, these might not all be removed by `CCMSetup /Uninstall` and can cause problems with installation or registration of the client in its new environment. It might be necessary to manually remove these settings if they are present. For more information, see [Manual removal of the Configuration Manager client](/archive/blogs/michaelgriswold/manual-removal-of-the-sccm-client). -1. On PC1, temporarily stop Windows Update from queuing items for download and clear all BITS jobs from the queue. From an elevated command prompt, type: +9. On PC1, temporarily stop Windows Update from queuing items for download and clear all BITS jobs from the queue. From an elevated command prompt, enter: - ```dos - net stop wuauserv - net stop BITS + ```cmd + net.exe stop wuauserv + net.exe stop BITS ``` - Verify that both services were stopped successfully, then type the following command at an elevated command prompt: + Verify that both services were stopped successfully, then enter the following command at an elevated command prompt: - ```dos + ```cmd del "%ALLUSERSPROFILE%\Application Data\Microsoft\Network\Downloader\qmgr*.dat" - net start BITS - bitsadmin /list /allusers + net.exe start BITS + bitsadmin.exe /list /allusers ``` Verify that BITSAdmin displays zero jobs. -1. To install the Configuration Manager client as a standalone process, type the following command at an elevated command prompt: +10. To install the Configuration Manager client as a standalone process, enter the following command at an elevated command prompt: - ```dos + ```cmd "\\SRV1\c$\Program Files\Microsoft Configuration Manager\Client\CCMSetup.exe" /mp:SRV1.contoso.com /logon SMSSITECODE=PS1 ``` -1. On PC1, using file explorer, open the **C:\Windows\ccmsetup** directory. During client installation, files will be downloaded here. -1. Installation progress will be captured in the file: **c:\windows\ccmsetup\logs\ccmsetup.log**. You can periodically open this file in notepad, or you can type the following command at an elevated Windows PowerShell prompt to monitor installation progress: +11. On PC1, using file explorer, open the **C:\Windows\ccmsetup** directory. During client installation, files will be downloaded here. + +12. Installation progress will be captured in the file: **c:\windows\ccmsetup\logs\ccmsetup.log**. You can periodically open this file in notepad, or you can enter the following command at an elevated Windows PowerShell prompt to monitor installation progress: ```powershell Get-Content -Path c:\windows\ccmsetup\logs\ccmsetup.log -Wait @@ -918,21 +991,21 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF Installation might require several minutes, and display of the log file will appear to hang while some applications are installed. This behavior is normal. When setup is complete, verify that **CcmSetup is existing with return code 0** is displayed on the last line of the ccmsetup.log file. Then press **CTRL-C** to break out of the Get-Content operation. If you're viewing the log file in Windows PowerShell, the last line will be wrapped. A return code of `0` indicates that installation was successful and you should now see a directory created at **C:\Windows\CCM** that contains files used in registration of the client with its site. -1. On PC1, open the Configuration Manager control panel applet by typing the following command from a command prompt: +13. On PC1, open the Configuration Manager control panel applet by typing the following command from a command prompt: - ```dos - control smscfgrc + ```cmd + control.exe smscfgrc ``` -1. Select the **Site** tab, select **Configure Settings**, and select **Find Site**. The client will report that it has found the PS1 site. See the following example: +14. Select the **Site** tab, select **Configure Settings**, and select **Find Site**. The client will report that it has found the PS1 site. See the following example: ![site.](images/configmgr-site.png) If the client isn't able to find the PS1 site, review any error messages that are displayed in **C:\Windows\CCM\Logs\ClientIDManagerStartup.log** and **LocationServices.log**. A common reason the client can't locate the site code is because a previous configuration exists. For example, if a previous site code is configured at **HKLM\SOFTWARE\Microsoft\SMS\Mobile Client\GPRequestedSiteAssignmentCode**, delete or update this entry. -1. On SRV1, in the Assets and Compliance workspace, select **Device Collections** and then double-click **All Desktop and Server Clients**. This node will be added under **Devices**. +15. On SRV1, in the **Assets and Compliance** workspace, select **Device Collections** and then double-click **All Desktop and Server Clients**. This node will be added under **Devices**. -1. Select **All Desktop and Server Clients** and verify that the computer account for PC1 is displayed here with **Yes** and **Active** in the **Client** and **Client Activity** columns, respectively. You might have to refresh the view and wait few minutes for the client to appear here. See the following example: +16. Select **All Desktop and Server Clients** and verify that the computer account for PC1 is displayed here with **Yes** and **Active** in the **Client** and **Client Activity** columns, respectively. You might have to refresh the view and wait few minutes for the client to appear here. See the following example: ![client.](images/configmgr-client.png) @@ -941,9 +1014,10 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF ### Create a device collection and deployment -1. On SRV1, in the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections** and then select **Create Device Collection**. +1. On SRV1, in the Configuration Manager console, in the **Assets and Compliance** workspace, right-click **Device Collections** and then select **Create Device Collection**. 2. Use the following settings in the **Create Device Collection Wizard**: + - General > Name: **Install Windows 10 Enterprise x64** - General > Limiting collection: **All Systems** - Membership Rules > Add Rule: **Direct Rule** @@ -956,7 +1030,7 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF 3. Double-click the Install Windows 10 Enterprise x64 device collection and verify that the PC1 computer account is displayed. -4. In the Software Library workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Windows 10 Enterprise x64** and then select **Deploy**. +4. In the **Software Library** workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Windows 10 Enterprise x64** and then select **Deploy**. 5. Use the following settings in the Deploy Software wizard: - General > Collection: Select Browse and select **Install Windows 10 Enterprise x64** @@ -971,24 +1045,25 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF ### Associate PC4 with PC1 -1. On SRV1 in the Configuration Manager console, in the Assets and Compliance workspace, right-click **Devices** and then select **Import Computer Information**. +1. On SRV1 in the Configuration Manager console, in the **Assets and Compliance** workspace, right-click **Devices** and then select **Import Computer Information**. 2. On the Select Source page, choose **Import single computer** and select **Next**. 3. On the Single Computer page, use the following settings: + - Computer Name: **PC4** - MAC Address: **00:15:5D:83:26:FF** - - Source Computer: \ + - Source Computer: \ 4. Select **Next**, and on the User Accounts page choose **Capture and restore specified user accounts**, then select the yellow starburst next to **User accounts to migrate**. -5. Select **Browse** and then under Enter the object name to select type **user1** and select OK twice. +5. Select **Browse** and then under **Enter the object name to select** enter **user1** and select **OK** twice. 6. Select the yellow starburst again and repeat the previous step to add the **contoso\administrator** account. 7. Select **Next** twice, and on the Choose Target Collection page, choose **Add computers to the following collection**, select **Browse**, choose **Install Windows 10 Enterprise x64**, select **OK**, select **Next** twice, and then select **Close**. -8. In the Assets and Compliance workspace, select **User State Migration** and review the computer association in the display pane. The source computer will be the computername of PC1 (GREGLIN-PC1 in this example), the destination computer will be **PC4**, and the migration type will be **side-by-side**. +8. In the **Assets and Compliance** workspace, select **User State Migration** and review the computer association in the display pane. The source computer will be the computername of PC1 (GREGLIN-PC1 in this example), the destination computer will be **PC4**, and the migration enter will be **side-by-side**. 9. Right-click the association in the display pane and then select **Specify User Accounts**. You can add or remove user account here. Select **OK**. @@ -1000,9 +1075,10 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF ### Create a device collection for PC1 -1. On SRV1, in the Configuration Manager console, in the Assets and Compliance workspace, right-click **Device Collections** and then select **Create Device Collection**. +1. On SRV1, in the Configuration Manager console, in the **Assets and Compliance** workspace, right-click **Device Collections** and then select **Create Device Collection**. 2. Use the following settings in the **Create Device Collection Wizard**: + - General > Name: **USMT Backup (Replace)** - General > Limiting collection: **All Systems** - Membership Rules > Add Rule: **Direct Rule** @@ -1032,15 +1108,15 @@ In the Configuration Manager console, in the **Software Library** workspace, und 1. On PC1, open the Configuration Manager control panel applet by typing the following command in a command prompt: - ```dos - control smscfgrc + ```cmd + control.exe smscfgrc ``` 2. On the **Actions** tab, select **Machine Policy Retrieval & Evaluation Cycle**, select **Run Now**, select **OK**, and then select **OK** again. This method is one that you can use to run a task sequence in addition to the Client Notification method that will be demonstrated in the computer refresh procedure. -3. Type the following command at an elevated command prompt to open the Software Center: +3. Enter the following command at an elevated command prompt to open the Software Center: - ```dos + ```cmd C:\Windows\CCM\SCClient.exe ``` @@ -1052,26 +1128,30 @@ In the Configuration Manager console, in the **Software Library** workspace, und > If you don't see any available software, try running step #2 again to start the Machine Policy Retrieval & Evaluation Cycle. You should see an alert that new software is available. 5. Select **INSTALL SELECTED** and then select **INSTALL OPERATING SYSTEM**. + 6. Allow the **Replace Task Sequence** to complete, then verify that the C:\MigData folder on SRV1 contains the USMT backup. ### Deploy the new computer -1. Start PC4 and press ENTER for a network boot when prompted. To start PC4, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: +1. Start PC4 and press ENTER for a network boot when prompted. To start PC4, enter the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: ```powershell Start-VM PC4 vmconnect localhost PC4 ``` -1. In the **Welcome to the Task Sequence Wizard**, enter **pass@word1** and select **Next**. -1. Choose the **Windows 10 Enterprise X64** image. -1. Setup will install the OS using the Windows 10 Enterprise x64 reference image, install the configuration manager client, join PC4 to the domain, and restore users and settings from PC1. -1. Save checkpoints for all VMs if you wish to review their status at a later date. This action isn't required, as checkpoints do take up space on the Hyper-V host. +2. In the **Welcome to the Task Sequence Wizard**, enter **pass@word1** and select **Next**. + +3. Choose the **Windows 10 Enterprise X64** image. + +4. Setup will install the OS using the Windows 10 Enterprise x64 reference image, install the configuration manager client, join PC4 to the domain, and restore users and settings from PC1. + +5. Save checkpoints for all VMs if you wish to review their status at a later date. This action isn't required, as checkpoints do take up space on the Hyper-V host. > [!Note] > The next procedure will install a new OS on PC1, and update its status in Configuration Manager and in Active Directory as a Windows 10 device. So you can't return to a previous checkpoint only on the PC1 VM without a conflict. Therefore, if you do create a checkpoint, you should do this action for all VMs. - To save a checkpoint for all VMs, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: + To save a checkpoint for all VMs, enter the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: ```powershell Checkpoint-VM -Name DC1 -SnapshotName cm-refresh @@ -1083,14 +1163,17 @@ In the Configuration Manager console, in the **Software Library** workspace, und ### Initiate the computer refresh -1. On SRV1, in the Assets and Compliance workspace, select **Device Collections** and then double-click **Install Windows 10 Enterprise x64**. +1. On SRV1, in the **Assets and Compliance** workspace, select **Device Collections** and then double-click **Install Windows 10 Enterprise x64**. + 2. Right-click the computer account for PC1, point to **Client Notification**, select **Download Computer Policy**, and select **OK** in the popup dialog box. + 3. On PC1, in the notification area, select **New software is available** and then select **Open Software Center**. + 4. In the Software Center, select **Operating Systems**, select **Windows 10 Enterprise x64**, select **Install** and then select **INSTALL OPERATING SYSTEM**. See the following example: ![installOS.](images/configmgr-install-os.png) - The computer will restart several times during the installation process. Installation includes downloading updates, reinstalling the Configuration Manager Client Agent, and restoring the user state. You can view status of the installation in the Configuration Manager console by accessing the Monitoring workspace, clicking **Deployments**, and then double-clicking the deployment associated with the **Install Windows 10 Enterprise x64** collection. Under **Asset Details**, right-click the device and then select **More Details**. Select the **Status** tab to see a list of tasks that have been performed. See the following example: + The computer will restart several times during the installation process. Installation includes downloading updates, reinstalling the Configuration Manager Client Agent, and restoring the user state. You can view status of the installation in the Configuration Manager console by accessing the **Monitoring** workspace, clicking **Deployments**, and then double-clicking the deployment associated with the **Install Windows 10 Enterprise x64** collection. Under **Asset Details**, right-click the device and then select **More Details**. Select the **Status** tab to see a list of tasks that have been performed. See the following example: ![asset.](images/configmgr-asset.png) diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md index 376a7ff9c4..0998486d71 100644 --- a/windows/deployment/windows-10-poc.md +++ b/windows/deployment/windows-10-poc.md @@ -9,12 +9,12 @@ ms.prod: windows-client ms.technology: itpro-deploy ms.localizationpriority: medium ms.topic: tutorial -ms.date: 10/31/2022 +ms.date: 11/23/2022 --- # Step by step guide: Configure a test lab to deploy Windows 10 -*Applies to* +*Applies to:* - Windows 10 @@ -69,6 +69,7 @@ The procedures in this guide are summarized in the following table. An estimate One computer that meets the hardware and software specifications below is required to complete the guide; A second computer is recommended to validate the upgrade process. - **Computer 1**: the computer you'll use to run Hyper-V and host virtual machines. This computer should have 16 GB or more of installed RAM and a multi-core processor. + - **Computer 2**: a client computer from your network. It's shadow-copied to create a VM that can be added to the PoC environment, enabling you to test a mirror image of a computer on your network. If you don't have a computer to use for this simulation, you can download an evaluation VHD and use it to represent this computer. Subsequent guides use this computer to simulate Windows 10 replace and refresh scenarios, so the VM is required even if you can't create this VM using computer 2. Hardware requirements are displayed below: @@ -92,7 +93,9 @@ The lab architecture is summarized in the following diagram: ![PoC diagram.](images/poc.png) - Computer 1 is configured to host four VMs on a private, PoC network. + - Two VMs are running Windows Server 2012 R2 with required network services and tools installed. + - Two VMs are client systems: One VM is intended to mirror a host on your network (computer 2) and one VM is running Windows 10 Enterprise to demonstrate the hardware replacement scenario. > [!NOTE] @@ -120,8 +123,8 @@ Starting with Windows 8, the host computer's microprocessor must support second 1. To verify your computer supports SLAT, open an administrator command prompt, type **systeminfo**, press ENTER, and review the section displayed at the bottom of the output, next to Hyper-V Requirements. See the following example: - ```console - C:\>systeminfo + ```cmd + C:\>systeminfo.exe ... Hyper-V Requirements: VM Monitor Mode Extensions: Yes @@ -136,8 +139,8 @@ Starting with Windows 8, the host computer's microprocessor must support second You can also identify Hyper-V support using [tools](/archive/blogs/taylorb/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v) provided by the processor manufacturer, the [msinfo32](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731397(v=ws.11)) tool, or you can download the [coreinfo](/sysinternals/downloads/coreinfo) utility and run it, as shown in the following example: - ```console - C:\>coreinfo -v + ```cmd + C:\>coreinfo.exe -v Coreinfo v3.31 - Dump information on system CPU and memory topology Copyright (C) 2008-2014 Mark Russinovich @@ -205,7 +208,7 @@ When you have completed installation of Hyper-V on the host computer, begin conf The following example displays the procedures described in this section, both before and after downloading files: - ```console + ```cmd C:>mkdir VHD C:>cd VHD C:\VHD>ren 9600*.vhd 2012R2-poc-1.vhd @@ -225,13 +228,23 @@ When you have completed installation of Hyper-V on the host computer, begin conf If you don't have a PC available to convert to VM, do the following steps to download an evaluation VM: -1. Open the [Download virtual machines](https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/) page. +1. Open the [Download virtual machines](https://developer.microsoft.com/microsoft-edge/tools/vms/) page. + + > [!NOTE] + > The above link may not be available in all locales. + 2. Under **Virtual machine**, choose **IE11 on Win7**. + 3. Under **Select platform**, choose **HyperV (Windows)**. + 4. Select **Download .zip**. The download is 3.31 GB. + 5. Extract the zip file. Three directories are created. + 6. Open the **Virtual Hard Disks** directory and then copy **IE11 - Win7.vhd** to the **C:\VHD** directory. + 7. Rename **IE11 - Win7.vhd** to **w7.vhd** (don't rename the file to w7.vhdx). + 8. In step 5 of the [Configure Hyper-V](#configure-hyper-v) section, replace the VHD file name **w7.vhdx** with **w7.vhd**. If you have a PC available to convert to VM (computer 2): @@ -242,6 +255,7 @@ If you have a PC available to convert to VM (computer 2): > The account used in this step must have local administrator privileges. You can use a local computer account, or a domain account with administrative rights if domain policy allows the use of cached credentials. After converting the computer to a VM, you must be able to sign in on this VM with administrator rights while the VM is disconnected from the network. 2. [Determine the VM generation and partition type](#determine-the-vm-generation-and-partition-type) that is required. + 3. Based on the VM generation and partition type, perform one of the following procedures: [Prepare a generation 1 VM](#prepare-a-generation-1-vm), [Prepare a generation 2 VM](#prepare-a-generation-2-vm), or [prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk). #### Determine the VM generation and partition type @@ -256,6 +270,7 @@ When creating a VM in Hyper-V, you must specify either generation 1 or generatio If the PC is running a 32-bit OS or the OS is Windows 7, it must be converted to a generation 1 VM. Otherwise, it can be converted to a generation 2 VM. - To determine the OS and architecture of a PC, type **systeminfo** at a command prompt and review the output next to **OS Name** and **System Type**. + - To determine the partition style, open a Windows PowerShell prompt on the PC and type the following command: ```powershell @@ -265,7 +280,7 @@ If the PC is running a 32-bit OS or the OS is Windows 7, it must be converted to If the **Type** column doesn't indicate GPT, then the disk partition format is MBR ("Installable File System" = MBR). In the following example, the disk is GPT: ```powershell -PS C:> Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type +Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type SystemName Caption Type ---------- ------- ---- @@ -276,7 +291,7 @@ USER-PC1 Disk #0, Partition #1 GPT On a computer running Windows 8 or later, you can also type **Get-Disk** at a Windows PowerShell prompt to discover the partition style. The default output of this cmdlet displays the partition style for all attached disks. Both commands are displayed below. In this example, the client computer is running Windows 8.1 and uses a GPT style partition format: ```powershell -PS C:> Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type +Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type SystemName Caption Type ---------- ------- ---- @@ -293,34 +308,32 @@ Number Friendly Name OperationalStatus Tota 0 INTEL SSDSCMMW240A3L Online 223.57 GB GPT ``` - - -**Choosing a VM generation** +##### Choosing a VM generation The following tables display the Hyper-V VM generation to choose based on the OS, architecture, and partition style. Links to procedures to create the corresponding VMs are included. -**Windows 7 MBR** +###### Windows 7 MBR |Architecture|VM generation|Procedure| |--- |--- |--- | |32|1|[Prepare a generation 1 VM](#prepare-a-generation-1-vm)| |64|1|[Prepare a generation 1 VM](#prepare-a-generation-1-vm)| -**Windows 7 GPT** +###### Windows 7 GPT |Architecture|VM generation|Procedure| |--- |--- |--- | |32|N/A|N/A| |64|1|[Prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk)| -**Windows 8 or later MBR** +###### Windows 8 or later MBR |Architecture|VM generation|Procedure| |--- |--- |--- | |32|1|[Prepare a generation 1 VM](#prepare-a-generation-1-vm)| |64|1, 2|[Prepare a generation 1 VM](#prepare-a-generation-1-vm)| -**Windows 8 or later GPT** +###### Windows 8 or later GPT |Architecture|VM generation|Procedure| |--- |--- |--- | @@ -347,7 +360,7 @@ The following tables display the Hyper-V VM generation to choose based on the OS 3. Select the checkboxes next to the `C:\` and the **system reserved** (BIOS/MBR) volumes. The system volume isn't assigned a drive letter, but will be displayed in the Disk2VHD tool with a volume label similar to `\?\Volume{`. See the following example. > [!IMPORTANT] - > You must include the system volume in order to create a bootable VHD. If this volume isn't displayed in the disk2vhd tool, then the computer is likely to be using the GPT partition style. For more information, see [Determine VM generation](#determine-vm-generation). + > You must include the system volume in order to create a bootable VHD. If this volume isn't displayed in the disk2vhd tool, then the computer is likely to be using the GPT partition style. For more information, see [Choosing a VM generation](#choosing-a-vm-generation). 4. Specify a location to save the resulting VHD or VHDX file (F:\VHD\w7.vhdx in the following example) and select **Create**. See the following example: @@ -374,13 +387,14 @@ The following tables display the Hyper-V VM generation to choose based on the OS 2. On the computer you wish to convert, open an elevated command prompt and type the following command: - ```console - mountvol s: /s + ```cmd + mountvol.exe s: /s ``` This command temporarily assigns a drive letter of S to the system volume and mounts it. If the letter S is already assigned to a different volume on the computer, then choose one that is available (ex: mountvol z: /s). 3. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface. + 4. Select the checkboxes next to the **C:\\** and the **S:\\** volumes, and clear the **Use Volume Shadow Copy checkbox**. Volume shadow copy won't work if the EFI system partition is selected. > [!IMPORTANT] @@ -394,7 +408,7 @@ The following tables display the Hyper-V VM generation to choose based on the OS 6. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHDX file (PC1.vhdx) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory: - ```console + ```cmd C:\vhd>dir /B 2012R2-poc-1.vhd 2012R2-poc-2.vhd @@ -409,6 +423,7 @@ The following tables display the Hyper-V VM generation to choose based on the OS You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive. 2. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface. + 3. Select the checkbox next to the **C:\\** volume and clear the checkbox next to **Use Vhdx**. > [!NOTE] @@ -524,7 +539,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40 GB to > [!NOTE] > The RAM values assigned to VMs in this step are not permanent, and can be easily increased or decreased later if needed to address performance issues. -5. Using the same elevated Windows PowerShell prompt that was used in the previous step, type one of the following sets of commands, depending on the type of VM that was prepared in the [Determine VM generation](#determine-vm-generation) section, either generation 1, generation 2, or generation 1 with GPT. +5. Using the same elevated Windows PowerShell prompt that was used in the previous step, type one of the following sets of commands, depending on the type of VM that was prepared in the [Choosing a VM generation](#choosing-a-vm-generation) section, either generation 1, generation 2, or generation 1 with GPT. To create a generation 1 VM (using c:\vhd\w7.vhdx): @@ -574,19 +589,23 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40 GB to The VM will automatically boot into Windows Setup. In the PC1 window: 1. Select **Next**. + 2. Select **Repair your computer**. + 3. Select **Troubleshoot**. + 4. Select **Command Prompt**. + 5. Type the following command to save an image of the OS drive: - ```console - dism /Capture-Image /ImageFile:D:\c.wim /CaptureDir:C:\ /Name:Drive-C + ```cmd + dism.exe /Capture-Image /ImageFile:D:\c.wim /CaptureDir:C:\ /Name:Drive-C ``` 6. Wait for the OS image to complete saving, and then type the following commands to convert the C: drive to MBR: - ```console - diskpart + ```cmd + diskpart.exe select disk 0 clean convert MBR @@ -601,14 +620,16 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40 GB to 7. Type the following commands to restore the OS image and boot files: - ```console - dism /Apply-Image /ImageFile:D:\c.wim /Index:1 /ApplyDir:C:\ - bcdboot c:\windows + ```cmd + dism.exe /Apply-Image /ImageFile:D:\c.wim /Index:1 /ApplyDir:C:\ + bcdboot.exe c:\windows exit ``` 8. Select **Continue** and verify the VM boots successfully. Don't boot from DVD. + 9. Select **Ctrl+Alt+Del**, and then in the bottom right corner, select **Shut down**. + 10. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host to remove the temporary disks and drives from PC1: ```powershell @@ -626,8 +647,14 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40 GB to ``` 2. Select **Next** to accept the default settings, read the license terms and select **I accept**, provide a strong administrator password, and select **Finish**. + 3. Select **Ctrl+Alt+Del** in the upper left corner of the virtual machine connection window, and then sign in to DC1 using the Administrator account. -4. Right-click **Start**, point to **Shut down or sign out**, and select **Sign out**. The VM connection will reset and a new connection dialog box will appear enabling you to choose a custom display configuration. Select a desktop size, select **Connect** and sign in again with the local Administrator account. Note: Signing in this way ensures that [enhanced session mode](/windows-server/virtualization/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) is enabled. It's only necessary to do this action the first time you sign in to a new VM. + +4. Right-click **Start**, point to **Shut down or sign out**, and select **Sign out**. The VM connection will reset and a new connection dialog box will appear enabling you to choose a custom display configuration. Select a desktop size, select **Connect** and sign in again with the local Administrator account. + + > [!NOTE] + > Signing in this way ensures that [enhanced session mode](/windows-server/virtualization/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) is enabled. It's only necessary to do this action the first time you sign in to a new VM. + 5. If DC1 is configured as described in this guide, it will currently be assigned an APIPA address, have a randomly generated hostname, and a single network adapter named "Ethernet." Open an elevated Windows PowerShell prompt on DC1 and type or paste the following commands to provide a new hostname and configure a static IP address and gateway: ```powershell @@ -690,7 +717,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40 GB to The following output should be displayed: - ```powershell + ```console UseRootHint : True Timeout(s) : 3 EnableReordering : True @@ -752,8 +779,8 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40 GB to To open Windows PowerShell on Windows 7, select **Start**, and search for "**power**." Right-click **Windows PowerShell** and then select **Pin to Taskbar** so that it's simpler to use Windows PowerShell during this lab. Select **Windows PowerShell** on the taskbar, and then type `ipconfig` at the prompt to see the client's current IP address. Also type `ping dc1.contoso.com` and `nltest /dsgetdc:contoso.com` to verify that it can reach the domain controller. See the following examples of a successful network connection: - ```console - ipconfig + ```cmd + ipconfig.exe Windows IP Configuration @@ -909,8 +936,8 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40 GB to 33. In most cases, this process completes configuration of the PoC network. However, if your network has a firewall that filters queries from local DNS servers, you'll also need to configure a server-level DNS forwarder on SRV1 to resolve internet names. To test whether or not DNS is working without this forwarder, try to reach a name on the internet from DC1 or PC1, which are only using DNS services on the PoC network. You can test DNS with the ping command, for example: - ```powershell - ping www.microsoft.com + ```cmd + ping.exe www.microsoft.com ``` If you see "Ping request couldn't find host `www.microsoft.com`" on PC1 and DC1, but not on SRV1, then you'll need to configure a server-level DNS forwarder on SRV1. To do this action, open an elevated Windows PowerShell prompt on SRV1 and type the following command. @@ -924,8 +951,8 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40 GB to 34. If DNS and routing are both working correctly, you'll see the following output on DC1 and PC1 (the IP address might be different, but that's OK): - ```powershell - PS C:\> ping www.microsoft.com + ```cmd + ping www.microsoft.com Pinging e2847.dspb.akamaiedge.net [23.222.146.170] with 32 bytes of data: Reply from 23.222.146.170: bytes=32 time=3ms TTL=51 @@ -943,7 +970,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40 GB to 36. Lastly, because the client computer has different hardware after copying it to a VM, its Windows activation will be invalidated and you might receive a message that you must activate Windows in three days. To extend this period to 30 days, type the following commands at an elevated Windows PowerShell prompt on PC1: ```powershell - runas /noprofile /env /user:administrator@contoso.com "cmd /c slmgr -rearm" + runas.exe /noprofile /env /user:administrator@contoso.com "cmd.exe /c slmgr -rearm" Restart-Computer ``` @@ -963,7 +990,7 @@ Use the following procedures to verify that the PoC environment is configured pr Resolve-DnsName -Server dc1.contoso.com -Name www.microsoft.com Get-DhcpServerInDC Get-DhcpServerv4Statistics - ipconfig /all + ipconfig.exe /all ``` **Get-Service** displays a status of "Running" for all three services. @@ -988,8 +1015,8 @@ Use the following procedures to verify that the PoC environment is configured pr Get-Service DNS,RemoteAccess Get-DnsServerForwarder Resolve-DnsName -Server dc1.contoso.com -Name www.microsoft.com - ipconfig /all - netsh int ipv4 show address + ipconfig.exe /all + netsh.exe int ipv4 show address ``` **Get-Service** displays a status of "Running" for both services. @@ -1004,38 +1031,38 @@ Use the following procedures to verify that the PoC environment is configured pr 3. On PC1, open an elevated Windows PowerShell prompt and type the following commands: - ```powershell - whoami - hostname - nslookup www.microsoft.com - ping -n 1 dc1.contoso.com - tracert www.microsoft.com + ```cmd + whoami.exe + hostname.exe + nslookup.exe www.microsoft.com + ping.exe -n 1 dc1.contoso.com + tracert.exe www.microsoft.com ``` - **whoami** displays the current user context, for example in an elevated Windows PowerShell prompt, contoso\administrator is displayed. + **whoami.exe** displays the current user context, for example in an elevated Windows PowerShell prompt, contoso\administrator is displayed. - **hostname** displays the name of the local computer, for example W7PC-001. + **hostname.exe** displays the name of the local computer, for example W7PC-001. - **nslookup** displays the DNS server used for the query, and the results of the query. For example, server `dc1.contoso.com`, address 192.168.0.1, Name `e2847.dspb.akamaiedge.net`. + **nslookup.exe** displays the DNS server used for the query, and the results of the query. For example, server `dc1.contoso.com`, address 192.168.0.1, Name `e2847.dspb.akamaiedge.net`. - **ping** displays if the source can resolve the target name, and whether or not the target responds to ICMP. If it can't be resolved, "couldn't find host" will be displayed. If the target is found and also responds to ICMP, you'll see "Reply from" and the IP address of the target. + **ping.exe** displays if the source can resolve the target name, and whether or not the target responds to ICMP. If it can't be resolved, "couldn't find host" will be displayed. If the target is found and also responds to ICMP, you'll see "Reply from" and the IP address of the target. - **tracert** displays the path to reach the destination, for example `srv1.contoso.com` [192.168.0.2] followed by a list of hosts and IP addresses corresponding to subsequent routing nodes between the source and the destination. + **tracert.exe** displays the path to reach the destination, for example `srv1.contoso.com` [192.168.0.2] followed by a list of hosts and IP addresses corresponding to subsequent routing nodes between the source and the destination. ## Appendix B: Terminology used in this guide |Term|Definition| |--- |--- | -|GPT|GUID partition table (GPT) is an updated hard-disk formatting scheme that enables the use of newer hardware. GPT is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions.| -|Hyper-V|Hyper-V is a server role introduced with Windows Server 2008 that lets you create a virtualized computing environment. Hyper-V can also be installed as a Windows feature on Windows client operating systems, starting with Windows 8.| -|Hyper-V host|The computer where Hyper-V is installed.| -|Hyper-V Manager|The user-interface console used to view and configure Hyper-V.| -|MBR|Master Boot Record (MBR) is a legacy hard-disk formatting scheme that limits support for newer hardware. MBR is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions. MBR is in the process of being replaced by the GPT partition format.| -|Proof of concept (PoC)|Confirmation that a process or idea works as intended. A PoC is carried out in a test environment to learn about and verify a process.| -|Shadow copy|A copy or "snapshot" of a computer at a point in time, created by the Volume Shadow Copy Service (VSS), typically for backup purposes.| -|Virtual machine (VM)|A VM is a virtual computer with its own operating system, running on the Hyper-V host.| -|Virtual switch|A virtual network connection used to connect VMs to each other and to physical network adapters on the Hyper-V host.| -|VM snapshot|A point in time image of a VM that includes its disk, memory and device state. It can be used to return a virtual machine to a former state corresponding to the time the snapshot was taken.| +|**GPT**|GUID partition table (GPT) is an updated hard-disk formatting scheme that enables the use of newer hardware. GPT is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions.| +|**Hyper-V**|Hyper-V is a server role introduced with Windows Server 2008 that lets you create a virtualized computing environment. Hyper-V can also be installed as a Windows feature on Windows client operating systems, starting with Windows 8.| +|**Hyper-V host**|The computer where Hyper-V is installed.| +|**Hyper-V Manager**|The user-interface console used to view and configure Hyper-V.| +|**MBR**|Master Boot Record (MBR) is a legacy hard-disk formatting scheme that limits support for newer hardware. MBR is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions. MBR is in the process of being replaced by the GPT partition format.| +|**Proof of concept (PoC)**|Confirmation that a process or idea works as intended. A PoC is carried out in a test environment to learn about and verify a process.| +|**Shadow copy**|A copy or "snapshot" of a computer at a point in time, created by the Volume Shadow Copy Service (VSS), typically for backup purposes.| +|**Virtual machine (VM)**|A VM is a virtual computer with its own operating system, running on the Hyper-V host.| +|**Virtual switch**|A virtual network connection used to connect VMs to each other and to physical network adapters on the Hyper-V host.| +|**VM snapshot**|A point in time image of a VM that includes its disk, memory and device state. It can be used to return a virtual machine to a former state corresponding to the time the snapshot was taken.| ## Next steps diff --git a/windows/deployment/windows-10-pro-in-s-mode.md b/windows/deployment/windows-10-pro-in-s-mode.md index e5ceaf1248..d2bf8bb55d 100644 --- a/windows/deployment/windows-10-pro-in-s-mode.md +++ b/windows/deployment/windows-10-pro-in-s-mode.md @@ -6,16 +6,14 @@ ms.author: frankroj manager: aaroncz ms.localizationpriority: medium ms.prod: windows-client -ms.collection: - - M365-modern-desktop ms.topic: article -ms.date: 10/31/2022 +ms.date: 11/23/2022 ms.technology: itpro-deploy --- # Switch to Windows 10 Pro or Enterprise from S mode -We recommend staying in S mode. However, in some limited scenarios, you might need to switch to Windows 10 Pro, Home, or Enterprise (not in S mode). You can switch devices running Windows 10, version 1709 or later. +We recommend staying in S mode. However, in some limited scenarios, you might need to switch to Windows 10 Pro, Home, or Enterprise (not in S mode). You can switch devices running Windows 10, version 1709 or later. Many other transformations are possible depending on which version and edition of Windows 10 you're starting with. Depending on the details, you might *switch* between S mode and the ordinary version or *convert* between different editions while staying in or out of S mode. The following quick reference table summarizes all of the switches or conversions that are supported by various means: @@ -37,20 +35,26 @@ Many other transformations are possible depending on which version and edition o | | Home | Not by any method | Not by any method | Not by any method | Use the following information to switch to Windows 10 Pro through the Microsoft Store. + > [!IMPORTANT] > While it's free to switch to Windows 10 Pro, it's not reversible. The only way to rollback this kind of switch is through a [bare-metal recovery (BMR)](/windows-hardware/manufacture/desktop/create-media-to-run-push-button-reset-features-s14) reset. This restores a Windows device to the factory state, even if the user needs to replace the hard drive or completely wipe the drive clean. If a device is switched out of S mode via the Microsoft Store, it will remain out of S mode even after the device is reset. ## Switch one device through the Microsoft Store + Use the following information to switch to Windows 10 Pro through the Microsoft Store or by navigating to **Settings** and then **Activation** on the device. Note these differences affecting switching modes in various releases of Windows 10: - In Windows 10, version 1709, you can switch devices one at a time from Windows 10 Pro in S mode to Windows 10 Pro by using the Microsoft Store or **Settings**. No other switches are possible. -- In Windows 10, version 1803, you can switch devices running any S mode edition to the equivalent non-S mode edition one at a time by using the Microsoft Store or **Settings**. -- Windows 10, version 1809, you can switch devices running any S mode edition to the equivalent non-S mode edition one at a time by using the Microsoft Store, **Settings**, or you can switch multiple devices in bulk by using Intune. You can also block users from switching devices themselves. -1. Sign into the Microsoft Store using your Microsoft account. +- In Windows 10, version 1803, you can switch devices running any S mode edition to the equivalent non-S mode edition one at a time by using the Microsoft Store or **Settings**. + +- Windows 10, version 1809, you can switch devices running any S mode edition to the equivalent non-S mode edition one at a time by using the Microsoft Store, **Settings**, or you can switch multiple devices in bulk by using Intune. You can also block users from switching devices themselves. + +1. Sign into the Microsoft Store using your Microsoft account. + 2. Search for "S mode". + 3. In the offer, select **Buy**, **Get**, or **Learn more.** You'll be prompted to save your files before the switch starts. Follow the prompts to switch to Windows 10 Pro. @@ -60,13 +64,14 @@ You'll be prompted to save your files before the switch starts. Follow the promp Starting with Windows 10, version 1809, if you need to switch multiple devices in your environment from Windows 10 Pro in S mode to Windows 10 Pro, you can use Microsoft Intune or any other supported mobile device management software. You can configure devices to switch out of S mode during OOBE or post-OOBE. Switching out of S mode gives you flexibility to manage Windows 10 in S mode devices at any point during the device lifecycle. 1. Start Microsoft Intune. -2. Navigate to **Device configuration > Profiles > Windows 10 and later > Edition upgrade and mode switch**. + +2. Navigate to **Device configuration** > **Profiles** > **Windows 10 and later** > **Edition upgrade and mode switch**. + 3. Follow the instructions to complete the switch. ## Block users from switching -You can control which devices or users can use the Microsoft Store to switch out of S mode in Windows 10. -To set this policy, go to **Device configuration > Profiles > Windows 10 and later > Edition upgrade and mode switch in Microsoft Intune**, and then choose **Keep in S mode**. +You can control which devices or users can use the Microsoft Store to switch out of S mode in Windows 10. To set this policy, go to **Device configuration** > **Profiles** > **Windows 10 and later** > **Edition upgrade and mode switch in Microsoft Intune**, and then choose **Keep in S mode**. ## S mode management with CSPs @@ -77,4 +82,4 @@ In addition to using Microsoft Intune or another modern device management tool t [FAQs](https://support.microsoft.com/help/4020089/windows-10-in-s-mode-faq)
    [Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare)
    [Windows 10 Pro Education](/education/windows/test-windows10s-for-edu)
    -[Introduction to Microsoft Intune in the Azure portal](/intune/what-is-intune) \ No newline at end of file +[Introduction to Microsoft Intune in the Azure portal](/intune/what-is-intune) diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index 29d62e08fa..c34e8342eb 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md @@ -8,12 +8,11 @@ author: frankroj ms.author: frankroj manager: aaroncz ms.collection: - - M365-modern-desktop - highpri search.appverid: - MET150 ms.topic: conceptual -ms.date: 10/31/2022 +ms.date: 11/23/2022 appliesto: - ✅ Windows 10 - ✅ Windows 11 @@ -40,6 +39,9 @@ This article covers the following information: For more information on how to deploy Enterprise licenses, see [Deploy Windows Enterprise licenses](deploy-enterprise-licenses.md). +> [!NOTE] +> Organizations that use the Subscription Activation feature to enable users to upgrade from one version of Windows to another and use Conditional Access policies to control access need to exclude the Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f, from their device compliance policy using **Select Excluded Cloud Apps**. + ## Subscription activation for Enterprise Windows Enterprise E3 and E5 are available as online services via subscription. You can deploy Windows Enterprise in your organization without keys and reboots. @@ -98,7 +100,7 @@ The following list illustrates how deploying Windows client has evolved with eac > The following requirements don't apply to general Windows client activation on Azure. Azure activation requires a connection to Azure KMS only. It supports workgroup, hybrid, and Azure AD-joined VMs. In most scenarios, activation of Azure VMs happens automatically. For more information, see [Understanding Azure KMS endpoints for Windows product activation of Azure virtual machines](/troubleshoot/azure/virtual-machines/troubleshoot-activation-problems). > [!IMPORTANT] -> As of October 1, 2022, subscription activation is available for _commercial_ and _GCC_ tenants. It's currently not available on GCC High or DoD tenants. For more information, see [Enable subscription activation with an existing EA](deploy-enterprise-licenses.md#enable-subscription-activation-with-an-existing-ea). +> As of October 1, 2022, subscription activation is available for *commercial* and *GCC* tenants. It's currently not available on GCC High or DoD tenants. For more information, see [Enable subscription activation with an existing EA](deploy-enterprise-licenses.md#enable-subscription-activation-with-an-existing-ea). For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA), you must have the following requirements: @@ -144,7 +146,7 @@ You can benefit by moving to Windows as an online service in the following ways: > [!NOTE] > The following examples use Windows 10 Pro to Enterprise edition. The examples also apply to Windows 11, and Education editions. -The device is Azure AD-joined from **Settings > Accounts > Access work or school**. +The device is Azure AD-joined from **Settings** > **Accounts** > **Access work or school**. You assign Windows 10 Enterprise to a user: diff --git a/windows/deployment/windows-adk-scenarios-for-it-pros.md b/windows/deployment/windows-adk-scenarios-for-it-pros.md index f2fce638d0..f38cf33ebe 100644 --- a/windows/deployment/windows-adk-scenarios-for-it-pros.md +++ b/windows/deployment/windows-adk-scenarios-for-it-pros.md @@ -6,7 +6,7 @@ ms.author: frankroj manager: aaroncz ms.prod: windows-client ms.localizationpriority: medium -ms.date: 10/31/2022 +ms.date: 11/23/2022 ms.topic: article ms.technology: itpro-deploy --- @@ -19,50 +19,50 @@ In previous releases of Windows, the Windows ADK docs were published on both Tec Here are some key scenarios that will help you find the content on the MSDN Hardware Dev Center. -### Create a Windows image using command-line tools +## Create a Windows image using command-line tools [DISM](/windows-hardware/manufacture/desktop/dism---deployment-image-servicing-and-management-technical-reference-for-windows) is used to mount and service Windows images. Here are some things you can do with DISM: -- [Mount an offline image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism) -- [Add drivers to an offline image](/windows-hardware/manufacture/desktop/add-and-remove-drivers-to-an-offline-windows-image) -- [Enable or disable Windows features](/windows-hardware/manufacture/desktop/enable-or-disable-windows-features-using-dism) -- [Add or remove packages](/windows-hardware/manufacture/desktop/add-or-remove-packages-offline-using-dism) -- [Add language packs](/windows-hardware/manufacture/desktop/add-language-packs-to-windows) -- [Add Universal Windows apps](/windows-hardware/manufacture/desktop/preinstall-apps-using-dism) -- [Upgrade the Windows edition](/windows-hardware/manufacture/desktop/change-the-windows-image-to-a-higher-edition-using-dism) +- [Mount an offline image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism) +- [Add drivers to an offline image](/windows-hardware/manufacture/desktop/add-and-remove-drivers-to-an-offline-windows-image) +- [Enable or disable Windows features](/windows-hardware/manufacture/desktop/enable-or-disable-windows-features-using-dism) +- [Add or remove packages](/windows-hardware/manufacture/desktop/add-or-remove-packages-offline-using-dism) +- [Add language packs](/windows-hardware/manufacture/desktop/add-language-packs-to-windows) +- [Add Universal Windows apps](/windows-hardware/manufacture/desktop/preinstall-apps-using-dism) +- [Upgrade the Windows edition](/windows-hardware/manufacture/desktop/change-the-windows-image-to-a-higher-edition-using-dism) [Sysprep](/windows-hardware/manufacture/desktop/sysprep--system-preparation--overview) prepares a Windows installation for imaging and allows you to capture a customized installation. Here are some things you can do with Sysprep: -- [Generalize a Windows installation](/windows-hardware/manufacture/desktop/sysprep--generalize--a-windows-installation) -- [Customize the default user profile](/windows-hardware/manufacture/desktop/customize-the-default-user-profile-by-using-copyprofile) -- [Use answer files](/windows-hardware/manufacture/desktop/use-answer-files-with-sysprep) +- [Generalize a Windows installation](/windows-hardware/manufacture/desktop/sysprep--generalize--a-windows-installation) +- [Customize the default user profile](/windows-hardware/manufacture/desktop/customize-the-default-user-profile-by-using-copyprofile) +- [Use answer files](/windows-hardware/manufacture/desktop/use-answer-files-with-sysprep) [Windows PE (WinPE)](/windows-hardware/manufacture/desktop/winpe-intro) is a small operating system used to boot a computer that doesn't have an operating system. You can boot to Windows PE and then install a new operating system, recover data, or repair an existing operating system. Here are ways you can create a WinPE image: -- [Create a bootable USB drive](/windows-hardware/manufacture/desktop/winpe-create-usb-bootable-drive) -- [Create a Boot CD, DVD, ISO, or VHD](/windows-hardware/manufacture/desktop/winpe-create-usb-bootable-drive) +- [Create a bootable USB drive](/windows-hardware/manufacture/desktop/winpe-create-usb-bootable-drive) +- [Create a Boot CD, DVD, ISO, or VHD](/windows-hardware/manufacture/desktop/winpe-create-usb-bootable-drive) [Windows Recovery Environment (Windows RE)](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference) is a recovery environment that can repair common operating system problems. Here are some things you can do with Windows RE: -- [Customize Windows RE](/windows-hardware/manufacture/desktop/customize-windows-re) -- [Push-button reset](/windows-hardware/manufacture/desktop/push-button-reset-overview) +- [Customize Windows RE](/windows-hardware/manufacture/desktop/customize-windows-re) +- [Push-button reset](/windows-hardware/manufacture/desktop/push-button-reset-overview) [Windows System Image Manager (Windows SIM)](/windows-hardware/customize/desktop/wsim/windows-system-image-manager-technical-reference) helps you create answer files that change Windows settings and run scripts during installation. Here are some things you can do with Windows SIM: -- [Create answer file](/windows-hardware/customize/desktop/wsim/create-or-open-an-answer-file) -- [Add a driver path to an answer file](/windows-hardware/customize/desktop/wsim/add-a-device-driver-path-to-an-answer-file) -- [Add a package to an answer file](/windows-hardware/customize/desktop/wsim/add-a-package-to-an-answer-file) -- [Add a custom command to an answer file](/windows-hardware/customize/desktop/wsim/add-a-custom-command-to-an-answer-file) +- [Create answer file](/windows-hardware/customize/desktop/wsim/create-or-open-an-answer-file) +- [Add a driver path to an answer file](/windows-hardware/customize/desktop/wsim/add-a-device-driver-path-to-an-answer-file) +- [Add a package to an answer file](/windows-hardware/customize/desktop/wsim/add-a-package-to-an-answer-file) +- [Add a custom command to an answer file](/windows-hardware/customize/desktop/wsim/add-a-custom-command-to-an-answer-file) For a list of settings you can change, see [Unattended Windows Setup Reference](/windows-hardware/customize/desktop/unattend/) on the MSDN Hardware Dev Center. @@ -72,12 +72,12 @@ Introduced in Windows 10, [Windows Imaging and Configuration Designer (ICD)](/wi Here are some things you can do with Windows ICD: -- [Build and apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package) -- [Export a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package) +- [Build and apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package) +- [Export a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package) ### IT Pro Windows deployment tools There are also a few tools included in the Windows ADK that are specific to IT Pros and this documentation is available on TechNet: -- [Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md) -- [User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md) \ No newline at end of file +- [Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md) +- [User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md) diff --git a/windows/deployment/windows-autopatch/TOC.yml b/windows/deployment/windows-autopatch/TOC.yml index f2950818eb..8789fb10ba 100644 --- a/windows/deployment/windows-autopatch/TOC.yml +++ b/windows/deployment/windows-autopatch/TOC.yml @@ -6,10 +6,12 @@ items: - name: What is Windows Autopatch? href: overview/windows-autopatch-overview.md + - name: Roles and responsibilities + href: overview/windows-autopatch-roles-responsibilities.md - name: FAQ href: overview/windows-autopatch-faq.yml - name: Prepare - href: prepare/index.md + href: items: - name: Prerequisites href: prepare/windows-autopatch-prerequisites.md @@ -21,7 +23,7 @@ - name: Fix issues found by the Readiness assessment tool href: prepare/windows-autopatch-fix-issues.md - name: Deploy - href: deploy/index.md + href: items: - name: Add and verify admin contacts href: deploy/windows-autopatch-admin-contacts.md @@ -35,7 +37,7 @@ - name: Post-device registration readiness checks href: deploy/windows-autopatch-post-reg-readiness-checks.md - name: Operate - href: operate/index.md + href: items: - name: Software update management href: operate/windows-autopatch-update-management.md @@ -50,6 +52,19 @@ href: operate/windows-autopatch-wqu-end-user-exp.md - name: Windows quality update signals href: operate/windows-autopatch-wqu-signals.md + - name: Windows quality update reports + href: operate/windows-autopatch-wqu-reports-overview.md + items: + - name: Summary dashboard + href: operate/windows-autopatch-wqu-summary-dashboard.md + - name: All devices report + href: operate/windows-autopatch-wqu-all-devices-report.md + - name: All devices report—historical + href: operate/windows-autopatch-wqu-all-devices-historical-report.md + - name: Eligible devices report—historical + href: operate/windows-autopatch-wqu-eligible-devices-historical-report.md + - name: Ineligible devices report—historical + href: operate/windows-autopatch-wqu-ineligible-devices-historical-report.md - name: Windows feature updates href: operate/windows-autopatch-fu-overview.md items: @@ -85,5 +100,10 @@ href: references/windows-autopatch-changes-to-tenant.md - name: Privacy href: references/windows-autopatch-privacy.md - - name: Windows Autopatch preview addendum - href: references/windows-autopatch-preview-addendum.md \ No newline at end of file + - name: What's new + href: + items: + - name: What's new 2023 + href: whats-new/windows-autopatch-whats-new-2023.md + - name: What's new 2022 + href: whats-new/windows-autopatch-whats-new-2022.md \ No newline at end of file diff --git a/windows/deployment/windows-autopatch/deploy/index.md b/windows/deployment/windows-autopatch/deploy/index.md deleted file mode 100644 index 00fc06d01d..0000000000 --- a/windows/deployment/windows-autopatch/deploy/index.md +++ /dev/null @@ -1,20 +0,0 @@ ---- -title: Deploying with Windows Autopatch -description: Landing page for the deploy section -ms.date: 05/30/2022 -ms.prod: windows-client -ms.technology: itpro-updates -ms.topic: conceptual -ms.localizationpriority: medium -author: tiaraquan -ms.author: tiaraquan -manager: dougeby -msreviewer: hathind ---- - -# Deploying with Windows Autopatch - -The following articles describe the steps you must take to deploy your devices with Windows Autopatch: - -1. [Add and verify admin contacts](windows-autopatch-admin-contacts.md) -1. [Register devices](windows-autopatch-register-devices.md) diff --git a/windows/deployment/windows-autopatch/index.yml b/windows/deployment/windows-autopatch/index.yml index ee3fd80449..1f245af013 100644 --- a/windows/deployment/windows-autopatch/index.yml +++ b/windows/deployment/windows-autopatch/index.yml @@ -7,12 +7,13 @@ metadata: title: Windows Autopatch documentation # Required; page title displayed in search results. Include the brand. < 60 chars. description: Windows Autopatch is a cloud service that automates Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams updates to improve security and productivity across your organization. # Required; article description that is displayed in search results. < 160 chars. keywords: device, app, update, management - ms.service: w11 #Required; service per approved list. service slug assigned to your service by ACOM. ms.topic: landing-page # Required author: tiaraquan #Required; your GitHub user alias, with correct capitalization. ms.author: tiaraquan #Required; microsoft alias of author; optional team alias. ms.date: 05/30/2022 #Required; mm/dd/yyyy format. ms.custom: intro-hub-or-landing + ms.prod: windows-client + ms.technology: itpro-updates ms.collection: - highpri diff --git a/windows/deployment/windows-autopatch/media/release-process-timeline.png b/windows/deployment/windows-autopatch/media/release-process-timeline.png index 9aab1d73cf..693ad5ecf9 100644 Binary files a/windows/deployment/windows-autopatch/media/release-process-timeline.png and b/windows/deployment/windows-autopatch/media/release-process-timeline.png differ diff --git a/windows/deployment/windows-autopatch/media/update-communications.png b/windows/deployment/windows-autopatch/media/update-communications.png index e4eceeccd6..82e6b1fe78 100644 Binary files a/windows/deployment/windows-autopatch/media/update-communications.png and b/windows/deployment/windows-autopatch/media/update-communications.png differ diff --git a/windows/deployment/windows-autopatch/media/windows-autopatch-all-devices-historical-report.png b/windows/deployment/windows-autopatch/media/windows-autopatch-all-devices-historical-report.png new file mode 100644 index 0000000000..4a7cf97197 Binary files /dev/null and b/windows/deployment/windows-autopatch/media/windows-autopatch-all-devices-historical-report.png differ diff --git a/windows/deployment/windows-autopatch/media/windows-autopatch-all-devices-report.png b/windows/deployment/windows-autopatch/media/windows-autopatch-all-devices-report.png new file mode 100644 index 0000000000..31350b563f Binary files /dev/null and b/windows/deployment/windows-autopatch/media/windows-autopatch-all-devices-report.png differ diff --git a/windows/deployment/windows-autopatch/media/windows-autopatch-eligible-devices-historical-report.png b/windows/deployment/windows-autopatch/media/windows-autopatch-eligible-devices-historical-report.png new file mode 100644 index 0000000000..cb56852f3d Binary files /dev/null and b/windows/deployment/windows-autopatch/media/windows-autopatch-eligible-devices-historical-report.png differ diff --git a/windows/deployment/windows-autopatch/media/windows-autopatch-ineligible-devices-historical-report.png b/windows/deployment/windows-autopatch/media/windows-autopatch-ineligible-devices-historical-report.png new file mode 100644 index 0000000000..2aeacfd0d5 Binary files /dev/null and b/windows/deployment/windows-autopatch/media/windows-autopatch-ineligible-devices-historical-report.png differ diff --git a/windows/deployment/windows-autopatch/media/windows-autopatch-summary-dashboard.png b/windows/deployment/windows-autopatch/media/windows-autopatch-summary-dashboard.png new file mode 100644 index 0000000000..82cb1b1fcd Binary files /dev/null and b/windows/deployment/windows-autopatch/media/windows-autopatch-summary-dashboard.png differ diff --git a/windows/deployment/windows-autopatch/media/windows-feature-force-update.png b/windows/deployment/windows-autopatch/media/windows-feature-force-update.png index a1752b7996..2f0dd5f089 100644 Binary files a/windows/deployment/windows-autopatch/media/windows-feature-force-update.png and b/windows/deployment/windows-autopatch/media/windows-feature-force-update.png differ diff --git a/windows/deployment/windows-autopatch/media/windows-feature-release-process-timeline.png b/windows/deployment/windows-autopatch/media/windows-feature-release-process-timeline.png index 0b926b62f6..17b51a71f8 100644 Binary files a/windows/deployment/windows-autopatch/media/windows-feature-release-process-timeline.png and b/windows/deployment/windows-autopatch/media/windows-feature-release-process-timeline.png differ diff --git a/windows/deployment/windows-autopatch/media/windows-feature-typical-update-experience.png b/windows/deployment/windows-autopatch/media/windows-feature-typical-update-experience.png index f05268d372..a49f39ce2c 100644 Binary files a/windows/deployment/windows-autopatch/media/windows-feature-typical-update-experience.png and b/windows/deployment/windows-autopatch/media/windows-feature-typical-update-experience.png differ diff --git a/windows/deployment/windows-autopatch/media/windows-feature-update-grace-period.png b/windows/deployment/windows-autopatch/media/windows-feature-update-grace-period.png index a0899ccf6c..d0829576f6 100644 Binary files a/windows/deployment/windows-autopatch/media/windows-feature-update-grace-period.png and b/windows/deployment/windows-autopatch/media/windows-feature-update-grace-period.png differ diff --git a/windows/deployment/windows-autopatch/media/windows-quality-force-update.png b/windows/deployment/windows-autopatch/media/windows-quality-force-update.png index 147d61e752..70089da16b 100644 Binary files a/windows/deployment/windows-autopatch/media/windows-quality-force-update.png and b/windows/deployment/windows-autopatch/media/windows-quality-force-update.png differ diff --git a/windows/deployment/windows-autopatch/media/windows-quality-typical-update-experience.png b/windows/deployment/windows-autopatch/media/windows-quality-typical-update-experience.png index 830f9f1428..f79a27747a 100644 Binary files a/windows/deployment/windows-autopatch/media/windows-quality-typical-update-experience.png and b/windows/deployment/windows-autopatch/media/windows-quality-typical-update-experience.png differ diff --git a/windows/deployment/windows-autopatch/media/windows-quality-update-grace-period.png b/windows/deployment/windows-autopatch/media/windows-quality-update-grace-period.png index 4e347dc3cf..c6ab672cf7 100644 Binary files a/windows/deployment/windows-autopatch/media/windows-quality-update-grace-period.png and b/windows/deployment/windows-autopatch/media/windows-quality-update-grace-period.png differ diff --git a/windows/deployment/windows-autopatch/operate/index.md b/windows/deployment/windows-autopatch/operate/index.md deleted file mode 100644 index 125ddc43b1..0000000000 --- a/windows/deployment/windows-autopatch/operate/index.md +++ /dev/null @@ -1,28 +0,0 @@ ---- -title: Operating with Windows Autopatch -description: Landing page for the operate section -ms.date: 05/30/2022 -ms.prod: windows-client -ms.technology: itpro-updates -ms.topic: conceptual -ms.localizationpriority: medium -author: tiaraquan -ms.author: tiaraquan -manager: dougeby -msreviewer: hathind ---- - -# Operating with Windows Autopatch - -This section includes information about Windows Autopatch update management, types of updates managed by Windows Autopatch, maintaining your Windows Autopatch environment, how to contact the Windows Autopatch Service Engineering Team, and unenrolling your tenant: - -- [Update management](windows-autopatch-update-management.md) -- [Windows quality updates](windows-autopatch-wqu-overview.md) -- [Windows feature updates](windows-autopatch-fu-overview.md) -- [Microsoft 365 Apps for enterprise updates](windows-autopatch-microsoft-365-apps-enterprise.md) -- [Microsoft Edge updates](windows-autopatch-edge.md) -- [Microsoft Teams updates](windows-autopatch-teams.md) -- [Maintain the Windows Autopatch environment](windows-autopatch-maintain-environment.md) -- [Deregister devices](windows-autopatch-deregister-devices.md) -- [Submit a support request](windows-autopatch-support-request.md) -- [Unenroll your tenant](windows-autopatch-unenroll-tenant.md) diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md index 023003d400..020359528b 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md @@ -31,7 +31,7 @@ For a device to be eligible for Windows feature updates as a part of Windows Aut | Internet connectivity | Devices must have a steady internet connection, and access to Windows [update endpoints](../prepare/windows-autopatch-configure-network.md). | | Windows edition | Devices must be on a Windows edition supported by Windows Autopatch. For more information, see [Prerequisites](../prepare/windows-autopatch-prerequisites.md). | | Mobile device management (MDM) policy conflict | Devices must not have deployed any policies that would prevent device management. For more information, see [Conflicting and unsupported policies](../operate/windows-autopatch-wqu-unsupported-policies.md). | -| Group policy conflict | Devices must not have group policies deployed which would prevent device management. For more information, see [Group policy](windows-autopatch-wqu-unsupported-policies.md#group-policy) | +| Group policy conflict | Devices must not have group policies deployed which would prevent device management. For more information, see [Group policy](windows-autopatch-wqu-unsupported-policies.md#group-policy-and-other-policy-managers). | ## Windows feature update releases @@ -63,10 +63,10 @@ When releasing a feature update, there are two policies that are configured by t | Ring | Target version (DSS) Policy | Feature update deferral | Feature update deadline | Feature update grace period | | ----- | ----- | ----- | ----- | ----- | -| Test | 21H2 | 0 | 5 | 0 | -| First | 21H2 | 0 | 5 | 2 | -| Fast | 21H2 | 0 | 5 | 2 | -| Broad | 21H2 | 0 | 5 | 2 | +| Test | 20H2 | 0 | 5 | 0 | +| First | 20H2 | 0 | 5 | 2 | +| Fast | 20H2 | 0 | 5 | 2 | +| Broad | 20H2 | 0 | 5 | 2 | > [!NOTE] > Customers are not able to select a target version for their tenant. @@ -101,6 +101,6 @@ Windows Autopatch doesn't support the rollback of feature updates. ## Incidents and outages -If devices in your tenant aren't meeting the [service level objective](#service-level-objective) for Windows feature updates, Autopatch will raise an incident will be raised. The Windows Autopatch Service Engineering Team will work to bring those devices onto the latest version of Windows. +If devices in your tenant don't meet the [service level objective](#service-level-objective) for Windows feature updates, Autopatch will raise an incident will be raised. The Windows Autopatch Service Engineering Team will work to bring those devices onto the latest version of Windows. If you're experiencing other issues related to Windows feature updates, [submit a support request](../operate/windows-autopatch-support-request.md). diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md index ab63a52ddf..c59e0e6802 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md @@ -1,7 +1,7 @@ --- title: Submit a support request description: Details how to contact the Windows Autopatch Service Engineering Team and submit support requests -ms.date: 05/30/2022 +ms.date: 01/06/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: how-to @@ -19,10 +19,27 @@ msreviewer: hathind You can submit support tickets to Microsoft using the Windows Autopatch admin center. Email is the recommended approach to interact with the Windows Autopatch Service Engineering Team. -## Submit a new support request +## Submit a new support request Support requests are triaged and responded to as they're received. +### Premier and Unified support options + +If you have a **Premier** or **Unified** support contract, when you submit a new request, or edit an active support request, you can: + +- Specify the severity of your issue +- Schedule a support callback for a specific day and time + +Depending on your support contract, the following severity options are available: + +> [!NOTE] +> Selecting either severity **A** or **Critical** issue limits you to a phone support case. This is the fastest support option. + +| Support contract | Severity options | +| ----- | ----- | +| Premier | Severity A, B or C | +| Unified | Critical or non-critical | + **To submit a new support request:** 1. Sign into the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and navigate to the **Tenant administration** menu. diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-all-devices-historical-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-all-devices-historical-report.md new file mode 100644 index 0000000000..3808dd45a7 --- /dev/null +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-all-devices-historical-report.md @@ -0,0 +1,40 @@ +--- +title: All devices report—historical +description: Provides a visual representation of the update status trend for all devices over the last 90 days. +ms.date: 12/01/2022 +ms.prod: windows-client +ms.technology: itpro-updates +ms.topic: how-to +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +msreviewer: adnich +--- + +# All devices report—historical + +The historical All devices report provides a visual representation of the update status trend for all devices over the last 90 days. + +**To view the historical All devices report:** + +1. Sign into the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Navigate to **Reports** > **Windows Autopatch** > **Windows Quality Updates**. +1. Select the **Reports** tab. +1. Select **All devices report—historical**. + +:::image type="content" source="../media/windows-autopatch-all-devices-historical-report.png" alt-text="All devices—historical report" lightbox="../media/windows-autopatch-all-devices-historical-report.png"::: + +> [!NOTE] +> This report provides a time stamp of when the report trend was last generated and can be seen at the top of the page. + +## Report options + +The following options are available: + +| Option | Description | +| ----- | ----- | +| Export | Select **Export devices** at the top of the page to export data from this report into a CSV file. | +| Filter | Select either the **Update status** or **Deployment rings** filters at the top of the report to filter the results. Then, select **Generate trend**. | + +For a description of the displayed device status trends, see [Windows quality update statuses](windows-autopatch-wqu-reports-overview.md#windows-quality-update-statuses). diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-all-devices-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-all-devices-report.md new file mode 100644 index 0000000000..5536a42c04 --- /dev/null +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-all-devices-report.md @@ -0,0 +1,56 @@ +--- +title: All devices report +description: Provides a per device view of the current update status for all Windows Autopatch enrolled devices. +ms.date: 12/01/2022 +ms.prod: windows-client +ms.technology: itpro-updates +ms.topic: how-to +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +msreviewer: adnich +--- + +# All devices report + +The All devices report provides a per device view of the current update status for all Windows Autopatch enrolled devices. + +**To view the All devices report:** + +1. Sign into the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Navigate to **Reports** > **Windows Autopatch** > **Windows Quality Updates**. +1. Select the **Reports** tab. +1. Select **All devices report**. + +:::image type="content" source="../media/windows-autopatch-all-devices-report.png" alt-text="All devices report" lightbox="../media/windows-autopatch-all-devices-report.png"::: + +> [!NOTE] +> The data in this report is refreshed every 24 hours. The last refreshed on date/time can be seen at the top of the page. + +## Report information + +The following information is available in the All devices report: + +| Column name | Description | +| ----- | ----- | +| Device name | The name of the device. | +| Azure Active Directory (AD) device ID | The current Azure AD recorded device ID for the device. | +| Serial number | The current Intune recorded serial number for the device. | +| Deployment ring | The currently assigned Windows Autopatch deployment ring for the device. | +| Update status | The current update status for the device (see [Windows quality update statuses](windows-autopatch-wqu-reports-overview.md#windows-quality-update-statuses)). | +| Update sub status | The current update sub status for the device (see [Windows quality update statuses](windows-autopatch-wqu-reports-overview.md#windows-quality-update-statuses)) | +| OS version | The current version of Windows installed on the device. | +| OS revision | The current revision of Windows installed on the device. | +| Intune last check in time | The last time the device checked in to Intune. | + +## Report options + +The following options are available: + +| Option | Description | +| ----- | ----- | +| Search | Use to search by device name, Azure AD device ID or serial number | +| Sort | Select the **column headings** to sort the report data in ascending and descending order. | +| Export | Select **Export devices** at the top of the page to export data from this report into a CSV file. | +| Filter | Select either the **Update status** or **Deployment rings** filters at the top of the report to filter the results. Then, select **Generate report**. | diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-communications.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-communications.md index ffb70992db..e0b5a5f133 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-communications.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-communications.md @@ -12,7 +12,7 @@ manager: dougeby msreviewer: hathind --- -# Windows quality update communications +# Windows quality and feature update communications There are three categories of communication that are sent out during a Windows quality and feature update: @@ -29,8 +29,8 @@ Communications are posted to Message center, Service health dashboard, and the W | Communication | Location | Timing | Description | | ----- | ----- | ----- | ----- | | Release schedule |
    • Message center
    • Messages blade
    • Email sent to your specified [admin contacts](../deploy/windows-autopatch-admin-contacts.md)
        • | At least seven days prior to the second Tuesday of the month| Notification of the planned release window for each ring. | -| Release start | Same as release schedule | The second Tuesday of every month | Notification that the update is now being released into your environment. | -| Release summary | Same as release schedule | The fourth Tuesday of every month | Informs you of the percentage of eligible devices that were patched during the release. | +| Release start | Same as release schedule | The second Tuesday of every month. | Notification that the update is now being released into your environment. | +| Release summary | Same as release schedule | The fourth Tuesday of every month. | Informs you of the percentage of eligible devices that were patched during the release. | ## Communications during release diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-eligible-devices-historical-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-eligible-devices-historical-report.md new file mode 100644 index 0000000000..4e4e383213 --- /dev/null +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-eligible-devices-historical-report.md @@ -0,0 +1,40 @@ +--- +title: Eligible devices report—historical +description: Provides a visual representation of the update status trend for all eligible devices to receive quality updates over the last 90 days. +ms.date: 12/01/2022 +ms.prod: windows-client +ms.technology: itpro-updates +ms.topic: how-to +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +msreviewer: adnich +--- + +# Eligible devices report—historical + +The historical Eligible devices report provides a visual representation of the update status trend for all eligible devices to receive quality updates over the last 90 days. + +**To view the historical Eligible devices report:** + +1. Sign into the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Navigate to **Reports** > **Windows Autopatch** > **Windows Quality Updates**. +1. Select the **Reports** tab. +1. Select **Eligible devices report—historical**. + +:::image type="content" source="../media/windows-autopatch-eligible-devices-historical-report.png" alt-text="Eligible devices—historical report" lightbox="../media/windows-autopatch-eligible-devices-historical-report.png"::: + +> [!NOTE] +> This report provides a time stamp of when the report trend was last generated and can be seen at the top of the page. + +## Report options + +The following options are available: + +| Option | Description | +| ----- | ----- | +| Export | Select **Export devices** at the top of the page to export data from this report into a CSV file. | +| Filter | Select either the **Update status** or **Deployment rings** filters at the top of the report to filter the results. Then, select **Generate trend**. | + +For a description of the displayed device status trends, see [Windows quality update statuses](windows-autopatch-wqu-reports-overview.md#windows-quality-update-statuses). diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-ineligible-devices-historical-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-ineligible-devices-historical-report.md new file mode 100644 index 0000000000..733ee98e88 --- /dev/null +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-ineligible-devices-historical-report.md @@ -0,0 +1,43 @@ +--- +title: Ineligible devices report—historical +description: Provides a visual representation of why devices have been ineligible to receive quality updates over the last 90 days. +ms.date: 12/01/2022 +ms.prod: windows-client +ms.technology: itpro-updates +ms.topic: how-to +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +msreviewer: adnich +--- + +# Ineligible devices report—historical + +The historical Ineligible devices report provides a visual representation of why devices have been ineligible to receive quality updates over the last 90 days. + +> [!NOTE] +> Devices must have at least six hours of usage, with at least two hours being continuous. You may see an increase in the number of ineligible devices when the widget refreshes every second Tuesday of each month. + +**To view the historical Ineligible devices report:** + +1. Sign into the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Navigate to **Reports** > **Windows Autopatch** > **Windows Quality Updates**. +1. Select the **Reports** tab. +1. Select **Ineligible devices report—historical**. + +:::image type="content" source="../media/windows-autopatch-ineligible-devices-historical-report.png" alt-text="Ineligible devices—historical report" lightbox="../media/windows-autopatch-ineligible-devices-historical-report.png"::: + +> [!NOTE] +> This report provides a time stamp of when the report trend was last generated and can be seen at the top of the page. + +## Report options + +The following options are available: + +| Option | Description | +| ----- | ----- | +| Export | Select **Export devices** at the top of the page to export data from this report into a CSV file. | +| Filter | Select either the **Update status** or **Deployment rings** filters at the top of the report to filter the results. Then, select **Generate trend**. | + +For a description of the displayed device status trends, see [Windows quality update statuses](windows-autopatch-wqu-reports-overview.md#windows-quality-update-statuses). diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md index d922d4a3cc..2dbf3db0a5 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md @@ -1,7 +1,7 @@ --- title: Windows quality updates description: This article explains how Windows quality updates are managed in Autopatch -ms.date: 08/08/2022 +ms.date: 12/15/2022 ms.prod: windows-client ms.technology: itpro-updates ms.topic: conceptual @@ -31,7 +31,7 @@ For a device to be eligible for Windows quality updates as a part of Windows Aut | Internet connectivity | Devices must have a steady internet connection, and access to Windows [update endpoints](../prepare/windows-autopatch-configure-network.md). | | Windows edition | Devices must be on a Windows edition supported by Windows Autopatch. For more information, see [Prerequisites](../prepare/windows-autopatch-prerequisites.md). | | Mobile device management (MDM) policy conflict | Devices must not have deployed any policies that would prevent device management. For more information, see [Conflicting and unsupported policies](../operate/windows-autopatch-wqu-unsupported-policies.md). | -| Group policy conflict | Devices must not have group policies deployed which would prevent device management. For more information, see [Group policy](windows-autopatch-wqu-unsupported-policies.md#group-policy) | +| Group policy conflict | Devices must not have group policies deployed which would prevent device management. For more information, see [Group policy](windows-autopatch-wqu-unsupported-policies.md#group-policy-and-other-policy-managers) | ## Windows quality update releases @@ -52,27 +52,72 @@ Windows Autopatch configures these policies differently across update rings to g :::image type="content" source="../media/release-process-timeline.png" alt-text="Release process timeline" lightbox="../media/release-process-timeline.png"::: -## Expedited releases +## Release management + +In the Release management blade, you can: + +- Track the [Windows quality update schedule](#release-schedule) for devices in the [four deployment rings](windows-autopatch-update-management.md#windows-autopatch-deployment-rings). +- [Turn off expedited Windows quality updates](#turn-off-service-driven-expedited-quality-update-releases). +- Review release announcements and knowledge based articles for regular and [Out of Band (OOB) Windows quality updates](#out-of-band-releases). + +### Release schedule + +For each [deployment ring](windows-autopatch-update-management.md#windows-autopatch-deployment-rings), the **Release schedule** tab contains: + +- The status of the update. Releases will appear as **Active**. The update schedule is based on the values of the [Windows 10 Update Ring policies](/mem/intune/protect/windows-update-for-business-configure), which have been configured on your behalf. +- The date the update is available. +- The target completion date of the update. +- In the **Release schedule** tab, you can either [**Pause** and/or **Resume**](#pausing-and-resuming-a-release) a Windows quality update release. + +### Expedited releases Threat and vulnerability information about a new revision of Windows becomes available on the second Tuesday of each month. Windows Autopatch assesses that information shortly afterwards. If the service determines that it's critical to security, it may be expedited. The quality update is also evaluated on an ongoing basis throughout the release and Windows Autopatch may choose to expedite at any time during the release. -When running an expedited release, the regular goal of 95% of devices in 21 days no longer applies. Instead, Windows Autopatch greatly accelerates the release schedule of the release to update the environment more quickly. This approach requires an updated schedule for all devices outside of the Test ring since those devices are already getting the update as quickly. +When running an expedited release, the regular goal of 95% of devices in 21 days no longer applies. Instead, Windows Autopatch greatly accelerates the release schedule of the release to update the environment more quickly. This approach requires an updated schedule for all devices outside of the Test ring since those devices are already getting the update quickly. | Release type | Group | Deferral | Deadline | Grace period | | ----- | ----- | ----- | ----- | ----- | | Standard release | Test

        First

        Fast

        Broad | 0

        1

        6

        9 | 0

        2

        2

        5 | 0

        2

        2

        2 | | Expedited release | All devices | 0 | 1 | 1 | +#### Turn off service-driven expedited quality update releases + +Windows Autopatch provides the option to turn off of service-driven expedited quality updates. + +By default, the service expedites quality updates as needed. For those organizations seeking greater control, you can disable expedited quality updates for Windows Autopatch-enrolled devices using Microsoft Intune. + +**To turn off service-driven expedited quality updates:** + +1. Go to **[Microsoft Endpoint Manager portal](https://go.microsoft.com/fwlink/?linkid=2109431)** > **Devices**. +2. Under **Windows Autopatch** > **Release management**, go to the **Release settings** tab and turn off the **Expedited Quality Updates** setting. + > [!NOTE] > Windows Autopatch doesn't allow customers to request expedited releases. -## Pausing and resuming a release +### Out of Band releases + +Windows Autopatch schedules and deploys required Out of Band (OOB) updates released outside of the normal schedule. + +**To view deployed Out of Band quality updates:** + +1. Go to [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) > **Devices** > **Windows Autopatch** > **Release management**. +2. Under the **Release Announcements** tab, you can view the knowledge base (KB) articles corresponding to deployed OOB and regular Windows quality updates. + +> [!NOTE] +> Announcements will be **removed** from the Release announcements tab when the next quality update is released. Further, if quality updates are paused for a deployment ring, the OOB updates will also be paused. + +### Pausing and resuming a release If Windows Autopatch detects a [significant issue with a release](../operate/windows-autopatch-wqu-signals.md), we may decide to pause that release. -If we pause the release, a policy will be deployed which prevents devices from updating while the issue is investigated. Once the issue is resolved, the release will be resumed. +In the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) > **Release management** > in the **Release schedule** tab, you can pause or resume a Windows quality update. -You can pause or resume a Windows quality update from the Release management tab in the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +There are two statuses associated with paused quality updates, **Service Paused** and **Customer Paused**. + +| Status | Description | +| ----- | ------ | +| Service Paused | If the Windows Autopatch service has paused an update, the release will have the **Service Paused** status. You must [submit a support request](windows-autopatch-support-request.md) to resume the update. | +| Customer Paused | If you've paused an update, the release will have the **Customer Paused** status. The Windows Autopatch service can't overwrite a customer-initiated pause. You must select **Resume** to resume the update. | ## Incidents and outages diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-reports-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-reports-overview.md new file mode 100644 index 0000000000..2e61770efe --- /dev/null +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-reports-overview.md @@ -0,0 +1,110 @@ +--- +title: Windows quality update reports +description: This article details the types of reports available and info about update device eligibility, device update health, device update trends in Windows Autopatch +ms.date: 12/01/2022 +ms.prod: windows-client +ms.technology: itpro-updates +ms.topic: how-to +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +msreviewer: adnich +--- + +# Windows quality update reports + +The Windows quality update reports provide you information about: + +- Quality update device eligibility +- Device update health +- Device update trends + +Together, these reports provide insight into the quality update state and compliance of Windows devices that are enrolled into Windows Autopatch. + +The report types are organized into the following focus areas: + +| Focus area | Description | +| ----- | ----- | +| Operational detail |

        • [Summary dashboard](windows-autopatch-wqu-summary-dashboard.md): Provides the current update status summary for all devices.
        • [All devices report](windows-autopatch-wqu-all-devices-report.md): Provides the current update status of all devices at the device level.
        | +| Device trends |
        • [All devices report – historical](windows-autopatch-wqu-all-devices-historical-report.md): Provides the update status trend of all devices over the last 90 days.
        • [Eligible devices report – historical](windows-autopatch-wqu-eligible-devices-historical-report.md): Provides the update status trend of all eligible devices to receive quality updates over the last 90 days.
        • [Ineligible devices report – historical](windows-autopatch-wqu-ineligible-devices-historical-report.md): Provides a trending view of why ineligible devices haven’t received quality updates over the last 90 days.
        | + +## Who can access the reports? + +Users with the following permissions can access the reports: + +- Global Administrator +- Intune Service Administrator +- Administrators assigned to an Intune role with read permissions + +## About data latency + +The data source for these reports is the [Windows diagnostic data](../references/windows-autopatch-privacy.md#microsoft-windows-1011-diagnostic-data). The data typically uploads from enrolled devices once per day. Then, the data is processed in batches before being made available in Windows Autopatch. The maximum end-to-end latency is approximately 24 hours. + +## Windows quality update statuses + +The following statuses are used throughout the Windows Autopatch reporting suite to describe the quality update status for devices: + +- [Healthy devices](#healthy-devices) +- [Not Up to Date (Microsoft Action)](#not-up-to-date-microsoft-action) +- [Ineligible Devices (Customer Action)](#ineligible-devices-customer-action) + +Each status has its own set of sub statuses to further describe the status. + +### Healthy devices + +Healthy devices are devices that meet all of the following prerequisites: + +- [Prerequisites](../prepare/windows-autopatch-prerequisites.md) +- [Prerequisites for device registration](../deploy/windows-autopatch-register-devices.md#prerequisites-for-device-registration) +- [Windows quality update device eligibility](../operate/windows-autopatch-wqu-overview.md#device-eligibility) + +> [!NOTE] +> Healthy devices will remain with the **In Progress** status for the 21-day service level objective period. Devices which are **Paused** are also considered healthy. + +| Sub status | Description | +| ----- | ----- | +| Up to Date | Devices are up to date with the latest quality update deployed through the [Windows Autopatch release schedule](../operate/windows-autopatch-wqu-overview.md#windows-quality-update-releases). | +| In Progress | Devices are currently installing the latest quality update deployed through the [Windows Autopatch release schedule](../operate/windows-autopatch-wqu-overview.md#windows-quality-update-releases). | +| Paused | Devices that are currently paused due to a Windows Autopatch or customer-initiated Release Management pause. For more information, see [Pausing and resuming a release](../operate/windows-autopatch-wqu-overview.md#pausing-and-resuming-a-release). | + +### Not Up to Date (Microsoft Action) + +Not Up to Date means a device isn’t up to date when the: + +- Quality update is more than a month out of date, or the device is on last month’s quality update +- Device is more than 21 days overdue from the last release. + +> [!NOTE] +> Microsoft Action refers to the responsibility of the Windows Autopatch Service Engineering Team to carry out the appropriate action to resolve the reported device state. Windows Autopatch aims to keep at least [95% of eligible devices on the latest Windows quality update 21 days after release](../operate/windows-autopatch-wqu-overview.md#service-level-objective). + +| Sub status | Description | +| ----- | ----- | +| No Heartbeat | The Windows Update service hasn’t been able to connect to this device. The service can’t offer the update to that device. | +| Not Offered | The Windows Update service hasn’t offered the update to that device. | +| Policy Blocking Update | This device has a policy that is blocking the update, such as a deferral or pause policy. Devices are only in this state after the 21-day threshold. | +| In Progress—Stuck | This device has downloaded the update but is getting stuck in a loop during the install process. The update isn’t complete. | +| Other | This device isn't up to date and isn’t reporting back data from the client. | + +### Ineligible Devices (Customer Action) + +Customer Action refers to the responsibility of the designated customer IT administrator to carry out the appropriate action to resolve the reported device sub status. + +Within each 24-hour reporting period, devices that are ineligible are updated with one of the following sub statuses. + +| Sub status | Description | +| ----- | ----- | +| Insufficient Usage | Devices must have at least six hours of usage, with at least two hours being continuous. | +| Low Connectivity | Devices must have a steady internet connection, and access to [Windows update endpoints](../prepare/windows-autopatch-configure-network.md). | +| Out of Disk Space | Devices must have more than one GB (GigaBytes) of free storage space. | +| Not Deployed | Windows Autopatch doesn't update devices that haven't yet been deployed. | +| Not On Supported Windows Edition | Devices must be on a Windows edition supported by Windows Autopatch. For more information, see [prerequisites](../prepare/windows-autopatch-prerequisites.md). | +| Not On Supported Windows Build | Devices must be on a Windows build supported by Windows Autopatch. For more information, see [prerequisites](../prepare/windows-autopatch-prerequisites.md). | +| Intune Sync Older Than 5 Days | Devices must have checked in with Intune within the last five days. | + +## Data export + +Select **Export devices** to export data for each report type. + +> [!NOTE] +> You can’t export Windows Autopatch report data using Microsoft Graph RESTful web API. diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-signals.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-signals.md index be5becc700..2a4c33b67a 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-signals.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-signals.md @@ -22,7 +22,7 @@ If there's a scenario that is critical to your business, which isn't monitored b Before being released to the Test ring, Windows Autopatch reviews several data sources to determine if we need to send any customer advisories or need to pause the update. Situations where Windows Autopatch doesn't release an update to the Test ring are seldom occurrences. -| Text | Text | +| Pre-release signal | Description | | ----- | ----- | | Windows Payload Review | The contents of the B release are reviewed to help focus your update testing on areas that have changed. If any relevant changes are detected, a [customer advisory](../operate/windows-autopatch-wqu-communications.md#communications-during-release) will be sent out. | | C-Release Review - Internal Signals | Windows Autopatch reviews active incidents associated with the previous C release to understand potential risks in the B release. | @@ -50,12 +50,12 @@ Autopatch monitors the following reliability signals: | Device reliability signal | Description | | ----- | ----- | -| Blue screens | These events are highly disruptive to end users so are closely watched. | +| Blue screens | These events are highly disruptive to end users. These events are closely monitored. | | Overall app reliability | Tracks the total number of app crashes and freezes on a device. A known limitation with this measure is that if one app becomes 10% more reliable and another becomes 10% less reliable then it shows up as a flat line in the measure. | | Microsoft Office reliability | Tracks the number of Office crashes and freezes per application per device. | | Microsoft Edge reliability | Tracks the number of Microsoft Edge crashes and freezes per device. | | Microsoft Teams reliability | Tracks the number of Microsoft Teams crashes and freezes per device. | -When the update is released to the First ring, the service crosses the 500 device threshold. Therefore, Autopatch is able to detect regressions, which are common to all customers. At this point in the release, we'll decide if we need to change the release schedule or pause for all customers. +When the update is released to the First ring, the service crosses the 500 device threshold. Therefore, Autopatch can to detect regressions, which are common to all customers. At this point in the release, we'll decide if we need to change the release schedule or pause for all customers. Once your tenant reaches 500 devices, Windows Autopatch starts generating recommendations specific to your devices. Based on this information, the service starts developing insights specific to your tenant allowing a customized response to what's happening in your environment. diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-summary-dashboard.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-summary-dashboard.md new file mode 100644 index 0000000000..735136be22 --- /dev/null +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-summary-dashboard.md @@ -0,0 +1,44 @@ +--- +title: Summary dashboard +description: Provides a summary view of the current update status for all devices enrolled into Windows Autopatch. +ms.date: 12/01/2022 +ms.prod: windows-client +ms.technology: itpro-updates +ms.topic: how-to +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +msreviewer: adnich +--- + +# Summary dashboard + +The Summary dashboard provides a summary view of the current update status for all devices enrolled into Windows Autopatch. + +**To view the current update status for all your enrolled devices:** + +1. Sign into the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Navigate to **Reports** > **Windows Autopatch** > **Windows Quality Updates**. + +:::image type="content" source="../media/windows-autopatch-summary-dashboard.png" alt-text="Summary dashboard" lightbox="../media/windows-autopatch-summary-dashboard.png"::: + +> [!NOTE] +> The data in this report is refreshed every 24 hours. The last refreshed on date/time can be seen at the top of the page. + +## Report information + +The following information is available in the Summary dashboard: + +| Column name | Description | +| ----- | ----- | +| Windows quality update status | The device update state. For more information, see [Windows quality update status](windows-autopatch-wqu-reports-overview.md#windows-quality-update-statuses). | +| Devices | The number of devices showing as applicable for the state. | + +## Report options + +The following option is available: + +| Option | Description | +| ----- | ----- | +| Refresh | The option to **Refresh** the Summary dashboard is available at the top of the page. This process will ensure that the Summary dashboard view is updated to the latest available dataset from within the last 24-hour period. | diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml index 7f5b4cf23e..fdb9b1f891 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml @@ -2,7 +2,7 @@ metadata: title: Windows Autopatch - Frequently Asked Questions (FAQ) description: Answers to frequently asked questions about Windows Autopatch. - ms.prod: w11 + ms.prod: windows-client ms.topic: faq ms.date: 08/26/2022 audience: itpro @@ -11,6 +11,7 @@ metadata: author: tiaraquan ms.author: tiaraquan ms.reviwer: hathind + ms.technology: itpro-updates title: Frequently Asked Questions about Windows Autopatch summary: This article answers frequently asked questions about Windows Autopatch. sections: @@ -45,7 +46,9 @@ sections: - [Azure Active Directory (Azure AD) Premium](/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses) - [Hybrid Azure AD-Joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or [Azure AD-joined only](/azure/active-directory/devices/concept-azure-ad-join-hybrid) - [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune) - Additional pre-requisites for devices managed by Configuration Manager: + + Additional prerequisites for devices managed by Configuration Manager: + - [Configuration Manager Co-management requirements](../prepare/windows-autopatch-prerequisites.md#configuration-manager-co-management-requirements) - [A supported version of Configuration Manager](/mem/configmgr/core/servers/manage/updates#supported-versions) - [Switch workloads for device configuration, Windows Update and Microsoft 365 Apps from Configuration Manager to Intune](/mem/configmgr/comanage/how-to-switch-workloads) (minimum Pilot Intune. Pilot collection must contain the devices you want to register into Autopatch.) @@ -85,7 +88,7 @@ sections: - Microsoft Teams: Windows Autopatch allows eligible devices to benefit from the standard automatic update channels and will provide support for issues with Teams updates. - question: What does Windows Autopatch do to ensure updates are done successfully? answer: | - For Windows quality updates, updates are applied to devices in the Test ring first. The devices are evaluated, and then rolled out to the First, Fast then Broad rings. There's an evaluation period at each progression. This process is dependent on customer testing and verification of all updates during these rollout stages. The outcome is to ensure that registered devices are always up to date and disruption to business operations is minimized to free up your IT department from that ongoing task. + For Windows quality and feature updates, updates are applied to devices in the Test ring first. The devices are evaluated, and then rolled out to the First, Fast then Broad rings. There's an evaluation period at each progression. This process is dependent on customer testing and verification of all updates during these rollout stages. The outcome is to ensure that registered devices are always up to date and disruption to business operations is minimized to free up your IT department from that ongoing task. - question: What happens if there's an issue with an update? answer: | Autopatch relies on the following capabilities to help resolve update issues: diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md new file mode 100644 index 0000000000..ec8c9d7ece --- /dev/null +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md @@ -0,0 +1,91 @@ +--- +title: Roles and responsibilities +description: This article describes the roles and responsibilities provided by Windows Autopatch and what the customer must do +ms.date: 12/12/2022 +ms.prod: windows-client +ms.technology: itpro-updates +ms.topic: conceptual +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +msreviewer: hathind +--- + +# Roles and responsibilities + +This article outlines your responsibilities and Windows Autopatch's responsibilities when: + +- [Preparing to enroll into the Windows Autopatch service](#prepare) +- [Deploying the service](#deploy) +- [Operating with the service](#operate) + +## Prepare + +| Task | Your responsibility | Windows Autopatch | +| ----- | :-----: | :-----: | +| Review the [prerequisites](../prepare/windows-autopatch-prerequisites.md) | :heavy_check_mark: | :x: | +| [Review the service data platform and privacy compliance details](../references/windows-autopatch-privacy.md) | :heavy_check_mark: | :x: | +| Ensure device [prerequisites](../prepare/windows-autopatch-prerequisites.md) are met and in place prior to enrollment | :heavy_check_mark: | :x: | +| Ensure [infrastructure and environment prerequisites](../prepare/windows-autopatch-configure-network.md) are met and in place prior to enrollment | :heavy_check_mark: | :x: | +| Prepare to remove your devices from existing unsupported [Windows update](../references/windows-autopatch-wqu-unsupported-policies.md) and [Microsoft 365](../references/windows-autopatch-microsoft-365-policies.md) policies | :heavy_check_mark: | :x: | +| [Configure required network endpoints](../prepare/windows-autopatch-configure-network.md#required-microsoft-product-endpoints) | :heavy_check_mark: | :x: | +| [Fix issues identified by the Readiness assessment tool](../prepare/windows-autopatch-fix-issues.md) | :heavy_check_mark: | :x: | +| [Enroll tenant into the Windows Autopatch service](../prepare/windows-autopatch-enroll-tenant.md) | :heavy_check_mark: | :x: | +| Identify stakeholders for deployment communications | :heavy_check_mark: | :x: | + +## Deploy + +| Task | Your responsibility | Windows Autopatch | +| ----- | :-----: | :-----: | +| [Add and verify admin contacts](../deploy/windows-autopatch-admin-contacts.md) in Microsoft Endpoint Manager | :heavy_check_mark: | :x: | +| [Deploy and configure Windows Autopatch service configuration](../references/windows-autopatch-changes-to-tenant.md) | :x: | :heavy_check_mark: | +| Educate users on the Windows Autopatch end user update experience
        • [Windows quality update end user experience](../operate/windows-autopatch-wqu-end-user-exp.md)
        • [Windows feature update end user experience](../operate/windows-autopatch-fu-end-user-exp.md)
        • [Microsoft 365 Apps for enterprise end user experience](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#end-user-experience)
        • [Microsoft Teams end user experience](../operate/windows-autopatch-teams.md#end-user-experience)
        | :heavy_check_mark: | :x: | +| Remove your devices from existing unsupported [Windows update](../references/windows-autopatch-wqu-unsupported-policies.md) and [Microsoft 365](../references/windows-autopatch-microsoft-365-policies.md) policies | :heavy_check_mark: | :x: | +| [Register devices/add devices to the Windows Autopatch Device Registration group](../deploy/windows-autopatch-register-devices.md#steps-to-register-devices) | :heavy_check_mark: | :x: | +| [Run the pre-registration device readiness checks](../deploy/windows-autopatch-register-devices.md#about-the-ready-not-ready-and-not-registered-tabs) | :x: | :heavy_check_mark: | +| [Automatically assign devices to First, Fast & Broad deployment rings at device registration](../operate/windows-autopatch-update-management.md#deployment-ring-calculation-logic) | :x: | :heavy_check_mark: | +| [Manually override device assignments to First, Fast & Broad deployment rings](../operate/windows-autopatch-update-management.md#moving-devices-in-between-deployment-rings) | :heavy_check_mark: | :x: | +| [Remediate devices displayed in the **Not ready** tab](../deploy/windows-autopatch-post-reg-readiness-checks.md#about-the-three-tabs-in-the-devices-blade) | :heavy_check_mark: | :x: | +| [Remediate devices displayed in the **Not registered** tab](../deploy/windows-autopatch-post-reg-readiness-checks.md#about-the-three-tabs-in-the-devices-blade) | :heavy_check_mark: | :x: | +| [Populate the Test deployment ring membership](../operate/windows-autopatch-update-management.md#deployment-ring-calculation-logic) | :heavy_check_mark: | :x: | +| [Ensure devices are only present in one deployment ring](../operate/windows-autopatch-update-management.md#automated-deployment-ring-remediation-functions) | :x: | :heavy_check_mark: | +| Communicate to end-users, help desk and stakeholders | :heavy_check_mark: | :x: | + +## Operate + +| Task | Your responsibility | Windows Autopatch | +| ----- | :-----: | :-----: | +| [Maintain contacts in the Microsoft Endpoint Manager admin center](../deploy/windows-autopatch-admin-contacts.md) | :heavy_check_mark: | :x: | +| [Maintain and manage the Windows Autopatch service configuration](../operate/windows-autopatch-maintain-environment.md) | :x: | :heavy_check_mark: | +| [Maintain customer configuration to align with the Windows Autopatch service configuration](../operate/windows-autopatch-maintain-environment.md) | :heavy_check_mark: | :x: | +| [Run on-going checks to ensure devices are only present in one deployment ring](../operate/windows-autopatch-update-management.md#automated-deployment-ring-remediation-functions) | :x: | :heavy_check_mark: | +| [Maintain the Test deployment ring membership](../operate/windows-autopatch-update-management.md#deployment-ring-calculation-logic) | :heavy_check_mark: | :x: | +| Monitor [Windows update signals](../operate/windows-autopatch-wqu-signals.md) for safe update release | :x: | :heavy_check_mark: | +| Test specific [business update scenarios](../operate/windows-autopatch-wqu-signals.md) | :heavy_check_mark: | :x: | +| [Define and implement release schedule](../operate/windows-autopatch-wqu-overview.md) | :x: | :heavy_check_mark: | +| Communicate the update [release schedule](../operate/windows-autopatch-wqu-communications.md) | :x: | :heavy_check_mark: | +| Release updates (as scheduled)
        • [Windows quality updates](../operate/windows-autopatch-wqu-overview.md#windows-quality-update-releases)
        • [Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#update-release-schedule)
        • [Microsoft Edge](../operate/windows-autopatch-edge.md#update-release-schedule)
        • [Microsoft Teams](../operate/windows-autopatch-teams.md#update-release-schedule)
            • | :x: | :heavy_check_mark: | +| [Release updates (expedited)](../operate/windows-autopatch-wqu-overview.md#expedited-releases) | :x: | :heavy_check_mark: | +| [Deploy updates to devices](../operate/windows-autopatch-update-management.md) | :x: | :heavy_check_mark: | +| Monitor [Windows quality](../operate/windows-autopatch-wqu-overview.md) or [feature updates](../operate/windows-autopatch-fu-overview.md) through the release cycle | :x: | :heavy_check_mark: | +| Review [update reports](../operate/windows-autopatch-wqu-reports-overview.md) | :heavy_check_mark: | :x: | +| [Pause updates (Windows Autopatch initiated)](../operate/windows-autopatch-wqu-signals.md) | :x: | :heavy_check_mark: | +| [Pause updates (initiated by you)](../operate/windows-autopatch-wqu-overview.md#pausing-and-resuming-a-release) | :heavy_check_mark: | :x: | +| Run [on-going post-registration device readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md) | :x: | :heavy_check_mark: | +| [Remediate devices displayed in the **Not ready** tab](../deploy/windows-autopatch-post-reg-readiness-checks.md#about-the-three-tabs-in-the-devices-blade) | :heavy_check_mark: | :x: | +| Resolve any conflicting and unsupported [Windows update](../references/windows-autopatch-wqu-unsupported-policies.md) and [Microsoft 365](../references/windows-autopatch-microsoft-365-policies.md) policies | :heavy_check_mark: | :x: | +| [Investigate devices that aren't up to date within the service level objective (Microsoft action)](../operate/windows-autopatch-wqu-reports-overview.md#not-up-to-date-microsoft-action) | :x: | :heavy_check_mark: | +| [Investigate and remediate devices that are marked as ineligible (Customer action)](../operate/windows-autopatch-wqu-reports-overview.md#ineligible-devices-customer-action) | :heavy_check_mark: | :x: | +| [Raise, manage and resolve a service incident if an update management area isn't meeting the service level objective](windows-autopatch-overview.md#update-management) | :x: | :heavy_check_mark: | +| [Deregister devices](../operate/windows-autopatch-deregister-devices.md) | :heavy_check_mark: | :x: | +| [Register a device that was previously deregistered (upon customers request)](../operate/windows-autopatch-deregister-devices.md#excluded-devices) | :x: | :heavy_check_mark: | +| [Request unenrollment from Windows Autopatch](../operate/windows-autopatch-unenroll-tenant.md) | :heavy_check_mark: | :x: | +| [Remove Windows Autopatch data from the service and deregister devices](../operate/windows-autopatch-unenroll-tenant.md#microsofts-responsibilities-during-unenrollment) | :x: | :heavy_check_mark: | +| [Maintain update configuration & update devices post unenrollment from Windows Autopatch](../operate/windows-autopatch-unenroll-tenant.md#your-responsibilities-after-unenrolling-your-tenant) | :heavy_check_mark: | :x: | +| Review and respond to Message Center and Service Health Dashboard notifications
            • [Windows quality and feature update communications](../operate/windows-autopatch-wqu-communications.md)
            • [Add and verify admin contacts](../deploy/windows-autopatch-admin-contacts.md)
            | :heavy_check_mark: | :x: | +| [Highlight Windows Autopatch Tenant management alerts that require customer action](../operate/windows-autopatch-maintain-environment.md#windows-autopatch-tenant-actions) | :x: | :heavy_check_mark: | +| [Review and respond to Windows Autopatch Tenant management alerts](../operate/windows-autopatch-maintain-environment.md#windows-autopatch-tenant-actions) | :heavy_check_mark: | :x: | +| [Raise and respond to support requests](../operate/windows-autopatch-support-request.md) | :heavy_check_mark: | :x: | +| [Manage and respond to support requests](../operate/windows-autopatch-support-request.md#manage-an-active-support-request) | :x: | :heavy_check_mark: | +| Review the [What’s new](../whats-new/windows-autopatch-whats-new-2022.md) section to stay up to date with updated feature and service releases | :heavy_check_mark: | :x: | diff --git a/windows/deployment/windows-autopatch/prepare/index.md b/windows/deployment/windows-autopatch/prepare/index.md deleted file mode 100644 index 49198d3b87..0000000000 --- a/windows/deployment/windows-autopatch/prepare/index.md +++ /dev/null @@ -1,22 +0,0 @@ ---- -title: Preparing for Windows Autopatch -description: Landing page for the prepare section -ms.date: 05/30/2022 -ms.prod: windows-client -ms.technology: itpro-updates -ms.topic: conceptual -ms.localizationpriority: medium -author: tiaraquan -ms.author: tiaraquan -manager: dougeby -msreviewer: hathind ---- - -# Preparing for Windows Autopatch - -The following articles describe the steps you must take to onboard with Windows Autopatch: - -1. [Review the prerequisites](windows-autopatch-prerequisites.md) -1. [Configure your network](windows-autopatch-configure-network.md) -1. [Enroll your tenant](windows-autopatch-enroll-tenant.md) - 1. [Fix issues found in the Readiness assessment tool](windows-autopatch-fix-issues.md) diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md index 4b87f046dd..ee145b6390 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md @@ -1,7 +1,7 @@ --- title: Fix issues found by the Readiness assessment tool description: This article details how to fix issues found by the Readiness assessment tool -ms.date: 05/30/2022 +ms.date: 01/12/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: how-to @@ -16,6 +16,9 @@ msreviewer: hathind Seeing issues with your tenant? This article details how to remediate issues found with your tenant. +> [!NOTE] +> If you need more assistance with tenant enrollment, you can [submit a tenant enrollment support request](#submit-a-tenant-enrollment-support-request). + ## Check results For each check, the tool will report one of four possible results: @@ -70,3 +73,29 @@ Windows Autopatch requires the following licenses: | Result | Meaning | | ----- | ----- | | Not ready | Windows Autopatch requires Windows 10/11 Enterprise E3 (or higher) to be assigned to your users. Additionally, Azure Active Directory Premium, and Microsoft Intune are required. For more information, see [more about licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses). | + +## Submit a tenant enrollment support request + +> [!IMPORTANT] +> Make sure you've [added and verified your admin contacts](../deploy/windows-autopatch-admin-contacts.md). The Windows Autopatch Service Engineering Team will contact these individuals for assistance with troubleshooting issues. + +If you need more assistance with tenant enrollment, you can submit support requests to the Windows Autopatch Service Engineering Team in the Windows Autopatch enrollment tool. Email is the recommended approach to interact with the Windows Autopatch Service Engineering Team. + +**To submit a new tenant enrollment support request:** + +1. If the Readiness assessment tool fails, remediation steps can be found by selecting **View details** under **Management settings** and then selecting the individual checkbox. The **Contact Support** button will be available below remediation instructions in the fly-in-pane. +2. Enter your question(s) and/or a description of the problem. +3. Review all the information you provided for accuracy. +4. When you're ready, select **Create**. + +### Manage an active tenant enrollment support request + +The primary contact for the support request will receive email notifications when a case is created, assigned to a service engineer to investigate, and mitigated. + +If you have a question about the case, the best way to get in touch is to reply directly to one of the emails. If we have questions about your request or need more details, we'll email the primary contact listed in the support request. + +**To view all your active tenant enrollment support requests:** + +1. Sign into the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and navigate to the **Tenant Administration** menu. +1. In the **Windows Autopatch** section, select **Tenant Enrollment**. +1. Select the **Support history** tab. You can view the list of all support cases, or select an individual case to view the details. diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md index 5008b76d7a..5ff4c62390 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md @@ -16,9 +16,6 @@ msreviewer: hathind Getting started with Windows Autopatch has been designed to be easy. This article outlines the infrastructure requirements you must meet to assure success with Windows Autopatch. -> [!NOTE] -> For those who used the promo code to access Windows Autopatch during public preview, you'll continue to have access to Windows Autopatch even when the promo code expires. There is no additional action you have to take to continue using Windows Autopatch. - | Area | Prerequisite details | | ----- | ----- | | Licensing | Windows Autopatch requires Windows 10/11 Enterprise E3 (or higher) to be assigned to your users. Additionally, Azure Active Directory Premium and Microsoft Intune are required. For details about the specific service plans, see [more about licenses](#more-about-licenses).

            For more information on available licenses, see [Microsoft 365 licensing](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans).

            For more information about licensing terms and conditions for products and services purchased through Microsoft Commercial Volume Licensing Programs, see the [Product Terms site](https://www.microsoft.com/licensing/terms/). | @@ -29,12 +26,20 @@ Getting started with Windows Autopatch has been designed to be easy. This articl ## More about licenses -Windows Autopatch is included with Window 10/11 Enterprise E3 or higher (user-based only). The following are the service plan SKUs that are eligible for Windows Autopatch: +Windows Autopatch is included with Windows 10/11 Enterprise E3 or higher (user-based only). The following are the service plan SKUs that are eligible for Windows Autopatch: | License | ID | GUID number | | ----- | ----- | ------| | [Microsoft 365 E3](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | SPE_E3 | 05e9a617-0261-4cee-bb44-138d3ef5d965 | +| [Microsoft 365 E3 (500 seats minimum_HUB)](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | Microsoft_365_E3 | 0c21030a-7e60-4ec7-9a0f-0042e0e0211a | +| [Microsoft 365 E3 - Unattended License](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | SPE_E3_RPA1 | c2ac2ee4-9bb1-47e4-8541-d689c7e83371 | | [Microsoft 365 E5](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | SPE_E5 | 06ebc4ee-1bb5-47dd-8120-11324bc54e06 | +| [Microsoft 365 E5 (500 seats minimum)_HUB](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | Microsoft_365_E5 | db684ac5-c0e7-4f92-8284-ef9ebde75d33 | +| [Microsoft 365 E5 with calling minutes](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | SPE_E5_CALLINGMINUTES | a91fc4e0-65e5-4266-aa76-4037509c1626 | +| [Microsoft 365 E5 without audio conferencing](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | SPE_E5_NOPSTNCONF | cd2925a3-5076-4233-8931-638a8c94f773 | +| [Microsoft 365 E5 without audio conferencing (500 seats minimum)_HUB](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | Microsoft_365_E5_without_Audio_Conferencing | 2113661c-6509-4034-98bb-9c47bd28d63c | +| [TEST - Microsoft 365 E3](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | SPE_E3_TEST | 23a55cbc-971c-4ba2-8bae-04cd13d2f4ad | +| [TEST - Microsoft 365 E5 without audio conferencing](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | SPE_E5_NOPSTNCONF_TEST | 1362a0d9-b3c2-4112-bf1a-7a838d181c0f | | [Windows 10/11 Enterprise E3](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | WIN10_VDA_E3 | 6a0f6da5-0b87-4190-a6ae-9bb5a2b9546a | | [Windows 10/11 Enterprise E5](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | WIN10_VDA_E5 | 488ba24a-39a9-4473-8ee5-19291e71b002 | | [Windows 10/11 Enterprise VDA](/windows/deployment/deploy-enterprise-licenses#virtual-desktop-access-vda) | E3_VDA_only | d13ef257-988a-46f3-8fce-f47484dd4550 | diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md index b2ac14cb00..ce916ff862 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md @@ -1,7 +1,7 @@ --- title: Changes made at tenant enrollment description: This reference article details the changes made to your tenant when enrolling into Windows Autopatch -ms.date: 11/02/2022 +ms.date: 12/01/2022 ms.prod: windows-client ms.technology: itpro-updates ms.topic: reference @@ -29,9 +29,6 @@ Windows Autopatch creates an enterprise application in your tenant. This enterpr | ----- | ------ | ----- | | Modern Workplace Management | This enterprise application is a limited first party enterprise application with elevated privileges. This application is used to manage the service, publish baseline configuration updates, and maintain overall service health. |

            • DeviceManagementApps.ReadWrite.All
            • DeviceManagementConfiguration.ReadWrite.All
            • DeviceManagementManagedDevices.PriviligedOperation.All
            • DeviceManagementManagedDevices.ReadWrite.All
            • DeviceManagementRBAC.ReadWrite.All
            • DeviceManagementServiceConfig.ReadWrite.All
            • Directory.Read.All
            • Group.Create
            • Policy.Read.All
            • WindowsUpdates.Read.Write.All
            | -> [!NOTE] -> Enterprise application authentication is only available on tenants enrolled after July 9th, 2022. For tenants enrolled before this date, Enterprise Application authentication will be made available for enrollment soon. - ### Service principal Windows Autopatch will create a service principal in your tenant allowing the service to establish an identity and restrict access to what resources the service has access to within the tenant. For more information, see [Application and service principal objects in Azure Active Directory](/azure/active-directory/develop/app-objects-and-service-principals#service-principal-object). The service principal created by Windows Autopatch is: @@ -63,8 +60,8 @@ Windows Autopatch will create Azure Active Directory groups that are required to | Policy name | Policy description | Properties | Value | | ----- | ----- | ----- | ----- | -| Windows Autopatch - Set MDM to Win Over GPO | Sets mobile device management (MDM) to win over GPO

            Assigned to:

            • Modern Workplace Devices-Windows Autopatch-Test
            • Modern Workplace Devices-Windows Autopatch-First
            • Modern Workplace Devices-Windows Autopatch-Fast
            • Modern Workplace Devices-Windows Autopatch-Broad
            | | | -| Windows Autopatch - Data Collection | Allows diagnostic data from this device to be processed by Microsoft Managed Desktop and Telemetry settings for Windows devices.

            Assigned to:

            • Modern Workplace Devices-Windows Autopatch-Test
            • Modern Workplace Devices-Windows Autopatch-First
            • Modern Workplace Devices-Windows Autopatch-Fast
            • Modern Workplace Devices-Windows Autopatch-Broad
            |
            • [./Device/Vendor/MSFT/Policy/Config/System/AllowTelemetry ](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry)
            • [./Device/Vendor/MSFT/Policy/Config/System/LimitEnhancedDiagnosticDataWindowsAnalytics](/windows/client-management/mdm/policy-csp-system#system-limitenhanceddiagnosticdatawindowsanalytics)
            • [./Device/Vendor/MSFT/Policy/Config/System/LimitDumpCollection](/windows/client-management/mdm/policy-csp-system#system-limitdumpcollection)
            • [./Device/Vendor/MSFT/Policy/Config/System/LimitDiagnosticLogCollection](/windows/client-management/mdm/policy-csp-system#system-limitdiagnosticlogcollection)
            |
            • Full
            • 1
            • 1
            • 1
              • | +| Windows Autopatch - Set MDM to Win Over GPO | Sets mobile device management (MDM) to win over GPO

              Assigned to:

              • Modern Workplace Devices-Windows Autopatch-Test
              • Modern Workplace Devices-Windows Autopatch-First
              • Modern Workplace Devices-Windows Autopatch-Fast
              • Modern Workplace Devices-Windows Autopatch-Broad
              | [MDM Wins Over GP](/windows/client-management/mdm/policy-csp-controlpolicyconflict#controlpolicyconflict-MDMWinsOverGP) | The MDM policy is used and the GP policy is blocked | +| Windows Autopatch - Data Collection | Allows diagnostic data from this device to be processed by Microsoft Managed Desktop and Telemetry settings for Windows devices.

              Assigned to:

              • Modern Workplace Devices-Windows Autopatch-Test
              • Modern Workplace Devices-Windows Autopatch-First
              • Modern Workplace Devices-Windows Autopatch-Fast
              • Modern Workplace Devices-Windows Autopatch-Broad
              |
              1. [Configure Telemetry Opt In Change Notification](/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinchangenotification)
              2. [Configure Telemetry Opt In Settings Ux](/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinsettingsux)
              3. [Allow Telemetry](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry)
              4. [Limit Enhanced Diagnostic Data Windows Analytics](/windows/client-management/mdm/policy-csp-system#system-limitenhanceddiagnosticdatawindowsanalytics)
              5. [Limit Dump Collection](/windows/client-management/mdm/policy-csp-system#system-limitdumpcollection)
              6. [Limit Diagnostic Log Collection](/windows/client-management/mdm/policy-csp-system#system-limitdiagnosticlogcollection)
              |
              1. Enable telemetry change notifications
              2. Enable Telemetry opt-in Settings
              3. Full
              4. Enabled
              5. Enabled
              6. Enabled
              | | Windows Autopatch - Windows Update Detection Frequency | Sets Windows update detection frequency

              Assigned to:

              • Modern Workplace Devices-Windows Autopatch-Test
              • Modern Workplace Devices-Windows Autopatch-First
              • Modern Workplace Devices-Windows Autopatch-Fast
              • Modern Workplace Devices-Windows Autopatch-Broad
              | [./Vendor/MSFT/Policy/Config/Update/DetectionFrequency](/windows/client-management/mdm/policy-csp-update#update-detectionfrequency)| 4 | ## Update rings for Windows 10 and later @@ -99,7 +96,7 @@ Windows Autopatch will create Azure Active Directory groups that are required to ## Microsoft Office update policies -- Windows Autopatch - Office Configuration v5 +- Windows Autopatch - Office Configuration - Windows Autopatch - Office Update Configuration [Test] - Windows Autopatch - Office Update Configuration [First] - Windows Autopatch - Office Update Configuration [Fast] @@ -107,11 +104,11 @@ Windows Autopatch will create Azure Active Directory groups that are required to | Policy name | Policy description | Properties | Value | | ----- | ----- | ----- | ----- | -| Windows Autopatch - Office Configuration v5 | Sets Office Update Channel to the Monthly Enterprise servicing branch.

              Assigned to:

              • Modern Workplace Devices-Windows Autopatch-Test
              • Modern Workplace Devices-Windows Autopatch-First
              • Modern Workplace Devices-Windows Autopatch-Fast
              • Modern Workplace Devices-Windows Autopatch-Broad
              | | | -| Windows Autopatch - Office Update Configuration [Test] | Sets the Office update deadline

              Assigned to:

              • Modern Workplace Devices-Windows Autopatch-Test
              |
              • `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline`
              • `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays`
              |
            • Enabled; L_UpdateDeadlineID == 7
            • Enabled; L_DeferUpdateDaysID == 0
              • | -| Windows Autopatch - Office Update Configuration [First] | Sets the Office update deadline

              Assigned to:

              • Modern Workplace Devices-Windows Autopatch-First
              |
              • `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline`
              • `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays`
              |
            • Enabled; L_UpdateDeadlineID == 7
            • Enabled; L_DeferUpdateDaysID == 0
              • | -| Windows Autopatch - Office Update Configuration [Fast] | Sets the Office update deadline

              Assigned to:

              • Modern Workplace Devices-Windows Autopatch-Fast
              |
              • `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline`
              • `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays`
              |
            • Enabled; L_UpdateDeadlineID == 7
            • Enabled; L_DeferUpdateDaysID == 3
              • | -| Windows Autopatch - Office Update Configuration [Broad] | Sets the Office update deadline
              Assigned to:
              • Modern Workplace Devices-Windows Autopatch-Broad
                • |
                • `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline`
                • `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays`
                |
              • Enabled; L_UpdateDeadlineID == 7
              • Enabled; L_DeferUpdateDaysID == 7
                • | +| Windows Autopatch - Office Configuration | Sets Office Update Channel to the Monthly Enterprise servicing branch.

                Assigned to:

                1. Modern Workplace Devices-Windows Autopatch-Test
                2. Modern Workplace Devices-Windows Autopatch-First
                3. Modern Workplace Devices-Windows Autopatch-Fast
                4. Modern Workplace Devices-Windows Autopatch-Broad
                |
                1. Enable Automatic Updates
                2. Hide option to enable or disable updates
                3. Update Channel
                4. Channel Name (Device)
                5. Hide Update Notifications
                6. Update Path
                |
                1. Enabled
                2. Enabled
                3. Enabled
                4. Monthly Enterprise Channel
                5. Disabled
                6. Enabled
                | +| Windows Autopatch - Office Update Configuration [Test] | Sets the Office update deadline

                Assigned to:

                1. Modern Workplace Devices-Windows Autopatch-Test
                |
                1. Delay downloading and installing updates for Office
                2. Update Deadline
                |
                1. Enabled;Days(Device) == 0 days
                2. Enabled;Update Deadline(Device) == 7 days
                | +| Windows Autopatch - Office Update Configuration [First] | Sets the Office update deadline

                Assigned to:

                1. Modern Workplace Devices-Windows Autopatch-First
                |
                1. Delay downloading and installing updates for Office
                2. Update Deadline
                |
                1. Enabled;Days(Device) == 0 days
                2. Enabled;Update Deadline(Device) == 7 days
                | +| Windows Autopatch - Office Update Configuration [Fast] | Sets the Office update deadline

                Assigned to:

                1. Modern Workplace Devices-Windows Autopatch-Fast
                |
                1. Delay downloading and installing updates for Office
                2. Update Deadline
                |
                1. Enabled;Days(Device) == 3 days
                2. Enabled;Update Deadline(Device) == 7 days
                | +| Windows Autopatch - Office Update Configuration [Broad] | Sets the Office update deadline
                Assigned to:
                1. Modern Workplace Devices-Windows Autopatch-Broad
                  2. |
                  1. Delay downloading and installing updates for Office
                  2. Update Deadline
                  |
                  1. Enabled;Days(Device) == 7 days
                  2. Enabled;Update Deadline(Device) == 7 days
                  | ## Microsoft Edge update policies @@ -120,8 +117,8 @@ Windows Autopatch will create Azure Active Directory groups that are required to | Policy name | Policy description | Properties | Value | | ----- | ----- | ----- | ----- | -| Windows Autopatch - Edge Update Channel Stable | Deploys updates via the Edge Stable Channel

                  Assigned to:

                  • Modern Workplace Devices-Windows Autopatch-First
                  • Modern Workplace Devices-Windows Autopatch-Fast
                  • Modern Workplace Devices-Windows Autopatch-Broad
                  | `./Device/Vendor/MSFT/Policy/Config/MicrosoftEdgeUpdate~Policy~Cat_EdgeUpdate~Cat_Applications~Cat_MicrosoftEdge/Pol_TargetChannelMicrosoftEdge` | Enabled | -| Windows Autopatch - Edge Update Channel Beta | Deploys updates via the Edge Beta Channel

                  Assigned to:

                  • Modern Workplace Devices-Windows Autopatch-Test
                  | `./Device/Vendor/MSFT/Policy/Config/MicrosoftEdgeUpdate~Policy~Cat_EdgeUpdate~Cat_Applications~Cat_MicrosoftEdge/Pol_TargetChannelMicrosoftEdge` | Enabled | +| Windows Autopatch - Edge Update Channel Stable | Deploys updates via the Edge Stable Channel

                  Assigned to:

                  1. Modern Workplace Devices-Windows Autopatch-First
                  2. Modern Workplace Devices-Windows Autopatch-Fast
                    1. Modern Workplace Devices-Windows Autopatch-Broad
                    |
                    1. Target Channel Override
                    2. Target Channel (Device)
                    |
                    1. Enabled
                    2. Stable
                    | +| Windows Autopatch - Edge Update Channel Beta | Deploys updates via the Edge Beta Channel

                    Assigned to:

                    1. Modern Workplace Devices-Windows Autopatch-Test
                    |
                    1. Target Channel Override
                    2. Target Channel (Device)
                    |
                    1. Enabled
                    2. Beta
                    | ## PowerShell scripts diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-preview-addendum.md b/windows/deployment/windows-autopatch/references/windows-autopatch-preview-addendum.md deleted file mode 100644 index d0f3e5acba..0000000000 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-preview-addendum.md +++ /dev/null @@ -1,33 +0,0 @@ ---- -title: Windows Autopatch Preview Addendum -description: This article explains the Autopatch preview addendum -ms.date: 05/30/2022 -ms.prod: windows-client -ms.technology: itpro-updates -ms.topic: reference -ms.localizationpriority: medium -author: tiaraquan -ms.author: tiaraquan -manager: dougeby -msreviewer: hathind ---- - -# Windows Autopatch Preview Addendum - -**This Windows Autopatch - Preview Addendum ("Addendum") to the Microsoft Product Terms** (as provided at: (the "**Product Terms**")) is entered into between Microsoft Corporation, a Washington corporation having its principal place of business at One Microsoft Way, Redmond, Washington, USA 98052-6399 (or based on where Customer lives, one of Microsoft's affiliates) ("**Microsoft**"), and you ("**Customer**"). - -## Background - -Microsoft desires to preview the Windows Autopatch service it is developing ("**Windows Autopatch Preview**") in order to evaluate it. Customer would like to particulate this Windows Autopatch Preview under the terms of the Product Terms and this Addendum. Windows Autopatch Preview consists of features and services that are in preview, beta, or other pre-release form. Windows Autopatch Preview is subject to the "preview" terms set forth in the Online Service sections of Product Terms. - -For good and valuable consideration, the receipt and sufficiency of which is acknowledged, the parties agree as follows: - -## Agreement - -### Definitions - -Capitalized terms used but not defined herein have the meanings given in the Product Terms. - -### Data Handling - -Windows Autopatch Preview integrates Customer Data from other Products, including Windows, Microsoft Intune, Azure Active Directory, and Office (collectively for purposes of this provision "Windows Autopatch Input Services"). Once Customer Data from Windows Autopatch Input Services is integrated into Windows Autopatch Preview, only the Product Terms and [DPA provisions)](https://www.microsoft.com/licensing/terms/product/Glossary/all) applicable to Windows Autopatch Preview apply to that data. diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md b/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md index 0001b7976c..06470b36ca 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md @@ -1,7 +1,7 @@ --- title: Privacy -description: This article provides details about the data platform and privacy compliance for Autopatch -ms.date: 05/30/2022 +description: This article provides details about the data platform and privacy compliance for Autopatch +ms.date: 11/08/2022 ms.prod: windows-client ms.technology: itpro-updates ms.topic: reference @@ -40,9 +40,12 @@ Processor duties of Windows Autopatch include ensuring appropriate confidentiali ## Windows Autopatch data storage and staff location -Windows Autopatch stores its data in the Azure data centers in the United States. +Windows Autopatch stores its data in the Azure data centers based on your data residency. For more information, see [Microsoft 365 data center locations](/microsoft-365/enterprise/o365-data-locations). -Personal data obtained by Windows Autopatch and other services are required to keep the service operational. If a device is removed from Windows Autopatch, we keep personal data for a maximum of 30 days. For more information on data retention, see [Data retention, deletion, and destruction in Microsoft 365](/compliance/assurance/assurance-data-retention-deletion-and-destruction-overview). +> [!IMPORTANT] +>
                    • As of November 8, 2022, only new Windows Autopatch customers (EU, UK, Africa, Middle East) will have their data live in the European data centers.
                    • Existing European Union (EU) Windows Autopatch customers will move from the North American data centers to the European data centers by the end of 2022.
                    • If you're an existing Windows Autopatch customer, but not part of the European Union, data migration from North America to your respective data residency will occur next year.
                    + +Data obtained by Windows Autopatch and other services are required to keep the service operational. If a device is removed from Windows Autopatch, we keep data for a maximum of 30 days. For more information on data retention, see [Data retention, deletion, and destruction in Microsoft 365](/compliance/assurance/assurance-data-retention-deletion-and-destruction-overview). Windows Autopatch Service Engineering Team is in the United States, India and Romania. @@ -54,9 +57,9 @@ The enhanced diagnostic data setting includes more detailed information about th The diagnostic data terminology will change in future versions of Windows. Windows Autopatch is committed to processing only the data that the service needs. The diagnostic level will change to **Optional**, but Windows Autopatch will implement the limited diagnostic policies to fine-tune diagnostic data collection required for the service. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection). -Windows Autopatch only processes and stores system-level data from Windows 10 optional diagnostic data that originates from enrolled devices such as application and device reliability, and performance information. Windows Autopatch doesn't process and store customers' personal data such as chat and browser history, voice, text, or speech data. +Windows Autopatch only processes and stores system-level data from Windows 10 optional diagnostic data that originates from enrolled devices such as application and device reliability, and performance information. Windows Autopatch doesn't process and store customers' data such as chat and browser history, voice, text, or speech data. -For more information about the diagnostic data collection of Microsoft Windows 10, see the [Where we store and process personal data](https://privacy.microsoft.com/privacystatement#mainwherewestoreandprocessdatamodule) section of the Microsoft Privacy Statement. +For more information about the diagnostic data collection of Microsoft Windows 10, see the [Where we store and process data](https://privacy.microsoft.com/privacystatement#mainwherewestoreandprocessdatamodule) section of the Microsoft Privacy Statement. ## Tenant access @@ -76,7 +79,7 @@ Windows Autopatch creates and uses guest accounts using just-in-time access func | Account name | Usage | Mitigating controls | | ----- | ----- | -----| | MsAdmin@tenantDomain.onmicrosoft.com |
                    • This account is a limited-service account with administrator privileges. This account is used as an Intune and User administrator to define and configure the tenant for Windows Autopatch devices.
                    • This account doesn't have interactive sign-in permissions. The account performs operations only through the service.
                    | Audited sign-ins | -| MsAdminInt@tenantDomain.onmicrosoft.com |
                    • This account is an Intune and User administrator account used to define and configure the tenant for Windows Autopatch devices.
                    • This account is used for interactive login to the customer’s tenant.
                    • The use of this account is limited as most operations are exclusively through MsAdmin (non-interactive) account.
                    |
                    • Restricted to be accessed only from defined secure access workstations (SAWs) through a conditional access policy
                    • Audited sign-ins | +| MsAdminInt@tenantDomain.onmicrosoft.com |
                      • This account is an Intune and User administrator account used to define and configure the tenant for Windows Autopatch devices.
                      • This account is used for interactive login to the customer’s tenant.
                      • The use of this account is limited as most operations are exclusively through MsAdmin (non-interactive) account.
                      |
                      • Restricted to be accessed only from defined secure access workstations (SAWs) through a conditional access policy
                      • Audited sign-ins
                      | | MsTest@tenantDomain.onmicrosoft.com | This account is a standard account used as a validation account for initial configuration and roll out of policy, application, and device compliance settings. | Audited sign-ins | ## Microsoft Windows Update for Business @@ -107,11 +110,11 @@ Changes to the types of data gathered and where it's stored are considered a mat ## Data subject requests -Windows Autopatch follows General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) privacy regulations, which give data subjects specific rights to their personal data. +Windows Autopatch follows General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) privacy regulations, which give data subjects specific rights to their data. These rights include: -- Obtaining copies of personal data +- Obtaining copies of data - Requesting corrections to it - Restricting the processing of it - Deleting it @@ -123,7 +126,7 @@ To exercise data subject requests on data collected by the Windows Autopatch cas | Data subject requests | Description | | ------ | ------ | -| Data from Windows Autopatch support requests | Your IT administrator can request deletion, or extraction of personal data related support requests by submitting a report request at the [admin center](https://aka.ms/memadmin).

                      Provide the following information:
                      • Request type: Change request
                      • Category: Security
                      • Subcategory: Other
                      • Description: Provide the relevant device names or user names.
                      | +| Data from Windows Autopatch support requests | Your IT administrator can request deletion, or extraction of data related support requests by submitting a report request at the [admin center](https://aka.ms/memadmin).

                      Provide the following information:
                      • Request type: Change request
                      • Category: Security
                      • Subcategory: Other
                      • Description: Provide the relevant device names or user names.
                      | For DSRs from other products related to the service, see the following articles: diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-unsupported-policies.md b/windows/deployment/windows-autopatch/references/windows-autopatch-wqu-unsupported-policies.md similarity index 92% rename from windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-unsupported-policies.md rename to windows/deployment/windows-autopatch/references/windows-autopatch-wqu-unsupported-policies.md index 667c755524..1c19a4bac4 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-unsupported-policies.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-wqu-unsupported-policies.md @@ -1,7 +1,7 @@ --- title: Windows update policies description: This article explains Windows update policies in Windows Autopatch -ms.date: 07/07/2022 +ms.date: 12/02/2022 ms.prod: windows-client ms.technology: itpro-updates ms.topic: conceptual @@ -9,7 +9,7 @@ ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan manager: dougeby -msreviewer: hathind +msreviewer: adnich --- # Windows update policies @@ -109,8 +109,9 @@ Window Autopatch deploys mobile device management (MDM) policies to configure de | [Active hours end](/windows/client-management/mdm/policy-csp-update#update-activehoursend) | Update/ActiveHoursEnd | This policy controls the end of the protected window where devices won't reboot.

                      Supported values are from zero through to 23, where zero is 12∶00AM, representing the hours of the day in local time on that device. This value can be no more than 12 hours after the time set in active hours start. | | [Active hours max range](/windows/client-management/mdm/policy-csp-update#update-activehoursmaxrange) | Update/ActiveHoursMaxRange | Allows the IT admin to specify the max active hours range.

                      This value sets the maximum number of active hours from the start time. Supported values are from eight through to 18. | -### Group policy +### Group policy and other policy managers -Group policy takes precedence over mobile device management (MDM) policies. For Windows quality updates, if any group policies are detected which modify the following hive in the registry, the device will be ineligible for management: +Group policy as well as other policy managers can take precedence over mobile device management (MDM) policies. For Windows quality updates, if any policies or configurations are detected which modify the following hives in the registry, the device could become ineligible for management: -`Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState` +- `HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState` +- `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate` diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2022.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2022.md new file mode 100644 index 0000000000..5e36572e92 --- /dev/null +++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2022.md @@ -0,0 +1,109 @@ +--- +title: What's new 2022 +description: This article lists the 2022 feature releases and any corresponding Message center post numbers. +ms.date: 12/09/2022 +ms.prod: windows-client +ms.technology: itpro-updates +ms.topic: whats-new +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +msreviewer: hathind +--- + +# What's new 2022 + +This article lists new and updated feature releases, and service releases, with their corresponding Message center post numbers (if applicable). + +Minor corrections such as typos, style, or formatting issues aren't listed. + +## December 2022 + +### December feature releases or updates + +| Article | Description | +| ----- | ----- | +| [Windows quality updates](../operate/windows-autopatch-wqu-overview.md) | Added information about:

                      • Turning off service-driven expedited quality update releases
                        • [MC482178](https://admin.microsoft.com/adminportal/home#/MessageCenter)
                      • Viewing deployed out of band releases
                        • [MC484915](https://admin.microsoft.com/adminportal/home#/MessageCenter)
                      | +| [Roles and responsibilities](../overview/windows-autopatch-roles-responsibilities.md) | Added Roles and responsibilities article | +| [Prerequisites](../prepare/windows-autopatch-prerequisites.md) | Added more licenses to the More about licenses section
                      • [MC452168](https://admin.microsoft.com/adminportal/home#/MessageCenter) | +| [Unsupported policies](../operate/windows-autopatch-wqu-unsupported-policies.md) | Updated to include other policy managers in the Group policy section | +| [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) | Updated the Device configuration, Microsoft Office and Edge policies | +| [Windows quality update reports](../operate/windows-autopatch-wqu-reports-overview.md) | Added Windows quality update reports | + +### December service release + +| Message center post number | Description | +| ----- | ----- | +| [MC48119](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Windows Autopatch advisory: December 2022 (2022.12 B) Windows quality update deployment | + +## November 2022 + +### November feature releases or updates + +| Article | Description | +| ----- | ----- | +| [Privacy](../references/windows-autopatch-privacy.md) | Updated data center locations
                        • [MC448005](https://admin.microsoft.com/adminportal/home#/MessageCenter) | +| [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) | Updated multiple sections because of the OMA-URI to Intune Settings Catalog policy migration
                          • [MC443898](https://admin.microsoft.com/adminportal/home#/MessageCenter) | +| [Configure your network](../prepare/windows-autopatch-configure-network.md) | Added information on Delivery Optimization | +| [Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md) | 32 and 64-bit versions are supported | + +### November service release + +| Message center post number | Description | +| ----- | ----- | +| [MC470135](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Windows Autopatch baseline configuration update | + +## October 2022 + +### October feature releases or updates + +| Article | Description | +| ----- | ----- | +| [Maintain the Windows Autopatch environment](../operate/windows-autopatch-maintain-environment.md) | New Tenant management blade | +| [Register your devices](../deploy/windows-autopatch-register-devices.md) | Added Azure Virtual Desktop capability | + +### October service release + +| Message center post number | Description | +| ----- | ----- | +| [MC450491](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Windows Autopatch baseline configuration update | + +## September 2022 + +### September feature releases or updates + +| Article | Description | +| ----- | ----- | +| [Post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md) | Post-device registration readiness checks public preview release
                            • [MC409850](https://admin.microsoft.com/adminportal/home#/MessageCenter) | + +## August 2022 + +### August feature releases or updates + +| Article | Description | +| ----- | ----- | +| [Register your devices](../deploy/windows-autopatch-register-devices.md) | Windows Autopatch on Windows 365 Enterprise Workloads capability.
                              • [MC409850](https://admin.microsoft.com/adminportal/home#/MessageCenter)
                              | + +### August service release + +| Message center post number | Description | +| ----- | ----- | +| [MC418962](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Windows Autopatch baseline configuration update | + +## July 2022 + +### July feature releases or updates + +| Article | Description | +| ----- | ----- | +| [Register your devices](../deploy/windows-autopatch-register-devices.md) | Windows Autopatch on Windows 365 Enterprise Workloads capability | +| Windows Autopatch General Availability | Windows Autopatch General Availability (GA) release | + +## May 2022 + +### May feature release + +| Article | Description | +| ----- | ----- | +| Windows Autopatch | Announcing Windows Autopatch; a new feature in Windows E3 and E5
                              • [MC390012](https://admin.microsoft.com/adminportal/home#/MessageCenter)
                              | diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md new file mode 100644 index 0000000000..f8aadf763a --- /dev/null +++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md @@ -0,0 +1,34 @@ +--- +title: What's new 2023 +description: This article lists the 2023 feature releases and any corresponding Message center post numbers. +ms.date: 01/09/2023 +ms.prod: windows-client +ms.technology: itpro-updates +ms.topic: whats-new +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +msreviewer: hathind +--- + +# What's new 2023 + +This article lists new and updated feature releases, and service releases, with their corresponding Message center post numbers (if applicable). + +Minor corrections such as typos, style, or formatting issues aren't listed. + +## January 2023 + +### January feature releases or updates + +| Article | Description | +| ----- | ----- | +| [Fix issues found by the Readiness assessment tool](../prepare/windows-autopatch-fix-issues.md) | Added the Submit a tenant enrollment support request section. You can submit a tenant enrollment support request through the Tenant enrollment tool if you're running into issues with enrollment. | +| [Submit a support request](../operate/windows-autopatch-support-request.md) | Added Premier and Unified support options section | + +### January service release + +| Message center post number | Description | +| ----- | ----- | +| [MC494386](https://admin.microsoft.com/adminportal/home#/MessageCenter) | January 2023 (2023.01 B) Windows quality update deployment | diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md index 14d1e1698a..7e8bbc7ba7 100644 --- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md +++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md @@ -8,7 +8,6 @@ ms.localizationpriority: medium author: frankroj ms.author: frankroj ms.collection: - - M365-modern-desktop - highpri ms.topic: tutorial ms.date: 10/28/2022 @@ -47,6 +46,9 @@ You'll need the following components to complete this lab: |**Hyper-V or a physical device running Windows 10**|The guide assumes that you'll use a Hyper-V VM, and provides instructions to install and configure Hyper-V if needed. To use a physical device, skip the steps to install and configure Hyper-V.| |**An account with Azure Active Directory (Azure AD) Premium license**|This guide will describe how to get a free 30-day trial Azure AD Premium subscription that can be used to complete the lab.| +> [!NOTE] +> When using a VM for Autopilot testing, assign at least two processors and 4 GB of memory. + ## Procedures A summary of the sections and procedures in the lab is provided below. Follow each section in the order it's presented, skipping the sections that don't apply to you. Optional procedures are provided in the appendices. diff --git a/windows/deployment/windows-autopilot/index.yml b/windows/deployment/windows-autopilot/index.yml index edec9d080e..567e5d62a8 100644 --- a/windows/deployment/windows-autopilot/index.yml +++ b/windows/deployment/windows-autopilot/index.yml @@ -6,12 +6,10 @@ summary: 'Note: Windows Autopilot documentation has moved! A few more resources metadata: title: Windows Autopilot deployment resources and documentation # Required; page title displayed in search results. Include the brand. < 60 chars. description: Learn about deploying Windows 10 and keeping it up to date in your organization. # Required; article description that is displayed in search results. < 160 chars. - services: windows-10 - ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. - ms.subservice: subservice - ms.topic: landing-page # Required + ms.topic: landing-page + ms.prod: windows-client + ms.technology: itpro-deploy ms.collection: - - windows-10 - highpri author: frankroj ms.author: frankroj diff --git a/windows/deployment/windows-deployment-scenarios-and-tools.md b/windows/deployment/windows-deployment-scenarios-and-tools.md index d939130747..b6ac225f0e 100644 --- a/windows/deployment/windows-deployment-scenarios-and-tools.md +++ b/windows/deployment/windows-deployment-scenarios-and-tools.md @@ -6,7 +6,7 @@ ms.author: frankroj author: frankroj ms.prod: windows-client ms.topic: article -ms.date: 10/31/2022 +ms.date: 11/23/2022 ms.technology: itpro-deploy --- @@ -32,13 +32,13 @@ DISM is one of the deployment tools included in the Windows ADK and is used for DISM services online and offline images. For example, with DISM you can install the Microsoft .NET Framework 3.5.1 in Windows 10 online, which means that you can start the installation in the running operating system, not that you get the software online. The /LimitAccess switch configures DISM to get the files only from a local source: -``` syntax +```cmd Dism.exe /Online /Enable-Feature /FeatureName:NetFX3 /All /Source:D:\Sources\SxS /LimitAccess ``` In Windows 10, you can use Windows PowerShell for many of the functions done by DISM.exe. The equivalent command in Windows 10 using PowerShell is: -``` syntax +```powershell Enable-WindowsOptionalFeature -Online -FeatureName NetFx3 -All -Source D:\Sources\SxS -LimitAccess ``` @@ -55,15 +55,15 @@ USMT is a backup and restore tool that allows you to migrate user state, data, a USMT includes several command-line tools, the most important of which are ScanState and LoadState: -- **ScanState.exe.** This tool performs the user-state backup. -- **LoadState.exe.** This tool performs the user-state restore. -- **UsmtUtils.exe.** This tool supplements the functionality in ScanState.exe and LoadState.exe. +- **ScanState.exe**: This tool performs the user-state backup. +- **LoadState.exe**: This tool performs the user-state restore. +- **UsmtUtils.exe**: This tool supplements the functionality in ScanState.exe and LoadState.exe. In addition to these tools, there are also XML templates that manage which data is migrated. You can customize the templates, or create new ones, to manage the backup process at a high level of detail. USMT uses the following terms for its templates: -- **Migration templates.** The default templates in USMT. -- **Custom templates.** Custom templates that you create. -- **Config template.** An optional template called Config.xml which you can use to exclude or include components in a migration without modifying the other standard XML templates. +- **Migration templates**: The default templates in USMT. +- **Custom templates**: Custom templates that you create. +- **Config template**: An optional template called Config.xml which you can use to exclude or include components in a migration without modifying the other standard XML templates. ![A sample USMT migration file that will exclude .MP3 files on all local drives and include the folder C:\\Data and all its files, including its subdirectories and their files..](images/mdt-11-fig06.png) @@ -73,60 +73,21 @@ USMT supports capturing data and settings from Windows Vista and later, and rest By default USMT migrates many settings, most of which are related to the user profile but also to Control Panel configurations, file types, and more. The default templates that are used in Windows 10 deployments are MigUser.xml and MigApp.xml. These two default templates migrate the following data and settings: -- Folders from each profile, including those folders from user profiles, and shared and public profiles. For example, the My Documents, My Video, My Music, My Pictures, desktop files, Start menu, Quick Launch settings, and Favorites folders are migrated. -- Specific file types. -
                              - USMT templates migrate the following file types: +- Folders from each profile, including those folders from user profiles, and shared and public profiles. For example, the My Documents, My Video, My Music, My Pictures, desktop files, Start menu, Quick Launch settings, and Favorites folders are migrated. - - `.accdb` - - `.ch3` - - `.csv` - - `.dif` - - `.doc*` - - `.dot*` - - `.dqy` - - `.iqy` - - `.mcw` - - `.mdb*` - - `.mpp` - - `.one*` - - `.oqy` - - `.or6` - - `.pot*` - - `.ppa` - - `.pps*` - - `.ppt*` - - `.pre` - - `.pst` - - `.pub` - - `.qdf` - - `.qel` - - `.qph` - - `.qsd` - - `.rqy` - - `.rtf` - - `.scd` - - `.sh3` - - `.slk` - - `.txt` - - `.vl*` - - `.vsd` - - `.wk*` - - `.wpd` - - `.wps` - - `.wq1` - - `.wri` - - `.xl*` - - `.xla` - - `.xlb` - - `.xls*` -
                              +- The following specific file types: + + `.accdb`, `.ch3`, `.csv`, `.dif`, `.doc*`, `.dot*`, `.dqy`, `.iqy`, `.mcw`, `.mdb*`, `.mpp`, `.one*`, `.oqy`, `.or6`, `.pot*`, `.ppa`, `.pps*`, `.ppt*`, `.pre`, `.pst`, `.pub`, `.qdf`, `.qel`, `.qph`, `.qsd`, `.rqy`, `.rtf`, `.scd`, `.sh3`, `.slk`, `.txt`, `.vl*`, `.vsd`, `.wk*`, `.wpd`, `.wps`, `.wq1`, `.wri`, `.xl*`, `.xla`, `.xlb`, `.xls*` + + > [!NOTE] + > The asterisk (`*`) stands for zero or more characters. > [!NOTE] > The OpenDocument extensions (`*.odt`, `*.odp`, `*.ods`) that Microsoft Office applications can use aren't migrated by default. -- Operating system component settings -- Application settings +- Operating system component settings + +- Application settings These settings are migrated by the default MigUser.xml and MigApp.xml templates. For more information, see [What does USMT migrate?](./usmt/usmt-what-does-usmt-migrate.md) For more general information on USMT, see [USMT technical reference](./usmt/usmt-reference.md). @@ -160,7 +121,7 @@ The updated Volume Activation Management Tool. VAMT also can be used to create reports, switch from MAK to KMS, manage Active Directory-based activation, and manage Office 2010 and Office 2013 volume activation. VAMT also supports PowerShell (instead of the old command-line tool). For example, if you want to get information from the VAMT database, you can type: -``` syntax +```powershell Get-VamtProduct ``` @@ -178,7 +139,7 @@ A machine booted with the Windows ADK default Windows PE boot image. For more information on Windows PE, see [Windows PE (WinPE)](/windows-hardware/manufacture/desktop/winpe-intro). -## Windows Recovery Environment +## Windows Recovery Environment Windows Recovery Environment (Windows RE) is a diagnostics and recovery toolset included in Windows Vista and later operating systems. The latest version of Windows RE is based on Windows PE. You can also extend Windows RE and add your own tools if needed. If a Windows installation fails to start and Windows RE is installed, you'll see an automatic failover into Windows RE. @@ -204,9 +165,9 @@ In some cases, you need to modify TFTP Maximum Block Size settings for performan Also, there are a few new features related to TFTP performance: -- **Scalable buffer management.** Allows buffering an entire file instead of a fixed-size buffer for each client, enabling different sessions to read from the same shared buffer. -- **Scalable port management.** Provides the capability to service clients with shared UDP port allocation, increasing scalability. -- **Variable-size transmission window (Variable Windows Extension).** Improves TFTP performance by allowing the client and server to determine the largest workable window size. +- **Scalable buffer management**: Allows buffering an entire file instead of a fixed-size buffer for each client, enabling different sessions to read from the same shared buffer. +- **Scalable port management**: Provides the capability to service clients with shared UDP port allocation, increasing scalability. +- **Variable-size transmission window (Variable Windows Extension)**: Improves TFTP performance by allowing the client and server to determine the largest workable window size. ![TFTP changes are now easy to perform.](images/mdt-11-fig12.png) @@ -214,7 +175,6 @@ TFTP changes are now easy to perform. ## Microsoft Deployment Toolkit - MDT is a free deployment solution from Microsoft. It provides end-to-end guidance, best practices, and tools for planning, building, and deploying Windows operating systems. MDT builds on top of the core deployment tools in the Windows ADK by contributing guidance, reducing complexity, and adding critical features for an enterprise-ready deployment solution. MDT has two main parts: the first is Lite Touch, which is a stand-alone deployment solution; the second is Zero Touch, which is an extension to Configuration Manager. @@ -242,16 +202,20 @@ MDOP is a suite of technologies available to Software Assurance customers throug The following components are included in the MDOP suite: -- **Microsoft Application Virtualization (App-V).** App-V 5.0 provides an integrated platform, more flexible virtualization, and powerful management for virtualized applications. With the release of App-V 5.0 SP3, you have support to run virtual applications on Windows 10. +- **Microsoft Application Virtualization (App-V).** App-V 5.0 provides an integrated platform, more flexible virtualization, and powerful management for virtualized applications. With the release of App-V 5.0 SP3, you have support to run virtual applications on Windows 10. -- **Microsoft User Experience Virtualization (UE-V).** UE-V monitors the changes that are made by users to application settings and Windows operating system settings. The user settings are captured and centralized to a settings storage location. These settings can then be applied to the different computers that are accessed by the user, including desktop computers, laptop computers, and virtual desktop infrastructure (VDI) sessions. +- **Microsoft User Experience Virtualization (UE-V).** UE-V monitors the changes that are made by users to application settings and Windows operating system settings. The user settings are captured and centralized to a settings storage location. These settings can then be applied to the different computers that are accessed by the user, including desktop computers, laptop computers, and virtual desktop infrastructure (VDI) sessions. -- **Microsoft Advanced Group Policy Management (AGPM).** AGPM enables advanced management of Group Policy objects by providing change control, offline editing, and role-based delegation. -- **Microsoft Diagnostics and Recovery Toolset (DaRT).** DaRT provides additional tools that extend Windows RE to help you troubleshoot and repair your machines. -- **Microsoft BitLocker Administration and Monitoring (MBAM).** MBAM is an administrator interface used to manage BitLocker drive encryption. It allows you to configure your enterprise with the correct BitLocker encryption policy options, and monitor compliance with these policies. +- **Microsoft Advanced Group Policy Management (AGPM).** AGPM enables advanced management of Group Policy objects by providing change control, offline editing, and role-based delegation. +- **Microsoft Diagnostics and Recovery Toolset (DaRT).** DaRT provides additional tools that extend Windows RE to help you troubleshoot and repair your machines. +- **Microsoft BitLocker Administration and Monitoring (MBAM).** MBAM is an administrator interface used to manage BitLocker drive encryption. It allows you to configure your enterprise with the correct BitLocker encryption policy options, and monitor compliance with these policies. For more information on the benefits of an MDOP subscription, see [Microsoft Desktop Optimization Pack](/microsoft-desktop-optimization-pack/). + + ## Windows Server Update Services WSUS is a server role in Windows Server 2012 R2 that enables you to maintain a local repository of Microsoft updates and then distribute them to machines on your network. WSUS offers approval control and reporting of update status in your environment. @@ -274,32 +240,31 @@ For more information on WSUS, see the [Windows Server Update Services Overview]( ## Unified Extensible Firmware Interface - For many years, BIOS has been the industry standard for booting a PC. BIOS has served us well, but it's time to replace it with something better. **UEFI** is the replacement for BIOS, so it's important to understand the differences between BIOS and UEFI. In this section, you learn the major differences between the two and how they affect operating system deployment. ### Introduction to UEFI BIOS has been in use for approximately 30 years. Even though it clearly has proven to work, it has some limitations, including: -- 16-bit code -- 1-MB address space -- Poor performance on ROM initialization -- MBR maximum bootable disk size of 2.2 TB +- 16-bit code +- 1-MB address space +- Poor performance on ROM initialization +- MBR maximum bootable disk size of 2.2 TB As the replacement to BIOS, UEFI has many features that Windows can and will use. With UEFI, you can benefit from: -- **Support for large disks.** UEFI requires a GUID Partition Table (GPT) based disk, which means a limitation of roughly 16.8 million TB in disk size and more than 100 primary disks. -- **Faster boot time.** UEFI doesn't use INT 13, and that improves boot time, especially when it comes to resuming from hibernate. -- **Multicast deployment.** UEFI firmware can use multicast directly when it boots up. In WDS, MDT, and Configuration Manager scenarios, you need to first boot up a normal Windows PE in unicast and then switch into multicast. With UEFI, you can run multicast from the start. -- **Compatibility with earlier BIOS.** Most of the UEFI implementations include a compatibility support module (CSM) that emulates BIOS. -- **CPU-independent architecture.** Even if BIOS can run both 32-bit and 64-bit versions of firmware, all firmware device drivers on BIOS systems must also be 16-bit, and this affects performance. One of the reasons is the limitation in addressable memory, which is only 64 KB with BIOS. -- **CPU-independent drivers.** On BIOS systems, PCI add-on cards must include a ROM that contains a separate driver for all supported CPU architectures. That isn't needed for UEFI because UEFI has the ability to use EFI Byte Code (EBC) images, which allow for a processor-independent device driver environment. -- **Flexible pre-operating system environment.** UEFI can perform many functions for you. You just need an UEFI application, and you can perform diagnostics and automatic repairs, and call home to report errors. -- **Secure boot.** Windows 8 and later can use the UEFI firmware validation process, called secure boot, which is defined in UEFI 2.3.1. Using this process, you can ensure that UEFI launches only a verified operating system loader and that malware can't switch the boot loader. +- **Support for large disks.** UEFI requires a GUID Partition Table (GPT) based disk, which means a limitation of roughly 16.8 million TB in disk size and more than 100 primary disks. +- **Faster boot time.** UEFI doesn't use INT 13, and that improves boot time, especially when it comes to resuming from hibernate. +- **Multicast deployment.** UEFI firmware can use multicast directly when it boots up. In WDS, MDT, and Configuration Manager scenarios, you need to first boot up a normal Windows PE in unicast and then switch into multicast. With UEFI, you can run multicast from the start. +- **Compatibility with earlier BIOS.** Most of the UEFI implementations include a compatibility support module (CSM) that emulates BIOS. +- **CPU-independent architecture.** Even if BIOS can run both 32-bit and 64-bit versions of firmware, all firmware device drivers on BIOS systems must also be 16-bit, and this affects performance. One of the reasons is the limitation in addressable memory, which is only 64 KB with BIOS. +- **CPU-independent drivers.** On BIOS systems, PCI add-on cards must include a ROM that contains a separate driver for all supported CPU architectures. That isn't needed for UEFI because UEFI has the ability to use EFI Byte Code (EBC) images, which allow for a processor-independent device driver environment. +- **Flexible pre-operating system environment.** UEFI can perform many functions for you. You just need an UEFI application, and you can perform diagnostics and automatic repairs, and call home to report errors. +- **Secure boot.** Windows 8 and later can use the UEFI firmware validation process, called secure boot, which is defined in UEFI 2.3.1. Using this process, you can ensure that UEFI launches only a verified operating system loader and that malware can't switch the boot loader. -### Versions +### UEFI versions UEFI Version 2.3.1B is the version required for Windows 8 and later logo compliance. Later versions have been released to address issues; a few machines may need to upgrade their firmware to fully support the UEFI implementation in Windows 8 and later. @@ -307,10 +272,10 @@ UEFI Version 2.3.1B is the version required for Windows 8 and later logo complia In regard to UEFI, hardware is divided into four device classes: -- **Class 0 devices.** The device of this class is the UEFI definition for a BIOS, or non-UEFI, device. -- **Class 1 devices.** The devices of this class behave like a standard BIOS machine, but they run EFI internally. They should be treated as normal BIOS-based machines. Class 1 devices use a CSM to emulate BIOS. These older devices are no longer manufactured. -- **Class 2 devices.** The devices of this class have the capability to behave as a BIOS- or a UEFI-based machine, and the boot process or the configuration in the firmware/BIOS determines the mode. Class 2 devices use a CSM to emulate BIOS. These are the most common type of devices currently available. -- **Class 3 devices.** The devices of this class are UEFI-only devices, which means you must run an operating system that supports only UEFI. Those operating systems include Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2. Windows 7 isn't supported on these class 3 devices. Class 3 devices don't have a CSM to emulate BIOS. +- **Class 0 devices.** The device of this class is the UEFI definition for a BIOS, or non-UEFI, device. +- **Class 1 devices.** The devices of this class behave like a standard BIOS machine, but they run EFI internally. They should be treated as normal BIOS-based machines. Class 1 devices use a CSM to emulate BIOS. These older devices are no longer manufactured. +- **Class 2 devices.** The devices of this class have the capability to behave as a BIOS- or a UEFI-based machine, and the boot process or the configuration in the firmware/BIOS determines the mode. Class 2 devices use a CSM to emulate BIOS. These are the most common type of devices currently available. +- **Class 3 devices.** The devices of this class are UEFI-only devices, which means you must run an operating system that supports only UEFI. Those operating systems include Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2. Windows 7 isn't supported on these class 3 devices. Class 3 devices don't have a CSM to emulate BIOS. ### Windows support for UEFI @@ -322,14 +287,14 @@ With UEFI 2.3.1, there are both x86 and x64 versions of UEFI. Windows 10 support There are many things that affect operating system deployment as soon as you run on UEFI/EFI-based hardware. Here are considerations to keep in mind when working with UEFI devices: -- Switching from BIOS to UEFI in the hardware is easy, but you also need to reinstall the operating system because you need to switch from MBR/NTFS to GPT/FAT32 and NTFS. -- When you deploy to a Class 2 device, make sure the boot option you select matches the setting you want to have. It's common for old machines to have several boot options for BIOS but only a few for UEFI, or vice versa. -- When deploying from media, remember the media has to be FAT32 for UEFI, and FAT32 has a file-size limitation of 4 GB. -- UEFI doesn't support cross-platform booting; therefore, you need to have the correct boot media (32-bit or 64-bit). +- Switching from BIOS to UEFI in the hardware is easy, but you also need to reinstall the operating system because you need to switch from MBR/NTFS to GPT/FAT32 and NTFS. +- When you deploy to a Class 2 device, make sure the boot option you select matches the setting you want to have. It's common for old machines to have several boot options for BIOS but only a few for UEFI, or vice versa. +- When deploying from media, remember the media has to be FAT32 for UEFI, and FAT32 has a file-size limitation of 4 GB. +- UEFI doesn't support cross-platform booting; therefore, you need to have the correct boot media (32-bit or 64-bit). For more information on UEFI, see the [UEFI firmware](/previous-versions/windows/it-pro/windows-8.1-and-8/hh824898(v=win.10)) overview and related resources. ## Related articles [Sideload apps in Windows 10](/windows/application-management/sideload-apps-in-windows-10)
                              -[Windows ADK for Windows 10 scenarios for IT pros](windows-adk-scenarios-for-it-pros.md) \ No newline at end of file +[Windows ADK for Windows 10 scenarios for IT pros](windows-adk-scenarios-for-it-pros.md) diff --git a/windows/hub/docfx.json b/windows/hub/docfx.json index 508d741a9b..f1b885b970 100644 --- a/windows/hub/docfx.json +++ b/windows/hub/docfx.json @@ -37,7 +37,7 @@ "audience": "ITPro", "breadcrumb_path": "/windows/resources/breadcrumb/toc.json", "uhfHeaderId": "MSDocsHeader-M365-IT", - "ms.technology": "windows", + "ms.technology": "itpro-fundamentals", "ms.topic": "article", "feedback_system": "GitHub", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", diff --git a/windows/hub/index.yml b/windows/hub/index.yml index dc624bbd9f..aa9a8e5a92 100644 --- a/windows/hub/index.yml +++ b/windows/hub/index.yml @@ -8,12 +8,9 @@ brand: windows metadata: title: Windows client documentation for IT Pros # Required; page title displayed in search results. Include the brand. < 60 chars. description: Evaluate, plan, deploy, secure, and manage devices running Windows 10 and Windows 11. # Required; article description that is displayed in search results. < 160 chars. - services: windows-10 - ms.service: subservice #Required; service per approved list. service slug assigned to your service by ACOM. - ms.subservice: subservice # Optional; Remove if no subservice is used. - ms.topic: hub-page # Required + ms.topic: hub-page + ms.prod: windows-client ms.collection: - - windows-10 - highpri author: dougeby #Required; your GitHub user alias, with correct capitalization. ms.author: dougeby #Required; microsoft alias of author; optional team alias. diff --git a/windows/privacy/changes-to-windows-diagnostic-data-collection.md b/windows/privacy/changes-to-windows-diagnostic-data-collection.md index 48eab123cc..34066bed6d 100644 --- a/windows/privacy/changes-to-windows-diagnostic-data-collection.md +++ b/windows/privacy/changes-to-windows-diagnostic-data-collection.md @@ -30,6 +30,8 @@ In Windows 10, version 1903 and later, you'll see taxonomy updates in both the * Additionally, starting in Windows 11 and Windows Server 2022, we’re simplifying your diagnostic data controls by moving from four diagnostic data controls to three: **Diagnostic data off**, **Required**, and **Optional**. We’re also clarifying the Security diagnostic data level to reflect its behavior more accurately by changing it to **Diagnostic data off**. All these changes are explained in the section named **Behavioral changes**. +Prior to December 13 2022, the default setting for Windows Server 2022 Datacenter: Azure Edition images deployed using Azure Marketplace was **Diagnostic data off**. Beginning December 13 2022, all newly deployed images are set to **Required diagnostic data** to align with all other Windows releases. All other Windows releases and existing installations remain unchanged. + ## Taxonomy changes Starting in Windows 10, version 1903 and later, both the **Out-of-Box-Experience** (OOBE) and the **Diagnostics & feedback** privacy setting pages will reflect the following changes: diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md index 4e4656fc55..ac1febdc26 100644 --- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md +++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md @@ -164,6 +164,8 @@ Here’s a summary of the types of data that is included with each setting: This setting was previously labeled as **Security**. When you configure this setting, no Windows diagnostic data is sent from your device. This is only available on Windows Server, Windows Enterprise, and Windows Education editions. If you choose this setting, devices in your organization will still be secure. +This was the default setting for Windows Server 2022 Datacenter: Azure Edition prior to December 13, 2022. + >[!NOTE] > If your organization relies on Windows Update, the minimum recommended setting is **Required diagnostic data**. Because no Windows Update information is collected when diagnostic data is off, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates. @@ -171,7 +173,7 @@ This setting was previously labeled as **Security**. When you configure this set Required diagnostic data, previously labeled as **Basic**, gathers a limited set of data that’s critical for understanding the device and its configuration. This data helps to identify problems that can occur on a specific hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a specific driver version. -This is the default setting for current releases of Windows, Windows 10, version 1903. +This is the default setting for current releases of Windows, Windows 10, version 1903. Beginning December 13, 2022, it is also the default setting for Windows Server 2022 Datacenter: Azure Edition. Required diagnostic data includes: diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index c364767760..26288c8351 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -45,45 +45,45 @@ href: /windows-hardware/design/device-experiences/oem-highly-secure - name: Operating system security items: - - name: Overview - href: operating-system.md - - name: System security - items: - - name: Secure the Windows boot process - href: information-protection/secure-the-windows-10-boot-process.md - - name: Trusted Boot - href: trusted-boot.md - - name: Cryptography and certificate management - href: cryptography-certificate-mgmt.md - - name: The Windows Security app - href: threat-protection/windows-defender-security-center/windows-defender-security-center.md - items: - - name: Virus & threat protection - href: threat-protection\windows-defender-security-center\wdsc-virus-threat-protection.md - - name: Account protection - href: threat-protection\windows-defender-security-center\wdsc-account-protection.md - - name: Firewall & network protection - href: threat-protection\windows-defender-security-center\wdsc-firewall-network-protection.md - - name: App & browser control - href: threat-protection\windows-defender-security-center\wdsc-app-browser-control.md - - name: Device security - href: threat-protection\windows-defender-security-center\wdsc-device-security.md - - name: Device performance & health - href: threat-protection\windows-defender-security-center\wdsc-device-performance-health.md - - name: Family options - href: threat-protection\windows-defender-security-center\wdsc-family-options.md - - name: Security policy settings - href: threat-protection/security-policy-settings/security-policy-settings.md - - name: Security auditing - href: threat-protection/auditing/security-auditing-overview.md - - name: Encryption and data protection - href: encryption-data-protection.md - items: - - name: Encrypted Hard Drive - href: information-protection/encrypted-hard-drive.md - - name: BitLocker - href: information-protection/bitlocker/bitlocker-overview.md - items: + - name: Overview + href: operating-system.md + - name: System security + items: + - name: Secure the Windows boot process + href: information-protection/secure-the-windows-10-boot-process.md + - name: Trusted Boot + href: trusted-boot.md + - name: Cryptography and certificate management + href: cryptography-certificate-mgmt.md + - name: The Windows Security app + href: threat-protection/windows-defender-security-center/windows-defender-security-center.md + items: + - name: Virus & threat protection + href: threat-protection\windows-defender-security-center\wdsc-virus-threat-protection.md + - name: Account protection + href: threat-protection\windows-defender-security-center\wdsc-account-protection.md + - name: Firewall & network protection + href: threat-protection\windows-defender-security-center\wdsc-firewall-network-protection.md + - name: App & browser control + href: threat-protection\windows-defender-security-center\wdsc-app-browser-control.md + - name: Device security + href: threat-protection\windows-defender-security-center\wdsc-device-security.md + - name: Device performance & health + href: threat-protection\windows-defender-security-center\wdsc-device-performance-health.md + - name: Family options + href: threat-protection\windows-defender-security-center\wdsc-family-options.md + - name: Security policy settings + href: threat-protection/security-policy-settings/security-policy-settings.md + - name: Security auditing + href: threat-protection/auditing/security-auditing-overview.md + - name: Encryption and data protection + href: encryption-data-protection.md + items: + - name: Encrypted Hard Drive + href: information-protection/encrypted-hard-drive.md + - name: BitLocker + href: information-protection/bitlocker/bitlocker-overview.md + items: - name: Overview of BitLocker Device Encryption in Windows href: information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md - name: BitLocker frequently asked questions (FAQ) @@ -136,40 +136,40 @@ - name: Troubleshoot BitLocker items: - name: Troubleshoot BitLocker - href: information-protection/bitlocker/troubleshoot-bitlocker.md + href: /troubleshoot/windows-client/windows-security/bitlocker-issues-troubleshooting - name: "BitLocker cannot encrypt a drive: known issues" - href: information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md + href: /troubleshoot/windows-client/windows-security/bitlocker-cannot-encrypt-a-drive-known-issues - name: "Enforcing BitLocker policies by using Intune: known issues" - href: information-protection/bitlocker/ts-bitlocker-intune-issues.md + href: /troubleshoot/windows-client/windows-security/enforcing-bitlocker-policies-by-using-intune-known-issues - name: "BitLocker Network Unlock: known issues" - href: information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md + href: /troubleshoot/windows-client/windows-security/bitlocker-network-unlock-known-issues - name: "BitLocker recovery: known issues" - href: information-protection/bitlocker/ts-bitlocker-recovery-issues.md + href: /troubleshoot/windows-client/windows-security/bitlocker-recovery-known-issues - name: "BitLocker configuration: known issues" - href: information-protection/bitlocker/ts-bitlocker-config-issues.md + href: /troubleshoot/windows-client/windows-security/bitlocker-configuration-known-issues - name: Troubleshoot BitLocker and TPM issues items: - name: "BitLocker cannot encrypt a drive: known TPM issues" - href: information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md + href: /troubleshoot/windows-client/windows-security/bitlocker-cannot-encrypt-a-drive-known-tpm-issues - name: "BitLocker and TPM: other known issues" - href: information-protection/bitlocker/ts-bitlocker-tpm-issues.md + href: /troubleshoot/windows-client/windows-security/bitlocker-and-tpm-other-known-issues - name: Decode Measured Boot logs to track PCR changes - href: information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md - - name: Personal Data Encryption (PDE) - items: - - name: Personal Data Encryption (PDE) overview - href: information-protection/personal-data-encryption/overview-pde.md - - name: Personal Data Encryption (PDE) frequently asked questions (FAQ) - href: information-protection/personal-data-encryption/faq-pde.yml - - name: Configure Personal Data Encryption (PDE) in Intune - href: information-protection/personal-data-encryption/configure-pde-in-intune.md - - name: Configure S/MIME for Windows - href: identity-protection/configure-s-mime.md - - name: Network security - items: - - name: VPN technical guide - href: identity-protection/vpn/vpn-guide.md - items: + href: /troubleshoot/windows-client/windows-security/decode-measured-boot-logs-to-track-pcr-changes + - name: Personal Data Encryption (PDE) + items: + - name: Personal Data Encryption (PDE) overview + href: information-protection/personal-data-encryption/overview-pde.md + - name: Personal Data Encryption (PDE) frequently asked questions (FAQ) + href: information-protection/personal-data-encryption/faq-pde.yml + - name: Configure Personal Data Encryption (PDE) in Intune + href: information-protection/personal-data-encryption/configure-pde-in-intune.md + - name: Configure S/MIME for Windows + href: identity-protection/configure-s-mime.md + - name: Network security + items: + - name: VPN technical guide + href: identity-protection/vpn/vpn-guide.md + items: - name: VPN connection types href: identity-protection/vpn/vpn-connection-type.md - name: VPN routing decisions @@ -192,17 +192,17 @@ href: identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md - name: Optimizing Office 365 traffic with the Windows VPN client href: identity-protection/vpn/vpn-office-365-optimization.md - - name: Windows Defender Firewall - href: threat-protection/windows-firewall/windows-firewall-with-advanced-security.md - - name: Windows security baselines - href: threat-protection/windows-security-configuration-framework/windows-security-baselines.md - items: + - name: Windows Defender Firewall + href: threat-protection/windows-firewall/windows-firewall-with-advanced-security.md + - name: Windows security baselines + href: threat-protection/windows-security-configuration-framework/windows-security-baselines.md + items: - name: Security Compliance Toolkit href: threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md - name: Get support href: threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md - - name: Virus & threat protection - items: + - name: Virus & threat protection + items: - name: Overview href: threat-protection/index.md - name: Microsoft Defender Antivirus @@ -219,8 +219,8 @@ href: /microsoft-365/security/defender-endpoint/exploit-protection - name: Microsoft Defender for Endpoint href: /microsoft-365/security/defender-endpoint - - name: More Windows security - items: + - name: More Windows security + items: - name: Override Process Mitigation Options to help enforce app-related security policies href: threat-protection/override-mitigation-options-for-app-related-security-policies.md - name: Use Windows Event Forwarding to help with intrusion detection @@ -230,9 +230,9 @@ - name: Windows Information Protection (WIP) href: information-protection/windows-information-protection/protect-enterprise-data-using-wip.md items: - - name: Create a WIP policy using Microsoft Intune - href: information-protection/windows-information-protection/overview-create-wip-policy.md - items: + - name: Create a WIP policy using Microsoft Intune + href: information-protection/windows-information-protection/overview-create-wip-policy.md + items: - name: Create a WIP policy in Microsoft Intune href: information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md items: @@ -244,26 +244,26 @@ href: information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md - name: Determine the enterprise context of an app running in WIP href: information-protection/windows-information-protection/wip-app-enterprise-context.md - - name: Create a WIP policy using Microsoft Configuration Manager - href: information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md - items: + - name: Create a WIP policy using Microsoft Configuration Manager + href: information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md + items: - name: Create and deploy a WIP policy in Configuration Manager href: information-protection/windows-information-protection/create-wip-policy-using-configmgr.md - name: Create and verify an EFS Data Recovery Agent (DRA) certificate href: information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md - name: Determine the enterprise context of an app running in WIP href: information-protection/windows-information-protection/wip-app-enterprise-context.md - - name: Mandatory tasks and settings required to turn on WIP - href: information-protection/windows-information-protection/mandatory-settings-for-wip.md - - name: Testing scenarios for WIP - href: information-protection/windows-information-protection/testing-scenarios-for-wip.md - - name: Limitations while using WIP - href: information-protection/windows-information-protection/limitations-with-wip.md - - name: How to collect WIP audit event logs - href: information-protection/windows-information-protection/collect-wip-audit-event-logs.md - - name: General guidance and best practices for WIP - href: information-protection/windows-information-protection/guidance-and-best-practices-wip.md - items: + - name: Mandatory tasks and settings required to turn on WIP + href: information-protection/windows-information-protection/mandatory-settings-for-wip.md + - name: Testing scenarios for WIP + href: information-protection/windows-information-protection/testing-scenarios-for-wip.md + - name: Limitations while using WIP + href: information-protection/windows-information-protection/limitations-with-wip.md + - name: How to collect WIP audit event logs + href: information-protection/windows-information-protection/collect-wip-audit-event-logs.md + - name: General guidance and best practices for WIP + href: information-protection/windows-information-protection/guidance-and-best-practices-wip.md + items: - name: Enlightened apps for use with WIP href: information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md - name: Unenlightened and enlightened app behavior while using WIP @@ -272,52 +272,59 @@ href: information-protection/windows-information-protection/recommended-network-definitions-for-wip.md - name: Using Outlook Web Access with WIP href: information-protection/windows-information-protection/using-owa-with-wip.md - - name: Fine-tune WIP Learning - href: information-protection/windows-information-protection/wip-learning.md - - name: Disable WIP - href: information-protection/windows-information-protection/how-to-disable-wip.md + - name: Fine-tune WIP Learning + href: information-protection/windows-information-protection/wip-learning.md + - name: Disable WIP + href: information-protection/windows-information-protection/how-to-disable-wip.md - name: Application security items: - - name: Overview - href: apps.md - - name: Windows Defender Application Control and virtualization-based protection of code integrity - href: threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md - - name: Windows Defender Application Control - href: threat-protection\windows-defender-application-control\windows-defender-application-control.md - - name: Microsoft Defender Application Guard - href: threat-protection\microsoft-defender-application-guard\md-app-guard-overview.md - - name: Windows Sandbox - href: threat-protection/windows-sandbox/windows-sandbox-overview.md - items: + - name: Overview + href: apps.md + - name: Windows Defender Application Control and virtualization-based protection of code integrity + href: threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md + - name: Windows Defender Application Control + href: threat-protection\windows-defender-application-control\windows-defender-application-control.md + - name: Microsoft Defender Application Guard + href: threat-protection\microsoft-defender-application-guard\md-app-guard-overview.md + - name: Windows Sandbox + href: threat-protection/windows-sandbox/windows-sandbox-overview.md + items: - name: Windows Sandbox architecture href: threat-protection/windows-sandbox/windows-sandbox-architecture.md - name: Windows Sandbox configuration href: threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md - - name: Microsoft Defender SmartScreen overview - href: threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md - items: + - name: Microsoft Defender SmartScreen overview + href: threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md + items: - name: Enhanced Phishing Protection in Microsoft Defender SmartScreen href: threat-protection\microsoft-defender-smartscreen\phishing-protection-microsoft-defender-smartscreen.md - - name: Configure S/MIME for Windows - href: identity-protection\configure-s-mime.md - - name: Windows Credential Theft Mitigation Guide Abstract - href: identity-protection\windows-credential-theft-mitigation-guide-abstract.md + - name: Configure S/MIME for Windows + href: identity-protection\configure-s-mime.md + - name: Windows Credential Theft Mitigation Guide Abstract + href: identity-protection\windows-credential-theft-mitigation-guide-abstract.md - name: User security and secured identity items: - name: Overview href: identity.md - - name: Windows Hello for Business - href: identity-protection/hello-for-business/index.yml - name: Windows credential theft mitigation guide href: identity-protection/windows-credential-theft-mitigation-guide-abstract.md + - name: Passwordless + items: + - name: Windows Hello for Business + href: identity-protection/hello-for-business/index.yml + - name: FIDO 2 security keys + href: /azure/active-directory/authentication/howto-authentication-passwordless-security-key?context=/windows/security/context/context + - name: Local Administrator Password Solution (LAPS) + href: /windows-server/identity/laps/laps-overview?context=/windows/security/context/context - name: Enterprise Certificate Pinning href: identity-protection/enterprise-certificate-pinning.md - - name: Protect derived domain credentials with Credential Guard - href: identity-protection/credential-guard/credential-guard.md + - name: Credential Guard items: + - name: Protect derived domain credentials with Credential Guard + href: identity-protection/credential-guard/credential-guard.md - name: How Credential Guard works href: identity-protection/credential-guard/credential-guard-how-it-works.md - - name: Credential Guard Requirements + - name: Requirements href: identity-protection/credential-guard/credential-guard-requirements.md - name: Manage Credential Guard href: identity-protection/credential-guard/credential-guard-manage.md @@ -327,30 +334,32 @@ href: identity-protection/credential-guard/credential-guard-protection-limits.md - name: Considerations when using Credential Guard href: identity-protection/credential-guard/credential-guard-considerations.md - - name: "Credential Guard: Additional mitigations" + - name: Additional mitigations href: identity-protection/credential-guard/additional-mitigations.md - - name: "Credential Guard: Known issues" + - name: Known issues href: identity-protection/credential-guard/credential-guard-known-issues.md - - name: Protect Remote Desktop credentials with Remote Credential Guard + - name: Remote Credential Guard href: identity-protection/remote-credential-guard.md - name: Configuring LSA Protection href: /windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection?toc=/windows/security/toc.json&bc=/windows/security/breadcrumb/toc.json - name: Technical support policy for lost or forgotten passwords href: identity-protection/password-support-policy.md - - name: Access Control Overview - href: identity-protection/access-control/access-control.md + - name: Access Control items: + - name: Overview + href: identity-protection/access-control/access-control.md - name: Local Accounts href: identity-protection/access-control/local-accounts.md - - name: User Account Control + - name: User Account Control (UAC) + items: + - name: Overview href: identity-protection/user-account-control/user-account-control-overview.md - items: - - name: How User Account Control works - href: identity-protection/user-account-control/how-user-account-control-works.md - - name: User Account Control security policy settings - href: identity-protection/user-account-control/user-account-control-security-policy-settings.md - - name: User Account Control Group Policy and registry key settings - href: identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md + - name: How User Account Control works + href: identity-protection/user-account-control/how-user-account-control-works.md + - name: User Account Control security policy settings + href: identity-protection/user-account-control/user-account-control-security-policy-settings.md + - name: User Account Control Group Policy and registry key settings + href: identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md - name: Smart Cards href: identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md items: @@ -396,14 +405,14 @@ href: identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md - name: Cloud services items: - - name: Overview - href: cloud.md - - name: Mobile device management - href: /windows/client-management/mdm/ - - name: Windows 365 Cloud PCs - href: /windows-365/overview - - name: Azure Virtual Desktop - href: /azure/virtual-desktop/ + - name: Overview + href: cloud.md + - name: Mobile device management + href: /windows/client-management/mdm/ + - name: Windows 365 Cloud PCs + href: /windows-365/overview + - name: Azure Virtual Desktop + href: /azure/virtual-desktop/ - name: Security foundations items: - name: Overview diff --git a/windows/security/apps.md b/windows/security/apps.md index 1ddbbc8a9d..6ae3789ec4 100644 --- a/windows/security/apps.md +++ b/windows/security/apps.md @@ -5,9 +5,10 @@ ms.reviewer: manager: aaroncz ms.author: dansimp author: dansimp -ms.collection: M365-security-compliance ms.prod: windows-client ms.technology: itpro-security +ms.date: 12/31/2017 +ms.topic: article --- # Windows application security diff --git a/windows/security/breadcrumb/toc.yml b/windows/security/breadcrumb/toc.yml index 2531ffba73..19748bed13 100644 --- a/windows/security/breadcrumb/toc.yml +++ b/windows/security/breadcrumb/toc.yml @@ -10,3 +10,9 @@ items: - name: Security tocHref: /windows-server/security/credentials-protection-and-management/ topicHref: /windows/security/ + - name: Security + tocHref: /windows-server/identity/laps/ + topicHref: /windows/security/ + - name: Security + tocHref: /azure/active-directory/authentication/ + topicHref: /windows/security/ diff --git a/windows/security/cloud.md b/windows/security/cloud.md index 0c96ff69db..27db0f26ae 100644 --- a/windows/security/cloud.md +++ b/windows/security/cloud.md @@ -10,7 +10,6 @@ ms.date: 09/20/2021 ms.localizationpriority: medium ms.custom: search.appverid: MET150 -ms.collection: M365-security-compliance ms.prod: windows-client ms.technology: itpro-security --- diff --git a/windows/security/context/context.yml b/windows/security/context/context.yml new file mode 100644 index 0000000000..aa53a529eb --- /dev/null +++ b/windows/security/context/context.yml @@ -0,0 +1,4 @@ +### YamlMime: ContextObject +brand: windows +breadcrumb_path: ../breadcrumb/toc.yml +toc_rel: ../toc.yml \ No newline at end of file diff --git a/windows/security/docfx.json b/windows/security/docfx.json index 84eb2da0af..bb2804df03 100644 --- a/windows/security/docfx.json +++ b/windows/security/docfx.json @@ -36,9 +36,10 @@ "recommendations": true, "breadcrumb_path": "/windows/resources/breadcrumb/toc.json", "uhfHeaderId": "MSDocsHeader-M365-IT", - "ms.topic": "article", - "manager": "dansimp", - "audience": "ITPro", + "ms.localizationpriority": "medium", + "ms.prod": "windows-client", + "ms.technology": "itpro-security", + "manager": "aaroncz", "feedback_system": "GitHub", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332", @@ -48,7 +49,6 @@ "folder_relative_path_in_docset": "./" } }, - "titleSuffix": "Windows security", "contributors_to_exclude": [ "rjagiewich", "traya1", @@ -56,13 +56,24 @@ "claydetels19", "jborsecnik", "tiburd", + "AngelaMotherofDragons", + "dstrome", + "v-dihans", "garycentric" ], "searchScope": ["Windows 10"] }, "fileMetadata": { - "titleSuffix":{ - "threat-protection/**/*.md": "Windows security" + "author":{ + "identity-protection/**/*.md": "paolomatarazzo" + }, + "ms.author":{ + "identity-protection/**/*.md": "paoloma" + }, + "ms.reviewer":{ + "identity-protection/hello-for-business/*.md": "erikdau", + "identity-protection/credential-guard/*.md": "zwhittington", + "identity-protection/access-control/*.md": "sulahiri" } }, "template": [], diff --git a/windows/security/hardware.md b/windows/security/hardware.md index 7954ea474f..0baa5e3748 100644 --- a/windows/security/hardware.md +++ b/windows/security/hardware.md @@ -5,9 +5,10 @@ ms.reviewer: manager: aaroncz ms.author: vinpa author: vinaypamnani-msft -ms.collection: M365-security-compliance ms.prod: windows-client ms.technology: itpro-security +ms.date: 12/31/2017 +ms.topic: article --- # Windows hardware security diff --git a/windows/security/identity-protection/access-control/access-control.md b/windows/security/identity-protection/access-control/access-control.md index abf2dc6eec..0f1ca8d5c4 100644 --- a/windows/security/identity-protection/access-control/access-control.md +++ b/windows/security/identity-protection/access-control/access-control.md @@ -1,108 +1,79 @@ --- -title: Access Control Overview (Windows 10) -description: Access Control Overview +title: Access Control Overview +description: Description of the access controls in Windows, which is the process of authorizing users, groups, and computers to access objects on the network or computer. ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: sulahiri -manager: aaroncz -ms.collection: - - M365-identity-device-management ms.topic: article -ms.localizationpriority: medium -ms.date: 07/18/2017 +ms.date: 11/22/2022 appliesto: - - ✅ Windows 10 - - ✅ Windows Server 2016 +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later +ms.technology: itpro-security --- # Access Control Overview This topic for the IT professional describes access control in Windows, which is the process of authorizing users, groups, and computers to access objects on the network or computer. Key concepts that make up access control are permissions, ownership of objects, inheritance of permissions, user rights, and object auditing. -## Feature description - +## Feature description Computers that are running a supported version of Windows can control the use of system and network resources through the interrelated mechanisms of authentication and authorization. After a user is authenticated, the Windows operating system uses built-in authorization and access control technologies to implement the second phase of protecting resources: determining if an authenticated user has the correct permissions to access a resource. -Shared resources are available to users and groups other than the resource’s owner, and they need to be protected from unauthorized use. In the access control model, users and groups (also referred to as security principals) are represented by unique security identifiers (SIDs). They are assigned rights and permissions that inform the operating system what each user and group can do. Each resource has an owner who grants permissions to security principals. During the access control check, these permissions are examined to determine which security principals can access the resource and how they can access it. +Shared resources are available to users and groups other than the resource's owner, and they need to be protected from unauthorized use. In the access control model, users and groups (also referred to as security principals) are represented by unique security identifiers (SIDs). They are assigned rights and permissions that inform the operating system what each user and group can do. Each resource has an owner who grants permissions to security principals. During the access control check, these permissions are examined to determine which security principals can access the resource and how they can access it. Security principals perform actions (which include Read, Write, Modify, or Full control) on objects. Objects include files, folders, printers, registry keys, and Active Directory Domain Services (AD DS) objects. Shared resources use access control lists (ACLs) to assign permissions. This enables resource managers to enforce access control in the following ways: -- Deny access to unauthorized users and groups - -- Set well-defined limits on the access that is provided to authorized users and groups +- Deny access to unauthorized users and groups +- Set well-defined limits on the access that is provided to authorized users and groups Object owners generally grant permissions to security groups rather than to individual users. Users and computers that are added to existing groups assume the permissions of that group. If an object (such as a folder) can hold other objects (such as subfolders and files), it is called a container. In a hierarchy of objects, the relationship between a container and its content is expressed by referring to the container as the parent. An object in the container is referred to as the child, and the child inherits the access control settings of the parent. Object owners often define permissions for container objects, rather than individual child objects, to ease access control management. This content set contains: -- [Dynamic Access Control Overview](dynamic-access-control.md) - -- [Security identifiers](security-identifiers.md) - -- [Security Principals](security-principals.md) - - - [Local Accounts](local-accounts.md) - - - [Active Directory Accounts](active-directory-accounts.md) - - - [Microsoft Accounts](microsoft-accounts.md) - - - [Service Accounts](service-accounts.md) - - - [Active Directory Security Groups](active-directory-security-groups.md) - -## Practical applications +- [Dynamic Access Control Overview](dynamic-access-control.md) +- [Security identifiers](security-identifiers.md) +- [Security Principals](security-principals.md) + - [Local Accounts](local-accounts.md) + - [Active Directory Accounts](active-directory-accounts.md) + - [Microsoft Accounts](microsoft-accounts.md) + - [Service Accounts](service-accounts.md) + - [Active Directory Security Groups](active-directory-security-groups.md) +## Practical applications Administrators who use the supported version of Windows can refine the application and management of access control to objects and subjects to provide the following security: -- Protect a greater number and variety of network resources from misuse. - -- Provision users to access resources in a manner that is consistent with organizational policies and the requirements of their jobs. - -- Enable users to access resources from a variety of devices in numerous locations. - -- Update users’ ability to access resources on a regular basis as an organization’s policies change or as users’ jobs change. - -- Account for a growing number of use scenarios (such as access from remote locations or from a rapidly expanding variety of devices, such as tablet computers and mobile phones). - -- Identify and resolve access issues when legitimate users are unable to access resources that they need to perform their jobs. +- Protect a greater number and variety of network resources from misuse. +- Provision users to access resources in a manner that is consistent with organizational policies and the requirements of their jobs. +- Enable users to access resources from a variety of devices in numerous locations. +- Update users' ability to access resources on a regular basis as an organization's policies change or as users' jobs change. +- Account for a growing number of use scenarios (such as access from remote locations or from a rapidly expanding variety of devices, such as tablet computers and mobile phones). +- Identify and resolve access issues when legitimate users are unable to access resources that they need to perform their jobs. ## Permissions - Permissions define the type of access that is granted to a user or group for an object or object property. For example, the Finance group can be granted Read and Write permissions for a file named Payroll.dat. By using the access control user interface, you can set NTFS permissions for objects such as files, Active Directory objects, registry objects, or system objects such as processes. Permissions can be granted to any user, group, or computer. It is a good practice to assign permissions to groups because it improves system performance when verifying access to an object. For any object, you can grant permissions to: -- Groups, users, and other objects with security identifiers in the domain. - -- Groups and users in that domain and any trusted domains. - -- Local groups and users on the computer where the object resides. +- Groups, users, and other objects with security identifiers in the domain. +- Groups and users in that domain and any trusted domains. +- Local groups and users on the computer where the object resides. The permissions attached to an object depend on the type of object. For example, the permissions that can be attached to a file are different from those that can be attached to a registry key. Some permissions, however, are common to most types of objects. These common permissions are: -- Read - -- Modify - -- Change owner - -- Delete +- Read +- Modify +- Change owner +- Delete When you set permissions, you specify the level of access for groups and users. For example, you can let one user read the contents of a file, let another user make changes to the file, and prevent all other users from accessing the file. You can set similar permissions on printers so that certain users can configure the printer and other users can only print. When you need to change the permissions on a file, you can run Windows Explorer, right-click the file name, and click **Properties**. On the **Security** tab, you can change permissions on the file. For more information, see [Managing Permissions](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc770962(v=ws.11)). -**Note**   -Another kind of permissions, called share permissions, is set on the Sharing tab of a folder's **Properties** page or by using the Shared Folder Wizard. For more information see [Share and NTFS Permissions on a File Server](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754178(v=ws.11)). - - +> [!NOTE] +> Another kind of permissions, called share permissions, is set on the Sharing tab of a folder's **Properties** page or by using the Shared Folder Wizard. For more information see [Share and NTFS Permissions on a File Server](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754178(v=ws.11)). ### Ownership of objects @@ -114,7 +85,6 @@ Inheritance allows administrators to easily assign and manage permissions. This ## User rights - User rights grant specific privileges and sign-in rights to users and groups in your computing environment. Administrators can assign specific rights to group accounts or to individual user accounts. These rights authorize users to perform specific actions, such as signing in to a system interactively or backing up files and directories. User rights are different from permissions because user rights apply to user accounts, and permissions are associated with objects. Although user rights can apply to individual user accounts, user rights are best administered on a group account basis. There is no support in the access control user interface to grant user rights. However, user rights assignment can be administered through **Local Security Settings**. @@ -123,15 +93,10 @@ For more information about user rights, see [User Rights Assignment](/windows/de ## Object auditing - With administrator's rights, you can audit users' successful or failed access to objects. You can select which object access to audit by using the access control user interface, but first you must enable the audit policy by selecting **Audit object access** under **Local Policies** in **Local Security Settings**. You can then view these security-related events in the Security log in Event Viewer. For more information about auditing, see [Security Auditing Overview](../../threat-protection/auditing/security-auditing-overview.md). ## See also -- For more information about access control and authorization, see [Access Control and Authorization Overview](/previous-versions/windows/it-pro/windows-8.1-and-8/jj134043(v=ws.11)). - - - - +- For more information about access control and authorization, see [Access Control and Authorization Overview](/previous-versions/windows/it-pro/windows-8.1-and-8/jj134043(v=ws.11)). diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md index b68832d816..5a35d2853f 100644 --- a/windows/security/identity-protection/access-control/local-accounts.md +++ b/windows/security/identity-protection/access-control/local-accounts.md @@ -1,84 +1,51 @@ --- -title: Local Accounts (Windows 10) +title: Local Accounts description: Learn how to secure and manage access to the resources on a standalone or member server for services or users. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: sulahiri -manager: aaroncz +ms.date: 12/05/2022 ms.collection: - - M365-identity-device-management - highpri ms.topic: article -ms.localizationpriority: medium -ms.date: 06/17/2022 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 - - ✅ Windows Server 2019 - - ✅ Windows Server 2022 +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later +ms.technology: itpro-security --- # Local Accounts -This reference article for IT professionals describes the default local user accounts for servers, including how to manage these built-in accounts on a member or standalone server. +This article describes the default local user accounts for Windows operating systems, and how to manage the built-in accounts. -## About local user accounts +## About local user accounts -Local user accounts are stored locally on the server. These accounts can be assigned rights and permissions on a particular server, but on that server only. Local user accounts are security principals that are used to secure and manage access to the resources on a standalone or member server for services or users. +Local user accounts are stored locally on the device. These accounts can be assigned rights and permissions on a particular device, but on that device only. Local user accounts are security principals that are used to secure and manage access to the resources on a device, for services or users. -This article describes the following: +## Default local user accounts -- [Default local user accounts](#sec-default-accounts) +The *default local user accounts* are built-in accounts that are created automatically when the operating system is installed. The default local user accounts can't be removed or deleted and don't provide access to network resources. - - [Administrator account](#sec-administrator) +Default local user accounts are used to manage access to the local device's resources based on the rights and permissions that are assigned to the account. The default local user accounts, and the local user accounts that you create, are located in the *Users* folder. The Users folder is located in the Local Users and Groups folder in the local *Computer Management* Microsoft Management Console (MMC). *Computer Management* is a collection of administrative tools that you can use to manage a local or remote device. - - [Guest Account](#sec-guest) +Default local user accounts are described in the following sections. Expand each section for more information. - - [HelpAssistant account (installed by using a Remote Assistance session)](#sec-helpassistant) +
                              +
                              +Administrator - - [DefaultAccount](#defaultaccount) +The default local Administrator account is a user account for system administration. Every computer has an Administrator account (SID S-1-5-*domain*-500, display name Administrator). The Administrator account is the first account that is created during the Windows installation. -- [Default local system accounts](#sec-localsystem) - -- [How to manage local accounts](#sec-manage-accounts) - - - [Restrict and protect local accounts with administrative rights](#sec-restrict-protect-accounts) - - - [Enforce local account restrictions for remote access](#sec-enforce-account-restrictions) - - - [Deny network logon to all local Administrator accounts](#sec-deny-network-logon) - - - [Create unique passwords for local accounts with administrative rights](#sec-create-unique-passwords) - -For information about security principals, see [Security Principals](security-principals.md). - -## Default local user accounts - -The default local user accounts are built-in accounts that are created automatically when you install Windows. - -After Windows is installed, the default local user accounts can't be removed or deleted. In addition, default local user accounts don't provide access to network resources. - -Default local user accounts are used to manage access to the local server’s resources based on the rights and permissions that are assigned to the account. The default local user accounts, and the local user accounts that you create, are located in the Users folder. The Users folder is located in the Local Users and Groups folder in the local Computer Management Microsoft Management Console (MMC). Computer Management is a collection of administrative tools that you can use to manage a single local or remote computer. For more information, see [How to manage local accounts](#sec-manage-accounts) later in this article. - -Default local user accounts are described in the following sections. - -### Administrator account - -The default local Administrator account is a user account for the system administrator. Every computer has an Administrator account (SID S-1-5-*domain*-500, display name Administrator). The Administrator account is the first account that is created during the Windows installation. - -The Administrator account has full control of the files, directories, services, and other resources on the local computer. The Administrator account can create other local users, assign user rights, and assign permissions. The Administrator account can take control of local resources at any time simply by changing the user rights and permissions. +The Administrator account has full control of the files, directories, services, and other resources on the local device. The Administrator account can create other local users, assign user rights, and assign permissions. The Administrator account can take control of local resources at any time by changing the user rights and permissions. The default Administrator account can't be deleted or locked out, but it can be renamed or disabled. -From Windows 10, Windows 11 and Windows Server 2016, Windows setup disables the built-in Administrator account and creates another local account that is a member of the Administrators group. Members of the Administrators groups can run apps with elevated permissions without using the **Run as Administrator** option. Fast User Switching is more secure than using Runas or different-user elevation. +Windows setup disables the built-in Administrator account and creates another local account that is a member of the Administrators group. + +Members of the Administrators groups can run apps with elevated permissions without using the *Run as Administrator* option. Fast User Switching is more secure than using `runas` or different-user elevation. **Account group membership** -By default, the Administrator account is installed as a member of the Administrators group on the server. It's a best practice to limit the number of users in the Administrators group because members of the Administrators group on a local server have Full Control permissions on that computer. +By default, the Administrator account is a member of the Administrators group. It's a best practice to limit the number of users in the Administrators group because members of the Administrators group have Full Control permissions on the device. -The Administrator account can't be deleted or removed from the Administrators group, but it can be renamed. +The Administrator account can't be removed from the Administrators group. **Security considerations** @@ -88,9 +55,7 @@ You can rename the Administrator account. However, a renamed Administrator accou As a security best practice, use your local (non-Administrator) account to sign in and then use **Run as administrator** to accomplish tasks that require a higher level of rights than a standard user account. Don't use the Administrator account to sign in to your computer unless it's entirely necessary. For more information, see [Run a program with administrative credentials](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732200(v=ws.11)). -In comparison, on the Windows client operating system, a user with a local user account that has Administrator rights is considered the system administrator of the client computer. The first local user account that is created during installation is placed in the local Administrators group. However, when multiple users run as local administrators, the IT staff has no control over these users or their client computers. - -In this case, Group Policy can be used to enable secure settings that can control the use of the local Administrators group automatically on every server or client computer. For more information about Group Policy, see [Group Policy Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831791(v=ws.11)). +Group Policy can be used to control the use of the local Administrators group automatically. For more information about Group Policy, see [Group Policy Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831791(v=ws.11)). > [!IMPORTANT] > @@ -98,13 +63,16 @@ In this case, Group Policy can be used to enable secure settings that can contro > > - Even when the Administrator account has been disabled, it can still be used to gain access to a computer by using safe mode. In the Recovery Console or in safe mode, the Administrator account is automatically enabled. When normal operations are resumed, it is disabled. -### Guest account +
                              +
                              +
                              +Guest -The Guest account is disabled by default on installation. The Guest account lets occasional or one-time users, who don't have an account on the computer, temporarily sign in to the local server or client computer with limited user rights. By default, the Guest account has a blank password. Because the Guest account can provide anonymous access, it's a security risk. For this reason, it's a best practice to leave the Guest account disabled, unless its use is entirely necessary. +The Guest account lets occasional or one-time users, who don't have an account on the computer, temporarily sign in to the local server or client computer with limited user rights. By default, the Guest account is disabled and has a blank password. Since the Guest account can provide anonymous access, it's considered a security risk. For this reason, it's a best practice to leave the Guest account disabled, unless its use is necessary. **Account group membership** -By default, the Guest account is the only member of the default Guests group (SID S-1-5-32-546), which lets a user sign in to a server. On occasion, an administrator who is a member of the Administrators group can set up a user with a Guest account on one or more computers. +By default, the Guest account is the only member of the default Guests group (SID S-1-5-32-546), which lets a user sign in to a device. **Security considerations** @@ -112,8 +80,11 @@ When enabling the Guest account, only grant limited rights and permissions. For In addition, the guest user in the Guest account shouldn't be able to view the event logs. After the Guest account is enabled, it's a best practice to monitor the Guest account frequently to ensure that other users can't use services and other resources. This includes resources that were unintentionally left available by a previous user. -## HelpAssistant account (installed with a Remote Assistance session) +
                              +
                              +
                              +HelpAssistant The HelpAssistant account is a default local account that is enabled when a Remote Assistance session is run. This account is automatically disabled when no Remote Assistance requests are pending. @@ -123,9 +94,9 @@ HelpAssistant is the primary account that is used to establish a Remote Assistan The SIDs that pertain to the default HelpAssistant account include: -- SID: S-1-5-<domain>-13, display name Terminal Server User. This group includes all users who sign in to a server with Remote Desktop Services enabled. Note: In Windows Server 2008, Remote Desktop Services is called Terminal Services. +- SID: `S-1-5--13`, display name Terminal Server User. This group includes all users who sign in to a server with Remote Desktop Services enabled. Note: In Windows Server 2008, Remote Desktop Services is called Terminal Services. -- SID: S-1-5-<domain>-14, display name Remote Interactive Logon. This group includes all users who connect to the computer by using a remote desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID. +- SID: `S-1-5--14`, display name Remote Interactive Logon. This group includes all users who connect to the computer by using a remote desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID. For the Windows Server operating system, Remote Assistance is an optional component that isn't installed by default. You must install Remote Assistance before it can be used. @@ -137,23 +108,26 @@ For details about the HelpAssistant account attributes, see the following table. |--- |--- | |Well-Known SID/RID|`S-1-5--13 (Terminal Server User), S-1-5--14 (Remote Interactive Logon)`| |Type|User| -|Default container|`CN=Users, DC=, DC=`| +|Default container|`CN=Users, DC=`| |Default members|None| |Default member of|Domain Guests

                              Guests| |Protected by ADMINSDHOLDER?|No| |Safe to move out of default container?|Can be moved out, but we don't recommend it.| |Safe to delegate management of this group to non-Service admins?|No| -### DefaultAccount +
                              -The DefaultAccount, also known as the Default System Managed Account (DSMA), is a built-in account introduced in Windows 10 version 1607 and Windows Server 2016. -The DSMA is a well-known user account type. -It's a user neutral account that can be used to run processes that are either multi-user aware or user-agnostic. -The DSMA is disabled by default on the desktop SKUs (full windows SKUs) and WS 2016 with the Desktop. +
                              +
                              +DefaultAccount -The DSMA has a well-known RID of 503. The security identifier (SID) of the DSMA will thus have a well-known SID in the following format: S-1-5-21-\-503 +The DefaultAccount account, also known as the Default System Managed Account (DSMA), is a well-known user account type. DefaultAccount can be used to run processes that are either multi-user aware or user-agnostic. -The DSMA is a member of the well-known group **System Managed Accounts Group**, which has a well-known SID of S-1-5-32-581. +The DSMA is disabled by default on the desktop SKUs and on the Server operating systems with the desktop experience. + +The DSMA has a well-known RID of `503`. The security identifier (SID) of the DSMA will thus have a well-known SID in the following format: `S-1-5-21-\-503`. + +The DSMA is a member of the well-known group **System Managed Accounts Group**, which has a well-known SID of `S-1-5-32-581`. The DSMA alias can be granted access to resources during offline staging even before the account itself has been created. The account and the group are created during first boot of the machine within the Security Accounts Manager (SAM). @@ -168,10 +142,10 @@ Today, Xbox automatically signs in as Guest account and all apps run in this con All the apps are multi-user-aware and respond to events fired by user manager. The apps run as the Guest account. -Similarly, Phone auto logs in as a “DefApps” account, which is akin to the standard user account in Windows but with a few extra privileges. Brokers, some services and apps run as this account. +Similarly, Phone auto logs in as a *DefApps* account, which is akin to the standard user account in Windows but with a few extra privileges. Brokers, some services and apps run as this account. In the converged user model, the multi-user-aware apps and multi-user-aware brokers will need to run in a context different from that of the users. -For this purpose, the system creates DSMA. +For this purpose, the system creates DSMA. #### How the DefaultAccount gets created on domain controllers @@ -181,25 +155,37 @@ If the domain was created with domain controllers running an earlier version of #### Recommendations for managing the Default Account (DSMA) Microsoft doesn't recommend changing the default configuration, where the account is disabled. There's no security risk with having the account in the disabled state. Changing the default configuration could hinder future scenarios that rely on this account. +
                              -## Default local system accounts +## Default local system accounts -### SYSTEM -The SYSTEM account is used by the operating system and by services running under Windows. There are many services and processes in the Windows operating system that need the capability to sign in internally, such as during a Windows installation. The SYSTEM account was designed for that purpose, and Windows manages the SYSTEM account’s user rights. It's an internal account that doesn't show up in User Manager, and it can't be added to any groups. +
                              +
                              +SYSTEM + + +The *SYSTEM* account is used by the operating system and by services running under Windows. There are many services and processes in the Windows operating system that need the capability to sign in internally, such as during a Windows installation. The SYSTEM account was designed for that purpose, and Windows manages the SYSTEM account's user rights. It's an internal account that doesn't show up in User Manager, and it can't be added to any groups. On the other hand, the SYSTEM account does appear on an NTFS file system volume in File Manager in the **Permissions** portion of the **Security** menu. By default, the SYSTEM account is granted Full Control permissions to all files on an NTFS volume. Here the SYSTEM account has the same functional rights and permissions as the Administrator account. > [!NOTE] > To grant the account Administrators group file permissions does not implicitly give permission to the SYSTEM account. The SYSTEM account's permissions can be removed from a file, but we do not recommend removing them. -### NETWORK SERVICE +
                              +
                              +
                              +NETWORK SERVICE + The NETWORK SERVICE account is a predefined local account used by the service control manager (SCM). A service that runs in the context of the NETWORK SERVICE account presents the computer's credentials to remote servers. For more information, see [NetworkService Account](/windows/desktop/services/networkservice-account). +
                              +
                              +
                              +LOCAL SERVICE -### LOCAL SERVICE The LOCAL SERVICE account is a predefined local account used by the service control manager. It has minimum privileges on the local computer and presents anonymous credentials on the network. For more information, see [LocalService Account](/windows/desktop/services/localservice-account). +
                              -## How to manage local user accounts - +## How to manage local user accounts The default local user accounts, and the local user accounts you create, are located in the Users folder. The Users folder is located in Local Users and Groups. For more information about creating and managing local user accounts, see [Manage Local Users](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731899(v=ws.11)). @@ -208,11 +194,11 @@ You can use Local Users and Groups to assign rights and permissions on only the You can't use Local Users and Groups on a domain controller. However, you can use Local Users and Groups on a domain controller to target remote computers that aren't domain controllers on the network. > [!NOTE] -> You use Active Directory Users and Computers to manage users and groups in Active Directory. +> You use Active Directory Users and Computers to manage users and groups in Active Directory. You can also manage local users by using NET.EXE USER and manage local groups by using NET.EXE LOCALGROUP, or by using various PowerShell cmdlets and other scripting technologies. -### Restrict and protect local accounts with administrative rights +### Restrict and protect local accounts with administrative rights An administrator can use many approaches to prevent malicious users from using stolen credentials such as a stolen password or password hash, for a local account on one computer from being used to authenticate on another computer with administrative rights. This is also called "lateral movement". @@ -220,22 +206,20 @@ The simplest approach is to sign in to your computer with a standard user accoun The other approaches that can be used to restrict and protect user accounts with administrative rights include: -- Enforce local account restrictions for remote access. +- Enforce local account restrictions for remote access. -- Deny network logon to all local Administrator accounts. +- Deny network logon to all local Administrator accounts. -- Create unique passwords for local accounts with administrative rights. +- Create unique passwords for local accounts with administrative rights. Each of these approaches is described in the following sections. > [!NOTE] > These approaches do not apply if all administrative local accounts are disabled. - +### Enforce local account restrictions for remote access -### Enforce local account restrictions for remote access - -The User Account Control (UAC) is a security feature in Windows that has been in use in Windows Server 2008 and in Windows Vista, and the operating systems to which the **Applies To** list refers. UAC enables you to stay in control of your computer by informing you when a program makes a change that requires administrator-level permission. UAC works by adjusting the permission level of your user account. By default, UAC is set to notify you when applications try to make changes to your computer, but you can change how often UAC notifies you. +User Account Control (UAC) is a security feature that informs you when a program makes a change that requires administrative permissions. UAC works by adjusting the permission level of your user account. By default, UAC is set to notify you when applications try to make changes to your computer, but you can change when UAC notifies you. UAC makes it possible for an account with administrative rights to be treated as a standard user non-administrator account until full rights, also called elevation, is requested and approved. For example, UAC lets an administrator enter credentials during a non-administrator's user session to perform occasional administrative tasks without having to switch users, sign out, or use the **Run as** command. @@ -267,79 +251,45 @@ The following table shows the Group Policy and registry settings that are used t #### To enforce local account restrictions for remote access -1. Start the **Group Policy Management** Console (GPMC). +1. Start the **Group Policy Management** Console (GPMC) +1. In the console tree, expand <*Forest*>\\Domains\\<*Domain*>, and then **Group Policy Objects** where *forest* is the name of the forest, and *domain* is the name of the domain where you want to set the Group Policy Object (GPO) +1. In the console tree, right-click **Group Policy Objects > New** +1. In the **New GPO** dialog box, type <**gpo\_name**>, and > **OK** where *gpo\_name* is the name of the new GPO. The GPO name indicates that the GPO is used to restrict local administrator rights from being carried over to another computer +1. In the details pane, right-click <**gpo\_name**>, and > **Edit** +1. Ensure that UAC is enabled and that UAC restrictions apply to the default Administrator account by following these steps: -2. In the console tree, expand <*Forest*>\\Domains\\<*Domain*>, and then **Group Policy Objects** where *forest* is the name of the forest, and *domain* is the name of the domain where you want to set the Group Policy Object (GPO). + - Navigate to the Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\, and > **Security Options** + - Double-click **User Account Control: Run all administrators in Admin Approval Mode** > **Enabled** > **OK** + - Double-click **User Account Control: Admin Approval Mode for the Built-in Administrator account** > **Enabled** > **OK** -3. In the console tree, right-click **Group Policy Objects**, and > **New**. +1. Ensure that the local account restrictions are applied to network interfaces by following these steps: - ![local accounts 1.](images/localaccounts-proc1-sample1.png) + - Navigate to *Computer Configuration\Preferences and Windows Settings*, and > **Registry** + - Right-click **Registry**, and > **New** > **Registry Item** + - In the **New Registry Properties** dialog box, on the **General** tab, change the setting in the **Action** box to **Replace** + - Ensure that the **Hive** box is set to **HKEY_LOCAL_MACHINE** + - Select (**…**), browse to the following location for **Key Path** > **Select** for: `SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System` + - In the **Value name** area, type `LocalAccountTokenFilterPolicy` + - In the **Value type** box, from the drop-down list, select **REG_DWORD** to change the value + - In the **Value data** box, ensure that the value is set to **0** + - Verify this configuration, and > **OK** -4. In the **New GPO** dialog box, type <**gpo\_name**>, and > **OK** where *gpo\_name* is the name of the new GPO. The GPO name indicates that the GPO is used to restrict local administrator rights from being carried over to another computer. +1. Link the GPO to the first **Workstations** organizational unit (OU) by doing the following: - ![local accounts 2.](images/localaccounts-proc1-sample2.png) + - Navigate to the `*Forest*\\*Domain*\*OU*` path + - Right-click the **Workstations > Link an existing GPO** + - Select the GPO that you created, and > **OK** -5. In the details pane, right-click <**gpo\_name**>, and > **Edit**. - - ![local accounts 3.](images/localaccounts-proc1-sample3.png) - -6. Ensure that UAC is enabled and that UAC restrictions apply to the default Administrator account by following these steps: - - 1. Navigate to the Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\, and > **Security Options**. - - 2. Double-click **User Account Control: Run all administrators in Admin Approval Mode** > **Enabled** > **OK**. - - 3. Double-click **User Account Control: Admin Approval Mode for the Built-in Administrator account** > **Enabled** > **OK**. - -7. Ensure that the local account restrictions are applied to network interfaces by following these steps: - - 1. Navigate to Computer Configuration\\Preferences and Windows Settings, and > **Registry**. - - 2. Right-click **Registry**, and > **New** > **Registry Item**. - - ![local accounts 4.](images/localaccounts-proc1-sample4.png) - - 3. In the **New Registry Properties** dialog box, on the **General** tab, change the setting in the **Action** box to **Replace**. - - 4. Ensure that the **Hive** box is set to **HKEY\_LOCAL\_MACHINE**. - - 5. Select (**…**), browse to the following location for **Key Path** > **Select** for: **SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System**. - - 6. In the **Value name** area, type **LocalAccountTokenFilterPolicy**. - - 7. In the **Value type** box, from the drop-down list, select **REG\_DWORD** to change the value. - - 8. In the **Value data** box, ensure that the value is set to **0**. - - 9. Verify this configuration, and > **OK**. - - ![local accounts 5.](images/localaccounts-proc1-sample5.png) - -8. Link the GPO to the first **Workstations** organizational unit (OU) by doing the following: - - 1. Navigate to the <*Forest*>\\Domains\\<*Domain*>\\OU path. - - 2. Right-click the **Workstations** OU, and > **Link an existing GPO**. - - ![local accounts 6.](images/localaccounts-proc1-sample6.png) - - 3. Select the GPO that you created, and > **OK**. - -9. Test the functionality of enterprise applications on the workstations in that first OU and resolve any issues caused by the new policy. - -10. Create links to all other OUs that contain workstations. - -11. Create links to all other OUs that contain servers. - -### Deny network logon to all local Administrator accounts +1. Test the functionality of enterprise applications on the workstations in that first OU and resolve any issues caused by the new policy +1. Create links to all other OUs that contain workstations +1. Create links to all other OUs that contain servers +### Deny network logon to all local Administrator accounts Denying local accounts the ability to perform network logons can help prevent a local account password hash from being reused in a malicious attack. This procedure helps to prevent lateral movement by ensuring that stolen credentials for local accounts from a compromised operating system can't be used to compromise other computers that use the same credentials. > [!NOTE] > To perform this procedure, you must first identify the name of the local, default Administrator account, which might not be the default user name "Administrator", and any other accounts that are members of the local Administrators group. - - The following table shows the Group Policy settings that are used to deny network logon for all local Administrator accounts. |No.|Setting|Detailed Description| @@ -353,55 +303,33 @@ The following table shows the Group Policy settings that are used to deny networ #### To deny network logon to all local administrator accounts -1. Start the **Group Policy Management** Console (GPMC). +1. Start the **Group Policy Management** Console (GPMC) +1. In the console tree, expand <*Forest*>\\Domains\\<*Domain*>, and then **Group Policy Objects**, where *forest* is the name of the forest, and *domain* is the name of the domain where you want to set the Group Policy Object (GPO) +1. In the console tree, right-click **Group Policy Objects**, and > **New** +1. In the **New GPO** dialog box, type <**gpo\_name**>, and then > **OK** where *gpo\_name* is the name of the new GPO indicates that it's being used to restrict the local administrative accounts from interactively signing in to the computer +1. In the details pane, right-click <**gpo\_name**>, and > **Edit** +1. Configure the user rights to deny network logons for administrative local accounts as follows: +1. Navigate to the Computer Configuration\\Windows Settings\\Security Settings\\, and > **User Rights Assignment** +1. Double-click **Deny access to this computer from the network** +1. Select **Add User or Group**, type **Local account and member of Administrators group**, and > **OK** +1. Configure the user rights to deny Remote Desktop (Remote Interactive) logons for administrative local accounts as follows: +1. Navigate to Computer Configuration\\Policies\\Windows Settings and Local Policies, and then select **User Rights Assignment** +1. Double-click **Deny log on through Remote Desktop Services** +1. Select **Add User or Group**, type **Local account and member of Administrators group**, and > **OK** +1. Link the GPO to the first **Workstations** OU as follows: -2. In the console tree, expand <*Forest*>\\Domains\\<*Domain*>, and then **Group Policy Objects**, where *forest* is the name of the forest, and *domain* is the name of the domain where you want to set the Group Policy Object (GPO). + - Navigate to the <*Forest*>\\Domains\\<*Domain*>\\OU path + - Right-click the **Workstations** OU, and > **Link an existing GPO** + - Select the GPO that you created, and > **OK** -3. In the console tree, right-click **Group Policy Objects**, and > **New**. +1. Test the functionality of enterprise applications on the workstations in that first OU and resolve any issues caused by the new policy +1. Create links to all other OUs that contain workstations +1. Create links to all other OUs that contain servers -4. In the **New GPO** dialog box, type <**gpo\_name**>, and then > **OK** where *gpo\_name* is the name of the new GPO indicates that it's being used to restrict the local administrative accounts from interactively signing in to the computer. +> [!NOTE] +> You might have to create a separate GPO if the user name of the default Administrator account is different on workstations and servers. - ![local accounts 7.](images/localaccounts-proc2-sample1.png) - -5. In the details pane, right-click <**gpo\_name**>, and > **Edit**. - - ![local accounts 8.](images/localaccounts-proc2-sample2.png) - -6. Configure the user rights to deny network logons for administrative local accounts as follows: - - 1. Navigate to the Computer Configuration\\Windows Settings\\Security Settings\\, and > **User Rights Assignment**. - - 2. Double-click **Deny access to this computer from the network**. - - 3. Select **Add User or Group**, type **Local account and member of Administrators group**, and > **OK**. - -7. Configure the user rights to deny Remote Desktop (Remote Interactive) logons for administrative local accounts as follows: - - 1. Navigate to Computer Configuration\\Policies\\Windows Settings and Local Policies, and then select **User Rights Assignment**. - - 2. Double-click **Deny log on through Remote Desktop Services**. - - 3. Select **Add User or Group**, type **Local account and member of Administrators group**, and > **OK**. - -8. Link the GPO to the first **Workstations** OU as follows: - - 1. Navigate to the <*Forest*>\\Domains\\<*Domain*>\\OU path. - - 2. Right-click the **Workstations** OU, and > **Link an existing GPO**. - - 3. Select the GPO that you created, and > **OK**. - -9. Test the functionality of enterprise applications on the workstations in that first OU and resolve any issues caused by the new policy. - -10. Create links to all other OUs that contain workstations. - -11. Create links to all other OUs that contain servers. - - > [!NOTE] - > You might have to create a separate GPO if the user name of the default Administrator account is different on workstations and servers. - - -### Create unique passwords for local accounts with administrative rights +### Create unique passwords for local accounts with administrative rights Passwords should be unique per individual account. While it's true for individual user accounts, many enterprises have identical passwords for common local accounts, such as the default Administrator account. This also occurs when the same passwords are used for local accounts during operating system deployments. @@ -409,19 +337,6 @@ Passwords that are left unchanged or changed synchronously to keep them identica Passwords can be randomized by: -- Purchasing and implementing an enterprise tool to accomplish this task. These tools are commonly referred to as "privileged password management" tools. - -- Configuring [Local Administrator Password Solution (LAPS)](https://www.microsoft.com/download/details.aspx?id=46899) to accomplish this task. - -- Creating and implementing a custom script or solution to randomize local account passwords. - -## See also - - -The following resources provide additional information about technologies that are related to local accounts. - -- [Security Principals](security-principals.md) - -- [Security Identifiers](security-identifiers.md) - -- [Access Control Overview](access-control.md) +- Purchasing and implementing an enterprise tool to accomplish this task. These tools are commonly referred to as "privileged password management" tools +- Configuring [Local Administrator Password Solution (LAPS)](/windows-server/identity/laps/laps-overview) to accomplish this task +- Creating and implementing a custom script or solution to randomize local account passwords diff --git a/windows/security/identity-protection/configure-s-mime.md b/windows/security/identity-protection/configure-s-mime.md index bb3788ad3c..e7d4d83f53 100644 --- a/windows/security/identity-protection/configure-s-mime.md +++ b/windows/security/identity-protection/configure-s-mime.md @@ -5,13 +5,13 @@ ms.prod: windows-client author: paolomatarazzo ms.author: paoloma manager: aaroncz -ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.date: 07/27/2017 appliesto: - ✅ Windows 10 - ✅ Windows 11 +ms.technology: itpro-security --- diff --git a/windows/security/identity-protection/credential-guard/additional-mitigations.md b/windows/security/identity-protection/credential-guard/additional-mitigations.md index 91ab852722..c8ed1adc92 100644 --- a/windows/security/identity-protection/credential-guard/additional-mitigations.md +++ b/windows/security/identity-protection/credential-guard/additional-mitigations.md @@ -1,15 +1,11 @@ --- title: Additional mitigations description: Advice and sample code for making your domain environment more secure and robust with Windows Defender Credential Guard. -ms.prod: windows-client -ms.localizationpriority: medium -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: erikdau -manager: aaroncz -ms.collection: M365-identity-device-management -ms.topic: article ms.date: 08/17/2017 +ms.topic: article +appliesto: +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later --- # Additional mitigations @@ -26,21 +22,21 @@ Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring, **To enable Kerberos armoring for restricting domain users to specific domain-joined devices** -- Users need to be in domains that are running Windows Server 2012 R2 or higher -- All the domain controllers in these domains must be configured to support Kerberos armoring. Set the **KDC support for claims, compound authentication, and Kerberos armoring** Group Policy setting to either **Supported** or **Always provide claims**. -- All the devices with Windows Defender Credential Guard that the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -> **Administrative Templates** -> **System** -> **Kerberos**. +- Users need to be in domains that are running Windows Server 2012 R2 or higher +- All the domain controllers in these domains must be configured to support Kerberos armoring. Set the **KDC support for claims, compound authentication, and Kerberos armoring** Group Policy setting to either **Supported** or **Always provide claims**. +- All the devices with Windows Defender Credential Guard that the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -> **Administrative Templates** -> **System** -> **Kerberos**. ### Protecting domain-joined device secrets Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Windows Defender Credential Guard, the private key can be protected. Then authentication policies can require that users sign on to devices that authenticate using those certificates. This prevents shared secrets stolen from the device to be used with stolen user credentials to sign on as the user. Domain-joined device certificate authentication has the following requirements: -- Devices' accounts are in Windows Server 2012 domain functional level or higher. -- All domain controllers in those domains have KDC certificates which satisfy strict KDC validation certificate requirements: - - KDC EKU present - - DNS domain name matches the DNSName field of the SubjectAltName (SAN) extension -- Windows devices have the CA issuing the domain controller certificates in the enterprise store. -- A process is established to ensure the identity and trustworthiness of the device in a similar manner as you would establish the identity and trustworthiness of a user before issuing them a smartcard. +- Devices' accounts are in Windows Server 2012 domain functional level or higher. +- All domain controllers in those domains have KDC certificates which satisfy strict KDC validation certificate requirements: + - KDC EKU present + - DNS domain name matches the DNSName field of the SubjectAltName (SAN) extension +- Windows devices have the CA issuing the domain controller certificates in the enterprise store. +- A process is established to ensure the identity and trustworthiness of the device in a similar manner as you would establish the identity and trustworthiness of a user before issuing them a smartcard. #### Deploying domain-joined device certificates @@ -73,54 +69,54 @@ CertReq -EnrollCredGuardCert MachineAuthentication > [!NOTE] > You must restart the device after enrolling the machine authentication certificate. -  + #### How a certificate issuance policy can be used for access control Beginning with the Windows Server 2008 R2 domain functional level, domain controllers support for authentication mechanism assurance provides a way to map certificate issuance policy OIDs to universal security groups. Windows Server 2012 domain controllers with claim support can map them to claims. To learn more about authentication mechanism assurance, see [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd378897(v=ws.10)) on TechNet. **To see the issuance policies available** -- The [get-IssuancePolicy.ps1](#bkmk-getscript) shows all of the issuance policies that are available on the certificate authority. - From a Windows PowerShell command prompt, run the following command: +- The [get-IssuancePolicy.ps1](#bkmk-getscript) shows all of the issuance policies that are available on the certificate authority.\ +From a Windows PowerShell command prompt, run the following command: - ```powershell - .\get-IssuancePolicy.ps1 –LinkedToGroup:All - ``` +```powershell +.\get-IssuancePolicy.ps1 -LinkedToGroup:All +``` **To link an issuance policy to a universal security group** -- The [set-IssuancePolicyToGroupLink.ps1](#bkmk-setscript) creates a Universal security group, creates an organizational unit, and links the issuance policy to that Universal security group. - From a Windows PowerShell command prompt, run the following command: +- The [set-IssuancePolicyToGroupLink.ps1](#bkmk-setscript) creates a Universal security group, creates an organizational unit, and links the issuance policy to that Universal security group.\ +From a Windows PowerShell command prompt, run the following command: - ```powershell - .\set-IssuancePolicyToGroupLink.ps1 –IssuancePolicyName:"" –groupOU:"" –groupName:”" - ``` +```powershell +.\set-IssuancePolicyToGroupLink.ps1 -IssuancePolicyName:"" -groupOU:"" -groupName:"" +``` ### Restricting user sign-on So we now have completed the following: -- Created a special certificate issuance policy to identify devices that meet the deployment criteria required for the user to be able to sign on -- Mapped that policy to a universal security group or claim -- Provided a way for domain controllers to get the device authorization data during user sign-on using Kerberos armoring. Now what is left to do is to configure the access check on the domain controllers. This is done using authentication policies. +- Created a special certificate issuance policy to identify devices that meet the deployment criteria required for the user to be able to sign on +- Mapped that policy to a universal security group or claim +- Provided a way for domain controllers to get the device authorization data during user sign-on using Kerberos armoring. Now what is left to do is to configure the access check on the domain controllers. This is done using authentication policies. Authentication policies have the following requirements: -- User accounts are in a Windows Server 2012 domain functional level or higher domain. +- User accounts are in a Windows Server 2012 domain functional level or higher domain. **Creating an authentication policy restricting users to the specific universal security group** -1. Open Active Directory Administrative Center. -2. Click **Authentication**, click **New**, and then click **Authentication Policy**. -3. In the **Display name** box, enter a name for this authentication policy. -4. Under the **Accounts** heading, click **Add**. -5. In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the user account you wish to restrict, and then click **OK**. -6. Under the **User Sign On** heading, click the **Edit** button. -7. Click **Add a condition**. -8. In the **Edit Access Control Conditions** box, ensure that it reads **User** > **Group** > **Member of each** > **Value**, and then click **Add items**. -9. In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the universal security group that you created with the set-IssuancePolicyToGroupLink script, and then click **OK**. -10. Click **OK** to close the **Edit Access Control Conditions** box. -11. Click **OK** to create the authentication policy. -12. Close Active Directory Administrative Center. +1. Open Active Directory Administrative Center. +1. Click **Authentication**, click **New**, and then click **Authentication Policy**. +1. In the **Display name** box, enter a name for this authentication policy. +1. Under the **Accounts** heading, click **Add**. +1. In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the user account you wish to restrict, and then click **OK**. +1. Under the **User Sign On** heading, click the **Edit** button. +1. Click **Add a condition**. +1. In the **Edit Access Control Conditions** box, ensure that it reads **User** > **Group** > **Member of each** > **Value**, and then click **Add items**. +1. In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the universal security group that you created with the set-IssuancePolicyToGroupLink script, and then click **OK**. +1. Click **OK** to close the **Edit Access Control Conditions** box. +1. Click **OK** to create the authentication policy. +1. Close Active Directory Administrative Center. > [!NOTE] > When the authentication policy enforces policy restrictions, users will not be able to sign on using devices that do not have a certificate with the appropriate issuance policy deployed. This applies to both local and remote sign on scenarios. Therefore, it is strongly recommended to first only audit policy restrictions to ensure you don't have unexpected failures. @@ -325,7 +321,7 @@ write-host "There are no issuance policies which are not mapped to groups" ``` > [!NOTE] > If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter. -  + ### Link an issuance policy to a group Save the script file as set-IssuancePolicyToGroupLink.ps1. @@ -606,4 +602,4 @@ write-host $tmp -Foreground Red ``` > [!NOTE] -> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter. \ No newline at end of file +> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter. diff --git a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md index 84f85e1113..5714236fec 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md @@ -1,21 +1,11 @@ --- -title: Advice while using Windows Defender Credential Guard (Windows) +title: Considerations when using Windows Defender Credential Guard description: Considerations and recommendations for certain scenarios when using Windows Defender Credential Guard in Windows. -ms.prod: windows-client -ms.localizationpriority: medium -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: erikdau -manager: aaroncz -ms.collection: M365-identity-device-management -ms.topic: article ms.date: 08/31/2017 +ms.topic: article appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 - - ✅ Windows Server 2019 - - ✅ Windows Server 2022 +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later --- # Considerations when using Windows Defender Credential Guard @@ -25,6 +15,7 @@ Passwords are still weak. We recommend that in addition to deploying Windows Def Windows Defender Credential Guard uses hardware security, so some features such as Windows To Go, aren't supported. ## Wi-fi and VPN Considerations + When you enable Windows Defender Credential Guard, you can no longer use NTLM classic authentication for Single Sign-On. You'll be forced to enter your credentials to use these protocols and can't save the credentials for future use. If you're using WiFi and VPN endpoints that are based on MS-CHAPv2, they're subject to similar attacks as for NTLMv1. For WiFi and VPN connections, Microsoft recommends that organizations move from MSCHAPv2-based connections such as PEAP-MSCHAPv2 and EAP-MSCHAPv2, to certificate-based authentication such as PEAP-TLS or EAP-TLS. ## Kerberos Considerations @@ -32,19 +23,25 @@ When you enable Windows Defender Credential Guard, you can no longer use NTLM cl When you enable Windows Defender Credential Guard, you can no longer use Kerberos unconstrained delegation or DES encryption. Unconstrained delegation could allow attackers to extract Kerberos keys from the isolated LSA process. Use constrained or resource-based Kerberos delegation instead. ## 3rd Party Security Support Providers Considerations + Some 3rd party Security Support Providers (SSPs and APs) might not be compatible with Windows Defender Credential Guard because it doesn't allow third-party SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. Any use of undocumented APIs within custom SSPs and APs aren't supported. We recommend that custom implementations of SSPs/APs are tested with Windows Defender Credential Guard. SSPs and APs that depend on any undocumented or unsupported behaviors fail. For example, using the KerbQuerySupplementalCredentialsMessage API isn't supported. Replacing the NTLM or Kerberos SSPs with custom SSPs and APs. For more info, see [Restrictions around Registering and Installing a Security Package](/windows/win32/secauthn/restrictions-around-registering-and-installing-a-security-package) on MSDN. ## Upgrade Considerations + As the depth and breadth of protections provided by Windows Defender Credential Guard are increased, subsequent releases of Windows 10 with Windows Defender Credential Guard running may impact scenarios that were working in the past. For example, Windows Defender Credential Guard may block the use of a particular type of credential or a particular component to prevent malware from taking advantage of vulnerabilities. Test scenarios required for operations in an organization before upgrading a device using Windows Defender Credential Guard. ### Saved Windows Credentials Protected -Starting with Windows 10, version 1511, domain credentials that are stored with Credential Manager are protected with Windows Defender Credential Guard. Credential Manager allows you to store three types of credentials: Windows credentials, certificate-based credentials, and generic credentials. Generic credentials such as user names and passwords that you use to log on to websites aren't protected since the applications require your cleartext password. If the application doesn't need a copy of the password, they can save domain credentials as Windows credentials that are protected. Windows credentials are used to connect to other computers on a network. The following considerations apply to the Windows Defender Credential Guard protections for Credential Manager: +Starting with Windows 10, version 1511, domain credentials that are stored with Credential Manager are protected with Windows Defender Credential Guard. Credential Manager allows you to store three types of credentials: Windows credentials, certificate-based credentials, and generic credentials. Generic credentials such as user names and passwords that you use to log on to websites aren't protected since the applications require your cleartext password. If the application doesn't need a copy of the password, they can save domain credentials as Windows credentials that are protected. Windows credentials are used to connect to other computers on a network. + +The following considerations apply to the Windows Defender Credential Guard protections for Credential Manager: + * Windows credentials saved by Remote Desktop Client can't be sent to a remote host. Attempts to use saved Windows credentials fail, displaying the error message "Logon attempt failed." * Applications that extract Windows credentials fail. * When credentials are backed up from a PC that has Windows Defender Credential Guard enabled, the Windows credentials can't be restored. If you need to back up your credentials, you must do this before you enable Windows Defender Credential Guard. Otherwise, you can't restore those credentials. ## Clearing TPM Considerations + Virtualization-based Security (VBS) uses the TPM to protect its key. So when the TPM is cleared then the TPM protected key used to encrypt VBS secrets is lost. >[!WARNING] @@ -57,9 +54,11 @@ As a result Credential Guard can no longer decrypt protected data. VBS creates a > Credential Guard obtains the key during initialization. So the data loss will only impact persistent data and occur after the next system startup. ### Windows credentials saved to Credential Manager + Since Credential Manager can't decrypt saved Windows Credentials, they're deleted. Applications should prompt for credentials that were previously saved. If saved again, then Windows credentials are protected Credential Guard. ### Domain-joined device’s automatically provisioned public key + Beginning with Windows 10 and Windows Server 2016, domain-devices automatically provision a bound public key, for more information about automatic public key provisioning, see [Domain-joined Device Public Key Authentication](/windows-server/security/kerberos/domain-joined-device-public-key-authentication). Since Credential Guard can't decrypt the protected private key, Windows uses the domain-joined computer's password for authentication to the domain. Unless additional policies are deployed, there should not be a loss of functionality. If a device is configured to only use public key, then it can't authenticate with password until that policy is disabled. For more information on Configuring devices to only use public key, see [Domain-joined Device Public Key Authentication](/windows-server/security/kerberos/domain-joined-device-public-key-authentication). @@ -67,6 +66,7 @@ Since Credential Guard can't decrypt the protected private key, Windows uses the Also if any access control checks including authentication policies require devices to have either the KEY TRUST IDENTITY (S-1-18-4) or FRESH PUBLIC KEY IDENTITY (S-1-18-3) well-known SIDs, then those access checks fail. For more information about authentication policies, see [Authentication Policies and Authentication Policy Silos](/windows-server/security/credentials-protection-and-management/authentication-policies-and-authentication-policy-silos). For more information about well-known SIDs, see [[MS-DTYP] Section 2.4.2.4 Well-known SID Structures](/openspecs/windows_protocols/ms-dtyp/81d92bba-d22b-4a8c-908a-554ab29148ab). ### Breaking DPAPI on domain-joined devices + On domain-joined devices, DPAPI can recover user keys using a domain controller from the user's domain. If a domain-joined device has no connectivity to a domain controller, then recovery isn't possible. >[!IMPORTANT] @@ -87,6 +87,7 @@ Domain user sign-in on a domain-joined device after clearing a TPM for as long a Once the device has connectivity to the domain controllers, DPAPI recovers the user's key and data protected prior to clearing the TPM can be decrypted. #### Impact of DPAPI failures on Windows Information Protection + When data protected with user DPAPI is unusable, then the user loses access to all work data protected by Windows Information Protection. The impact includes: Outlook 2016 is unable to start and work protected documents can't be opened. If DPAPI is working, then newly created work data is protected and can be accessed. **Workaround:** Users can resolve the problem by connecting their device to the domain and rebooting or using their Encrypting File System Data Recovery Agent certificate. For more information about Encrypting File System Data Recovery Agent certificate, see [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate). @@ -94,6 +95,4 @@ When data protected with user DPAPI is unusable, then the user loses access to a ## See also -**Related videos** - -[What is virtualization-based security?](https://www.linkedin.com/learning/microsoft-cybersecurity-stack-advanced-identity-and-endpoint-protection/what-is-virtualization-based-security) \ No newline at end of file +- [What is virtualization-based security?](https://www.linkedin.com/learning/microsoft-cybersecurity-stack-advanced-identity-and-endpoint-protection/what-is-virtualization-based-security) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md b/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md index c170a5c421..c9ed9e42c7 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md @@ -1,21 +1,11 @@ --- title: How Windows Defender Credential Guard works description: Learn how Windows Defender Credential Guard uses virtualization to protect secrets, so that only privileged system software can access them. -ms.prod: windows-client -ms.localizationpriority: medium -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: erikdau -manager: aaroncz -ms.collection: M365-identity-device-management -ms.topic: article ms.date: 08/17/2017 +ms.topic: conceptual appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 - - ✅ Windows Server 2019 - - ✅ Windows Server 2022 +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later --- # How Windows Defender Credential Guard works diff --git a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md index f979b9c441..07d9647887 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md @@ -1,65 +1,68 @@ --- -title: Windows Defender Credential Guard - Known issues (Windows) +title: Windows Defender Credential Guard - Known issues description: Windows Defender Credential Guard - Known issues in Windows Enterprise -ms.prod: windows-client -ms.localizationpriority: medium -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: erikdau -manager: aaroncz -ms.collection: M365-identity-device-management ms.topic: article -ms.date: 01/26/2022 +ms.date: 11/28/2022 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 - - ✅ Windows Server 2019 - - ✅ Windows Server 2022 +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later --- # Windows Defender Credential Guard: Known issues Windows Defender Credential Guard has certain application requirements. Windows Defender Credential Guard blocks specific authentication capabilities. So applications that require such capabilities won't function when it's enabled. For more information, see [Application requirements](credential-guard-requirements.md#application-requirements). -The following known issues have been fixed in the [Cumulative Security Update for November 2017](https://support.microsoft.com/topic/november-27-2017-kb4051033-os-build-14393-1914-447b6b88-e75d-0a24-9ab9-5dcda687aaf4): +## Known Issue: Single Sign-On (SSO) for Network services breaks after upgrading to **Windows 11, version 22H2** -- Scheduled tasks with domain user-stored credentials fail to run when Credential Guard is enabled. The task fails and reports Event ID 104 with the following message: +### Symptoms of the issue: +Devices that use 802.1x wireless or wired network, RDP, or VPN connections that rely on insecure protocols with password-based authentication will be unable to use SSO to log in and will be forced to manually re-authenticate in every new Windows session when Windows Defender Credential Guard is running. - ```console - Task Scheduler failed to log on '\Test'. - Failure occurred in 'LogonUserExEx'. - User Action: Ensure the credentials for the task are correctly specified. - Additional Data: Error Value: 2147943726. 2147943726: ERROR\_LOGON\_FAILURE (The user name or password is incorrect). - ``` +### Affected devices: +Any device that enables Windows Defender Credential Guard may encounter this issue. As part of the Windows 11, version 22H2 update, eligible devices which had not previously explicitly disabled Windows Defender Credential Guard had it enabled by default. This affected all devices on Enterprise (E3 and E5) and Education licenses, as well as some Pro licenses*, as long as they met the [minimum hardware requirements](credential-guard-requirements.md#hardware-and-software-requirements). + +\* All Pro devices which previously ran Windows Defender Credential Guard on an eligible license and later downgraded to Pro, and which still meet the [minimum hardware requirements](credential-guard-requirements.md#hardware-and-software-requirements), will receive default enablement. -- When you enable NTLM audit on the domain controller, an Event ID 8004 with an indecipherable username format is logged. You also get a similar user name in a user logon failure event 4625 with error 0xC0000064 on the machine itself. For example: +> [!TIP] +> To determine if your Pro device will receive default enablement when upgraded to **Windows 11, version 22H2**, do the following **before** upgrading: +> Check if the registry key `IsolatedCredentialsRootSecret` is present in `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0`. If it is present, the device will have Windows Defender Credential Guard enabled after upgrading. Note that Windows Defender Credential Guard can be disabled after upgrade by following the [disablement instructions](credential-guard-manage.md#disable-windows-defender-credential-guard). - ```console - Log Name: Microsoft-Windows-NTLM/Operational - Source: Microsoft-Windows-Security-Netlogon - Event ID: 8004 - Task Category: Auditing NTLM - Level: Information - Description: - Domain Controller Blocked Audit: Audit NTLM authentication to this domain controller. - Secure Channel name: - User name: - @@CyBAAAAUBQYAMHArBwUAMGAoBQZAQGA1BAbAUGAyBgOAQFAhBwcAsGA6AweAgDA2AQQAMEAwAANAgDA1AQLAIEADBQRAADAtAANAYEA1AwQA0CA5AAOAMEAyAQLAYDAxAwQAEDAEBwMAMEAwAgMAMDACBgRA0HA - Domain name: NULL - ``` +### Why this is happening: +Applications and services are affected by this issue when they rely on insecure protocols that use password-based authentication. Windows Defender Credential Guard blocks the use of these insecure protocols by design. These protocols are considered insecure because they can lead to password disclosure on the client and the server, which is in direct contradiction to the goals of Windows Defender Credential Guard. Affected procols include: + - Kerberos unconstrained delegation (both SSO and supplied credentials are blocked) + - Kerberos when PKINIT uses RSA encryption instead of Diffie-Hellman (both SSO and supplied credentials are blocked) + - MS-CHAP (only SSO is blocked) + - WDigest (only SSO is blocked) + - NTLM v1 (only SSO is blocked) + +Since only SSO is blocked for MS-CHAP, WDigest, and NTLM v1, these protocols can still be used by prompting the user to supply credentials. - - This event stems from a scheduled task running under local user context with the [Cumulative Security Update for November 2017](https://support.microsoft.com/topic/november-27-2017-kb4051033-os-build-14393-1914-447b6b88-e75d-0a24-9ab9-5dcda687aaf4) or later and happens when Credential Guard is enabled. - - The username appears in an unusual format because local accounts aren't protected by Credential Guard. The task also fails to execute. - - As a workaround, run the scheduled task under a domain user or the computer's SYSTEM account. +> [!NOTE] +> MS-CHAP and NTLMv1 are particularly relevant to the observed SSO breakage after the Windows 11, version 22H2 update. To confirm whether Windows Defender Credential Guard is blocking either of these protocols, check the NTLM event logs in Event Viewer at `Application and Services Logs\Microsoft\Windows\NTLM\Operational` for the following warning and/or error: + > + > **Event ID 4013** (Warning) + > ``` + > id="NTLMv1BlockedByCredGuard" + > value="Attempt to use NTLMv1 failed. + > Target server: %1%nSupplied user: %2%nSupplied domain: %3%nPID of client process: %4%nName of client process: %5%nLUID of client process: %6%nUser identity of client process: %7%nDomain name of user identity of client process: %8%nMechanism OID: %9%n%nThis device does not support NTLMv1. For more information, see https://go.microsoft.com/fwlink/?linkid=856826." + > /> + > ``` + > + > **Event ID 4014** (Error) + > ``` + > id="NTLMGetCredentialKeyBlockedByCredGuard" + > value="Attempt to get credential key by call package blocked by Credential Guard.%n%nCalling Process Name: %1%nService Host Tag: %2" + > /> + > ``` -The following known issues have been fixed by servicing releases made available in the Cumulative Security Updates for April 2017: +### Options to fix the issue: -- [KB4015217 Windows Defender Credential Guard generates double bad password count on Active Directory domain-joined Windows machines](https://support.microsoft.com/topic/april-11-2017-kb4015217-os-build-14393-1066-and-14393-1083-b5f79067-98bd-b4ec-8b81-5d858d7dc722) +Microsoft recommends that organizations move away from MSCHAPv2-based connections such as PEAP-MSCHAPv2 and EAP-MSCHAPv2, to certificate-based authentication such as PEAP-TLS or EAP-TLS. Windows Defender Credential Guard will not block certificate-based authentication. - This issue can potentially lead to unexpected account lockouts. For more information, see the following support articles: +For a more immediate but less secure fix, [disable Windows Defender Credential Guard](credential-guard-manage.md#disable-windows-defender-credential-guard). Note that Windows Defender Credential Guard does not have per-protocol or per-application policies, and must either be completely on or off. Disabling Windows Defender Credential Guard will leave some stored domain credentials vulnerable to theft. Windows Defender Credential Guard can be disabled after it has already been enabled, or it can be explicitly disabled prior to updating to Windows 11, version 22H2, which will prevent default enablement from occurring. - - [KB4015219](https://support.microsoft.com/topic/april-11-2017-kb4015219-os-build-10586-873-68b8e379-aafa-ea6c-6b29-56d19785e657) - - [KB4015221](https://support.microsoft.com/topic/april-11-2017-kb4015221-os-build-10240-17354-743f52bc-a484-d23f-71f5-b9957cbae0e6) +> [!TIP] +> To _prevent_ default enablement, [use Group Policy to explicitly disable Windows Defender Credential Guard](credential-guard-manage.md#disabling-windows-defender-credential-guard-using-group-policy) before updating to Windows 11, version 22H2. If the GPO value is not configured (which is the default state), the device will receive default enablement after updating, if eligible. If the GPO value is set to "disabled", it will not be enabled after updating. This process can also be done via Mobile Device Management (MDM) policy rather than Group Policy if the devices are currently being managed by MDM. ## Known issues involving third-party applications @@ -111,3 +114,45 @@ Windows Defender Credential Guard isn't supported by the following products, pro This list isn't comprehensive. Check whether your product vendor, product version, or computer system supports Windows Defender Credential Guard on systems that run Windows or specific versions of Windows. Specific computer system models may be incompatible with Windows Defender Credential Guard. Microsoft encourages third-party vendors to contribute to this page by providing relevant product support information and by adding links to their own product support statements. + +## Previous known issues that have been fixed + +The following known issues have been fixed in the [Cumulative Security Update for November 2017](https://support.microsoft.com/topic/november-27-2017-kb4051033-os-build-14393-1914-447b6b88-e75d-0a24-9ab9-5dcda687aaf4): + +- Scheduled tasks with domain user-stored credentials fail to run when Credential Guard is enabled. The task fails and reports Event ID 104 with the following message: + + ```console + Task Scheduler failed to log on '\Test'. + Failure occurred in 'LogonUserExEx'. + User Action: Ensure the credentials for the task are correctly specified. + Additional Data: Error Value: 2147943726. 2147943726: ERROR\_LOGON\_FAILURE (The user name or password is incorrect). + ``` + +- When you enable NTLM audit on the domain controller, an Event ID 8004 with an indecipherable username format is logged. You also get a similar user name in a user logon failure event 4625 with error 0xC0000064 on the machine itself. For example: + + ```console + Log Name: Microsoft-Windows-NTLM/Operational + Source: Microsoft-Windows-Security-Netlogon + Event ID: 8004 + Task Category: Auditing NTLM + Level: Information + Description: + Domain Controller Blocked Audit: Audit NTLM authentication to this domain controller. + Secure Channel name: + User name: + @@CyBAAAAUBQYAMHArBwUAMGAoBQZAQGA1BAbAUGAyBgOAQFAhBwcAsGA6AweAgDA2AQQAMEAwAANAgDA1AQLAIEADBQRAADAtAANAYEA1AwQA0CA5AAOAMEAyAQLAYDAxAwQAEDAEBwMAMEAwAgMAMDACBgRA0HA + Domain name: NULL + ``` + + - This event stems from a scheduled task running under local user context with the [Cumulative Security Update for November 2017](https://support.microsoft.com/topic/november-27-2017-kb4051033-os-build-14393-1914-447b6b88-e75d-0a24-9ab9-5dcda687aaf4) or later and happens when Credential Guard is enabled. + - The username appears in an unusual format because local accounts aren't protected by Credential Guard. The task also fails to execute. + - As a workaround, run the scheduled task under a domain user or the computer's SYSTEM account. + +The following known issues have been fixed by servicing releases made available in the Cumulative Security Updates for April 2017: + +- [KB4015217 Windows Defender Credential Guard generates double bad password count on Active Directory domain-joined Windows machines](https://support.microsoft.com/topic/april-11-2017-kb4015217-os-build-14393-1066-and-14393-1083-b5f79067-98bd-b4ec-8b81-5d858d7dc722) + + This issue can potentially lead to unexpected account lockouts. For more information, see the following support articles: + + - [KB4015219](https://support.microsoft.com/topic/april-11-2017-kb4015219-os-build-10586-873-68b8e379-aafa-ea6c-6b29-56d19785e657) + - [KB4015221](https://support.microsoft.com/topic/april-11-2017-kb4015221-os-build-10240-17354-743f52bc-a484-d23f-71f5-b9957cbae0e6) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index 3ef2c7372f..e4eb399ed3 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md @@ -1,31 +1,22 @@ --- title: Manage Windows Defender Credential Guard (Windows) description: Learn how to deploy and manage Windows Defender Credential Guard using Group Policy, the registry, or hardware readiness tools. -ms.prod: windows-client -ms.localizationpriority: medium -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: zwhittington -manager: aaroncz -ms.collection: - - M365-identity-device-management +ms.date: 11/23/2022 +ms.collection: - highpri ms.topic: article -ms.custom: - - CI 120967 - - CSSTroubleshooting appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 - - ✅ Windows Server 2019 - - ✅ Windows Server 2022 +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later --- + # Manage Windows Defender Credential Guard ## Default Enablement -Starting in **Windows 11 Enterprise, version 22H2** and **Windows 11 Education, version 22H2**, compatible systems have Windows Defender Credential Guard turned on by default. This feature changes the default state of the feature in Windows, though system administrators can still modify this enablement state. Windows Defender Credential Guard can still be manually [enabled](#enable-windows-defender-credential-guard) or [disabled](#disable-windows-defender-credential-guard) via the methods documented below. +Starting in **Windows 11 Enterprise, version 22H2** and **Windows 11 Education, version 22H2**, compatible systems have Windows Defender Credential Guard turned on by default. This feature changes the default state of the feature in Windows, though system administrators can still modify this enablement state. Windows Defender Credential Guard can still be manually [enabled](#enable-windows-defender-credential-guard) or [disabled](#disable-windows-defender-credential-guard) via the methods documented below. + +Known issues arising from default enablement are documented in [Windows Defender Credential Guard: Known issues](credential-guard-known-issues.md#known-issue-single-sign-on-sso-for-network-services-breaks-after-upgrading-to-windows-11-version-22h2). ### Requirements for automatic enablement @@ -314,7 +305,7 @@ Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true Instructions are given below for how to disable Virtualization-Based Security (VBS) entirely, rather than just Windows Defender Credential Guard. Disabling Virtualization-Based Security will automatically disable Windows Defender Credential Guard and other features that rely on VBS. -> [!IMPORANT] +> [!IMPORTANT] > Other security features in addition to Windows Defender Credential Guard rely on Virtualization-Based Security in order to run. Disabling Virtualization-Based Security may have unintended side effects. 1. If Group Policy was used to enable Virtualization-Based Security, set the Group Policy setting that was used to enable it (**Computer Configuration** > **Administrative Templates** > **System** > **Device Guard** > **Turn on Virtualization Based Security**) to "Disabled". diff --git a/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md b/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md index 3223fe70ac..86b9533f7a 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md @@ -1,21 +1,11 @@ --- title: Windows Defender Credential Guard protection limits & mitigations (Windows) description: Scenarios not protected by Windows Defender Credential Guard in Windows, and additional mitigations you can use. -ms.prod: windows-client -ms.localizationpriority: medium -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: erikdau -manager: aaroncz -ms.collection: M365-identity-device-management ms.topic: article ms.date: 08/17/2017 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 - - ✅ Windows Server 2019 - - ✅ Windows Server 2022 +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later --- # Windows Defender Credential Guard protection limits and mitigations @@ -25,16 +15,16 @@ in the Deep Dive into Windows Defender Credential Guard video series. Some ways to store credentials are not protected by Windows Defender Credential Guard, including: -- Software that manages credentials outside of Windows feature protection -- Local accounts and Microsoft Accounts -- Windows Defender Credential Guard does not protect the Active Directory database running on Windows Server 2016 domain controllers. It also does not protect credential input pipelines, such as Windows Server 2016 servers running Remote Desktop Gateway. If you're using a Windows Server 2016 server as a client PC, it will get the same protection as it would when running Windows 10 Enterprise. -- Key loggers -- Physical attacks -- Does not prevent an attacker with malware on the PC from using the privileges associated with any credential. We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access to high value assets in your organization. -- Third-party security packages -- Digest and CredSSP credentials - - When Windows Defender Credential Guard is enabled, neither Digest nor CredSSP have access to users' logon credentials. This implies no Single Sign-On use for these protocols. -- Supplied credentials for NTLM authentication are not protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. Note that these same credentials are vulnerable to key loggers as well.- +- Software that manages credentials outside of Windows feature protection +- Local accounts and Microsoft Accounts +- Windows Defender Credential Guard does not protect the Active Directory database running on Windows Server 2016 domain controllers. It also does not protect credential input pipelines, such as Windows Server 2016 servers running Remote Desktop Gateway. If you're using a Windows Server 2016 server as a client PC, it will get the same protection as it would when running Windows 10 Enterprise. +- Key loggers +- Physical attacks +- Does not prevent an attacker with malware on the PC from using the privileges associated with any credential. We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access to high value assets in your organization. +- Third-party security packages +- Digest and CredSSP credentials + - When Windows Defender Credential Guard is enabled, neither Digest nor CredSSP have access to users' logon credentials. This implies no Single Sign-On use for these protocols. +- Supplied credentials for NTLM authentication are not protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. Note that these same credentials are vulnerable to key loggers as well.- - When Windows Defender Credential Guard is deployed on a VM, Windows Defender Credential Guard protects secrets from attacks inside the VM. However, it does not provide additional protection from privileged system attacks originating from the host. - Windows logon cached password verifiers (commonly called "cached credentials") do not qualify as credentials because they cannot be presented to another computer for authentication, and can only be used locally to verify credentials. They are stored in the registry on the local computer and provide validation for credentials when a domain-joined computer cannot connect to AD DS during user logon. These “cached logons”, or more specifically, cached domain account information, can be managed using the security policy setting **Interactive logon: Number of previous logons to cache** if a domain controller is not available. @@ -53,21 +43,21 @@ Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring, **To enable Kerberos armoring for restricting domain users to specific domain-joined devices** -- Users need to be in domains that are running Windows Server 2012 R2 or higher -- All the domain controllers in these domains must be configured to support Kerberos armoring. Set the **KDC support for claims, compound authentication, and Kerberos armoring** Group Policy setting to either **Supported** or **Always provide claims**. -- All the devices with Windows Defender Credential Guard that the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -> **Administrative Templates** -> **System** -> **Kerberos**. +- Users need to be in domains that are running Windows Server 2012 R2 or higher +- All the domain controllers in these domains must be configured to support Kerberos armoring. Set the **KDC support for claims, compound authentication, and Kerberos armoring** Group Policy setting to either **Supported** or **Always provide claims**. +- All the devices with Windows Defender Credential Guard that the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -> **Administrative Templates** -> **System** -> **Kerberos**. #### Protecting domain-joined device secrets Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Windows Defender Credential Guard, the private key can be protected. Then authentication policies can require that users sign on devices that authenticate using those certificates. This prevents shared secrets stolen from the device to be used with stolen user credentials to sign on as the user. Domain-joined device certificate authentication has the following requirements: -- Devices' accounts are in Windows Server 2012 domain functional level or higher. -- All domain controllers in those domains have KDC certificates which satisfy strict KDC validation certificate requirements: - - KDC EKU present - - DNS domain name matches the DNSName field of the SubjectAltName (SAN) extension -- Windows 10 devices have the CA issuing the domain controller certificates in the enterprise store. -- A process is established to ensure the identity and trustworthiness of the device in a similar manner as you would establish the identity and trustworthiness of a user before issuing them a smartcard. +- Devices' accounts are in Windows Server 2012 domain functional level or higher. +- All domain controllers in those domains have KDC certificates which satisfy strict KDC validation certificate requirements: + - KDC EKU present + - DNS domain name matches the DNSName field of the SubjectAltName (SAN) extension +- Windows 10 devices have the CA issuing the domain controller certificates in the enterprise store. +- A process is established to ensure the identity and trustworthiness of the device in a similar manner as you would establish the identity and trustworthiness of a user before issuing them a smartcard. ##### Deploying domain-joined device certificates @@ -77,17 +67,17 @@ For example, let's say you wanted to use the High Assurance policy only on these **Creating a new certificate template** -1. From the Certificate Manager console, right-click **Certificate Templates**, and then click **Manage.** -2. Right-click **Workstation Authentication**, and then click **Duplicate Template**. -3. Right-click the new template, and then click **Properties**. -4. On the **Extensions** tab, click **Application Policies**, and then click **Edit**. -5. Click **Client Authentication**, and then click **Remove**. -6. Add the ID-PKInit-KPClientAuth EKU. Click **Add**, click **New**, and then specify the following values: - - Name: Kerberos Client Auth - - Object Identifier: 1.3.6.1.5.2.3.4 -7. On the **Extensions** tab, click **Issuance Policies**, and then click **Edit**. -8. Under **Issuance Policies**, click**High Assurance**. -9. On the **Subject name** tab, clear the **DNS name** check box, and then select the **User Principal Name (UPN)** check box. +1. From the Certificate Manager console, right-click **Certificate Templates**, and then click **Manage.** +1. Right-click **Workstation Authentication**, and then click **Duplicate Template**. +1. Right-click the new template, and then click **Properties**. +1. On the **Extensions** tab, click **Application Policies**, and then click **Edit**. +1. Click **Client Authentication**, and then click **Remove**. +1. Add the ID-PKInit-KPClientAuth EKU. Click **Add**, click **New**, and then specify the following values: + - Name: Kerberos Client Auth + - Object Identifier: 1.3.6.1.5.2.3.4 +1. On the **Extensions** tab, click **Issuance Policies**, and then click **Edit**. +1. Under **Issuance Policies**, click**High Assurance**. +1. On the **Subject name** tab, clear the **DNS name** check box, and then select the **User Principal Name (UPN)** check box. Then on the devices that are running Windows Defender Credential Guard, enroll the devices using the certificate you just created. @@ -100,15 +90,15 @@ CertReq -EnrollCredGuardCert MachineAuthentication > [!NOTE] > You must restart the device after enrolling the machine authentication certificate. -  + ##### How a certificate issuance policy can be used for access control Beginning with the Windows Server 2008 R2 domain functional level, domain controllers support for authentication mechanism assurance provides a way to map certificate issuance policy OIDs to universal security groups. Windows Server 2012 domain controllers with claim support can map them to claims. To learn more about authentication mechanism assurance, see [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd378897(v=ws.10)) on TechNet. **To see the issuance policies available** -- The [get-IssuancePolicy.ps1](#bkmk-getscript) shows all of the issuance policies that are available on the certificate authority. - From a Windows PowerShell command prompt, run the following command: +- The [get-IssuancePolicy.ps1](#bkmk-getscript) shows all of the issuance policies that are available on the certificate authority.\ +From a Windows PowerShell command prompt, run the following command: ```powershell .\get-IssuancePolicy.ps1 –LinkedToGroup:All @@ -116,7 +106,7 @@ Beginning with the Windows Server 2008 R2 domain functional level, domain contro **To link an issuance policy to a universal security group** -- The [set-IssuancePolicyToGroupLink.ps1](#bkmk-setscript) creates a Universal security group, creates an organizational unit, and links the issuance policy to that Universal security group. +- The [set-IssuancePolicyToGroupLink.ps1](#bkmk-setscript) creates a Universal security group, creates an organizational unit, and links the issuance policy to that Universal security group. From a Windows PowerShell command prompt, run the following command: ```powershell @@ -127,12 +117,12 @@ Beginning with the Windows Server 2008 R2 domain functional level, domain contro So we now have completed the following: -- Created a special certificate issuance policy to identify devices that meet the deployment criteria required for the user to be able to sign on -- Mapped that policy to a universal security group or claim -- Provided a way for domain controllers to get the device authorization data during user sign-on using Kerberos armoring. Now what is left to do is to configure the access check on the domain controllers. This is done using authentication policies. +- Created a special certificate issuance policy to identify devices that meet the deployment criteria required for the user to be able to sign on +- Mapped that policy to a universal security group or claim +- Provided a way for domain controllers to get the device authorization data during user sign-on using Kerberos armoring. Now what is left to do is to configure the access check on the domain controllers. This is done using authentication policies. Authentication policies have the following requirements: -- User accounts are in a Windows Server 2012 domain functional level or higher domain. +- User accounts are in a Windows Server 2012 domain functional level or higher domain. **Creating an authentication policy restricting users to the specific universal security group** @@ -356,7 +346,7 @@ write-host "There are no issuance policies which are not mapped to groups" ``` > [!NOTE] > If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter. -  + #### Link an issuance policy to a group Save the script file as set-IssuancePolicyToGroupLink.ps1. @@ -643,4 +633,4 @@ write-host $tmp -Foreground Red **Deep Dive into Windows Defender Credential Guard: Related videos** -[Protecting privileged users with Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=JNbjYMJyC_8104300474) \ No newline at end of file +[Protecting privileged users with Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=JNbjYMJyC_8104300474) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md b/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md index 708b5921a2..42fbe2a663 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md @@ -1,40 +1,30 @@ --- title: Windows Defender Credential Guard protection limits (Windows) description: Some ways to store credentials are not protected by Windows Defender Credential Guard in Windows. Learn more with this guide. -ms.prod: windows-client -ms.localizationpriority: medium -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: erikdau -manager: aaroncz -ms.collection: M365-identity-device-management -ms.topic: article ms.date: 08/17/2017 +ms.topic: article appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 - - ✅ Windows Server 2019 - - ✅ Windows Server 2022 +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later --- # Windows Defender Credential Guard protection limits Some ways to store credentials are not protected by Windows Defender Credential Guard, including: -- Software that manages credentials outside of Windows feature protection -- Local accounts and Microsoft Accounts -- Windows Defender Credential Guard doesn't protect the Active Directory database running on Windows Server 2016 domain controllers. It also doesn't protect credential input pipelines, such as Windows Server 2016 servers running Remote Desktop Gateway. If you're using a Windows Server 2016 server as a client PC, it will get the same protection as it would when running Windows 10 Enterprise. -- Key loggers -- Physical attacks -- Doesn't prevent an attacker with malware on the PC from using the privileges associated with any credential. We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access to high value assets in your organization. -- Third-party security packages -- Digest and CredSSP credentials - - When Windows Defender Credential Guard is enabled, neither Digest nor CredSSP have access to users' logon credentials. This implies no Single Sign-On use for these protocols. -- Supplied credentials for NTLM authentication aren't protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. These same credentials are vulnerable to key loggers as well.- -- Kerberos service tickets aren't protected by Credential Guard, but the Kerberos Ticket Granting Ticket (TGT) is. -- When Windows Defender Credential Guard is deployed on a VM, Windows Defender Credential Guard protects secrets from attacks inside the VM. However, it doesn't provide additional protection from privileged system attacks originating from the host. -- Windows logon cached password verifiers (commonly called "cached credentials") -don't qualify as credentials because they can't be presented to another computer for authentication, and can only be used locally to verify credentials. They're stored in the registry on the local computer and provide validation for credentials when a domain-joined computer can't connect to AD DS during user logon. These “cached logons”, or more specifically, cached domain account information, can be managed using the security policy setting **Interactive logon: Number of previous logons to cache** if a domain controller isn't available. +- Software that manages credentials outside of Windows feature protection +- Local accounts and Microsoft Accounts +- Windows Defender Credential Guard doesn't protect the Active Directory database running on Windows Server domain controllers. It also doesn't protect credential input pipelines, such as Windows Server running Remote Desktop Gateway. If you're using a Windows Server OS as a client PC, it will get the same protection as it would when running a Windows client OS. +- Key loggers +- Physical attacks +- Doesn't prevent an attacker with malware on the PC from using the privileges associated with any credential. We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access to high value assets in your organization. +- Third-party security packages +- Digest and CredSSP credentials + - When Windows Defender Credential Guard is enabled, neither Digest nor CredSSP have access to users' logon credentials. This implies no Single Sign-On use for these protocols. +- Supplied credentials for NTLM authentication aren't protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. These same credentials are vulnerable to key loggers as well.- +- Kerberos service tickets aren't protected by Credential Guard, but the Kerberos Ticket Granting Ticket (TGT) is. +- When Windows Defender Credential Guard is deployed on a VM, Windows Defender Credential Guard protects secrets from attacks inside the VM. However, it doesn't provide additional protection from privileged system attacks originating from the host. +- Windows logon cached password verifiers (commonly called "cached credentials") +don't qualify as credentials because they can't be presented to another computer for authentication, and can only be used locally to verify credentials. They're stored in the registry on the local computer and provide validation for credentials when a domain-joined computer can't connect to AD DS during user logon. These *cached logons*, or more specifically, *cached domain account information*, can be managed using the security policy setting **Interactive logon: Number of previous logons to cache** if a domain controller isn't available. ## See also diff --git a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md index 2089f49bde..164f0f776e 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md @@ -1,25 +1,14 @@ --- -title: Windows Defender Credential Guard Requirements (Windows) +title: Windows Defender Credential Guard requirements description: Windows Defender Credential Guard baseline hardware, firmware, and software requirements, and additional protections for improved security. -ms.prod: windows-client -ms.localizationpriority: medium -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: zwhittington -manager: aaroncz -ms.collection: - - M365-identity-device-management -ms.topic: article ms.date: 12/27/2021 +ms.topic: article appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 - - ✅ Windows Server 2019 - - ✅ Windows Server 2022 +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later --- -# Windows Defender Credential Guard: Requirements +# Windows Defender Credential Guard requirements For Windows Defender Credential Guard to provide protection, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements, which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally, Windows Defender Credential Guard blocks specific authentication capabilities, so applications that require such capabilities will break. We will refer to these requirements as [Application requirements](#application-requirements). Beyond these requirements, computers can meet additional hardware and firmware qualifications, and receive additional protections. Those computers will be more hardened against certain threats. For detailed information on baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017, refer to the tables in [Security Considerations](#security-considerations). diff --git a/windows/security/identity-protection/credential-guard/credential-guard-scripts.md b/windows/security/identity-protection/credential-guard/credential-guard-scripts.md index 118e9f9b2f..5051ce94cd 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-scripts.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-scripts.md @@ -1,22 +1,20 @@ --- title: Scripts for Certificate Issuance Policies in Windows Defender Credential Guard (Windows) description: Obtain issuance policies from the certificate authority for Windows Defender Credential Guard on Windows. -ms.prod: windows-client -ms.localizationpriority: medium -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: erikdau -manager: aaroncz -ms.collection: M365-identity-device-management -ms.topic: article -ms.date: 08/17/2017 +ms.date: 11/22/2022 +ms.topic: reference +appliesto: +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later --- -# Windows Defender Credential Guard: Scripts for Certificate Authority Issuance Policies +# Windows Defender Credential Guard: scripts for certificate authority issuance policies -Here is a list of scripts mentioned in this topic. +Expand each section to see the PowerShell scripts: -## Get the available issuance policies on the certificate authority +
                              +
                              +Get the available issuance policies on the certificate authority Save this script file as get-IssuancePolicy.ps1. @@ -206,8 +204,12 @@ write-host "There are no issuance policies which are not mapped to groups" ``` > [!NOTE] > If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter. -  -## Link an issuance policy to a group + +
                              + +
                              +
                              +Link an issuance policy to a group Save the script file as set-IssuancePolicyToGroupLink.ps1. @@ -488,3 +490,5 @@ write-host $tmp -Foreground Red > [!NOTE] > If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter. + +
                              diff --git a/windows/security/identity-protection/credential-guard/credential-guard.md b/windows/security/identity-protection/credential-guard/credential-guard.md index 186993b2fb..6548d02f17 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard.md +++ b/windows/security/identity-protection/credential-guard/credential-guard.md @@ -1,23 +1,13 @@ --- title: Protect derived domain credentials with Windows Defender Credential Guard (Windows) description: Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. -ms.prod: windows-client -ms.localizationpriority: medium -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: erikdau -manager: aaroncz -ms.collection: - - M365-identity-device-management - - highpri +ms.date: 11/22/2022 ms.topic: article -ms.date: 03/10/2022 +ms.collection: + - highpri appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 - - ✅ Windows Server 2019 - - ✅ Windows Server 2022 +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later --- # Protect derived domain credentials with Windows Defender Credential Guard @@ -26,11 +16,13 @@ Windows Defender Credential Guard uses virtualization-based security to isolate By enabling Windows Defender Credential Guard, the following features and solutions are provided: -- **Hardware security** NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot and virtualization, to protect credentials. -- **Virtualization-based security** Windows NTLM and Kerberos derived credentials and other secrets run in a protected environment that is isolated from the running operating system. -- **Better protection against advanced persistent threats** When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. While Windows Defender Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate other security strategies and architectures. +- **Hardware security** NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot and virtualization, to protect credentials. +- **Virtualization-based security** Windows NTLM and Kerberos derived credentials and other secrets run in a protected environment that is isolated from the running operating system. +- **Better protection against advanced persistent threats** When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. While Windows Defender Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate other security strategies and architectures. + +> [!NOTE] +> As of Windows 11, version 22H2, Windows Defender Credential Guard has been enabled by default on all devices which meet the minimum requirements as specified in the [Default Enablement](credential-guard-manage.md#default-enablement) section. For information about known issues related to default enablement, see [Credential Guard: Known Issues](credential-guard-known-issues.md#known-issue-single-sign-on-sso-for-network-services-breaks-after-upgrading-to-windows-11-version-22h2). -  ## Related topics - [Protecting network passwords with Windows Defender Credential Guard](https://www.microsoft.com/itshowcase/Article/Content/831/Protecting-network-passwords-with-Windows-10-Credential-Guard) diff --git a/windows/security/identity-protection/credential-guard/dg-readiness-tool.md b/windows/security/identity-protection/credential-guard/dg-readiness-tool.md index 62c4d19d36..d834db9710 100644 --- a/windows/security/identity-protection/credential-guard/dg-readiness-tool.md +++ b/windows/security/identity-protection/credential-guard/dg-readiness-tool.md @@ -1,20 +1,11 @@ --- title: Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool description: Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool script -ms.prod: windows-client -ms.localizationpriority: medium -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: erikdau -manager: aaroncz -ms.collection: M365-identity-device-management -ms.topic: article -appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 - - ✅ Windows Server 2019 - - ✅ Windows Server 2022 +ms.date: 11/22/2022 +ms.topic: reference +appliesto: +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later --- # Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool diff --git a/windows/security/identity-protection/enterprise-certificate-pinning.md b/windows/security/identity-protection/enterprise-certificate-pinning.md index 4b46daa4cb..6b2de2aa60 100644 --- a/windows/security/identity-protection/enterprise-certificate-pinning.md +++ b/windows/security/identity-protection/enterprise-certificate-pinning.md @@ -4,7 +4,6 @@ description: Enterprise certificate pinning is a Windows feature for remembering author: paolomatarazzo ms.author: paoloma manager: aaroncz -ms.collection: M365-identity-device-management ms.topic: article ms.prod: windows-client ms.technology: itpro-security diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md index 04aadd070b..33c5c76b9f 100644 --- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md +++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md @@ -1,36 +1,23 @@ --- title: Multi-factor Unlock description: Learn how Windows 10 and Windows 11 offer multi-factor device unlock by extending Windows Hello with trusted signals. -ms.prod: windows-client -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 03/20/2018 -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: prsriva -manager: aaroncz appliesto: - - ✅ Windows 10 - - ✅ Windows 11 +- ✅ Windows 10 and later +ms.topic: article --- # Multi-factor Unlock -**Requirements:** -* Windows Hello for Business deployment (Cloud, Hybrid or On-premises) -* Azure AD, Hybrid Azure AD, or Domain Joined (Cloud, Hybrid, or On-Premises deployments) -* Windows 10, version 1709 or newer, or Windows 11 -* Bluetooth, Bluetooth capable phone - optional +Windows Hello for Business supports the use of a single credential (PIN and biometrics) for unlocking a device. Therefore, if any of those credentials are compromised (shoulder surfed), an attacker could gain access to the system. -Windows, today, natively only supports the use of a single credential (password, PIN, fingerprint, face, etc.) for unlocking a device. Therefore, if any of those credentials are compromised (shoulder surfed), an attacker could gain access to the system. - -Windows 10 and Windows 11 offer multi-factor device unlock by extending Windows Hello with trusted signals. Administrators can configure their Windows to request a combination of factors and trusted signals to unlock their devices. +Windows Hello for Business can be configured with multi-factor device unlock, by extending Windows Hello with trusted signals. Administrators can configure devices to request a combination of factors and trusted signals to unlock theim. Which organizations can take advantage of Multi-factor unlock? Those who: -* Have expressed that PINs alone do not meet their security needs. -* Want to prevent Information Workers from sharing credentials. -* Want their organizations to comply with regulatory two-factor authentication policy. -* Want to retain the familiar Windows sign-in user experience and not settle for a custom solution. + +- Have expressed that PINs alone do not meet their security needs +- Want to prevent Information Workers from sharing credentials +- Want their organizations to comply with regulatory two-factor authentication policy +- Want to retain the familiar Windows sign-in user experience and not settle for a custom solution You enable multi-factor unlock using Group Policy. The **Configure device unlock factors** policy setting is located under **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**. diff --git a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md index 738c5d164a..004083bb85 100644 --- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md +++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md @@ -1,29 +1,23 @@ --- -title: Azure Active Directory join cloud only deployment -description: Use this deployment guide to successfully use Azure Active Directory to join a Windows 10 or Windows 11 device. -ms.prod: windows-client -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium +title: Windows Hello for Business cloud-only deployment +description: Learn how to configure Windows Hello for Business in a cloud-only deployment scenario. ms.date: 06/23/2021 -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: prsriva -manager: aaroncz appliesto: - - ✅ Windows 10 - - ✅ Windows 11 +- ✅ Windows 10 and later +ms.topic: article --- -# Azure Active Directory join cloud only deployment +# Cloud-only deployment + +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-cloud.md)] ## Introduction -When you Azure Active Directory (Azure AD) join a Windows 10 or Windows 11 device, the system prompts you to enroll in Windows Hello for Business by default. If you want to use Windows Hello for Business in your cloud only environment, then there's no additional configuration needed. +When you Azure Active Directory (Azure AD) join a Windows device, the system prompts you to enroll in Windows Hello for Business by default. If you want to use Windows Hello for Business in your cloud-only environment, then there's no additional configuration needed. You may wish to disable the automatic Windows Hello for Business enrollment prompts if you aren't ready to use it in your environment. Instructions on how to disable Windows Hello for Business enrollment in a cloud only environment are included below. > [!NOTE] -> During the out-of-box experience (OOBE) flow of an Azure AD join, you will see a provisioning PIN when you don’t have Intune. You can always cancel the PIN screen and set this cancellation with registry keys to prevent future prompts. +> During the out-of-box experience (OOBE) flow of an Azure AD join, you will see a provisioning PIN when you don't have Intune. You can always cancel the PIN screen and set this cancellation with registry keys to prevent future prompts. ## Prerequisites @@ -31,7 +25,7 @@ Cloud only deployments will use Azure AD multi-factor authentication (MFA) durin The necessary Windows Hello for Business prerequisites are located at [Cloud Only Deployment](hello-identity-verification.md#azure-ad-cloud-only-deployment). -Also note that it's possible for federated domains to enable the “Supports MFA” flag in your federated domain settings. This flag tells Azure AD that the federated IDP will perform the MFA challenge. +Also note that it's possible for federated domains to enable the *Supports MFA* flag in your federated domain settings. This flag tells Azure AD that the federated IDP will perform the MFA challenge. Check and view this setting with the following MSOnline PowerShell command: @@ -70,7 +64,11 @@ If you don't use Intune in your organization, then you can disable Windows Hello Intune uses the following registry keys: **`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\\Device\Policies`** -To look up your Tenant ID, see [How to find your Azure Active Directory tenant ID](/azure/active-directory/fundamentals/active-directory-how-to-find-tenant) +To look up your Tenant ID, see [How to find your Azure Active Directory tenant ID](/azure/active-directory/fundamentals/active-directory-how-to-find-tenant) or try the following, ensuring to sign-in with your organization's account: + +```msgraph-interactive +GET https://graph.microsoft.com/v1.0/organization?$select=id +``` These registry settings are pushed from Intune for user policies: diff --git a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md index 30c337b738..32dc3ba63e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md +++ b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md @@ -1,21 +1,11 @@ --- title: Having enough Domain Controllers for Windows Hello for Business deployments description: Guide for planning to have an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments -ms.prod: windows-client -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 08/20/2018 -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: prsriva -manager: aaroncz appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 or later - - ✅ Hybrid or On-Premises deployment - - ✅ Key trust +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later +ms.topic: article --- # Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments diff --git a/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md b/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md index 7a1fee430a..b7b06e3193 100644 --- a/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md +++ b/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md @@ -1,18 +1,10 @@ --- title: Windows Hello and password changes (Windows) description: When you change your password on a device, you may need to sign in with a password on other devices to reset Hello. -ms.prod: windows-client -ms.collection: M365-identity-device-management -ms.topic: article -ms.localizationpriority: medium ms.date: 07/27/2017 -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: prsriva -manager: aaroncz appliesto: - - ✅ Windows 10 - - ✅ Windows 11 +- ✅ Windows 10 and later +ms.topic: article --- # Windows Hello and password changes diff --git a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md index 99713dc227..c9bc5a12f3 100644 --- a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md +++ b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md @@ -1,20 +1,10 @@ --- title: Windows Hello biometrics in the enterprise (Windows) description: Windows Hello uses biometrics to authenticate users and guard against potential spoofing, through fingerprint matching and facial recognition. -ms.prod: windows-client -ms.collection: - - M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 01/12/2021 -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: prsriva -manager: aaroncz appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Holographic for Business +- ✅ Windows 10 and later +ms.topic: article --- # Windows Hello biometrics in the enterprise diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md index e6e1f62714..d258d207f7 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md @@ -1,573 +1,318 @@ --- -title: Prepare and Deploy Windows AD FS certificate trust (Windows Hello for Business) -description: Learn how to Prepare and Deploy Windows Server 2016 Active Directory Federation Services (AD FS) for Windows Hello for Business, using certificate trust. -ms.prod: windows-client -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium -ms.date: 01/14/2021 -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: prsriva -manager: aaroncz +title: Prepare and deploy Active Directory Federation Services in an on-premises certificate trust +description: Learn how to configure Active Directory Federation Services to support the Windows Hello for Business certificate trust model. +ms.date: 12/12/2022 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ On-premises deployments - - ✅ Certificate trust +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later +ms.topic: tutorial --- -# Prepare and Deploy Windows Server 2016 Active Directory Federation Services - Certificate Trust +# Prepare and deploy Active Directory Federation Services - on-premises certificate trust -Windows Hello for Business works exclusively with the Active Directory Federation Service role included with Windows Server 2016 and requires an additional server update. The on-premises certificate trust deployment uses Active Directory Federation Services roles for key registration, device registration, and as a certificate registration authority. +[!INCLUDE [hello-on-premises-cert-trust](../../includes/hello-on-premises-cert-trust.md)] -The following guidance describes deploying a new instance of Active Directory Federation Services 2016 using the Windows Information Database as the configuration database, which is ideal for environments with no more than 30 federation servers and no more than 100 relying party trusts. +Windows Hello for Business works exclusively with the Active Directory Federation Service (AD FS) role included with Windows Server. The on-premises certificate trust deployment model uses AD FS for *certificate enrollment* and *device registration*. -If your environment exceeds either of these factors or needs to provide SAML artifact resolution, token replay detection, or needs Active Directory Federation Services to operate in a federated provider role, then your deployment needs to use a SQL for your configuration database. To deploy the Active Directory Federation Services using SQL as its configuration database, please review the [Deploying a Federation Server Farm](/windows-server/identity/ad-fs/deployment/deploying-a-federation-server-farm) checklist. +The following guidance describes the deployment of a new instance of AD FS using the Windows Information Database (WID) as the configuration database.\ +WID is ideal for environments with no more than **30 federation servers** and no more than **100 relying party trusts**. If your environment exceeds either of these factors, or needs to provide *SAML artifact resolution*, *token replay detection*, or needs AD FS to operate as a federated provider role, then the deployment requires the use of SQL as a configuration database.\ +To deploy AD FS using SQL as its configuration database, review the [Deploying a Federation Server Farm](/windows-server/identity/ad-fs/deployment/deploying-a-federation-server-farm) checklist. -If your environment has an existing instance of Active Directory Federation Services, then you’ll need to upgrade all nodes in the farm to Windows Server 2016 along with the Windows Server 2016 update. If your environment uses Windows Internal Database (WID) for the configuration database, please read [Upgrading to AD FS in Windows Server 2016 using a WID database](/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016) to upgrade your environment. If your environment uses SQL for the configuration database, please read [Upgrading to AD FS in Windows Server 2016 with SQL Server](/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016-sql) to upgrade your environment. +A new AD FS farm should have a minimum of two federation servers for proper load balancing, which can be accomplished with external networking peripherals, or with using the Network Load Balancing Role included in Windows Server. -Ensure you apply the Windows Server 2016 Update to all nodes in the farm after you have successfully completed the upgrade. +Prepare the AD FS deployment by installing and **updating** two Windows Servers. -A new Active Directory Federation Services farm should have a minimum of two federation servers for proper load balancing, which can be accomplished with an external networking peripherals, or with using the Network Load Balancing Role included in Windows Server. +## Enroll for a TLS server authentication certificate -Prepare the Active Directory Federation Services deployment by installing and updating two Windows Server 2016 Servers. Ensure the update listed below is applied to each server before continuing. +Typically, a federation service is an edge facing role. However, the federation services and instance used with the on-premises deployment of Windows Hello for Business does not need Internet connectivity. -> [!NOTE] -> For AD FS 2019, if Windows Hello for Business with a Hybrid Certificate trust is performed, a known PRT issue exists. You may encounter this error in ADFS Admin event logs: Received invalid Oauth request. The client 'NAME' is forbidden to access the resource with scope 'ugs'. To remediate this error: -> -> 1. Launch AD FS management console. Browse to "Services > Scope Descriptions". -> 2. Right click "Scope Descriptions" and select "Add Scope Description". -> 3. Under name type "ugs" and Click Apply > OK. -> 4. Launch PowerShell as an administrator. -> 5. Get the ObjectIdentifier of the application permission with the ClientRoleIdentifier parameter equal to "38aa3b87-a06d-4817-b275-7a316988d93b": -> ```PowerShell -> (Get-AdfsApplicationPermission -ServerRoleIdentifiers 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope' | ?{ $_.ClientRoleIdentifier -eq '38aa3b87-a06d-4817-b275-7a316988d93b' }).ObjectIdentifier -> ``` -> 6. Execute the command `Set-AdfsApplicationPermission -TargetIdentifier -AddScope 'ugs'`. -> 7. Restart the AD FS service. -> 8. On the client: Restart the client. User should be prompted to provision Windows Hello for Business. +The AD FS role needs a *server authentication* certificate for the federation services, and you can use a certificate issued by your enterprise (internal) CA. The server authentication certificate should have the following names included in the certificate, if you are requesting an individual certificate for each node in the federation farm: + - **Subject Name**: the internal FQDN of the federation server + - **Subject Alternate Name**: the federation service name (e.g. *sts.corp.contoso.com*) or an appropriate wildcard entry (e.g. *\*.corp.contoso.com*) -## Update Windows Server 2016 +The federation service name is set when the AD FS role is configured. You can choose any name, but that name must be different than the name of the server or host. For example, you can name the host server *adfs* and the federation service *sts*. In this example, the FQDN of the host is *adfs.corp.contoso.com* and the FQDN of the federation service is *sts.corp.contoso.com*. -Sign-in the federation server with _local admin_ equivalent credentials. -1. Ensure Windows Server 2016 is current by running **Windows Update** from **Settings**. Continue this process until no further updates are needed. If you’re not using Windows Update for updates, please advise the [Windows Server 2016 update history page](https://support.microsoft.com/help/4000825/windows-10-windows-server-2016-update-history) to make sure you have the latest updates available installed. -2. Ensure the latest server updates to the federation server includes [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889). +You can also issue one certificate for all hosts in the farm. If you chose this option, leave the subject name *blank*, and include all the names in the subject alternate name when creating the certificate request. All names should include the FQDN of each host in the farm and the federation service name. ->[!IMPORTANT] ->The above referenced updates are mandatory for Windows Hello for Business all on-premises deployment and hybrid certificate trust deployments for domain joined computers. +When creating a wildcard certificate, mark the private key as exportable, so that the same certificate can be deployed across each federation server and web application proxy within the AD FS farm. Note that the certificate must be trusted (chain to a trusted root CA). Once you have successfully requested and enrolled the server authentication certificate on one node, you can export the certificate and private key to a PFX file using the Certificate Manager console. You can then import the certificate on the remaining nodes in the AD FS farm. -## Enroll for a TLS Server Authentication Certificate +Be sure to enroll or import the certificate into the AD FS server's computer certificate store. Also, ensure all nodes in the farm have the proper TLS server authentication certificate. +### AD FS authentication certificate enrollment -Windows Hello for Business on-premises deployments require a federation server for device registration, key registration, and authentication certificate enrollment. Typically, a federation service is an edge facing role. However, the federation services and instance used with the on-premises deployment of Windows Hello for Business does not need Internet connectivity. +Sign-in the federation server with *domain administrator* equivalent credentials. -The AD FS role needs a server authentication certificate for the federation services, but you can use a certificate issued by your enterprise (internal) certificate authority. The server authentication certificate should have the following names included in the certificate if you are requesting an individual certificate for each node in the federation farm: +1. Start the Local Computer **Certificate Manager** (certlm.msc) +1. Expand the **Personal** node in the navigation pane +1. Right-click **Personal**. Select **All Tasks > Request New Certificate** +1. Select **Next** on the **Before You Begin** page +1. Select **Next** on the **Select Certificate Enrollment Policy** page +1. On the **Request Certificates** page, select the **Internal Web Server** check box +1. Select the **⚠️ More information is required to enroll for this certificate. Click here to configure settings** link + :::image type="content" source="images/hello-internal-web-server-cert.png" lightbox="images/hello-internal-web-server-cert.png" alt-text="Example of Certificate Properties Subject Tab - This is what shows when you select the above link."::: +1. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the computer hosting the AD FS role and then select **Add** +1. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name that you will use for your federation services (*sts.corp.contoso.com*). The name you use here MUST match the name you use when configuring the AD FS server role. Select **Add** and **OK** when finished +1. Select **Enroll** -- Subject Name: The internal FQDN of the federation server (the name of the computer running AD FS) -- Subject Alternate Name: Your federation service name, such as *fs.corp.contoso.com* (or an appropriate wildcard entry such as *.corp.contoso.com) -- Subject Alternate Name: Your device registration service name, such as *enterpriseregistration.contoso.com* +A server authentication certificate should appear in the computer's personal certificate store. -You configure your federation service name when you configure the AD FS role. You can choose any name, but that name must be different than the name of the server or host. For example, you can name the host server **adfs** and the federation service **fs**. The FQDN of the host is adfs.corp.contoso.com and the FQDN of the federation service is fs.corp.contoso.com. +## Deploy the AD FS role -You can; however, issue one certificate for all hosts in the farm. If you chose this option, then leave the subject name blank, and include all the names in the subject alternate name when creating the certificate request. All names should include the FQDN of each host in the farm and the federation service name. - -It’s recommended that you mark the private key as exportable so that the same certificate can be deployed across each federation server and web application proxy within your AD FS farm. Note that the certificate must be trusted (chain to a trusted root CA). Once you have successfully requested and enrolled the server authentication certificate on one node, you can export the certificate and private key to a PFX file using the Certificate Manager console. You can then import the certificate on the remaining nodes in the AD FS farm. - -Be sure to enroll or import the certificate into the AD FS server’s computer certificate store. Also, ensure all nodes in the farm have the proper TLS server authentication certificate. - -### Internal Web Server Authentication Certificate Enrollment - -Sign-in the federation server with domain administrator equivalent credentials. - -1. Start the Local Computer **Certificate Manager** (certlm.msc). -2. Expand the **Personal** node in the navigation pane. -3. Right-click **Personal**. Select **All Tasks** and **Request New Certificate**. -4. Click **Next** on the **Before You Begin** page. -5. Click **Next** on the **Select Certificate Enrollment Policy** page. -6. On the **Request Certificates** page, Select the **Internal Web Server** check box. -7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link - ![Example of Certificate Properties Subject Tab - This is what shows when you click the above link.](images/hello-internal-web-server-cert.png) -8. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the computer hosting the Active Directory Federation Services role and then click **Add**. -9. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name you will use for your federation services (fs.corp.contoso.com). The name you use here MUST match the name you use when configuring the Active Directory Federation Services server role. Click **Add**. Repeat the same to add device registration service name (*enterpriseregistration.contoso.com*) as another alternative name. Click **OK** when finished. -10. Click **Enroll**. - -A server authentication certificate should appear in the computer’s Personal certificate store. - -## Deploy the Active Directory Federation Service Role - -The Active Directory Federation Service (AD FS) role provides the following services to support Windows Hello for Business on-premises deployments: +AD FS provides the following services to support Windows Hello for Business on-premises deployments in a certificate trust model: - Device registration - Key registration -- Certificate registration authority (certificate trust deployments) +- Certificate registration authority (CRA) >[!IMPORTANT] -> Finish the entire AD FS configuration on the first server in the farm before adding the second server to the AD FS farm. Once complete, the second server receives the configuration through the shared configuration database when it is added the AD FS farm. +> Finish the entire AD FS configuration on the first server in the farm before adding the second server to the AD FS farm. Once complete, the second server receives the configuration through the shared configuration database when it is added the AD FS farm. -Windows Hello for Business depends on proper device registration. For on-premises deployments, Windows Server 2016 AD FS handles device registration. +Sign-in the federation server with *Enterprise Administrator* equivalent credentials. -Sign-in the federation server with _Enterprise Admin_ equivalent credentials. +1. Start **Server Manager**. Select **Local Server** in the navigation pane +1. Select **Manage > Add Roles and Features** +1. Select **Next** on the **Before you begin** page +1. On the **Select installation type** page, select **Role-based or feature-based installation > Next** +1. On the **Select destination server** page, choose **Select a server from the server pool**. Select the federation server from the **Server Pool** list and **Next** +1. On the **Select server roles** page, select **Active Directory Federation Services** and **Next** +1. Select **Next** on the **Select features** page +1. Select **Next** on the **Active Directory Federation Service** page +1. Select **Install** to start the role installation -1. Start **Server Manager**. Click **Local Server** in the navigation pane. -2. Click **Manage** and then click **Add Roles and Features**. -3. Click **Next** on the **Before you begin** page. -4. On the **Select installation type** page, select **Role-based or feature-based installation** and click **Next**. -5. On the **Select destination server** page, choose **Select a server from the server pool**. Select the federation server from the **Server Pool** list. Click **Next**. -6. On the **Select server roles** page, select **Active Directory Federation Services**. Click **Next**. -7. Click **Next** on the **Select features** page. -8. Click **Next** on the **Active Directory Federation Service** page. -9. Click **Install** to start the role installation. - -## Review & validate +## Review to validate the AD FS deployment Before you continue with the deployment, validate your deployment progress by reviewing the following items: -- Confirm the AD FS farm uses the correct database configuration. -- Confirm the AD FS farm has an adequate number of nodes and is properly load balanced for the anticipated load. -- Confirm **all** AD FS servers in the farm have the latest updates. -- Confirm all AD FS servers have a valid server authentication certificate. - - The subject of the certificate is the common name (FQDN) of the host or a wildcard name. - - The alternate name of the certificate contains a wildcard or the FQDN of the federation service. +> [!div class="checklist"] +> * Confirm the AD FS farm uses the correct database configuration +> * Confirm the AD FS farm has an adequate number of nodes and is properly load balanced for the anticipated load +> * Confirm **all** AD FS servers in the farm have the latest updates installed +> * Confirm all AD FS servers have a valid server authentication certificate -## Device Registration Service Account Prerequisite +## Device registration service account prerequisites -The service account used for the device registration server depends on the domain controllers in the environment. +The use of Group Managed Service Accounts (GMSA) is the preferred way to deploy service accounts for services that support them. GMSAs have security advantages over normal user accounts because Windows handles password management. This means the password is long, complex, and changes periodically. AD FS supports GMSAs, and it should be configured using them for additional security. ->[!NOTE] -> Follow the procedures below based on the domain controllers deployed in your environment. If the domain controller is not listed below, then it is not supported for Windows Hello for Business. +GSMA uses the *Microsoft Key Distribution Service* that is located on the domain controllers. Before you can create a GSMA, you must first create a root key for the service. You can skip this if your environment already uses GSMA. -### Windows Server 2012 or later Domain Controllers +### Create KDS Root Key -Windows Server 2012 or later domain controllers support Group Managed Service Accounts—the preferred way to deploy service accounts for services that support them. Group Managed Service Accounts, or GMSA have security advantages over normal user accounts because Windows handles password management. This means the password is long, complex, and changes periodically. The best part of GMSA is all this happens automatically. AD FS supports GMSA and should be configured using them for additional defense in depth security. +Sign-in a domain controller with *Enterprise Administrator* equivalent credentials. -GMSA uses the Microsoft Key Distribution Service that is located on Windows Server 2012 or later domain controllers. Windows uses the Microsoft Key Distribution Service to protect secrets stored and used by the GMSA. Before you can create a GMSA, you must first create a root key for the service. You can skip this if your environment already uses GMSA. - ->[!NOTE] -> If the [default object creation quota for security principles](/openspecs/windows_protocols/ms-adts/d55ca655-109b-4175-902a-3e9d60833012) is set, you will need to change it for the Group Managed Service Account in order to be able to register new devices. - -#### Create KDS Root Key - -Sign-in a domain controller with _Enterprise Admin_ equivalent credentials. - -1. Start an elevated Windows PowerShell console. -2. Type `Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)`. - -### Windows Server 2008 or 2008 R2 Domain Controllers - -Windows Server 2008 and 2008 R2 domain controllers do not host the Microsoft Key Distribution Service, nor do they support Group Managed Service Accounts. Therefore, you must use create a normal user account as a service account where you are responsible for changing the password on a regular basis. - -#### Create an AD FS Service Account - -Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials. - -1. Open **Active Directory Users and Computers**. -2. Right-click the **Users** container, Click **New**. Click **User**. -3. In the **New Object – User** window, type **adfssvc** in the **Full name** text box. Type **adfssvc** in the **User logon name** text box. Click **Next**. -4. Enter and confirm a password for the **adfssvc** user. Clear the **User must change password at next logon** check box. -5. Click **Next** and then click **Finish**. +Start an elevated PowerShell console and execute the following command: +```PowerShell +Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10) +``` ## Configure the Active Directory Federation Service Role ->[!IMPORTANT] -> Follow the procedures below based on the domain controllers deployed in your environment. If the domain controller is not listed below, then it is not supported for Windows Hello for Business. +Use the following procedures to configure AD FS. -### Windows Server 2012 or later Domain Controllers +Sign-in to the federation server with *Domain Administrator* equivalent credentials. These procedures assume you are configuring the first federation server in a federation server farm. -Use the following procedures to configure AD FS when your environment uses **Windows Server 2012 or later Domain Controllers**. If you are not using Windows Server 2012 or later Domain Controllers, follow the procedures under the [Configure the Active Directory Federation Service Role (Windows Server 2008 or 2008R2 Domain Controllers)](#windows-server-2008-or-2008-r2-domain-controllers) section. - -Sign-in the federation server with _domain administrator_ equivalent credentials. These procedures assume you are configuring the first federation server in a federation server farm. - -1. Start **Server Manager**. -2. Click the notification flag in the upper right corner. Click **Configure federation services on this server**. -![Example of pop-up notification as described above.](images/hello-adfs-configure-2012r2.png) -3. On the **Welcome** page, click **Create the first federation server farm** and click **Next**. -4. Click **Next** on the **Connect to Active Directory Domain Services** page. -5. On the **Specify Service Properties** page, select the recently enrolled or imported certificate from the **SSL Certificate** list. The certificate is likely named after your federation service, such as *fs.corp.contoso.com* or *fs.contoso.com*. -6. Select the federation service name from the **Federation Service Name** list. -7. Type the Federation Service Display Name in the text box. This is the name users see when signing in. Click **Next**. -8. On the **Specify Service Account** page, select **Create a Group Managed Service Account**. In the **Account Name** box, type **adfssvc**. -9. On the **Specify Configuration Database** page, select **Create a database on this server using Windows Internal Database** and click **Next**. -10. On the **Review Options** page, click **Next**. -11. On the **Pre-requisite Checks** page, click **Configure**. -12. When the process completes, click **Close**. - -### Windows Server 2008 or 2008 R2 Domain Controllers - -Use the following procedures to configure AD FS when your environment uses **Windows Server 2008 or 2008 R2 Domain Controllers**. If you are not using Windows Server 2008 or 2008 R2 Domain Controllers, follow the procedures under the [Configure the Active Directory Federation Service Role (Windows Server 2012 or later Domain Controllers)](#windows-server-2012-or-later-domain-controllers) section. - -Sign-in the federation server with _domain administrator_ equivalent credentials. These instructions assume you are configuring the first federation server in a federation server farm. - -1. Start **Server Manager**. -2. Click the notification flag in the upper right corner. Click **Configure federation services on this server**. -![Example of pop-up notification as described above.](images/hello-adfs-configure-2012r2.png) -3. On the **Welcome** page, click **Create the first federation server farm** and click **Next**. -4. Click **Next** on the **Connect to Active Directory Domain Services** page. -5. On the **Specify Service Properties** page, select the recently enrolled or imported certificate from the **SSL Certificate** list. The certificate is likely named after your federation service, such as fs.corp.mstepdemo.net or fs.mstepdemo.net. -6. Select the federation service name from the **Federation Service Name** list. -7. Type the Federation Service Display Name in the text box. This is the name users see when signing in. Click **Next**. -8. On the **Specify Service Account** page, Select **Use an existing domain user account or group Managed Service Account** and click **Select**. In the **Select User or Service Account** dialog box, type the name of the previously created AD FS service account (example adfssvc) and click **OK**. Type the password for the AD FS service account and click **Next**. -9. On the **Specify Configuration Database** page, select **Create a database on this server using Windows Internal Database** and click **Next**. -10. On the **Review Options** page, click **Next**. -11. On the **Pre-requisite Checks** page, click **Configure**. -12. When the process completes, click **Close**. -13. Do not restart the AD FS server. You will do this later. - -### Add the AD FS Service account to the KeyCredential Admin group and the Windows Hello for Business Users group +1. Start **Server Manager** +1. Select the notification flag in the upper right corner and select **Configure the federation services on this server** +1. On the **Welcome** page, select **Create the first federation server farm > Next** +1. On the **Connect to Active Directory Domain Services** page, select **Next** +1. On the **Specify Service Properties** page, select the recently enrolled or imported certificate from the **SSL Certificate** list. The certificate is likely named after your federation service, such as *sts.corp.contoso.com* +1. Select the federation service name from the **Federation Service Name** list +1. Type the *Federation Service Display Name* in the text box. This is the name users see when signing in. Select **Next** +1. On the **Specify Service Account** page, select **Create a Group Managed Service Account**. In the **Account Name** box, type *adfssvc* +1. On the **Specify Configuration Database** page, select **Create a database on this server using Windows Internal Database** and select **Next** +1. On the **Review Options** page, select **Next** +1. On the **Pre-requisite Checks** page, select **Configure** +1. When the process completes, select **Close** > [!NOTE] -> If you have a Windows Server 2016 domain controller in your domain, you can use the **Key Admins** group instead of **KeyCredential Administrators** and skip the **Configure Permissions for Key Registration** step. +> For AD FS 2019 and later in a certificate trust model, a known PRT issue exists. You may encounter this error in AD FS Admin event logs: Received invalid Oauth request. The client 'NAME' is forbidden to access the resource with scope 'ugs'. To remediate this error: +> +> 1. Launch AD FS management console. Browse to ***Services > Scope Descriptions** +> 2. Right-click **Scope Descriptions** and select **Add Scope Description** +> 3. Under name type *ugs* and select **Apply > OK** +> 4. Launch PowerShell as an administrator and execute the following commands: +> ```PowerShell +> $id = (Get-AdfsApplicationPermission -ServerRoleIdentifiers 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope' | ?{ $_.ClientRoleIdentifier -eq '38aa3b87-a06d-4817-b275-7a316988d93b' }).ObjectIdentifier +> Set-AdfsApplicationPermission -TargetIdentifier $id -AddScope 'ugs' +> ``` +> 7. Restart the AD FS service +> 8. Restart the client. User should be prompted to provision Windows Hello for Business -The **KeyCredential Administrators** global group provides the AD FS service with the permissions needed to perform key registration. The Windows Hello for Business group provides the AD FS service with the permissions needed to enroll a Windows Hello for Business authentication certificate on behalf of the provisioning user. +### Add the AD FS service account to the *Key Admins* group -Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials. +During Windows Hello for Business enrollment, the public key is registered in an attribute of the user object in Active Directory. To ensure that the AD FS service can add and remove keys are part of its normal workflow, it must be a member of the *Key Admins* global group. -1. Open **Active Directory Users and Computers**. -2. Click the **Users** container in the navigation pane. -3. Right-click **KeyCredential Admins** in the details pane and click **Properties**. -4. Click the **Members** tab and click **Add…** -5. In the **Enter the object names to select** text box, type **adfssvc**. Click **OK**. -6. Click **OK** to return to **Active Directory Users and Computers**. -7. Right-click **Windows Hello for Business Users** group -8. Click the **Members** tab and click **Add…** -9. In the **Enter the object names to select** text box, type **adfssvc**. Click **OK**. -10. Click **OK** to return to **Active Directory Users and Computers**. -11. Change to server hosting the AD FS role and restart it. +Sign-in to a domain controller or management workstation with *Domain Administrator* equivalent credentials. -### Configure Permissions for Key Registration +1. Open **Active Directory Users and Computers** +1. Select the **Users** container in the navigation pane +1. Right-click **Key Admins** in the details pane and select **Properties** +1. Select the **Members > Add…** +1. In the **Enter the object names to select** text box, type *adfssvc*. Select **OK** +1. Select **OK** to return to **Active Directory Users and Computers** +1. Change to server hosting the AD FS role and restart it -Key Registration stores the Windows Hello for Business public key in Active Directory. With on-premises deployments, the Windows Server 2016 AD FS server registers the public key with the on-premises Active Directory. +Sign-in to the federation server with *Enterprise Administrator* equivalent credentials. These instructions assume you are configuring the first federation server in a federation server farm. -The key-trust model needs Windows Server 2016 domain controllers, which configures the key registration permissions automatically; however, the certificate-trust model does not and requires you to add the permissions manually. +1. Open the **AD FS management** console +1. In the navigation pane, expand **Service**. Select **Device Registration** +1. In the details pane, select **Configure device registration** +1. In the **Configure Device Registration** dialog, Select **OK** -Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials. +:::image type="content" source="images/adfs-device-registration.png" lightbox="images/adfs-device-registration.png" alt-text="AD FS device registration: configuration of the service connection point."::: -1. Open **Active Directory Users and Computers**. -2. Right-click your domain name from the navigation pane and click **Properties**. -3. Click **Security** (if the Security tab is missing, turn on Advanced Features from the View menu). -4. Click **Advanced**. Click **Add**. Click **Select a principal**. -5. The **Select User, Computer, Service Account, or Group** dialog box appears. In the **Enter the object name to select** text box, type **KeyCredential Admins**. Click **OK**. -6. In the **Applies to** list box, select **Descendant User objects**. -7. Using the scroll bar, scroll to the bottom of the page and click **Clear all**. -8. In the **Properties** section, select **Read msDS-KeyCredentialLink** and **Write msDS-KeyCrendentialLink**. -9. Click **OK** three times to complete the task. +Triggering device registration from AD FS, creates the service connection point (SCP) in the Active Directory configuration partition. The SCP is used to store the device registration information that Windows clients will automatically discover. -## Configure the Device Registration Service +:::image type="content" source="images/adfs-scp.png" lightbox="images/adfs-scp.png" alt-text="AD FS device registration: service connection point object created by AD FS."::: -Sign-in the federation server with _Enterprise Admin_ equivalent credentials. These instructions assume you are configuring the first federation server in a federation server farm. - -1. Open the **AD FS management** console. -2. In the navigation pane, expand **Service**. Click **Device Registration**. -3. In the details pane, click **Configure Device Registration**. -4. In the **Configure Device Registration** dialog, click **OK**. - -## Review to validate +## Review to validate the AD FS and Active Directory configuration Before you continue with the deployment, validate your deployment progress by reviewing the following items: -* Confirm you followed the correct procedures based on the domain controllers used in your deployment. - * Windows Server 2012 or Windows Server 2012 R2 - * Windows Server 2008 or Windows Server 2008 R2 -* Confirm you have the correct service account based on your domain controller version. -* Confirm you properly installed the AD FS role on your Windows Server 2016 based on the proper sizing of your federation, the number of relying parties, and database needs. -* Confirm you used a certificate with the correct names as the server authentication certificate. - * Record the expiration date of the certificate and set a renewal reminder at least six weeks before it expires that includes the: - * Certificate serial number - * Certificate thumbprint - * Common name of the certificate - * Subject alternate name of the certificate - * Name of the physical host server - * The issued date - * The expiration date - * Issuing CA Vendor (if a third-party certificate) -* Confirm you granted the AD FS service allow read and write permissions to the ms-DSKeyCredentialLink Active Directory attribute. -* Confirm you enabled the Device Registration service. -## Prepare and Deploy AD FS Registration Authority +> [!div class="checklist"] +> * Record the information about the AD FS certificate, and set a renewal reminder at least six weeks before it expires. Relevant information includes: certificate serial number, thumbprint, common name, subject alternate name, name of the physical host server, the issued date, the expiration date, and issuing CA vendor (if a third-party certificate) +> * Confirm you added the AD FS service account to the KeyAdmins group +> * Confirm you enabled the Device Registration service -A registration authority is a trusted authority that validates certificate request. Once it validates the request, it presents the request to the certificate authority for issuance. The certificate authority issues the certificate, returns it to the registration authority, which returns the certificate to the requesting user. The Windows Hello for Business on-premises certificate-based deployment uses the Active Directory Federation Server (AD FS) as the certificate registration authority. +## Configure the certificate registration authority -### Configure Registration Authority template +The Windows Hello for Business on-premises certificate-based deployment uses AD FS as the certificate registration authority (CRA). The registration authority is responsible for issuing certificates to users and devices. The registration authority is also responsible for revoking certificates when users or devices are removed from the environment. -The certificate registration authority enrolls for an enrollment agent certificate. Once the registration authority verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the certificate authority. The Windows Hello for Business Authentication certificate template is configured to only issue certificates to certificate requests that have been signed with an enrollment agent certificate. The certificate authority only issues a certificate for that template if the registration authority signs the certificate request. +Sign-in the AD FS server with *domain administrator* equivalent credentials. -The registration authority template you configure depends on the AD FS service configuration, which depends on the domain controllers the environment uses for authentication. +Open a **Windows PowerShell** prompt and type the following command: ->[!IMPORTANT] ->Follow the procedures below based on the domain controllers deployed in your environment. If the domain controller is not listed below, then it is not supported for Windows Hello for Business. - -#### Windows 2012 or later domain controllers - -Sign-in a certificate authority or management workstations with _domain administrator_ equivalent credentials. - -1. Open the **Certificate Authority Management** console. -2. Right-click **Certificate Templates** and click **Manage**. -3. In the **Certificate Template Console**, right click on the **Exchange Enrollment Agent (Offline request)** template details pane and click **Duplicate Template**. -4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. -5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise’s needs. -6. On the **Subject** tab, select the **Supply in the request** button if it is not already selected. - - > [!NOTE] - > The preceding step is very important. Group Managed Service Accounts (GMSA) do not support the Build from this Active Directory information option and will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with Supply in the request to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate. - -7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. -8. On the **Security** tab, click **Add**. -9. Click **Object Types**. Select the **Service Accounts** check box and click **OK**. -10. Type **adfssvc** in the **Enter the object names to select** text box and click **OK**. -11. Click the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section, In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission. Excluding the **adfssvc** user, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**. -12. Close the console. - -#### Windows 2008 or 2008R2 domain controllers - -Sign-in a certificate authority or management workstations with _Domain Admin_ equivalent credentials. - -1. Open the **Certificate Authority** management console. -2. Right-click **Certificate Templates** and click **Manage**. -3. In the **Certificate Template** console, right-click the **Exchange Enrollment Agent** template in the details pane and click **Duplicate Template**. -4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. -5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise’s needs. -6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**. -7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. -8. On the **Security** tab, click **Add**. Type **adfssvc** in the **Enter the object names to select text box** and click **OK**. -9. Click the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission. Excluding the **adfssvc** user, clear the **Allow** check boxes for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**. -10. Close the console. - -### Configure the Windows Hello for Business Authentication Certificate template - -During Windows Hello for Business provisioning, the Windows 10, version 1703 client requests an authentication certificate from the Active Directory Federation Service, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You use the name of the certificate template when configuring. - -Sign-in a certificate authority or management workstations with _domain administrator equivalent_ credentials. - -1. Open the **Certificate Authority** management console. -2. Right-click **Certificate Templates** and click **Manage**. -3. Right-click the **Smartcard Logon** template and choose **Duplicate Template**. -4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. -5. On the **General** tab, type **WHFB Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise’s needs. - > [!NOTE] - > If you use different template names, you’ll need to remember and substitute these names in different portions of the deployment. -6. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. -7. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**. -8. On the **Issuance Requirements** tab, select the T**his number of authorized signatures** check box. Type **1** in the text box. - Select **Application policy** from the **Policy type required in signature**. Select **Certificate Request Agent** from in the **Application policy** list. Select the **Valid existing certificate** option. -9. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**. -10. On the **Request Handling** tab, select the **Renew with same key** check box. -11. On the **Security** tab, click **Add**. Type **Window Hello for Business Users** in the **Enter the object names to select** text box and click **OK**. -12. Click the **Windows Hello for Business Users** from the **Group or users names** list. In the **Permissions for Windows Hello for Business Users** section, select the **Allow** check box for the **Enroll** permission. Excluding the **Windows Hello for Business Users** group, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**. -13. If you previously issued Windows Hello for Business sign-in certificates using Configuration Manger and are switching to an AD FS registration authority, then on the **Superseded Templates** tab, add the previously used **Windows Hello for Business Authentication** template(s), so they will be superseded by this template for the users that have Enroll permission for this template. -14. Click on the **Apply** to save changes and close the console. - -#### Mark the template as the Windows Hello Sign-in template - -Sign-in to an **AD FS Windows Server 2016** computer with _enterprise administrator_ equivalent credentials. - -1. Open an elevated command prompt. -2. Run `certutil –dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY`. - ->[!NOTE] ->If you gave your Windows Hello for Business Authentication certificate template a different name, then replace **WHFBAuthentication** in the above command with the name of your certificate template. It’s important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on our Windows Server 2012 or later certificate authority. - -### Publish Enrollment Agent and Windows Hello For Business Authentication templates to the Certificate Authority - -Sign-in a certificate authority or management workstations with _Enterprise Admin_ equivalent credentials. - -1. Open the **Certificate Authority** management console. -2. Expand the parent node from the navigation pane. -3. Click **Certificate Templates** in the navigation pane. -4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template to issue**. -5. In the **Enable Certificates Templates** window, select the **WHFB Enrollment Agent** template you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority. -6. Publish the **WHFB Authentication** certificate template using step 5. -7. Close the console. - -### Configure the Registration Authority - -Sign-in the AD FS server with domain administrator equivalent credentials. - -1. Open a **Windows PowerShell** prompt. -2. Type the following command - ```PowerShell Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplate WHFBEnrollmentAgent -WindowsHelloCertificateTemplate WHFBAuthentication ``` >[!NOTE] - > If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace **WHFBEnrollmentAgent** and WHFBAuthentication in the above command with the name of your certificate templates. It’s important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the **Certificate Template** management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on a Windows Server 2012 or later certificate authority. + > If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace *WHFBEnrollmentAgent* and *WHFBAuthentication* in the above command with the name of your certificate templates. -### Enrollment Agent Certificate Enrollment +### Enrollment agent certificate enrollment -Active Directory Federation Server used for Windows Hello for Business certificate enrollment perform their own certificate lifecycle management. Once the registration authority is configured with the proper certificate template, the AD FS server attempts to enroll the certificate on the first certificate request or when the service first starts. +AD FS performs its own certificate lifecycle management. Once the registration authority is configured with the proper certificate template, the AD FS server attempts to enroll the certificate on the first certificate request or when the service first starts. -Approximately 60 days prior to enrollment agent certificate’s expiration, the AD FS service attempts to renew the certificate until it is successful. If the certificate fails to renew, and the certificate expires, the AD FS server will request a new enrollment agent certificate. You can view the AD FS event logs to determine the status of the enrollment agent certificate. +Approximately 60 days prior to enrollment agent certificate's expiration, the AD FS service attempts to renew the certificate until it is successful. If the certificate fails to renew, and the certificate expires, the AD FS server will request a new enrollment agent certificate. You can view the AD FS event logs to determine the status of the enrollment agent certificate. -### Service Connection Point (SCP) in Active Directory for ADFS Device Registration Service +## Additional federation servers -> [!NOTE] -> Normally this script is not needed, as enabling Device Registration via the ADFS Management console already creates the objects. You can validate the SCP using the script below. For detailed information about the Device Registration Service, see [Configuring Device Registration](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn614658(v=ws.11)). +Organizations should deploy more than one federation server in their federation farm for high-availability. You should have a minimum of two federation services in your AD FS farm, however most organizations are likely to have more. This largely depends on the number of devices and users using the services provided by the AD FS farm. -Now you will add the Service connection Point to ADFS device registration Service for your Active directory by running the following script: +### Server authentication certificate -> [!TIP] -> Make sure to change the $enrollmentService and $configNC variables before running the script. +Each server you add to the AD FS farm must have a proper server authentication certificate. Refer to the [Enroll for a TLS Server Authentication Certificate](#enroll-for-a-tls-server-authentication-certificate) section of this document to determine the requirements for your server authentication certificate. As previously stated, AD FS servers used exclusively for on-premises deployments of Windows Hello for Business can use enterprise server authentication certificates rather than server authentication certificates issued by public certificate authorities. -```powershell -# Replace this with your Device Registration Service endpoint -$enrollmentService = "enterpriseregistration.contoso.com" -# Replace this with your Active Directory configuration naming context -$configNC = "CN=Configuration,DC=corp,DC=contoso,DC=org" - -$de = New-Object System.DirectoryServices.DirectoryEntry -$de.Path = "LDAP://CN=Device Registration Configuration,CN=Services," + $configNC - -$deSCP = $de.Children.Add("CN=62a0ff2e-97b9-4513-943f-0d221bd30080", "serviceConnectionPoint") -$deSCP.Properties["keywords"].Add("enterpriseDrsName:" + $enrollmentService) -$deSCP.CommitChanges() -``` - ->[!NOTE] -> You can save the modified script in notepad and save them as "add-scpadfs.ps1" and the way to run it is just navigating into the script path folder and running .\add-scpAdfs.ps1. -> - -## Additional Federation Servers - -Organizations should deploy more than one federation server in their federation farm for high-availability. You should have a minimum of two federation services in your AD FS farm, however most organizations are likely to have more. This largely depends on the number of devices and users using the services provided by the AD FS farm. - -### Server Authentication Certificate - -Each server you add to the AD FS farm must have a proper server authentication certificate. Refer to the [Enroll for a TLS Server Authentication Certificate](#enroll-for-a-tls-server-authentication-certificate) section of this document to determine the requirements for your server authentication certificate. As previously stated, AD FS servers used exclusively for on-premises deployments of Windows Hello for Business can use enterprise server authentication certificates rather than server authentication certificates issued by public certificate authorities. - -### Install Additional Servers +### Install additional servers Adding federation servers to the existing AD FS farm begins with ensuring the server are fully patched, to include Windows Server 2016 Update needed to support Windows Hello for Business deployments (https://aka.ms/whfbadfs1703). Next, install the Active Directory Federation Service role on the additional servers and then configure the server as an additional server in an existing farm. -## Load Balance AD FS Federation Servers +## Load balance AD FS -Many environments load balance using hardware devices. Environments without hardware load-balancing capabilities can take advantage the network load-balancing feature included in Windows Server to load balance the AD FS servers in the federation farm. Install the Windows Network Load Balancing feature on all nodes participating in the AD FS farm that should be load balanced. +Many environments load balance using hardware devices. Environments without hardware load-balancing capabilities can take advantage the network load-balancing feature included in Windows Server to load balance the AD FS servers in the federation farm. Install the Windows Network Load Balancing feature on all nodes participating in the AD FS farm that should be load balanced. ### Install Network Load Balancing Feature on AD FS Servers -Sign-in the federation server with _Enterprise Admin_ equivalent credentials. +Sign-in the federation server with *Enterprise Administrator* equivalent credentials. -1. Start **Server Manager**. Click **Local Server** in the navigation pane. -2. Click **Manage** and then click **Add Roles and Features**. -3. Click **Next** On the **Before you begin** page. -4. On the **Select installation type** page, select **Role-based or feature-based installation** and click **Next**. -5. On the **Select destination server** page, choose **Select a server from the server pool**. Select the federation server from the **Server Pool** list. Click **Next**. -6. On the **Select server roles** page, click **Next**. -7. Select **Network Load Balancing** on the **Select features** page. -8. Click **Install** to start the feature installation. - ![Feature selection screen with NLB selected.](images/hello-nlb-feature-install.png) +1. Start **Server Manager**. Select **Local Server** in the navigation pane +1. Select **Manage** and then select **Add Roles and Features** +1. Select **Next** On the **Before you begin** page +1. On the **Select installation type** page, select **Role-based or feature-based installation** and select **Next** +1. On the **Select destination server** page, choose **Select a server from the server pool**. Select the federation server from the **Server Pool** list. Select **Next** +1. On the **Select server roles** page, select **Next** +1. Select **Network Load Balancing** on the **Select features** page +1. Select **Install** to start the feature installation ### Configure Network Load Balancing for AD FS -Before you can load balance all the nodes in the AD FS farm, you must first create a new load balance cluster. Once you have created the cluster, then you can add new nodes to that cluster. +Before you can load balance all the nodes in the AD FS farm, you must first create a new load balance cluster. Once you have created the cluster, then you can add new nodes to that cluster. -Sign-in a node of the federation farm with _Admin_ equivalent credentials. +Sign-in a node of the federation farm with *Administrator* equivalent credentials. -1. Open **Network Load Balancing Manager** from **Administrative Tools**. - ![NLB Manager user interface.](images/hello-nlb-manager.png) -2. Right-click **Network Load Balancing Clusters**, and then click **New Cluster**. -3. To connect to the host that is to be a part of the new cluster, in the **Host** text box, type the name of the host, and then click **Connect**. - ![NLB Manager - Connect to new Cluster screen.](images/hello-nlb-connect.png) -4. Select the interface that you want to use with the cluster, and then click **Next**. (The interface hosts the virtual IP address and receives the client traffic to load balance.) -5. In **Host Parameters**, select a value in **Priority (Unique host identifier)**. This parameter specifies a unique ID for each host. The host with the lowest numerical priority among the current members of the cluster handles all of the cluster's network traffic that is not covered by a port rule. Click **Next**. -6. In **Cluster IP Addresses**, click **Add** and type the cluster IP address that is shared by every host in the cluster. NLB adds this IP address to the TCP/IP stack on the selected interface of all hosts that are chosen to be part of the cluster. Click **Next**. - ![NLB Manager - Add IP to New Cluster screen.](images/hello-nlb-add-ip.png) -7. In **Cluster Parameters**, select values in **IP Address** and **Subnet mask** (for IPv6 addresses, a subnet mask value is not needed). Type the full Internet name that users will use to access this NLB cluster. - ![NLB Manager - Cluster IP Configuration screen.](images/hello-nlb-cluster-ip-config.png) -8. In **Cluster operation mode**, click **Unicast** to specify that a unicast media access control (MAC) address should be used for cluster operations. In unicast mode, the MAC address of the cluster is assigned to the network adapter of the computer, and the built-in MAC address of the network adapter is not used. We recommend that you accept the unicast default settings. Click **Next**. -9. In Port Rules, click Edit to modify the default port rules to use port 443. - ![NLB Manager - Add\Edit Port Rule screen.](images/hello-nlb-cluster-port-rule.png) +1. Open **Network Load Balancing Manager** from **Administrative Tools** +1. Right-click **Network Load Balancing Clusters**, and then select **New Cluster** +1. To connect to the host that is to be a part of the new cluster, in the **Host** text box, type the name of the host, and then select **Connect** +1. Select the interface that you want to use with the cluster, and then select **Next** (the interface hosts the virtual IP address and receives the client traffic to load balance) +1. In **Host Parameters**, select a value in **Priority (Unique host identifier)**. This parameter specifies a unique ID for each host. The host with the lowest numerical priority among the current members of the cluster handles all of the cluster's network traffic that is not covered by a port rule. Select **Next** +1. In **Cluster IP Addresses**, select **Add** and type the cluster IP address that is shared by every host in the cluster. NLB adds this IP address to the TCP/IP stack on the selected interface of all hosts that are chosen to be part of the cluster. Select **Next** +1. In **Cluster Parameters**, select values in **IP Address** and **Subnet mask** (for IPv6 addresses, a subnet mask value is not needed). Type the full Internet name that users will use to access this NLB cluster +1. In **Cluster operation mode**, select **Unicast** to specify that a unicast media access control (MAC) address should be used for cluster operations. In unicast mode, the MAC address of the cluster is assigned to the network adapter of the computer, and the built-in MAC address of the network adapter is not used. We recommend that you accept the unicast default settings. Select **Next** +1. In Port Rules, select Edit to modify the default port rules to use port 443 ### Additional AD FS Servers -1. To add more hosts to the cluster, right-click the new cluster, and then click **Add Host to Cluster**. -2. Configure the host parameters (including host priority, dedicated IP addresses, and load weight) for the additional hosts by following the same instructions that you used to configure the initial host. Because you are adding hosts to an already configured cluster, all the cluster-wide parameters remain the same. - ![NLB Manager - Cluster with nodes.](images/hello-nlb-cluster.png) +1. To add more hosts to the cluster, right-click the new cluster, and then select **Add Host to Cluster** +1. Configure the host parameters (including host priority, dedicated IP addresses, and load weight) for the additional hosts by following the same instructions that you used to configure the initial host. Because you are adding hosts to an already configured cluster, all the cluster-wide parameters remain the same ## Configure DNS for Device Registration -Sign-in the domain controller or administrative workstation with domain administrator equivalent credentials. You’ll need the Federation service name to complete this task. You can view the federation service name by clicking **Edit Federation Service Properties** from the **Action** pan of the **AD FS** management console, or by using `(Get-AdfsProperties).Hostname.` (PowerShell) on the AD FS server. +Sign-in the domain controller or administrative workstation with domain administrator equivalent credentials.\ +You'll need the *federation service* name to complete this task. You can view the federation service name by selecting **Edit Federation Service Properties** from the **Action** pan of the **AD FS** management console, or by using `(Get-AdfsProperties).Hostname.` (PowerShell) on the AD FS server. -1. Open the **DNS Management** console. -2. In the navigation pane, expand the domain controller name node and **Forward Lookup Zones**. -3. In the navigation pane, select the node that has the name of your internal Active Directory domain name. -4. In the navigation pane, right-click the domain name node and click **New Host (A or AAAA)**. -5. In the **name** box, type the name of the federation service. In the **IP address** box, type the IP address of your federation server. Click **Add Host**. -6. Close the DNS Management console. +1. Open the **DNS Management** console +1. In the navigation pane, expand the domain controller name node and **Forward Lookup Zones** +1. In the navigation pane, select the node that has the name of your internal Active Directory domain name +1. In the navigation pane, right-click the domain name node and select **New Host (A or AAAA)** +1. In the **name** box, type the name of the federation service. In the **IP address** box, type the IP address of your federation server. Select **Add Host** +1. Right-click the `` node and select **New Alias (CNAME)** +1. In the **New Resource Record** dialog box, type `enterpriseregistration` in the **Alias** name box +1. In the **fully qualified domain name (FQDN)** of the target host box, type `federation_service_farm_name. [!NOTE] +> If your forest has multiple UPN suffixes, please make sure that `enterpriseregistration.` is present for each suffix. ## Configure the Intranet Zone to include the federation service -The Windows Hello provisioning presents web pages from the federation service. Configuring the intranet zone to include the federation service enables the user to authenticate to the federation service using integrated authentication. Without this setting, the connection to the federation service during Windows Hello provisioning prompts the user for authentication. +The Windows Hello provisioning presents web pages from the federation service. Configuring the intranet zone to include the federation service enables the user to authenticate to the federation service using integrated authentication. Without this setting, the connection to the federation service during Windows Hello provisioning prompts the user for authentication. ### Create an Intranet Zone Group Policy -Sign-in the domain controller or administrative workstation with _Domain Admin_ equivalent credentials: - -1. Start the **Group Policy Management Console** (gpmc.msc). -2. Expand the domain and select the **Group Policy Object** node in the navigation pane. -3. Right-click **Group Policy object** and select **New**. -4. Type **Intranet Zone Settings** in the name box and click **OK**. -5. In the content pane, right-click the **Intranet Zone Settings** Group Policy object and click **Edit**. -6. In the navigation pane, expand **Policies** under **Computer Configuration**. -7. Expand **Administrative Templates > Windows Component > Internet Explorer > Internet Control Panel**, and select **Security Page**. -8. In the content pane, double-click **Site to Zone Assignment List**. Click **Enable**. -9. Click **Show**. In the **Value Name** column, type the url of the federation service beginning with https. In the **Value** column, type the number **1**. Click OK twice, then close the Group Policy Management Editor. +Sign-in the domain controller or administrative workstation with _Domain Admin_ equivalent credentials +1. Start the **Group Policy Management Console** (gpmc.msc) +1. Expand the domain and select the **Group Policy Object** node in the navigation pane +1. Right-click **Group Policy object** and select **New** +1. Type **Intranet Zone Settings** in the name box and select **OK** +1. In the content pane, right-click the **Intranet Zone Settings** Group Policy object and select **Edit** +1. In the navigation pane, expand **Policies** under **Computer Configuration** +1. Expand **Administrative Templates > Windows Component > Internet Explorer > Internet Control Panel >Security Page**. Open **Site to Zone Assignment List** +1. Select **Enable > Show**. In the **Value Name** column, type the url of the federation service beginning with https. In the **Value** column, type the number **1**. Select OK twice, then close the Group Policy Management Editor ### Deploy the Intranet Zone Group Policy object -1. Start the **Group Policy Management Console** (gpmc.msc). -2. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click **Link an existing GPO…** -3. In the **Select GPO** dialog box, select **Intranet Zone Settings** or the name of the Windows Hello for Business Group Policy object you previously created and click **OK**. +1. Start the **Group Policy Management Console** (gpmc.msc) +1. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and select **Link an existing GPO…** +1. In the **Select GPO** dialog box, select **Intranet Zone Settings** or the name of the Windows Hello for Business Group Policy object you previously created and select **OK** -## Review +## Review to validate the configuration Before you continue with the deployment, validate your deployment progress by reviewing the following items: -* Confirm you configured the correct enrollment agent certificate template based on the type of AD FS service account. -* Confirm only the AD FS service account has the allow enroll permission for the enrollment agent certificate template. -* Consider using an HSM to protect the enrollment agent certificate; however, understand the frequency and quantity of signature operations the enrollment agent server makes and understand the impact it has on overall performance. -* Confirm you properly configured the Windows Hello for Business authentication certificate template—to include: - * Issuance requirements of an authorized signature from a certificate request agent. - * The certificate template was properly marked as a Windows Hello for Business certificate template using certutil.exe. - * The Windows Hello for Business Users group, or equivalent has the allow enroll permissions. -* Confirm all certificate templates were properly published to the appropriate issuing certificate authorities. -* Confirm the AD FS service account has the allow enroll permission for the Windows Hello Business authentication certificate template. -* Confirm the AD FS certificate registration authority is properly configured using the `Get-AdfsCertificateAuthority` Windows PowerShell cmdlet. -* Confirm you restarted the AD FS service. -* Confirm you properly configured load-balancing (hardware or software). -* Confirm you created a DNS A Record for the federation service and the IP address used is the load-balanced IP address -* Confirm you created and deployed the Intranet Zone settings to prevent double authentication to the federation server. -## Validating your work - -You need to verify the AD FS service has properly enrolled for an enrollment agent certificate template. You can verify this is a variety ways, depending on if your service account is a normal user account or if the service account is a group managed service account. - -> [!IMPORTANT] -> After following the previous steps, if you are unable to validate that the devices are, in fact, being registered automatically, there is a Group Policy at: -> **Computer Configuration > Policies > Administrative Templates > Windows Components > Device Registration >** "Register Domain Joined Computers As Devices". Set the policy to **Enabled** -> and the registration will happen automatically. +> [!div class="checklist"] +> * Confirm only the AD FS service account has the allow enroll permission for the enrollment agent certificate template +> * Consider using an HSM to protect the enrollment agent certificate; however, understand the frequency and quantity of signature operations the enrollment agent server makes and understand the impact it has on overall performance +> * Confirm you properly configured the Windows Hello for Business authentication certificate template +> * Confirm all certificate templates were properly published to the appropriate issuing certificate authorities +> * Confirm the AD FS service account has the allow enroll permission for the Windows Hello Business authentication certificate template +> * Confirm the AD FS certificate registration authority is properly configured using the `Get-AdfsCertificateAuthority` Windows PowerShell cmdlet +> Confirm you restarted the AD FS service +> * Confirm you properly configured load-balancing (hardware or software) +> * Confirm you created a DNS A Record for the federation service and the IP address used is the load-balanced IP address +> * Confirm you created and deployed the Intranet Zone settings to prevent double authentication to the federation server. ### Event Logs -Use the event logs on the AD FS service to confirm the service account enrolled for an enrollment agent certificate. First, look for the AD FS event ID 443 that confirms certificate enrollment cycle has finished. Once confirmed the AD FS certificate enrollment cycle completed review the CertificateLifecycle-User event log. In this event log, look for event ID 1006, which indicates a new certificate was installed. Details of the event log should show: +Use the event logs on the AD FS service to confirm the service account enrolled for an enrollment agent certificate. First, look for the AD FS event ID 443 that confirms certificate enrollment cycle has finished. Once confirmed the AD FS certificate enrollment cycle completed review the *CertificateLifecycle-User* event log. In this event log, look for event ID 1006, which indicates a new certificate was installed. Details of the event log should show: -* The account name under which the certificate was enrolled. -* The action, which should read enroll. -* The thumbprint of the certificate -* The certificate template used to issue the certificate. +- The account name under which the certificate was enrolled +- The action, which should read enroll +-_ The thumbprint of the certificate +- The certificate template used to issue the certificate -### Normal Service Account +You cannot use the Certificate Manager to view enrolled certificates for group managed service accounts. Use the event log information to confirm the AD FS service account enrolled a certificate. Use certutil.exe to view the details of the certificate shown in the event log. -When using a normal service account, use the Microsoft Management Console (mmc.exe) and load the Certificate Manager snap-in for the service account and verify. +Group managed service accounts use user profiles to store user information, which included enrolled certificates. On the AD FS server, use a command prompt and navigate to `%systemdrive%\users\\appdata\roaming\Microsoft\systemcertificates\my\certificates`. -### Group Managed Service Account +Each file in this folder represents a certificate in the service account's Personal store (You may need to use `dir.exe /A` to view the files in the folder). Match the thumbprint of the certificate from the event log to one of the files in this folder. That file is the certificate. Use the `Certutil -q ` to view the basic information about the certificate. -You cannot use the Certificate Manager to view enrolled certificates for group managed service accounts. Use the event log information to confirm the AD FS service account enrolled a certificate. Use certutil.exe to view the details of the certificate now shown in the event log. +For detailed information about the certificate, use `Certutil -q -v `. -Group managed service accounts use user profiles to store user information, which included enrolled certificates. On the AD FS server, use a command prompt and navigate to `%systemdrive%\users\\appdata\roaming\Microsoft\systemcertificates\my\certificates` . - -Each file in this folder represents a certificate in the service account’s Personal store (You may need to use DIR /A to view the files in the folder). Match the thumbprint of the certificate from the event log to one of the files in this folder. That file is the certificate. Use the `Certutil -q ` to view the basic information about the certificate. - -For detailed information about the certificate, use `Certutil -q -v ` . - -## Follow the Windows Hello for Business on premises certificate trust deployment guide - -1. [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md) -2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md) -3. Prepare and Deploy Windows Server 2016 Active Directory Federation Services (*You are here*) -4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) -5. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md) \ No newline at end of file +> [!div class="nextstepaction"] +> [Next: validate and deploy multi-factor authentication (MFA)](hello-cert-trust-validate-deploy-mfa.md) \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md index 3b8de8ea72..870fc37596 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md @@ -1,155 +1,128 @@ --- -title: Configure Windows Hello for Business Policy settings - certificate trust -description: Configure Windows Hello for Business Policy settings for Windows Hello for Business. Certificate-based deployments need three group policy settings. -ms.prod: windows-client +title: Configure Windows Hello for Business Policy settings in an on-premises certificate trust +description: Configure Windows Hello for Business Policy settings for Windows Hello for Business in an on-premises certificate trust scenario ms.collection: - - M365-identity-device-management - highpri -ms.topic: article -localizationpriority: medium -ms.date: 08/20/2018 -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: prsriva -manager: aaroncz +ms.date: 12/12/2022 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ On-premises deployments - - ✅ Certificate trust +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later +ms.topic: tutorial --- -# Configure Windows Hello for Business Policy settings - Certificate Trust +# Configure Windows Hello for Business group policy settings - on-premises certificate Trust -You need at least a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520). -Install the Remote Server Administration Tools for Windows on a computer running Windows 10, version 1703 or later. +[!INCLUDE [hello-on-premises-cert-trust](../../includes/hello-on-premises-cert-trust.md)] -On-premises certificate-based deployments of Windows Hello for Business needs three Group Policy settings: -* Enable Windows Hello for Business -* Use certificate for on-premises authentication -* Enable automatic enrollment of certificates +On-premises certificate-based deployments of Windows Hello for Business need three Group Policy settings: +- Enable Windows Hello for Business +- Use certificate for on-premises authentication +- Enable automatic enrollment of certificates -## Enable Windows Hello for Business Group Policy +## Enable Windows Hello for Business group policy setting -The Group Policy setting determines whether users are allowed, and prompted, to enroll for Windows Hello for Business. It can be configured for computers or users. +The group policy setting determines whether users are allowed, and prompted, to enroll for Windows Hello for Business. It can be configured for computers or users. -If you configure the Group Policy for computers, all users that sign-in to those computers will be allowed and prompted to enroll for Windows Hello for Business. If you configure the Group Policy for users, only those users will be allowed and prompted to enroll for Windows Hello for Business . +If you configure the group policy for computers, all users that sign-in to those computers will be allowed and prompted to enroll for Windows Hello for Business. If you configure the group policy for users, only those users will be allowed and prompted to enroll for Windows Hello for Business. -## Use certificate for on-premises authentication +## Use certificate for on-premises authentication group policy setting -The Use certificate for on-premises authentication Group Policy setting determines if the on-premises deployment uses the key-trust or certificate trust on-premises authentication model. You must configure this Group Policy setting to configure Windows to enroll for a Windows Hello for Business authentication certificate. If you do not configure this policy setting, Windows considers the deployment to use key-trust on-premises authentication, which requires a sufficient number of Windows Server 2016 domain controllers to handle the Windows Hello for Business key-trust authentication requests. +The group policy setting determines if the on-premises deployment uses the key-trust or certificate trust on-premises authentication model. You must configure this group policy setting to configure Windows to enroll for a Windows Hello for Business authentication certificate. If you do not configure this policy setting, Windows considers the deployment to use key-trust on-premises authentication. -You can configure this Group Policy setting for computer or users. Deploying this policy setting to computers results in ALL users requesting a Windows Hello for Business authentication certificate. Deploying this policy setting to a user results in only that user requesting a Windows Hello for Business authentication certificate. Additionally, you can deploy the policy setting to a group of users so only those users request a Windows Hello for Business authentication certificate. If both user and computer policy settings are deployed, the user policy setting has precedence. +You can configure this setting for computer or users. Deploying this setting to computers results in *all* users requesting a Windows Hello for Business authentication certificate. Deploying this policy setting to a user results in only that user requesting a Windows Hello for Business authentication certificate. Additionally, you can deploy the policy setting to a group of users so only those users request a Windows Hello for Business authentication certificate. If both user and computer policy settings are deployed, the user policy setting has precedence. -## Enable automatic enrollment of certificates +## Enable automatic enrollment of certificates group policy setting -Windows Hello for Business provisioning performs the initial enrollment of the Windows Hello for Business authentication certificate. This certificate expires based on the duration configured in the Windows Hello for Business authentication certificate template. The Windows 10, version 1703 certificate auto enrollment was updated to renew these certificates before they expire, which significantly reduces user authentication failures from expired user certificates. +Windows Hello for Business provisioning performs the initial enrollment of the Windows Hello for Business authentication certificate. This certificate expires based on the duration configured in the Windows Hello for Business authentication certificate template. The process requires no user interaction provided the user signs-in using Windows Hello for Business. The certificate is renewed in the background before it expires. -The process requires no user interaction provided the user signs-in using Windows Hello for Business. The certificate is renewed in the background before it expires. +## Create the GPO -## Create the Windows Hello for Business Group Policy object +Sign in to a domain controller or management workstations with *Domain Administrator* equivalent credentials. -The Group Policy object contains the policy settings needed to trigger Windows Hello for Business provisioning and to ensure Windows Hello for Business authentication certificates are automatically renewed. 1. Start the **Group Policy Management Console** (gpmc.msc) -2. Expand the domain and select the **Group Policy Object** node in the navigation pane. -3. Right-click **Group Policy object** and select **New**. -4. Type *Enable Windows Hello for Business* in the name box and click **OK**. -5. In the content pane, right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**. -6. In the navigation pane, expand **Policies** under **User Configuration** (this is the only option for Windows Server 2016, but for Windows Server 2019 and later this step can also be done in **Computer Configuration**). -7. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**. -8. In the content pane, double-click **Use Windows Hello for Business**. Click **Enable** and click **OK**. -9. Double-click **Use certificate for on-premises authentication**. Click **Enable** and click **OK**. Close the **Group Policy Management Editor**. +1. Expand the domain and select the **Group Policy Object** node in the navigation pane +1. Right-click **Group Policy object** and select **New** +1. Type *Enable Windows Hello for Business* in the name box and select **OK** +1. In the content pane, right-click the **Enable Windows Hello for Business** Group Policy object and select **Edit** +1. In the navigation pane, select **User Configuration > Policies > Administrative Templates > Windows Component > Windows Hello for Business** +1. In the content pane, double-click **Use Windows Hello for Business**. Select **Enable** and **OK** +1. Select **Use certificate for on-premises authentication > Enable > OK** +1. In the navigation pane, expand **Policies > User Configuration** +1. Expand **Windows Settings > Security Settings > Public Key Policies** +1. In the details pane, right-click **Certificate Services Client - Auto-Enrollment** and select **Properties** +1. Select **Enabled** from the **Configuration Model** list +1. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check box +1. Select the **Update certificates that use certificate templates** check box +1. Select **OK** and close the **Group Policy Management Editor**. -## Configure Automatic Certificate Enrollment - -1. Start the **Group Policy Management Console** (gpmc.msc). -2. Expand the domain and select the **Group Policy Object** node in the navigation pane. -3. Right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**. -4. In the navigation pane, expand **Policies** under **User Configuration** (this is the only option for Windows Server 2016, but for Windows Server 2019 and later this step can also be done in **Computer Configuration**). -5. Expand **Windows Settings > Security Settings**, and click **Public Key Policies**. -6. In the details pane, right-click **Certificate Services Client – Auto-Enrollment** and select **Properties**. -7. Select **Enabled** from the **Configuration Model** list. -8. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check box. -9. Select the **Update certificates that use certificate templates** check box. -10. Click **OK**. Close the **Group Policy Management Editor**. - -## Configure Security in the Windows Hello for Business Group Policy object +## Configure security in the Windows Hello for Business GPO The best way to deploy the Windows Hello for Business Group Policy object is to use security group filtering. The enables you to easily manage the users that should receive Windows Hello for Business by simply adding them to a group. This enables you to deploy Windows Hello for Business in phases. + +Sign in to a domain controller or management workstations with *Domain Administrator* equivalent credentials. + 1. Start the **Group Policy Management Console** (gpmc.msc) -2. Expand the domain and select the **Group Policy Object** node in the navigation pane. -3. Double-click the **Enable Windows Hello for Business** Group Policy object. -4. In the **Security Filtering** section of the content pane, click **Add**. Type *Windows Hello for Business Users* or the name of the security group you previously created and click **OK**. -5. Click the **Delegation** tab. Select **Authenticated Users** and click **Advanced**. -6. In the **Group or User names** list, select **Authenticated Users**. In the **Permissions for Authenticated Users** list, clear the **Allow** check box for the **Apply Group Policy** permission. Click **OK**. +1. Expand the domain and select the **Group Policy Object** node in the navigation pane +1. Double-click the **Enable Windows Hello for Business** Group Policy object +1. In the **Security Filtering** section of the content pane, select **Add**. Type *Windows Hello for Business Users* or the name of the security group you previously created and select **OK** +1. Select the **Delegation** tab. Select **Authenticated Users** and **Advanced** +1. In the **Group or User names** list, select **Authenticated Users**. In the **Permissions for Authenticated Users** list, clear the **Allow** check box for the **Apply Group Policy** permission. Select **OK** ## Deploy the Windows Hello for Business Group Policy object -The application of the Windows Hello for Business Group Policy object uses security group filtering. This enables you to link the Group Policy object at the domain, ensuring the Group Policy object is within scope to all users. However, the security group filtering ensures only the users included in the *Windows Hello for Business Users* global group receive and apply the Group Policy object, which results in the provisioning of Windows Hello for Business. -1. Start the **Group Policy Management Console** (gpmc.msc) -2. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click **Link an existing GPO…** -3. In the **Select GPO** dialog box, select **Enable Windows Hello for Business** or the name of the Windows Hello for Business Group Policy object you previously created and click **OK**. +The application of the Windows Hello for Business Group Policy object uses security group filtering. This solution enables you to link the Group Policy object at the domain level, ensuring the GPO is within scope to all users. However, the security group filtering ensures that only the users included in the *Windows Hello for Business Users* global group receive and apply the Group Policy object, which results in the provisioning of Windows Hello for Business. -Just to reassure, linking the **Windows Hello for Business** Group Policy object to the domain ensures the Group Policy object is in scope for all domain users. However, not all users will have the policy settings applied to them. Only users who are members of the Windows Hello for Business group receive the policy settings. All others users ignore the Group Policy object. +1. Start the **Group Policy Management Console** (gpmc.msc) +1. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and select **Link an existing GPO…** +1. In the **Select GPO** dialog box, select **Enable Windows Hello for Business** or the name of the Windows Hello for Business Group Policy object you previously created and select **OK** ## Other Related Group Policy settings -### Windows Hello for Business - There are other Windows Hello for Business policy settings you can configure to manage your Windows Hello for Business deployment. These policy settings are computer-based policy setting; so they are applicable to any user that sign-in from a computer with these policy settings. ### Use a hardware security device -The default configuration for Windows Hello for Business is to prefer hardware protected credentials; however, not all computers are able to create hardware protected credentials. When Windows Hello for Business enrollment encounters a computer that cannot create a hardware protected credential, it will create a software-based credential. +The default configuration for Windows Hello for Business is to prefer hardware protected credentials; however, not all computers are able to create hardware protected credentials. When Windows Hello for Business enrollment encounters a computer that cannot create a hardware protected credential, it will create a software-based credential. -You can enable and deploy the **Use a hardware security device** Group Policy Setting to force Windows Hello for Business to only create hardware protected credentials. Users that sign-in from a computer incapable of creating a hardware protected credential do not enroll for Windows Hello for Business. +You can enable and deploy the **Use a hardware security device** Group Policy Setting to force Windows Hello for Business to only create hardware protected credentials. Users that sign-in from a computer incapable of creating a hardware protected credential do not enroll for Windows Hello for Business. -Another policy setting becomes available when you enable the **Use a hardware security device** Group Policy setting that enables you to prevent Windows Hello for Business enrollment from using version 1.2 Trusted Platform Modules (TPM). Version 1.2 TPMs typically perform cryptographic operations slower than version 2.0 TPMs and are more unforgiving during anti-hammering and PIN lockout activities. Therefore, some organization may want not want slow sign-in performance and management overhead associated with version 1.2 TPMs. To prevent Windows Hello for Business from using version 1.2 TPMs, simply select the TPM 1.2 check box after you enable the Use a hardware security device Group Policy object. +Another policy setting becomes available when you enable the **Use a hardware security device** Group Policy setting that enables you to prevent Windows Hello for Business enrollment from using version 1.2 Trusted Platform Modules (TPM). Version 1.2 TPMs typically perform cryptographic operations slower than version 2.0 TPMs and are more unforgiving during anti-hammering and PIN lockout activities. Some organizations may not want slow sign-in performance and management overhead associated with version 1.2 TPMs. To prevent Windows Hello for Business from using version 1.2 TPMs, select the TPM 1.2 check box after you enable the Use a hardware security device Group Policy object. ### Use biometrics Windows Hello for Business provides a great user experience when combined with the use of biometrics. Rather than providing a PIN to sign-in, a user can use a fingerprint or facial recognition to sign-in to Windows, without sacrificing security. -The default Windows Hello for Business enables users to enroll and use biometrics. However, some organization may want more time before using biometrics and want to disable their use until they are ready. To not allow users to use biometrics, configure the **Use biometrics** Group Policy setting to disabled and apply it to your computers. The policy setting disabled all biometrics. Currently, Windows does not provide granular policy setting that enable you to disable specific modalities of biometrics such as allow facial recognition, but disallow fingerprint. +The default Windows Hello for Business enables users to enroll and use biometrics. However, some organization may want more time before using biometrics and want to disable their use until they are ready. To not allow users to use biometrics, configure the **Use biometrics** Group Policy setting to disabled and apply it to your computers. The policy setting disables all biometrics. Currently, Windows does not provide the ability to set granular policies that enable you to disable specific modalities of biometrics, such as allowing facial recognition, but disallowing fingerprint recognition. ### PIN Complexity -PIN complexity is not specific to Windows Hello for Business. Windows enables users to use PINs outside of Windows Hello for Business. PIN Complexity Group Policy settings apply to all uses of PINs, even when Windows Hello for Business is not deployed. +PIN complexity is not specific to Windows Hello for Business. Windows enables users to use PINs outside of Windows Hello for Business. PIN Complexity Group Policy settings apply to all uses of PINs, even when Windows Hello for Business is not deployed. -Windows provides eight PIN Complexity Group Policy settings that give you granular control over PIN creation and management. You can deploy these policy settings to computers, where they affect all users creating PINs on that computer; or, you can deploy these settings to users, where they affect those users creating PINs regardless of the computer they use. If you deploy both computer and user PIN complexity Group Policy settings, the user policy settings have precedence over computer policy settings. Also, this conflict resolution is based on the last applied policy. Windows does not merge the policy settings automatically; however, you can deploy Group Policy to provide to accomplish a variety of configurations. The policy settings included are: -* Require digits -* Require lowercase letters -* Maximum PIN length -* Minimum PIN length -* Expiration -* History -* Require special characters -* Require uppercase letters +Windows provides eight PIN Complexity Group Policy settings that give you granular control over PIN creation and management. You can deploy these policy settings to computers, where they affect all users creating PINs on that computer; or, you can deploy these settings to users, where they affect those users creating PINs regardless of the computer they use. If you deploy both computer and user PIN complexity Group Policy settings, the user policy settings have precedence over computer policy settings. Also, this conflict resolution is based on the last applied policy. Windows does not merge the policy settings automatically. The policy settings included are: -In the Windows 10, version 1703, the PIN complexity Group Policy settings have moved to remove misunderstanding that PIN complexity policy settings were exclusive to Windows Hello for Business. The new location of these Group Policy settings is under Computer Configuration\Administrative Templates\System\PIN Complexity in the Group Policy editor. +- Require digits +- Require lowercase letters +- Maximum PIN length +- Minimum PIN length +- Expiration +- History +- Require special characters +- Require uppercase letters -## Review +The settings can be found in *Administrative Templates\System\PIN Complexity*, under both the Computer and User Configuration nodes of the Group Policy editor. + +## Review to validate the configuration Before you continue with the deployment, validate your deployment progress by reviewing the following items: -* Confirm you authored Group Policy settings using the latest ADMX/ADML files (from the Windows 10 Creators Editions) -* Confirm you configured the Enable Windows Hello for Business to the scope that matches your deployment (Computer vs. User) -* Confirm you configure the Use Certificate enrollment for on-premises authentication policy setting. -* Confirm you configure automatic certificate enrollment to the scope that matches your deployment (Computer vs. User) -* Confirm you configured the proper security settings for the Group Policy object - * Removed the allow permission for Apply Group Policy for Domain Users (Domain Users must always have the read permissions) - * Add the Windows Hello for Business Users group to the Group Policy object and gave the group the allow permission for Apply Group Policy - -* Linked the Group Policy object to the correct locations within Active Directory -* Deploy any additional Windows Hello for Business Group Policy setting is a policy separate from the one that enables it for users +> [!div class="checklist"] +> - Confirm you configured the Enable Windows Hello for Business to the scope that matches your deployment (Computer vs. User) +> - Confirm you configure the Use Certificate enrollment for on-premises authentication policy setting +> - Confirm you configured the proper security settings for the Group Policy object +> - Confirm you removed the allow permission for Apply Group Policy for Domain Users (Domain Users must always have the read permissions) +> - Confirm you added the Windows Hello for Business Users group to the Group Policy object, and gave the group the allow permission to Apply Group Policy +> - Linked the Group Policy object to the correct locations within Active Directory +> - Deployed any additional Windows Hello for Business Group Policy settings ## Add users to the Windows Hello for Business Users group -Users must receive the Windows Hello for Business group policy settings and have the proper permission to enroll for the WHFB Authentication certificate. You can provide users with these settings and permissions by adding the group used synchronize users to the Windows Hello for Business Users group. Users and groups that are not members of this group will not attempt to enroll for Windows Hello for Business. - - -## Follow the Windows Hello for Business on premises certificate trust deployment guide -1. [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md) -2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md) -3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md) -4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) -5. Configure Windows Hello for Business Policy settings (*You are here*) +Users must receive the Windows Hello for Business group policy settings and have the proper permission to enroll for the Windows Hello for Business Authentication certificate. You can provide users with these settings and permissions by adding the group used synchronize users to the *Windows Hello for Business Users* group. Users and groups that are not members of this group will not attempt to enroll for Windows Hello for Business. \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md index 2ef4c3f4b0..bac1a4e528 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md @@ -1,83 +1,30 @@ --- -title: Update Active Directory schema for cert-trust deployment (Windows Hello for Business) -description: How to Validate Active Directory prerequisites for Windows Hello for Business when deploying with the certificate trust model. -ms.prod: windows-client -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium -ms.date: 08/19/2018 -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: prsriva -manager: aaroncz +title: Validate Active Directory prerequisites in an on-premises certificate trust +description: Validate Active Directory prerequisites when deploying Windows Hello for Business in a certificate trust model. +ms.date: 12/12/2022 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ On-premises deployments - - ✅ Certificate trust +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later +ms.topic: tutorial --- -# Validate Active Directory prerequisites for cert-trust deployment +# Validate Active Directory prerequisites - on-premises certificate trust -The key registration process for the on-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory or later schema. The key-trust model receives the schema extension when the first Windows Server 2016 or later domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 or later schema. +[!INCLUDE [hello-on-premises-cert-trust](../../includes/hello-on-premises-cert-trust.md)] -> [!NOTE] -> If you already have a Windows Server 2016 or later domain controller in your forest, you can skip the "Updating the Schema" and "Create the KeyCredential Admins Security Global Group" steps that follow. +The key registration process for the on-premises deployment of Windows Hello for Business requires the Windows Server 2016 Active Directory or later schema. -Manually updating Active Directory uses the command-line utility **adprep.exe** located at **\:\support\adprep** on the Windows Server 2016 or later DVD or ISO. Before running adprep.exe, you must identify the domain controller hosting the schema master role. +## Create the Windows Hello for Business Users security group -## Discovering schema role +The *Windows Hello for Business Users* group is used to make it easy to deploy Windows Hello for Business in phases. You assign Group Policy permissions to this group to simplify the deployment by adding the users to the group. This provides users with the proper permissions to provision Windows Hello for Business. -To locate the schema master role holder, open and command prompt and type: +Sign-in to a domain controller or to a management workstation with a *Domain Administrator* equivalent credentials. -```Netdom query fsmo | findstr -i “schema”``` +1. Open **Active Directory Users and Computers** +1. Select **View > Advanced Features** +1. Expand the domain node from the navigation pane +1. Right-click the **Users** container. Select **New > Group** +1. Type *Windows Hello for Business Users* in the **Group Name** +1. Select **OK** -![Netdom example output.](images/hello-cmd-netdom.png) - -The command should return the name of the domain controller where you need to adprep.exe. Update the schema locally on the domain controller hosting the Schema master role. - -## Updating the Schema - -Windows Hello for Business uses asymmetric keys as user credentials (rather than passwords). During enrollment, the public key is registered in an attribute on the user object in Active Directory. The schema update adds this new attribute to Active Directory. - -Sign-in to the domain controller hosting the schema master operational role using enterprise administrator equivalent credentials. - -1. Mount the ISO file (or insert the DVD) containing the Windows Server 2016 or later installation media. -2. Open an elevated command prompt. -3. Type ```cd /d x:\support\adprep``` where *x* is the drive letter of the DVD or mounted ISO. -4. To update the schema, type ```adprep /forestprep```. -5. Read the Adprep Warning. Type the letter **C** and press **Enter** to update the schema. -6. Close the Command Prompt and sign-out. - -## Create the KeyCredential Admins Security Global Group - -The Windows Server 2016 Active Directory Federation Services (AD FS) role registers the public key on the user object during provisioning. You assign write and read permission to this group to the Active Directory attribute to ensure the AD FS service can add and remove keys are part of its normal workflow. - -Sign-in a domain controller or management workstation with domain administrator equivalent credentials. - -1. Open **Active Directory Users and Computers**. -2. Click **View** and click **Advance Features**. -3. Expand the domain node from the navigation pane. -4. Right-click the **Users** container. Click **New**. Click **Group**. -5. Type **KeyCredential Admins** in the **Group Name** text box. -6. Click **OK**. - -## Create the Windows Hello for Business Users Security Global Group - -The Windows Hello for Business Users group is used to make it easy to deploy Windows Hello for Business in phases. You assign Group Policy and Certificate template permissions to this group to simplify the deployment by simply adding the users to the group. This provides them the proper permissions to provision Windows Hello for Business and to enroll in the Windows Hello for Business authentication certificate. - -Sign into a domain controller or management workstation with domain administrator equivalent credentials. - -1. Open **Active Directory Users and Computers**. -2. Click **View** and click **Advanced Features**. -3. Expand the domain node from the navigation pane. -4. Right-click the **Users** container. Click **New**. Click **Group**. -5. Type **Windows Hello for Business Users** in the **Group Name** text box. -6. Click **OK**. - - -## Follow the Windows Hello for Business on premises certificate trust deployment guide -1. Validate Active Directory prerequisites (*You are here*) -2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md) -3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md) -4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) -5. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md) +> [!div class="nextstepaction"] +> [Next: validate and configure PKI >](hello-cert-trust-validate-pki.md) \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md index 546fd12013..e5c4b9a2a4 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md @@ -1,32 +1,28 @@ --- title: Validate and Deploy MFA for Windows Hello for Business with certificate trust -description: How to Validate and Deploy Multi-factor Authentication (MFA) Services for Windows Hello for Business with certificate trust -ms.prod: windows-client -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium -ms.date: 08/19/2018 -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: prsriva -manager: aaroncz +description: Validate and deploy multi-factor authentication (MFA) for Windows Hello for Business in an on-premises certificate trust model. +ms.date: 12/13/2022 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ On-premises deployments - - ✅ Certificate trust +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later +ms.topic: tutorial --- -# Validate and Deploy Multi-Factor Authentication feature -Windows Hello for Business requires all users perform multi-factor authentication prior to creating and registering a Windows Hello for Business credential. On-premises deployments can use certificates, third-party authentication providers for AD FS, or a custom authentication provider for AD FS as an on-premises MFA option. +# Validate and deploy multi-factor authentication - on-premises certificate trust -For information on available third-party authentication methods, see [Configure Additional Authentication Methods for AD FS](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs). For creating a custom authentication method, see [Build a Custom Authentication Method for AD FS in Windows Server](/windows-server/identity/ad-fs/development/ad-fs-build-custom-auth-method) +[!INCLUDE [hello-on-premises-cert-trust](../../includes/hello-on-premises-cert-trust.md)] -Follow the integration and deployment guide for the authentication provider you select to integrate and deploy it to AD FS. Make sure that the authentication provider is selected as a multi-factor authentication option in the AD FS authentication policy. For information on configuring AD FS authentication policies, see [Configure Authentication Policies](/windows-server/identity/ad-fs/operations/configure-authentication-policies). +Windows Hello for Business requires users perform multi-factor authentication (MFA) prior to enroll in the service. On-premises deployments can use, as MFA option: -## Follow the Windows Hello for Business on premises certificate trust deployment guide -1. [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md) -2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md) -3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md) -4. Validate and Deploy Multi-factor Authentication Services (MFA) (*You're here*) -5. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md) \ No newline at end of file +- third-party authentication providers for AD FS +- custom authentication provider for AD FS + +> [!IMPORTANT] +> As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multi-factor authentication from their users should use cloud-based Azure AD Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual. + +For information on available third-party authentication methods see [Configure Additional Authentication Methods for AD FS](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs). For creating a custom authentication method see [Build a Custom Authentication Method for AD FS in Windows Server](/windows-server/identity/ad-fs/development/ad-fs-build-custom-auth-method) + +Follow the integration and deployment guide for the authentication provider you select to integrate and deploy it to AD FS. Make sure that the authentication provider is selected as a multi-factor authentication option in the AD FS authentication policy. For information on configuring AD FS authentication policies see [Configure Authentication Policies](/windows-server/identity/ad-fs/operations/configure-authentication-policies). + +> [!div class="nextstepaction"] +> [Next: configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md) \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md index 900b6c7f79..f543372332 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md @@ -1,197 +1,348 @@ --- -title: Validate Public Key Infrastructure - certificate trust model (Windows Hello for Business) -description: How to Validate Public Key Infrastructure for Windows Hello for Business, under a certificate trust model. -ms.prod: windows-client -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium -ms.date: 08/19/2018 -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: prsriva -manager: aaroncz +title: Configure and validate the Public Key Infrastructure in an on-premises certificate trust model +description: Configure and validate the Public Key Infrastructure the Public Key Infrastructure when deploying Windows Hello for Business in a certificate trust model. +ms.date: 12/12/2022 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ On-premises deployments - - ✅ Certificate trust +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later +ms.topic: tutorial --- -# Validate and Configure Public Key Infrastructure - Certificate Trust Model +# Configure and validate the Public Key Infrastructure - on-premises certificate trust -Windows Hello for Business must have a public key infrastructure regardless of the deployment or trust model. All trust models depend on the domain controllers having a certificate. The certificate serves as a root of trust for clients to ensure they are not communicating with a rogue domain controller. The certificate trust model extends certificate issuance to client computers. During Windows Hello for Business provisioning, the user receives a sign-in certificate. +[!INCLUDE [hello-on-premises-cert-trust](../../includes/hello-on-premises-cert-trust.md)] -## Deploy an enterprise certificate authority +Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the *key trust* or *certificate trust* models. The domain controllers must have a certificate, which serves as a root of trust for clients. The certificate ensures that clients don't communicate with rogue domain controllers. The certificate trust model extends certificate issuance to client computers. During Windows Hello for Business provisioning, the user receives a sign-in certificate. -This guide assumes most enterprise have an existing public key infrastructure. Windows Hello for Business depends on a Windows enterprise public key infrastructure running the Active Directory Certificate Services role from Windows Server 2012 or later. +## Deploy an enterprise certification authority -### Lab-based public key infrastructure +This guide assumes most enterprises have an existing public key infrastructure. Windows Hello for Business depends on an enterprise PKI running the Windows Server *Active Directory Certificate Services* role. -The following instructions may be used to deploy simple public key infrastructure that is suitable for a lab environment. +### Lab-based PKI -Sign-in using _Enterprise Admin_ equivalent credentials on Windows Server 2012 or later server where you want the certificate authority installed. +The following instructions may be used to deploy simple public key infrastructure that is suitable **for a lab environment**. + +Sign in using *Enterprise Administrator* equivalent credentials on a Windows Server where you want the certification authority (CA) installed. >[!NOTE] ->Never install a certificate authority on a domain controller in a production environment. +>Never install a certification authority on a domain controller in a production environment. -1. Open an elevated Windows PowerShell prompt. -2. Use the following command to install the Active Directory Certificate Services role. +1. Open an elevated Windows PowerShell prompt +1. Use the following command to install the Active Directory Certificate Services role. ```PowerShell Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools ``` - -3. Use the following command to configure the Certificate Authority using a basic certificate authority configuration. +3. Use the following command to configure the CA using a basic certification authority configuration ```PowerShell Install-AdcsCertificationAuthority - ``` - -## Configure a Production Public Key Infrastructure + ``` -If you do have an existing public key infrastructure, please review [Certification Authority Guidance](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831574(v=ws.11)) from Microsoft TechNet to properly design your infrastructure. Then, consult the [Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831348(v=ws.11)) for instructions on how to configure your public key infrastructure using the information from your design session. +## Configure a PKI -### Configure Domain Controller Certificates +If you have an existing PKI, review [Certification Authority Guidance](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831574(v=ws.11)) to properly design your infrastructure. Then, consult the [Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831348(v=ws.11)) for instructions on how to configure your PKI using the information from your design session. -Clients need to trust domain controllers and the best way to do this is to ensure each domain controller has a Kerberos Authentication certificate. Installing a certificate on the domain controller enables the Key Distribution Center (KDC) to prove its identity to other members of the domain. This provides clients a root of trust external to the domain—namely the enterprise certificate authority. +Expand the following sections to configure the PKI for Windows Hello for Business. -Domain controllers automatically request a domain controller certificate (if published) when they discover an enterprise certificate authority is added to Active Directory. However, certificates based on the Domain Controller and Domain Controller Authentication certificate templates do not include the KDC Authentication object identifier (OID), which was later added to the Kerberos RFC. Therefore, domain controllers need to request a certificate based on the Kerberos Authentication certificate template. +
                              +
                              +Configure domain controller certificates -By default, the Active Directory Certificate Authority provides and publishes the Kerberos Authentication certificate template. However, the cryptography configuration included in the provided template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the Kerberos Authentication certificate template as a baseline to create an updated domain controller certificate template. +Clients must trust the domain controllers, and to it each domain controller must have a *Kerberos Authentication* certificate. Installing a certificate on the domain controllers enables the Key Distribution Center (KDC) to prove its identity to other members of the domain. The certificates provide clients a root of trust external to the domain, namely the *enterprise certification authority*. -Sign-in to a certificate authority or management workstations with _Domain Admin_ equivalent credentials. -1. Open the **Certificate Authority** management console. -2. Right-click **Certificate Templates** and click **Manage**. -3. In the **Certificate Templates Console**, right-click the **Kerberos Authentication** template in the details pane and click **Duplicate Template**. -4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2008 R2** from the **Certification Authority** list. Select **Windows 7.Server 2008 R2** from the **Certification Recipient** list. -5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name. Adjust the validity and renewal period to meet your enterprise’s needs. - **Note**If you use different template names, you’ll need to remember and substitute these names in different portions of the lab. -6. On the **Subject Name** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **None** from the **Subject name format** list. Select **DNS name** from the **Include this information in alternate subject** list. Clear all other items. -7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**. -8. Close the console. +Domain controllers automatically request a domain controller certificate (if published) when they discover an enterprise CA is added to Active Directory. However, certificates based on the Domain Controller and Domain Controller Authentication certificate templates don't include the *KDC Authentication* object identifier (OID), which was later added to the Kerberos RFC. Therefore, domain controllers need to request a certificate based on the *Kerberos Authentication* certificate template. -### Superseding the existing Domain Controller certificate +By default, the Active Directory CA provides and publishes the *Kerberos Authentication* certificate template. The cryptography configuration included in the template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the *Kerberos Authentication* certificate template as a *baseline* to create an updated domain controller certificate template. -Many domain controllers may have an existing domain controller certificate. The Active Directory Certificate Services provides a default certificate template from domain controllers—the domain controller certificate template. Later releases provided a new certificate template—the domain controller authentication certificate template. These certificate templates were provided prior to update of the Kerberos specification that stated Key Distribution Centers (KDCs) performing certificate authentication needed to include the KDC Authentication extension. +Sign in to a CA or management workstations with *Domain Administrator* equivalent credentials. -The Kerberos Authentication certificate template is the most current certificate template designated for domain controllers and should be the one you deploy to all your domain controllers (2008 or later). The autoenrollment feature in Windows enables you to effortlessly replace these domain controller certificates. You can use the following configuration to replace older domain controller certificates with a new certificate using the Kerberos Authentication certificate template. +1. Open the **Certification Authority** management console +1. Right-click **Certificate Templates > Manage** +1. In the **Certificate Template Console**, right-click the **Kerberos Authentication** template in the details pane and select **Duplicate Template** +1. On the **Compatibility** tab: + - Clear the **Show resulting changes** check box + - Select **Windows Server 2016** from the **Certification Authority** list + - Select **Windows 10 / Windows Server 2016** from the **Certificate Recipient** list +1. On the **General** tab + - Type *Domain Controller Authentication (Kerberos)* in Template display name + - Adjust the validity and renewal period to meet your enterprise's needs + > [!NOTE] + > If you use different template names, you'll need to remember and substitute these names in different portions of the lab. +1. On the **Subject Name** tab: + - Select the **Build from this Active Directory information** button if it isn't already selected + - Select **None** from the **Subject name format** list + - Select **DNS name** from the **Include this information in alternate subject** list + - Clear all other items +1. On the **Cryptography** tab: + - select **Key Storage Provider** from the **Provider Category** list + - Select **RSA** from the **Algorithm name** list + - Type *2048* in the **Minimum key size** text box + - Select **SHA256** from the **Request hash** list +1. Select **OK** +1. Close the console -Sign-in to a certificate authority or management workstations with _Enterprise Admin_ equivalent credentials. -1. Open the **Certificate Authority** management console. -2. Right-click **Certificate Templates** and click **Manage**. -3. In the **Certificate Templates Console**, right-click the **Domain Controller Authentication (Kerberos)** (or the name of the certificate template you created in the previous section) template in the details pane and click **Properties**. -4. Click the **Superseded Templates** tab. Click **Add**. -5. From the **Add Superseded Template** dialog, select the **Domain Controller** certificate template and click **OK**. Click **Add**. -6. From the **Add Superseded Template** dialog, select the **Domain Controller Authentication** certificate template and click **OK**. Click **Add**. -7. From the **Add Superseded Template** dialog, select the **Kerberos Authentication** certificate template and click **OK**. Click **Add**. -8. Add any other enterprise certificate templates that were previously configured for domain controllers to the **Superseded Templates** tab. -9. Click **OK** and close the **Certificate Templates** console. +
                              -The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities. +
                              +
                              +Supersede existing domain controller certificates -### Configure an Internal Web Server Certificate template +The domain controllers may have an existing domain controller certificate. The Active Directory Certificate Services provides a default certificate template for domain controllers called *domain controller certificate*. Later releases of Windows Server provided a new certificate template called *domain controller authentication certificate*. These certificate templates were provided prior to the update of the Kerberos specification that stated Key Distribution Centers (KDCs) performing certificate authentication needed to include the *KDC Authentication* extension. -Windows 10 or Windows 11 clients use the https protocol when communicating with Active Directory Federation Services. To meet this need, you must issue a server authentication certificate to all the nodes in the Active Directory Federation Services farm. On-premises deployments can use a server authentication certificate issued by their enterprise PKI. You must configure a server authentication certificate template so the host running the Active Directory Federation Service can request the certificate. +The *Kerberos Authentication* certificate template is the most current certificate template designated for domain controllers, and should be the one you deploy to all your domain controllers.\ +The *autoenrollment* feature allows you to replace the domain controller certificates. Use the following configuration to replace older domain controller certificates with new ones, using the *Kerberos Authentication* certificate template. -Sign-in to a certificate authority or management workstations with _Domain Admin_ equivalent credentials. -1. Open the **Certificate Authority** management console. -2. Right-click **Certificate Templates** and click **Manage**. -3. In the **Certificate Templates Console**, right-click the **Web Server** template in the details pane and click **Duplicate Template**. -4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. -5. On the **General** tab, type **Internal Web Server** in **Template display name**. Adjust the validity and renewal period to meet your enterprise’s needs. - **Note:** If you use different template names, you’ll need to remember and substitute these names in different portions of the lab. -6. On the **Request Handling** tab, select **Allow private key to be exported**. -7. On the **Subject Name** tab, select the **Supply in the request** button if it is not already selected. -8. On the **Security** tab, Click **Add**. Type **Domain Computers** in the **Enter the object names to select** box. Click **OK**. Select the **Allow** check box next to the **Enroll** permission. -9. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**. -10. Close the console. +Sign in to a CA or management workstations with *Enterprise Administrator* equivalent credentials. -### Unpublish Superseded Certificate Templates +1. Open the **Certification Authority** management console +1. Right-click **Certificate Templates > Manage** +1. In the **Certificate Template Console**, right-click the *Domain Controller Authentication (Kerberos)* (or the name of the certificate template you created in the previous section) template in the details pane and select **Properties** +1. Select the **Superseded Templates** tab. Select **Add** +1. From the **Add Superseded Template** dialog, select the *Domain Controller* certificate template and select **OK > Add** +1. From the **Add Superseded Template** dialog, select the *Domain Controller Authentication* certificate template and select **OK** +1. From the **Add Superseded Template** dialog, select the *Kerberos Authentication* certificate template and select **OK** +1. Add any other enterprise certificate templates that were previously configured for domain controllers to the **Superseded Templates** tab +1. Select **OK** and close the **Certificate Templates** console -The certificate authority only issues certificates based on published certificate templates. For defense in depth security, it is a good practice to unpublish certificate templates that the certificate authority is not configured to issue. This includes the pre-published certificate template from the role installation and any superseded certificate templates. +The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates isn't active until the certificate template is published to one or more certificate authorities. -The newly created domain controller authentication certificate template supersedes previous domain controller certificate templates. Therefore, you need to unpublish these certificate templates from all issuing certificate authorities. +
                              -Sign-in to the certificate authority or management workstation with _Enterprise Admin_ equivalent credentials. -1. Open the **Certificate Authority** management console. -2. Expand the parent node from the navigation pane. -3. Click **Certificate Templates** in the navigation pane. -4. Right-click the **Domain Controller** certificate template in the content pane and select **Delete**. Click **Yes** on the **Disable certificate templates** window. -5. Repeat step 4 for the **Domain Controller Authentication** and **Kerberos Authentication** certificate templates. +
                              +
                              +Configure an internal web server certificate template -### Publish Certificate Templates to the Certificate Authority +Windows clients use the https protocol when communicating with Active Directory Federation Services (AD FS). To meet this need, you must issue a server authentication certificate to all the nodes in the AD FS farm. On-premises deployments can use a server authentication certificate issued by their enterprise PKI. You must configure a server authentication certificate template so the host running theAD FS can request the certificate. -The certificate authority may only issue certificates for certificate templates that are published to that certificate authority. If you have more than one certificate authority and you want that certificate authority to issue certificates based on a specific certificate template, then you must publish the certificate template to all certificate authorities that are expected to issue the certificate. +Sign in to a CA or management workstations with *Domain Administrator* equivalent credentials. -Sign-in to the certificate authority or management workstations with an _enterprise administrator_ equivalent credentials. +1. Open the **Certification Authority** management console +1. Right-click **Certificate Templates** and select **Manage** +1. In the **Certificate Template Console**, right-click the **Web Server** template in the details pane and select **Duplicate Template** +1. On the **Compatibility** tab: + - Clear the **Show resulting changes** check box + - Select **Windows Server 2016** from the **Certification Authority** list + - Select **Windows 10 / Windows Server 2016** from the **Certificate recipient** list +1. On the **General** tab: + - Type *Internal Web Server* in **Template display name** + - Adjust the validity and renewal period to meet your enterprise's needs + > [!NOTE] + > If you use different template names, you'll need to remember and substitute these names in different portions of the lab. +1. On the **Request Handling** tab, select **Allow private key to be exported** +1. On the **Subject** tab, select the **Supply in the request** button if it isn't already selected +1. On the **Security** tab: + - Select **Add** + - Type **Domain Computers** in the **Enter the object names to select** box + - Select **OK** + - Select the **Allow** check box next to the **Enroll** permission +1. On the **Cryptography** tab: + - Select **Key Storage Provider** from the **Provider Category** list + - Select **RSA** from the **Algorithm name** list + - Type *2048* in the **Minimum key size** text box + - Select **SHA256** from the **Request hash** list + - Select **OK** +1. Close the console -1. Open the **Certificate Authority** management console. -2. Expand the parent node from the navigation pane. -3. Click **Certificate Templates** in the navigation pane. -4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template** to issue. -5. In the **Enable Certificates Templates** window, select the **Domain Controller Authentication (Kerberos)**, and **Internal Web Server** templates you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority. -6. If you published the Domain Controller Authentication (Kerberos) certificate template, then you should unpublish the certificate templates you included in the superseded templates list. - * To unpublish a certificate template, right-click the certificate template you want to unpublish in the details pane of the Certificate Authority console and select **Delete**. Click **Yes** to confirm the operation. -7. Close the console. +
                              -### Configure Domain Controllers for Automatic Certificate Enrollment +
                              +
                              +Configure a certificate registration authority template -Domain controllers automatically request a certificate from the domain controller certificate template. However, the domain controller is unaware of newer certificate templates or superseded configurations on certificate templates. To continue automatic enrollment and renewal of domain controller certificates that understand newer certificate template and superseded certificate template configurations, create and configure a Group Policy object for automatic certificate enrollment and link the Group Policy object to the Domain Controllers OU. +A certificate registration authority (CRA) is a trusted authority that validates certificate request. Once it validates the request, it presents the request to the certification authority (CA) for issuance. The CA issues the certificate, returns it to the CRA, which returns the certificate to the requesting user. The Windows Hello for Business on-premises certificate-based deployment uses AD FS as the CRA. + +The CRA enrolls for an *enrollment agent* certificate. Once the CRA verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the CA. The Windows Hello for Business Authentication certificate template is configured to only issue certificates to certificate requests that have been signed with an enrollment agent certificate. The CA only issues a certificate for that template if the registration authority signs the certificate request. + +Sign in to a CA or management workstations with *Domain Administrator* equivalent credentials. + +1. Open the **Certification Authority** management console +1. Right-click **Certificate Templates** and select **Manage** +1. In the **Certificate Template Console**, right-click on the **Exchange Enrollment Agent (Offline request)** template details pane and select **Duplicate Template** +1. On the **Compatibility** tab: + - Clear the **Show resulting changes** check box + - Select **Windows Server 2016** from the **Certification Authority** list. + - Select **Windows 10 / Windows Server 2016** from the **Certificate Recipient** list +1. On the **General** tab: + - Type *WHFB Enrollment Agent* in **Template display name** + - Adjust the validity and renewal period to meet your enterprise's needs +1. On the **Subject** tab, select the **Supply in the request** button if it is not already selected + + > [!NOTE] + > Group Managed Service Accounts (GMSA) do not support the *Build from this Active Directory information* option and will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with *Supply in the request* to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate. + +1. On the **Cryptography** tab: + - Select **Key Storage Provider** from the **Provider Category** list + - Select **RSA** from the **Algorithm name** list + - Type *2048* in the **Minimum key size** text box + - Select **SHA256** from the **Request hash** list +1. On the **Security** tab, select **Add** +1. Select **Object Types** and select the **Service Accounts** check box. Select **OK** +1. Type *adfssvc* in the **Enter the object names to select** text box and select **OK** +1. Select the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section: + - In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission + - Excluding the **adfssvc** user, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared + - Select **OK** +1. Close the console + +
                              + +
                              +
                              +Configure a Windows Hello for Business authentication certificate template + +During Windows Hello for Business provisioning, Windows clients request an authentication certificate from AD FS, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. + +Sign in to a CA or management workstations with *Domain Administrator* equivalent credentials. + +1. Open the **Certification Authority** management console +1. Right-click **Certificate Templates** and select **Manage** +1. Right-click the **Smartcard Logon** template and choose **Duplicate Template** +1. On the **Compatibility** tab: + - Clear the **Show resulting changes** check box + - Select **Windows Server 2016** from the **Certification Authority** list + - Select **Windows 10 / Windows Server 2016** from the **Certificate Recipient** list +1. On the **General** tab: + - Type *WHFB Authentication* in **Template display name** + - Adjust the validity and renewal period to meet your enterprise's needs + > [!NOTE] + > If you use different template names, you'll need to remember and substitute these names in different portions of the deployment. +1. On the **Cryptography** tab + - Select **Key Storage Provider** from the **Provider Category** list + - Select **RSA** from the **Algorithm name** list + - Type *2048* in the **Minimum key size** text box + - Select **SHA256** from the **Request hash** list +1. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon** +1. On the **Issuance Requirements** tab, + - Select the **This number of authorized signatures** check box. Type *1* in the text box + - Select **Application policy** from the **Policy type required in signature** + - Select **Certificate Request Agent** from in the **Application policy** list + - Select the **Valid existing certificate** option +1. On the **Subject** tab, + - Select the **Build from this Active Directory information** button + - Select **Fully distinguished name** from the **Subject name format** list + - Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name** +1. On the **Request Handling** tab, select the **Renew with same key** check box +1. On the **Security** tab, select **Add**. Type *Window Hello for Business Users* in the **Enter the object names to select** text box and select **OK** +1. Select the **Windows Hello for Business Users** from the **Group or users names** list. In the **Permissions for Windows Hello for Business Users** section: + - Select the **Allow** check box for the **Enroll** permission + - Excluding the **Windows Hello for Business Users** group, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared + - Select **OK** +1. If you previously issued Windows Hello for Business sign-in certificates using Configuration Manger and are switching to an AD FS registration authority, then on the **Superseded Templates** tab, add the previously used **Windows Hello for Business Authentication** template(s), so they will be superseded by this template for the users that have Enroll permission for this template +1. Select on the **Apply** to save changes and close the console + +#### Mark the template as the Windows Hello Sign-in template + +Sign in to a CA or management workstations with *Enterprise Administrator* equivalent credentials + +Open an elevated command prompt end execute the following command + +```cmd +certutil.exe -dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY +``` + +>[!NOTE] +>If you gave your Windows Hello for Business Authentication certificate template a different name, then replace *WHFBAuthentication* in the above command with the name of your certificate template. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on your certification authority. + + +
                              + +
                              +
                              +Unpublish Superseded Certificate Templates + +The certification authority only issues certificates based on published certificate templates. For security, it's a good practice to unpublish certificate templates that the CA isn't configured to issue. This includes the pre-published certificate template from the role installation and any superseded certificate templates. + +The newly created *domain controller authentication* certificate template supersedes previous domain controller certificate templates. Therefore, you need to unpublish these certificate templates from all issuing certificate authorities. + +Sign in to the CA or management workstation with *Enterprise Administrator* equivalent credentials. + +1. Open the **Certification Authority** management console +1. Expand the parent node from the navigation pane > **Certificate Templates** +1. Right-click the *Domain Controller* certificate template and select **Delete**. Select **Yes** on the **Disable certificate templates** window +1. Repeat step 3 for the *Domain Controller Authentication* and *Kerberos Authentication* certificate templates + +
                              + +
                              +
                              +Publish certificate templates to the CA + +A certification authority can only issue certificates for certificate templates that are published to it. If you have more than one CA, and you want more CAs to issue certificates based on the certificate template, then you must publish the certificate template to them. + +Sign in to the CA or management workstations with **Enterprise Admin** equivalent credentials. + +1. Open the **Certification Authority** management console +1. Expand the parent node from the navigation pane +1. Select **Certificate Templates** in the navigation pane +1. Right-click the **Certificate Templates** node. Select **New > Certificate Template** to issue +1. In the **Enable Certificates Templates** window, select the *Domain Controller Authentication (Kerberos)*, *Internal Web Server*, *WHFB Enrollment Agent* and *WHFB Authentication* templates you created in the previous steps. Select **OK** to publish the selected certificate templates to the certification authority +1. If you published the *Domain Controller Authentication (Kerberos)* certificate template, then unpublish the certificate templates you included in the superseded templates list + - To unpublish a certificate template, right-click the certificate template you want to unpublish and select **Delete**. Select **Yes** to confirm the operation +1. Close the console + +
                              + +### Configure automatic certificate enrollment for the domain controllers + +Domain controllers automatically request a certificate from the *Domain controller certificate* template. However, domain controllers are unaware of newer certificate templates or superseded configurations on certificate templates. To continue automatic enrollment and renewal of domain controller certificates, create and configure a Group Policy Object (GPO) for automatic certificate enrollment, linking the Group Policy object to the *Domain Controllers* Organizational Unit (OU). + +1. Open the **Group Policy Management Console** (gpmc.msc) +1. Expand the domain and select the **Group Policy Object** node in the navigation pane +1. Right-click **Group Policy object** and select **New** +1. Type *Domain Controller Auto Certificate Enrollment* in the name box and select **OK** +1. Right-click the **Domain Controller Auto Certificate Enrollment** Group Policy object and select **Edit** +1. In the navigation pane, expand **Policies** under **Computer Configuration** +1. Expand **Windows Settings > Security Settings > Public Key Policies** +1. In the details pane, right-click **Certificate Services Client - Auto-Enrollment** and select **Properties** +1. Select **Enabled** from the **Configuration Model** list +1. Select the **Renew expired certificates, update pending certificates, and remove revoked certificates** check box +1. Select the **Update certificates that use certificate templates** check box +1. Select **OK** +1. Close the **Group Policy Management Editor** + +### Deploy the domain controller auto certificate enrollment GPO + +Sign in to domain controller or management workstations with *Domain Administrator* equivalent credentials. 1. Start the **Group Policy Management Console** (gpmc.msc) -2. Expand the domain and select the **Group Policy Object** node in the navigation pane. -3. Right-click **Group Policy object** and select **New** -4. Type *Domain Controller Auto Certificate Enrollment* in the name box and click **OK**. -5. Right-click the **Domain Controller Auto Certificate Enrollment** Group Policy object and click **Edit**. -6. In the navigation pane, expand **Policies** under **Computer Configuration**. -7. Expand **Windows Settings**, **Security Settings**, and click **Public Key Policies**. -8. In the details pane, right-click **Certificate Services Client – Auto-Enrollment** and select **Properties**. -9. Select **Enabled** from the **Configuration Model** list. -10. Select the **Renew expired certificates, update pending certificates, and remove revoked certificates** check box. -11. Select the **Update certificates that use certificate templates** check box. -12. Click **OK**. Close the **Group Policy Management Editor**. +1. In the navigation pane, expand the domain and expand the node with the Active Directory domain name. Right-click the **Domain Controllers** organizational unit and select **Link an existing GPO…** +1. In the **Select GPO** dialog box, select *Domain Controller Auto Certificate Enrollment* or the name of the domain controller certificate enrollment Group Policy object you previously created +1. Select **OK** -### Deploy the Domain Controller Auto Certificate Enrollment Group Policy Object +## Validate the configuration -Sign-in to a domain controller or management workstations with _Domain Admin_ equivalent credentials. -1. Start the **Group Policy Management Console** (gpmc.msc) -2. In the navigation pane, expand the domain and expand the node that has your Active Directory domain name. Right-click the **Domain Controllers** organizational unit and click **Link an existing GPO…** -3. In the **Select GPO** dialog box, select **Domain Controller Auto Certificate Enrollment** or the name of the domain controller certificate enrollment Group Policy object you previously created and click **OK**. +Windows Hello for Business is a distributed system, which on the surface appears complex and difficult. The key to a successful Windows Hello for Business deployment is to validate phases of work prior to moving to the next phase. -### Validating your work +You want to confirm your domain controllers enroll the correct certificates and not any unnecessary (superseded) certificate templates. You need to check each domain controller that autoenrollment for the computer occurred. -Windows Hello for Business is a distributed system, which on the surface appears complex and difficult. The key to a successful Windows Hello for Business deployment is to validate phases of work prior to moving to the next phase. +### Use the event logs -You want to confirm your domain controllers enroll the correct certificates and not any unnecessary (superseded) certificate templates. You need to check each domain controller that autoenrollment for the computer occurred. +Sign in to domain controller or management workstations with *Domain Administrator* equivalent credentials. -#### Use the Event Logs +1. Using the Event Viewer, navigate to the **Application and Services > Microsoft > Windows > CertificateServices-Lifecycles-System** event log +1. Look for an event indicating a new certificate enrollment (autoenrollment): + - The details of the event include the certificate template on which the certificate was issued + - The name of the certificate template used to issue the certificate should match the certificate template name included in the event + - The certificate thumbprint and EKUs for the certificate are also included in the event + - The EKU needed for proper Windows Hello for Business authentication is Kerberos Authentication, in addition to other EKUs provide by the certificate template -Windows Server 2012 and later include Certificate Lifecycle events to determine the lifecycles of certificates for both users and computers. Using the Event Viewer, navigate to the **CertificateServicesClient-Lifecycle-System** event log under **Application and Services/Microsoft/Windows**. +Certificates superseded by your new domain controller certificate generate an archive event in the event log. The archive event contains the certificate template name and thumbprint of the certificate that was superseded by the new certificate. -Look for an event indicating a new certificate enrollment (autoenrollment). The details of the event include the certificate template on which the certificate was issued. The name of the certificate template used to issue the certificate should match the certificate template name included in the event. The certificate thumbprint and EKUs for the certificate are also included in the event. The EKU needed for proper Windows Hello for Business authentication is Kerberos Authentication, in addition to other EKUs provide by the certificate template. +### Certificate Manager -Certificates superseded by your new domain controller certificate generate an archive event in the CertificateServicesClient-Lifecycle-System event. The archive event contains the certificate template name and thumbprint of the certificate that was superseded by the new certificate. +You can use the Certificate Manager console to validate the domain controller has the properly enrolled certificate based on the correct certificate template with the proper EKUs. Use **certlm.msc** to view certificate in the local computers certificate stores. Expand the **Personal** store and view the certificates enrolled for the computer. Archived certificates don't appear in Certificate Manager. +### Certutil.exe -#### Certificate Manager +You can use `certutil.exe` command to view enrolled certificates in the local computer. Certutil shows enrolled and archived certificates for the local computer. From an elevated command prompt, run `certutil.exe -q -store my` to view locally enrolled certificates. -You can use the Certificate Manager console to validate the domain controller has the properly enrolled certificate based on the correct certificate template with the proper EKUs. Use **certlm.msc** to view certificate in the local computers certificate stores. Expand the **Personal** store and view the certificates enrolled for the computer. Archived certificates do not appear in Certificate Manager. +To view detailed information about each certificate in the store, use `certutil.exe -q -v -store my` to validate automatic certificate enrollment enrolled the proper certificates. -#### Certutil.exe +### Troubleshooting -You can use **certutil.exe** to view enrolled certificates in the local computer. Certutil shows enrolled and archived certificates for the local computer. From an elevated command prompt, run `certutil -q -store my` to view locally enrolled certificates. +Windows triggers automatic certificate enrollment for the computer during boot, and when Group Policy updates. You can refresh Group Policy from an elevated command prompt using `gpupdate.exe /force`. -To view detailed information about each certificate in the store, use `certutil -q -v -store my` to validate automatic certificate enrollment enrolled the proper certificates. +Alternatively, you can forcefully trigger automatic certificate enrollment using `certreq.exe -autoenroll -q` from an elevated command prompt. -#### Troubleshooting +Use the event logs to monitor certificate enrollment and archive. Review the configuration, such as publishing certificate templates to issuing certification authority and the allow auto enrollment permissions. -Windows triggers automatic certificate enrollment for the computer during boot, and when Group Policy updates. You can refresh Group Policy from an elevated command prompt using `gpupdate /force`. - -Alternatively, you can forcefully trigger automatic certificate enrollment using `certreq -autoenroll -q` from an elevated command prompt. - -Use the event logs to monitor certificate enrollment and archive. Review the configuration, such as publishing certificate templates to issuing certificate authority and the allow auto enrollment permissions. - - -## Follow the Windows Hello for Business on premises certificate trust deployment guide -1. [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md) -2. Validate and Configure Public Key Infrastructure (*You are here*) -3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md) -4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) -5. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md) \ No newline at end of file +> [!div class="nextstepaction"] +> [Next: prepare and deploy AD FS >](hello-cert-trust-adfs.md) \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md b/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md index cc32057f9c..d19452cbd8 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md @@ -1,29 +1,20 @@ --- -title: Windows Hello for Business Deployment Guide - On Premises Certificate Trust Deployment -description: A guide to on premises, certificate trust Windows Hello for Business deployment. -ms.prod: windows-client -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium -ms.date: 08/19/2018 -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: prsriva -manager: aaroncz +title: Windows Hello for Business deployment guide for the on-premises certificate trust model +description: Learn how to deploy Windows Hello for Business in an on-premises, certificate trust model. +ms.date: 12/12/2022 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ On-premises deployments - - ✅ Certificate trust +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later +ms.topic: tutorial --- -# On Premises Certificate Trust Deployment +# Deployment guide overview - on-premises certificate trust -Windows Hello for Business replaces username and password sign-in to Windows with authentication using an asymmetric key pair. This deployment guide provides the information you'll need to successfully deploy Windows Hello for Business in an existing environment. +[!INCLUDE [hello-on-premises-cert-trust](../../includes/hello-on-premises-cert-trust.md)] -Below, you can find all the information needed to deploy Windows Hello for Business in a Certificate Trust Model in your on-premises environment: +Windows Hello for Business replaces username and password authentication to Windows with an asymmetric key pair. This deployment guide provides the information to deploy Windows Hello for Business in an on-premises environment: 1. [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md) -2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md) -3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md) -4. [Validate and Deploy Multi-factor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) -5. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md) +2. [Validate and configure a PKI](hello-cert-trust-validate-pki.md) +3. [Prepare and deploy AD FS](hello-cert-trust-adfs.md) +4. [Validate and deploy multi-factor authentication (MFA)](hello-cert-trust-validate-deploy-mfa.md) +5. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md) \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md index 21fc22d1de..64b6af4819 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md @@ -1,24 +1,13 @@ --- title: Windows Hello for Business Deployment Overview description: Use this deployment guide to successfully deploy Windows Hello for Business in an existing environment. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: - - M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 02/15/2022 +appliesto: +- ✅ Windows 10 and later +ms.topic: article --- # Windows Hello for Business Deployment Overview -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 - Windows Hello for Business is the springboard to a world without passwords. It replaces username and password sign-in to Windows with strong user authentication based on an asymmetric key pair. This deployment overview is to guide you through deploying Windows Hello for Business. Your first step should be to use the Passwordless Wizard in the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/Home#/modernonboarding/passwordlesssetup) or the [Planning a Windows Hello for Business Deployment](hello-planning-guide.md) guide to determine the right deployment model for your organization. diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md index 7781a9a4ff..8c8fd3b65d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md @@ -1,16 +1,10 @@ --- title: Windows Hello for Business Deployment Known Issues description: A Troubleshooting Guide for Known Windows Hello for Business Deployment Issues -params: siblings_only -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 05/03/2021 +appliesto: +- ✅ Windows 10 and later +ms.topic: article --- # Windows Hello for Business Known Deployment Issues @@ -18,12 +12,6 @@ The content of this article is to help troubleshoot and workaround known deploym ## PIN Reset on Azure AD Join Devices Fails with "We can't open that page right now" error -Applies to: - -- Azure AD joined deployments -- Windows 10, version 1803 and later -- Windows 11 - PIN reset on Azure AD-joined devices uses a flow called web sign-in to authenticate the user above lock. Web sign in only allows navigation to specific domains. If it attempts to navigate to a domain that is not allowed it will show a page with the error message "We can't open that page right now". ### Identifying Azure AD joined PIN Reset Allowed Domains Issue diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md b/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md index 913d912198..34d860c531 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md @@ -1,29 +1,20 @@ --- -title: Windows Hello for Business Deployment Guide - On Premises Key Deployment -description: A guide to on premises, key trust Windows Hello for Business deployment. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium -ms.date: 08/20/2018 +title: Windows Hello for Business deployment guide for the on-premises key trust model +description: Learn how to deploy Windows Hello for Business in an on-premises, key trust model. +ms.date: 12/12/2022 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ On-premises deployment - - ✅ Key trust +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later +ms.topic: tutorial --- -# On Premises Key Trust Deployment +# Deployment guide overview - on-premises key trust -Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in an existing environment. +[!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)] -Below, you can find all the information you need to deploy Windows Hello for Business in a key trust model in your on-premises environment: +Windows Hello for Business replaces username and password authentication to Windows with an asymmetric key pair. This deployment guide provides the information to deploy Windows Hello for Business in an on-premises environment:: 1. [Validate Active Directory prerequisites](hello-key-trust-validate-ad-prereq.md) -2. [Validate and Configure Public Key Infrastructure](hello-key-trust-validate-pki.md) -3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-key-trust-adfs.md) -4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-key-trust-validate-deploy-mfa.md) -5. [Configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md) +1. [Validate and configure a PKI](hello-key-trust-validate-pki.md) +1. [Prepare and deploy AD FS](hello-key-trust-adfs.md) +1. [Validate and deploy multi-factor authentication (MFA)](hello-key-trust-validate-deploy-mfa.md) +1. [Configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md) \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md index 2f4234f9b6..5fe62506a6 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md @@ -1,204 +1,190 @@ --- -title: Deploying Certificates to Key Trust Users to Enable RDP -description: Learn how to deploy certificates to a Key Trust user to enable remote desktop with supplied credentials -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management +title: Deploy certificates for remote desktop sign-in +description: Learn how to deploy certificates to cloud Kerberos trust and key trust users, to enable remote desktop sign-in with supplied credentials. +ms.collection: + - ContentEngagementFY23 ms.topic: article -localizationpriority: medium -ms.date: 02/22/2021 +ms.date: 11/15/2022 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Key trust - - ✅ Cloud Kerberos trust +- ✅ Windows 10 and later --- -# Deploy Certificates to Key Trust and Cloud Kerberos Trust Users to Enable RDP +# Deploy certificates for remote desktop (RDP) sign-in -Windows Hello for Business supports using a certificate as the supplied credential when establishing a remote desktop connection to a server or other device. For certificate trust deployments, creation of this certificate occurs at container creation time. +This document describes Windows Hello for Business functionalities or scenarios that apply to: +- **Deployment type:** [!INCLUDE [hybrid](../../includes/hello-deployment-hybrid.md)] +- **Trust type:** [!INCLUDE [cloud-kerberos](../../includes/hello-trust-cloud-kerberos.md)], [!INCLUDE [key](../../includes/hello-trust-key.md)] +- **Join type:** [!INCLUDE [hello-join-aadj](../../includes/hello-join-aad.md)], [!INCLUDE [hello-join-hybrid](../../includes/hello-join-hybrid.md)] +--- -This document discusses an approach for key trust and cloud Kerberos trust deployments where authentication certificates can be deployed to an existing WHFB user. +Windows Hello for Business supports using a certificate as the supplied credential, when establishing a remote desktop connection to another Windows device. This document discusses three approaches for *cloud Kerberos trust* and *key trust* deployments, where authentication certificates can be deployed to an existing Windows Hello for Business user: -Three approaches are documented here: +- Deploy certificates to hybrid joined devices using an on-premises Active Directory Certificate Services enrollment policy +- Deploy certificates to hybrid or Azure AD-joined devices using Intune +- Work with third-party PKIs -1. Deploying a certificate to hybrid joined devices using an on-premises Active Directory certificate enrollment policy. - -1. Deploying a certificate to hybrid or Azure AD-joined devices using Simple Certificate Enrollment Protocol (SCEP) and Intune. - -1. Working with non-Microsoft enterprise certificate authorities. - -## Deploying a certificate to a hybrid joined device using an on-premises Active Directory Certificate enrollment policy - -### Create a Windows Hello for Business certificate template - -1. Sign in to your issuing certificate authority (CA). - -1. Open the **Certificate Authority** Console (%windir%\system32\certsrv.msc). - -1. In the left pane of the MMC, expand **Certification Authority (Local)**, and then expand your CA within the Certification Authority list. - -1. Right-click **Certificate Templates** and then click **Manage** to open the **Certificate Templates** console. - -1. Right-click the **Smartcard Logon** template and click **Duplicate Template** - - ![Duplicating Smartcard Template.](images/rdpcert/duplicatetemplate.png) - -1. On the **Compatibility** tab: - 1. Clear the **Show resulting changes** check box - 1. Select **Windows Server 2012 or Windows Server 2012 R2** from the Certification Authority list - 1. Select **Windows Server 2012 or Windows Server 2012 R2** from the Certification Recipient list - -1. On the **General** tab: - 1. Specify a Template display name, such as **WHfB Certificate Authentication** - 1. Set the validity period to the desired value - 1. Take note of the Template name for later, which should be the same as the Template display name minus spaces (**WHfBCertificateAuthentication** in this example). - -1. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**. - -1. On the **Subject Name** tab: - 1. Select the **Build from this Active Directory** information button if it is not already selected - 1. Select **Fully distinguished name** from the **Subject name format** list if Fully distinguished name is not already selected - 1. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name** -1. On the **Request Handling** tab: - 1. Select the **Renew with same key** check box - 1. Set the Purpose to **Signature and smartcard logon** - 1. Click **Yes** when prompted to change the certificate purpose - 1. Click **Prompt the user during enrollment** - -1. On the **Cryptography** tab: - 1. Set the Provider Category to **Key Storage Provider** - 1. Set the Algorithm name to **RSA** - 1. Set the minimum key size to **2048** - 1. Select **Requests must use one of the following providers** - 1. Tick **Microsoft Software Key Storage Provider** - 1. Set the Request hash to **SHA256** - -1. On the **Security** tab, add the security group that you want to give **Enroll** access to. For example, if you want to give access to all users, select the **Authenticated** users group, and then select Enroll permissions for them. - -1. Click **OK** to finalize your changes and create the new template. Your new template should now appear in the list of Certificate Templates. - -1. Close the Certificate Templates console. - -1. Open an elevated command prompt and change to a temporary working directory. - -1. Execute the following command: - - `certutil -dstemplate \ \> \.txt` - - Replace \ with the Template name you took note of earlier in step 7. - -1. Open the text file created by the command above. - 1. Delete the last line of the output from the file that reads **CertUtil: -dsTemplate command completed successfully.** - 1. Modify the line that reads **pKIDefaultCSPs = "1,Microsoft Software Key Storage Provider"** to **pKIDefaultCSPs = "1,Microsoft Passport Key Storage Provider"** - -1. Save the text file. - -1. Update the certificate template by executing the following command: - - certutil -dsaddtemplate \.txt - -1. In the Certificate Authority console, right-click **Certificate Templates**, select **New**, and select **Certificate Template to Issue** - - ![Selecting Certificate Template to Issue.](images/rdpcert/certificatetemplatetoissue.png) - -1. From the list of templates, select the template you previously created (**WHFB Certificate Authentication**) and click **OK**. It can take some time for the template to replicate to all servers and become available in this list. - -1. After the template replicates, in the MMC, right-click in the Certification Authority list, click **All Tasks** and then click **Stop Service**. Right-click the name of the CA again, click **All Tasks**, and then click **Start Service**. - -### Requesting a Certificate - -1. Ensure the hybrid Azure AD joined device has network line of sight to Active Directory domain controllers and the issuing certificate authority. - -1. Start the **Certificates – Current User** console (%windir%\system32\certmgr.msc). - -1. In the left pane of the MMC, right-click **Personal**, click **All Tasks**, and then click **Request New Certificate…** - - ![Request a new certificate.](images/rdpcert/requestnewcertificate.png) - -1. On the Certificate Enrollment screen, click **Next**. - -1. Under Select Certificate Enrollment Policy, ensure **Active Directory Enrollment Policy** is selected and then click **Next**. - -1. Under Request Certificates, click the check-box next to the certificate template you created in the previous section (WHfB Certificate Authentication) and then click **Enroll**. - -1. After a successful certificate request, click Finish on the Certificate Installation Results screen - -## Deploying a certificate to Hybrid or Azure AD Joined Devices using Simple Certificate Enrollment Protocol (SCEP) via Intune - -Deploying a certificate to Azure AD Joined Devices may be achieved with the Simple Certificate Enrollment Protocol (SCEP) via Intune. For guidance deploying the required infrastructure, refer to [Configure infrastructure to support SCEP certificate profiles with Microsoft Intune](/mem/intune/protect/certificates-scep-configure). - -Next you should deploy the root CA certificate (and any other intermediate certificate authority certificates) to Azure AD Joined Devices using a Trusted root certificate profile with Intune. For guidance, refer to [Create trusted certificate profiles in Microsoft Intune](/mem/intune/protect/certificates-trusted-root). - -Once these requirements have been met, a new device configuration profile may be configured from Intune that provisions a certificate for the user of the device. Proceed as follows: - -1. Sign in to the Microsoft [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). - -1. Navigate to Devices \> Configuration Profiles \> Create profile. - -1. Enter the following properties: - 1. For Platform, select **Windows 10 and later**. - 1. For Profile, select **SCEP Certificate**. - 1. Click **Create**. - -1. In **Basics**, enter the following parameters: - 1. **Name**: Enter a descriptive name for the profile. Name your profiles so you can easily identify them later. For example, a good profile name is SCEP profile for entire company. - 1. **Description**: Enter a description for the profile. This setting is optional, but recommended. - 1. Select **Next**. - -1. In the **Configuration settings**, complete the following: - 1. For Certificate Type, choose **User**. - 1. For Subject name format, set it to **CN={{UserPrincipalName}}**. - 1. Under Subject alternative name, select **User principal name (UPN)** from the drop-down menu and set the value to **CN={{UserPrincipalName}}**. - 1. For Certificate validity period, set a value of your choosing. - 1. For Key storage provider (KSP), choose **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)**. - 1. For Key usage, choose **Digital Signature**. - 1. For Key size (bits), choose **2048**. - 1. For Hash algorithm, choose **SHA-2**. - 1. Under Root Certificate, click **+Root Certificate** and select the trusted certificate profile you created earlier for the Root CA Certificate. - 1. Under Extended key usage, add the following: - - | Name | Object Identifier | Predefined Values | - |------|-------------------|-------------------| - | Smart Card Logon | 1.3.6.1.4.1.311.20.2.2 | Smart Card Logon | - | Client Authentication | 1.3.6.1.5.5.7.3.2 | Client Authentication | - - 1. For Renewal threshold (%), set a value of your choosing. - 1. For SCEP Server URLs, provide the public endpoint that you configured during the deployment of your SCEP infrastructure. - 1. Click **Next** -1. In Assignments, target the devices or users who should receive a certificate and click **Next** - -1. In Applicability Rules, provide additional issuance restrictions if required and click **Next** - -1. In Review + create, click **Create** - -Once the configuration profile has been created, targeted clients will receive the profile from Intune on their next refresh cycle. You should find a new certificate in the user store. To validate the certificate is present, do the following steps: - -1. Open the Certificates - Current User console (%windir%\system32\certmgr.msc) - -1. In the left pane of the MMC, expand **Personal** and select **Certificates** - -1. In the right-hand pane of the MMC, check for the new certificate +## Deploy certificates via Active Directory Certificate Services (AD CS) > [!NOTE] -> This infrastructure may also deploy the same certificates to co-managed or modern-managed Hybrid Azure Active Directory-Joined devices using Intune Policies. +> This process is applicable to *hybrid Azure AD joined* devices only. -## Using non-Microsoft Enterprise Certificate Authorities +To deploy certificates using an on-premises Active Directory Certificate Services enrollment policy, you must first create a *certificate template*, and then deploy certificates based on that template. -If you are using a Public Key Infrastructure that uses non-Microsoft services, the certificate templates published to the on-premises Active Directory may not be available. For guidance with integration of Intune/SCEP with non-Microsoft PKI deployments, refer to [Use third-party certification authorities (CA) with SCEP in Microsoft Intune](/mem/intune/protect/certificate-authority-add-scep-overview). +Expand the following sections to learn more about the process. -As an alternative to using SCEP or if none of the previously covered solutions will work in your environment, you can manually generate Certificate Signing Requests (CSR) for submission to your PKI. To assist with this approach, you can use the [Generate-CertificateRequest](https://www.powershellgallery.com/packages/Generate-CertificateRequest) PowerShell commandlet. +
                              +
                              +Create a Windows Hello for Business certificate template -The Generate-CertificateRequest commandlet will generate an .inf file for a pre-existing Windows Hello for Business key. The .inf can be used to generate a certificate request manually using certreq.exe. The commandlet will also generate a .req file, which can be submitted to your PKI for a certificate. +Follow these steps to create a certificate template: -## RDP Sign-in with Windows Hello for Business Certificate Authentication +1. Sign in to your issuing certificate authority (CA) and open *Server Manager* +1. Select **Tools > Certification Authority**. The Certification Authority Microsoft Management Console (MMC) opens +1. In the MMC, expand the CA name and right-click **Certificate Templates > Manage** +1. The Certificate Templates console opens. All of the certificate templates are displayed in the details pane +1. Right-click the **Smartcard Logon** template and select **Duplicate Template** +1. Use the following table to configure the template: -After adding the certificate using an approach from any of the previous sections, you should be able to RDP to any Windows device or server in the same Forest as the user’s on-premises Active Directory account, provided the PKI certificate chain for the issuing certificate authority is deployed to that target server. + | Tab Name | Configurations | + | --- | --- | + | *Compatibility* |
                              • Clear the **Show resulting changes** check box
                              • Select **Windows Server 2012 or Windows Server 2012 R2** from the *Certification Authority list*
                              • Select **Windows Server 2012 or Windows Server 2012 R2** from the *Certification Recipient list*
                              | + | *General* |
                              • Specify a **Template display name**, for example *WHfB Certificate Authentication*
                              • Set the validity period to the desired value
                              • Take note of the Template name for later, which should be the same as the Template display name minus spaces (*WHfBCertificateAuthentication* in this example)
                              | + | *Extensions* | Verify the **Application Policies** extension includes **Smart Card Logon**| + | *Subject Name* |
                              • Select the **Build from this Active Directory** information button if it isn't already selected
                              • Select **Fully distinguished name** from the **Subject name format** list if Fully distinguished name isn't already selected
                              • Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**

                              **Note:** If you deploy certificates via Intune, select **Supply in the request** instead of *Build from this Active Directory*.| + |*Request Handling*|
                              • Set the Purpose to **Signature and smartcard logon** and select **Yes** when prompted to change the certificate purpose
                              • Select the **Renew with same key** check box
                              • Select **Prompt the user during enrollment**
                              | + |*Cryptography*|
                              • Set the Provider Category to **Key Storage Provider**
                              • Set the Algorithm name to **RSA**
                              • Set the minimum key size to **2048**
                              • Select **Requests must use one of the following providers**
                              • Select **Microsoft Software Key Storage Provider**
                              • Set the Request hash to **SHA256**
                              | + |*Security*|Add the security group that you want to give **Enroll** access to. For example, if you want to give access to all users, select the **Authenticated** users group, and then select Enroll permissions for them| -1. Open the Remote Desktop Client (%windir%\system32\mstsc.exe) on the Hybrid Azure Active Directory-Joined client where the authentication certificate has been deployed. -1. Attempt an RDP session to a target server. -1. Use the certificate credential protected by your Windows Hello for Business gesture. +1. Select **OK** to finalize your changes and create the new template. Your new template should now appear in the list of Certificate Templates +1. Close the Certificate Templates console +1. Open an elevated command prompt and change to a temporary working directory +1. Execute the following command, replacing `` with the **Template display name** noted above + + ```cmd + certutil.exe -dstemplate > + ``` + +1. Open the text file created by the command above. + - Delete the last line of the output from the file that reads\ + `CertUtil: -dsTemplate command completed successfully.` + - Modify the line that reads\ + `pKIDefaultCSPs = "1,Microsoft Software Key Storage Provider"` to\ + `pKIDefaultCSPs = "1,Microsoft Passport Key Storage Provider"` +1. Save the text file +1. Update the certificate template by executing the following command: + + ```cmd + certutil.exe -dsaddtemplate + ``` + +1. In the Certificate Authority console, right-click **Certificate Templates**, select **New > Certificate Template to Issue** +1. From the list of templates, select the template you previously created (**WHFB Certificate Authentication**) and select **OK**. It can take some time for the template to replicate to all servers and become available in this list +1. After the template replicates, in the MMC, right-click in the Certification Authority list, select **All Tasks > Stop Service**. Right-click the name of the CA again, select **All Tasks > Start Service** + +
                              + +
                              +
                              +Request a certificate + +1. Sign in to a client that is hybrid Azure AD joined, ensuring that the client has line of sight to a domain controller and the issuing CA +1. Open the **Certificates - Current User** Microsoft Management Console (MMC). To do so, you can execute the command `certmgr.msc` +1. In the left pane of the MMC, right-click **Personal > All Tasks > Request New Certificate…** +1. On the Certificate Enrollment screen, select **Next** +1. Under *Select Certificate Enrollment Policy*, select **Active Directory Enrollment Policy > Next** +1. Under *Request Certificates*, select the check-box for the certificate template you created in the previous section (*WHfB Certificate Authentication*) and then select **Enroll** +1. After a successful certificate request, select **Finish** on the Certificate Installation Results screen + +
                              + +## Deploy certificates via Intune + +> [!NOTE] +> This process is applicable to both *Azure AD joined* and *hybrid Azure AD joined* devices that are managed via Intune. + +Deploying a certificate to Azure AD joined or hybrid Azure AD joined devices may be achieved using the Simple Certificate Enrollment Protocol (SCEP) or PKCS (PFX) via Intune. For guidance deploying the required infrastructure, refer to: + +- [Configure infrastructure to support SCEP certificate profiles with Microsoft Intune][MEM-1] +- [Configure and use PKCS certificates with Intune][MEM-2] + +Next, you should deploy the root CA certificate (and any other intermediate certificate authority certificates) to Azure AD joined Devices using a *Trusted root certificate* policy with Intune. For guidance, refer to [Create trusted certificate profiles in Microsoft Intune][MEM-5]. + +Once these requirements are met, a policy can be configured in Intune that provisions certificates for the users on the targeted device. + +
                              +
                              +Create a policy in Intune + +This section describes how to configure a SCEP policy in Intune. Similar steps can be followed to configure a PKCS policy. + +1. Go to the Microsoft Endpoint Manager admin center +1. Select **Devices > Configuration profiles > Create profile** +1. Select **Platform > Windows 10 and later** and **Profile type > Templates > SCEP Certificate** +1. Select **Create** +1. In the *Basics* panel, provide a **Name** and, optionally, a **Description > Next** +1. In the *Configuration settings* panel, use the following table to configure the policy: + + | Setting| Configurations | + | --- | --- | + |*Certificate Type*| User | + |*Subject name format* | `CN={{UserPrincipalName}}` | + |*Subject alternative name* |From the dropdown, select **User principal name (UPN)** with a value of `{{UserPrincipalName}}` + |*Certificate validity period* | Configure a value of your choosing| + |*Key storage provider (KSP)* | **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)** + |*Key usage*| **Digital Signature**| + |*Key size (bits)* | **2048**| + |*For Hash algorithm*|**SHA-2**| + |*Root Certificate*| Select **+Root Certificate** and select the trusted certificate profile created earlier for the Root CA Certificate| + |*Extended key usage*|
                              • *Name:* **Smart Card Logon**
                              • *Object Identifier:* `1.3.6.1.4.1.311.20.2.2`
                              • *Predefined Values:* **Not configured**

                              • *Name:* **Client Authentication**
                              • *Object Identifier:* `1.3.6.1.5.5.7.3.2 `
                              • *Predefined Values:* **Client Authentication**
                              | + |*Renewal threshold (%)*|Configure a value of your choosing| + |*SCEP Server URLs*|Provide the public endpoint(s) that you configured during the deployment of your SCEP infrastructure| + +1. Select **Next** +1. In the *Assignments* panel, assign the policy to a security group that contains as members the devices or users that you want to configure and select **Next** +1. In the *Applicability Rules* panel, configure issuance restrictions, if needed, and select **Next** +1. In the *Review + create* panel, review the policy configuration and select **Create** + +For more information how to configure SCEP policies, see [Configure SCEP certificate profiles in Intune][MEM-3]. +To configure PKCS policies, see [Configure and use PKCS certificate with Intune][MEM-4]. + +
                              + +
                              +
                              +Request a certificate +Once the Intune policy is created, targeted clients will request a certificate during their next policy refresh cycle. To validate that the certificate is present in the user store, follow these steps: + +1. Sign in to a client targeted by the Intune policy +1. Open the **Certificates - Current User** Microsoft Management Console (MMC). To do so, you can execute the command `certmgr.msc` +1. In the left pane of the MMC, expand **Personal** and select **Certificates** +1. In the right-hand pane of the MMC, check for the new certificate + +
                              + +## Use third-party certification authorities + +If you're using a non-Microsoft PKI, the certificate templates published to the on-premises Active Directory may not be available. For guidance with integration of Intune/SCEP with non-Microsoft PKI deployments, refer to [Use third-party certification authorities (CA) with SCEP in Microsoft Intune][MEM-6]. + +As an alternative to using SCEP or if none of the previously covered solutions will work in your environment, you can manually generate Certificate Signing Requests (CSR) for submission to your PKI. To assist with this approach, you can use the [Generate-CertificateRequest][HTTP-1] PowerShell commandlet. + +The `Generate-CertificateRequest` commandlet will generate an *.inf* file for a pre-existing Windows Hello for Business key. The *.inf* can be used to generate a certificate request manually using `certreq.exe`. The commandlet will also generate a *.req* file, which can be submitted to your PKI for a certificate. + +## RDP sign-in with Windows Hello for Business certificate authentication + +After obtaining a certificate, users can RDP to any Windows devices in the same Active Directory forest as the user's Active Directory account. + +> [!NOTE] +> The certificate chain of the issuing CA must be trusted by the target server. + +1. Open the Remote Desktop Client (`mstsc.exe`) on the client where the authentication certificate has been deployed +1. Attempt an RDP session to a target server +1. Use the certificate credential protected by your Windows Hello for Business gesture to authenticate + +[MEM-1]: /mem/intune/protect/certificates-scep-configure +[MEM-2]: /mem/intune/protect/certificates-pfx-configure +[MEM-3]: /mem/intune/protect/certificates-profile-scep +[MEM-4]: /mem/intune/protect/certificates-pfx-configure +[MEM-5]: /mem/intune/protect/certificates-trusted-root +[MEM-6]: /mem/intune/protect/certificate-authority-add-scep-overview + +[HTTP-1]: https://www.powershellgallery.com/packages/Generate-CertificateRequest diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md index 200d0eba93..e1b28aec6f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md +++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md @@ -1,19 +1,10 @@ --- title: Windows Hello errors during PIN creation (Windows) description: When you set up Windows Hello in Windows 10/11, you may get an error during the Create a work PIN step. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: - - M365-identity-device-management ms.topic: troubleshooting -ms.localizationpriority: medium ms.date: 05/05/2018 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 +- ✅ Windows 10 and later --- # Windows Hello errors during PIN creation diff --git a/windows/security/identity-protection/hello-for-business/hello-event-300.md b/windows/security/identity-protection/hello-for-business/hello-event-300.md index aa8a027b1f..484985c43d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-event-300.md +++ b/windows/security/identity-protection/hello-for-business/hello-event-300.md @@ -1,18 +1,10 @@ --- title: Event ID 300 - Windows Hello successfully created (Windows) description: This event is created when a Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD). -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -ms.localizationpriority: medium ms.date: 07/27/2017 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 +- ✅ Windows 10 and later +ms.topic: article --- # Event ID 300 - Windows Hello successfully created diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 91cd2ed308..7d673787ba 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml @@ -1,10 +1,10 @@ ### YamlMime:FAQ metadata: title: Windows Hello for Business Frequently Asked Questions (FAQ) - description: Use these frequently asked questions (FAQ) to learn important details about Windows Hello for Business. + description: Use these frequently asked questions (FAQ) to learn important details about Windows Hello for Business. keywords: identity, PIN, biometric, Hello, passport - ms.prod: m365-security - ms.mktglfcycl: deploy + ms.prod: windows-client + ms.technology: itpro-security ms.sitesec: library ms.pagetype: security, mobile audience: ITPro @@ -13,14 +13,12 @@ metadata: manager: aaroncz ms.reviewer: prsriva ms.collection: - - M365-identity-device-management - highpri ms.topic: faq localizationpriority: medium - ms.date: 02/21/2022 - appliesto: - - ✅ Windows 10 - - ✅ Windows 11 + ms.date: 11/11/2022 + appliesto: + - ✅ Windows 10 and later title: Windows Hello for Business Frequently Asked Questions (FAQ) summary: | @@ -31,16 +29,16 @@ sections: - question: What is Windows Hello for Business cloud Kerberos trust? answer: | - Windows Hello for Business cloud Kerberos trust is a new trust model that is currently in preview. This trust model will enable Windows Hello for Business deployment using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD-joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). cloud Kerberos trust is the preferred deployment model if you do not need to support certificate authentication scenarios. For more information, see [Hybrid cloud Kerberos trust Deployment (Preview)](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust). + Windows Hello for Business *cloud Kerberos trust* is a **trust model** that enables Windows Hello for Business deployment using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD-joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). Cloud Kerberos trust is the preferred deployment model if you do not need to support certificate authentication scenarios. For more information, see [cloud Kerberos trust deployment](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust). - question: What about virtual smart cards? answer: | - Windows Hello for Business is the modern, two-factor credential for Windows 10. Microsoft will be deprecating virtual smart cards in the future, but no date is set at this time. Customers using Windows 10 and virtual smart cards should move to Windows Hello for Business. Microsoft will publish the date early to ensure customers have adequate lead time to move to Windows Hello for Business. Microsoft recommends that new Windows 10 deployments use Windows Hello for Business. Virtual smart cards remain supported for Windows 7 and Windows 8. + Windows Hello for Business is the modern, two-factor credential for Windows. Microsoft will be deprecating virtual smart cards in the future, but no date is set at this time. Customers using virtual smart cards should move to Windows Hello for Business. Microsoft will publish the date early to ensure customers have adequate lead time to move to Windows Hello for Business. Microsoft recommends that new Windows deployments use Windows Hello for Business. - question: What about convenience PIN? answer: | - Microsoft is committed to its vision of a world without passwords. We recognize the *convenience* provided by convenience PIN, but it stills uses a password for authentication. Microsoft recommends that customers using Windows 10 and convenience PINs should move to Windows Hello for Business. New Windows 10 deployments should deploy Windows Hello for Business and not convenience PINs. Microsoft will be deprecating convenience PINs in the future and will publish the date early to ensure customers have adequate lead time to deploy Windows Hello for Business. + While *convenience PIN* provides a convenient way to sign in to Windows, it stills uses a password for authentication. Customers using *convenience PINs* should move to **Windows Hello for Business**. New Windows deployments should deploy Windows Hello for Business and not convenience PINs. Microsoft will be deprecating convenience PINs in the future and will publish the date early to ensure customers have adequate lead time to deploy Windows Hello for Business. - question: Can I use Windows Hello for Business key trust and RDP? answer: | @@ -58,15 +56,31 @@ sections: - question: How many users can enroll for Windows Hello for Business on a single Windows 10 computer? answer: | The maximum number of supported enrollments on a single Windows 10 computer is 10. This lets 10 users each enroll their face and up to 10 fingerprints. For devices with more than 10 users, we strongly encourage the use of FIDO2 security keys. + + - question: Can I use Windows Hello for Business credentials in private browser mode or "incognito" mode? + answer: | + Windows Hello for Business credentials need access to device state, which is not available in private browser mode or incognito mode. Hence it can't be used in private browser or Incognito mode. - question: How can a PIN be more secure than a password? answer: | - When using Windows Hello for Business, the PIN isn't a symmetric key, whereas the password is a symmetric key. With passwords, there's a server that has some representation of the password. With Windows Hello for Business, the PIN is user-provided entropy used to load the private key in the Trusted Platform Module (TPM). The server doesn't have a copy of the PIN. For that matter, the Windows client doesn't have a copy of the current PIN either. The user must provide the entropy, the TPM-protected key, and the TPM that generated that key in order to successfully access the private key. + When using Windows Hello for Business, the PIN isn't a symmetric key, whereas the password is a symmetric key. With passwords, there's a server that has some representation of the password. With Windows Hello for Business, the PIN is user-provided entropy used to load the private key in the Trusted Platform Module (TPM). The server doesn't have a copy of the PIN. For that matter, the Windows client doesn't have a copy of the current PIN either. The user must provide the entropy, the TPM-protected key, and the TPM that generated that key in order to successfully access the private key. The statement "PIN is stronger than Password" is not directed at the strength of the entropy used by the PIN. It's about the difference between providing entropy versus continuing the use of a symmetric key (the password). The TPM has anti-hammering features that thwart brute-force PIN attacks (an attacker's continuous attempt to try all combination of PINs). Some organizations may worry about shoulder surfing. For those organizations, rather than increase the complexity of the PIN, implement the [Multifactor Unlock](feature-multifactor-unlock.md) feature. - + + - question: What's a container? + answer: | + In the context of Windows Hello for Business, it's shorthand for a logical grouping of key material or data. Windows Hello uses a single container that holds user key material for personal accounts, including key material associated with the user's Microsoft account or with other consumer identity providers, and credentials associated with a workplace or school account. + The container holds enterprise credentials only on devices that have been registered with an organization; it contains key material for the enterprise IDP, such as on-premises Active Directory or Azure AD. + Note that there are no physical containers on disk, in the registry, or elsewhere. Containers are logical units used to group related items. The keys, certificates, and credentials of Windows Hello stores, are protected without the creation of actual containers or folders. + The container contains a set of keys, some of which are used to protect other keys. The following image shows an example: the protector key is used to encrypt the authentication key, and the authentication key is used to encrypt the individual keys stored in the container. Each logical container holds one or more sets of keys.\ + :::image type="content" source="images/passport-fig3-logicalcontainer.png" alt-text="logical container with set of keys"::: + + - question: How do I delete a Windows Hello for Business container on a device? + answer: | + You can effectively disable Windows Hello for Business by launching `certutil.exe -deleteHelloContainer` on the end device under a user account, and then restarting the device. + - question: How does Windows Hello for Business work with Azure AD registered devices? answer: | - A user will be prompted to set up a Windows Hello for Business key on an Azure AD registered devices if the feature is enabled by policy. If the user has an existing Windows Hello container, the Windows Hello for Business key will be enrolled in that container and will be protected using their exiting gestures. + A user will be prompted to set up a Windows Hello for Business key on an Azure AD registered devices if the feature is enabled by policy. If the user has an existing Windows Hello container, the Windows Hello for Business key will be enrolled in that container and will be protected using their existing gestures. If a user has signed into their Azure AD registered device with Windows Hello, their Windows Hello for Business key will be used to authenticate the user's work identity when they try to use Azure AD resources. The Windows Hello for Business key meets Azure AD multi-factor authentication (MFA) requirements and reduces the number of MFA prompts users will see when accessing resources. @@ -80,7 +94,7 @@ sections: - question: Can I use a convenience PIN with Azure Active Directory? answer: | - It's currently possible to set a convenience PIN on Azure Active Directory Joined or Hybrid Active Directory Joined devices. Convenience PIN isn't supported for Azure Active Directory user accounts (synchronized identities included). It's only supported for on-premises Domain Joined users and local account users. + It's currently possible to set a convenience PIN on Azure Active Directory Joined or Hybrid Active Directory Joined devices. However, convenience PIN isn't supported for Azure Active Directory user accounts (synchronized identities included). It's only supported for on-premises Domain Joined users and local account users. - question: Can I use an external Windows Hello compatible camera when my computer has a built-in Windows Hello compatible camera? answer: | @@ -88,7 +102,7 @@ sections: - question: Can I use an external Windows Hello compatible camera or other Windows Hello compatible accessory when my laptop lid is closed or docked? answer: | - Some laptops and tablets with keyboards that close may not use an external Windows Hello compatible camera or other Windows Hello compatible accessory when the computer is docked with the lid closed. The issue has been addressed in the latest Windows Insiders builds and will be available in the future version of Windows 11. + Some laptops and tablets with keyboards that close may not use an external Windows Hello compatible camera or other Windows Hello compatible accessory when the computer is docked with the lid closed. The issue has been addressed in Windows 11, version 22H2. - question: Why does authentication fail immediately after provisioning hybrid key trust? answer: | @@ -155,7 +169,7 @@ sections: - question: Where is Windows Hello biometrics data stored? answer: | - When you enroll in Windows Hello, a representation of your face called an enrollment profile is created more information can be found on [Windows Hello face authentication](/windows-hardware/design/device-experiences/windows-hello-face-authentication). This enrollment profile biometrics data is device specific, is stored locally on the device, and does not leave the device or roam with the user. Some external fingerprint sensors store biometric data on the fingerprint module itself rather than on Windows device. Even in this case, the biometrics data is stored locally on those modules, is device specific, doesn't roam, never leaves the module, and is never sent to Microsoft cloud or external server. For more details, see [Windows Hello biometrics in the enterprise](/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise#where-is-windows-hello-data-stored). + When you enroll in Windows Hello, a representation of your face called an enrollment profile is created more information can be found on [Windows Hello face authentication](/windows-hardware/design/device-experiences/windows-hello-face-authentication). This enrollment profile biometrics data is device specific, is stored locally on the device, and does not leave the device or roam with the user. Some external fingerprint sensors store biometric data on the fingerprint module itself rather than on Windows device. Even in this case, the biometrics data is stored locally on those modules, is device specific, doesn't roam, never leaves the module, and is never sent to Microsoft cloud or external server. For more details, see [Windows Hello biometrics in the enterprise](/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise#where-is-windows-hello-data-stored). - question: What is the format used to store Windows Hello biometrics data on the device? answer: | @@ -199,7 +213,7 @@ sections: - question: I have extended Active Directory to Azure Active Directory. Can I use the on-premises deployment model? answer: | - No. If your organization is federated or using online services, such as Azure AD Connect, Office 365, or OneDrive, then you must use a hybrid deployment model. On-premises deployments are exclusive to organizations who need more time before moving to the cloud and exclusively use Active Directory. + No. If your organization is using Microsoft cloud services, then you must use a hybrid deployment model. On-premises deployments are exclusive to organizations who need more time before moving to the cloud and exclusively use Active Directory. - question: Does Windows Hello for Business prevent the use of simple PINs? answer: | @@ -219,9 +233,9 @@ sections: - question: How does PIN caching work with Windows Hello for Business? answer: | - Windows Hello for Business provides a PIN caching user experience by using a ticketing system. Rather than caching a PIN, processes cache a ticket they can use to request private key operations. Azure AD and Active Directory sign-in keys are cached under lock. This means the keys remain available for use without prompting, as long as the user is interactively signed-in. Microsoft Account sign-in keys are transactional keys, which means the user is always prompted when accessing the key. + Windows Hello for Business provides a PIN caching user experience by using a ticketing system. Rather than caching a PIN, processes cache a ticket they can use to request private key operations. Azure AD and Active Directory sign-in keys are cached under lock. This means the keys remain available for use without prompting, as long as the user is interactively signed-in. Microsoft Account sign-in keys are transactional keys, which means the user is always prompted when accessing the key. - Beginning with Windows 10, version 1709, Windows Hello for Business used as a smart card (smart card emulation that is enabled by default) provides the same user experience of default smart card PIN caching. Each process requesting a private key operation will prompt the user for the PIN on first use. Subsequent private key operations won't prompt the user for the PIN. + Beginning with Windows 10, version 1709, Windows Hello for Business used as a smart card (smart card emulation that is enabled by default) provides the same user experience of default smart card PIN caching. Each process requesting a private key operation will prompt the user for the PIN on first use. Subsequent private key operations won't prompt the user for the PIN. The smart card emulation feature of Windows Hello for Business verifies the PIN and then discards the PIN in exchange for a ticket. The process doesn't receive the PIN, but rather the ticket that grants them private key operations. Windows 10 doesn't provide any Group Policy settings to adjust this caching. @@ -248,7 +262,7 @@ sections: Windows Hello for Business works with any third-party federation servers that support the protocols used during the provisioning experience.

                              | Protocol | Description | - | :---: | :--- | + | :--- | :--- | | [[MS-KPP]: Key Provisioning Protocol](/openspecs/windows_protocols/ms-kpp/25ff7bd8-50e3-4769-af23-bcfd0b4d4567) | Specifies the Key Provisioning Protocol, which defines a mechanism for a client to register a set of cryptographic keys on a user and device pair. | | [[MS-OAPX]: OAuth 2.0 Protocol Extensions](/openspecs/windows_protocols/ms-oapx/7612efd4-f4c8-43c3-aed6-f5c5ce359da2)| Specifies the OAuth 2.0 Protocol Extensions, which are used to extend the OAuth 2.0 Authorization Framework. These extensions enable authorization features such as resource specification, request identifiers, and log in hints. | | [[MS-OAPXBC]: OAuth 2.0 Protocol Extensions for Broker Clients](/openspecs/windows_protocols/ms-oapxbc/2f7d8875-0383-4058-956d-2fb216b44706) | Specifies the OAuth 2.0 Protocol Extensions for Broker Clients, extensions to RFC6749 (the OAuth 2.0 Authorization Framework) that allow a broker client to obtain access tokens on behalf of calling clients. | diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md b/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md index 2f6fbbe9f5..a96e6d66b5 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md @@ -1,15 +1,10 @@ --- title: Conditional Access description: Ensure that only approved users can access your devices, applications, and services from anywhere by enabling single sign-on with Azure Active Directory. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 09/09/2019 +appliesto: +- ✅ Windows 10 and later +ms.topic: article --- # Conditional access diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md index 9e5806c9c3..adfbe58657 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md @@ -1,15 +1,10 @@ --- title: Dual Enrollment description: Learn how to configure Windows Hello for Business dual enrollment. Also, learn how to configure Active Directory to support Domain Administrator enrollment. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 09/09/2019 +appliesto: +- ✅ Windows 10 and later +ms.topic: article --- # Dual Enrollment @@ -18,7 +13,6 @@ ms.date: 09/09/2019 * Hybrid and On-premises Windows Hello for Business deployments * Enterprise joined or Hybrid Azure joined devices -* Windows 10, version 1709 or later * Certificate trust > [!NOTE] diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md index 12f635cba9..6bae92fc12 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md @@ -1,18 +1,10 @@ --- title: Dynamic lock description: Learn how to set Dynamic lock on Windows 10 and Windows 11 devices, by configuring group policies. This feature locks a device when a Bluetooth signal falls below a set value. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 07/12/2022 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 +- ✅ Windows 10 and later +ms.topic: article --- # Dynamic lock diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md index d44b2c01e7..e1aa2e7acb 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md @@ -1,20 +1,12 @@ --- title: Pin Reset description: Learn how Microsoft PIN reset services enable you to help users recover who have forgotten their PIN. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva ms.collection: - - M365-identity-device-management - highpri -ms.topic: article -localizationpriority: medium ms.date: 07/29/2022 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 +- ✅ Windows 10 and later +ms.topic: article --- # PIN reset @@ -30,11 +22,6 @@ There are two forms of PIN reset: There are two forms of PIN reset called destructive and non-destructive. Destructive PIN reset is the default and doesn't require configuration. During a destructive PIN reset, the user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, will be deleted from the client and a new logon key and PIN are provisioned. For non-destructive PIN reset, you must deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature. During a non-destructive PIN reset, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed. -**Requirements** - -- Reset from settings - Windows 10, version 1703 or later, Windows 11 -- Reset above Lock - Windows 10, version 1709 or later, Windows 11 - Destructive and non-destructive PIN reset use the same steps for initiating a PIN reset. If users have forgotten their PINs, but have an alternate sign-in method, they can navigate to Sign-in options in *Settings* and initiate a PIN reset from the PIN options. If users don't have an alternate way to sign into their devices, PIN reset can also be initiated from the Windows lock screen in the PIN credential provider. @@ -184,7 +171,11 @@ You can configure Windows devices to use the **Microsoft PIN Reset Service** usi - Value: **True** >[!NOTE] -> You must replace `TenantId` with the identifier of your Azure Active Directory tenant. +> You must replace `TenantId` with the identifier of your Azure Active Directory tenant. To look up your Tenant ID, see [How to find your Azure Active Directory tenant ID](/azure/active-directory/fundamentals/active-directory-how-to-find-tenant) or try the following, ensuring to sign-in with your organization's account:: + +```msgraph-interactive +GET https://graph.microsoft.com/v1.0/organization?$select=id +``` --- diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md index 7df9f23a47..2281821bdc 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md @@ -1,23 +1,15 @@ --- title: Remote Desktop description: Learn how Windows Hello for Business supports using biometrics with remote desktop -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 02/24/2021 +appliesto: +- ✅ Windows 10 and later +ms.topic: article --- # Remote Desktop **Requirements** - -- Windows 10 -- Windows 11 - Hybrid and On-premises Windows Hello for Business deployments - Azure AD joined, Hybrid Azure AD joined, and Enterprise joined devices diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md index d255b5fc1a..27dde9400e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md @@ -1,18 +1,10 @@ --- title: How Windows Hello for Business works - Authentication description: Learn about the authentication flow for Windows Hello for Business. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 02/15/2022 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 +- ✅ Windows 10 and later +ms.topic: article --- # Windows Hello for Business and Authentication diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md index 2f167aa675..6d250848d5 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md @@ -1,18 +1,10 @@ --- title: How Windows Hello for Business works - Provisioning description: Explore the provisioning flows for Windows Hello for Business, from within a variety of environments. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 2/15/2022 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 +- ✅ Windows 10 and later +ms.topic: article --- # Windows Hello for Business Provisioning diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md index 17d08a88d2..7bec9c2543 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md @@ -1,18 +1,10 @@ --- title: How Windows Hello for Business works - technology and terms description: Explore technology and terms associated with Windows Hello for Business. Learn how Windows Hello for Business works. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 10/08/2018 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 +- ✅ Windows 10 and later +ms.topic: article --- # Technology and terms @@ -78,6 +70,7 @@ The certificate trust model uses a securely issued certificate based on the user - [Deployment type](#deployment-type) - [Hybrid Azure AD join](#hybrid-azure-ad-join) - [Hybrid deployment](#hybrid-deployment) +- [Cloud Kerberos trust](#cloud-kerberos-trust) - [Key trust](#key-trust) - [On-premises deployment](#on-premises-deployment) - [Trust type](#trust-type) @@ -110,6 +103,26 @@ In Windows 10 and Windows 11, cloud experience host is an application used while [Windows Hello for Business and device registration](./hello-how-it-works-device-registration.md) +## Cloud Kerberos trust + +The cloud Kerberos trust model offers a simplified deployment experience, when compared to the other trust types.\ +With cloud Kerberos trust, there's no need to deploy certificates to the users or to the domain controllers, which is ideal for environments without an existing PKI. + +Giving the simplicity offered by this model, cloud Kerberos trust is the recommended model when compared to the key trust model. It is also the preferred deployment model if you do not need to support certificate authentication scenarios. + +### Related to cloud Kerberos trust + +- [Deployment type](#deployment-type) +- [Hybrid Azure AD join](#hybrid-azure-ad-join) +- [Hybrid deployment](#hybrid-deployment) +- [Key trust](#key-trust) +- [On-premises deployment](#on-premises-deployment) +- [Trust type](#trust-type) + +### More information about cloud Kerberos trust + +[Cloud Kerberos trust deployment](hello-hybrid-cloud-kerberos-trust.md) + ## Deployment type Windows Hello for Business has three deployment models to accommodate the needs of different organizations. The three deployment models include: @@ -157,7 +170,7 @@ For certain devices that use firmware-based TPM produced by Intel or Qualcomm, t ## Federated environment -Primarily for large enterprise organizations with more complex authentication requirements, on-premises directory objects are synchronized with Azure AD and users accounts are managed on-premises. With AD FS, users have the same password on-premises and in the cloud and they don't have to sign in again to use Office 365 or other Azure-based applications. This federated authentication model can provide extra authentication requirements, such as smart card-based authentication or a third-party multi-factor authentication and is typically required when organizations have an authentication requirement not natively supported by Azure AD. +Primarily for large enterprise organizations with more complex authentication requirements, on-premises directory objects are synchronized with Azure AD and users accounts are managed on-premises. With AD FS, users have the same password on-premises and in the cloud and they don't have to sign in again to use Microsoft cloud services. This federated authentication model can provide extra authentication requirements, such as smart card-based authentication or a third-party multi-factor authentication and is typically required when organizations have an authentication requirement not natively supported by Azure AD. ### Related to federated environment @@ -193,7 +206,7 @@ If your environment has an on-premises AD footprint and you also want benefit fr ## Hybrid deployment -The Windows Hello for Business hybrid deployment is for organizations that have both on-premises and cloud resources that are accessed using a managed or federated identity that's synchronized with Azure AD. Hybrid deployments support devices that are Azure AD-registered, Azure AD-joined, and hybrid Azure AD-joined. The Hybrid deployment model supports two trust types for on-premises authentication, key trust and certificate trust. +The Windows Hello for Business hybrid deployment is for organizations that have both on-premises and cloud resources that are accessed using a managed or federated identity that's synchronized with Azure AD. Hybrid deployments support devices that are Azure AD-registered, Azure AD-joined, and hybrid Azure AD-joined. The Hybrid deployment model supports three trust types for on-premises authentication: cloud Kerberos trust, key trust and certificate trust. ### Related to hybrid deployment @@ -231,6 +244,7 @@ The key trust model uses the user's Windows Hello for Business identity to authe ### Related to key trust +- [Cloud Kerberos trust](#cloud-kerberos-trust) - [Certificate trust](#certificate-trust) - [Deployment type](#deployment-type) - [Hybrid Azure AD join](#hybrid-azure-ad-join) @@ -268,7 +282,7 @@ The Windows Hello for Business on-premises deployment is for organizations that ## Pass-through authentication -Pass-through authentication provides a simple password validation for Azure AD authentication services. It uses a software agent that runs on one or more on-premises servers to validate the users directly with your on-premises Active Directory. With pass-through authentication (PTA), you synchronize on-premises Active Directory user account objects with Office 365 and manage your users on-premises. Allows your users to sign in to both on-premises and Office 365 resources and applications using their on-premises account and password. This configuration validates users' passwords directly against your on-premises Active Directory without sending password hashes to Office 365. Companies with a security requirement to immediately enforce on-premises user account states, password policies, and sign-in hours would use this authentication method. With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network. +Pass-through authentication provides a simple password validation for Azure AD authentication services. It uses a software agent that runs on one or more on-premises servers to validate the users directly with your on-premises Active Directory. With pass-through authentication (PTA), you synchronize on-premises Active Directory user account objects with Azure AD and manage your users on-premises. Allows your users to sign in to both on-premises and Microsoft cloud resources and applications using their on-premises account and password. This configuration validates users' passwords directly against your on-premises Active Directory without sending password hashes to Azure AD. Companies with a security requirement to immediately enforce on-premises user account states, password policies, and sign-in hours would use this authentication method. With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network. ### Related to pass-through authentication @@ -282,7 +296,7 @@ Pass-through authentication provides a simple password validation for Azure AD a ## Password hash sync -Password hash sync is the simplest way to enable authentication for on-premises directory objects in Azure AD. With password hash sync (PHS), you synchronize your on-premises Active Directory user account objects with Office 365 and manage your users on-premises. Hashes of user passwords are synchronized from your on-premises Active Directory to Azure AD so that the users have the same password on-premises and in the cloud. When passwords are changed or reset on-premises, the new password hashes are synchronized to Azure AD so that your users can always use the same password for cloud resources and on-premises resources. The passwords are never sent to Azure AD or stored in Azure AD in clear text. Some premium features of Azure AD, such as Identity Protection, require PHS regardless of which authentication method is selected. With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network. +Password hash sync is the simplest way to enable authentication for on-premises directory objects in Azure AD. With password hash sync (PHS), you synchronize your on-premises Active Directory user account objects with Azure AD and manage your users on-premises. Hashes of user passwords are synchronized from your on-premises Active Directory to Azure AD so that the users have the same password on-premises and in the cloud. When passwords are changed or reset on-premises, the new password hashes are synchronized to Azure AD so that your users can always use the same password for cloud resources and on-premises resources. The passwords are never sent to Azure AD or stored in Azure AD in clear text. Some premium features of Azure AD, such as Identity Protection, require PHS regardless of which authentication method is selected. With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network. ### Related to password hash sync @@ -322,6 +336,7 @@ The trust type determines how a user authenticates to the Active Directory to ac ### Related to trust type +- [Cloud Kerberos trust](#cloud-kerberos-trust) - [Certificate trust](#certificate-trust) - [Hybrid deployment](#hybrid-deployment) - [Key trust](#key-trust) diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md index 3615e97d8f..9f3670151c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md @@ -1,22 +1,14 @@ --- title: How Windows Hello for Business works description: Learn how Windows Hello for Business works, and how it can help your users authenticate to services. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 05/05/2018 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 +- ✅ Windows 10 and later +ms.topic: article --- # How Windows Hello for Business works in Windows Devices -Windows Hello for Business is a modern, two-factor credential that is the more secure alternative to passwords. Whether you are cloud or on-premises, Windows Hello for Business has a deployment option for you. For cloud deployments, you can use Windows Hello for Business with Azure Active Directory-joined, Hybrid Azure Active Directory-joined, or Azure AD registered devices. Windows Hello for Business also works for domain joined devices. +Windows Hello for Business is a two-factor credential that is a more secure alternative to passwords. Whether you are cloud or on-premises, Windows Hello for Business has a deployment option for you. For cloud deployments, you can use Windows Hello for Business with Azure Active Directory-joined, Hybrid Azure Active Directory-joined, or Azure AD registered devices. Windows Hello for Business also works for domain joined devices. Watch this quick video where Pieter Wigleven gives a simple explanation of how Windows Hello for Business works and some of its supporting features. > [!VIDEO https://www.youtube.com/embed/G-GJuDWbBE8] diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index 37f7b13e82..a53b5977d6 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md @@ -1,24 +1,15 @@ --- title: Configure Azure AD-joined devices for On-premises Single-Sign On using Windows Hello for Business description: Before adding Azure Active Directory (Azure AD) joined devices to your existing hybrid deployment, you need to verify the existing deployment can support them. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: - - M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 01/14/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Azure Active Directory-join - - ✅ Hybrid Deployment - - ✅ Key trust +- ✅ Windows 10 and later +ms.topic: article --- # Configure Azure AD-joined devices for On-premises Single-Sign On using Windows Hello for Business + +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-keycert-trust-aad.md)] + ## Prerequisites Before adding Azure Active Directory (Azure AD) joined devices to your existing hybrid deployment, you need to verify the existing deployment can support Azure AD-joined devices. Unlike hybrid Azure AD-joined devices, Azure AD-joined devices don't have a relationship with your Active Directory domain. This factor changes the way in which users authenticate to Active Directory. Validate the following configurations to ensure they support Azure AD-joined devices. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 9dbec8914c..e8e87a1d23 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -1,25 +1,16 @@ --- -title: Using Certificates for AADJ On-premises Single-sign On single sign-on +title: Use Certificates to enable SSO for Azure AD join devices description: If you want to use certificates for on-premises single-sign on for Azure Active Directory-joined devices, then follow these additional steps. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 08/19/2018 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Azure AD-join - - ✅ Hybrid Deployment - - ✅ Certificate trust +- ✅ Windows 10 and later +ms.topic: article --- # Using Certificates for AADJ On-premises Single-sign On +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust-aad.md)] + If you plan to use certificates for on-premises single-sign on, then follow these **additional** steps to configure the environment to enroll Windows Hello for Business certificates for Azure AD-joined devices. > [!IMPORTANT] @@ -306,7 +297,7 @@ Sign in a certificate authority or management workstations with _Domain Admin eq 3. Right-click the **Smartcard Logon** template and choose **Duplicate Template**. -4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. +4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certificate Recipient** list. 5. On the **General** tab, type **AADJ WHFB Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md index 054c5e49da..1acc6aa213 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md @@ -1,21 +1,15 @@ --- title: Azure AD Join Single Sign-on Deployment description: Learn how to provide single sign-on to your on-premises resources for Azure Active Directory-joined devices, using Windows Hello for Business. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 08/19/2018 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 +- ✅ Windows 10 and later +ms.topic: article --- # Azure AD Join Single Sign-on Deployment +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-keycert-trust-aad.md)] + Windows Hello for Business combined with Azure Active Directory-joined devices makes it easy for users to securely access cloud-based resources using a strong, two-factor credential. Some resources may remain on-premises as enterprises transition resources to the cloud and Azure AD-joined devices may need to access these resources. With additional configurations to your current hybrid deployment, you can provide single sign-on to your on-premises resources for Azure Active Directory-joined devices using Windows Hello for Business, using a key or a certificate. ## Key vs. Certificate diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md index 11b796f23e..234f257566 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md @@ -1,23 +1,15 @@ --- title: Hybrid Azure AD joined Windows Hello for Business Trust New Installation (Windows Hello for Business) description: Learn about new installations for Windows Hello for Business certificate trust and the various technologies hybrid certificate trust deployments rely on. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Certificate trust +- ✅ Windows 10 and later +ms.topic: article --- # Hybrid Azure AD joined Windows Hello for Business Certificate Trust New Installation +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)] + Windows Hello for Business involves configuring distributed technologies that may or may not exist in your current infrastructure. Hybrid certificate trust deployments of Windows Hello for Business rely on these technologies - [Active Directory](#active-directory) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index 8cbbe74b30..997dbea6e9 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md @@ -1,23 +1,15 @@ --- title: Configure Device Registration for Hybrid Azure AD joined Windows Hello for Business description: Azure Device Registration for Hybrid Certificate Trust Deployment (Windows Hello for Business) -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Certificate trust +- ✅ Windows 10 and later +ms.topic: article --- # Configure Device Registration for Hybrid Azure AD joined Windows Hello for Business +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust-ad.md)] + Your environment is federated and you're ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration and device write-back to enable proper device authentication. > [!IMPORTANT] diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md index 2c23053837..56e0d50918 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md @@ -1,23 +1,15 @@ --- title: Hybrid Azure AD joined Windows Hello for Business Prerequisites description: Learn these prerequisites for hybrid Windows Hello for Business deployments using certificate trust. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Certificate trust +- ✅ Windows 10 and later +ms.topic: article --- # Hybrid Azure AD joined Windows Hello for Business Prerequisites +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)] + Hybrid environments are distributed systems that enable organizations to use on-premises and Azure-based identities and resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication that provides a single sign-in like experience to modern resources. The distributed systems on which these technologies were built involved several pieces of on-premises and cloud infrastructure. High-level pieces of the infrastructure include: diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md index 233b4c173b..caf8cfe867 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md @@ -1,38 +1,30 @@ --- title: Hybrid Certificate Trust Deployment (Windows Hello for Business) description: Learn the information you need to successfully deploy Windows Hello for Business in a hybrid certificate trust scenario. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 09/08/2017 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Certificate trust +- ✅ Windows 10 and later +ms.topic: article --- # Hybrid Azure AD joined Certificate Trust Deployment +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)] + Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid certificate trust scenario. It is recommended that you review the Windows Hello for Business planning guide prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions. You can review the [planning guide](/windows/access-protection/hello-for-business/hello-planning-guide) and download the [planning worksheet](https://go.microsoft.com/fwlink/?linkid=852514). -This deployment guide provides guidance for new deployments and customers who are already federated with Office 365. These two scenarios provide a baseline from which you can begin your deployment. +This deployment guide provides guidance for new deployments and customers who are already federated with Azure AD. These two scenarios provide a baseline from which you can begin your deployment. ## New Deployment Baseline -The new deployment baseline helps organizations who are moving to Azure and Office 365 to include Windows Hello for Business as part of their deployments. This baseline is good for organizations who are looking to deploy proof of concepts as well as IT professionals who want to familiarize themselves Windows Hello for Business by deploying a lab environment. +The new deployment baseline helps organizations who are moving to Azure AD to include Windows Hello for Business as part of their deployments. This baseline is good for organizations who are looking to deploy proof of concepts as well as IT professionals who want to familiarize themselves Windows Hello for Business by deploying a lab environment. This baseline provides detailed procedures to move your environment from an on-premises only environment to a hybrid environment using Windows Hello for Business to authenticate to Azure Active Directory and to your on-premises Active Directory using a single Windows sign-in. ## Federated Baseline -The federated baseline helps organizations that have completed their federation with Azure Active Directory and Office 365 and enables them to introduce Windows Hello for Business into their hybrid environment. This baseline exclusively focuses on the procedures needed to add Azure Device Registration and Windows Hello for Business to an existing hybrid deployment. +The federated baseline helps organizations that have completed their federation with Azure Active Directory and enables them to introduce Windows Hello for Business into their hybrid environment. This baseline exclusively focuses on the procedures needed to add Azure Device Registration and Windows Hello for Business to an existing hybrid deployment. Regardless of the baseline you choose, your next step is to familiarize yourself with the prerequisites needed for the deployment. Many of the prerequisites will be new for organizations and individuals pursuing the new deployment baseline. Organizations and individuals starting from the federated baseline will likely be familiar with most of the prerequisites, but should validate they are using the proper versions that include the latest updates. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md index 2facdf2055..fa4284edd5 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md @@ -1,23 +1,15 @@ --- title: Hybrid Azure AD joined Windows Hello for Business Certificate Trust Provisioning (Windows Hello for Business) description: In this article, learn about provisioning for hybrid certificate trust deployments of Windows Hello for Business. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Certificate trust +- ✅ Windows 10 and later +ms.topic: article --- # Hybrid Azure AD joined Windows Hello for Business Certificate Trust Provisioning +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)] + ## Provisioning The Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md index b1fc0efe56..748cc46a44 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md @@ -1,23 +1,15 @@ --- title: Configure Hybrid Azure AD joined Windows Hello for Business - Active Directory (AD) description: Discussing the configuration of Active Directory (AD) in a Hybrid deployment of Windows Hello for Business -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Certificate trust +- ✅ Windows 10 and later +ms.topic: article --- # Configure Hybrid Azure AD joined Windows Hello for Business: Active Directory +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)] + The key synchronization process for the hybrid deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema. ### Creating Security Groups diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md index 046b6a6f2f..83988357c9 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md @@ -1,23 +1,15 @@ --- title: Configuring Hybrid Azure AD joined Windows Hello for Business - Active Directory Federation Services (ADFS) description: Discussing the configuration of Active Directory Federation Services (ADFS) in a Hybrid deployment of Windows Hello for Business -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Certificate trust +- ✅ Windows 10 and later +ms.topic: article --- # Configure Hybrid Azure AD joined Windows Hello for Business: Active Directory Federation Services +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)] + ## Federation Services The Windows Server 2016 Active Directory Federation Server Certificate Registration Authority (AD FS RA) enrolls for an enrollment agent certificate. Once the registration authority verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the certificate authority. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md index 37d2dd92f9..5002843385 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md @@ -1,24 +1,16 @@ --- title: Configure Hybrid Azure AD joined Windows Hello for Business Directory Synch description: Discussing Directory Synchronization in a Hybrid deployment of Windows Hello for Business -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Certificate trust +- ✅ Windows 10 and later +ms.topic: article --- # Configure Hybrid Azure AD joined Windows Hello for Business- Directory Synchronization +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)] + ## Directory Synchronization In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure. Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md index 742efcfa52..2b43ffad0a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md @@ -1,24 +1,16 @@ --- title: Configuring Hybrid Azure AD joined Windows Hello for Business - Public Key Infrastructure (PKI) description: Discussing the configuration of the Public Key Infrastructure (PKI) in a Hybrid deployment of Windows Hello for Business -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Certificate trust +- ✅ Windows 10 and later +ms.topic: article --- # Configure Hybrid Azure AD joined Windows Hello for Business - Public Key Infrastructure +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)] + Windows Hello for Business deployments rely on certificates. Hybrid deployments use publicly-issued server authentication certificates to validate the name of the server to which they are connecting and to encrypt the data that flows between them and the client computer. All deployments use enterprise issued certificates for domain controllers as a root of trust. Hybrid certificate trust deployments issue users with a sign-in certificate that enables them to authenticate using Windows Hello for Business credentials to non-Windows Server 2016 domain controllers. Additionally, hybrid certificate trust deployments issue certificates to registration authorities to provide defense-in-depth security when issuing user authentication certificates. @@ -45,7 +37,7 @@ Sign-in a certificate authority or management workstations with _Domain Admin_ e 3. In the **Certificate Template Console**, right-click the **Kerberos Authentication** template in the details pane and click **Duplicate Template**. -4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2008 R2** from the **Certification Authority** list. Select **Windows 7.Server 2008 R2** from the **Certification Recipient** list. +4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2008 R2** from the **Certification Authority** list. Select **Windows 7.Server 2008 R2** from the **Certificate Recipient** list. 5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name. Adjust the validity and renewal period to meet your enterprise's needs. @@ -111,7 +103,7 @@ Sign-in to a certificate authority or management workstation with _Domain Admin_ 3. In the **Certificate Template Console**, right click on the **Exchange Enrollment Agent (Offline request)** template details pane and click **Duplicate Template**. -4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. +4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certificate Recipient** list. 5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs. @@ -142,7 +134,7 @@ Sign-in to a certificate authority or management workstation with *Domain Admin* 3. In the **Certificate Template** console, right-click the **Exchange Enrollment Agent (Offline request)** template in the details pane and click **Duplicate Template**. -4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. +4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certificate Recipient** list. 5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs. @@ -168,7 +160,7 @@ Sign-in to a certificate authority or management workstation with _Domain Admin 3. Right-click the **Smartcard Logon** template and choose **Duplicate Template**. -4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. +4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certificate Recipient** list. 5. On the **General** tab, type **WHFB Authentication** or your choice of template name in **Template display name**. Note the short template name for later use with CertUtil. Adjust the validity and renewal period to meet your enterprise's needs. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md index 85d6397be8..ad8ff6984f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md @@ -1,23 +1,14 @@ --- title: Configuring Hybrid Azure AD joined Windows Hello for Business - Group Policy description: Discussing the configuration of Group Policy in a Hybrid deployment of Windows Hello for Business -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Certificate trust +- ✅ Windows 10 and later +ms.topic: article --- # Configure Hybrid Azure AD joined Windows Hello for Business - Group Policy +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust-ad.md)] ## Policy Configuration diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md index 21cb247a84..360f679614 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md @@ -1,23 +1,15 @@ --- title: Configure Hybrid Windows Hello for Business Settings (Windows Hello for Business) description: Learn how to configure Windows Hello for Business settings in hybrid certificate trust deployment. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Certificate trust +- ✅ Windows 10 and later +ms.topic: article --- # Configure Hybrid Azure AD joined Windows Hello for Business +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)] + Your environment is federated and you are ready to configure your hybrid environment for Windows Hello for business using the certificate trust model. > [!IMPORTANT] > If your environment is not federated, review the [New Installation baseline](hello-hybrid-cert-new-install.md) section of this deployment document to learn how to federate your environment for your Windows Hello for Business deployment. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md index 8cce12eba7..ebcff732f3 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md @@ -1,24 +1,16 @@ --- -title: Hybrid cloud Kerberos trust deployment (Windows Hello for Business) -description: Learn the information you need to successfully deploy Windows Hello for Business in a hybrid cloud Kerberos trust scenario. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium +title: Windows Hello for Business Cloud Kerberos trust deployment +description: Learn how to deploy Windows Hello for Business in a cloud Kerberos trust scenario. ms.date: 11/1/2022 appliesto: - - ✅ Windows 10, version 21H2 and later - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Hybrid cloud Kerberos trust +- ✅ Windows 10, version 21H2 and later +ms.topic: article --- -# Hybrid cloud Kerberos trust deployment +# Cloud Kerberos trust deployment -Windows Hello for Business replaces password sign-in with strong authentication, using an asymmetric key pair. This deployment guide provides the information to successfully deploy Windows Hello for Business in a hybrid cloud Kerberos trust scenario. +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cloudkerb-trust.md)] + +Windows Hello for Business replaces password sign-in with strong authentication, using an asymmetric key pair. This deployment guide provides the information to successfully deploy Windows Hello for Business in a cloud Kerberos trust scenario. ## Introduction to cloud Kerberos trust diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md index 65028cc803..32f0d91fc6 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md @@ -1,23 +1,15 @@ --- title: Windows Hello for Business Hybrid Azure AD joined Key Trust New Installation description: Learn how to configure a hybrid key trust deployment of Windows Hello for Business for systems with no previous installations. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Key trust +- ✅ Windows 10 and later +ms.topic: article --- # Windows Hello for Business Hybrid Azure AD joined Key Trust New Installation +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)] + Windows Hello for Business involves configuring distributed technologies that may or may not exist in your current infrastructure. Hybrid key trust deployments of Windows Hello for Business rely on these technologies - [Active Directory](#active-directory) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md index fd9fad17ad..e6d1d3275c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md @@ -1,23 +1,15 @@ --- title: Configure Device Registration for Hybrid Azure AD joined key trust Windows Hello for Business description: Azure Device Registration for Hybrid Certificate Key Deployment (Windows Hello for Business) -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 05/04/2022 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Key trust +- ✅ Windows 10 and later +ms.topic: article --- # Configure Device Registration for Hybrid Azure AD joined key trust Windows Hello for Business +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)] + You're ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration to enable proper device authentication. > [!NOTE] diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md index 58389706ba..18df532ca9 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md @@ -1,23 +1,15 @@ --- title: Configure Directory Synchronization for Hybrid Azure AD joined key trust Windows Hello for Business description: Azure Directory Synchronization for Hybrid Certificate Key Deployment (Windows Hello for Business) -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Key trust +- ✅ Windows 10 and later +ms.topic: article --- # Configure Directory Synchronization for Hybrid Azure AD joined key trust Windows Hello for Business +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)] + You are ready to configure directory synchronization for your hybrid environment. Hybrid Windows Hello for Business deployment needs both a cloud and an on-premises identity to authenticate and access resources in the cloud or on-premises. ## Deploy Azure AD Connect diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index 7e0ee11ade..17e3fe7e61 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md @@ -1,23 +1,16 @@ --- title: Hybrid Azure AD joined Key trust Windows Hello for Business Prerequisites (Windows Hello for Business) description: Learn about the prerequisites for hybrid Windows Hello for Business deployments using key trust and what the next steps are in the deployment process. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Key trust +- ✅ Windows 10 and later +ms.topic: article --- # Hybrid Azure AD joined Key trust Windows Hello for Business Prerequisites -Hybrid environments are distributed systems that enable organizations to use on-premises and Azure-based identities and resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication that provides a single sign-in like experience to modern resources. +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)] + +Hybrid environments are distributed systems that enable organizations to use on-premises and Azure AD-based identities and resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication that provides a single sign-in like experience to modern resources. The distributed systems on which these technologies were built involved several pieces of on-premises and cloud infrastructure. High-level pieces of the infrastructure include: @@ -32,7 +25,7 @@ The distributed systems on which these technologies were built involved several Hybrid Windows Hello for Business needs two directories: on-premises Active Directory and a cloud Azure Active Directory. The minimum required domain functional and forest functional levels for Windows Hello for Business deployment is Windows Server 2008 R2. -A hybrid Windows Hello for Business deployment needs an Azure Active Directory subscription. The hybrid key trust deployment does not need a premium Azure Active Directory subscription. +A hybrid Windows Hello for Business deployment requires Azure Active Directory. The hybrid key trust deployment does not need a premium Azure Active Directory subscription. You can deploy Windows Hello for Business in any environment with Windows Server 2008 R2 or later domain controllers. If using the key trust deployment model, you MUST ensure that you have adequate (1 or more, depending on your authentication load) Windows Server 2016 or later Domain Controllers in each Active Directory site where users will be authenticating for Windows Hello for Business. @@ -112,7 +105,7 @@ You can deploy Windows Hello for Business key trust in non-federated and federat Windows Hello for Business is a strong, two-factor credential the helps organizations reduce their dependency on passwords. The provisioning process lets a user enroll in Windows Hello for Business using their user name and password as one factor, but needs a second factor of authentication. -Hybrid Windows Hello for Business deployments can use Azure's Multifactor Authentication (MFA) service or they can use multifactor authentication provided by AD FS beginning with Windows Server 2012 R2, which includes an adapter model that enables third parties to integrate their MFA into AD FS. The MFA enabled by an Office 365 license is sufficient for Azure AD. +Hybrid Windows Hello for Business deployments can use Azure's Multifactor Authentication (MFA) service or they can use multifactor authentication provided by AD FS, which includes an adapter model that enables third parties to integrate their MFA into AD FS. ### Section Review diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md index 139b688429..9ab687ded9 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md @@ -1,32 +1,24 @@ --- title: Hybrid Key Trust Deployment (Windows Hello for Business) description: Review this deployment guide to successfully deploy Windows Hello for Business in a hybrid key trust scenario. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 08/20/2018 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Key trust +- ✅ Windows 10 and later +ms.topic: article --- # Hybrid Azure AD joined Key Trust Deployment +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)] + Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid key trust scenario. It is recommended that you review the Windows Hello for Business planning guide prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions. You can review the [planning guide](/windows/access-protection/hello-for-business/hello-planning-guide) and download the [planning worksheet](https://go.microsoft.com/fwlink/?linkid=852514). -This deployment guide provides guidance for new deployments and customers who are already federated with Office 365. These two scenarios provide a baseline from which you can begin your deployment. +This deployment guide provides guidance for new deployments and customers who are already federated with Azure AD. These two scenarios provide a baseline from which you can begin your deployment. ## New Deployment Baseline ## -The new deployment baseline helps organizations who are moving to Azure and Office 365 to include Windows Hello for Business as part of their deployments. This baseline is good for organizations who are looking to deploy proof of concepts as well as IT professionals who want to familiarize themselves Windows Hello for Business by deploying a lab environment. +The new deployment baseline helps organizations who are moving to Azure AD to include Windows Hello for Business as part of their deployments. This baseline is good for organizations who are looking to deploy proof of concepts as well as IT professionals who want to familiarize themselves Windows Hello for Business by deploying a lab environment. This baseline provides detailed procedures to move your environment from an on-premises only environment to a hybrid environment using Windows Hello for Business to authenticate to Azure Active Directory and to your on-premises Active Directory using a single Windows sign-in. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md index 7e8b605a06..b5c704fb93 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md @@ -1,22 +1,15 @@ --- title: Hybrid Azure AD joined Windows Hello for Business key trust Provisioning (Windows Hello for Business) description: Learn about provisioning for hybrid key trust deployments of Windows Hello for Business and learn where to find the hybrid key trust deployment guide. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Key trust +- ✅ Windows 10 and later +ms.topic: article --- # Hybrid Azure AD joined Windows Hello for Business Key Trust Provisioning + +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)] + ## Provisioning The Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md index 82635e9dc7..cb30af909d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md @@ -1,23 +1,14 @@ --- title: Configuring Hybrid Azure AD joined key trust Windows Hello for Business - Active Directory (AD) description: Configuring Hybrid key trust Windows Hello for Business - Active Directory (AD) -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 +appliesto: +- ✅ Windows 10 and later +ms.topic: article --- # Configuring Hybrid Azure AD joined key trust Windows Hello for Business: Active Directory -appliesto: -- ✅ Windows 10 -- ✅ Windows 11 -- ✅ Hybrid deployment -- ✅ Key trust +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust-ad.md)] Configure the appropriate security groups to efficiently deploy Windows Hello for Business to users. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md index 450505d7d9..f19aab257d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md @@ -1,26 +1,18 @@ --- title: Hybrid Azure AD joined Windows Hello for Business - Directory Synchronization description: How to configure Hybrid key trust Windows Hello for Business - Directory Synchronization -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Key trust +- ✅ Windows 10 and later +ms.topic: article --- # Configure Hybrid Azure AD joined Windows Hello for Business: Directory Synchronization +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)] + ## Directory Synchronization -In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure. Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory. +In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure AD. Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory. ### Group Memberships for the Azure AD Connect Service Account >[!IMPORTANT] diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md index f7988f68c5..9e36481b2a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md @@ -1,23 +1,15 @@ --- title: Configure Hybrid Azure AD joined key trust Windows Hello for Business description: Configuring Hybrid key trust Windows Hello for Business - Public Key Infrastructure (PKI) -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 04/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Key trust +- ✅ Windows 10 and later +ms.topic: article --- # Configure Hybrid Azure AD joined Windows Hello for Business: Public Key Infrastructure +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)] + Windows Hello for Business deployments rely on certificates. Hybrid deployments use publicly issued server authentication certificates to validate the name of the server to which they are connecting and to encrypt the data that flows them and the client computer. All deployments use enterprise issued certificates for domain controllers as a root of trust. @@ -41,7 +33,7 @@ Sign-in a certificate authority or management workstations with _Domain Admin_ e 1. Open the **Certificate Authority** management console. 2. Right-click **Certificate Templates** and click **Manage**. 3. In the **Certificate Template Console**, right-click the **Kerberos Authentication** template in the details pane and click **Duplicate Template**. -4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2008 R2** from the **Certification Authority** list. Select **Windows 7.Server 2008 R2** from the **Certification Recipient** list. +4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2008 R2** from the **Certification Authority** list. Select **Windows 7.Server 2008 R2** from the **Certificate Recipient** list. 5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name. Adjust the validity and renewal period to meet your enterprise's needs. > [!NOTE] > If you use different template names, you'll need to remember and substitute these names in different portions of the lab. @@ -84,7 +76,7 @@ The certificate template is configured to supersede all the certificate template The certificate authority may only issue certificates for certificate templates that are published to that certificate authority. If you have more than one certificate authority and you want that certificate authority to issue certificates based on a specific certificate template, then you must publish the certificate template to all certificate authorities that are expected to issue the certificate. -Sign-in to the certificate authority or management workstations with an _enterprise administrator_ equivalent credentials. +Sign-in to the certificate authority or management workstations with _enterprise administrator_ equivalent credentials. 1. Open the **Certificate Authority** management console. 2. Expand the parent node from the navigation pane. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md index 7efeafa243..333f505d95 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md @@ -1,23 +1,15 @@ --- title: Configure Hybrid Azure AD joined Windows Hello for Business - Group Policy description: Configuring Hybrid key trust Windows Hello for Business - Group Policy -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Key trust +- ✅ Windows 10 and later +ms.topic: article --- # Configure Hybrid Azure AD joined Windows Hello for Business: Group Policy +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust-ad.md)] + ## Policy Configuration You need at least a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520). @@ -27,7 +19,7 @@ Alternatively, you can create copy the .ADMX and .ADML files from a Windows 10 C Domain controllers of Windows Hello for Business deployments need one Group Policy setting, which enables automatic certificate enrollment for the newly create domain controller authentication certificate. This policy setting ensures domain controllers (new and existing) automatically request and renew the correct domain controller certificate. -Hybrid Azure AD-joined devices needs one Group Policy setting: +Hybrid Azure AD-joined devices need one Group Policy setting: * Enable Windows Hello for Business ### Configure Domain Controllers for Automatic Certificate Enrollment @@ -123,13 +115,13 @@ The default configuration for Windows Hello for Business is to prefer hardware p You can enable and deploy the **Use a hardware security device** Group Policy Setting to force Windows Hello for Business to only create hardware protected credentials. Users that sign-in from a computer incapable of creating a hardware protected credential do not enroll for Windows Hello for Business. -Another policy setting becomes available when you enable the **Use a hardware security device** Group Policy setting that enables you to prevent Windows Hello for Business enrollment from using version 1.2 Trusted Platform Modules (TPM). Version 1.2 TPMs typically perform cryptographic operations slower than version 2.0 TPMs and are more unforgiving during anti-hammering and PIN lockout activities. Therefore, some organization may want not want slow sign-in performance and management overhead associated with version 1.2 TPMs. To prevent Windows Hello for Business from using version 1.2 TPMs, simply select the TPM 1.2 check box after you enable the Use a hardware security device Group Policy object. +Another policy setting becomes available when you enable the **Use a hardware security device** Group Policy setting that enables you to prevent Windows Hello for Business enrollment from using version 1.2 Trusted Platform Modules (TPM). Version 1.2 TPMs typically perform cryptographic operations slower than version 2.0 TPMs and are more unforgiving during anti-hammering and PIN lockout activities. Some organizations may not want slow sign-in performance and management overhead associated with version 1.2 TPMs. To prevent Windows Hello for Business from using version 1.2 TPMs, select the TPM 1.2 check box after you enable the Use a hardware security device Group Policy object. #### Use biometrics Windows Hello for Business provides a great user experience when combined with the use of biometrics. Rather than providing a PIN to sign-in, a user can use a fingerprint or facial recognition to sign-in to Windows, without sacrificing security. -The default Windows Hello for Business enables users to enroll and use biometrics. However, some organization may want more time before using biometrics and want to disable their use until they are ready. To not allow users to use biometrics, configure the **Use biometrics** Group Policy setting to disabled and apply it to your computers. The policy setting disabled all biometrics. Currently, Windows does not provide granular policy setting that enable you to disable specific modalities of biometrics such as allow facial recognition, but disallow fingerprint. +The default Windows Hello for Business enables users to enroll and use biometrics. However, some organization may want more time before using biometrics and want to disable their use until they are ready. To not allow users to use biometrics, configure the **Use biometrics** Group Policy setting to disabled and apply it to your computers. The policy setting disabled all biometrics. Currently, Windows doesn't provide the ability to set granular policies that enable you to disable specific modalities of biometrics, such as allowing facial recognition but disallowing fingerprint recognition. ### PIN Complexity @@ -150,7 +142,7 @@ Windows provides eight PIN Complexity Group Policy settings that give you granul ## Add users to the Windows Hello for Business Users group -Users must receive the Windows Hello for Business group policy settings and have the proper permission to provision Windows Hello for Business . You can provide users with these settings and permissions by adding the users or groups to the **Windows Hello for Business Users** group. Users and groups who are not members of this group will not attempt to enroll for Windows Hello for Business. +Users must receive the Windows Hello for Business group policy settings and have the proper permission to provision Windows Hello for Business. You can provide users with these settings and permissions by adding the users or groups to the **Windows Hello for Business Users** group. Users and groups who are not members of this group will not attempt to enroll for Windows Hello for Business. ### Section Review > [!div class="checklist"] @@ -174,4 +166,4 @@ Users must receive the Windows Hello for Business group policy settings and have 4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) 5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) 6. Configure Windows Hello for Business policy settings (*You are here*) -7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) \ No newline at end of file +7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md index 7ab9f2066d..5e24b6de2c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md @@ -1,25 +1,17 @@ --- title: Configure Hybrid Azure AD joined Windows Hello for Business key trust Settings description: Begin the process of configuring your hybrid key trust environment for Windows Hello for Business. Start with your Active Directory configuration. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Key trust +- ✅ Windows 10 and later +ms.topic: article --- # Configure Hybrid Azure AD joined Windows Hello for Business key trust settings +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)] + You are ready to configure your hybrid Azure AD joined key trust environment for Windows Hello for Business. - + > [!IMPORTANT] > Ensure your environment meets all the [prerequisites](hello-hybrid-key-trust-prereqs.md) before proceeding. Review the [New Installation baseline](hello-hybrid-key-new-install.md) section of this deployment document to learn how to prepare your environment for your Windows Hello for Business deployment. diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md index acc55181b3..e1ed3396b6 100644 --- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md +++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md @@ -1,17 +1,13 @@ --- title: Windows Hello for Business Deployment Prerequisite Overview description: Overview of all the different infrastructure requirements for Windows Hello for Business deployment models -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva ms.collection: - - M365-identity-device-management - - highpri +- highpri +ms.date: 12/13/2022 +appliesto: +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later ms.topic: article -localizationpriority: medium -ms.date: 2/15/2022 --- # Windows Hello for Business Deployment Prerequisite Overview @@ -20,12 +16,10 @@ This article lists the infrastructure requirements for the different deployment ## Azure AD Cloud Only Deployment -* Windows 10, version 1511 or later, or Windows 11 -* Microsoft Azure Account -* Azure Active Directory -* Azure AD Multifactor Authentication -* Modern Management (Intune or supported third-party MDM), *optional* -* Azure AD Premium subscription - *optional*, needed for automatic MDM enrollment when the device joins Azure Active Directory +- Azure Active Directory +- Azure AD Multifactor Authentication +- Device management solution (Intune or supported third-party MDM), *optional* +- Azure AD Premium subscription - *optional*, needed for automatic MDM enrollment when the device joins Azure Active Directory ## Hybrid Deployments @@ -33,44 +27,26 @@ The table shows the minimum requirements for each deployment. For key trust in a | Requirement | cloud Kerberos trust
                              Group Policy or Modern managed | Key trust
                              Group Policy or Modern managed | Certificate Trust
                              Mixed managed | Certificate Trust
                              Modern managed | | --- | --- | --- | --- | --- | -| **Windows Version** | Windows 10, version 21H2 with KB5010415; Windows 11 with KB5010414; or later | Windows 10, version 1511 or later| **Hybrid Azure AD Joined:**
                              *Minimum:* Windows 10, version 1703
                              *Best experience:* Windows 10, version 1709 or later (supports synchronous certificate enrollment).
                              **Azure AD Joined:**
                              Windows 10, version 1511 or later| Windows 10, version 1511 or later | -| **Schema Version** | No specific Schema requirement | Windows Server 2016 or later Schema | Windows Server 2016 or later Schema | Windows Server 2016 or later Schema | +| **Windows Version** | Any supported Windows client versions| Any supported Windows client versions | Any supported Windows client versions | +| **Schema Version** | No specific Schema requirement | Windows Server 2016 or later schema | Windows Server 2016 or later schema | Windows Server 2016 or later schema | | **Domain and Forest Functional Level** | Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level |Windows Server 2008 R2 Domain/Forest functional level | -| **Domain Controller Version** | Windows Server 2016 or later | Windows Server 2016 or later | Windows Server 2008 R2 or later | Windows Server 2008 R2 or later | -| **Certificate Authority**| N/A | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | -| **AD FS Version** | N/A | N/A | Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/help/4088889) (hybrid Azure AD joined clients managed by Group Policy),
                              and
                              Windows Server 2012 or later Network Device Enrollment Service (hybrid Azure AD joined & Azure AD joined managed by MDM) | Windows Server 2012 or later Network Device Enrollment Service | -| **MFA Requirement** | Azure MFA tenant, or
                              AD FS w/Azure MFA adapter, or
                              AD FS w/Azure MFA Server adapter, or
                              AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
                              AD FS w/Azure MFA adapter, or
                              AD FS w/Azure MFA Server adapter, or
                              AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
                              AD FS w/Azure MFA adapter, or
                              AD FS w/Azure MFA Server adapter, or
                              AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
                              AD FS w/Azure MFA adapter, or
                              AD FS w/Azure MFA Server adapter, or
                              AD FS w/3rd Party MFA Adapter | +| **Domain Controller Version** | Any supported Windows Server versions | Any supported Windows Server versions | Any supported Windows Server versions | Any supported Windows Server versions | +| **Certificate Authority**| N/A |Any supported Windows Server versions | Any supported Windows Server versions | Any supported Windows Server versions | +| **AD FS Version** | N/A | N/A | Any supported Windows Server versions | Any supported Windows Server versions | +| **MFA Requirement** | Azure MFA, or
                              AD FS w/Azure MFA adapter, or
                              AD FS w/Azure MFA Server adapter, or
                              AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
                              AD FS w/Azure MFA adapter, or
                              AD FS w/Azure MFA Server adapter, or
                              AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
                              AD FS w/Azure MFA adapter, or
                              AD FS w/Azure MFA Server adapter, or
                              AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
                              AD FS w/Azure MFA adapter, or
                              AD FS w/Azure MFA Server adapter, or
                              AD FS w/3rd Party MFA Adapter | | **Azure AD Connect** | N/A | Required | Required | Required | | **Azure AD License** | Azure AD Premium, optional | Azure AD Premium, optional | Azure AD Premium, needed for device write-back | Azure AD Premium, optional. Intune license required | -> [!Important] -> - Hybrid deployments support non-destructive PIN reset that works with Certificate Trust, Key Trust and cloud Kerberos trust models. -> -> **Requirements:** -> - Microsoft PIN Reset Service - Windows 10, versions 1709 to 1809, Enterprise Edition. There is no licensing requirement for this service since version 1903 -> - Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 -> -> - On-premises deployments support destructive PIN reset that works with both the certificate trust and the key trust models. -> -> **Requirements:** -> - Reset from settings - Windows 10, version 1703, Professional -> - Reset above lock screen - Windows 10, version 1709, Professional -> - Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 - ## On-premises Deployments The table shows the minimum requirements for each deployment. | Key trust
                              Group Policy managed | Certificate trust
                              Group Policy managed| | --- | --- | -| Windows 10, version 1703 or later | Windows 10, version 1703 or later | +|Any supported Windows client versions|Any supported Windows client versions| | Windows Server 2016 Schema | Windows Server 2016 Schema| | Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level | -| Windows Server 2016 or later Domain Controllers | Windows Server 2008 R2 or later Domain Controllers | -| Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | -| Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/help/4088889) | Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/help/4088889) | -| AD FS with 3rd Party MFA Adapter | AD FS with 3rd Party MFA Adapter | -| Azure Account, optional for Azure MFA billing | Azure Account, optional for Azure MFA billing | - -> [!IMPORTANT] -> For Windows Hello for Business key trust deployments, if you have several domains, at least one Windows Server Domain Controller 2016 or newer is required for each domain. For more information, see the [planning guide](./hello-adequate-domain-controllers.md). +| Any supported Windows Server versions | Any supported Windows Server versions | +| Any supported Windows Server versions | Any supported Windows Server versions | +| Any supported Windows Server versions | Any supported Windows Server versions | +| AD FS with 3rd Party MFA Adapter | AD FS with 3rd Party MFA Adapter | \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md index bba82b4054..b08abdb82d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md @@ -1,345 +1,261 @@ --- -title: Prepare & Deploy Windows Active Directory Federation Services with key trust (Windows Hello for Business) -description: How to Prepare and Deploy Windows Server 2016 Active Directory Federation Services for Windows Hello for Business using key trust. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium -ms.date: 08/19/2018 +title: Prepare and deploy Active Directory Federation Services in an on-premises key trust +description: Learn how to configure Active Directory Federation Services to support the Windows Hello for Business key trust model. +ms.date: 12/12/2022 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ On-premises deployment - - ✅ Key trust +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later +ms.topic: tutorial --- -# Prepare and Deploy Windows Server 2016 Active Directory Federation Services with Key Trust +# Prepare and deploy Active Directory Federation Services - on-premises key trust -Windows Hello for Business works exclusively with the Active Directory Federation Service role included with Windows Server 2016 and requires an additional server update. The on-premises key trust deployment uses Active Directory Federation Services roles for key registration and device registration. +[!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)] -The following guidance describes deploying a new instance of Active Directory Federation Services 2016 using the Windows Information Database as the configuration database, which is ideal for environments with no more than 30 federation servers and no more than 100 relying party trusts. +Windows Hello for Business works exclusively with the Active Directory Federation Service (AD FS) role included with Windows Server. The on-premises key trust deployment model uses AD FS for *key registration* and *device registration*. -If your environment exceeds either of these factors or needs to provide SAML artifact resolution, token replay detection, or needs Active Directory Federation Services to operate in a federated provider role, then your deployment needs to use a SQL for your configuration database. To deploy the Active Directory Federation Services using SQL as its configuration database, please review the [Deploying a Federation Server Farm](/windows-server/identity/ad-fs/deployment/deploying-a-federation-server-farm) checklist. +The following guidance describes the deployment of a new instance of AD FS using the Windows Information Database (WID) as the configuration database.\ +WID is ideal for environments with no more than **30 federation servers** and no more than **100 relying party trusts**. If your environment exceeds either of these factors, or needs to provide *SAML artifact resolution*, *token replay detection*, or needs AD FS to operate as a federated provider role, then the deployment requires the use of SQL as a configuration database.\ +To deploy AD FS using SQL as its configuration database, review the [Deploying a Federation Server Farm](/windows-server/identity/ad-fs/deployment/deploying-a-federation-server-farm) checklist. -If your environment has an existing instance of Active Directory Federation Services, then you’ll need to upgrade all nodes in the farm to Windows Server 2016 along with the Windows Server 2016 update. If your environment uses Windows Internal Database (WID) for the configuration database, please read [Upgrading to AD FS in Windows Server 2016 using a WID database](/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016) to upgrade your environment. If your environment uses SQL for the configuration database, please read [Upgrading to AD FS in Windows Server 2016 with SQL Server](/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016-sql) to upgrade your environment. +A new AD FS farm should have a minimum of two federation servers for proper load balancing, which can be accomplished with external networking peripherals, or with using the Network Load Balancing Role included in Windows Server. -Ensure you apply the Windows Server 2016 Update to all nodes in the farm after you have successfully completed the upgrade. +Prepare the AD FS deployment by installing and **updating** two Windows Servers. -A new Active Directory Federation Services farm should have a minimum of two federation servers for proper load balancing, which can be accomplished with an external networking peripherals, or with using the Network Load Balancing Role included in Windows Server. +## Enroll for a TLS server authentication certificate -Prepare the Active Directory Federation Services deployment by installing and updating two Windows Server 2016 Servers. Ensure the update listed below is applied to each server before continuing. +Typically, a federation service is an edge facing role. However, the federation services and instance used with the on-premises deployment of Windows Hello for Business does not need Internet connectivity. -## Update Windows Server 2016 +The AD FS role needs a *server authentication* certificate for the federation services, and you can use a certificate issued by your enterprise (internal) CA. The server authentication certificate should have the following names included in the certificate, if you are requesting an individual certificate for each node in the federation farm: + - **Subject Name**: the internal FQDN of the federation server + - **Subject Alternate Name**: the federation service name (e.g. *sts.corp.contoso.com*) or an appropriate wildcard entry (e.g. *\*.corp.contoso.com*) -Sign-in the federation server with _local admin_ equivalent credentials. -1. Ensure Windows Server 2016 is current by running **Windows Update** from **Settings**. Continue this process until no further updates are needed. If you’re not using Windows Update for updates, please review the [Windows Server 2016 update history page](https://support.microsoft.com/help/4000825/windows-10-windows-server-2016-update-history) to make sure you have the latest updates available installed. -2. Ensure the latest server updates to the federation server includes [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889). +The federation service name is set when the AD FS role is configured. You can choose any name, but that name must be different than the name of the server or host. For example, you can name the host server *adfs* and the federation service *sts*. In this example, the FQDN of the host is *adfs.corp.contoso.com* and the FQDN of the federation service is *sts.corp.contoso.com*. + +You can also issue one certificate for all hosts in the farm. If you chose this option, leave the subject name *blank*, and include all the names in the subject alternate name when creating the certificate request. All names should include the FQDN of each host in the farm and the federation service name. + +When creating a wildcard certificate, mark the private key as exportable, so that the same certificate can be deployed across each federation server and web application proxy within the AD FS farm. Note that the certificate must be trusted (chain to a trusted root CA). Once you have successfully requested and enrolled the server authentication certificate on one node, you can export the certificate and private key to a PFX file using the Certificate Manager console. You can then import the certificate on the remaining nodes in the AD FS farm. + +Be sure to enroll or import the certificate into the AD FS server's computer certificate store. Also, ensure all nodes in the farm have the proper TLS server authentication certificate. + +### AD FS authentication certificate enrollment + +Sign-in the federation server with *domain administrator* equivalent credentials. + +1. Start the Local Computer **Certificate Manager** (certlm.msc) +1. Expand the **Personal** node in the navigation pane +1. Right-click **Personal**. Select **All Tasks > Request New Certificate** +1. Select **Next** on the **Before You Begin** page +1. Select **Next** on the **Select Certificate Enrollment Policy** page +1. On the **Request Certificates** page, select the **Internal Web Server** check box +1. Select the **⚠️ More information is required to enroll for this certificate. Click here to configure settings** link + :::image type="content" source="images/hello-internal-web-server-cert.png" lightbox="images/hello-internal-web-server-cert.png" alt-text="Example of Certificate Properties Subject Tab - This is what shows when you select the above link."::: +1. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the computer hosting the AD FS role and then select **Add** +1. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name that you will use for your federation services (*sts.corp.contoso.com*). The name you use here MUST match the name you use when configuring the AD FS server role. Select **Add** and **OK** when finished +1. Select **Enroll** + +A server authentication certificate should appear in the computer's personal certificate store. + +## Deploy the AD FS role + +AD FS provides *device registration* and *key registration* services to support the Windows Hello for Business on-premises deployments. >[!IMPORTANT] ->The above referenced updates are mandatory for Windows Hello for Business all on-premises deployment and hybrid certificate trust deployments for domain joined computers. +> Finish the entire AD FS configuration on the first server in the farm before adding the second server to the AD FS farm. Once complete, the second server receives the configuration through the shared configuration database when it is added the AD FS farm. -## Enroll for a TLS Server Authentication Certificate +Sign-in the federation server with *Enterprise Administrator* equivalent credentials. -Key trust Windows Hello for Business on-premises deployments need a federation server for device registration and key registration. Typically, a federation service is an edge facing role. However, the federation services and instance used with the on-premises deployment of Windows Hello for Business does not need Internet connectivity. +1. Start **Server Manager**. Select **Local Server** in the navigation pane +1. Select **Manage > Add Roles and Features** +1. Select **Next** on the **Before you begin** page +1. On the **Select installation type** page, select **Role-based or feature-based installation > Next** +1. On the **Select destination server** page, choose **Select a server from the server pool**. Select the federation server from the **Server Pool** list and **Next** +1. On the **Select server roles** page, select **Active Directory Federation Services** and **Next** +1. Select **Next** on the **Select features** page +1. Select **Next** on the **Active Directory Federation Service** page +1. Select **Install** to start the role installation -The AD FS role needs a server authentication certificate for the federation services, but you can use a certificate issued by your enterprise (internal) certificate authority. The server authentication certificate should have the following names included in the certificate if you are requesting an individual certificate for each node in the federation farm: -* Subject Name: The internal FQDN of the federation server (the name of the computer running AD FS) -* Subject Alternate Name: Your federation service name, such as *fs.corp.contoso.com* (or an appropriate wildcard entry such as *.corp.contoso.com) - -You configure your federation service name when you configure the AD FS role. You can choose any name, but that name must be different than the name of the server or host. For example, you can name the host server **adfs** and the federation service **fs**. The FQDN of the host is adfs.corp.contoso.com and the FQDN of the federation service is fs.corp.contoso.com. - -You can, however, issue one certificate for all hosts in the farm. If you chose this option, then leave the subject name blank, and include all the names in the subject alternate name when creating the certificate request. All names should include the FQDN of each host in the farm and the federation service name. - -When creating a wildcard certificate, it is recommended that you mark the private key as exportable so that the same certificate can be deployed across each federation server and web application proxy within your AD FS farm. Note that the certificate must be trusted (chain to a trusted root CA). Once you have successfully requested and enrolled the server authentication certificate on one node, you can export the certificate and private key to a PFX file using the Certificate Manager console. You can then import the certificate on the remaining nodes in the AD FS farm. - -Be sure to enroll or import the certificate into the AD FS server’s computer certificate store. Also, ensure all nodes in the farm have the proper TLS server authentication certificate. - -### Internal Server Authentication Certificate Enrollment - -Sign-in the federation server with domain administrator equivalent credentials. -1. Start the Local Computer **Certificate Manager** (certlm.msc). -2. Expand the **Personal** node in the navigation pane. -3. Right-click **Personal**. Select **All Tasks** and **Request New Certificate**. -4. Click **Next** on the **Before You Begin** page. -5. Click **Next** on the **Select Certificate Enrollment Policy** page. -6. On the **Request Certificates** page, Select the **Internal Web Server** check box. -7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link - ![Example of Certificate Properties Subject Tab - This is what shows when you click the above link.](images/hello-internal-web-server-cert.png) -8. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the computer hosting the Active Directory Federation Services role and then click **Add**. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name you will use for your federation services (fs.corp.contoso.com). The name you use here MUST match the name you use when configuring the Active Directory Federation Services server role. Click **Add**. Click **OK** when finished. -9. Click **Enroll**. - -A server authentication certificate should appear in the computer’s Personal certificate store. - -## Deploy the Active Directory Federation Service Role - -The Active Directory Federation Service (AD FS) role provides the following services to support Windows Hello for Business on-premises deployments. -* Device registration -* Key registration - ->[!IMPORTANT] -> Finish the entire AD FS configuration on the first server in the farm before adding the second server to the AD FS farm. Once complete, the second server receives the configuration through the shared configuration database when it is added the AD FS farm. - -Windows Hello for Business depends on proper device registration. For on-premises key trust deployments, Windows Server 2016 AD FS handles device and key registration. - -Sign-in the federation server with _Enterprise Admin_ equivalent credentials. -1. Start **Server Manager**. Click **Local Server** in the navigation pane. -2. Click **Manage** and then click **Add Roles and Features**. -3. Click **Next** on the **Before you begin** page. -4. On the **Select installation type** page, select **Role-based or feature-based installation** and click **Next**. -5. On the **Select destination server** page, choose **Select a server from the server pool**. Select the federation server from the **Server Pool** list. Click **Next**. -6. On the **Select server roles** page, select **Active Directory Federation Services**. Click **Next**. -7. Click **Next** on the **Select features** page. -8. Click **Next** on the **Active Directory Federation Service** page. -9. Click **Install** to start the role installation. - -## Review to validate +## Review to validate the AD FS deployment Before you continue with the deployment, validate your deployment progress by reviewing the following items: -* Confirm the AD FS farm uses the correct database configuration. -* Confirm the AD FS farm has an adequate number of nodes and is properly load balanced for the anticipated load. -* Confirm **all** AD FS servers in the farm have the latest updates. -* Confirm all AD FS servers have a valid server authentication certificate - * The subject of the certificate is the common name (FQDN) of the host or a wildcard name. - * The alternate name of the certificate contains a wildcard or the FQDN of the federation service -## Device Registration Service Account Prerequisite +> [!div class="checklist"] +> * Confirm the AD FS farm uses the correct database configuration +> * Confirm the AD FS farm has an adequate number of nodes and is properly load balanced for the anticipated load +> * Confirm **all** AD FS servers in the farm have the latest updates installed +> * Confirm all AD FS servers have a valid server authentication certificate -The service account used for the device registration server depends on the domain controllers in the environment. +## Device registration service account prerequisites ->[!NOTE] ->Follow the procedures below based on the domain controllers deployed in your environment. If the domain controller is not listed below, then it is not supported for Windows Hello for Business. +The use of Group Managed Service Accounts (GMSA) is the preferred way to deploy service accounts for services that support them. GMSAs have security advantages over normal user accounts because Windows handles password management. This means the password is long, complex, and changes periodically. AD FS supports GMSAs, and it should be configured using them for additional security. -### Windows Server 2012 or later Domain Controllers +GSMA uses the *Microsoft Key Distribution Service* that is located on the domain controllers. Before you can create a GSMA, you must first create a root key for the service. You can skip this if your environment already uses GSMA. -Windows Server 2012 or later domain controllers support Group Managed Service Accounts—the preferred way to deploy service accounts for services that support them. Group Managed Service Accounts, or GMSA have security advantages over normal user accounts because Windows handles password management. This means the password is long, complex, and changes periodically. The best part of GMSA is all this happens automatically. AD FS supports GMSA and should be configured using them for additional defense in depth security. +### Create KDS Root Key -GSMA uses the Microsoft Key Distribution Service that is located on Windows Server 2012 or later domain controllers. Windows uses the Microsoft Key Distribution Service to protect secrets stored and used by the GSMA. Before you can create a GSMA, you must first create a root key for the service. You can skip this if your environment already uses GSMA. +Sign-in a domain controller with *Enterprise Administrator* equivalent credentials. -#### Create KDS Root Key - -Sign-in a domain controller with _Enterprise Admin_ equivalent credentials. -1. Start an elevated Windows PowerShell console. -2. Type `Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)` - -### Windows Server 2008 or 2008 R2 Domain Controllers - -Windows Server 2008 and 2008 R2 domain controllers do not host the Microsoft Key Distribution Service, nor do they support Group Managed Service Accounts. Therefore, you must use create a normal user account as a service account where you are responsible for changing the password on a regular basis. - -#### Create an AD FS Service Account - -Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials. -1. Open **Active Directory Users and Computers**. -2. Right-click the **Users** container, Click **New**. Click **User**. -3. In the **New Object – User** window, type **adfssvc** in the **Full name** text box. Type **adfssvc** in the **User logon name** text box. Click **Next**. -4. Enter and confirm a password for the **adfssvc** user. Clear the **User must change password at next logon** check box. -5. Click **Next** and then click **Finish**. +Start an elevated PowerShell console and execute the following command: +```PowerShell +Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10) +``` ## Configure the Active Directory Federation Service Role ->[!IMPORTANT] ->Follow the procedures below based on the domain controllers deployed in your environment. If the domain controller is not listed below, then it is not supported for Windows Hello for Business. +Use the following procedures to configure AD FS. -### Windows Server 2016, 2012 R2 or later Domain Controllers +Sign-in to the federation server with *Domain Administrator* equivalent credentials. These procedures assume you are configuring the first federation server in a federation server farm. -Use the following procedures to configure AD FS when your environment uses **Windows Server 2012 or later Domain Controllers**. If you are not using Windows Server 2012 or later Domain Controllers, follow the procedures under the [Configure the Active Directory Federation Service Role (Windows Server 2008 or 2008R2 Domain Controllers)](#windows-server-2008-or-2008-r2-domain-controllers) section. +1. Start **Server Manager** +1. Select the notification flag in the upper right corner and select **Configure the federation services on this server** +1. On the **Welcome** page, select **Create the first federation server farm > Next** +1. On the **Connect to Active Directory Domain Services** page, select **Next** +1. On the **Specify Service Properties** page, select the recently enrolled or imported certificate from the **SSL Certificate** list. The certificate is likely named after your federation service, such as *sts.corp.contoso.com* +1. Select the federation service name from the **Federation Service Name** list +1. Type the *Federation Service Display Name* in the text box. This is the name users see when signing in. Select **Next** +1. On the **Specify Service Account** page, select **Create a Group Managed Service Account**. In the **Account Name** box, type *adfssvc* +1. On the **Specify Configuration Database** page, select **Create a database on this server using Windows Internal Database** and select **Next** +1. On the **Review Options** page, select **Next** +1. On the **Pre-requisite Checks** page, select **Configure** +1. When the process completes, select **Close** -Sign-in the federation server with _Domain Admin_ equivalent credentials. These procedures assume you are configuring the first federation server in a federation server farm. -1. Start **Server Manager**. -2. Click the notification flag in the upper right corner. Click **Configure federation services on this server**. - ![Example of pop-up notification as described above.](images/hello-adfs-configure-2012r2.png) +### Add the AD FS service account to the *Key Admins* group -3. On the **Welcome** page, click **Create the first federation server farm** and click **Next**. -4. Click **Next** on the **Connect to Active Directory Domain Services** page. -5. On the **Specify Service Properties** page, select the recently enrolled or imported certificate from the **SSL Certificate** list. The certificate is likely named after your federation service, such as *fs.corp.contoso.com* or *fs.contoso.com*. -6. Select the federation service name from the **Federation Service Name** list. -7. Type the Federation Service Display Name in the text box. This is the name users see when signing in. Click **Next**. -8. On the **Specify Service Account** page, select **Create a Group Managed Service Account**. In the **Account Name** box, type **adfssvc**. -9. On the **Specify Configuration Database** page, select **Create a database on this server using Windows Internal Database** and click **Next**. -10. On the **Review Options** page, click **Next**. -11. On the **Pre-requisite Checks** page, click **Configure**. -12. When the process completes, click **Close**. +During Windows Hello for Business enrollment, the public key is registered in an attribute of the user object in Active Directory. To ensure that the AD FS service can add and remove keys are part of its normal workflow, it must be a member of the *Key Admins* global group. -### Windows Server 2008 or 2008 R2 Domain Controllers +Sign-in to a domain controller or management workstation with *Domain Administrator* equivalent credentials. -Use the following procedures to configure AD FS when your environment uses **Windows Server 2008 or 2008 R2 Domain Controllers**. If you are not using Windows Server 2008 or 2008 R2 Domain Controllers, follow the procedures under the [Configure the Active Directory Federation Service Role (Windows Server 2012 or later Domain Controllers)](#windows-server-2012-or-later-domain-controllers) section. +1. Open **Active Directory Users and Computers** +1. Select the **Users** container in the navigation pane +1. Right-click **Key Admins** in the details pane and select **Properties** +1. Select the **Members > Add…** +1. In the **Enter the object names to select** text box, type *adfssvc*. Select **OK** +1. Select **OK** to return to **Active Directory Users and Computers** +1. Change to server hosting the AD FS role and restart it -Sign-in the federation server with _Domain Admin_ equivalent credentials. These instructions assume you are configuring the first federation server in a federation server farm. -1. Start **Server Manager**. -2. Click the notification flag in the upper right corner. Click **Configure federation services on this server**. - ![Example of pop-up notification as described above.](images/hello-adfs-configure-2012r2.png) +## Configure the device registration service -3. On the **Welcome** page, click **Create the first federation server farm** and click **Next**. -4. Click **Next** on the **Connect to Active Directory Domain Services** page. -5. On the **Specify Service Properties** page, select the recently enrolled or imported certificate from the **SSL Certificate** list. The certificate is likely named after your federation service, such as fs.corp.mstepdemo.net or fs.mstepdemo.net. -6. Select the federation service name from the **Federation Service Name** list. -7. Type the Federation Service Display Name in the text box. This is the name users see when signing in. Click **Next**. -8. On the **Specify Service Account** page, Select **Use an existing domain user account or group Managed Service Account** and click **Select**. - * In the **Select User or Service Account** dialog box, type the name of the previously created AD FS service account (example adfssvc) and click **OK**. Type the password for the AD FS service account and click **Next**. -9. On the **Specify Configuration Database** page, select **Create a database on this server using Windows Internal Database** and click **Next**. -10. On the **Review Options** page, click **Next**. -11. On the **Pre-requisite Checks** page, click **Configure**. -12. When the process completes, click **Close**. -13. Do not restart the AD FS server. You will do this later. +Sign-in to the federation server with *Enterprise Administrator* equivalent credentials. These instructions assume you are configuring the first federation server in a federation server farm. +1. Open the **AD FS management** console +1. In the navigation pane, expand **Service**. Select **Device Registration** +1. In the details pane, select **Configure device registration** +1. In the **Configure Device Registration** dialog, Select **OK** -### Add the AD FS Service account to the KeyAdmins group +:::image type="content" source="images/adfs-device-registration.png" lightbox="images/adfs-device-registration.png" alt-text="AD FS device registration: configuration of the service connection point."::: -The KeyAdmins global group provides the AD FS service with the permissions needed to perform key registration. +Triggering device registration from AD FS, creates the service connection point (SCP) in the Active Directory configuration partition. The SCP is used to store the device registration information that Windows clients will automatically discover. -Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials. -1. Open **Active Directory Users and Computers**. -2. Click the **Users** container in the navigation pane. -3. Right-click **KeyAdmins** in the details pane and click **Properties**. -4. Click the **Members** tab and click **Add…** -5. In the **Enter the object names to select** text box, type **adfssvc**. Click **OK**. -6. Click **OK** to return to **Active Directory Users and Computers**. -7. Change to server hosting the AD FS role and restart it. +:::image type="content" source="images/adfs-scp.png" lightbox="images/adfs-scp.png" alt-text="AD FS device registration: service connection point object created by AD FS."::: - -## Configure the Device Registration Service - -Sign-in the federation server with _Enterprise Admin_ equivalent credentials. These instructions assume you are configuring the first federation server in a federation server farm. -1. Open the **AD FS management** console. -2. In the navigation pane, expand **Service**. Click **Device Registration**. -3. In the details pane, click **Configure Device Registration**. -4. In the **Configure Device Registration** dialog, click **OK**. - -## Review and validate +## Review to validate the AD FS and Active Directory configuration Before you continue with the deployment, validate your deployment progress by reviewing the following items: -* Confirm you followed the correct procedures based on the domain controllers used in your deployment - * Windows Server 2016, 2012 R2 or Windows Server 2012 R2 - * Windows Server 2008 or Windows Server 2008 R2 -* Confirm you have the correct service account based on your domain controller version. -* Confirm you properly installed the AD FS role on your Windows Server 2016 based on the proper sizing of your federation, the number of relying parties, and database needs. -* Confirm you used a certificate with the correct names as the server authentication certificate - * Record the expiration date of the certificate and set a renewal reminder at least six weeks before it expires that includes the: - * Certificate serial number - * Certificate thumbprint - * Common name of the certificate - * Subject alternate name of the certificate - * Name of the physical host server - * The issued date - * The expiration date - * Issuing CA Vendor (if a third-party certificate) -* Confirm you added the AD FS service account to the KeyAdmins group. -* Confirm you enabled the Device Registration service. +> [!div class="checklist"] +> * Record the information about the AD FS certificate, and set a renewal reminder at least six weeks before it expires. Relevant information includes: certificate serial number, thumbprint, common name, subject alternate name, name of the physical host server, the issued date, the expiration date, and issuing CA vendor (if a third-party certificate) +> * Confirm you added the AD FS service account to the KeyAdmins group +> * Confirm you enabled the Device Registration service -## Additional Federation Servers +## Additional federation servers -Organizations should deploy more than one federation server in their federation farm for high-availability. You should have a minimum of two federation services in your AD FS farm, however most organizations are likely to have more. This largely depends on the number of devices and users using the services provided by the AD FS farm. +Organizations should deploy more than one federation server in their federation farm for high-availability. You should have a minimum of two federation services in your AD FS farm, however most organizations are likely to have more. This largely depends on the number of devices and users using the services provided by the AD FS farm. -### Server Authentication Certificate +### Server authentication certificate -Each server you add to the AD FS farm must have a proper server authentication certificate. Refer to the [Enroll for a TLS Server Authentication Certificate](#enroll-for-a-tls-server-authentication-certificate) section of this document to determine the requirements for your server authentication certificate. As previously stated, AD FS servers used exclusively for on-premises deployments of Windows Hello for Business can use enterprise server authentication certificates rather than server authentication certificates issued by public certificate authorities. +Each server you add to the AD FS farm must have a proper server authentication certificate. Refer to the [Enroll for a TLS Server Authentication Certificate](#enroll-for-a-tls-server-authentication-certificate) section of this document to determine the requirements for your server authentication certificate. As previously stated, AD FS servers used exclusively for on-premises deployments of Windows Hello for Business can use enterprise server authentication certificates rather than server authentication certificates issued by public certificate authorities. -### Install Additional Servers +### Install additional servers -Adding federation servers to the existing AD FS farm begins with ensuring the server are fully patched, to include Windows Server 2016 Update needed to support Windows Hello for Business deployments (https://aka.ms/whfbadfs1703). Next, install the Active Directory Federation Service role on the additional servers and then configure the server as an additional server in an existing farm. +Adding federation servers to the existing AD FS farm begins with ensuring the server are fully patched, to include Windows Server 2016 Update needed to support Windows Hello for Business deployments (https://aka.ms/whfbadfs1703). Next, install the Active Directory Federation Service role on the additional servers and then configure the server as an additional server in an existing farm. -## Load Balance AD FS Federation Servers +## Load balance AD FS -Many environments load balance using hardware devices. Environments without hardware load-balancing capabilities can take advantage the network load-balancing feature included in Windows Server to load balance the AD FS servers in the federation farm. Install the Windows Network Load Balancing feature on all nodes participating in the AD FS farm that should be load balanced. +Many environments load balance using hardware devices. Environments without hardware load-balancing capabilities can take advantage the network load-balancing feature included in Windows Server to load balance the AD FS servers in the federation farm. Install the Windows Network Load Balancing feature on all nodes participating in the AD FS farm that should be load balanced. ### Install Network Load Balancing Feature on AD FS Servers -Sign-in the federation server with _Enterprise Admin_ equivalent credentials. -1. Start **Server Manager**. Click **Local Server** in the navigation pane. -2. Click **Manage** and then click **Add Roles and Features**. -3. Click **Next** On the **Before you begin** page. -4. On the **Select installation type** page, select **Role-based or feature-based installation** and click **Next**. -5. On the **Select destination server** page, choose **Select a server from the server pool**. Select the federation server from the **Server Pool** list. Click **Next**. -6. On the **Select server roles** page, click **Next**. -7. Select **Network Load Balancing** on the **Select features** page. -8. Click **Install** to start the feature installation - ![Feature selection screen with NLB selected.](images/hello-nlb-feature-install.png) +Sign-in the federation server with *Enterprise Administrator* equivalent credentials. + +1. Start **Server Manager**. Select **Local Server** in the navigation pane +1. Select **Manage** and then select **Add Roles and Features** +1. Select **Next** On the **Before you begin** page +1. On the **Select installation type** page, select **Role-based or feature-based installation** and select **Next** +1. On the **Select destination server** page, choose **Select a server from the server pool**. Select the federation server from the **Server Pool** list. Select **Next** +1. On the **Select server roles** page, select **Next** +1. Select **Network Load Balancing** on the **Select features** page +1. Select **Install** to start the feature installation ### Configure Network Load Balancing for AD FS -Before you can load balance all the nodes in the AD FS farm, you must first create a new load balance cluster. Once you have created the cluster, then you can add new nodes to that cluster. +Before you can load balance all the nodes in the AD FS farm, you must first create a new load balance cluster. Once you have created the cluster, then you can add new nodes to that cluster. -Sign-in a node of the federation farm with _Admin_ equivalent credentials. -1. Open **Network Load Balancing Manager** from **Administrative Tools**. - ![NLB Manager user interface.](images/hello-nlb-manager.png) -2. Right-click **Network Load Balancing Clusters**, and then click **New Cluster**. -3. To connect to the host that is to be a part of the new cluster, in the **Host** text box, type the name of the host, and then click **Connect**. - ![NLB Manager - Connect to new Cluster screen.](images/hello-nlb-connect.png) -4. Select the interface that you want to use with the cluster, and then click **Next**. (The interface hosts the virtual IP address and receives the client traffic to load balance.) -5. In **Host Parameters**, select a value in **Priority (Unique host identifier)**. This parameter specifies a unique ID for each host. The host with the lowest numerical priority among the current members of the cluster handles all of the cluster's network traffic that is not covered by a port rule. Click **Next**. -6. In **Cluster IP Addresses**, click **Add** and type the cluster IP address that is shared by every host in the cluster. NLB adds this IP address to the TCP/IP stack on the selected interface of all hosts that are chosen to be part of the cluster. Click **Next**. - ![NLB Manager - Add IP to New Cluster screen.](images/hello-nlb-add-ip.png) -7. In **Cluster Parameters**, select values in **IP Address** and **Subnet mask** (for IPv6 addresses, a subnet mask value is not needed). Type the full Internet name that users will use to access this NLB cluster. - ![NLB Manager - Cluster IP Configuration screen.](images/hello-nlb-cluster-ip-config.png) -8. In **Cluster operation mode**, click **Unicast** to specify that a unicast media access control (MAC) address should be used for cluster operations. In unicast mode, the MAC address of the cluster is assigned to the network adapter of the computer, and the built-in MAC address of the network adapter is not used. We recommend that you accept the unicast default settings. Click **Next**. -9. In Port Rules, click Edit to modify the default port rules to use port 443. - ![NLB Manager - Add\Edit Port Rule screen.](images/hello-nlb-cluster-port-rule.png) +Sign-in a node of the federation farm with *Administrator* equivalent credentials. + +1. Open **Network Load Balancing Manager** from **Administrative Tools** +1. Right-click **Network Load Balancing Clusters**, and then select **New Cluster** +1. To connect to the host that is to be a part of the new cluster, in the **Host** text box, type the name of the host, and then select **Connect** +1. Select the interface that you want to use with the cluster, and then select **Next** (the interface hosts the virtual IP address and receives the client traffic to load balance) +1. In **Host Parameters**, select a value in **Priority (Unique host identifier)**. This parameter specifies a unique ID for each host. The host with the lowest numerical priority among the current members of the cluster handles all of the cluster's network traffic that is not covered by a port rule. Select **Next** +1. In **Cluster IP Addresses**, select **Add** and type the cluster IP address that is shared by every host in the cluster. NLB adds this IP address to the TCP/IP stack on the selected interface of all hosts that are chosen to be part of the cluster. Select **Next** +1. In **Cluster Parameters**, select values in **IP Address** and **Subnet mask** (for IPv6 addresses, a subnet mask value is not needed). Type the full Internet name that users will use to access this NLB cluster +1. In **Cluster operation mode**, select **Unicast** to specify that a unicast media access control (MAC) address should be used for cluster operations. In unicast mode, the MAC address of the cluster is assigned to the network adapter of the computer, and the built-in MAC address of the network adapter is not used. We recommend that you accept the unicast default settings. Select **Next** +1. In Port Rules, select Edit to modify the default port rules to use port 443 ### Additional AD FS Servers -1. To add more hosts to the cluster, right-click the new cluster, and then click **Add Host to Cluster**. -2. Configure the host parameters (including host priority, dedicated IP addresses, and load weight) for the additional hosts by following the same instructions that you used to configure the initial host. Because you are adding hosts to an already configured cluster, all the cluster-wide parameters remain the same. - ![NLB Manager - Cluster with nodes.](images/hello-nlb-cluster.png) +1. To add more hosts to the cluster, right-click the new cluster, and then select **Add Host to Cluster** +1. Configure the host parameters (including host priority, dedicated IP addresses, and load weight) for the additional hosts by following the same instructions that you used to configure the initial host. Because you are adding hosts to an already configured cluster, all the cluster-wide parameters remain the same ## Configure DNS for Device Registration -Sign-in the domain controller or administrative workstation with domain administrator equivalent credentials. You’ll need the Federation service name to complete this task. You can view the federation service name by clicking **Edit Federation Service Properties** from the **Action** pan of the **AD FS** management console, or by using `(Get-AdfsProperties).Hostname.` (PowerShell) on the AD FS server. -1. Open the **DNS Management** console. -2. In the navigation pane, expand the domain controller name node and **Forward Lookup Zones**. -3. In the navigation pane, select the node that has the name of your internal Active Directory domain name. -4. In the navigation pane, right-click the domain name node and click **New Host (A or AAAA)**. -5. In the **name** box, type the name of the federation service. In the **IP address** box, type the IP address of your federation server. Click **Add Host**. -6. Right-click the `domain_name` node and select **New Alias (CNAME)**. -7. In the **New Resource Record** dialog box, type "enterpriseregistration" in the **Alias** name box. -8. In the **fully qualified domain name (FQDN)** of the target host box, type `federation_service_farm_name.domain_name.com`, and click OK. -9. Close the DNS Management console. +Sign-in the domain controller or administrative workstation with domain administrator equivalent credentials.\ +You'll need the *federation service* name to complete this task. You can view the federation service name by selecting **Edit Federation Service Properties** from the **Action** pan of the **AD FS** management console, or by using `(Get-AdfsProperties).Hostname.` (PowerShell) on the AD FS server. + +1. Open the **DNS Management** console +1. In the navigation pane, expand the domain controller name node and **Forward Lookup Zones** +1. In the navigation pane, select the node that has the name of your internal Active Directory domain name +1. In the navigation pane, right-click the domain name node and select **New Host (A or AAAA)** +1. In the **name** box, type the name of the federation service. In the **IP address** box, type the IP address of your federation server. Select **Add Host** +1. Right-click the `` node and select **New Alias (CNAME)** +1. In the **New Resource Record** dialog box, type `enterpriseregistration` in the **Alias** name box +1. In the **fully qualified domain name (FQDN)** of the target host box, type `federation_service_farm_name. [!NOTE] -> If your forest has multiple UPN suffixes, please make sure that `enterpriseregistration.upnsuffix.com` is present for each suffix. +> If your forest has multiple UPN suffixes, please make sure that `enterpriseregistration.` is present for each suffix. ## Configure the Intranet Zone to include the federation service -The Windows Hello provisioning presents web pages from the federation service. Configuring the intranet zone to include the federation service enables the user to authenticate to the federation service using integrated authentication. Without this setting, the connection to the federation service during Windows Hello provisioning prompts the user for authentication. +The Windows Hello provisioning presents web pages from the federation service. Configuring the intranet zone to include the federation service enables the user to authenticate to the federation service using integrated authentication. Without this setting, the connection to the federation service during Windows Hello provisioning prompts the user for authentication. ### Create an Intranet Zone Group Policy Sign-in the domain controller or administrative workstation with _Domain Admin_ equivalent credentials 1. Start the **Group Policy Management Console** (gpmc.msc) -2. Expand the domain and select the **Group Policy Object** node in the navigation pane. -3. Right-click **Group Policy object** and select **New** -4. Type **Intranet Zone Settings** in the name box and click **OK**. -5. In the content pane, right-click the **Intranet Zone Settings** Group Policy object and click **Edit**. -6. In the navigation pane, expand **Policies** under **Computer Configuration**. -7. Expand **Administrative Templates > Windows Component > Internet Explorer > Internet Control Panel**, and select **Security Page**. -8. In the content pane, double-click **Site to Zone Assignment List**. Click **Enable**. -9. Click **Show**. In the **Value Name** column, type the url of the federation service beginning with https. In the **Value** column, type the number **1**. Click OK twice, then close the Group Policy Management Editor. +1. Expand the domain and select the **Group Policy Object** node in the navigation pane +1. Right-click **Group Policy object** and select **New** +1. Type **Intranet Zone Settings** in the name box and select **OK** +1. In the content pane, right-click the **Intranet Zone Settings** Group Policy object and select **Edit** +1. In the navigation pane, expand **Policies** under **Computer Configuration** +1. Expand **Administrative Templates > Windows Component > Internet Explorer > Internet Control Panel >Security Page**. Open **Site to Zone Assignment List** +1. Select **Enable > Show**. In the **Value Name** column, type the url of the federation service beginning with https. In the **Value** column, type the number **1**. Select OK twice, then close the Group Policy Management Editor ### Deploy the Intranet Zone Group Policy object 1. Start the **Group Policy Management Console** (gpmc.msc) -2. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click **Link an existing GPO…** -3. In the **Select GPO** dialog box, select **Intranet Zone Settings** or the name of the Windows Hello for Business Group Policy object you previously created and click **OK**. +1. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and select **Link an existing GPO…** +1. In the **Select GPO** dialog box, select **Intranet Zone Settings** or the name of the Windows Hello for Business Group Policy object you previously created and select **OK** -## Review +## Review to validate the configuration Before you continue with the deployment, validate your deployment progress by reviewing the following items: -* Confirm all AD FS servers have a valid server authentication certificate - * The subject of the certificate is the common name (FQDN) of the host or a wildcard name. - * The alternate name of the certificate contains a wildcard or the FQDN of the federation service -* Confirm the AD FS farm has an adequate number of nodes and is properly load balanced for the anticipated load. -* Confirm **all** AD FS servers in the farm have the latest updates. -* Confirm you restarted the AD FS service. -* Confirm you created a DNS A Record for the federation service and the IP address used is the load-balanced IP address -* Confirm you created and deployed the Intranet Zone settings to prevent double authentication to the federation server. +> [!div class="checklist"] +> * Confirm all AD FS servers have a valid server authentication certificate. The subject of the certificate is the common name (FQDN) of the host or a wildcard name. The alternate name of the certificate contains a wildcard or the FQDN of the federation service +> * Confirm the AD FS farm has an adequate number of nodes and is properly load balanced for the anticipated load +> * Confirm you restarted the AD FS service +> * Confirm you created a DNS A Record for the federation service and the IP address used is the load-balanced IP address +> * Confirm you created and deployed the Intranet Zone settings to prevent double authentication to the federation server -## Follow the Windows Hello for Business on premises certificate trust deployment guide - -1. [Validate Active Directory prerequisites](hello-key-trust-validate-ad-prereq.md) -2. [Validate and Configure Public Key Infrastructure](hello-key-trust-validate-pki.md) -3. Prepare and Deploy Windows Server 2016 Active Directory Federation Services (*You are here*) -4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-key-trust-validate-deploy-mfa.md) -5. [Configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md) \ No newline at end of file +> [!div class="nextstepaction"] +> [Next: validate and deploy multi-factor authentication (MFA)](hello-key-trust-validate-deploy-mfa.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md index b5cae63015..03e7dbfe38 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md @@ -1,128 +1,108 @@ --- -title: Configure Windows Hello for Business Policy settings - key trust -description: Configure Windows Hello for Business Policy settings for Windows Hello for Business -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium -ms.date: 08/19/2018 +title: Configure Windows Hello for Business Policy settings in an on-premises key trust +description: Configure Windows Hello for Business Policy settings for Windows Hello for Business in an on-premises key trust scenario +ms.date: 12/12/2022 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ On-premises deployment - - ✅ Key trust +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later +ms.topic: tutorial --- -# Configure Windows Hello for Business Policy settings - Key Trust +# Configure Windows Hello for Business group policy settings - on-premises key trust -You need at least a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520). -Install the Remote Server Administration Tools for Windows on a computer running Windows 10, version 1703 or later. +[!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)] -Alternatively, you can create a copy of the .ADMX and .ADML files from a Windows 10, version 1703 installation setup template folder to their respective language folder on a Windows Server, or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) for more information. +On-premises key trust deployments of Windows Hello for Business need one Group Policy setting: *Enable Windows Hello for Business*. +The Group Policy setting determines whether users are allowed, and prompted, to enroll for Windows Hello for Business. It can be configured for computers or users. -On-premises certificate-based deployments of Windows Hello for Business needs one Group Policy setting: Enable Windows Hello for Business +If you configure the Group Policy for computers, all users that sign-in to those computers will be allowed and prompted to enroll for Windows Hello for Business. If you configure the Group Policy for users, only those users will be allowed and prompted to enroll for Windows Hello for Business. -## Enable Windows Hello for Business Group Policy +## Enable Windows Hello for Business group policy setting -The Group Policy setting determines whether users are allowed, and prompted, to enroll for Windows Hello for Business. It can be configured for computers or users. +The Group Policy setting determines whether users are allowed, and prompted, to enroll for Windows Hello for Business. It can be configured for computers or users. -If you configure the Group Policy for computers, all users that sign-in to those computers will be allowed and prompted to enroll for Windows Hello for Business. If you configure the Group Policy for users, only those users will be allowed and prompted to enroll for Windows Hello for Business. For these settings to be configured using GPO, you need to download and install the latest Administrative Templates (.admx) for Windows. +If you configure the Group Policy for computers, all users that sign-in to those computers will be allowed and prompted to enroll for Windows Hello for Business. If you configure the Group Policy for users, only those users will be allowed and prompted to enroll for Windows Hello for Business . +## Create the GPO -## Create the Windows Hello for Business Group Policy object +Sign in to a domain controller or management workstations with *Domain Administrator* equivalent credentials. -The Group Policy object contains the policy settings needed to trigger Windows Hello for Business provisioning and to ensure Windows Hello for Business authentication certificates are automatically renewed. 1. Start the **Group Policy Management Console** (gpmc.msc) -2. Expand the domain and select the **Group Policy Object** node in the navigation pane. -3. Right-click **Group Policy object** and select **New**. -4. Type *Enable Windows Hello for Business* in the name box and click **OK**. -5. In the content pane, right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**. -6. In the navigation pane, expand **Policies** under **User Configuration**. -7. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**. -8. In the content pane, double-click **Use Windows Hello for Business**. Click **Enable** and click **OK**. -9. Close the **Group Policy Management Editor**. +1. Expand the domain and select the **Group Policy Object** node in the navigation pane +1. Right-click **Group Policy object** and select **New** +1. Type *Enable Windows Hello for Business* in the name box and select **OK** +1. In the content pane, right-click the **Enable Windows Hello for Business** Group Policy object and select **Edit** +1. In the navigation pane, select **User Configuration > Policies > **Administrative Templates > Windows Component > Windows Hello for Business** +1. In the content pane, double-click **Use Windows Hello for Business**. Select **Enable** and **OK** +1. Close the **Group Policy Management Editor** -## Configure Security in the Windows Hello for Business Group Policy object +## Configure security in the Windows Hello for Business GPO The best way to deploy the Windows Hello for Business Group Policy object is to use security group filtering. The enables you to easily manage the users that should receive Windows Hello for Business by simply adding them to a group. This enables you to deploy Windows Hello for Business in phases. + +Sign in to a domain controller or management workstations with *Domain Administrator* equivalent credentials. + 1. Start the **Group Policy Management Console** (gpmc.msc) -2. Expand the domain and select the **Group Policy Object** node in the navigation pane. -3. Double-click the **Enable Windows Hello for Business** Group Policy object. -4. In the **Security Filtering** section of the content pane, click **Add**. Type *Windows Hello for Business Users* or the name of the security group you previously created and click **OK**. -5. Click the **Delegation** tab. Select **Authenticated Users** and click **Advanced**. -6. In the **Group or User names** list, select **Authenticated Users**. In the **Permissions for Authenticated Users** list, clear the **Allow** check box for the **Apply Group Policy** permission. Click **OK**. +1. Expand the domain and select the **Group Policy Object** node in the navigation pane +1. Double-click the **Enable Windows Hello for Business** Group Policy object +1. In the **Security Filtering** section of the content pane, select **Add**. Type *Windows Hello for Business Users* or the name of the security group you previously created and select **OK** +1. Select the **Delegation** tab. Select **Authenticated Users** and **Advanced** +1. In the **Group or User names** list, select **Authenticated Users**. In the **Permissions for Authenticated Users** list, clear the **Allow** check box for the **Apply Group Policy** permission. Select **OK** ## Deploy the Windows Hello for Business Group Policy object -The application of the Windows Hello for Business Group Policy object uses security group filtering. This enables you to link the Group Policy object at the domain, ensuring the Group Policy object is within scope to all users. However, the security group filtering ensures only the users included in the *Windows Hello for Business Users* global group receive and apply the Group Policy object, which results in the provisioning of Windows Hello for Business. -1. Start the **Group Policy Management Console** (gpmc.msc) -2. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click **Link an existing GPO…** -3. In the **Select GPO** dialog box, select **Enable Windows Hello for Business** or the name of the Windows Hello for Business Group Policy object you previously created and click **OK**. +The application of the Windows Hello for Business Group Policy object uses security group filtering. This solution enables you to link the Group Policy object at the domain level, ensuring the GPO is within scope to all users. However, the security group filtering ensures that only the users included in the *Windows Hello for Business Users* global group receive and apply the Group Policy object, which results in the provisioning of Windows Hello for Business. -Just to reassure, linking the **Windows Hello for Business** Group Policy object to the domain ensures the Group Policy object is in scope for all domain users. However, not all users will have the policy settings applied to them. Only users who are members of the Windows Hello for Business group receive the policy settings. All others users ignore the Group Policy object. +1. Start the **Group Policy Management Console** (gpmc.msc) +1. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and select **Link an existing GPO…** +1. In the **Select GPO** dialog box, select **Enable Windows Hello for Business** or the name of the Windows Hello for Business Group Policy object you previously created and select **OK** ## Other Related Group Policy settings -### Windows Hello for Business - There are other Windows Hello for Business policy settings you can configure to manage your Windows Hello for Business deployment. These policy settings are computer-based policy setting; so they are applicable to any user that sign-in from a computer with these policy settings. ### Use a hardware security device -The default configuration for Windows Hello for Business is to prefer hardware protected credentials; however, not all computers are able to create hardware protected credentials. When Windows Hello for Business enrollment encounters a computer that cannot create a hardware protected credential, it will create a software-based credential. +The default configuration for Windows Hello for Business is to prefer hardware protected credentials; however, not all computers are able to create hardware protected credentials. When Windows Hello for Business enrollment encounters a computer that cannot create a hardware protected credential, it will create a software-based credential. -You can enable and deploy the **Use a hardware security device** Group Policy Setting to force Windows Hello for Business to only create hardware protected credentials. Users that sign-in from a computer incapable of creating a hardware protected credential do not enroll for Windows Hello for Business. +You can enable and deploy the **Use a hardware security device** Group Policy Setting to force Windows Hello for Business to only create hardware protected credentials. Users that sign-in from a computer incapable of creating a hardware protected credential do not enroll for Windows Hello for Business. -Another policy setting becomes available when you enable the **Use a hardware security device** Group Policy setting that enables you to prevent Windows Hello for Business enrollment from using version 1.2 Trusted Platform Modules (TPM). Version 1.2 TPMs typically perform cryptographic operations slower than version 2.0 TPMs and are more unforgiving during anti-hammering and PIN lockout activities. Therefore, some organization may want not want slow sign-in performance and management overhead associated with version 1.2 TPMs. To prevent Windows Hello for Business from using version 1.2 TPMs, simply select the TPM 1.2 check box after you enable the Use a hardware security device Group Policy object. +Another policy setting becomes available when you enable the **Use a hardware security device** Group Policy setting that enables you to prevent Windows Hello for Business enrollment from using version 1.2 Trusted Platform Modules (TPM). Version 1.2 TPMs typically perform cryptographic operations slower than version 2.0 TPMs and are more unforgiving during anti-hammering and PIN lockout activities. Some organizations may not want slow sign-in performance and management overhead associated with version 1.2 TPMs. To prevent Windows Hello for Business from using version 1.2 TPMs, select the TPM 1.2 check box after you enable the Use a hardware security device Group Policy object. ### Use biometrics Windows Hello for Business provides a great user experience when combined with the use of biometrics. Rather than providing a PIN to sign-in, a user can use a fingerprint or facial recognition to sign-in to Windows, without sacrificing security. -The default Windows Hello for Business enables users to enroll and use biometrics. However, some organization may want more time before using biometrics and want to disable their use until they are ready. To not allow users to use biometrics, configure the **Use biometrics** Group Policy setting to disabled and apply it to your computers. The policy setting disabled all biometrics. Currently, Windows does not provide granular policy setting that enable you to disable specific modalities of biometrics such as allow facial recognition, but disallow fingerprint. +The default Windows Hello for Business enables users to enroll and use biometrics. However, some organization may want more time before using biometrics and want to disable their use until they are ready. To not allow users to use biometrics, configure the **Use biometrics** Group Policy setting to disabled and apply it to your computers. The policy setting disables all biometrics. Currently, Windows does not provide the ability to set granular policies that enable you to disable specific modalities of biometrics, such as allowing facial recognition, but disallowing fingerprint recognition. ### PIN Complexity -PIN complexity is not specific to Windows Hello for Business. Windows enables users to use PINs outside of Windows Hello for Business. PIN Complexity Group Policy settings apply to all uses of PINs, even when Windows Hello for Business is not deployed. +PIN complexity is not specific to Windows Hello for Business. Windows enables users to use PINs outside of Windows Hello for Business. PIN Complexity Group Policy settings apply to all uses of PINs, even when Windows Hello for Business is not deployed. -Windows provides eight PIN Complexity Group Policy settings that give you granular control over PIN creation and management. You can deploy these policy settings to computers, where they affect all users creating PINs on that computer; or, you can deploy these settings to users, where they affect those users creating PINs regardless of the computer they use. If you deploy both computer and user PIN complexity Group Policy settings, the user policy settings have precedence over computer policy settings. Also, this conflict resolution is based on the last applied policy. Windows does not merge the policy settings automatically; however, you can deploy Group Policy to provide to accomplish a variety of configurations. The policy settings included are: -* Require digits -* Require lowercase letters -* Maximum PIN length -* Minimum PIN length -* Expiration -* History -* Require special characters -* Require uppercase letters +Windows provides eight PIN Complexity Group Policy settings that give you granular control over PIN creation and management. You can deploy these policy settings to computers, where they affect all users creating PINs on that computer; or, you can deploy these settings to users, where they affect those users creating PINs regardless of the computer they use. If you deploy both computer and user PIN complexity Group Policy settings, the user policy settings have precedence over computer policy settings. Also, this conflict resolution is based on the last applied policy. Windows does not merge the policy settings automatically. The policy settings included are: -In the Windows 10, version 1703, the PIN complexity Group Policy settings have moved to remove misunderstanding that PIN complexity policy settings were exclusive to Windows Hello for Business. The new location of these Group Policy settings is under Administrative Templates\System\PIN Complexity under both the Computer and User Configuration nodes of the Group Policy editor. +- Require digits +- Require lowercase letters +- Maximum PIN length +- Minimum PIN length +- Expiration +- History +- Require special characters +- Require uppercase letters -## Review +The settings can be found in *Administrative Templates\System\PIN Complexity*, under both the Computer and User Configuration nodes of the Group Policy editor. + +## Review to validate the configuration Before you continue with the deployment, validate your deployment progress by reviewing the following items: -* Confirm you authored Group Policy settings using the latest ADMX/ADML files (from the Windows 10 Creators Editions) -* Confirm you configured the Enable Windows Hello for Business to the scope that matches your deployment (Computer vs. User) -* Confirm you configure the Use Certificate enrollment for on-premises authentication policy setting. -* Confirm you configure automatic certificate enrollment to the scope that matches your deployment (Computer vs. User) -* Confirm you configured the proper security settings for the Group Policy object - * Removed the allow permission for Apply Group Policy for Domain Users (Domain Users must always have the read permissions) - * Add the Windows Hello for Business Users group to the Group Policy object and gave the group the allow permission for Apply Group Policy - -* Linked the Group Policy object to the correct locations within Active Directory -* Deploy any additional Windows Hello for Business Group Policy setting is a policy separate from the one that enables it for users +> [!div class="checklist"] +> * Confirm you configured the Enable Windows Hello for Business to the scope that matches your deployment (Computer vs. User) +> * Confirm you configured the proper security settings for the Group Policy object +> * Confirm you removed the allow permission for Apply Group Policy for Domain Users (Domain Users must always have the read permissions) +> * Confirm you added the Windows Hello for Business Users group to the Group Policy object, and gave the group the allow permission to Apply Group Policy +> * Linked the Group Policy object to the correct locations within Active Directory +> * Deployed any additional Windows Hello for Business Group Policy settings ## Add users to the Windows Hello for Business Users group -Users must receive the Windows Hello for Business group policy settings and have the proper permission to enroll for the Windows Hello for Business Authentication certificate. You can provide users with these settings and permissions by adding the group used synchronize users to the Windows Hello for Business Users group. Users and groups that are not members of this group will not attempt to enroll for Windows Hello for Business. - - -## Follow the Windows Hello for Business on premises certificate trust deployment guide -1. [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md) -2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md) -3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md) -4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) -5. Configure Windows Hello for Business Policy settings (*You are here*) +Users must receive the Windows Hello for Business group policy settings and have the proper permission to enroll for the Windows Hello for Business Authentication certificate. You can provide users with these settings and permissions by adding the group used synchronize users to the *Windows Hello for Business Users* group. Users and groups that are not members of this group will not attempt to enroll for Windows Hello for Business. \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md index 52f79740bf..e53e1d194f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md @@ -1,47 +1,32 @@ --- -title: Key registration for on-premises deployment of Windows Hello for Business -description: How to Validate Active Directory prerequisites for Windows Hello for Business when deploying with the key trust model. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium -ms.date: 08/19/2018 +title: Validate Active Directory prerequisites in an on-premises key trust +description: Validate Active Directory prerequisites when deploying Windows Hello for Business in a key trust model. +ms.date: 12/12/2022 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ On-premises deployment - - ✅ Key trust +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later +ms.topic: tutorial --- -# Validate Active Directory prerequisites - Key Trust +# Validate Active Directory prerequisites - on-premises key trust -Key trust deployments need an adequate number of 2016 or later domain controllers to ensure successful user authentication with Windows Hello for Business. To learn more about domain controller planning for key trust deployments, read the [Windows Hello for Business planning guide](hello-planning-guide.md), the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) section. +[!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)] -> [!NOTE] ->There was an issue with key trust authentication on Windows Server 2019. If you are planning to use Windows Server 2019 domain controllers refer to [KB4487044](https://support.microsoft.com/en-us/help/4487044/windows-10-update-kb4487044) to fix this issue. +Key trust deployments need an adequate number of domain controllers to ensure successful user authentication with Windows Hello for Business. To learn more about domain controller planning for key trust deployments, read the [Windows Hello for Business planning guide](hello-planning-guide.md) and the [Planning an adequate number of Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) section. -The key registration process for the On-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory or later schema. The key-trust model receives the schema extension when the first Windows Server 2016 domain controller is added to the forest. The minimum required domain functional and forest functional levels for Windows Hello for Business deployment is Windows Server 2008 R2. +The key registration process for the on-premises deployment of Windows Hello for Business requires the Windows Server 2016 Active Directory or later schema. -## Create the Windows Hello for Business Users Security Global Group +## Create the Windows Hello for Business Users security group -The Windows Hello for Business Users group is used to make it easy to deploy Windows Hello for Business in phases. You assign Group Policy permissions to this group to simplify the deployment by simply adding the users to the group. This provides users with the proper permissions to provision Windows Hello for Business. +The *Windows Hello for Business Users* group is used to make it easy to deploy Windows Hello for Business in phases. You assign Group Policy permissions to this group to simplify the deployment by adding the users to the group. This provides users with the proper permissions to provision Windows Hello for Business. -Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials. +Sign-in to a domain controller or to a management workstation with a *Domain Administrator* equivalent credentials. -1. Open **Active Directory Users and Computers**. -2. Click **View** and click **Advanced Features**. -3. Expand the domain node from the navigation pane. -4. Right-click the **Users** container. Click **New**. Click **Group**. -5. Type **Windows Hello for Business Users** in the **Group Name** text box. -6. Click **OK**. +1. Open **Active Directory Users and Computers** +1. Select **View > Advanced Features** +1. Expand the domain node from the navigation pane +1. Right-click the **Users** container. Select **New > Group** +1. Type *Windows Hello for Business Users* in the **Group Name** +1. Select **OK** - -## Follow the Windows Hello for Business on premises certificate trust deployment guide -1. Validate Active Directory prerequisites (*You are here*) -2. [Validate and Configure Public Key Infrastructure](hello-key-trust-validate-pki.md) -3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-key-trust-adfs.md) -4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-key-trust-validate-deploy-mfa.md) -5. [Configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md) +> [!div class="nextstepaction"] +> [Next: validate and configure PKI >](hello-key-trust-validate-pki.md) \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md index f2b2ad6a0c..6088986d1e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md @@ -1,36 +1,29 @@ --- title: Validate and Deploy MFA for Windows Hello for Business with key trust -description: How to Validate and Deploy Multifactor Authentication (MFA) Services for Windows Hello for Business with key trust -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium -ms.date: 08/19/2018 +description: Validate and deploy multi-factor authentication (MFA) for Windows Hello for Business in an on-premises key trust model. +ms.date: 12/12/2022 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ On-premises deployment - - ✅ Key trust +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later +ms.topic: tutorial --- -# Validate and Deploy Multifactor Authentication (MFA) + +# Validate and deploy multi-factor authentication - on-premises key trust + +[!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)] + +Windows Hello for Business requires users perform multi-factor authentication (MFA) prior to enroll in the service. On-premises deployments can use, as MFA option: + +- certificates +- third-party authentication providers for AD FS +- custom authentication provider for AD FS > [!IMPORTANT] -> As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multifactor authentication from their users should use cloud-based Azure AD Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual. - -Windows Hello for Business requires all users perform multi-factor authentication prior to creating and registering a Windows Hello for Business credential. On-premises deployments can use certificates, third-party authentication providers for AD FS, or a custom authentication provider for AD FS as an on-premises MFA option. +> As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multi-factor authentication from their users should use cloud-based Azure AD Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual. For information on available third-party authentication methods see [Configure Additional Authentication Methods for AD FS](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs). For creating a custom authentication method see [Build a Custom Authentication Method for AD FS in Windows Server](/windows-server/identity/ad-fs/development/ad-fs-build-custom-auth-method) Follow the integration and deployment guide for the authentication provider you select to integrate and deploy it to AD FS. Make sure that the authentication provider is selected as a multi-factor authentication option in the AD FS authentication policy. For information on configuring AD FS authentication policies see [Configure Authentication Policies](/windows-server/identity/ad-fs/operations/configure-authentication-policies). -## Follow the Windows Hello for Business on premises certificate trust deployment guide - -1. [Validate Active Directory prerequisites](hello-key-trust-validate-ad-prereq.md) -2. [Validate and Configure Public Key Infrastructure](hello-key-trust-validate-pki.md) -3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-key-trust-adfs.md) -4. Validate and Deploy Multifactor Authentication Services (MFA) (*You are here*) -5. [Configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md) \ No newline at end of file +> [!div class="nextstepaction"] +> [Next: configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md) \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md index 4e174f4e5d..dac396577a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md @@ -1,253 +1,248 @@ --- -title: Validate Public Key Infrastructure - key trust model (Windows Hello for Business) -description: How to Validate Public Key Infrastructure for Windows Hello for Business, under a key trust model. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium -ms.date: 08/19/2018 +title: Configure and validate the Public Key Infrastructure in an on-premises key trust model +description: Configure and validate the Public Key Infrastructure when deploying Windows Hello for Business in a key trust model. +ms.date: 12/12/2022 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ On-premises deployment - - ✅ Key trust +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later +ms.topic: tutorial --- -# Validate and Configure Public Key Infrastructure - Key Trust +# Configure and validate the Public Key Infrastructure - on-premises key trust -Windows Hello for Business must have a public key infrastructure regardless of the deployment or trust model. All trust models depend on the domain controllers having a certificate. The certificate serves as a root of trust for clients to ensure they are not communicating with a rogue domain controller. +[!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)] -## Deploy an enterprise certificate authority +Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the *key trust* or *certificate trust* models. The domain controllers must have a certificate, which serves as a root of trust for clients. The certificate ensures that clients don't communicate with rogue domain controllers. -This guide assumes most enterprise have an existing public key infrastructure. Windows Hello for Business depends on a Windows enterprise public key infrastructure running the Active Directory Certificate Services role from Windows Server 2012 or later. +## Deploy an enterprise certification authority -### Lab-based public key infrastructure +This guide assumes most enterprises have an existing public key infrastructure. Windows Hello for Business depends on an enterprise PKI running the Windows Server *Active Directory Certificate Services* role. -The following instructions may be used to deploy simple public key infrastructure that is suitable for a lab environment. +### Lab-based PKI -Sign-in using _Enterprise Admin_ equivalent credentials on Windows Server 2012 or later server where you want the certificate authority installed. +The following instructions may be used to deploy simple public key infrastructure that is suitable **for a lab environment**. + +Sign in using *Enterprise Administrator* equivalent credentials on a Windows Server where you want the certification authority (CA) installed. >[!NOTE] ->Never install a certificate authority on a domain controller in a production environment. +>Never install a certification authority on a domain controller in a production environment. -1. Open an elevated Windows PowerShell prompt. -2. Use the following command to install the Active Directory Certificate Services role. +1. Open an elevated Windows PowerShell prompt +1. Use the following command to install the Active Directory Certificate Services role. ```PowerShell Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools ``` - -3. Use the following command to configure the Certificate Authority using a basic certificate authority configuration. +3. Use the following command to configure the CA using a basic certification authority configuration ```PowerShell Install-AdcsCertificationAuthority - ``` - -## Configure a Production Public Key Infrastructure - -If you do have an existing public key infrastructure, please review [Certification Authority Guidance](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831574(v=ws.11)) from Microsoft TechNet to properly design your infrastructure. Then, consult the [Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831348(v=ws.11)) for instructions on how to configure your public key infrastructure using the information from your design session. - -### Configure Domain Controller Certificates - -Clients need to trust domain controllers and the best way to do this is to ensure each domain controller has a Kerberos Authentication certificate. Installing a certificate on the domain controller enables the Key Distribution Center (KDC) to prove its identity to other members of the domain. This provides clients a root of trust external to the domain—namely the enterprise certificate authority. - -Domain controllers automatically request a domain controller certificate (if published) when they discover an enterprise certificate authority is added to Active Directory. However, certificates based on the Domain Controller and Domain Controller Authentication certificate templates do not include the KDC Authentication object identifier (OID), which was later added to the Kerberos RFC. Therefore, domain controllers need to request a certificate based on the Kerberos Authentication certificate template. - -By default, the Active Directory Certificate Authority provides and publishes the Kerberos Authentication certificate template. However, the cryptography configuration included in the provided template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the Kerberos Authentication certificate template as a baseline to create an updated domain controller certificate template. - -Sign-in to a certificate authority or management workstations with _Domain Admin_ equivalent credentials. - -1. Open the **Certificate Authority** management console. - -2. Right-click **Certificate Templates** and click **Manage**. - -3. In the **Certificate Template Console**, right-click the **Kerberos Authentication** template in the details pane and click **Duplicate Template**. - -4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2008 R2** from the **Certification Authority** list. Select **Windows 7.Server 2008 R2** from the **Certification Recipient** list. - -5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name. Adjust the validity and renewal period to meet your enterprise’s needs. - - > [!NOTE] - > If you use different template names, you’ll need to remember and substitute these names in different portions of the lab. - -6. On the **Subject Name** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **None** from the **Subject name format** list. Select **DNS name** from the **Include this information in alternate subject** list. Clear all other items. - -7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**. - -8. Close the console. - -### Superseding the existing Domain Controller certificate - -Many domain controllers may have an existing domain controller certificate. The Active Directory Certificate Services provides a default certificate template from domain controllers—the domain controller certificate template. Later releases provided a new certificate template—the domain controller authentication certificate template. These certificate templates were provided prior to update of the Kerberos specification that stated Key Distribution Centers (KDCs) performing certificate authentication needed to include the KDC Authentication extension. - -The Kerberos Authentication certificate template is the most current certificate template designated for domain controllers and should be the one you deploy to all your domain controllers (2008 or later). The autoenrollment feature in Windows enables you to effortlessly replace these domain controller certificates. You can use the following configuration to replace older domain controller certificates with a new certificate using the Kerberos Authentication certificate template. - -Sign-in to a certificate authority or management workstations with _Enterprise Admin_ equivalent credentials. - -1. Open the **Certificate Authority** management console. - -2. Right-click **Certificate Templates** and click **Manage**. - -3. In the **Certificate Template Console**, right-click the **Domain Controller Authentication (Kerberos)** (or the name of the certificate template you created in the previous section) template in the details pane and click **Properties**. - -4. Click the **Superseded Templates** tab. Click **Add**. - -5. From the **Add Superseded Template** dialog, select the **Domain Controller** certificate template and click **OK**. Click **Add**. - -6. From the **Add Superseded Template** dialog, select the **Domain Controller Authentication** certificate template and click **OK**. - -7. From the **Add Superseded Template dialog**, select the **Kerberos Authentication** certificate template and click **OK**. - -8. Add any other enterprise certificate templates that were previously configured for domain controllers to the **Superseded Templates** tab. - -9. Click **OK** and close the **Certificate Templates** console. - -The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities. - -### Configure an Internal Web Server Certificate template - -Windows clients use the https protocol when communicating with Active Directory Federation Services. To meet this need, you must issue a server authentication certificate to all the nodes in the Active Directory Federation Services farm. On-premises deployments can use a server authentication certificate issued by their enterprise PKI. You must configure a server authentication certificate template so the host running the Active Directory Federation Service can request the certificate. - -Sign-in to a certificate authority or management workstations with _Domain Admin_ equivalent credentials. - -1. Open the **Certificate Authority** management console. - -2. Right-click **Certificate Templates** and click **Manage**. - -3. In the **Certificate Template Console**, right-click the **Web Server** template in the details pane and click **Duplicate Template**. - -4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. - -5. On the **General** tab, type **Internal Web Server** in **Template display name**. Adjust the validity and renewal period to meet your enterprise’s needs. - - > [!NOTE] - > If you use different template names, you’ll need to remember and substitute these names in different portions of the lab. - -6. On the **Request Handling** tab, select **Allow private key to be exported**. - -7. On the **Subject** tab, select the **Supply in the request** button if it is not already selected. - -8. On the **Security** tab, Click **Add**. Type **Domain Computers** in the **Enter the object names to select** box. Click **OK**. Select the **Allow** check box next to the **Enroll** permission. - -9. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**. - -10. Close the console. - -### Unpublish Superseded Certificate Templates - -The certificate authority only issues certificates based on published certificate templates. For defense in depth security, it is a good practice to unpublish certificate templates that the certificate authority is not configured to issue. This includes the pre-published certificate template from the role installation and any superseded certificate templates. - -The newly created domain controller authentication certificate template supersedes previous domain controller certificate templates. Therefore, you need to unpublish these certificate templates from all issuing certificate authorities. - -Sign-in to the certificate authority or management workstation with _Enterprise Admin_ equivalent credentials. - -1. Open the **Certificate Authority** management console. - -2. Expand the parent node from the navigation pane. - -3. Click **Certificate Templates** in the navigation pane. - -4. Right-click the **Domain Controller** certificate template in the content pane and select **Delete**. Click **Yes** on the **Disable certificate templates** window. - -5. Repeat step 4 for the **Domain Controller Authentication** and **Kerberos Authentication** certificate templates. - -### Publish Certificate Templates to the Certificate Authority - -The certificate authority may only issue certificates for certificate templates that are published to that certificate authority. If you have more than one certificate authority and you want that certificate authority to issue certificates based on a specific certificate template, then you must publish the certificate template to all certificate authorities that are expected to issue the certificate. - -Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials. - -1. Open the **Certificate Authority** management console. - -2. Expand the parent node from the navigation pane. - -3. Click **Certificate Templates** in the navigation pane. - -4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template** to issue. - -5. In the **Enable Certificates Templates** window, select the **Domain Controller Authentication (Kerberos)**, and **Internal Web Server** templates you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority. - -6. If you published the Domain Controller Authentication (Kerberos) certificate template, then you should unpublish the certificate templates you included in the superseded templates list. - - \* To unpublish a certificate template, right-click the certificate template you want to unpublish in the details pane of the Certificate Authority console and select **Delete**. Click **Yes** to confirm the operation. - -7. Close the console. - -### Configure Domain Controllers for Automatic Certificate Enrollment - -Domain controllers automatically request a certificate from the domain controller certificate template. However, the domain controller is unaware of newer certificate templates or superseded configurations on certificate templates. To continue automatic enrollment and renewal of domain controller certificates that understand newer certificate template and superseded certificate template configurations, create and configure a Group Policy object for automatic certificate enrollment and link the Group Policy object to the Domain Controllers OU. + ``` + +## Configure a PKI + +If you have an existing PKI, review [Certification Authority Guidance](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831574(v=ws.11)) to properly design your infrastructure. Then, consult the [Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831348(v=ws.11)) for instructions on how to configure your PKI using the information from your design session. + +Expand the following sections to configure the PKI for Windows Hello for Business. + +
                              +
                              +Configure domain controller certificates + +Clients must trust the domain controllers, and to it each domain controller must have a *Kerberos Authentication* certificate. Installing a certificate on the domain controllers enables the Key Distribution Center (KDC) to prove its identity to other members of the domain. The certificates provide clients a root of trust external to the domain, namely the *enterprise certification authority*. + +Domain controllers automatically request a domain controller certificate (if published) when they discover an enterprise CA is added to Active Directory. However, certificates based on the Domain Controller and Domain Controller Authentication certificate templates don't include the *KDC Authentication* object identifier (OID), which was later added to the Kerberos RFC. Therefore, domain controllers need to request a certificate based on the *Kerberos Authentication* certificate template. + +By default, the Active Directory CA provides and publishes the *Kerberos Authentication* certificate template. The cryptography configuration included in the template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the *Kerberos Authentication* certificate template as a *baseline* to create an updated domain controller certificate template. + +Sign in to a CA or management workstations with *Domain Administrator* equivalent credentials. + +1. Open the **Certification Authority** management console +1. Right-click **Certificate Templates > Manage** +1. In the **Certificate Template Console**, right-click the **Kerberos Authentication** template in the details pane and select **Duplicate Template** +1. On the **Compatibility** tab: + - Clear the **Show resulting changes** check box + - Select **Windows Server 2016** from the **Certification Authority** list + - Select **Windows 10 / Windows Server 2016** from the **Certificate Recipient** list +1. On the **General** tab + - Type *Domain Controller Authentication (Kerberos)* in Template display name + - Adjust the validity and renewal period to meet your enterprise's needs + > [!NOTE] + > If you use different template names, you'll need to remember and substitute these names in different portions of the lab. +1. On the **Subject Name** tab: + - Select the **Build from this Active Directory information** button if it isn't already selected + - Select **None** from the **Subject name format** list + - Select **DNS name** from the **Include this information in alternate subject** list + - Clear all other items +1. On the **Cryptography** tab: + - select **Key Storage Provider** from the **Provider Category** list + - Select **RSA** from the **Algorithm name** list + - Type *2048* in the **Minimum key size** text box + - Select **SHA256** from the **Request hash** list +1. Select **OK** +1. Close the console + +
                              + + +
                              +
                              +Supersede existing domain controller certificates + +The domain controllers may have an existing domain controller certificate. The Active Directory Certificate Services provides a default certificate template for domain controllers called *domain controller certificate*. Later releases of Windows Server provided a new certificate template called *domain controller authentication certificate*. These certificate templates were provided prior to the update of the Kerberos specification that stated Key Distribution Centers (KDCs) performing certificate authentication needed to include the *KDC Authentication* extension. + +The *Kerberos Authentication* certificate template is the most current certificate template designated for domain controllers, and should be the one you deploy to all your domain controllers.\ +The *autoenrollment* feature allows you to replace the domain controller certificates. Use the following configuration to replace older domain controller certificates with new ones, using the *Kerberos Authentication* certificate template. + +Sign in to a CA or management workstations with *Enterprise Administrator* equivalent credentials. + +1. Open the **Certification Authority** management console +1. Right-click **Certificate Templates > Manage** +1. In the **Certificate Template Console**, right-click the *Domain Controller Authentication (Kerberos)* (or the name of the certificate template you created in the previous section) template in the details pane and select **Properties** +1. Select the **Superseded Templates** tab. Select **Add** +1. From the **Add Superseded Template** dialog, select the *Domain Controller* certificate template and select **OK > Add** +1. From the **Add Superseded Template** dialog, select the *Domain Controller Authentication* certificate template and select **OK** +1. From the **Add Superseded Template** dialog, select the *Kerberos Authentication* certificate template and select **OK** +1. Add any other enterprise certificate templates that were previously configured for domain controllers to the **Superseded Templates** tab +1. Select **OK** and close the **Certificate Templates** console + +The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates isn't active until the certificate template is published to one or more certificate authorities. + +
                              + +
                              +
                              +Configure an internal web server certificate template + +Windows clients use the https protocol when communicating with Active Directory Federation Services (AD FS). To meet this need, you must issue a server authentication certificate to all the nodes in the AD FS farm. On-premises deployments can use a server authentication certificate issued by their enterprise PKI. You must configure a server authentication certificate template so the host running theAD FS can request the certificate. + +Sign in to a CA or management workstations with *Domain Administrator* equivalent credentials. + +1. Open the **Certification Authority** management console +1. Right-click **Certificate Templates** and select **Manage** +1. In the **Certificate Template Console**, right-click the **Web Server** template in the details pane and select **Duplicate Template** +1. On the **Compatibility** tab: + - Clear the **Show resulting changes** check box + - Select **Windows Server 2016** from the **Certification Authority** list + - Select **Windows 10 / Windows Server 2016** from the **Certificate Recipient** list +1. On the **General** tab: + - Type *Internal Web Server* in **Template display name** + - Adjust the validity and renewal period to meet your enterprise's needs + > [!NOTE] + > If you use different template names, you'll need to remember and substitute these names in different portions of the lab. +1. On the **Request Handling** tab, select **Allow private key to be exported** +1. On the **Subject** tab, select the **Supply in the request** button if it isn't already selected +1. On the **Security** tab: + - Select **Add** + - Type **Domain Computers** in the **Enter the object names to select** box + - Select **OK** + - Select the **Allow** check box next to the **Enroll** permission +1. On the **Cryptography** tab: + - Select **Key Storage Provider** from the **Provider Category** list + - Select **RSA** from the **Algorithm name** list + - Type *2048* in the **Minimum key size** text box + - Select **SHA256** from the **Request hash** list + - Select **OK** +1. Close the console + +
                              + +
                              +
                              +Unpublish Superseded Certificate Templates + +The certification authority only issues certificates based on published certificate templates. For security, it's a good practice to unpublish certificate templates that the CA isn't configured to issue. This includes the pre-published certificate template from the role installation and any superseded certificate templates. + +The newly created *domain controller authentication* certificate template supersedes previous domain controller certificate templates. Therefore, you need to unpublish these certificate templates from all issuing certificate authorities. + +Sign in to the CA or management workstation with *Enterprise Administrator* equivalent credentials. + +1. Open the **Certification Authority** management console +1. Expand the parent node from the navigation pane > **Certificate Templates** +1. Right-click the *Domain Controller* certificate template and select **Delete**. Select **Yes** on the **Disable certificate templates** window +1. Repeat step 3 for the *Domain Controller Authentication* and *Kerberos Authentication* certificate templates + +
                              + +
                              +
                              +Publish certificate templates to the CA + +A certification authority can only issue certificates for certificate templates that are published to it. If you have more than one CA, and you want more CAs to issue certificates based on the certificate template, then you must publish the certificate template to them. + +Sign in to the CA or management workstations with **Enterprise Admin** equivalent credentials. + +1. Open the **Certification Authority** management console +1. Expand the parent node from the navigation pane +1. Select **Certificate Templates** in the navigation pane +1. Right-click the **Certificate Templates** node. Select **New > Certificate Template** to issue +1. In the **Enable Certificates Templates** window, select the *Domain Controller Authentication (Kerberos)*, and *Internal Web Server* templates you created in the previous steps. Select **OK** to publish the selected certificate templates to the certification authority +1. If you published the *Domain Controller Authentication (Kerberos)* certificate template, then unpublish the certificate templates you included in the superseded templates list + - To unpublish a certificate template, right-click the certificate template you want to unpublish and select **Delete**. Select **Yes** to confirm the operation +1. Close the console + +
                              + +### Configure automatic certificate enrollment for the domain controllers + +Domain controllers automatically request a certificate from the *Domain controller certificate* template. However, domain controllers are unaware of newer certificate templates or superseded configurations on certificate templates. To continue automatic enrollment and renewal of domain controller certificates, create and configure a Group Policy Object (GPO) for automatic certificate enrollment, linking the Group Policy object to the *Domain Controllers* Organizational Unit (OU). + +1. Open the **Group Policy Management Console** (gpmc.msc) +1. Expand the domain and select the **Group Policy Object** node in the navigation pane +1. Right-click **Group Policy object** and select **New** +1. Type *Domain Controller Auto Certificate Enrollment* in the name box and select **OK** +1. Right-click the **Domain Controller Auto Certificate Enrollment** Group Policy object and select **Edit** +1. In the navigation pane, expand **Policies** under **Computer Configuration** +1. Expand **Windows Settings > Security Settings > Public Key Policies** +1. In the details pane, right-click **Certificate Services Client - Auto-Enrollment** and select **Properties** +1. Select **Enabled** from the **Configuration Model** list +1. Select the **Renew expired certificates, update pending certificates, and remove revoked certificates** check box +1. Select the **Update certificates that use certificate templates** check box +1. Select **OK** +1. Close the **Group Policy Management Editor** + +### Deploy the domain controller auto certificate enrollment GPO + +Sign in to domain controller or management workstations with *Domain Administrator* equivalent credentials. 1. Start the **Group Policy Management Console** (gpmc.msc) +1. In the navigation pane, expand the domain and expand the node with the Active Directory domain name. Right-click the **Domain Controllers** organizational unit and select **Link an existing GPO…** +1. In the **Select GPO** dialog box, select *Domain Controller Auto Certificate Enrollment* or the name of the domain controller certificate enrollment Group Policy object you previously created +1. Select **OK** -2. Expand the domain and select the **Group Policy Object** node in the navigation pane. +## Validate the configuration -3. Right-click **Group Policy object** and select **New** +Windows Hello for Business is a distributed system, which on the surface appears complex and difficult. The key to a successful Windows Hello for Business deployment is to validate phases of work prior to moving to the next phase. -4. Type *Domain Controller Auto Certificate Enrollment* in the name box and click **OK**. +You want to confirm your domain controllers enroll the correct certificates and not any unnecessary (superseded) certificate templates. You need to check each domain controller that autoenrollment for the computer occurred. -5. Right-click the **Domain Controller Auto Certificate Enrollment** Group Policy object and click **Edit**. +### Use the event logs -6. In the navigation pane, expand **Policies** under **Computer Configuration**. +Sign in to domain controller or management workstations with *Domain Administrator* equivalent credentials. -7. Expand **Windows Settings**, **Security Settings**, and click **Public Key Policies**. +1. Using the Event Viewer, navigate to the **Application and Services > Microsoft > Windows > CertificateServices-Lifecycles-System** event log +1. Look for an event indicating a new certificate enrollment (autoenrollment): + - The details of the event include the certificate template on which the certificate was issued + - The name of the certificate template used to issue the certificate should match the certificate template name included in the event + - The certificate thumbprint and EKUs for the certificate are also included in the event + - The EKU needed for proper Windows Hello for Business authentication is Kerberos Authentication, in addition to other EKUs provide by the certificate template -8. In the details pane, right-click **Certificate Services Client – Auto-Enrollment** and select **Properties**. +Certificates superseded by your new domain controller certificate generate an archive event in the event log. The archive event contains the certificate template name and thumbprint of the certificate that was superseded by the new certificate. -9. Select **Enabled** from the **Configuration Model** list. +### Certificate Manager -10. Select the **Renew expired certificates, update pending certificates, and remove revoked certificates** check box. +You can use the Certificate Manager console to validate the domain controller has the properly enrolled certificate based on the correct certificate template with the proper EKUs. Use **certlm.msc** to view certificate in the local computers certificate stores. Expand the **Personal** store and view the certificates enrolled for the computer. Archived certificates don't appear in Certificate Manager. -11. Select the **Update certificates that use certificate templates** check box. +### Certutil.exe -12. Click **OK**. Close the **Group Policy Management Editor**. +You can use `certutil.exe` command to view enrolled certificates in the local computer. Certutil shows enrolled and archived certificates for the local computer. From an elevated command prompt, run `certutil.exe -q -store my` to view locally enrolled certificates. -### Deploy the Domain Controller Auto Certificate Enrollment Group Policy Object +To view detailed information about each certificate in the store, use `certutil.exe -q -v -store my` to validate automatic certificate enrollment enrolled the proper certificates. -Sign-in to a domain controller or management workstations with _Domain Admin_ equivalent credentials. +### Troubleshooting -1. Start the **Group Policy Management Console** (gpmc.msc). +Windows triggers automatic certificate enrollment for the computer during boot, and when Group Policy updates. You can refresh Group Policy from an elevated command prompt using `gpupdate.exe /force`. -2. In the navigation pane, expand the domain and expand the node that has your Active Directory domain name. Right-click the **Domain Controllers** organizational unit and click **Link an existing GPO…**. +Alternatively, you can forcefully trigger automatic certificate enrollment using `certreq.exe -autoenroll -q` from an elevated command prompt. -3. In the **Select GPO** dialog box, select **Domain Controller Auto Certificate Enrollment** or the name of the domain controller certificate enrollment Group Policy object you previously created and click **OK**. +Use the event logs to monitor certificate enrollment and archive. Review the configuration, such as publishing certificate templates to issuing certification authority and the allow auto enrollment permissions. -### Validating your work - -Windows Hello for Business is a distributed system, which on the surface appears complex and difficult. The key to a successful Windows Hello for Business deployment is to validate phases of work prior to moving to the next phase. - -You want to confirm your domain controllers enroll the correct certificates and not any unnecessary (superseded) certificate templates. You need to check each domain controller that autoenrollment for the computer occurred. - -#### Use the Event Logs - -Windows Server 2012 and later include Certificate Lifecycle events to determine the lifecycles of certificates for both users and computers. Using the Event Viewer, navigate to the CertificateServices-Lifecycles-System event log under Application and Services/Microsoft/Windows. - -Look for an event indicating a new certificate enrollment (autoenrollment). The details of the event include the certificate template on which the certificate was issued. The name of the certificate template used to issue the certificate should match the certificate template name included in the event. The certificate thumbprint and EKUs for the certificate are also included in the event. The EKU needed for proper Windows Hello for Business authentication is Kerberos Authentication, in addition to other EKUs provide by the certificate template. - -Certificates superseded by your new domain controller certificate generate an archive event in the CertificateServices-Lifecycles-System event. The archive event contains the certificate template name and thumbprint of the certificate that was superseded by the new certificate. - -#### Certificate Manager - -You can use the Certificate Manager console to validate the domain controller has the properly enrolled certificate based on the correct certificate template with the proper EKUs. Use **certlm.msc** to view certificate in the local computers certificate stores. Expand the **Personal** store and view the certificates enrolled for the computer. Archived certificates do not appear in Certificate Manager. - -#### Certutil.exe - -You can use **certutil.exe** to view enrolled certificates in the local computer. Certutil shows enrolled and archived certificates for the local computer. From an elevated command prompt, run `certutil -q -store my` to view locally enrolled certificates. - -To view detailed information about each certificate in the store, use `certutil -q -v -store my` to validate automatic certificate enrollment enrolled the proper certificates. - -#### Troubleshooting - -Windows triggers automatic certificate enrollment for the computer during boot, and when Group Policy updates. You can refresh Group Policy from an elevated command prompt using `gpupdate /force`. - -Alternatively, you can forcefully trigger automatic certificate enrollment using `certreq -autoenroll -q` from an elevated command prompt. - -Use the event logs to monitor certificate enrollment and archive. Review the configuration, such as publishing certificate templates to issuing certificate authority and the allow auto enrollment permissions. - -## Follow the Windows Hello for Business on premises key trust deployment guide - -1. [Validate Active Directory prerequisites](hello-key-trust-validate-ad-prereq.md) -2. Validate and Configure Public Key Infrastructure (*You are here*) -3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-key-trust-adfs.md) -4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-key-trust-validate-deploy-mfa.md) -5. [Configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md) +> [!div class="nextstepaction"] +> [Next: prepare and deploy AD FS >](hello-key-trust-adfs.md) \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md index 040e423688..a548960eab 100644 --- a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md +++ b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md @@ -1,30 +1,20 @@ --- title: Manage Windows Hello in your organization (Windows) description: You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello for Business on devices running Windows 10. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva ms.collection: - - M365-identity-device-management - highpri -ms.topic: article -ms.localizationpriority: medium ms.date: 2/15/2022 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 +- ✅ Windows 10 and later +ms.topic: article --- # Manage Windows Hello for Business in your organization -You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello on devices running Windows 10. +You can create a Group Policy or mobile device management (MDM) policy to configure Windows Hello for Business on Windows devices. >[!IMPORTANT] ->The Group Policy setting **Turn on PIN sign-in** does not apply to Windows Hello for Business. It still prevents or enables the creation of a convenience PIN for Windows 10, version 1507 and 1511. -> ->Beginning in version 1607, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN for Windows 10, version 1607, enable the Group Policy setting **Turn on convenience PIN sign-in**. +>Windows Hello as a convenience PIN is disabled by default on all domain joined and Azure AD joined devices. To enable a convenience PIN, enable the Group Policy setting **Turn on convenience PIN sign-in**. > >Use **PIN Complexity** policy settings to manage PINs for Windows Hello for Business. @@ -143,9 +133,10 @@ All PIN complexity policies are grouped separately from feature enablement and a >- LowercaseLetters - 1 >- SpecialCharacters - 1 + diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md index 7a7fb4b8fe..48c16385f3 100644 --- a/windows/security/identity-protection/hello-for-business/hello-overview.md +++ b/windows/security/identity-protection/hello-for-business/hello-overview.md @@ -1,24 +1,16 @@ --- title: Windows Hello for Business Overview (Windows) description: Learn how Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices in Windows 10 and Windows 11. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva ms.collection: - - M365-identity-device-management - highpri ms.topic: conceptual -localizationpriority: medium appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Holographic for Business + - ✅ Windows 10 and later +ms.date: 12/31/2017 --- # Windows Hello for Business Overview -In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN. +Windows Hello for Business replaces passwords with strong two-factor authentication on devices. This authentication consists of a type of user credential that is tied to a device and uses a biometric or PIN. >[!NOTE] > When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics. @@ -53,9 +45,9 @@ Windows stores biometric data that is used to implement Windows Hello securely o ## The difference between Windows Hello and Windows Hello for Business -- Individuals can create a PIN or biometric gesture on their personal devices for convenient sign-in. This use of Windows Hello is unique to the device on which it's set up, but can use a password hash depending on an individual's account type. This configuration is referred to as Windows Hello convenience PIN and it's not backed by asymmetric (public/private key) or certificate-based authentication. +- Individuals can create a PIN or biometric gesture on their personal devices for convenient sign-in. This use of Windows Hello is unique to the device on which it's set up, but can use a password hash depending on an individual's account type. This configuration is referred to as *Windows Hello convenience PIN* and it's not backed by asymmetric (public/private key) or certificate-based authentication. -- **Windows Hello for Business**, which is configured by group policy or mobile device management (MDM) policy, always uses key-based or certificate-based authentication. This behavior makes it more secure than **Windows Hello convenience PIN**. +- *Windows Hello for Business*, which is configured by group policy or mobile device management (MDM) policy, always uses key-based or certificate-based authentication. This behavior makes it more secure than *Windows Hello convenience PIN*. ## Benefits of Windows Hello diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index a47024a34d..c3c5912b26 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -1,19 +1,10 @@ --- title: Planning a Windows Hello for Business Deployment description: Learn about the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of your infrastructure. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: - - M365-identity-device-management -ms.topic: article -localizationpriority: conceptual ms.date: 09/16/2020 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 +- ✅ Windows 10 and later +ms.topic: article --- # Planning a Windows Hello for Business Deployment @@ -188,9 +179,9 @@ Hybrid Azure AD-joined devices managed by Group Policy need the Windows Server 2 Choose a trust type that is best suited for your organizations. Remember, the trust type determines two things. Whether you issue authentication certificates to your users and if your deployment needs Windows Server 2016 domain controllers. -One trust model is not more secure than the other. The major difference is based on the organization comfort with deploying Windows Server 2016 domain controllers and not enrolling users with end entity certificates (key-trust) against using existing domain controllers (Windows Server 2008R2 or later) and needing to enroll certificates for all their users (certificate trust). +One trust model is not more secure than the other. The major difference is based on the organization comfort with deploying Windows Server 2016 domain controllers and not enrolling users with end entity certificates (key-trust) against using existing domain controllers and needing to enroll certificates for all their users (certificate trust). -Because the certificate trust types issues certificates, there is more configuration and infrastructure needed to accommodate user certificate enrollment, which could also be a factor to consider in your decision. Additional infrastructure needed for certificate-trust deployments includes a certificate registration authority. In a federated environment, you need to activate the Device Writeback option in Azure AD Connect. +Because the certificate trust types issues certificates, there is more configuration and infrastructure needed to accommodate user certificate enrollment, which could also be a factor to consider in your decision. Additional infrastructure needed for certificate-trust deployments includes a certificate registration authority. In a federated environment, you need to activate the Device Writeback option in Azure AD Connect. If your organization wants to use the key trust type, write **key trust** in box **1b** on your planning worksheet. Write **Windows Server 2016** in box **4d**. Write **N/A** in box **5b**. diff --git a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md index 4a53de6f97..69e4a380e5 100644 --- a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md +++ b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md @@ -1,18 +1,10 @@ --- title: Prepare people to use Windows Hello (Windows) description: When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 08/19/2018 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 +- ✅ Windows 10 and later +ms.topic: article --- # Prepare people to use Windows Hello diff --git a/windows/security/identity-protection/hello-for-business/hello-videos.md b/windows/security/identity-protection/hello-for-business/hello-videos.md index 0cc2a08540..bf6f5a4ea0 100644 --- a/windows/security/identity-protection/hello-for-business/hello-videos.md +++ b/windows/security/identity-protection/hello-for-business/hello-videos.md @@ -1,18 +1,10 @@ --- title: Windows Hello for Business Videos description: View several informative videos describing features and experiences in Windows Hello for Business in Windows 10 and Windows 11. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 07/26/2022 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 +- ✅ Windows 10 and later +ms.topic: article --- # Windows Hello for Business Videos ## Overview of Windows Hello for Business and Features diff --git a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md index d7dd7adec6..89fe8f84ce 100644 --- a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md +++ b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md @@ -1,25 +1,17 @@ --- title: Why a PIN is better than an online password (Windows) -description: Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) an online password . -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva +description: Windows Hello enables users to sign in to their device using a PIN. How is a PIN different from (and better than) an online password. ms.collection: - - M365-identity-device-management - highpri -ms.topic: article -ms.localizationpriority: medium ms.date: 10/23/2017 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 +- ✅ Windows 10 and later +ms.topic: article --- # Why a PIN is better than an online password -Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a local password? -On the surface, a PIN looks much like a password. A PIN can be a set of numbers, but enterprise policy might allow complex PINs that include special characters and letters, both upper-case and lower-case. Something like **t758A!** could be an account password or a complex Hello PIN. It isn't the structure of a PIN (length, complexity) that makes it better than an online password, it's how it works. First we need to distinguish between two types of passwords: `local` passwords are validated against the machine's password store, whereas `online` passwords are validated against a server. This article mostly covers the benefits a PIN has over an online password, and also why it can be considered even better than a local password. +Windows Hello enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a local password? +On the surface, a PIN looks much like a password. A PIN can be a set of numbers, but enterprise policy might allow complex PINs that include special characters and letters, both upper-case and lower-case. Something like **t758A!** could be an account password or a complex Hello PIN. It isn't the structure of a PIN (length, complexity) that makes it better than an online password, it's how it works. First we need to distinguish between two types of passwords: `local` passwords are validated against the machine's password store, whereas `online` passwords are validated against a server. This article mostly covers the benefits a PIN has over an online password, and also why it can be considered even better than a local password. Watch Dana Huang explain why a Windows Hello for Business PIN is more secure than an online password. diff --git a/windows/security/identity-protection/hello-for-business/images/adfs-device-registration.png b/windows/security/identity-protection/hello-for-business/images/adfs-device-registration.png new file mode 100644 index 0000000000..cf0b7aeff4 Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/adfs-device-registration.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/adfs-scp.png b/windows/security/identity-protection/hello-for-business/images/adfs-scp.png new file mode 100644 index 0000000000..5a806fadf0 Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/adfs-scp.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/hello-adfs-configure-2012r2.png b/windows/security/identity-protection/hello-for-business/images/hello-adfs-configure-2012r2.png deleted file mode 100644 index 374d8f1297..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/hello-adfs-configure-2012r2.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/hello-internal-web-server-cert.png b/windows/security/identity-protection/hello-for-business/images/hello-internal-web-server-cert.png index cc78ba41cf..5db53fa03c 100644 Binary files a/windows/security/identity-protection/hello-for-business/images/hello-internal-web-server-cert.png and b/windows/security/identity-protection/hello-for-business/images/hello-internal-web-server-cert.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/hello-nlb-add-ip.png b/windows/security/identity-protection/hello-for-business/images/hello-nlb-add-ip.png deleted file mode 100644 index 49b06a8cc2..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/hello-nlb-add-ip.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/hello-nlb-cluster-ip-config.png b/windows/security/identity-protection/hello-for-business/images/hello-nlb-cluster-ip-config.png deleted file mode 100644 index e74cc5f586..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/hello-nlb-cluster-ip-config.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/hello-nlb-cluster-port-rule.png b/windows/security/identity-protection/hello-for-business/images/hello-nlb-cluster-port-rule.png deleted file mode 100644 index c8d406f45f..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/hello-nlb-cluster-port-rule.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/hello-nlb-cluster.png b/windows/security/identity-protection/hello-for-business/images/hello-nlb-cluster.png deleted file mode 100644 index 3c4e29b213..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/hello-nlb-cluster.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/hello-nlb-connect.png b/windows/security/identity-protection/hello-for-business/images/hello-nlb-connect.png deleted file mode 100644 index c5aac0791e..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/hello-nlb-connect.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/hello-nlb-feature-install.png b/windows/security/identity-protection/hello-for-business/images/hello-nlb-feature-install.png deleted file mode 100644 index 3ab085a804..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/hello-nlb-feature-install.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/hello-nlb-manager.png b/windows/security/identity-protection/hello-for-business/images/hello-nlb-manager.png deleted file mode 100644 index 61af244a4c..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/hello-nlb-manager.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/index.yml b/windows/security/identity-protection/hello-for-business/index.yml index 3907b4b422..0c6b760604 100644 --- a/windows/security/identity-protection/hello-for-business/index.yml +++ b/windows/security/identity-protection/hello-for-business/index.yml @@ -6,7 +6,8 @@ summary: Learn how to manage and deploy Windows Hello for Business. metadata: title: Windows Hello for Business documentation description: Learn how to manage and deploy Windows Hello for Business. - ms.prod: m365-security + ms.prod: windows-client + ms.technology: itpro-security ms.topic: landing-page author: paolomatarazzo ms.author: paoloma @@ -14,7 +15,6 @@ metadata: ms.reviewer: prsriva ms.date: 01/22/2021 ms.collection: - - M365-identity-device-management - highpri # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | whats-new diff --git a/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md b/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md deleted file mode 100644 index db16a0bdac..0000000000 --- a/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md +++ /dev/null @@ -1,31 +0,0 @@ ---- -title: Microsoft-compatible security key -description: Learn how a Microsoft-compatible security key for Windows is different (and better) than any other FIDO2 security key. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium -ms.date: 11/14/2018 ---- -# What is a Microsoft-compatible security key? - -> [!Warning] -> Some information relates to pre-released product that may change before it is commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - - -Microsoft has been aligned with the [FIDO Alliance](https://fidoalliance.org/) with a mission to replace passwords with an easy to use, strong 2FA credential. We have been working with our partners to extensively test and deliver a seamless and secure authentication experience to end users. See [FIDO2 security keys features and providers](/azure/active-directory/authentication/concept-authentication-passwordless#fido2-security-keys). - -The [FIDO2 CTAP specification](https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-client-to-authenticator-protocol-v2.0-id-20180227.html) contains a few optional features and extensions which are crucial to provide that seamless and secure experience. - -A security key **MUST** implement the following features and extensions from the FIDO2 CTAP protocol to be Microsoft-compatible: - -| #
                              | Feature / Extension trust
                              | Why is this required?
                              | -| --- | --- | --- | -| 1 | Resident key | This feature enables the security key to be portable, where your credential is stored on the security key | -| 2 | Client pin | This feature enables you to protect your credentials with a second factor and applies to security keys that do not have an user interface| -| 3 | hmac-secret | This extension ensures you can sign-in to your device when it's off-line or in airplane mode | -| 4 | Multiple accounts per RP | This feature ensures you can use the same security key across multiple services like Microsoft Account (MSA) and Azure Active Directory (AAD) | diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 6da7cc1034..4b2daf06b4 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -1,23 +1,15 @@ --- title: Password-less strategy description: Learn about the password-less strategy and how Windows Hello for Business implements this strategy in Windows 10 and Windows 11. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management ms.topic: conceptual -localizationpriority: medium ms.date: 05/24/2022 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 +- ✅ Windows 10 and later --- # Password-less strategy -This article describes Windows' password-less strategy. Learn how Windows Hello for Business implements this strategy in Windows 10 and Windows 11. +This article describes Windows' password-less strategy and how Windows Hello for Business implements this strategy. ## Four steps to password freedom @@ -308,7 +300,7 @@ The following image shows the SCRIL setting for a user in Active Directory Users :::image type="content" source="images/passwordless/aduc-account-scril.png" alt-text="Example user properties in Active Directory that shows the SCRIL setting on Account options."::: -When you configure a user account for SCRIL, Active Directory changes the affected user's password to a random 128 bits of data. Additionally, domain controllers hosting the user account don't allow the user to sign-in interactively with a password. Also, users will no longer be troubled with needing to change their password when it expires, because passwords for SCRIL users in domains with a Windows Server 2012 R2 or early domain functional level don't expire. The users are effectively password-less because: +When you configure a user account for SCRIL, Active Directory changes the affected user's password to a random 128 bits of data. Additionally, domain controllers hosting the user account don't allow the user to sign-in interactively with a password. Users will no longer need to change their password when it expires, because passwords for SCRIL users don't expire. The users are effectively password-less because: - They don't know their password. - Their password is 128 random bits of data and is likely to include non-typable characters. @@ -349,4 +341,4 @@ In this configuration, passwords for SCRIL-configured users expire based on Acti ## The road ahead -The information presented here is just the beginning. We'll update this guide with improved tools, methods, and scenarios, like Azure AD joined and MDM managed environments. As we continue to invest in a password-less future, we would love to hear from you. Your feedback is important. Send us an email at [pwdless@microsoft.com](mailto:pwdless@microsoft.com?subject=Passwordless%20Feedback). +The information presented here is just the beginning. We'll update this guide with improved tools, methods, and scenarios, like Azure AD joined and MDM managed environments. As we continue to invest in a password-less future, we would love to hear from you. Your feedback is important. Send us an email at [pwdlessQA@microsoft.com](mailto:pwdlessQA@microsoft.com?subject=Passwordless%20Feedback). diff --git a/windows/security/identity-protection/hello-for-business/reset-security-key.md b/windows/security/identity-protection/hello-for-business/reset-security-key.md deleted file mode 100644 index ecddd67b7f..0000000000 --- a/windows/security/identity-protection/hello-for-business/reset-security-key.md +++ /dev/null @@ -1,35 +0,0 @@ ---- -title: Reset-security-key -description: Windows 10 and Windows 11 enables users to sign in to their device using a security key. How to reset a security key -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium -ms.date: 11/14/2018 ---- -# How to reset a Microsoft-compatible security key? -> [!Warning] -> Some information relates to pre-released product that may change before it is commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - ->[!IMPORTANT] ->This operation will wipe everything from your security key and reset it to factory defaults.
                              **All data and credentials will be cleared.** - - -A [Microsoft-compatible security key](./microsoft-compatible-security-key.md) can be reset via Settings app (Settings > Accounts > Sign-in options > Security key). -
                              -Follow the instructions in the Settings app and look for specific instructions based on your security key manufacturer below: - - -|Security key manufacturer
                              | Reset instructions
                              | -| --- | --- | -|Yubico | **USB:** Remove and reinsert the security key. When the LED on the security key begins flashing, touch the metal contact
                              **NFC:** Tap the security key on the reader
                              | -|Feitian | Touch the blinking fingerprint sensor twice to reset the key| -|HID | Tap the card on the reader twice to reset it | - ->[!NOTE] ->The steps to reset your security key may vary based on the security key manufacturer.
                              ->If your security key is not listed here, please reach out to your security key manufacturer for reset instructions. diff --git a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md index 21756b8260..1987c05d33 100644 --- a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md +++ b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md @@ -1,16 +1,10 @@ --- title: How Windows Hello for Business works (Windows) description: Learn about registration, authentication, key material, and infrastructure for Windows Hello for Business. -ms.prod: windows-client -ms.localizationpriority: high -author: paolomatarazzo -ms.author: paoloma ms.date: 10/16/2017 -manager: aaroncz -ms.topic: article appliesto: - - ✅ Windows 10 - - ✅ Windows 11 +- ✅ Windows 10 and later +ms.topic: article --- # How Windows Hello for Business works in Windows devices diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml index 2c22050ab0..fb4c92826f 100644 --- a/windows/security/identity-protection/hello-for-business/toc.yml +++ b/windows/security/identity-protection/hello-for-business/toc.yml @@ -1,13 +1,11 @@ - name: Windows Hello for Business documentation href: index.yml -- name: Overview - items: - - name: Windows Hello for Business Overview - href: hello-overview.md - name: Concepts expanded: true items: - - name: Passwordless Strategy + - name: Windows Hello for Business overview + href: hello-overview.md + - name: Passwordless strategy href: passwordless-strategy.md - name: Why a PIN is better than a password href: hello-why-pin-is-better-than-password.md @@ -15,129 +13,160 @@ href: hello-biometrics-in-enterprise.md - name: How Windows Hello for Business works href: hello-how-it-works.md - - name: Technical Deep Dive - items: - - name: Provisioning - href: hello-how-it-works-provisioning.md - - name: Authentication - href: hello-how-it-works-authentication.md - - name: WebAuthn APIs - href: webauthn-apis.md -- name: How-to Guides +- name: Deployment guides items: - - name: Windows Hello for Business Deployment Overview + - name: Windows Hello for Business deployment overview href: hello-deployment-guide.md - - name: Planning a Windows Hello for Business Deployment + - name: Planning a Windows Hello for Business deployment href: hello-planning-guide.md - - name: Deployment Prerequisite Overview + - name: Deployment prerequisite overview href: hello-identity-verification.md - - name: Prepare people to use Windows Hello - href: hello-prepare-people-to-use.md - - name: Deployment Guides + - name: Cloud-only deployment + href: hello-aad-join-cloud-only-deploy.md + - name: Hybrid deployments items: - - name: Hybrid Cloud Kerberos Trust Deployment + - name: Cloud Kerberos trust deployment href: hello-hybrid-cloud-kerberos-trust.md - - name: Hybrid Azure AD Joined Key Trust + - name: Key trust deployment items: - - name: Hybrid Azure AD Joined Key Trust Deployment + - name: Overview href: hello-hybrid-key-trust.md - name: Prerequisites href: hello-hybrid-key-trust-prereqs.md - - name: New Installation Baseline + - name: New installation baseline href: hello-hybrid-key-new-install.md - - name: Configure Directory Synchronization + - name: Configure directory synchronization href: hello-hybrid-key-trust-dirsync.md - - name: Configure Azure Device Registration + - name: Configure Azure AD device registration href: hello-hybrid-key-trust-devreg.md - name: Configure Windows Hello for Business settings - href: hello-hybrid-key-whfb-settings.md - - name: Sign-in and Provisioning + items: + - name: Overview + href: hello-hybrid-key-whfb-settings.md + - name: Configure Active Directory + href: hello-hybrid-key-whfb-settings-ad.md + - name: Configure Azure AD Connect Sync + href: hello-hybrid-key-whfb-settings-dir-sync.md + - name: Configure PKI + href: hello-hybrid-key-whfb-settings-pki.md + - name: Configure Group Policy settings + href: hello-hybrid-key-whfb-settings-policy.md + - name: Sign-in and provision Windows Hello for Business href: hello-hybrid-key-whfb-provision.md - - name: Hybrid Azure AD Joined Certificate Trust + - name: On-premises SSO for Azure AD joined devices + href: hello-hybrid-aadj-sso.md + - name: Configure Azure AD joined devices for on-premises SSO + href: hello-hybrid-aadj-sso-base.md + - name: Certificate trust deployment items: - - name: Hybrid Azure AD Joined Certificate Trust Deployment + - name: Overview href: hello-hybrid-cert-trust.md - name: Prerequisites href: hello-hybrid-cert-trust-prereqs.md - - name: New Installation Baseline + - name: New installation baseline href: hello-hybrid-cert-new-install.md - - name: Configure Azure Device Registration + - name: Configure Azure AD device registration href: hello-hybrid-cert-trust-devreg.md - name: Configure Windows Hello for Business settings - href: hello-hybrid-cert-whfb-settings.md - - name: Sign-in and Provisioning + items: + - name: Overview + href: hello-hybrid-cert-whfb-settings.md + - name: Configure Active Directory + href: hello-hybrid-cert-whfb-settings-ad.md + - name: Configure Azure AD Connect Sync + href: hello-hybrid-cert-whfb-settings-dir-sync.md + - name: Configure PKI + href: hello-hybrid-cert-whfb-settings-pki.md + - name: Configure AD FS + href: hello-hybrid-cert-whfb-settings-adfs.md + - name: Configure Group Policy settings + href: hello-hybrid-cert-whfb-settings-policy.md + - name: Sign-in and provision Windows Hello for Business href: hello-hybrid-cert-whfb-provision.md - - name: On-premises SSO for Azure AD Joined Devices - items: - - name: On-premises SSO for Azure AD Joined Devices Deployment + - name: On-premises SSO for Azure AD joined devices href: hello-hybrid-aadj-sso.md - - name: Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business + - name: Configure Azure AD joined devices for on-premises SSO href: hello-hybrid-aadj-sso-base.md - - name: Using Certificates for AADJ On-premises Single-sign On + - name: Using certificates for on-premises SSO href: hello-hybrid-aadj-sso-cert.md - - name: On-premises Key Trust + - name: Planning for Domain Controller load + href: hello-adequate-domain-controllers.md + - name: On-premises deployments + items: + - name: Key trust deployment items: - - name: On-premises Key Trust Deployment + - name: Overview href: hello-deployment-key-trust.md - - name: Validate Active Directory Prerequisites + - name: Validate Active Directory prerequisites href: hello-key-trust-validate-ad-prereq.md - - name: Validate and Configure Public Key Infrastructure + - name: Configure and validate Public Key Infrastructure (PKI) href: hello-key-trust-validate-pki.md - - name: Prepare and Deploy Windows Server 2016 Active Directory Federation Services + - name: Prepare and deploy Active Directory Federation Services (AD FS) href: hello-key-trust-adfs.md - - name: Validate and Deploy Multi-factor Authentication (MFA) Services + - name: Validate and deploy multi-factor authentication (MFA) services href: hello-key-trust-validate-deploy-mfa.md - name: Configure Windows Hello for Business policy settings href: hello-key-trust-policy-settings.md - - name: On-premises Certificate Trust + - name: Certificate trust deployment items: - - name: On-premises Certificate Trust Deployment + - name: Overview href: hello-deployment-cert-trust.md - - name: Validate Active Directory Prerequisites + - name: Validate Active Directory prerequisites href: hello-cert-trust-validate-ad-prereq.md - - name: Validate and Configure Public Key Infrastructure + - name: Configure and validate Public Key Infrastructure (PKI) href: hello-cert-trust-validate-pki.md - - name: Prepare and Deploy Windows Server 2016 Active Directory Federation Services + - name: Prepare and Deploy Active Directory Federation Services (AD FS) href: hello-cert-trust-adfs.md - - name: Validate and Deploy Multi-factor Authentication (MFA) Services + - name: Validate and deploy multi-factor authentication (MFA) services href: hello-cert-trust-validate-deploy-mfa.md - name: Configure Windows Hello for Business policy settings href: hello-cert-trust-policy-settings.md - - name: Azure AD join cloud only deployment - href: hello-aad-join-cloud-only-deploy.md - - name: Managing Windows Hello for Business in your organization - href: hello-manage-in-organization.md - - name: Deploying Certificates to Key Trust Users to Enable RDP - href: hello-deployment-rdp-certs.md - - name: Windows Hello for Business Features - items: - - name: Conditional Access - href: hello-feature-conditional-access.md - - name: PIN Reset - href: hello-feature-pin-reset.md - - name: Dual Enrollment - href: hello-feature-dual-enrollment.md - - name: Dynamic Lock - href: hello-feature-dynamic-lock.md - - name: Multi-factor Unlock - href: feature-multifactor-unlock.md - - name: Remote Desktop - href: hello-feature-remote-desktop.md - - name: Troubleshooting - items: - - name: Known Deployment Issues - href: hello-deployment-issues.md - - name: Errors During PIN Creation - href: hello-errors-during-pin-creation.md - - name: Event ID 300 - Windows Hello successfully created - href: hello-event-300.md - - name: Windows Hello and password changes - href: hello-and-password-changes.md + - name: Planning for Domain Controller load + href: hello-adequate-domain-controllers.md + - name: Deploy certificates for remote desktop (RDP) sign-in + href: hello-deployment-rdp-certs.md +- name: How-to Guides + items: + - name: Prepare people to use Windows Hello + href: hello-prepare-people-to-use.md + - name: Manage Windows Hello for Business in your organization + href: hello-manage-in-organization.md +- name: Windows Hello for Business features + items: + - name: Conditional access + href: hello-feature-conditional-access.md + - name: PIN Reset + href: hello-feature-pin-reset.md + - name: Dual Enrollment + href: hello-feature-dual-enrollment.md + - name: Dynamic Lock + href: hello-feature-dynamic-lock.md + - name: Multi-factor Unlock + href: feature-multifactor-unlock.md + - name: Remote desktop (RDP) sign-in + href: hello-feature-remote-desktop.md +- name: Troubleshooting + items: + - name: Known deployment issues + href: hello-deployment-issues.md + - name: Errors during PIN creation + href: hello-errors-during-pin-creation.md + - name: Event ID 300 - Windows Hello successfully created + href: hello-event-300.md + - name: Windows Hello and password changes + href: hello-and-password-changes.md - name: Reference items: - - name: Technology and Terminology + - name: How Windows Hello for Business provisioning works + href: hello-how-it-works-provisioning.md + - name: How Windows Hello for Business authentication works + href: hello-how-it-works-authentication.md + - name: WebAuthn APIs + href: webauthn-apis.md + - name: Technology and terminology href: hello-how-it-works-technology.md - name: Frequently Asked Questions (FAQ) href: hello-faq.yml - name: Windows Hello for Business videos href: hello-videos.md + diff --git a/windows/security/identity-protection/hello-for-business/webauthn-apis.md b/windows/security/identity-protection/hello-for-business/webauthn-apis.md index 9d8fa5c21b..42e5d338b1 100644 --- a/windows/security/identity-protection/hello-for-business/webauthn-apis.md +++ b/windows/security/identity-protection/hello-for-business/webauthn-apis.md @@ -1,18 +1,10 @@ --- title: WebAuthn APIs description: Learn how to use WebAuthn APIs to enable passwordless authentication for your sites and apps. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 09/15/2022 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 +- ✅ Windows 10 and later +ms.topic: article --- # WebAuthn APIs for passwordless authentication on Windows @@ -24,7 +16,7 @@ Starting in **Windows 11, version 22H2**, WebAuthn APIs support ECC algorithms. ## What does this mean? -By using WebAuthn APIs, developer partners and the developer community can use [Windows Hello](./index.yml) or [FIDO2 Security Keys](./microsoft-compatible-security-key.md) to implement passwordless multi-factor authentication for their applications on Windows devices. +By using WebAuthn APIs, developer partners and the developer community can use [Windows Hello](./index.yml) or [FIDO2 Security Keys](/azure/active-directory/authentication/howto-authentication-passwordless-security-key) to implement passwordless multi-factor authentication for their applications on Windows devices. Users of these apps or sites can use any browser that supports WebAuthn APIs for passwordless authentication. Users will have a familiar and consistent experience on Windows, no matter which browser they use. diff --git a/windows/security/identity-protection/index.md b/windows/security/identity-protection/index.md index cf8573f679..c42735cfe2 100644 --- a/windows/security/identity-protection/index.md +++ b/windows/security/identity-protection/index.md @@ -5,13 +5,13 @@ ms.prod: windows-client author: paolomatarazzo ms.author: paoloma manager: aaroncz -ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.date: 02/05/2018 appliesto: - ✅ Windows 10 - ✅ Windows 11 +ms.technology: itpro-security --- # Identity and access management diff --git a/windows/security/identity-protection/password-support-policy.md b/windows/security/identity-protection/password-support-policy.md index 5b65618db7..fe76412c23 100644 --- a/windows/security/identity-protection/password-support-policy.md +++ b/windows/security/identity-protection/password-support-policy.md @@ -11,6 +11,7 @@ author: paolomatarazzo ms.author: paoloma manager: aaroncz ms.date: 11/20/2019 +ms.technology: itpro-security --- # Technical support policy for lost or forgotten passwords diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md index 81ceb05cfd..e094da893b 100644 --- a/windows/security/identity-protection/remote-credential-guard.md +++ b/windows/security/identity-protection/remote-credential-guard.md @@ -6,7 +6,6 @@ author: paolomatarazzo ms.author: paoloma manager: aaroncz ms.collection: - - M365-identity-device-management - highpri ms.topic: article ms.localizationpriority: medium @@ -14,6 +13,7 @@ ms.date: 01/12/2018 appliesto: - ✅ Windows 10 - ✅ Windows Server 2016 +ms.technology: itpro-security --- # Protect Remote Desktop credentials with Windows Defender Remote Credential Guard diff --git a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md index 45274c687c..7c25e23d15 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md +++ b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md @@ -6,7 +6,6 @@ author: paolomatarazzo ms.author: paoloma ms.reviewer: ardenw manager: aaroncz -ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.date: 09/24/2021 @@ -16,6 +15,7 @@ appliesto: - ✅ Windows Server 2016 - ✅ Windows Server 2019 - ✅ Windows Server 2022 +ms.technology: itpro-security --- # Smart Card and Remote Desktop Services diff --git a/windows/security/identity-protection/smart-cards/smart-card-architecture.md b/windows/security/identity-protection/smart-cards/smart-card-architecture.md index 7277b044d4..0b300b959d 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-architecture.md +++ b/windows/security/identity-protection/smart-cards/smart-card-architecture.md @@ -6,7 +6,6 @@ author: paolomatarazzo ms.author: paoloma ms.reviewer: ardenw manager: aaroncz -ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.date: 09/24/2021 @@ -16,6 +15,7 @@ appliesto: - ✅ Windows Server 2016 - ✅ Windows Server 2019 - ✅ Windows Server 2022 +ms.technology: itpro-security --- # Smart Card Architecture diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md index 00b2152267..ad23803395 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md +++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md @@ -6,7 +6,6 @@ author: paolomatarazzo ms.author: paoloma ms.reviewer: ardenw manager: aaroncz -ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.date: 08/24/2021 @@ -16,6 +15,7 @@ appliesto: - ✅ Windows Server 2016 - ✅ Windows Server 2019 - ✅ Windows Server 2022 +ms.technology: itpro-security --- # Certificate Propagation Service diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md index 5707ce0650..dfcc5f5c94 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md +++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md @@ -6,7 +6,6 @@ author: paolomatarazzo ms.author: paoloma ms.reviewer: ardenw manager: aaroncz -ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.date: 09/24/2021 @@ -16,6 +15,7 @@ appliesto: - ✅ Windows Server 2016 - ✅ Windows Server 2019 - ✅ Windows Server 2022 +ms.technology: itpro-security --- # Certificate Requirements and Enumeration diff --git a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md index 7604db531a..3c1b301625 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md +++ b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md @@ -7,7 +7,6 @@ ms.author: paoloma ms.reviewer: ardenw manager: aaroncz ms.collection: - - M365-identity-device-management - highpri ms.topic: article ms.localizationpriority: medium @@ -18,6 +17,7 @@ appliesto: - ✅ Windows Server 2016 - ✅ Windows Server 2019 - ✅ Windows Server 2022 +ms.technology: itpro-security --- # Smart Card Troubleshooting diff --git a/windows/security/identity-protection/smart-cards/smart-card-events.md b/windows/security/identity-protection/smart-cards/smart-card-events.md index fd2d69b73f..ed07b57089 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-events.md +++ b/windows/security/identity-protection/smart-cards/smart-card-events.md @@ -6,7 +6,6 @@ author: paolomatarazzo ms.author: paoloma ms.reviewer: ardenw manager: aaroncz -ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.date: 09/24/2021 @@ -16,6 +15,7 @@ appliesto: - ✅ Windows Server 2016 - ✅ Windows Server 2019 - ✅ Windows Server 2022 +ms.technology: itpro-security --- # Smart Card Events diff --git a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md index c32bc12fe2..a14fa3345b 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md +++ b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md @@ -6,7 +6,6 @@ author: paolomatarazzo ms.author: paoloma ms.reviewer: ardenw manager: aaroncz -ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.date: 11/02/2021 @@ -16,6 +15,7 @@ appliesto: - ✅ Windows Server 2016 - ✅ Windows Server 2019 - ✅ Windows Server 2022 +ms.technology: itpro-security --- # Smart Card Group Policy and Registry Settings diff --git a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md index 7faa54e44a..b0989b839d 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md +++ b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md @@ -6,8 +6,6 @@ author: paolomatarazzo ms.author: paoloma ms.reviewer: ardenw manager: aaroncz -ms.collection: - - M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.date: 09/24/2021 @@ -17,6 +15,7 @@ appliesto: - ✅ Windows Server 2016 - ✅ Windows Server 2019 - ✅ Windows Server 2022 +ms.technology: itpro-security --- # How Smart Card Sign-in Works in Windows diff --git a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md index bd2846b176..1df09c74c0 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md +++ b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md @@ -6,7 +6,6 @@ author: paolomatarazzo ms.author: paoloma ms.reviewer: ardenw manager: aaroncz -ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.date: 09/24/2021 @@ -16,6 +15,7 @@ appliesto: - ✅ Windows Server 2016 - ✅ Windows Server 2019 - ✅ Windows Server 2022 +ms.technology: itpro-security --- # Smart Card Removal Policy Service diff --git a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md index af5b9e8bb6..187d0bc8a9 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md +++ b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md @@ -6,7 +6,6 @@ author: paolomatarazzo ms.author: paoloma ms.reviewer: ardenw manager: aaroncz -ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.date: 09/24/2021 @@ -16,6 +15,7 @@ appliesto: - ✅ Windows Server 2016 - ✅ Windows Server 2019 - ✅ Windows Server 2022 +ms.technology: itpro-security --- # Smart Cards for Windows Service diff --git a/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md b/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md index 106071d129..c543380fcd 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md +++ b/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md @@ -6,7 +6,6 @@ author: paolomatarazzo ms.author: paoloma ms.reviewer: ardenw manager: aaroncz -ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.date: 09/24/2021 @@ -16,6 +15,7 @@ appliesto: - ✅ Windows Server 2016 - ✅ Windows Server 2019 - ✅ Windows Server 2022 +ms.technology: itpro-security --- # Smart Card Tools and Settings diff --git a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md index f1676735c7..9ba3ee5da6 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md +++ b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md @@ -6,7 +6,6 @@ author: paolomatarazzo ms.author: paoloma ms.reviewer: ardenw manager: aaroncz -ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.date: 09/24/2021 @@ -16,6 +15,7 @@ appliesto: - ✅ Windows Server 2016 - ✅ Windows Server 2019 - ✅ Windows Server 2022 +ms.technology: itpro-security --- # Smart Card Technical Reference diff --git a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md index 49a56c854a..a968914652 100644 --- a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md +++ b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md @@ -1,23 +1,14 @@ --- title: How User Account Control works (Windows) description: User Account Control (UAC) is a fundamental component of Microsoft's overall security vision. UAC helps mitigate the impact of malware. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: sulahiri -manager: aaroncz ms.collection: - - M365-identity-device-management - highpri ms.topic: article ms.localizationpriority: medium ms.date: 09/23/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 - - ✅ Windows Server 2019 - - ✅ Windows Server 2022 +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later --- # How User Account Control works @@ -26,7 +17,7 @@ User Account Control (UAC) is a fundamental component of Microsoft's overall sec ## UAC process and interactions -Each app that requires the administrator access token must prompt for consent. The one exception is the relationship that exists between parent and child processes. Child processes inherit the user's access token from the parent process. Both the parent and child processes, however, must have the same integrity level. Windows protects processes by marking their integrity levels. Integrity levels are measurements of trust. A "high" integrity application is one that performs tasks that modify system data, such as a disk partitioning application, while a "low" integrity application is one that performs tasks that could potentially compromise the operating system, such as a Web browser. Apps with lower integrity levels cannot modify data in applications with higher integrity levels. When a standard user attempts to run an app that requires an administrator access token, UAC requires that the user provide valid administrator credentials. +Each app that requires the administrator access token must prompt for consent. The one exception is the relationship that exists between parent and child processes. Child processes inherit the user's access token from the parent process. Both the parent and child processes, however, must have the same integrity level. Windows protects processes by marking their integrity levels. Integrity levels are measurements of trust. A "high" integrity application is one that performs tasks that modify system data, such as a disk partitioning application, while a "low" integrity application is one that performs tasks that could potentially compromise the operating system, such as a Web browser. Apps with lower integrity levels cannot modify data in applications with higher integrity levels. When a standard user attempts to run an app that requires an administrator access token, UAC requires that the user provide valid administrator credentials. To better understand how this process happens, let's look at the Windows logon process. @@ -40,17 +31,17 @@ By default, standard users and administrators access resources and run apps in t When an administrator logs on, two separate access tokens are created for the user: a standard user access token and an administrator access token. The standard user access token contains the same user-specific information as the administrator access token, but the administrative Windows privileges and SIDs are removed. The standard user access token is used to start apps that do not perform administrative tasks (standard user apps). The standard user access token is then used to display the desktop (explorer.exe). Explorer.exe is the parent process from which all other user-initiated processes inherit their access token. As a result, all apps run as a standard user unless a user provides consent or credentials to approve an app to use a full administrative access token. -A user that is a member of the Administrators group can log on, browse the Web, and read e-mail while using a standard user access token. When the administrator needs to perform a task that requires the administrator access token, Windows 10 or Windows 11 automatically prompts the user for approval. This prompt is called an elevation prompt, and its behavior can be configured by using the Local Security Policy snap-in (Secpol.msc) or Group Policy. For more info, see [User Account Control security policy settings](user-account-control-security-policy-settings.md). +A user that is a member of the Administrators group can log on, browse the Web, and read e-mail while using a standard user access token. When the administrator needs to perform a task that requires the administrator access token, Windows automatically prompts the user for approval. This prompt is called an elevation prompt, and its behavior can be configured by using the Local Security Policy snap-in (Secpol.msc) or Group Policy. For more info, see [User Account Control security policy settings](user-account-control-security-policy-settings.md). ### The UAC User Experience -When UAC is enabled, the user experience for standard users is different from that of administrators in Admin Approval Mode. The recommended and more secure method of running Windows 10 or Windows 11 is to make your primary user account a standard user account. Running as a standard user helps to maximize security for a managed environment. With the built-in UAC elevation component, standard users can easily perform an administrative task by entering valid credentials for a local administrator account. The default, built-in UAC elevation component for standard users is the credential prompt. +When UAC is enabled, the user experience for standard users is different from that of administrators in Admin Approval Mode. The recommended and more secure method of running Windows, is to make your primary user account a standard user account. Running as a standard user helps to maximize security for a managed environment. With the built-in UAC elevation component, standard users can easily perform an administrative task by entering valid credentials for a local administrator account. The default, built-in UAC elevation component for standard users is the credential prompt. The alternative to running as a standard user is to run as an administrator in Admin Approval Mode. With the built-in UAC elevation component, members of the local Administrators group can easily perform an administrative task by providing approval. The default, built-in UAC elevation component for an administrator account in Admin Approval Mode is called the consent prompt. **The consent and credential prompts** -With UAC enabled, Windows 10 or Windows 11 prompts for consent or prompts for credentials of a valid local administrator account before starting a program or task that requires a full administrator access token. This prompt ensures that no malicious software can be silently installed. +With UAC enabled, Windows prompts for consent or prompts for credentials of a valid local administrator account before starting a program or task that requires a full administrator access token. This prompt ensures that no malicious software can be silently installed. **The consent prompt** @@ -68,18 +59,18 @@ The following is an example of the UAC credential prompt. **UAC elevation prompts** -The UAC elevation prompts are color-coded to be app-specific, enabling for immediate identification of an application's potential security risk. When an app attempts to run with an administrator's full access token, Windows 10 or Windows 11 first analyzes the executable file to determine its publisher. Apps are first separated into three categories based on the file's publisher: Windows 10 or Windows 11, publisher verified (signed), and publisher not verified (unsigned). The following diagram illustrates how Windows determines which color elevation prompt to present to the user. +The UAC elevation prompts are color-coded to be app-specific, enabling for immediate identification of an application's potential security risk. When an app attempts to run with an administrator's full access token, Windows first analyzes the executable file to determine its publisher. Apps are first separated into three categories based on the file's publisher: Windows 10 or Windows 11, publisher verified (signed), and publisher not verified (unsigned). The following diagram illustrates how Windows determines which color elevation prompt to present to the user. The elevation prompt color-coding is as follows: -- Red background with a red shield icon: The app is blocked by Group Policy or is from a publisher that is blocked. -- Blue background with a blue and gold shield icon: The application is a Windows 10 and Windows 11 administrative app, such as a Control Panel item. -- Blue background with a blue shield icon: The application is signed by using Authenticode and is trusted by the local computer. -- Yellow background with a yellow shield icon: The application is unsigned or signed but is not yet trusted by the local computer. +- Red background with a red shield icon: The app is blocked by Group Policy or is from a publisher that is blocked. +- Blue background with a blue and gold shield icon: The application is a Windows 10 and Windows 11 administrative app, such as a Control Panel item. +- Blue background with a blue shield icon: The application is signed by using Authenticode and is trusted by the local computer. +- Yellow background with a yellow shield icon: The application is unsigned or signed but is not yet trusted by the local computer. **Shield icon** -Some Control Panel items, such as **Date and Time Properties**, contain a combination of administrator and standard user operations. Standard users can view the clock and change the time zone, but a full administrator access token is required to change the local system time. The following is a screen shot of the **Date and Time Properties** Control Panel item. +Some Control Panel items, such as **Date and Time Properties**, contain a combination of administrator and standard user operations. Standard users can view the clock and change the time zone, but a full administrator access token is required to change the local system time. The following is a screenshot of the **Date and Time Properties** Control Panel item. :::image type="content" source="images/uacshieldicon.png" alt-text="UAC Shield Icon in Date and Time Properties"::: @@ -87,7 +78,7 @@ The shield icon on the **Change date and time** button indicates that the proces **Securing the elevation prompt** -The elevation process is further secured by directing the prompt to the secure desktop. The consent and credential prompts are displayed on the secure desktop by default in Windows 10 and Windows 11. Only Windows processes can access the secure desktop. For higher levels of security, we recommend keeping the **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting enabled. +The elevation process is further secured by directing the prompt to the secure desktop. The consent and credential prompts are displayed on the secure desktop by default in Windows 10 and Windows 11. Only Windows processes can access the secure desktop. For higher levels of security, we recommend keeping the **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting enabled. When an executable file requests elevation, the interactive desktop, also called the user desktop, is switched to the secure desktop. The secure desktop dims the user desktop and displays an elevation prompt that must be responded to before continuing. When the user clicks **Yes** or **No**, the desktop switches back to the user desktop. @@ -133,9 +124,9 @@ To better understand each component, review the table below: The slider will never turn UAC completely off. If you set it to **Never notify**, it will: -- Keep the UAC service running. -- Cause all elevation request initiated by administrators to be auto-approved without showing a UAC prompt. -- Automatically deny all elevation requests for standard users. +- Keep the UAC service running. +- Cause all elevation request initiated by administrators to be auto-approved without showing a UAC prompt. +- Automatically deny all elevation requests for standard users. > [!IMPORTANT] > In order to fully disable UAC you must disable the policy **User Account Control: Run all administrators in Admin Approval Mode**. @@ -147,17 +138,17 @@ The slider will never turn UAC completely off. If you set it to **Never notify** Because system administrators in enterprise environments attempt to secure systems, many line-of-business (LOB) applications are designed to use only a standard user access token. As a result, you do not need to replace the majority of apps when UAC is turned on. -Windows 10 and Windows 11 include file and registry virtualization technology for apps that are not UAC-compliant and that require an administrator's access token to run correctly. When an administrative apps that is not UAC-compliant attempts to write to a protected folder, such as Program Files, UAC gives the app its own virtualized view of the resource it is attempting to change. The virtualized copy is maintained in the user's profile. This strategy creates a separate copy of the virtualized file for each user that runs the non-compliant app. +Windows 10 and Windows 11 include file and registry virtualization technology for apps that are not UAC-compliant and that require an administrator's access token to run correctly. When an administrative app that is not UAC-compliant attempts to write to a protected folder, such as Program Files, UAC gives the app its own virtualized view of the resource it is attempting to change. The virtualized copy is maintained in the user's profile. This strategy creates a separate copy of the virtualized file for each user that runs the non-compliant app. Most app tasks operate properly by using virtualization features. Although virtualization allows a majority of applications to run, it is a short-term fix and not a long-term solution. App developers should modify their apps to be compliant as soon as possible, rather than relying on file, folder, and registry virtualization. Virtualization is not an option in the following scenarios: -- Virtualization does not apply to apps that are elevated and run with a full administrative access token. +- Virtualization does not apply to apps that are elevated and run with a full administrative access token. -- Virtualization supports only 32-bit apps. Non-elevated 64-bit apps simply receive an access denied message when they attempt to acquire a handle (a unique identifier) to a Windows object. Native Windows 64-bit apps are required to be compatible with UAC and to write data into the correct locations. +- Virtualization supports only 32-bit apps. Non-elevated 64-bit apps simply receive an access denied message when they attempt to acquire a handle (a unique identifier) to a Windows object. Native Windows 64-bit apps are required to be compatible with UAC and to write data into the correct locations. -- Virtualization is disabled if the app includes an app manifest with a requested execution level attribute. +- Virtualization is disabled if the app includes an app manifest with a requested execution level attribute. ### Request execution levels @@ -167,22 +158,22 @@ All UAC-compliant apps should have a requested execution level added to the appl ### Installer detection technology -Installation programs are apps designed to deploy software. Most installation programs write to system directories and registry keys. These protected system locations are typically writeable only by an administrator in Installer detection technology, which means that standard users do not have sufficient access to install programs. Windows 10 and Windows 11 heuristically detect installation programs and requests administrator credentials or approval from the administrator user in order to run with access privileges. Windows 10 and Windows 11 also heuristically detect updates and programs that uninstall applications. One of the design goals of UAC is to prevent installations from being run without the user's knowledge and consent because installation programs write to protected areas of the file system and registry. +Installation programs are apps designed to deploy software. Most installation programs write to system directories and registry keys. These protected system locations are typically writeable only by an administrator in Installer detection technology, which means that standard users do not have sufficient access to install programs. Windows 10 and Windows 11 heuristically detect installation programs and requests administrator credentials or approval from the administrator user in order to run with access privileges. Windows 10 and Windows 11 also heuristically detect updates and programs that uninstall applications. One of the design goals of UAC is to prevent installations from being run without the user's knowledge and consent because installation programs write to protected areas of the file system and registry. Installer detection only applies to: -- 32-bit executable files. -- Applications without a requested execution level attribute. -- Interactive processes running as a standard user with UAC enabled. +- 32-bit executable files. +- Applications without a requested execution level attribute. +- Interactive processes running as a standard user with UAC enabled. Before a 32-bit process is created, the following attributes are checked to determine whether it is an installer: -- The file name includes keywords such as "install," "setup," or "update." -- Versioning Resource fields contain the following keywords: Vendor, Company Name, Product Name, File Description, Original Filename, Internal Name, and Export Name. -- Keywords in the side-by-side manifest are embedded in the executable file. -- Keywords in specific StringTable entries are linked in the executable file. -- Key attributes in the resource script data are linked in the executable file. -- There are targeted sequences of bytes within the executable file. +- The file name includes keywords such as "install," "setup," or "update." +- Versioning Resource fields contain the following keywords: Vendor, Company Name, Product Name, File Description, Original Filename, Internal Name, and Export Name. +- Keywords in the side-by-side manifest are embedded in the executable file. +- Keywords in specific StringTable entries are linked in the executable file. +- Key attributes in the resource script data are linked in the executable file. +- There are targeted sequences of bytes within the executable file. > [!NOTE] > The keywords and sequences of bytes were derived from common characteristics observed from various installer technologies. diff --git a/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md b/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md index 540e4342f1..f3c8c14d4e 100644 --- a/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md +++ b/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md @@ -1,23 +1,13 @@ --- title: User Account Control Group Policy and registry key settings (Windows) description: Here's a list of UAC Group Policy and registry key settings that your organization can use to manage UAC. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: sulahiri -manager: aaroncz ms.collection: - - M365-identity-device-management - highpri ms.topic: article -ms.localizationpriority: medium ms.date: 04/19/2017 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 - - ✅ Windows Server 2019 - - ✅ Windows Server 2022 +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later --- # User Account Control Group Policy and registry key settings diff --git a/windows/security/identity-protection/user-account-control/user-account-control-overview.md b/windows/security/identity-protection/user-account-control/user-account-control-overview.md index 39dfcbd0bc..35851d61af 100644 --- a/windows/security/identity-protection/user-account-control/user-account-control-overview.md +++ b/windows/security/identity-protection/user-account-control/user-account-control-overview.md @@ -1,23 +1,13 @@ --- title: User Account Control (Windows) description: User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. -ms.prod: windows-client -ms.localizationpriority: medium -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: sulahiri -manager: aaroncz ms.collection: - - M365-identity-device-management - highpri ms.topic: article ms.date: 09/24/2011 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 - - ✅ Windows Server 2019 - - ✅ Windows Server 2022 +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later --- # User Account Control diff --git a/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md b/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md index 040697c29c..28f209a22e 100644 --- a/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md +++ b/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md @@ -1,22 +1,11 @@ --- title: User Account Control security policy settings (Windows) description: You can use security policies to configure how User Account Control works in your organization. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: sulahiri -manager: aaroncz -ms.collection: - - M365-identity-device-management ms.topic: article -ms.localizationpriority: medium ms.date: 09/24/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 - - ✅ Windows Server 2019 - - ✅ Windows Server 2022 +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later --- # User Account Control security policy settings diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md index 0f5fef56ab..a29f378683 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md @@ -5,13 +5,13 @@ ms.prod: windows-client author: paolomatarazzo ms.author: paoloma manager: aaroncz -ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.date: 04/19/2017 appliesto: - ✅ Windows 10 - ✅ Windows Server 2016 +ms.technology: itpro-security --- # Deploy Virtual Smart Cards diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md index f5ce64521a..c2913cb244 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md @@ -5,13 +5,13 @@ ms.prod: windows-client author: paolomatarazzo ms.author: paoloma manager: aaroncz -ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.date: 04/19/2017 appliesto: - ✅ Windows 10 - ✅ Windows Server 2016 +ms.technology: itpro-security --- # Evaluate Virtual Smart Card Security diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md index ab366df26d..d29782a291 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md @@ -5,13 +5,13 @@ ms.prod: windows-client author: paolomatarazzo ms.author: paoloma manager: aaroncz -ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.date: 04/19/2017 appliesto: - ✅ Windows 10 - ✅ Windows Server 2016 +ms.technology: itpro-security --- # Get Started with Virtual Smart Cards: Walkthrough Guide diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md index acb3e89bb3..22c293e635 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md @@ -5,13 +5,13 @@ ms.prod: windows-client author: paolomatarazzo ms.author: paoloma manager: aaroncz -ms.collection: M365-identity-device-management ms.topic: conceptual ms.localizationpriority: medium ms.date: 10/13/2017 appliesto: - ✅ Windows 10 - ✅ Windows Server 2016 +ms.technology: itpro-security --- # Virtual Smart Card Overview diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md index 45e7c18037..521d0afec7 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md @@ -5,13 +5,13 @@ ms.prod: windows-client author: paolomatarazzo ms.author: paoloma manager: aaroncz -ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.date: 04/19/2017 appliesto: - ✅ Windows 10 - ✅ Windows Server 2016 +ms.technology: itpro-security --- # Tpmvscmgr diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md index 6b9c28ede3..0475663ff5 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md @@ -5,13 +5,13 @@ ms.prod: windows-client author: paolomatarazzo ms.author: paoloma manager: aaroncz -ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.date: 04/19/2017 appliesto: - ✅ Windows 10 - ✅ Windows Server 2016 +ms.technology: itpro-security --- # Understanding and Evaluating Virtual Smart Cards diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md index 713f1ab1f6..beb70ccddd 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md @@ -5,13 +5,13 @@ ms.prod: windows-client author: paolomatarazzo ms.author: paoloma manager: aaroncz -ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.date: 10/13/2017 appliesto: - ✅ Windows 10 - ✅ Windows Server 2016 +ms.technology: itpro-security --- # Use Virtual Smart Cards diff --git a/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md b/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md index 863eec92a6..188fe97442 100644 --- a/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md +++ b/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md @@ -11,6 +11,8 @@ ms.reviewer: pesmith appliesto: - ✅ Windows 10 - ✅ Windows 11 +ms.technology: itpro-security +ms.topic: how-to --- # How to configure Diffie Hellman protocol over IKEv2 VPN connections diff --git a/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md b/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md index d7cefe3eee..e44a13a1a8 100644 --- a/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md +++ b/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md @@ -1,62 +1,66 @@ --- -title: How to use Single Sign-On (SSO) over VPN and Wi-Fi connections (Windows 10 and Windows 11) +title: How to use Single Sign-On (SSO) over VPN and Wi-Fi connections description: Explains requirements to enable Single Sign-On (SSO) to on-premises domain resources over WiFi or VPN connections. ms.prod: windows-client author: paolomatarazzo -ms.date: 03/22/2022 +ms.date: 12/28/2022 manager: aaroncz ms.author: paoloma ms.reviewer: pesmith appliesto: - ✅ Windows 10 - ✅ Windows 11 +ms.technology: itpro-security +ms.topic: how-to --- # How to use Single Sign-On (SSO) over VPN and Wi-Fi connections This article explains requirements to enable Single Sign-On (SSO) to on-premises domain resources over WiFi or VPN connections. The following scenarios are typically used: -- Connecting to a network using Wi-Fi or VPN. -- Use credentials for WiFi or VPN authentication to also authenticate requests to access a domain resource without being prompted for your domain credentials. +- Connecting to a network using Wi-Fi or VPN +- Use credentials for Wi-Fi or VPN authentication to also authenticate requests to access domain resources, without being prompted for domain credentials For example, you want to connect to a corporate network and access an internal website that requires Windows integrated authentication. -The credentials that are used for the connection authentication are placed in Credential Manager as the default credentials for the logon session. Credential Manager stores credentials that can be used for specific domain resources. These are based on the target name of the resource: -- For VPN, the VPN stack saves its credential as the session default. -- For WiFi, Extensible Authentication Protocol (EAP) provides support. +The credentials that are used for the connection authentication are placed in *Credential Manager* as the default credentials for the **logon session**. Credential Manager stores credentials that can be used for specific domain resources. These are based on the target name of the resource: -The credentials are placed in Credential Manager as a "\*Session" credential. -A "\*Session" credential implies that it is valid for the current user session. -The credentials are also cleaned up when the WiFi or VPN connection is disconnected. +- For VPN, the VPN stack saves its credential as the **session default** +- For WiFi, Extensible Authentication Protocol (EAP) provides support + +The credentials are placed in Credential Manager as a *session credential*: + +- A *session credential* implies that it is valid for the current user session +- The credentials are cleaned up when the WiFi or VPN connection is disconnected > [!NOTE] -> In Windows 10, version 21h2 and later, the "\*Session" credential is not visible in Credential Manager. +> In Windows 10, version 21H2 and later, the *session credential* is not visible in Credential Manager. -For example, if someone using Microsoft Edge tries to access a domain resource, Microsoft Edge has the right Enterprise Authentication capability. This allows [WinInet](/windows/win32/wininet/wininet-reference) to release the credentials that it gets from the Credential Manager to the SSP that is requesting it. +For example, if someone using Microsoft Edge tries to access a domain resource, Microsoft Edge has the right Enterprise Authentication capability. This allows [WinInet](/windows/win32/wininet/wininet-reference) to release the credentials that it gets from Credential Manager to the SSP that is requesting it. For more information about the Enterprise Authentication capability, see [App capability declarations](/windows/uwp/packaging/app-capability-declarations). The local security authority will look at the device application to determine if it has the right capability. This includes items such as a Universal Windows Platform (UWP) application. If the app isn't a UWP, it doesn't matter. -But if the application is a UWP app, it will evaluate at the device capability for Enterprise Authentication. +But, if the application is a UWP app, it will evaluate at the device capability for Enterprise Authentication. If it does have that capability and if the resource that you're trying to access is in the Intranet zone in the Internet Options (ZoneMap), then the credential will be released. This behavior helps prevent credentials from being misused by untrusted third parties. ## Intranet zone -For the Intranet zone, by default it only allows single-label names, such as Http://finance. +For the Intranet zone, by default it only allows single-label names, such as *http://finance*. If the resource that needs to be accessed has multiple domain labels, then the workaround is to use the [Registry CSP](/windows/client-management/mdm/registry-csp). ### Setting the ZoneMap The ZoneMap is controlled using a registry that can be set through MDM. -By default, single-label names such as http://finance are already in the intranet zone. -For multi-label names, such as http://finance.net, the ZoneMap needs to be updated. +By default, single-label names such as *http://finance* are already in the intranet zone. +For multi-label names, such as *http://finance.net*, the ZoneMap needs to be updated. ## MDM Policy OMA URI example: -./Vendor/MSFT/Registry/HKU/S-1-5-21-2702878673-795188819-444038987-2781/Software/Microsoft/Windows/CurrentVersion/Internet%20Settings/ZoneMap/Domains/``/* as an Integer Value of 1 for each of the domains that you want to SSO into from your device. This adds the specified domains to the Intranet Zone of the Microsoft Edge browser. +`./Vendor/MSFT/Registry/HKU/S-1-5-21-2702878673-795188819-444038987-2781/Software/Microsoft/Windows/CurrentVersion/Internet%20Settings/ZoneMap/Domains/` as an `Integer` value of `1` for each of the domains that you want to SSO into from your device. This adds the specified domains to the Intranet Zone of the Microsoft Edge browser. ## Credential requirements @@ -64,10 +68,10 @@ For VPN, the following types of credentials will be added to credential manager - Username and password - Certificate-based authentication: - - TPM Key Storage Provider (KSP) Certificate - - Software Key Storage Provider (KSP) Certificates - - Smart Card Certificate - - Windows Hello for Business Certificate + - TPM Key Storage Provider (KSP) Certificate + - Software Key Storage Provider (KSP) Certificates + - Smart Card Certificate + - Windows Hello for Business Certificate The username should also include a domain that can be reached over the connection (VPN or WiFi). @@ -77,10 +81,10 @@ If the credentials are certificate-based, then the elements in the following tab | Template element | Configuration | |------------------|---------------| -| SubjectName | The user’s distinguished name (DN) where the domain components of the distinguished name reflect the internal DNS namespace when the SubjectAlternativeName does not have the fully qualified UPN required to find the domain controller.
                              This requirement is relevant in multi-forest environments as it ensures a domain controller can be located. | -| SubjectAlternativeName | The user’s fully qualified UPN where a domain name component of the user’s UPN matches the organizations internal domain’s DNS namespace.
                              This requirement is relevant in multi-forest environments as it ensures a domain controller can be located when the SubjectName does not have the DN required to find the domain controller. | +| SubjectName | The user's distinguished name (DN) where the domain components of the distinguished name reflect the internal DNS namespace when the SubjectAlternativeName does not have the fully qualified UPN required to find the domain controller.
                              This requirement is relevant in multi-forest environments as it ensures a domain controller can be located. | +| SubjectAlternativeName | The user's fully qualified UPN where a domain name component of the user's UPN matches the organizations internal domain's DNS namespace.
                              This requirement is relevant in multi-forest environments as it ensures a domain controller can be located when the SubjectName does not have the DN required to find the domain controller. | | Key Storage Provider (KSP) | If the device is joined to Azure AD, a discrete SSO certificate is used. | -| EnhancedKeyUsage | One or more of the following EKUs is required:
                              - Client Authentication (for the VPN)
                              - EAP Filtering OID (for Windows Hello for Business)
                              - SmartCardLogon (for Azure AD-joined devices)
                              If the domain controllers require smart card EKU either:
                              - SmartCardLogon
                              - id-pkinit-KPClientAuth (1.3.6.1.5.2.3.4)
                              Otherwise:
                              - TLS/SSL Client Authentication (1.3.6.1.5.5.7.3.2) | +| EnhancedKeyUsage | One or more of the following EKUs is required:
                              • Client Authentication (for the VPN)
                              • EAP Filtering OID (for Windows Hello for Business)
                              • SmartCardLogon (for Azure AD-joined devices)
                              If the domain controllers require smart card EKU either:
                              • SmartCardLogon
                              • id-pkinit-KPClientAuth (1.3.6.1.5.2.3.4)
                              Otherwise:
                              • TLS/SSL Client Authentication (1.3.6.1.5.5.7.3.2)
                              | ## NDES server configuration diff --git a/windows/security/identity-protection/vpn/vpn-authentication.md b/windows/security/identity-protection/vpn/vpn-authentication.md index 508f1851bc..a44aa1b079 100644 --- a/windows/security/identity-protection/vpn/vpn-authentication.md +++ b/windows/security/identity-protection/vpn/vpn-authentication.md @@ -11,6 +11,8 @@ ms.reviewer: pesmith appliesto: - ✅ Windows 10 - ✅ Windows 11 +ms.technology: itpro-security +ms.topic: conceptual --- # VPN authentication options diff --git a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md index 84b2d6c66b..61044232d2 100644 --- a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md +++ b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md @@ -11,6 +11,8 @@ ms.reviewer: pesmith appliesto: - ✅ Windows 10 - ✅ Windows 11 +ms.technology: itpro-security +ms.topic: conceptual --- # VPN auto-triggered profile options diff --git a/windows/security/identity-protection/vpn/vpn-conditional-access.md b/windows/security/identity-protection/vpn/vpn-conditional-access.md index 2589095203..5da2a635a4 100644 --- a/windows/security/identity-protection/vpn/vpn-conditional-access.md +++ b/windows/security/identity-protection/vpn/vpn-conditional-access.md @@ -11,6 +11,8 @@ ms.date: 09/23/2021 appliesto: - ✅ Windows 10 - ✅ Windows 11 +ms.technology: itpro-security +ms.topic: conceptual --- # VPN and conditional access diff --git a/windows/security/identity-protection/vpn/vpn-connection-type.md b/windows/security/identity-protection/vpn/vpn-connection-type.md index 473b6fede7..e9eecdbbb9 100644 --- a/windows/security/identity-protection/vpn/vpn-connection-type.md +++ b/windows/security/identity-protection/vpn/vpn-connection-type.md @@ -11,6 +11,8 @@ ms.reviewer: pesmith appliesto: - ✅ Windows 10 - ✅ Windows 11 +ms.technology: itpro-security +ms.topic: conceptual --- # VPN connection types diff --git a/windows/security/identity-protection/vpn/vpn-guide.md b/windows/security/identity-protection/vpn/vpn-guide.md index 54ef63f227..f8cf27d242 100644 --- a/windows/security/identity-protection/vpn/vpn-guide.md +++ b/windows/security/identity-protection/vpn/vpn-guide.md @@ -11,6 +11,8 @@ ms.reviewer: pesmith appliesto: - ✅ Windows 10 - ✅ Windows 11 +ms.technology: itpro-security +ms.topic: conceptual --- # Windows VPN technical guide diff --git a/windows/security/identity-protection/vpn/vpn-name-resolution.md b/windows/security/identity-protection/vpn/vpn-name-resolution.md index cc0d1c17d1..34f201d00a 100644 --- a/windows/security/identity-protection/vpn/vpn-name-resolution.md +++ b/windows/security/identity-protection/vpn/vpn-name-resolution.md @@ -11,6 +11,8 @@ ms.reviewer: pesmith appliesto: - ✅ Windows 10 - ✅ Windows 11 +ms.technology: itpro-security +ms.topic: conceptual --- # VPN name resolution diff --git a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md index 3512900011..6e45c35a7e 100644 --- a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md +++ b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md @@ -12,6 +12,7 @@ ms.reviewer: pesmith appliesto: - ✅ Windows 10 - ✅ Windows 11 +ms.technology: itpro-security --- # Optimizing Office 365 traffic for remote workers with the native Windows 10 and Windows 11 VPN client diff --git a/windows/security/identity-protection/vpn/vpn-profile-options.md b/windows/security/identity-protection/vpn/vpn-profile-options.md index ca5caf8f25..d5725508e4 100644 --- a/windows/security/identity-protection/vpn/vpn-profile-options.md +++ b/windows/security/identity-protection/vpn/vpn-profile-options.md @@ -11,6 +11,8 @@ ms.date: 05/17/2018 appliesto: - ✅ Windows 10 - ✅ Windows 11 +ms.technology: itpro-security +ms.topic: conceptual --- # VPN profile options diff --git a/windows/security/identity-protection/vpn/vpn-routing.md b/windows/security/identity-protection/vpn/vpn-routing.md index 8a4d2a49b8..be5bc1caf0 100644 --- a/windows/security/identity-protection/vpn/vpn-routing.md +++ b/windows/security/identity-protection/vpn/vpn-routing.md @@ -11,6 +11,8 @@ ms.reviewer: pesmith appliesto: - ✅ Windows 10 - ✅ Windows 11 +ms.technology: itpro-security +ms.topic: conceptual --- # VPN routing decisions diff --git a/windows/security/identity-protection/vpn/vpn-security-features.md b/windows/security/identity-protection/vpn/vpn-security-features.md index 852ee0c9d5..f8fb6861a0 100644 --- a/windows/security/identity-protection/vpn/vpn-security-features.md +++ b/windows/security/identity-protection/vpn/vpn-security-features.md @@ -11,6 +11,8 @@ ms.reviewer: pesmith appliesto: - ✅ Windows 10 - ✅ Windows 11 +ms.technology: itpro-security +ms.topic: conceptual --- # VPN security features diff --git a/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md b/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md index 1e475ba610..aee7a82d2d 100644 --- a/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md +++ b/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md @@ -5,13 +5,13 @@ ms.prod: windows-client author: paolomatarazzo ms.author: paoloma manager: aaroncz -ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.date: 04/19/2017 appliesto: - ✅ Windows 10 - ✅ Windows 11 +ms.technology: itpro-security --- # Windows Credential Theft Mitigation Guide Abstract diff --git a/windows/security/identity.md b/windows/security/identity.md index 6ef1e3db59..c773cf7055 100644 --- a/windows/security/identity.md +++ b/windows/security/identity.md @@ -5,9 +5,10 @@ ms.reviewer: manager: aaroncz ms.author: paoloma author: paolomatarazzo -ms.collection: M365-security-compliance ms.prod: windows-client ms.technology: itpro-security +ms.date: 12/31/2017 +ms.topic: article --- # Windows identity and privacy diff --git a/windows/security/images/icons/information.svg b/windows/security/images/icons/information.svg new file mode 100644 index 0000000000..bc692eabb9 --- /dev/null +++ b/windows/security/images/icons/information.svg @@ -0,0 +1,3 @@ + + + \ No newline at end of file diff --git a/windows/security/includes/hello-cloud.md b/windows/security/includes/hello-cloud.md new file mode 100644 index 0000000000..1c41485f11 --- /dev/null +++ b/windows/security/includes/hello-cloud.md @@ -0,0 +1,11 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/08/2022 +ms.topic: include +--- + +[!INCLUDE [hello-intro](hello-intro.md)] +- **Deployment type:** [!INCLUDE [hello-deployment-cloud](hello-deployment-cloud.md)] +- **Join type:** [!INCLUDE [hello-join-aad](hello-join-aad.md)] +--- \ No newline at end of file diff --git a/windows/security/includes/hello-deployment-cloud.md b/windows/security/includes/hello-deployment-cloud.md new file mode 100644 index 0000000000..8152da9722 --- /dev/null +++ b/windows/security/includes/hello-deployment-cloud.md @@ -0,0 +1,8 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/08/2022 +ms.topic: include +--- + +[cloud :::image type="icon" source="../images/icons/information.svg" border="false":::](../identity-protection/hello-for-business/hello-how-it-works-technology.md#cloud-deployment "For organizations using Azure AD-only identities. Device management is usually done via Intune/MDM") \ No newline at end of file diff --git a/windows/security/includes/hello-deployment-hybrid.md b/windows/security/includes/hello-deployment-hybrid.md new file mode 100644 index 0000000000..b35d4b548e --- /dev/null +++ b/windows/security/includes/hello-deployment-hybrid.md @@ -0,0 +1,8 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/08/2022 +ms.topic: include +--- + +[hybrid :::image type="icon" source="../images/icons/information.svg" border="false":::](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-deployment "For organizations using Active Directory identities synchronized to Azure AD. Device management is usually done via Group Policy or Intune/MDM") \ No newline at end of file diff --git a/windows/security/includes/hello-deployment-onpremises.md b/windows/security/includes/hello-deployment-onpremises.md new file mode 100644 index 0000000000..8746a5e9c7 --- /dev/null +++ b/windows/security/includes/hello-deployment-onpremises.md @@ -0,0 +1,8 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/08/2022 +ms.topic: include +--- + +[on-premises :::image type="icon" source="../images/icons/information.svg" border="false":::](../identity-protection/hello-for-business/hello-how-it-works-technology.md#on-premises-deployment "For organizations using Active Directory identities, not synchronized to Azure AD. Device management is usually done via Group Policy") \ No newline at end of file diff --git a/windows/security/includes/hello-hybrid-cert-trust-aad.md b/windows/security/includes/hello-hybrid-cert-trust-aad.md new file mode 100644 index 0000000000..57c03e95a3 --- /dev/null +++ b/windows/security/includes/hello-hybrid-cert-trust-aad.md @@ -0,0 +1,12 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/08/2022 +ms.topic: include +--- + +[!INCLUDE [hello-intro](hello-intro.md)] +- **Deployment type:** [!INCLUDE [hello-deployment-hybrid](hello-deployment-hybrid.md)] +- **Trust type:** [!INCLUDE [hello-trust-certificate](hello-trust-certificate.md)] +- **Join type:** [!INCLUDE [hello-join-aadj](hello-join-aad.md)] +--- \ No newline at end of file diff --git a/windows/security/includes/hello-hybrid-cert-trust-ad.md b/windows/security/includes/hello-hybrid-cert-trust-ad.md new file mode 100644 index 0000000000..4691d86bc0 --- /dev/null +++ b/windows/security/includes/hello-hybrid-cert-trust-ad.md @@ -0,0 +1,12 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/08/2022 +ms.topic: include +--- + +[!INCLUDE [hello-intro](hello-intro.md)] +- **Deployment type:** [!INCLUDE [hello-deployment-hybrid](hello-deployment-hybrid.md)] +- **Trust type:** [!INCLUDE [hello-trust-cloud-kerberos](hello-trust-cloud-kerberos.md)] +- **Join type:** [!INCLUDE [hello-join-hybrid](hello-join-hybrid.md)] +--- \ No newline at end of file diff --git a/windows/security/includes/hello-hybrid-cert-trust.md b/windows/security/includes/hello-hybrid-cert-trust.md new file mode 100644 index 0000000000..d6ca6e8f5d --- /dev/null +++ b/windows/security/includes/hello-hybrid-cert-trust.md @@ -0,0 +1,12 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/08/2022 +ms.topic: include +--- + +[!INCLUDE [hello-intro](hello-intro.md)] +- **Deployment type:** [!INCLUDE [hello-deployment-hybrid](hello-deployment-hybrid.md)] +- **Trust type:** [!INCLUDE [hello-trust-certificate](hello-trust-certificate.md)] +- **Join type:** [!INCLUDE [hello-join-aadj](hello-join-aad.md)], [!INCLUDE [hello-join-hybrid](hello-join-hybrid.md)] +--- \ No newline at end of file diff --git a/windows/security/includes/hello-hybrid-cloudkerb-trust.md b/windows/security/includes/hello-hybrid-cloudkerb-trust.md new file mode 100644 index 0000000000..61346cd80e --- /dev/null +++ b/windows/security/includes/hello-hybrid-cloudkerb-trust.md @@ -0,0 +1,12 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/08/2022 +ms.topic: include +--- + +[!INCLUDE [hello-intro](hello-intro.md)] +- **Deployment type:** [!INCLUDE [hello-deployment-hybrid](hello-deployment-hybrid.md)] +- **Trust type:** [!INCLUDE [hello-trust-cloud-kerberos](hello-trust-cloud-kerberos.md)] +- **Join type:** [!INCLUDE [hello-join-aadj](hello-join-aad.md)], [!INCLUDE [hello-join-hybrid](hello-join-hybrid.md)] +--- \ No newline at end of file diff --git a/windows/security/includes/hello-hybrid-key-trust-ad.md b/windows/security/includes/hello-hybrid-key-trust-ad.md new file mode 100644 index 0000000000..a5074f5bd4 --- /dev/null +++ b/windows/security/includes/hello-hybrid-key-trust-ad.md @@ -0,0 +1,12 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/08/2022 +ms.topic: include +--- + +[!INCLUDE [hello-intro](hello-intro.md)] +- **Deployment type:** [!INCLUDE [hello-deployment-hybrid](hello-deployment-hybrid.md)] +- **Trust type:** [!INCLUDE [hello-trust-key](hello-trust-key.md)] +- **Join type:** [!INCLUDE [hello-join-hybrid](hello-join-hybrid.md)] +--- \ No newline at end of file diff --git a/windows/security/includes/hello-hybrid-key-trust.md b/windows/security/includes/hello-hybrid-key-trust.md new file mode 100644 index 0000000000..d9feebc213 --- /dev/null +++ b/windows/security/includes/hello-hybrid-key-trust.md @@ -0,0 +1,12 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/08/2022 +ms.topic: include +--- + +[!INCLUDE [hello-intro](hello-intro.md)] +- **Deployment type:** [!INCLUDE [hello-deployment-hybrid](hello-deployment-hybrid.md)] +- **Trust type:** [!INCLUDE [hello-trust-key](hello-trust-key.md)] +- **Join type:** [!INCLUDE [hello-join-aadj](hello-join-aad.md)], [!INCLUDE [hello-join-hybrid](hello-join-hybrid.md)] +--- \ No newline at end of file diff --git a/windows/security/includes/hello-hybrid-keycert-trust-aad.md b/windows/security/includes/hello-hybrid-keycert-trust-aad.md new file mode 100644 index 0000000000..4c073f0897 --- /dev/null +++ b/windows/security/includes/hello-hybrid-keycert-trust-aad.md @@ -0,0 +1,12 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/08/2022 +ms.topic: include +--- + +[!INCLUDE [hello-intro](hello-intro.md)] +- **Deployment type:** [!INCLUDE [hello-deployment-hybrid](hello-deployment-hybrid.md)] +- **Trust type:** [!INCLUDE [hello-trust-key](hello-trust-key.md)], [!INCLUDE [hello-trust-certificate](hello-trust-certificate.md)] +- **Join type:** [!INCLUDE [hello-join-aadj](hello-join-aad.md)] +--- \ No newline at end of file diff --git a/windows/security/includes/hello-intro.md b/windows/security/includes/hello-intro.md new file mode 100644 index 0000000000..46d97c93e6 --- /dev/null +++ b/windows/security/includes/hello-intro.md @@ -0,0 +1,8 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/08/2022 +ms.topic: include +--- + +This document describes Windows Hello for Business functionalities or scenarios that apply to: \ No newline at end of file diff --git a/windows/security/includes/hello-join-aad.md b/windows/security/includes/hello-join-aad.md new file mode 100644 index 0000000000..5709970576 --- /dev/null +++ b/windows/security/includes/hello-join-aad.md @@ -0,0 +1,8 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/08/2022 +ms.topic: include +--- + +[Azure AD join :::image type="icon" source="../images/icons/information.svg" border="false":::](../identity-protection/hello-for-business/hello-how-it-works-technology.md#azure-active-directory-join "Devices that are Azure AD joined do not have any dependencies on Active Directory. Only local users accounts and Azure AD users can sign in to these devices") \ No newline at end of file diff --git a/windows/security/includes/hello-join-domain.md b/windows/security/includes/hello-join-domain.md new file mode 100644 index 0000000000..0385e2089a --- /dev/null +++ b/windows/security/includes/hello-join-domain.md @@ -0,0 +1,8 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/08/2022 +ms.topic: include +--- + +[domain join :::image type="icon" source="../images/icons/information.svg" border="false":::](../identity-protection/hello-for-business/hello-how-it-works-technology.md "Devices that are domain joined do not have any dependencies on Azure AD. Only local users accounts and Active Directory users can sign in to these devices") \ No newline at end of file diff --git a/windows/security/includes/hello-join-hybrid.md b/windows/security/includes/hello-join-hybrid.md new file mode 100644 index 0000000000..3d3e75c6b6 --- /dev/null +++ b/windows/security/includes/hello-join-hybrid.md @@ -0,0 +1,8 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/08/2022 +ms.topic: include +--- + +[hybrid Azure AD join :::image type="icon" source="../images/icons/information.svg" border="false":::](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-azure-ad-join "Devices that are hybrid Azure AD joined don't have any dependencies on Azure AD. Only local users accounts and Active Directory users can sign in to these devices. Active Directory users that are synchronized to Azure AD will have single-sign on to both Active Directory and Azure AD-protected resources") \ No newline at end of file diff --git a/windows/security/includes/hello-on-premises-cert-trust.md b/windows/security/includes/hello-on-premises-cert-trust.md new file mode 100644 index 0000000000..b106b5b8c8 --- /dev/null +++ b/windows/security/includes/hello-on-premises-cert-trust.md @@ -0,0 +1,12 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/08/2022 +ms.topic: include +--- + +[!INCLUDE [hello-intro](hello-intro.md)] +- **Deployment type:** [!INCLUDE [hello-deployment-onpremises](hello-deployment-onpremises.md)] +- **Trust type:** [!INCLUDE [hello-trust-certificate](hello-trust-certificate.md)] +- **Join type:** [!INCLUDE [hello-join-domain](hello-join-domain.md)] +--- \ No newline at end of file diff --git a/windows/security/includes/hello-on-premises-key-trust.md b/windows/security/includes/hello-on-premises-key-trust.md new file mode 100644 index 0000000000..f290b0d975 --- /dev/null +++ b/windows/security/includes/hello-on-premises-key-trust.md @@ -0,0 +1,12 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/08/2022 +ms.topic: include +--- + +[!INCLUDE [hello-intro](hello-intro.md)] +- **Deployment type:** [!INCLUDE [hello-deployment-onpremises](hello-deployment-onpremises.md)] +- **Trust type:** [!INCLUDE [hello-trust-key](hello-trust-key.md)] +- **Join type:** [!INCLUDE [hello-join-domain](hello-join-domain.md)] +--- \ No newline at end of file diff --git a/windows/security/includes/hello-trust-certificate.md b/windows/security/includes/hello-trust-certificate.md new file mode 100644 index 0000000000..ffc705fde0 --- /dev/null +++ b/windows/security/includes/hello-trust-certificate.md @@ -0,0 +1,8 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/08/2022 +ms.topic: include +--- + +[certificate trust :::image type="icon" source="../images/icons/information.svg" border="false":::](../identity-protection/hello-for-business/hello-how-it-works-technology.md#certificate-trust "This trust type uses a certificate to authenticate the users to Active Directory. It's required to issue certificates to the users and to the domain controllers") \ No newline at end of file diff --git a/windows/security/includes/hello-trust-cloud-kerberos.md b/windows/security/includes/hello-trust-cloud-kerberos.md new file mode 100644 index 0000000000..5ddac53ba9 --- /dev/null +++ b/windows/security/includes/hello-trust-cloud-kerberos.md @@ -0,0 +1,8 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/08/2022 +ms.topic: include +--- + +[cloud Kerberos trust :::image type="icon" source="../images/icons/information.svg" border="false":::](../identity-protection/hello-for-business/hello-how-it-works-technology.md#cloud-kerberos-trust "This trust type uses security keys to authenticate the users to Active Directory. It's not required to issue any certificates, making it the recommended choice for environments that do not need certificate authentication") \ No newline at end of file diff --git a/windows/security/includes/hello-trust-key.md b/windows/security/includes/hello-trust-key.md new file mode 100644 index 0000000000..133f7f5204 --- /dev/null +++ b/windows/security/includes/hello-trust-key.md @@ -0,0 +1,8 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/08/2022 +ms.topic: include +--- + +[key trust :::image type="icon" source="../images/icons/information.svg" border="false":::](../identity-protection/hello-for-business/hello-how-it-works-technology.md#key-trust "This trust type uses a raw key to authenticate the users to Active Directory. It's not required to issue certificates to users, but it's required to deploy certificates to domain controllers") \ No newline at end of file diff --git a/windows/security/includes/improve-request-performance.md b/windows/security/includes/improve-request-performance.md index 24aaa25d9f..f928705138 100644 --- a/windows/security/includes/improve-request-performance.md +++ b/windows/security/includes/improve-request-performance.md @@ -1,14 +1,8 @@ --- -title: Improve request performance -description: Improve request performance -search.product: eADQiWindows 10XVcnh -ms.prod: m365-security -ms.localizationpriority: medium -ms.collection: M365-security-compliance -ms.topic: article author: paolomatarazzo ms.author: paoloma -manager: aaroncz +ms.date: 12/08/2022 +ms.topic: include --- >[!TIP] diff --git a/windows/security/includes/machineactionsnote.md b/windows/security/includes/machineactionsnote.md index 31e3d1ac98..d4b4560d8f 100644 --- a/windows/security/includes/machineactionsnote.md +++ b/windows/security/includes/machineactionsnote.md @@ -1,12 +1,8 @@ --- -title: Perform a Machine Action via the Microsoft Defender for Endpoint API -description: This page focuses on performing a machine action via the Microsoft Defender for Endpoint API. -ms.date: 08/28/2017 -ms.reviewer: author: paolomatarazzo ms.author: paoloma -manager: aaroncz -ms.prod: m365-security +ms.date: 12/08/2022 +ms.topic: include --- >[!Note] diff --git a/windows/security/includes/microsoft-defender-api-usgov.md b/windows/security/includes/microsoft-defender-api-usgov.md index 74cfd90cbb..0b0b2be701 100644 --- a/windows/security/includes/microsoft-defender-api-usgov.md +++ b/windows/security/includes/microsoft-defender-api-usgov.md @@ -1,14 +1,8 @@ --- -title: Microsoft Defender for Endpoint API URIs for US Government -description: Microsoft Defender for Endpoint API URIs for US Government -search.product: eADQiWindows 10XVcnh -ms.prod: m365-security author: paolomatarazzo ms.author: paoloma -manager: aaroncz -ms.localizationpriority: medium -ms.collection: M365-security-compliance -ms.topic: article +ms.date: 12/08/2022 +ms.topic: include --- >[!NOTE] diff --git a/windows/security/includes/microsoft-defender.md b/windows/security/includes/microsoft-defender.md index 0aade34b01..bd9a8d2c0d 100644 --- a/windows/security/includes/microsoft-defender.md +++ b/windows/security/includes/microsoft-defender.md @@ -1,13 +1,7 @@ --- -title: Microsoft 365 Defender important guidance -description: A note in regard to important Microsoft 365 Defender guidance. -ms.date: -ms.reviewer: -manager: aaroncz author: paolomatarazzo ms.author: paoloma -manager: aaroncz -ms.prod: m365-security +ms.date: 12/08/2022 ms.topic: include --- diff --git a/windows/security/includes/prerelease.md b/windows/security/includes/prerelease.md index 58b056c484..c0212561bd 100644 --- a/windows/security/includes/prerelease.md +++ b/windows/security/includes/prerelease.md @@ -1,12 +1,8 @@ --- -title: Microsoft Defender for Endpoint Pre-release Disclaimer -description: Disclaimer for pre-release version of Microsoft Defender for Endpoint. -ms.date: 08/28/2017 -ms.reviewer: author: paolomatarazzo ms.author: paoloma -manager: aaroncz -ms.prod: m365-security +ms.date: 12/08/2022 +ms.topic: include --- > [!IMPORTANT] diff --git a/windows/security/index.yml b/windows/security/index.yml index bca2ee7b90..2aa8f670fe 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -1,21 +1,19 @@ ### YamlMime:Landing -title: Windows security # < 60 chars -summary: Built with Zero Trust principles at the core to safeguard data and access anywhere, keeping you protected and productive. # < 160 chars +title: Windows security +summary: Built with Zero Trust principles at the core to safeguard data and access anywhere, keeping you protected and productive. metadata: - title: Windows security # Required; page title displayed in search results. Include the brand. < 60 chars. - description: Learn about Windows security # Required; article description that is displayed in search results. < 160 chars. - ms.topic: landing-page # Required - ms.prod: windows + title: Windows security + description: Learn about Windows security technologies and how to use them to protect your data and devices. + ms.topic: landing-page + ms.prod: windows-client + ms.technology: itpro-security ms.collection: - - m365-security-compliance - highpri - ms.custom: intro-hub-or-landing author: paolomatarazzo ms.author: paoloma - ms.date: 09/20/2021 - localization_priority: Priority + ms.date: 12/19/2022 # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new diff --git a/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md b/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md index 4a3b3e57ca..c8a7446c07 100644 --- a/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md +++ b/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md @@ -1,260 +1,257 @@ --- title: BCD settings and BitLocker (Windows 10) -description: This topic for IT professionals describes the BCD settings that are used by BitLocker. +description: This article for IT professionals describes the BCD settings that are used by BitLocker. ms.reviewer: ms.prod: windows-client ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: frankroj +ms.author: frankroj manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 02/28/2019 +ms.date: 11/08/2022 ms.custom: bitlocker +ms.technology: itpro-security --- # Boot Configuration Data settings and BitLocker -**Applies to** +This article for IT professionals describes the Boot Configuration Data (BCD) settings that are used by BitLocker. -This topic for IT professionals describes the Boot Configuration Data (BCD) settings that are used by BitLocker. - -When protecting data at rest on an operating system volume, during the boot process BitLocker verifies that the security sensitive BCD settings have not changed since BitLocker was last enabled, resumed, or recovered. +When protecting data at rest on an operating system volume, during the boot process BitLocker verifies that the security sensitive BCD settings haven't changed since BitLocker was last enabled, resumed, or recovered. ## BitLocker and BCD Settings In Windows 7 and Windows Server 2008 R2, BitLocker validated BCD settings with the winload, winresume, and memtest prefixes to a large degree. However, this high degree of validation caused BitLocker to go into recovery mode for benign setting changes, for example, when applying a language pack, BitLocker would enter recovery mode. -In Windows 8, Windows Server 2012, and later operating systems, BitLocker narrows the set of BCD settings validated to reduce the chance of benign changes causing a BCD validation problem. If you believe that there is a risk in excluding a particular BCD setting from the validation profile, include that BCD setting in the BCD validation coverage to suit your validation preferences. -If a default BCD setting is found to persistently trigger a recovery for benign changes, exclude that BCD setting from the validation coverage. +In Windows 8, Windows Server 2012, and later operating systems, BitLocker narrows the set of BCD settings validated to reduce the chance of benign changes causing a BCD validation problem. If it's believed that there's a risk in excluding a particular BCD setting from the validation profile, include that BCD setting in the BCD validation coverage to suit the preferences for validation. If a default BCD setting is found to persistently trigger a recovery for benign changes, exclude that BCD setting from the validation coverage. ### When secure boot is enabled Computers with UEFI firmware can use secure boot to provide enhanced boot security. When BitLocker is able to use secure boot for platform and BCD integrity validation, as defined by the **Allow Secure Boot for integrity validation** group policy setting, the **Use enhanced Boot Configuration Data validation profile** group policy is ignored. -One of the benefits of using secure boot is that it can correct BCD settings during boot without triggering recovery events. Secure boot enforces the same BCD settings as BitLocker. Secure boot BCD enforcement is not configurable from within the operating system. +One of the benefits of using secure boot is that it can correct BCD settings during boot without triggering recovery events. Secure boot enforces the same BCD settings as BitLocker. Secure boot BCD enforcement isn't configurable from within the operating system. ## Customizing BCD validation settings To modify the BCD settings that are validated by BitLocker, the administrator will add or exclude BCD settings from the platform validation profile by enabling and configuring the **Use enhanced Boot Configuration Data validation profile** group policy setting. -For the purposes of BitLocker validation, BCD settings are associated with a specific set of Microsoft boot applications. These BCD settings can also be applied to the other Microsoft boot applications that are not part of the set to which the BCD settings are already applicable to. This can be done by attaching any of the following prefixes to the BCD settings which are being entered in the group policy settings dialog: +For the purposes of BitLocker validation, BCD settings are associated with a specific set of Microsoft boot applications. These BCD settings can also be applied to the other Microsoft boot applications that aren't part of the set to which the BCD settings are already applicable for. This setting can be done by attaching any of the following prefixes to the BCD settings that are being entered in the group policy settings dialog: -- winload -- winresume -- memtest -- all of the above +- winload +- winresume +- memtest +- all of the above -All BCD settings are specified by combining the prefix value with either a hexadecimal (hex) value or a “friendly name.” +All BCD settings are specified by combining the prefix value with either a hexadecimal (hex) value or a "friendly name." The BCD setting hex value is reported when BitLocker enters recovery mode and is stored in the event log (event ID 523). The hex value uniquely identifies the BCD setting that caused the recovery event. -You can quickly obtain the friendly name for the BCD settings on your computer by using the command “`bcdedit.exe /enum all`”. +You can quickly obtain the friendly name for the BCD settings on a computer by using the command `bcdedit.exe /enum all`. Not all BCD settings have friendly names; for those settings without a friendly name, the hex value is the only way to configure an exclusion policy. When specifying BCD values in the **Use enhanced Boot Configuration Data validation profile** group policy setting, use the following syntax: -- Prefix the setting with the boot application prefix -- Append a colon ‘:’ -- Append either the hex value or the friendly name -- If entering more than one BCD setting, you will need to enter each BCD setting on a new line +- Prefix the setting with the boot application prefix +- Append a colon `:` +- Append either the hex value or the friendly name +- If entering more than one BCD setting, each BCD setting will need to be entered on a new line -For example, either “`winload:hypervisordebugport`” or “`winload:0x250000f4`” yields the same value. +For example, either "`winload:hypervisordebugport`" or "`winload:0x250000f4`" yields the same value. -A setting that applies to all boot applications may be applied only to an individual application; however, the reverse is not true. For example, one can specify either “`all:locale`” or “`winresume:locale`”, but as the BCD setting “`win-pe`” does not apply to all boot applications, “`winload:winpe`” is valid, but “`all:winpe`” is not valid. The setting that controls boot debugging (“`bootdebug`” or 0x16000010) will always be validated and will have no effect if it is included in the provided fields. +A setting that applies to all boot applications may be applied only to an individual application. However, the reverse isn't true. For example, one can specify either "`all:locale`" or "`winresume:locale`", but as the BCD setting "`win-pe`" doesn't apply to all boot applications, "`winload:winpe`" is valid, but "`all:winpe`" isn't valid. The setting that controls boot debugging ("`bootdebug`" or 0x16000010) will always be validated and will have no effect if it's included in the provided fields. > [!NOTE] > Take care when configuring BCD entries in the Group Policy setting. The Local Group Policy Editor does not validate the correctness of the BCD entry. BitLocker will fail to be enabled if the Group Policy setting specified is invalid. -  + ### Default BCD validation profile The following table contains the default BCD validation profile used by BitLocker in Windows 8, Windows Server 2012, and subsequent versions: | Hex Value | Prefix | Friendly Name | | - | - | - | -| 0x11000001 | all | device| -| 0x12000002 | all | path| +| 0x11000001 | all | device| +| 0x12000002 | all | path| | 0x12000030 | all | loadoptions| -| 0x16000010 | all | bootdebug| -| 0x16000040 | all | advancedoptions| -| 0x16000041 | all| optionsedit| -| 0x16000048| all| nointegritychecks| -| 0x16000049| all| testsigning| -| 0x16000060| all| isolatedcontext| +| 0x16000010 | all | bootdebug| +| 0x16000040 | all | advancedoptions| +| 0x16000041 | all| optionsedit| +| 0x16000048| all| nointegritychecks| +| 0x16000049| all| testsigning| +| 0x16000060| all| isolatedcontext| | 0x1600007b| all| forcefipscrypto| -| 0x22000002| winload| systemroot| -| 0x22000011| winload| kernel| -| 0x22000012| winload| hal| -| 0x22000053| winload| evstore| -| 0x25000020| winload| nx| -| 0x25000052| winload| restrictapiccluster| -| 0x26000022| winload| winpe| -| 0x26000025 |winload|lastknowngood| -| 0x26000081| winload| safebootalternateshell| -| 0x260000a0| winload| debug| -| 0x260000f2| winload| hypervisordebug| -| 0x26000116| winload| hypervisorusevapic| -| 0x21000001| winresume| filedevice| -| 0x22000002| winresume| filepath| -| 0x26000006| winresume| debugoptionenabled| +| 0x22000002| winload| systemroot| +| 0x22000011| winload| kernel| +| 0x22000012| winload| hal| +| 0x22000053| winload| evstore| +| 0x25000020| winload| nx| +| 0x25000052| winload| restrictapiccluster| +| 0x26000022| winload| winpe| +| 0x26000025 |winload|lastknowngood| +| 0x26000081| winload| safebootalternateshell| +| 0x260000a0| winload| debug| +| 0x260000f2| winload| hypervisordebug| +| 0x26000116| winload| hypervisorusevapic| +| 0x21000001| winresume| filedevice| +| 0x22000002| winresume| filepath| +| 0x26000006| winresume| debugoptionenabled| ### Full list of friendly names for ignored BCD settings -This following is a full list of BCD settings with friendly names, which are ignored by default. These settings are not part of the default BitLocker validation profile, but can be added if you see a need to validate any of these settings before allowing a BitLocker–protected operating system drive to be unlocked. +The following list is a full list of BCD settings with friendly names, which are ignored by default. These settings aren't part of the default BitLocker validation profile, but can be added if you see a need to validate any of these settings before allowing a BitLocker-protected operating system drive to be unlocked. > [!NOTE] > Additional BCD settings exist that have hex values but do not have friendly names. These settings are not included in this list. | Hex Value | Prefix | Friendly Name | | - | - | - | -| 0x12000004 | all | description | -| 0x12000005 | all | locale | -| 0x12000016 | all | targetname | -| 0x12000019| all| busparams| -| 0x1200001d| all| key| -| 0x1200004a| all| fontpath| -| 0x14000006| all| inherit| -| 0x14000008| all| recoverysequence| -| 0x15000007| all| truncatememory| -| 0x1500000c| all| firstmegabytepolicy| -| 0x1500000d| all| relocatephysical| -| 0x1500000e| all| avoidlowmemory| -| 0x15000011| all| debugtype| -| 0x15000012 |all|debugaddress| -| 0x15000013| all| debugport| -| 0x15000014|all|baudrate| -| 0x15000015 | all| channel| -| 0x15000018 | all| debugstart| -| 0x1500001a | all| hostip| -| 0x1500001b | all| port| -| 0x15000022 | all| emsport| -| 0x15000023 | all| emsbaudrate| -| 0x15000042 | all| keyringaddress| -| 0x15000047 | all| configaccesspolicy| -| 0x1500004b | all| integrityservices| -| 0x1500004c | all| volumebandid| -| 0x15000051 | all| initialconsoleinput| -| 0x15000052 | all| graphicsresolution| -| 0x15000065 | all| displaymessage| +| 0x12000004 | all | description | +| 0x12000005 | all | locale | +| 0x12000016 | all | targetname | +| 0x12000019| all| busparams| +| 0x1200001d| all| key| +| 0x1200004a| all| fontpath| +| 0x14000006| all| inherit| +| 0x14000008| all| recoverysequence| +| 0x15000007| all| truncatememory| +| 0x1500000c| all| firstmegabytepolicy| +| 0x1500000d| all| relocatephysical| +| 0x1500000e| all| avoidlowmemory| +| 0x15000011| all| debugtype| +| 0x15000012 |all|debugaddress| +| 0x15000013| all| debugport| +| 0x15000014|all|baudrate| +| 0x15000015 | all| channel| +| 0x15000018 | all| debugstart| +| 0x1500001a | all| hostip| +| 0x1500001b | all| port| +| 0x15000022 | all| emsport| +| 0x15000023 | all| emsbaudrate| +| 0x15000042 | all| keyringaddress| +| 0x15000047 | all| configaccesspolicy| +| 0x1500004b | all| integrityservices| +| 0x1500004c | all| volumebandid| +| 0x15000051 | all| initialconsoleinput| +| 0x15000052 | all| graphicsresolution| +| 0x15000065 | all| displaymessage| | 0x15000066 | all| displaymessageoverride| | 0x15000081 | all| logcontrol| -| 0x16000009 | all| recoveryenabled| -| 0x1600000b | all| badmemoryaccess| -| 0x1600000f | all| traditionalkseg| -| 0x16000017 | all| noumex| -| 0x1600001c | all| dhcp| -| 0x1600001e | all| vm| -| 0x16000020 | all| bootems| -| 0x16000046 | all| graphicsmodedisabled| -| 0x16000050 | all| extendedinput| -| 0x16000053 | all| restartonfailure| -| 0x16000054 | all| highestmode| -| 0x1600006c | all| bootuxdisabled| -| 0x16000072 | all| nokeyboard| -| 0x16000074 | all| bootshutdowndisabled| -| 0x1700000a | all| badmemorylist| -| 0x17000077 | all| allowedinmemorysettings| -| 0x22000040 | all| fverecoveryurl| -| 0x22000041 | all| fverecoverymessage| -| 0x31000003 | all| ramdisksdidevice| +| 0x16000009 | all| recoveryenabled| +| 0x1600000b | all| badmemoryaccess| +| 0x1600000f | all| traditionalkseg| +| 0x16000017 | all| noumex| +| 0x1600001c | all| dhcp| +| 0x1600001e | all| vm| +| 0x16000020 | all| bootems| +| 0x16000046 | all| graphicsmodedisabled| +| 0x16000050 | all| extendedinput| +| 0x16000053 | all| restartonfailure| +| 0x16000054 | all| highestmode| +| 0x1600006c | all| bootuxdisabled| +| 0x16000072 | all| nokeyboard| +| 0x16000074 | all| bootshutdowndisabled| +| 0x1700000a | all| badmemorylist| +| 0x17000077 | all| allowedinmemorysettings| +| 0x22000040 | all| fverecoveryurl| +| 0x22000041 | all| fverecoverymessage| +| 0x31000003 | all| ramdisksdidevice| | 0x32000004 | all| ramdisksdipath| -| 0x35000001| all | ramdiskimageoffset| -| 0x35000002 | all| ramdisktftpclientport| -| 0x35000005 | all| ramdiskimagelength| -| 0x35000007 | all| ramdisktftpblocksize| -| 0x35000008 | all| ramdisktftpwindowsize| -| 0x36000006 | all| exportascd| -| 0x36000009 | all| ramdiskmcenabled| -| 0x3600000a | all| ramdiskmctftpfallback| -| 0x3600000b | all| ramdisktftpvarwindow| -| 0x21000001 | winload| osdevice| -| 0x22000013 | winload| dbgtransport| -| 0x220000f9 | winload| hypervisorbusparams| -| 0x22000110 | winload| hypervisorusekey| +| 0x35000001| all | ramdiskimageoffset| +| 0x35000002 | all| ramdisktftpclientport| +| 0x35000005 | all| ramdiskimagelength| +| 0x35000007 | all| ramdisktftpblocksize| +| 0x35000008 | all| ramdisktftpwindowsize| +| 0x36000006 | all| exportascd| +| 0x36000009 | all| ramdiskmcenabled| +| 0x3600000a | all| ramdiskmctftpfallback| +| 0x3600000b | all| ramdisktftpvarwindow| +| 0x21000001 | winload| osdevice| +| 0x22000013 | winload| dbgtransport| +| 0x220000f9 | winload| hypervisorbusparams| +| 0x22000110 | winload| hypervisorusekey| | 0x23000003 |winload| resumeobject| -| 0x25000021| winload| pae| -| 0x25000031 |winload| removememory| -| 0x25000032 | winload| increaseuserva| -| 0x25000033 | winload| perfmem| -| 0x25000050 | winload| clustermodeaddressing| -| 0x25000055 | winload| x2apicpolicy| -| 0x25000061 | winload| numproc| +| 0x25000021| winload| pae| +| 0x25000031 |winload| removememory| +| 0x25000032 | winload| increaseuserva| +| 0x25000033 | winload| perfmem| +| 0x25000050 | winload| clustermodeaddressing| +| 0x25000055 | winload| x2apicpolicy| +| 0x25000061 | winload| numproc| | 0x25000063 | winload| configflags| | 0x25000066| winload| groupsize| | 0x25000071 | winload| msi| -| 0x25000072 | winload| pciexpress| -| 0x25000080 | winload| safeboot| -| 0x250000a6 | winload| tscsyncpolicy| -| 0x250000c1| winload| driverloadfailurepolicy| -| 0x250000c2| winload| bootmenupolicy| -| 0x250000e0 |winload| bootstatuspolicy| -| 0x250000f0 | winload| hypervisorlaunchtype| -| 0x250000f3 | winload| hypervisordebugtype| -| 0x250000f4 | winload| hypervisordebugport| -| 0x250000f5 | winload| hypervisorbaudrate| -| 0x250000f6 | winload| hypervisorchannel| -| 0x250000f7 | winload| bootux| -| 0x250000fa | winload| hypervisornumproc| -| 0x250000fb | winload| hypervisorrootprocpernode| -| 0x250000fd | winload| hypervisorhostip| -| 0x250000fe | winload| hypervisorhostport| -| 0x25000100 | winload| tpmbootentropy| -| 0x25000113 | winload| hypervisorrootproc| -| 0x25000115 | winload| hypervisoriommupolicy| -| 0x25000120 | winload| xsavepolicy| -| 0x25000121 | winload| xsaveaddfeature0| -| 0x25000122 | winload| xsaveaddfeature1| -| 0x25000123 | winload| xsaveaddfeature2| -| 0x25000124 | winload| xsaveaddfeature3| -| 0x25000125 | winload| xsaveaddfeature4| -| 0x25000126 | winload| xsaveaddfeature5| -| 0x25000127 | winload| xsaveaddfeature6| -| 0x25000128 | winload| xsaveaddfeature7| -| 0x25000129 | winload| xsaveremovefeature| -| 0x2500012a | winload| xsaveprocessorsmask| -| 0x2500012b | winload| xsavedisable| -| 0x25000130 | winload| claimedtpmcounter| -| 0x26000004 | winload| stampdisks| -| 0x26000010 | winload| detecthal| -| 0x26000024 | winload| nocrashautoreboot| -| 0x26000030 | winload| nolowmem| -| 0x26000040 | winload| vga| -| 0x26000041 | winload| quietboot| -| 0x26000042 | winload| novesa| -| 0x26000043 | winload| novga| -| 0x26000051 | winload| usephysicaldestination| -| 0x26000054 | winload| uselegacyapicmode| -| 0x26000060 | winload| onecpu| -| 0x26000062 | winload| maxproc| -| 0x26000064 | winload| maxgroup| -| 0x26000065 | winload| groupaware| -| 0x26000070| winload| usefirmwarepcisettings| +| 0x25000072 | winload| pciexpress| +| 0x25000080 | winload| safeboot| +| 0x250000a6 | winload| tscsyncpolicy| +| 0x250000c1| winload| driverloadfailurepolicy| +| 0x250000c2| winload| bootmenupolicy| +| 0x250000e0 |winload| bootstatuspolicy| +| 0x250000f0 | winload| hypervisorlaunchtype| +| 0x250000f3 | winload| hypervisordebugtype| +| 0x250000f4 | winload| hypervisordebugport| +| 0x250000f5 | winload| hypervisorbaudrate| +| 0x250000f6 | winload| hypervisorchannel| +| 0x250000f7 | winload| bootux| +| 0x250000fa | winload| hypervisornumproc| +| 0x250000fb | winload| hypervisorrootprocpernode| +| 0x250000fd | winload| hypervisorhostip| +| 0x250000fe | winload| hypervisorhostport| +| 0x25000100 | winload| tpmbootentropy| +| 0x25000113 | winload| hypervisorrootproc| +| 0x25000115 | winload| hypervisoriommupolicy| +| 0x25000120 | winload| xsavepolicy| +| 0x25000121 | winload| xsaveaddfeature0| +| 0x25000122 | winload| xsaveaddfeature1| +| 0x25000123 | winload| xsaveaddfeature2| +| 0x25000124 | winload| xsaveaddfeature3| +| 0x25000125 | winload| xsaveaddfeature4| +| 0x25000126 | winload| xsaveaddfeature5| +| 0x25000127 | winload| xsaveaddfeature6| +| 0x25000128 | winload| xsaveaddfeature7| +| 0x25000129 | winload| xsaveremovefeature| +| 0x2500012a | winload| xsaveprocessorsmask| +| 0x2500012b | winload| xsavedisable| +| 0x25000130 | winload| claimedtpmcounter| +| 0x26000004 | winload| stampdisks| +| 0x26000010 | winload| detecthal| +| 0x26000024 | winload| nocrashautoreboot| +| 0x26000030 | winload| nolowmem| +| 0x26000040 | winload| vga| +| 0x26000041 | winload| quietboot| +| 0x26000042 | winload| novesa| +| 0x26000043 | winload| novga| +| 0x26000051 | winload| usephysicaldestination| +| 0x26000054 | winload| uselegacyapicmode| +| 0x26000060 | winload| onecpu| +| 0x26000062 | winload| maxproc| +| 0x26000064 | winload| maxgroup| +| 0x26000065 | winload| groupaware| +| 0x26000070| winload| usefirmwarepcisettings| | 0x26000090 | winload| bootlog| -| 0x26000091 | winload| sos| -| 0x260000a1 | winload| halbreakpoint| -| 0x260000a2 | winload| useplatformclock| -| 0x260000a3 |winload| forcelegacyplatform| -| 0x260000a4 | winload| useplatformtick| -| 0x260000a5 | winload| disabledynamictick| -| 0x260000b0 | winload| ems| -| 0x260000c3 | winload| onetimeadvancedoptions| -| 0x260000c4 | winload| onetimeoptionsedit| -| 0x260000e1| winload| disableelamdrivers| -| 0x260000f8 | winload| hypervisordisableslat| -| 0x260000fc | winload| hypervisoruselargevtlb| -| 0x26000114 | winload| hypervisordhcp| +| 0x26000091 | winload| sos| +| 0x260000a1 | winload| halbreakpoint| +| 0x260000a2 | winload| useplatformclock| +| 0x260000a3 |winload| forcelegacyplatform| +| 0x260000a4 | winload| useplatformtick| +| 0x260000a5 | winload| disabledynamictick| +| 0x260000b0 | winload| ems| +| 0x260000c3 | winload| onetimeadvancedoptions| +| 0x260000c4 | winload| onetimeoptionsedit| +| 0x260000e1| winload| disableelamdrivers| +| 0x260000f8 | winload| hypervisordisableslat| +| 0x260000fc | winload| hypervisoruselargevtlb| +| 0x26000114 | winload| hypervisordhcp| | 0x21000005 | winresume| associatedosdevice| -| 0x25000007 | winresume| bootux| +| 0x25000007 | winresume| bootux| | 0x25000008 | winresume| bootmenupolicy| -| 0x26000003| winresume |customsettings| +| 0x26000003| winresume |customsettings| | 0x26000004 | winresume| pae| -| 0x25000001 | memtest| passcount| -| 0x25000002 | memtest| testmix| -| 0x25000005 | memtest| stridefailcount| -| 0x25000006 | memtest| invcfailcount| -| 0x25000007 | memtest| matsfailcount| -| 0x25000008 | memtest| randfailcount| +| 0x25000001 | memtest| passcount| +| 0x25000002 | memtest| testmix| +| 0x25000005 | memtest| stridefailcount| +| 0x25000006 | memtest| invcfailcount| +| 0x25000007 | memtest| matsfailcount| +| 0x25000008 | memtest| randfailcount| | 0x25000009 |memtest| chckrfailcount| | 0x26000003| memtest| cacheenable| | 0x26000004 | memtest| failuresenabled| diff --git a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml index 5278e578b5..b917a468f8 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml +++ b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml @@ -2,27 +2,22 @@ metadata: title: BitLocker and Active Directory Domain Services (AD DS) FAQ (Windows 10) description: Learn more about how BitLocker and Active Directory Domain Services (AD DS) can work together to keep devices secure. - ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee - ms.reviewer: - ms.prod: m365-security - ms.mktglfcycl: explore - ms.sitesec: library - ms.pagetype: security - ms.localizationpriority: medium - author: dansimp - ms.author: dansimp + ms.prod: windows-client + ms.technology: itpro-security + author: frankroj + ms.author: frankroj manager: aaroncz audience: ITPro ms.collection: - - M365-security-compliance - highpri ms.topic: faq - ms.date: 02/28/2019 + ms.date: 11/08/2022 ms.custom: bitlocker title: BitLocker and Active Directory Domain Services (AD DS) FAQ summary: | - **Applies to** - - Windows 10 + **Applies to:** + - Windows 10 and later + - Windows Server 2016 and later @@ -34,20 +29,20 @@ sections: answer: | Stored information | Description -------------------|------------ - Hash of the TPM owner password | Beginning with Windows 10, the password hash is not stored in AD DS by default. The password hash can be stored only if the TPM is owned and the ownership was taken by using components of Windows 8.1 or earlier, such as the BitLocker Setup Wizard or the TPM snap-in. - BitLocker recovery password | The recovery password allows you to unlock and access the drive after a recovery incident. Domain administrators can view the BitLocker recovery password by using the BitLocker Recovery Password Viewer. For more information about this tool, see [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md). + Hash of the TPM owner password | Beginning with Windows 10, the password hash isn't stored in AD DS by default. The password hash can be stored only if the TPM is owned and the ownership was taken by using components of Windows 8.1 or earlier, such as the BitLocker Setup Wizard or the TPM snap-in. + BitLocker recovery password | The recovery password allows unlocking of and access to the drive after a recovery incident. Domain administrators can view the BitLocker recovery password by using the BitLocker Recovery Password Viewer. For more information about this tool, see [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md). BitLocker key package | The key package helps to repair damage to the hard disk that would otherwise prevent standard recovery. Using the key package for recovery requires the BitLocker Repair Tool, `Repair-bde`. - question: | What if BitLocker is enabled on a computer before the computer has joined the domain? answer: | - If BitLocker is enabled on a drive before Group Policy has been applied to enforce a backup, the recovery information will not be automatically backed up to AD DS when the computer joins the domain or when Group Policy is subsequently applied. However, you can use the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed drives can be recovered**, and **Choose how BitLocker-protected removable drives can be recovered** Group Policy settings to require the computer to be connected to a domain before BitLocker can be enabled to help ensure that recovery information for BitLocker-protected drives in your organization is backed up to AD DS. + If BitLocker is enabled on a drive before Group Policy has been applied to enforce a backup, the recovery information won't be automatically backed up to AD DS when the computer joins the domain or when Group Policy is subsequently applied. However, the Group Policy settings **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed drives can be recovered**, and **Choose how BitLocker-protected removable drives can be recovered** can be chosen to require the computer to be connected to a domain before BitLocker can be enabled to help ensure that recovery information for BitLocker-protected drives in the organization is backed up to AD DS. For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md). - The BitLocker Windows Management Instrumentation (WMI) interface does allow administrators to write a script to back up or synchronize an online client's existing recovery information; however, BitLocker does not automatically manage this process. The `manage-bde` command-line tool can also be used to manually back up recovery information to AD DS. For example, to back up all of the recovery information for the `$env:SystemDrive` to AD DS, you would use the following command script from an elevated command prompt: + The BitLocker Windows Management Instrumentation (WMI) interface does allow administrators to write a script to back up or synchronize an online client's existing recovery information. However, BitLocker doesn't automatically manage this process. The `manage-bde.exe` command-line tool can also be used to manually back up recovery information to AD DS. For example, to back up all of the recovery information for the `$env:SystemDrive` to AD DS, the following command script can be used from an elevated command prompt: - ```PowerShell + ```powershell $BitLocker = Get-BitLockerVolume -MountPoint $env:SystemDrive $RecoveryProtector = $BitLocker.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } @@ -56,29 +51,29 @@ sections: ``` > [!IMPORTANT] - > Joining a computer to the domain should be the first step for new computers within an organization. After computers are joined to a domain, storing the BitLocker recovery key to AD DS is automatic (when enabled in Group Policy). + > Joining a computer to the domain should be the first step for new computers within an organization. After computers are joined to a domain, storing the BitLocker recovery key to AD DS is automatic (when enabled in Group Policy). - question: | Is there an event log entry recorded on the client computer to indicate the success or failure of the Active Directory backup? answer: | - Yes, an event log entry that indicates the success or failure of an Active Directory backup is recorded on the client computer. However, even if an event log entry says "Success," the information could have been subsequently removed from AD DS, or BitLocker could have been reconfigured in such a way that the Active Directory information can no longer unlock the drive (such as by removing the recovery password key protector). In addition, it is also possible that the log entry could be spoofed. + Yes, an event log entry that indicates the success or failure of an Active Directory backup is recorded on the client computer. However, even if an event log entry says "Success," the information could have been subsequently removed from AD DS, or BitLocker could have been reconfigured in such a way that the Active Directory information can no longer unlock the drive (such as by removing the recovery password key protector). In addition, it's also possible that the log entry could be spoofed. - Ultimately, determining whether a legitimate backup exists in AD DS requires querying AD DS with domain administrator credentials by using the BitLocker password viewer tool. + Ultimately, determining whether a legitimate backup exists in AD DS requires querying AD DS with domain administrator credentials by using the BitLocker password viewer tool. - question: | - If I change the BitLocker recovery password on my computer and store the new password in AD DS, will AD DS overwrite the old password? + If I change the BitLocker recovery password on my computer and store the new password in AD DS, will AD DS overwrite the old password? answer: | - No. By design, BitLocker recovery password entries do not get deleted from AD DS; therefore, you might see multiple passwords for each drive. To identify the latest password, check the date on the object. + No. By design, BitLocker recovery password entries don't get deleted from AD DS. Therefore, multiple passwords might be seen for each drive. To identify the latest password, check the date on the object. - question: | What happens if the backup initially fails? Will BitLocker retry it? answer: | - If the backup initially fails, such as when a domain controller is unreachable at the time when the BitLocker setup wizard is run, BitLocker does not try again to back up the recovery information to AD DS. + If the backup initially fails, such as when a domain controller is unreachable at the time when the BitLocker setup wizard is run, BitLocker doesn't try again to back up the recovery information to AD DS. - When an administrator selects the **Require BitLocker backup to AD DS** check box of the **Store BitLocker recovery information in Active Directory Domain Service (Windows 2008 and Windows Vista)** policy setting, or the equivalent **Do not enable BitLocker until recovery information is stored in AD DS for (operating system | fixed data | removable data) drives** check box in any of the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed data drives can be recovered**, and **Choose how BitLocker-protected removable data drives can be recovered** policy settings, users can't enable BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. With these settings configured if the backup fails, BitLocker cannot be enabled, ensuring that administrators will be able to recover BitLocker-protected drives in the organization. + When an administrator selects the **Require BitLocker backup to AD DS** check box of the **Store BitLocker recovery information in Active Directory Domain Service (Windows 2008 and Windows Vista)** policy setting, or the equivalent **Do not enable BitLocker until recovery information is stored in AD DS for (operating system | fixed data | removable data) drives** check box in any of the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed data drives can be recovered**, and **Choose how BitLocker-protected removable data drives can be recovered** policy settings, users can't enable BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. With these settings configured if the backup fails, BitLocker can't be enabled, ensuring that administrators will be able to recover BitLocker-protected drives in the organization. For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md). - When an administrator clears these check boxes, the administrator is allowing a drive to be BitLocker-protected without having the recovery information successfully backed up to AD DS; however, BitLocker will not automatically retry the backup if it fails. Instead, administrators can create a backup script, as described earlier in [What if BitLocker is enabled on a computer before the computer has joined the domain?](#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain-) to capture the information after connectivity is restored. + When an administrator clears these check boxes, the administrator is allowing a drive to be BitLocker-protected without having the recovery information successfully backed up to AD DS; however, BitLocker won't automatically retry the backup if it fails. Instead, administrators can create a backup script, as described earlier in [What if BitLocker is enabled on a computer before the computer has joined the domain?](#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain-) to capture the information after connectivity is restored. diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index 76f08567b4..3518062515 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md @@ -4,25 +4,24 @@ description: This article for the IT professional explains how BitLocker feature ms.reviewer: ms.prod: windows-client ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: frankroj +ms.author: frankroj manager: aaroncz -ms.collection: - - M365-security-compliance ms.topic: conceptual -ms.date: 02/28/2019 +ms.date: 11/08/2022 ms.custom: bitlocker +ms.technology: itpro-security --- # BitLocker basic deployment -**Applies to** +**Applies to:** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above +- Windows 10 +- Windows 11 +- Windows Server 2016 and above -This article for the IT professional explains how BitLocker features can be used to protect your data through drive encryption. +This article for the IT professional explains how BitLocker features can be used to protect data through drive encryption. ## Using BitLocker to encrypt volumes @@ -33,77 +32,148 @@ If the drive was prepared as a single contiguous space, BitLocker requires a new > [!NOTE] > For more info about using this tool, see [Bdehdcfg](/windows-server/administration/windows-commands/bdehdcfg) in the Command-Line Reference. -BitLocker encryption can be done using the following methods: +BitLocker encryption can be enabled and managed using the following methods: -- BitLocker control panel -- Windows Explorer -- `manage-bde` command-line interface -- BitLocker Windows PowerShell cmdlets +- BitLocker control panel +- Windows Explorer +- `manage-bde.exe` command-line interface +- BitLocker Windows PowerShell cmdlets ### Encrypting volumes using the BitLocker control panel -Encrypting volumes with the BitLocker control panel (select **Start**, type *Bitlocker*, select **Manage BitLocker**) is how many users will use BitLocker. The name of the BitLocker control panel is BitLocker Drive Encryption. The BitLocker control panel supports encrypting operating system, fixed data, and removable data volumes. The BitLocker control panel will organize available drives in the appropriate category based on how the device reports itself to Windows. Only formatted volumes with assigned drive letters will appear properly in the BitLocker control panel applet. +Encrypting volumes with the BitLocker control panel (select **Start**, enter `Bitlocker`, select **Manage BitLocker**) is how many users will use BitLocker. The name of the BitLocker control panel is BitLocker Drive Encryption. The BitLocker control panel supports encrypting operating system, fixed data, and removable data volumes. The BitLocker control panel will organize available drives in the appropriate category based on how the device reports itself to Windows. Only formatted volumes with assigned drive letters will appear properly in the BitLocker control panel applet. -To start encryption for a volume, select **Turn on BitLocker** for the appropriate drive to initialize the BitLocker Drive Encryption Wizard. BitLocker Drive Encryption Wizard options vary based on volume type (operating system volume or data volume). +To start encryption for a volume, select **Turn on BitLocker** for the appropriate drive to initialize the **BitLocker Drive Encryption Wizard**. **BitLocker Drive Encryption Wizard** options vary based on volume type (operating system volume or data volume). -### Operating system volume +#### Operating system volume -When the BitLocker Drive Encryption Wizard launches, it verifies the computer meets the BitLocker system requirements for encrypting an operating system volume. By default, the system requirements are: +For the operating system volume the **BitLocker Drive Encryption Wizard** presents several screens that prompt for options while it performs several actions: -|Requirement|Description| -|--- |--- | -|Hardware configuration|The computer must meet the minimum requirements for the supported Windows versions.| -|Operating system|BitLocker is an optional feature that can be installed by Server Manager on Windows Server 2012 and later.| -|Hardware TPM|TPM version 1.2 or 2.0.

                              A TPM isn't required for BitLocker; however, only a computer with a TPM can provide the additional security of pre-startup system integrity verification and multifactor authentication.| -|BIOS configuration|

                            • A Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware.
                            • The boot order must be set to start first from the hard disk, and not the USB or CD drives.
                            • The firmware must be able to read from a USB flash drive during startup.
                              • | -|File system| One FAT32 partition for the system drive and one NTFS partition for the operating system drive. This is applicable for computers that boot natively with UEFI firmware.
                              For computers with legacy BIOS firmware, at least two NTFS disk partitions, one for the system drive and one for the operating system drive.
                              For either firmware, the system drive partition must be at least 350 megabytes (MB) and set as the active partition.| -|Hardware encrypted drive prerequisites (optional)|To use a hardware encrypted drive as the boot drive, the drive must be in the uninitialized state and in the security inactive state. In addition, the system must always boot with native UEFI version 2.3.1 or higher and the CSM (if any) disabled.| +1. When the **BitLocker Drive Encryption Wizard** first launches, it verifies the computer meets the BitLocker system requirements for encrypting an operating system volume. By default, the system requirements are: -Upon passing the initial configuration, users are required to enter a password for the volume. If the volume doesn't pass the initial configuration for BitLocker, the user is presented with an error dialog describing the appropriate actions to be taken. -Once a strong password has been created for the volume, a recovery key will be generated. The BitLocker Drive Encryption Wizard will prompt for a location to save this key. A BitLocker recovery key is a special key that you can create when you turn on BitLocker Drive Encryption for the first time on each drive that you encrypt. You can use the recovery key to gain access to your computer if the drive that Windows is installed on (the operating system drive) is encrypted using BitLocker Drive Encryption and BitLocker detects a condition that prevents it from unlocking the drive when the computer is starting up. A recovery key can also be used to gain access to your files and folders on a removable data drive (such as an external hard drive or USB flash drive) that is encrypted using BitLocker To Go, if for some reason you forget the password or your computer can't access the drive. + |Requirement|Description| + |--- |--- | + |Hardware configuration|The computer must meet the minimum requirements for the supported Windows versions.| + |Operating system|BitLocker is an optional feature that can be installed by Server Manager on Windows Server 2012 and later.| + |Hardware TPM|TPM version 1.2 or 2.0.

                              A TPM isn't required for BitLocker; however, only a computer with a TPM can provide the additional security of pre-startup system integrity verification and multifactor authentication.| + |UEFI firmware/BIOS configuration|
                              • A Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware.
                              • The boot order must be set to start first from the hard disk, and not the USB or CD drives.
                              • The firmware must be able to read from a USB flash drive during startup.
                              | + |File system| One FAT32 partition for the system drive and one NTFS partition for the operating system drive. This requirement is applicable for computers that boot natively with UEFI firmware.
                              For computers with legacy BIOS firmware, at least two NTFS disk partitions, one for the system drive and one for the operating system drive.
                              For either firmware, the system drive partition must be at least 350 megabytes (MB) and set as the active partition.| + |Hardware encrypted drive prerequisites (optional)|To use a hardware encrypted drive as the boot drive, the drive must be in the uninitialized state and in the security inactive state. In addition, the system must always boot with native UEFI version 2.3.1 or higher and the CSM (if any) disabled.| -You should store the recovery key by printing it, saving it on removable media, or saving it as a file in a network folder or on your OneDrive, or on another drive of your computer that you aren't encrypting. You can't save the recovery key to the root directory of a non-removable drive and can't be stored on the encrypted volume. You can't save the recovery key for a removable data drive (such as a USB flash drive) on removable media. Ideally, you should store the recovery key separate from your computer. After you create a recovery key, you can use the BitLocker control panel to make additional copies. + If the volume doesn't pass the initial configuration for BitLocker, the user is presented with an error dialog describing the appropriate actions to be taken. -- Encrypt used disk space only - Encrypts only disk space that contains data -- Encrypt entire drive - Encrypts the entire volume including free space +2. Upon passing the initial configuration, users may be prompted to enter a password for the volume, for example, if a TPM isn't available. If a TPM is available, the password screen will be skipped. -It's recommended that drives with little to no data use the **used disk space only** encryption option and that drives with data or an operating system use the **encrypt entire drive** option. +3. After the initial configuration/password screens, a recovery key will be generated. The **BitLocker Drive Encryption Wizard** will prompt for a location to save the recovery key. A BitLocker recovery key is a special key that is created when BitLocker Drive Encryption is turned on for the first time on each drive that is encrypted. The recovery key can be used to gain access to the computer if: -> [!NOTE] -> Deleted files appear as free space to the file system, which isn't encrypted by **used disk space only**. Until they are wiped or overwritten, deleted files hold information that could be recovered with common data forensic tools. + - The drive that Windows is installed on (the operating system drive) is encrypted using BitLocker Drive Encryption + - BitLocker detects a condition that prevents it from unlocking the drive when the computer is starting up -Selecting an encryption type and choosing **Next** will give the user the option of running a BitLocker system check (selected by default) which will ensure that BitLocker can properly access the recovery and encryption keys before the volume encryption begins. We recommend running this system check before starting the encryption process. If the system check isn't run and a problem is encountered when the operating system attempts to start, the user will need to provide the recovery key to start Windows. + A recovery key can also be used to gain access to the files and folders on a removable data drive (such as an external hard drive or USB flash drive) that is encrypted using BitLocker To Go, if for some reason the password is forgotten or the computer can't access the drive. + The recovery key can be stored using the following methods: -After completing the system check (if selected), the BitLocker Drive Encryption Wizard restarts the computer to begin encryption. Upon reboot, users are required to enter the password chosen to boot into the operating system volume. Users can check encryption status by checking the system notification area or the BitLocker control panel. + - **Save to your Azure AD account** (if applicable) + - **Save to a USB flash drive** + - **Save to a file** - the file needs to be saved to a location that isn't on the computer itself such as a network folder or OneDrive + - **Print the recovery key** + + The recovery key can't be stored at the following locations: + + - The drive being encrypted + - The root directory of a non-removable/fixed drive + - An encrypted volume + + > [!TIP] + > Ideally, a computer's recovery key should be stored separate from the computer itself. + + > [!NOTE] + > After a recovery key is created, the BitLocker control panel can be used to make additional copies of the recovery key. + +4. The **BitLocker Drive Encryption Wizard** will then prompt how much of the drive to encrypt. The **BitLocker Drive Encryption Wizard** will have two options that determine how much of the drive is encrypted: + + - **Encrypt used disk space only** - Encrypts only disk space that contains data. + - **Encrypt entire drive** - Encrypts the entire volume including free space. Also known as full disk encryption. + + Each of the methods is recommended in the following scenarios: + + - **Encrypt used disk space only**: + + - The drive has never had data + - Formatted or erased drives that in the past have never had confidential data that was never encrypted + + - **Encrypt entire drive** (full disk encryption): + + - Drives that currently have data + - Drives that currently have an operating system + - Formatted or erased drives that in the past had confidential data that was never encrypted + + > [!IMPORTANT] + > Deleted files appear as free space to the file system, which isn't encrypted by **used disk space only**. Until they are wiped or overwritten, deleted files hold information that could be recovered with common data forensic tools. + +5. The **BitLocker Drive Encryption Wizard** will then prompt for an encryption mode: + + - **New encryption mode** + - **Compatible mode** + + Normally **New encryption mode** should be chosen, but if the drive will be potentially moved to another computer with an older Windows operating system, then select **Compatible mode**. + +6. After selecting an encryption mode, the **BitLocker Drive Encryption Wizard** will give the option of running a BitLocker system check via the option **Run BitLocker system check**. This system check will ensure that BitLocker can properly access the recovery and encryption keys before the volume encryption begins. it's recommended run this system check before starting the encryption process. If the system check isn't run and a problem is encountered when the operating system attempts to start, the user will need to provide the recovery key to start Windows. + +After completing the system check (if selected), the **BitLocker Drive Encryption Wizard** will begin encryption. A reboot may be initiated to start encryption. If a reboot was initiated, if there was no TPM and a password was specified, the password will need to be entered to boot into the operating system volume. + +Users can check encryption status by checking the system notification area or the BitLocker control panel. Until encryption is completed, the only available options for managing BitLocker involve manipulation of the password protecting the operating system volume, backing up the recovery key, and turning off BitLocker. -### Data volume +#### Data volume -Encrypting data volumes using the BitLocker control panel interface works in a similar fashion to encryption of the operating system volumes. Users select **Turn on BitLocker** within the control panel to begin the BitLocker Drive Encryption wizard. -Unlike for operating system volumes, data volumes aren't required to pass any configuration tests for the wizard to proceed. Upon launching the wizard, a choice of authentication methods to unlock the drive appears. The available options are **password** and **smart card** and **automatically unlock this drive on this computer**. Disabled by default, the latter option will unlock the data volume without user input when the operating system volume is unlocked. +Encrypting data volumes using the BitLocker control panel works in a similar fashion to encryption of the operating system volumes. Users select **Turn on BitLocker** within the BitLocker control panel to begin the **BitLocker Drive Encryption Wizard**. -After selecting the desired authentication method and choosing **Next**, the wizard presents options for storage of the recovery key. These options are the same as for operating system volumes. -With the recovery key saved, selecting **Next** in the wizard will show available options for encryption. These options are the same as for operating system volumes; **used disk space only** and **full drive encryption**. If the volume being encrypted is new or empty, it's recommended that used space only encryption is selected. +1. Upon launching the **BitLocker Drive Encryption Wizard**, unlike for operating system volumes, data volumes aren't required to pass any configuration tests for the **BitLocker Drive Encryption Wizard** to proceed -With an encryption method chosen, a final confirmation screen is displayed before the encryption process begins. Selecting **Start encrypting** begins encryption. +2. A choice of authentication methods to unlock the drive appears. The available options are: + + - **Use a password to unlock the drive** + - **Use my smart card to unlock the drive** + - **Automatically unlock this drive on this computer** - Disabled by default but if enabled, this option will unlock the data volume without user input when the operating system volume is unlocked. + +3. The **BitLocker Drive Encryption Wizard** presents options for storage of the recovery key. These options are the same as for operating system volumes: + + - **Save to your Azure AD account** (if applicable) + - **Save to a USB flash drive** + - **Save to a file** - the file needs to be saved to a location that isn't on the computer itself such as a network folder or OneDrive + - **Print the recovery key** + +4. After saving the recovery key, the **BitLocker Drive Encryption Wizard** will show available options for encryption. These options are the same as for operating system volumes: + + - **Encrypt used disk space only** - Encrypts only disk space that contains data. + - **Encrypt entire drive** - Encrypts the entire volume including free space. Also known as full disk encryption. + +5. The **BitLocker Drive Encryption Wizard** will then prompt for an encryption mode: + + - **New encryption mode** + - **Compatible mode** + + Normally **New encryption mode** should be chosen, but if the drive will be potentially moved to another computer with an older Windows operating system, then select **Compatible mode**. + +6. The **BitLocker Drive Encryption Wizard** will display a final confirmation screen before the encryption process begins. Selecting **Start encrypting** begins encryption. Encryption status displays in the notification area or within the BitLocker control panel. -### OneDrive option +### OneDrive option -There's a new option for storing the BitLocker recovery key using the OneDrive. This option requires that computers aren't members of a domain and that the user is using a Microsoft Account. Local accounts don't give the option to use OneDrive. Using the OneDrive option is the default, recommended recovery key storage method for computers that aren't joined to a domain. +There's an option for storing the BitLocker recovery key using OneDrive. This option requires that computers aren't members of a domain and that the user is using a Microsoft Account. Local accounts don't give the option to use OneDrive. Using the OneDrive option is the default recommended recovery key storage method for computers that aren't joined to a domain. -Users can verify whether the recovery key was saved properly by checking their OneDrive for the BitLocker folder which is created automatically during the save process. The folder will contain two files, a readme.txt and the recovery key. For users storing more than one recovery password on their OneDrive, they can identify the required recovery key by looking at the file name. The recovery key ID is appended to the end of the file name. +Users can verify whether the recovery key was saved properly by checking OneDrive for the BitLocker folder. The BitLocker folder on OneDrive is created automatically during the save process. The folder will contain two files, a `readme.txt` and the recovery key. For users storing more than one recovery password on their OneDrive, they can identify the required recovery key by looking at the file name. The recovery key ID is appended to the end of the file name. ### Using BitLocker within Windows Explorer -Windows Explorer allows users to launch the BitLocker Drive Encryption wizard by right-clicking a volume and selecting **Turn On BitLocker**. This option is available on client computers by default. On servers, you must first install the BitLocker and Desktop-Experience features for this option to be available. After selecting **Turn on BitLocker**, the wizard works exactly as it does when launched using the BitLocker control panel. +Windows Explorer allows users to launch the **BitLocker Drive Encryption Wizard** by right-clicking a volume and selecting **Turn On BitLocker**. This option is available on client computers by default. On servers, the BitLocker feature and the Desktop-Experience feature must first be installed for this option to be available. After selecting **Turn on BitLocker**, the wizard works exactly as it does when launched using the BitLocker control panel. -## Down-level compatibility +## Down-level compatibility -The following table shows the compatibility matrix for systems that have been BitLocker-enabled and then presented to a different version of Windows. +The following table shows the compatibility matrix for systems that have been BitLocker enabled and then presented to a different version of Windows. Table 1: Cross compatibility for Windows 11, Windows 10, Windows 8.1, Windows 8, and Windows 7 encrypted volumes @@ -114,67 +184,81 @@ Table 1: Cross compatibility for Windows 11, Windows 10, Windows 8.1, Windows 8, |Fully encrypted volume from Windows 7|Presents as fully encrypted|Presented as fully encrypted|N/A| |Partially encrypted volume from Windows 7|Windows 11, Windows 10, and Windows 8.1 will complete encryption regardless of policy|Windows 8 will complete encryption regardless of policy|N/A| -## Encrypting volumes using the manage-bde command-line interface +## Encrypting volumes using the `manage-bde.exe` command-line interface -Manage-bde is a command-line utility that can be used for scripting BitLocker operations. Manage-bde offers additional options not displayed in the BitLocker control panel. For a complete list of the options, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde). +`Manage-bde.exe` is a command-line utility that can be used for scripting BitLocker operations. `Manage-bde.exe` offers additional options not displayed in the BitLocker control panel. For a complete list of the options, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde). -Manage-bde offers a multitude of wider options for configuring BitLocker. So using the command syntax may require care and possibly later customization by the user. For example, using just the `manage-bde -on` command on a data volume will fully encrypt the volume without any authenticating protectors. A volume encrypted in this manner still requires user interaction to turn on BitLocker protection, even though the command successfully completed because an authentication method needs to be added to the volume for it to be fully protected. +`Manage-bde.exe` offers a multitude of wider options for configuring BitLocker. Using the command syntax may require care. For example, using just the `manage-bde.exe -on` command on a data volume will fully encrypt the volume without any authenticating protectors. A volume encrypted in this manner still requires user interaction to turn on BitLocker protection, even though the command successfully completed. For the volume to be fully protected, an authentication method needs to also be added to the volume in addition to running the `manage-bde.exe`command. Command-line users need to determine the appropriate syntax for a given situation. The following section covers general encryption for operating system volumes and data volumes. -### Operating system volume +### Operating system volume commands -Listed below are examples of basic valid commands for operating system volumes. In general, using only the `manage-bde -on ` command encrypts the operating system volume with a TPM-only protector and no recovery key. However, many environments require more secure protectors such as passwords or PIN and expect to be able to recover information with a recovery key. +Listed below are examples of basic valid commands for operating system volumes. In general, using only the `manage-bde.exe -on ` command encrypts the operating system volume with a TPM-only protector and no recovery key. However, many environments require more secure protectors such as passwords or PIN and expect to be able to recover information with a recovery key. -**Determining volume status** +#### Determining volume status -A good practice when using manage-bde is to determine the volume status on the target system. Use the following command to determine volume status: +A good practice when using `manage-bde.exe` is to determine the volume status on the target system. Use the following command to determine volume status: -`manage-bde -status` +`manage-bde.exe -status` This command returns the volumes on the target, current encryption status, and volume type (operating system or data) for each volume. Using this information, users can determine the best encryption method for their environment. -**Enabling BitLocker without a TPM** +#### Enabling BitLocker without a TPM -For example, suppose that you want to enable BitLocker on a computer without a TPM chip. To properly enable BitLocker for the operating system volume, you'll need to use a USB flash drive as a startup key to boot (in this example, the drive letter E). You would first create the startup key needed for BitLocker using the –protectors option and save it to the USB drive on E: and then begin the encryption process. You'll need to reboot the computer when prompted to complete the encryption process. +Suppose BitLocker is desired on a computer without a TPM. In this scenario, a USB flash drive is needed as a startup key for the operating system volume. The startup key will then allow the computer to boot. To create the startup key using `manage-bde.exe`, the `-protectors` switch would be used specifying the `-startupkey` option. Assuming the USB flash drive is drive letter `E:`, then the following `manage-bde.exe` commands would be used t create the startup key and start the BitLocker encryption: ```powershell -manage-bde –protectors -add C: -startupkey E: -manage-bde -on C: +manage-bde.exe -protectors -add C: -startupkey E: +manage-bde.exe -on C: ``` -**Enabling BitLocker with a TPM only** +If prompted, reboot the computer to complete the encryption process. -It's possible to encrypt the operating system volume without any defined protectors by using manage-bde. Use this command: +#### Enabling BitLocker with a TPM only -`manage-bde -on C:` +It's possible to encrypt the operating system volume without any defined protectors by using `manage-bde.exe`. Use this command: -This will encrypt the drive using the TPM as the protector. If users are unsure of the protector for a volume, they can use the -protectors option in manage-bde to list this information by executing the following command: +```cmd +manage-bde.exe -on C: +``` -`manage-bde -protectors -get ` +This command will encrypt the drive using the TPM as the protector. If users are unsure of the protector for a volume, they can use the `-protectors` option in `manage-bde.exe` to list this information by executing the following command: -**Provisioning BitLocker with two protectors** +```cmd +manage-bde.exe -protectors -get +``` -Another example is a user on a non-TPM hardware who wishes to add a password and SID-based protector to the operating system volume. In this instance, the user adds the protectors first. This is done with the command: +#### Provisioning BitLocker with two protectors -`manage-bde -protectors -add C: -pw -sid ` +Another example is a user on a non-TPM hardware who wishes to add a password and SID-based protector to the operating system volume. In this instance, the user adds the protectors first. Adding the protectors is done with the command: -This command requires the user to enter and then confirm the password protectors before adding them to the volume. With the protectors enabled on the volume, the user just needs to turn BitLocker on. +```cmd +manage-bde.exe -protectors -add C: -pw -sid +``` -### Data volume +This command requires the user to enter and then confirm the password protectors before adding them to the volume. With the protectors enabled on the volume, the user just needs to turn on BitLocker. -Data volumes use the same syntax for encryption as operating system volumes but they don't require protectors for the operation to complete. Encrypting data volumes can be done using the base command: `manage-bde -on ` or users can choose to add protectors to the volume. We recommend that you add at least one primary protector and a recovery protector to a data volume. +### Data volume commands -**Enabling BitLocker with a password** +Data volumes use the same syntax for encryption as operating system volumes but they don't require protectors for the operation to complete. Encrypting data volumes can be done using the base command: -A common protector for a data volume is the password protector. In the example below, we add a password protector to the volume and turn on BitLocker. +```cmd +manage-bde.exe -on +``` + +Or users can choose to add protectors to the volume. It is recommended to add at least one primary protector and a recovery protector to a data volume. + +#### Enabling BitLocker with a password + +A common protector for a data volume is the password protector. In the example below, a password protector is added to the volume and turn on BitLocker. ```powershell -manage-bde -protectors -add -pw C: -manage-bde -on C: +manage-bde.exe -protectors -add -pw C: +manage-bde.exe -on C: ``` -## Encrypting volumes using the BitLocker Windows PowerShell cmdlets +## Encrypting volumes using the BitLocker Windows PowerShell cmdlets Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Using Windows PowerShell's scripting capabilities, administrators can integrate BitLocker options into existing scripts with ease. The list below displays the available BitLocker cmdlets. @@ -193,11 +277,11 @@ Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Us |**Suspend-BitLocker**|
                            • Confirm
                            • MountPoint
                            • RebootCount
                            • WhatIf| |**Unlock-BitLocker**|
                            • AdAccountOrGroup
                            • Confirm
                            • MountPoint
                            • Password
                            • RecoveryKeyPath
                            • RecoveryPassword
                            • RecoveryPassword
                            • WhatIf| -Similar to manage-bde, the Windows PowerShell cmdlets allow configuration beyond the options offered in the control panel. As with manage-bde, users need to consider the specific needs of the volume they're encrypting prior to running Windows PowerShell cmdlets. +Similar to `manage-bde.exe`, the Windows PowerShell cmdlets allow configuration beyond the options offered in the control panel. As with `manage-bde.exe`, users need to consider the specific needs of the volume they're encrypting prior to running Windows PowerShell cmdlets. -A good initial step is to determine the current state of the volume(s) on the computer. You can do this using the `Get-BitLocker` volume cmdlet. The output from this cmdlet displays information on the volume type, protectors, protection status, and other useful information. +A good initial step is to determine the current state of the volume(s) on the computer. You can do this using the `Get-BitLocker` volume PowerShell cmdlet. The output from this cmdlet displays information on the volume type, protectors, protection status, and other useful information. -Occasionally, all protectors may not be shown when using **Get-BitLockerVolume** due to lack of space in the output display. If you don't see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a listing of the protectors. +Occasionally, all protectors may not be shown when using **Get-BitLockerVolume** due to lack of space in the output display. If all of the protectors for a volume aren't seen, the Windows PowerShell pipe command (`|`) can be used to format a listing of the protectors. > [!NOTE] > In the event that there are more than four protectors for a volume, the pipe command may run out of display space. For volumes with more than four protectors, use the method described in the section below to generate a listing of all protectors with protector ID. @@ -205,7 +289,8 @@ Occasionally, all protectors may not be shown when using **Get-BitLockerVolume** ```powershell Get-BitLockerVolume C: | fl ``` -If you want to remove the existing protectors prior to provisioning BitLocker on the volume, you can utilize the `Remove-BitLockerKeyProtector` cmdlet. Accomplishing this requires the GUID associated with the protector to be removed. + +If the existing protectors need to be removed prior to provisioning BitLocker on the volume, the `Remove-BitLockerKeyProtector` cmdlet can be used. Accomplishing this action requires the GUID associated with the protector to be removed. A simple script can pipe out the values of each **Get-BitLockerVolume** return to another variable as seen below: ```powershell @@ -213,18 +298,18 @@ $vol = Get-BitLockerVolume $keyprotectors = $vol.KeyProtector ``` -Using this script, we can display the information in the **$keyprotectors** variable to determine the GUID for each protector. -Using this information, we can then remove the key protector for a specific volume using the command: +Using this script, the information in the **$keyprotectors** variable can be displayed to determine the GUID for each protector. This information can then be used to remove the key protector for a specific volume using the command: ```powershell Remove-BitLockerKeyProtector : -KeyProtectorID "{GUID}" ``` + > [!NOTE] > The BitLocker cmdlet requires the key protector GUID (enclosed in quotation marks) to execute. Ensure the entire GUID, with braces, is included in the command. -### Operating system volume +### Operating system volume PowerShell cmdlets -Using the BitLocker Windows PowerShell cmdlets is similar to working with the manage-bde tool for encrypting operating system volumes. Windows PowerShell offers users a lot of flexibility. For example, users can add the desired protector as part command for encrypting the volume. Below are examples of common user scenarios and steps to accomplish them using the BitLocker cmdlets for Windows PowerShell. +Using the BitLocker Windows PowerShell cmdlets is similar to working with the `manage-bde.exe` tool for encrypting operating system volumes. Windows PowerShell offers users flexibility. For example, users can add the desired protector as part command for encrypting the volume. Below are examples of common user scenarios and steps to accomplish them using the BitLocker cmdlets for Windows PowerShell. To enable BitLocker with just the TPM protector, use this command: @@ -238,11 +323,10 @@ The example below adds one additional protector, the StartupKey protectors, and Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath -SkipHardwareTest ``` -### Data volume +### Data volume PowerShell cmdlets Data volume encryption using Windows PowerShell is the same as for operating system volumes. You should add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. The $pw variable is held as a SecureString value to store the user-defined password. Last, encryption begins. - ```powershell $pw = Read-Host -AsSecureString @@ -251,12 +335,12 @@ Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw ### Using an SID-based protector in Windows PowerShell -The ADAccountOrGroup protector is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it doesn't unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding an SID-based protector for the Cluster Name Object (CNO) that lets the disk properly failover and be unlocked to any member computer of the cluster. +The **ADAccountOrGroup** protector is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it doesn't unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding an SID-based protector for the Cluster Name Object (CNO) that lets the disk properly failover and unlock to any member computer of the cluster. > [!WARNING] -> The SID-based protector requires the use of an additional protector (such as TPM, PIN, recovery key, etc.) when used on operating system volumes. +> The SID-based protector requires the use of an additional protector such as TPM, PIN, recovery key, etc. when used on operating system volumes. -To add an ADAccountOrGroup protector to a volume, you need either the actual domain SID or the group name preceded by the domain and a backslash. In the example below, the CONTOSO\\Administrator account is added as a protector to the data volume G. +To add an **ADAccountOrGroup** protector to a volume, either the domain SID is needed or the group name preceded by the domain and a backslash. In the example below, the **CONTOSO\\Administrator** account is added as a protector to the data volume G. ```powershell Enable-BitLocker G: -AdAccountOrGroupProtector -AdAccountOrGroup CONTOSO\Administrator @@ -267,23 +351,25 @@ For users who wish to use the SID for the account or group, the first step is to ```powershell Get-ADUser -filter {samaccountname -eq "administrator"} ``` + > [!NOTE] > Use of this command requires the RSAT-AD-PowerShell feature. > [!TIP] -> In addition to the Windows PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This doesn't require the use of additional features. +> In addition to the Windows PowerShell command above, information about the locally logged on user and group membership can be found using: `WHOAMI /ALL`. This doesn't require the use of additional features. In the example below, the user wishes to add a domain SID-based protector to the previously encrypted operating system volume. The user knows the SID for the user account or group they wish to add and uses the following command: ```powershell Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup "" ``` + > [!NOTE] > Active Directory-based protectors are normally used to unlock Failover Cluster-enabled volumes. -## Checking BitLocker status +## Checking BitLocker status -To check the BitLocker status of a particular volume, administrators can look at the status of the drive in the BitLocker control panel applet, Windows Explorer, manage-bde command-line tool, or Windows PowerShell cmdlets. Each option offers different levels of detail and ease of use. We'll look at each of the available methods in the following section. +To check the BitLocker status of a particular volume, administrators can look at the status of the drive in the BitLocker control panel applet, Windows Explorer, `manage-bde.exe` command-line tool, or Windows PowerShell cmdlets. Each option offers different levels of detail and ease of use. We'll look at each of the available methods in the following section. ### Checking BitLocker status with the control panel @@ -296,21 +382,21 @@ Checking BitLocker status with the control panel is the most common method used | **Suspended** | BitLocker is suspended and not actively protecting the volume | | **Waiting for Activation**| BitLocker is enabled with a clear protector key and requires further action to be fully protected| -If a drive is pre-provisioned with BitLocker, a status of "Waiting for Activation" displays with a yellow exclamation icon on the volume. This status means that there was only a clear protector used when encrypting the volume. In this case, the volume isn't in a protected state and needs to have a secure key added to the volume before the drive is fully protected. Administrators can use the control panel, manage-bde tool, or WMI APIs to add an appropriate key protector. Once complete, the control panel will update to reflect the new status. +If a drive is pre-provisioned with BitLocker, a status of "Waiting for Activation" displays with a yellow exclamation icon on the volume. This status means that there was only a clear protector used when encrypting the volume. In this case, the volume isn't in a protected state and needs to have a secure key added to the volume before the drive is fully protected. Administrators can use the control panel, `manage-bde.exe` tool, or WMI APIs to add an appropriate key protector. Once complete, the control panel will update to reflect the new status. Using the control panel, administrators can choose **Turn on BitLocker** to start the BitLocker Drive Encryption wizard and add a protector, like PIN for an operating system volume (or password if no TPM exists), or a password or smart card protector to a data volume. The drive security window displays prior to changing the volume status. Selecting **Activate BitLocker** will complete the encryption process. Once BitLocker protector activation is completed, the completion notice is displayed. -### Checking BitLocker status with manage-bde +### Checking BitLocker status with `manage-bde.exe` -Administrators who prefer a command-line interface can utilize manage-bde to check volume status. Manage-bde is capable of returning more information about the volume than the graphical user interface tools in the control panel. For example, manage-bde can display the BitLocker version in use, the encryption type, and the protectors associated with a volume. +Administrators who prefer a command-line interface can utilize `manage-bde.exe` to check volume status. Manage-bde is capable of returning more information about the volume than the graphical user interface tools in the control panel. For example, `manage-bde.exe` can display the BitLocker version in use, the encryption type, and the protectors associated with a volume. -To check the status of a volume using manage-bde, use the following command: +To check the status of a volume using `manage-bde.exe`, use the following command: ```powershell -manage-bde -status +manage-bde.exe -status ``` > [!NOTE] @@ -318,22 +404,23 @@ manage-bde -status ### Checking BitLocker status with Windows PowerShell -Windows PowerShell commands offer another way to query BitLocker status for volumes. Like manage-bde, Windows PowerShell includes the advantage of being able to check the status of a volume on a remote computer. +Windows PowerShell commands offer another way to query BitLocker status for volumes. Like `manage-bde.exe`, Windows PowerShell includes the advantage of being able to check the status of a volume on a remote computer. Using the Get-BitLockerVolume cmdlet, each volume on the system displays its current BitLocker status. To get information that is more detailed on a specific volume, use the following command: ```powershell Get-BitLockerVolume -Verbose | fl ``` -This command displays information about the encryption method, volume type, key protectors, etc. + +This command displays information about the encryption method, volume type, key protectors, and more. ### Provisioning BitLocker during operating system deployment -Administrators can enable BitLocker prior to operating system deployment from the Windows Pre-installation environment. This is done with a randomly generated clear key protector applied to the formatted volume and by encrypting the volume prior to running the Windows setup process. If the encryption uses the **Used Disk Space Only** option described later in this document, this step takes only a few seconds and incorporates well into regular deployment processes. +Administrators can enable BitLocker prior to operating system deployment from the Windows Pre-installation environment. Enabling BitLocker prior to the operating system deployment is done with a randomly generated clear key protector applied to the formatted volume and by encrypting the volume prior to running the Windows setup process. If the encryption uses the **Used Disk Space Only** option described later in this document, this step takes only a few seconds and incorporates well into regular deployment processes. ### Decrypting BitLocker volumes -Decrypting volumes removes BitLocker and any associated protectors from the volumes. Decryption should occur when protection is no longer required. BitLocker decryption shouldn't occur as a troubleshooting step. BitLocker can be removed from a volume using the BitLocker control panel applet, manage-bde, or Windows PowerShell cmdlets. We'll discuss each method further below. +Decrypting volumes removes BitLocker and any associated protectors from the volumes. Decryption should occur when protection is no longer required. BitLocker decryption shouldn't occur as a troubleshooting step. BitLocker can be removed from a volume using the BitLocker control panel applet, `manage-bde.exe`, or Windows PowerShell cmdlets. We'll discuss each method further below. ### Decrypting volumes using the BitLocker control panel applet @@ -344,22 +431,23 @@ The control panel doesn't report decryption progress but displays it in the noti Once decryption is complete, the drive updates its status in the control panel and becomes available for encryption. -### Decrypting volumes using the manage-bde command-line interface +### Decrypting volumes using the `manage-bde.exe` command-line interface -Decrypting volumes using manage-bde is straightforward. Decryption with manage-bde offers the advantage of not requiring user confirmation to start the process. Manage-bde uses the -off command to start the decryption process. A sample command for decryption is: +Decrypting volumes using `manage-bde.exe` is straightforward. Decryption with `manage-bde.exe` offers the advantage of not requiring user confirmation to start the process. Manage-bde uses the -off command to start the decryption process. A sample command for decryption is: ```powershell -manage-bde -off C: +manage-bde.exe -off C: ``` + This command disables protectors while it decrypts the volume and removes all protectors when decryption is complete. If users wish to check the status of the decryption, they can use the following command: ```powershell -manage-bde -status C: +manage-bde.exe -status C: ``` ### Decrypting volumes using the BitLocker Windows PowerShell cmdlets -Decryption with Windows PowerShell cmdlets is straightforward, similar to manage-bde. Windows PowerShell offers the ability to decrypt multiple drives in one pass. In the example below, the user has three encrypted volumes, which they wish to decrypt. +Decryption with Windows PowerShell cmdlets is straightforward, similar to `manage-bde.exe`. Windows PowerShell offers the ability to decrypt multiple drives in one pass. In the example below, the user has three encrypted volumes, which they wish to decrypt. Using the Disable-BitLocker command, they can remove all protectors and encryption at the same time without the need for more commands. An example of this command is: @@ -373,7 +461,7 @@ If a user didn't want to input each mount point individually, using the `-MountP Disable-BitLocker -MountPoint E:,F:,G: ``` -## See also +## Related articles - [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md) - [BitLocker recovery guide](bitlocker-recovery-guide-plan.md) diff --git a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md index 857466fec6..32a6c0816b 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md +++ b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md @@ -1,65 +1,57 @@ --- title: BitLocker Countermeasures (Windows 10) -description: Windows uses technologies including TPM, Secure Boot, Trusted Boot, and Early Launch Antimalware (ELAM) to protect against attacks on the BitLocker encryption key. +description: Windows uses technologies including TPM, Secure Boot, Trusted Boot, and Early Launch Anti-malware (ELAM) to protect against attacks on the BitLocker encryption key. ms.reviewer: ms.prod: windows-client ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: frankroj +ms.author: frankroj manager: aaroncz -ms.collection: - - M365-security-compliance ms.topic: conceptual -ms.date: 02/28/2019 +ms.date: 11/08/2022 ms.custom: bitlocker +ms.technology: itpro-security --- # BitLocker Countermeasures -**Applies to** +**Applies to:** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above +- Windows 10 +- Windows 11 +- Windows Server 2016 and above -Windows uses technologies including trusted platform module (TPM), secure boot, and measured boot to help protect BitLocker encryption keys against attacks. -BitLocker is part of a strategic approach to securing data against offline attacks through encryption technology. -Data on a lost or stolen computer is vulnerable. -For example, there could be unauthorized access, either by running a software attack tool against the computer or by transferring the computer’s hard disk to a different computer. +Windows uses technologies including trusted platform module (TPM), secure boot, and measured boot to help protect BitLocker encryption keys against attacks. BitLocker is part of a strategic approach to securing data against offline attacks through encryption technology. Data on a lost or stolen computer is vulnerable. For example, there could be unauthorized access, either by running a software attack tool against the computer or by transferring the computer's hard disk to a different computer. BitLocker helps mitigate unauthorized data access on lost or stolen computers before the authorized operating system is started. This mitigation is done by: -- **Encrypting volumes on your computer.** For example, you can turn on BitLocker for your operating system volume, or a volume on a fixed or removable data drive (such as a USB flash drive, SD card, and so on). Turning on BitLocker for your operating system volume encrypts all system files on the volume, including the paging files and hibernation files. The only exception is for the System partition, which includes the Windows Boot Manager and minimal boot collateral required for decryption of the operating system volume after the key is unsealed. -- **Ensuring the integrity of early boot components and boot configuration data.** On devices that have a TPM version 1.2 or higher, BitLocker uses the enhanced security capabilities of the TPM to make data accessible only if the computer’s BIOS firmware code and configuration, original boot sequence, boot components, and BCD configuration all appear unaltered and the encrypted disk is located in the original computer. On systems that leverage TPM PCR[7], BCD setting changes deemed safe are permitted to improve usability. - +- **Encrypting volumes on a computer.** For example, BitLocker can be turned on for the operating system volume, a volume on a fixed drive. or removable data drive (such as a USB flash drive, SD card, etc.) Turning on BitLocker for the operating system volume encrypts all system files on the volume, including the paging files and hibernation files. The only exception is for the System partition, which includes the Windows Boot Manager and minimal boot collateral required for decryption of the operating system volume after the key is unsealed. + +- **Ensuring the integrity of early boot components and boot configuration data.** On devices that have a TPM version 1.2 or higher, BitLocker uses the enhanced security capabilities of the TPM to make data accessible only if the computer's BIOS firmware code and configuration, original boot sequence, boot components, and BCD configuration all appear unaltered and the encrypted disk is located in the original computer. On systems that use TPM PCR[7], BCD setting changes deemed safe are permitted to improve usability. + The next sections provide more details about how Windows protects against various attacks on the BitLocker encryption keys in Windows 11, Windows 10, Windows 8.1, and Windows 8. -For more information about how to enable the best overall security configuration for devices beginning with Windows 10 version 1803 or Windows 11, see [Standards for a highly secure Windows device](/windows-hardware/design/device-experiences/oem-highly-secure). +For more information about how to enable the best overall security configuration for devices beginning with Windows 10 version 1803, see [Standards for a highly secure Windows device](/windows-hardware/design/device-experiences/oem-highly-secure). ## Protection before startup -Before Windows starts, you must rely on security features implemented as part of the device hardware and firmware, including TPM and secure boot. Fortunately, many modern computers feature a TPM and secure boot. +Before Windows starts, security features implemented as part of the device hardware and firmware must be relied on, including TPM and secure boot. Fortunately, many modern computers feature a TPM and secure boot. ### Trusted Platform Module -A trusted platform module (TPM) is a microchip designed to provide basic security-related functions, primarily involving encryption keys. -On some platforms, TPM can alternatively be implemented as a part of secure firmware. -BitLocker binds encryption keys with the TPM to ensure that a computer hasn't been tampered with while the system was offline. -For more info about TPM, see [Trusted Platform Module](/windows/device-security/tpm/trusted-platform-module-overview). +A trusted platform module (TPM) is a microchip designed to provide basic security-related functions, primarily involving encryption keys. On some platforms, TPM can alternatively be implemented as a part of secure firmware. BitLocker binds encryption keys with the TPM to ensure that a computer hasn't been tampered with while the system was offline. For more info about TPM, see [Trusted Platform Module](/windows/device-security/tpm/trusted-platform-module-overview). ### UEFI and secure boot -Unified Extensible Firmware Interface (UEFI) is a programmable boot environment that initializes devices and starts the operating system’s bootloader. +Unified Extensible Firmware Interface (UEFI) is a programmable boot environment that initializes devices and starts the operating system's bootloader. -The UEFI specification defines a firmware execution authentication process called [Secure Boot](../secure-the-windows-10-boot-process.md). -Secure Boot blocks untrusted firmware and bootloaders (signed or unsigned) from being able to start on the system. +The UEFI specification defines a firmware execution authentication process called [Secure Boot](../secure-the-windows-10-boot-process.md). Secure Boot blocks untrusted firmware and bootloaders (signed or unsigned) from being able to start on the system. -By default, BitLocker provides integrity protection for Secure Boot by utilizing the TPM PCR[7] measurement. -An unauthorized EFI firmware, EFI boot application, or bootloader can't run and acquire the BitLocker key. +By default, BitLocker provides integrity protection for Secure Boot by utilizing the TPM PCR[7] measurement. An unauthorized EFI firmware, EFI boot application, or bootloader can't run and acquire the BitLocker key. ### BitLocker and reset attacks -To defend against malicious reset attacks, BitLocker leverages the TCG Reset Attack Mitigation, also known as MOR bit (Memory Overwrite Request), before extracting keys into memory. +To defend against malicious reset attacks, BitLocker uses the TCG Reset Attack Mitigation, also known as MOR bit (Memory Overwrite Request), before extracting keys into memory. >[!NOTE] >This does not protect against physical attacks where an attacker opens the case and attacks the hardware. @@ -70,89 +62,88 @@ The next sections cover pre-boot authentication and DMA policies that can provid ### Pre-boot authentication -Pre-boot authentication with BitLocker is a policy setting that requires the use of either user input, such as a PIN, a startup key, or both to authenticate prior to making the contents of the system drive accessible. -The Group Policy setting is [Require additional authentication at startup](./bitlocker-group-policy-settings.md) and the corresponding setting in the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp) is SystemDrivesRequireStartupAuthentication. +Pre-boot authentication with BitLocker is a policy setting that requires the use of either user input, such as a PIN, a startup key, or both to authenticate prior to making the contents of the system drive accessible. The Group Policy setting is [Require additional authentication at startup](./bitlocker-group-policy-settings.md) and the corresponding setting in the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp) is SystemDrivesRequireStartupAuthentication. -BitLocker accesses and stores the encryption keys in memory only after pre-boot authentication is completed. -If Windows can’t access the encryption keys, the device can’t read or edit the files on the system drive. The only option for bypassing pre-boot authentication is entering the recovery key. +BitLocker accesses and stores the encryption keys in memory only after pre-boot authentication is completed. If Windows can't access the encryption keys, the device can't read or edit the files on the system drive. The only option for bypassing pre-boot authentication is entering the recovery key. -Pre-boot authentication is designed to prevent the encryption keys from being loaded to system memory without the trusted user supplying another authentication factor such as a PIN or startup key. -This helps mitigate DMA and memory remanence attacks. +Pre-boot authentication is designed to prevent the encryption keys from being loaded to system memory without the trusted user supplying another authentication factor such as a PIN or startup key. This feature helps mitigate DMA and memory remanence attacks. On computers with a compatible TPM, operating system drives that are BitLocker-protected can be unlocked in four ways: - **TPM-only.** Using TPM-only validation doesn't require any interaction with the user to unlock and provide access to the drive. If the TPM validation succeeds, the user sign-in experience is the same as a standard sign-in. If the TPM is missing or changed or if BitLocker detects changes to the BIOS or UEFI code or configuration, critical operating system startup files, or the boot configuration, BitLocker enters recovery mode, and the user must enter a recovery password to regain access to the data. This option is more convenient for sign-in but less secure than the other options, which require an additional authentication factor. + - **TPM with startup key.** In addition to the protection that the TPM-only provides, part of the encryption key is stored on a USB flash drive, referred to as a startup key. Data on the encrypted volume can't be accessed without the startup key. + - **TPM with PIN.** In addition to the protection that the TPM provides, BitLocker requires that the user enters a PIN. Data on the encrypted volume can't be accessed without entering the PIN. TPMs also have [anti-hammering protection](/windows/security/hardware-protection/tpm/tpm-fundamentals#anti-hammering) that is designed to prevent brute force attacks that attempt to determine the PIN. + - **TPM with startup key and PIN.** In addition to the core component protection that the TPM-only provides, part of the encryption key is stored on a USB flash drive, and a PIN is required to authenticate the user to the TPM. This configuration provides multifactor authentication so that if the USB key is lost or stolen, it can't be used for access to the drive, because the correct PIN is also required. In the following group policy example, TPM + PIN is required to unlock an operating system drive: ![Pre-boot authentication setting in Group Policy.](images/pre-boot-authentication-group-policy.png) -Pre-boot authentication with a PIN can mitigate an attack vector for devices that use a bootable eDrive because an exposed eDrive bus can allow an attacker to capture the BitLocker encryption key during startup. -Pre-boot authentication with a PIN can also mitigate DMA port attacks during the window of time between when BitLocker unlocks the drive and Windows boots to the point that Windows can set any port-related policies that have been configured. +Pre-boot authentication with a PIN can mitigate an attack vector for devices that use a bootable eDrive because an exposed eDrive bus can allow an attacker to capture the BitLocker encryption key during startup. Pre-boot authentication with a PIN can also mitigate DMA port attacks during the window of time between when BitLocker unlocks the drive and Windows boots to the point that Windows can set any port-related policies that have been configured. -On the other hand, Pre-boot authentication-prompts can be inconvenient to users. -In addition, users who forget their PIN or lose their startup key are denied access to their data until they can contact their organization’s support team to obtain a recovery key. -Pre-boot authentication can also make it more difficult to update unattended desktops and remotely administered servers because a PIN needs to be entered when a computer reboots or resumes from hibernation. +On the other hand, Pre-boot authentication-prompts can be inconvenient to users. In addition, users who forget their PIN or lose their startup key are denied access to their data until they can contact their organization's support team to obtain a recovery key. Pre-boot authentication can also make it more difficult to update unattended desktops and remotely administered servers because a PIN needs to be entered when a computer reboots or resumes from hibernation. -To address these issues, you can deploy [BitLocker Network Unlock](./bitlocker-how-to-enable-network-unlock.md). -Network Unlock allows systems within the physical enterprise security perimeter that meet the hardware requirements and have BitLocker enabled with TPM+PIN to boot into Windows without user intervention. -It requires direct ethernet connectivity to an enterprise Windows Deployment Services (WDS) server. +To address these issues, [BitLocker Network Unlock](./bitlocker-how-to-enable-network-unlock.md) can be deployed. Network Unlock allows systems within the physical enterprise security perimeter that meet the hardware requirements and have BitLocker enabled with TPM+PIN to boot into Windows without user intervention. It requires direct ethernet connectivity to an enterprise Windows Deployment Services (WDS) server. ### Protecting Thunderbolt and other DMA ports -There are a few different options to protect DMA ports, such as Thunderbolt™3. -Beginning with Windows 10 version 1803 or Windows 11, new Intel-based devices have kernel protection against DMA attacks via Thunderbolt™ 3 ports enabled by default. -This Kernel DMA Protection is available only for new systems beginning with Windows 10 version 1803 or Windows 11, as it requires changes in the system firmware and/or BIOS. +There are a few different options to protect DMA ports, such as Thunderbolt™3. Beginning with Windows 10 version 1803, new Intel-based devices have kernel protection against DMA attacks via Thunderbolt™ 3 ports enabled by default. This Kernel DMA Protection is available only for new systems beginning with Windows 10 version 1803, as it requires changes in the system firmware and/or BIOS. -You can use the System Information desktop app (MSINFO32) to check if a device has kernel DMA protection enabled: +You can use the System Information desktop app `MSINFO32.exe` to check if a device has kernel DMA protection enabled: ![Kernel DMA protection.](images/kernel-dma-protection.png) -If kernel DMA protection is *not* enabled, follow these steps to protect Thunderbolt™ 3-enabled ports: +If kernel DMA protection isn't enabled, follow these steps to protect Thunderbolt™ 3 enabled ports: + +1. Require a password for BIOS changes -1. Require a password for BIOS changes 2. Intel Thunderbolt Security must be set to User Authorization in BIOS settings. Refer to [Intel Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating System documentation](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) + 3. Additional DMA security may be added by deploying policy (beginning with Windows 10 version 1607 or Windows 11): - - MDM: [DataProtection/AllowDirectMemoryAccess](/windows/client-management/mdm/policy-csp-dataprotection#dataprotection-allowdirectmemoryaccess) policy + - MDM: [DataProtection/AllowDirectMemoryAccess](/windows/client-management/mdm/policy-csp-dataprotection#dataprotection-allowdirectmemoryaccess) policy + - Group Policy: [Disable new DMA devices when this computer is locked](./bitlocker-group-policy-settings.md#disable-new-dma-devices-when-this-computer-is-locked) (This setting isn't configured by default.) -For Thunderbolt v1 and v2 (DisplayPort Connector), refer to the “Thunderbolt Mitigation” section in [KB 2516445](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d). -For SBP-2 and 1394 (a.k.a. Firewire), refer to the “SBP-2 Mitigation” section in [KB 2516445](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d). - +For Thunderbolt v1 and v2 (DisplayPort Connector), refer to the **Thunderbolt Mitigation** section in [Blocking the SBP-2 driver and Thunderbolt controllers to reduce 1394 DMA and Thunderbolt DMA threats to BitLocker](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d). For SBP-2 and 1394 (also known as Firewire), refer to the **SBP-2 Mitigation** section in [Blocking the SBP-2 driver and Thunderbolt controllers to reduce 1394 DMA and Thunderbolt DMA threats to BitLocker](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d). + ## Attack countermeasures This section covers countermeasures for specific types of attacks. ### Bootkits and rootkits -A physically present attacker might attempt to install a bootkit or rootkit-like piece of software into the boot chain in an attempt to steal the BitLocker keys. -The TPM should observe this installation via PCR measurements, and the BitLocker key won't be released. +A physically present attacker might attempt to install a bootkit or rootkit-like piece of software into the boot chain in an attempt to steal the BitLocker keys. The TPM should observe this installation via PCR measurements, and the BitLocker key won't be released. -This is the default configuration. +> [!NOTE] +> BitLocker protects against this attack by default. -A BIOS password is recommended for defense-in-depth in case a BIOS exposes settings that may weaken the BitLocker security promise. -Intel Boot Guard and AMD Hardware Verified Boot support stronger implementations of Secure Boot that provide additional resilience against malware and physical attacks. -Intel Boot Guard and AMD Hardware Verified Boot are part of platform boot verification [standards for a highly secure Windows device](/windows-hardware/design/device-experiences/oem-highly-secure). +A BIOS password is recommended for defense-in-depth in case a BIOS exposes settings that may weaken the BitLocker security promise. Intel Boot Guard and AMD Hardware Verified Boot support stronger implementations of Secure Boot that provide additional resilience against malware and physical attacks. Intel Boot Guard and AMD Hardware Verified Boot are part of platform boot verification [standards for a highly secure Windows device](/windows-hardware/design/device-experiences/oem-highly-secure). ### Brute force attacks against a PIN -Require TPM + PIN for anti-hammering protection. + +Require TPM + PIN for anti-hammering protection. ### DMA attacks See [Protecting Thunderbolt and other DMA ports](#protecting-thunderbolt-and-other-dma-ports) earlier in this article. ### Paging file, crash dump, and Hyberfil.sys attacks -These files are secured on an encrypted volume by default when BitLocker is enabled on OS drives. -It also blocks automatic or manual attempts to move the paging file. + +These files are secured on an encrypted volume by default when BitLocker is enabled on OS drives. It also blocks automatic or manual attempts to move the paging file. ### Memory remanence -Enable secure boot and mandatorily prompt a password to change BIOS settings. -For customers requiring protection against these advanced attacks, configure a TPM+PIN protector, disable Standby power management, and shut down or hibernate the device before it leaves the control of an authorized user. +Enable secure boot and mandatorily prompt a password to change BIOS settings. For customers requiring protection against these advanced attacks, configure a TPM+PIN protector, disable Standby power management, and shut down or hibernate the device before it leaves the control of an authorized user. + +### Tricking BitLocker to pass the key to a rogue operating system + +An attacker might modify the boot manager configuration database (BCD) which is stored on a non-encrypted partition and add an entry point to a rogue operating system on a different partition. During the boot process, BitLocker code will make sure that the operating system that the encryption key obtained from the TPM is given to, is cryptographically verified to be the intended recipient. Because this strong cryptographic verification already exists, we don’t recommend storing a hash of a disk partition table in Platform Configuration Register (PCR) 5. + +An attacker might also replace the entire operating system disk while preserving the platform hardware and firmware and could then extract a protected BitLocker key blob from the metadata of the victim OS partition. The attacker could then attempt to unseal that BitLocker key blob by calling the TPM API from an operating system under their control. This will not succeed because when Windows seals the BitLocker key to the TPM, it does it with a PCR 11 value of 0, and to successfully unseal the blob, PCR 11 in the TPM must have a value of 0. However, when the boot manager passes the control to any boot loader (legitimate or rogue) it always changes PCR 11 to a value of 1. Since the PCR 11 value is guaranteed to be different after exiting the boot manager, the attacker can't unlock the BitLocker key. ## Attacker countermeasures @@ -160,12 +151,12 @@ The following sections cover mitigations for different types of attackers. ### Attacker without much skill or with limited physical access -Physical access may be limited by a form factor that doesn't expose buses and memory. -For example, there are no external DMA-capable ports, no exposed screws to open the chassis, and memory is soldered to the mainboard. +Physical access may be limited by a form factor that doesn't expose buses and memory. For example, there are no external DMA-capable ports, no exposed screws to open the chassis, and memory is soldered to the mainboard. -This attacker of opportunity doesn't use destructive methods or sophisticated forensics hardware/software. +This attacker of opportunity doesn't use destructive methods or sophisticated forensics hardware/software. + +Mitigation: -Mitigation: - Pre-boot authentication set to TPM only (the default) ### Attacker with skill and lengthy physical access @@ -173,27 +164,32 @@ Mitigation: Targeted attack with plenty of time; this attacker will open the case, will solder, and will use sophisticated hardware or software. Mitigation: + - Pre-boot authentication set to TPM with a PIN protector (with a sophisticated alphanumeric PIN [enhanced pin] to help the TPM anti-hammering mitigation). -And- -- Disable Standby power management and shut down or hibernate the device before it leaves the control of an authorized user. This can be set using Group Policy: +- Disable Standby power management and shut down or hibernate the device before it leaves the control of an authorized user. This configuration can be set using the following Group Policy: - - Computer Configuration|Policies|Administrative Templates|Windows Components|File Explorer|Show hibernate in the power options menu - - Computer Configuration|Policies|Administrative Templates|System|Power Management|Sleep Settings|Allow standby states (S1-S3) when sleeping (plugged in) - - Computer Configuration|Policies|Administrative Templates|System|Power Management|Sleep Settings|Allow standby states (S1-S3) when sleeping (on battery) + - *Computer Configuration* > *Policies* > *Administrative Templates* > *Windows Components* > *File Explorer* > **Show hibernate in the power options menu** -These settings are **Not configured** by default. + - *Computer Configuration* > *Policies* > *Administrative Templates* > *Power Management* > *Sleep Settings* > **Allow standby states (S1-S3) when sleeping (plugged in)** + + - *Computer Configuration* > *Policies* > *Administrative Templates* > *Power Management* > *Sleep Settings* > **Allow standby states (S1-S3) when sleeping (on battery)** + +> [!IMPORTANT] +> These settings are **not configured** by default. For some systems, bypassing TPM-only may require opening the case, and may require soldering, but could possibly be done for a reasonable cost. Bypassing a TPM with a PIN protector would cost much more, and require brute forcing the PIN. With a sophisticated enhanced PIN, it could be nearly impossible. The Group Policy setting for [enhanced PIN](./bitlocker-group-policy-settings.md) is: -Computer Configuration|Administrative Templates|Windows Components|BitLocker Drive Encryption|Operating System Drives|Allow enhanced PINs for startup +- *Computer Configuration* > *Policies* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives* > **Allow enhanced PINs for startup** -This setting is **Not configured** by default. +> [!IMPORTANT] +> This setting is **not configured** by default. For secure administrative workstations, Microsoft recommends a TPM with PIN protector and to disable Standby power management and shut down or hibernate the device. -## See also +## Related articles - [Blocking the SBP-2 driver and Thunderbolt controllers to reduce 1394 DMA and Thunderbolt DMA threats to BitLocker](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d) - [BitLocker Group Policy settings](./bitlocker-group-policy-settings.md) diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml index 2b9f32384a..dbea4c718a 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml +++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml @@ -2,25 +2,19 @@ metadata: title: BitLocker deployment and administration FAQ (Windows 10) description: Browse frequently asked questions about BitLocker deployment and administration, such as, "Can BitLocker deployment be automated in an enterprise environment?" - ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee - ms.reviewer: - ms.prod: m365-security - ms.mktglfcycl: explore - ms.sitesec: library - ms.pagetype: security - ms.localizationpriority: medium - author: dansimp - ms.author: dansimp + ms.prod: windows-client + ms.technology: itpro-security + author: frankroj + ms.author: frankroj manager: aaroncz - audience: ITPro - ms.collection: M365-security-compliance ms.topic: faq - ms.date: 02/28/2019 + ms.date: 11/08/2022 ms.custom: bitlocker title: BitLocker frequently asked questions (FAQ) summary: | - **Applies to** - - Windows 10 + **Applies to:** + - Windows 10 and later + - Windows Server 2016 and later sections: @@ -28,7 +22,7 @@ sections: questions: - question: Can BitLocker deployment be automated in an enterprise environment? answer: | - Yes, you can automate the deployment and configuration of BitLocker and the TPM using either WMI or Windows PowerShell scripts. How you choose to implement the scripts depends on your environment. You can also use Manage-bde.exe to locally or remotely configure BitLocker. For more info about writing scripts that use the BitLocker WMI providers, see [BitLocker Drive Encryption Provider](/windows/win32/secprov/bitlocker-drive-encryption-provider). For more info about using Windows PowerShell cmdlets with BitLocker Drive Encryption, see [BitLocker Cmdlets in Windows PowerShell](/powershell/module/bitlocker/index?view=win10-ps). + Yes, the deployment and configuration of both BitLocker and the TPM can be automated using either WMI or Windows PowerShell scripts. Which method is chosen to implement the automation depends on the environment. `Manage-bde.exe` can also be used to locally or remotely configure BitLocker. For more info about writing scripts that use the BitLocker WMI providers, see [BitLocker Drive Encryption Provider](/windows/win32/secprov/bitlocker-drive-encryption-provider). For more info about using Windows PowerShell cmdlets with BitLocker Drive Encryption, see [BitLocker Cmdlets in Windows PowerShell](/powershell/module/bitlocker/index?view=win10-ps). - question: Can BitLocker encrypt more than just the operating system drive? answer: Yes. @@ -38,58 +32,58 @@ sections: - question: How long will initial encryption take when BitLocker is turned on? answer: | - Although BitLocker encryption occurs in the background while you continue to work, and the system remains usable, encryption times vary depending on the type of drive that is being encrypted, the size of the drive, and the speed of the drive. If you are encrypting large drives, you may want to set encryption to occur during times when you will not be using the drive. + Although BitLocker encryption occurs in the background while a user continues to work with the system remaining usable, encryption times vary depending on the type of drive that is being encrypted, the size of the drive, and the speed of the drive. If encrypting large drives, encryption may want to be scheduled during times when the drive isn't being used. - You can also choose whether or not BitLocker should encrypt the entire drive or just the used space on the drive when you turn on BitLocker. On a new hard drive, encrypting just the used spaced can be considerably faster than encrypting the entire drive. When this encryption option is selected, BitLocker automatically encrypts data as it is saved, ensuring that no data is stored unencrypted. + When BitLocker is enabled, BitLocker can also be set to encrypt the entire drive or just the used space on the drive. On a new hard drive, encrypting just the used spaced can be considerably faster than encrypting the entire drive. When this encryption option is selected, BitLocker automatically encrypts data as it is saved, ensuring that no data is stored unencrypted. - question: What happens if the computer is turned off during encryption or decryption? - answer: If the computer is turned off or goes into hibernation, the BitLocker encryption and decryption process will resume where it stopped the next time Windows starts. This is true even if the power is suddenly unavailable. + answer: If the computer is turned off or goes into hibernation, the BitLocker encryption and decryption process will resume where it stopped the next time Windows starts. BitLocker resuming encryption or decryption is true even if the power is suddenly unavailable. - question: Does BitLocker encrypt and decrypt the entire drive all at once when reading and writing data? - answer: No, BitLocker does not encrypt and decrypt the entire drive when reading and writing data. The encrypted sectors in the BitLocker-protected drive are decrypted only as they are requested from system read operations. Blocks that are written to the drive are encrypted before the system writes them to the physical disk. No unencrypted data is ever stored on a BitLocker-protected drive. + answer: No, BitLocker doesn't encrypt and decrypt the entire drive when reading and writing data. The encrypted sectors in the BitLocker-protected drive are decrypted only as they're requested from system read operations. Blocks that are written to the drive are encrypted before the system writes them to the physical disk. No unencrypted data is ever stored on a BitLocker-protected drive. - question: How can I prevent users on a network from storing data on an unencrypted drive? answer: | - You can configure Group Policy settings to require that data drives be BitLocker-protected before a BitLocker-protected computer can write data to them. For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md). - When these policy settings are enabled, the BitLocker-protected operating system will mount any data drives that are not protected by BitLocker as read-only. + Group Policy settings can be configured to require that data drives be BitLocker-protected before a BitLocker-protected computer can write data to them. For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md). + When these policy settings are enabled, the BitLocker-protected operating system will mount any data drives that aren't protected by BitLocker as read-only. - question: What is Used Disk Space Only encryption? answer: | - BitLocker in Windows 10 lets users choose to encrypt just their data. Although it's not the most secure way to encrypt a drive, this option can reduce encryption time by more than 99 percent, depending on how much data that needs to be encrypted. For more information, see [Used Disk Space Only encryption](bitlocker-device-encryption-overview-windows-10.md#used-disk-space-only-encryption). + BitLocker in Windows 10 lets users choose to encrypt just their data. Although it's not the most secure way to encrypt a drive, this option can reduce encryption time by more than 99 percent, depending on how much data that needs to be encrypted. For more information, see [Used Disk Space Only encryption](bitlocker-device-encryption-overview-windows-10.md#used-disk-space-only-encryption). - question: What system changes would cause the integrity check on my operating system drive to fail? answer: | The following types of system changes can cause an integrity check failure and prevent the TPM from releasing the BitLocker key to decrypt the protected operating system drive: - - Moving the BitLocker-protected drive into a new computer. - - Installing a new motherboard with a new TPM. - - Turning off, disabling, or clearing the TPM. - - Changing any boot configuration settings. - - Changing the BIOS, UEFI firmware, master boot record, boot sector, boot manager, option ROM, or other early boot components or boot configuration data. + - Moving the BitLocker-protected drive into a new computer. + - Installing a new motherboard with a new TPM. + - Turning off, disabling, or clearing the TPM. + - Changing any boot configuration settings. + - Changing the BIOS, UEFI firmware, master boot record, boot sector, boot manager, option ROM, or other early boot components or boot configuration data. - question: What causes BitLocker to start into recovery mode when attempting to start the operating system drive? answer: | - Because BitLocker is designed to protect your computer from numerous attacks, there are numerous reasons why BitLocker could start in recovery mode. + Because BitLocker is designed to protect computers from numerous attacks, there are numerous reasons why BitLocker could start in recovery mode. For example: - Changing the BIOS boot order to boot another drive in advance of the hard drive. - - Adding or removing hardware, such as inserting a new card in the computer, including some PCMIA wireless cards. + - Adding or removing hardware, such as inserting a new card in the computer. - Removing, inserting, or completely depleting the charge on a smart battery on a portable computer. In BitLocker, recovery consists of decrypting a copy of the volume master key using either a recovery key stored on a USB flash drive or a cryptographic key derived from a recovery password. - The TPM is not involved in any recovery scenarios, so recovery is still possible if the TPM fails boot component validation, malfunctions, or is removed. + The TPM isn't involved in any recovery scenarios, so recovery is still possible if the TPM fails boot component validation, malfunctions, or is removed. - question: What can prevent BitLocker from binding to PCR 7? - answer: BitLocker can be prevented from binding to PCR 7 if a non-Windows OS booted prior to Windows, or if Secure Boot is not available to the device, either because it has been disabled or the hardware does not support it. + answer: BitLocker can be prevented from binding to PCR 7 if a non-Windows OS booted prior to Windows, or if Secure Boot isn't available to the device, either because it has been disabled or the hardware doesn't support it. - question: Can I swap hard disks on the same computer if BitLocker is enabled on the operating system drive? - answer: Yes, you can swap multiple hard disks on the same computer if BitLocker is enabled, but only if the hard disks were BitLocker-protected on the same computer. The BitLocker keys are unique to the TPM and operating system drive. So if you want to prepare a backup operating system or data drive in case a disk fails, make sure that they were matched with the correct TPM. You can also configure different hard drives for different operating systems and then enable BitLocker on each one with different authentication methods (such as one with TPM-only and one with TPM+PIN) without any conflicts. + answer: Yes, multiple hard disks can be swapped on the same computer if BitLocker is enabled, but only if the hard disks were BitLocker-protected on the same computer. The BitLocker keys are unique to the TPM and the operating system drive. If a backup operating system or data drive needs to be prepared in case of a disk failure, make sure that they were matched with the correct TPM. Different hard drives can also be configured for different operating systems and then enable BitLocker on each one with different authentication methods (such as one with TPM-only and one with TPM+PIN) without any conflicts. - question: Can I access my BitLocker-protected drive if I insert the hard disk into a different computer? - answer: Yes, if the drive is a data drive, you can unlock it from the **BitLocker Drive Encryption** Control Panel item just as you would any other data drive by using a password or smart card. If the data drive was configured for automatic unlock only, you will have to unlock it by using the recovery key. The encrypted hard disk can be unlocked by a data recovery agent (if one was configured) or it can be unlocked by using the recovery key. + answer: Yes, if the drive is a data drive, it can be unlocked from the **BitLocker Drive Encryption** Control Panel item by using a password or smart card. If the data drive was configured for automatic unlock only, it will need to be unlocked by using the recovery key. The encrypted hard disk can be unlocked by a data recovery agent (if one was configured) or it can be unlocked by using the recovery key. - - question: Why is "Turn BitLocker on" not available when I right-click a drive? - answer: Some drives cannot be encrypted with BitLocker. Reasons a drive cannot be encrypted include insufficient disk size, an incompatible file system, if the drive is a dynamic disk, or a drive is designated as the system partition. By default, the system drive (or system partition) is hidden from display. However, if it is not created as a hidden drive when the operating system was installed due to a custom installation process, that drive might be displayed but cannot be encrypted. + - question: Why is **Turn BitLocker on** not available when I right-click a drive? + answer: Some drives can't be encrypted with BitLocker. Reasons a drive can't be encrypted include insufficient disk size, an incompatible file system, if the drive is a dynamic disk, or a drive is designated as the system partition. By default, the system drive (or system partition) is hidden from display. However, if it isn't created as a hidden drive when the operating system was installed due to a custom installation process, that drive might be displayed but can't be encrypted. - question: What type of disk configurations are supported by BitLocker? answer: Any number of internal, fixed data drives can be protected with BitLocker. On some versions ATA and SATA-based, direct-attached storage devices are also supported. diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md index 58f168e9a7..bb9df0cf68 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md +++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md @@ -3,22 +3,22 @@ title: BitLocker deployment comparison (Windows 10) description: This article shows the BitLocker deployment comparison chart. ms.prod: windows-client ms.localizationpriority: medium -author: lovina-saldanha -ms.author: v-lsaldanha +author: frankroj +ms.author: frankroj manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 05/20/2021 +ms.date: 11/08/2022 ms.custom: bitlocker +ms.technology: itpro-security --- # BitLocker deployment comparison -**Applies to** +**Applies to:** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above +- Windows 10 +- Windows 11 +- Windows Server 2016 and above This article depicts the BitLocker deployment comparison chart. @@ -26,37 +26,37 @@ This article depicts the BitLocker deployment comparison chart. | Requirements |Microsoft Intune |Microsoft Configuration Manager |Microsoft BitLocker Administration and Monitoring (MBAM) | |---------|---------|---------|---------| -|Minimum client operating system version |Windows 11 and Windows 10 | Windows 11, Windows 10, and Windows 8.1 | Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 10 IoT, and Windows 11 | -|Supported Windows SKUs | Enterprise, Pro, Education | Enterprise, Pro, Education | Enterprise | -|Minimum Windows version |1909 | None | None | -|Supported domain-joined status | Microsoft Azure Active Directory (Azure AD) joined, hybrid Azure AD joined | Active Directory-joined, hybrid Azure AD joined | Active Directory-joined | -|Permissions required to manage policies | Endpoint security manager or custom | Full administrator or custom | Domain Admin or Delegated GPO access | -|Cloud or on premises | Cloud | On premises | On premises | +|*Minimum client operating system version* |Windows 11 and Windows 10 | Windows 11, Windows 10, and Windows 8.1 | Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 10 IoT, and Windows 11 | +|*Supported Windows SKUs* | Enterprise, Pro, Education | Enterprise, Pro, Education | Enterprise | +|*Minimum Windows version* |1909 | None | None | +|*Supported domain-joined status* | Microsoft Azure Active Directory (Azure AD) joined, hybrid Azure AD joined | Active Directory-joined, hybrid Azure AD joined | Active Directory-joined | +|*Permissions required to manage policies* | Endpoint security manager or custom | Full administrator or custom | Domain Admin or Delegated GPO access | +|*Cloud or on premises* | Cloud | On premises | On premises | |Server components required? | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | -|Additional agent required? | No (device enrollment only) | Configuration Manager client | MBAM client | -|Administrative plane | Microsoft Endpoint Manager admin center | Configuration Manager console | Group Policy Management Console and MBAM sites | -|Administrative portal installation required | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | -|Compliance reporting capabilities | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | -|Force encryption | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | -|Encryption for storage cards (mobile) | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | | -|Allow recovery password | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | -|Manage startup authentication | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | -|Select cipher strength and algorithms for fixed drives | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | -|Select cipher strength and algorithms for removable drives | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | -|Select cipher strength and algorithms for operating environment drives | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | -|Standard recovery password storage location | Azure AD or Active Directory | Configuration Manager site database | MBAM database | -|Store recovery password for operating system and fixed drives to Azure AD or Active Directory | Yes (Active Directory and Azure AD) | Yes (Active Directory only) | Yes (Active Directory only) | -|Customize preboot message and recovery link | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | -|Allow/deny key file creation | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | -|Deny Write permission to unprotected drives | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | -|Can be administered outside company network | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | | -|Support for organization unique IDs | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | -|Self-service recovery | Yes (through Azure AD or Company Portal app) | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | -|Recovery password rotation for fixed and operating environment drives | Yes (Windows 10, version 1909 and later or Windows 11) | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | -|Wait to complete encryption until recovery information is backed up to Azure AD | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | | | -|Wait to complete encryption until recovery information is backed up to Active Directory | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | -|Allow or deny Data Recovery Agent | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | -|Unlock a volume using certificate with custom object identifier | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | -|Prevent memory overwrite on restart | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | -|Configure custom Trusted Platform Module Platform Configuration Register profiles | | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | -|Manage auto-unlock functionality | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|*Additional agent required?* | No (device enrollment only) | Configuration Manager client | MBAM client | +|*Administrative plane* | Microsoft Endpoint Manager admin center | Configuration Manager console | Group Policy Management Console and MBAM sites | +|*Administrative portal installation required* | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|*Compliance reporting capabilities* | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|*Force encryption* | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|*Encryption for storage cards (mobile)* | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | | +|*Allow recovery password* | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|*Manage startup authentication* | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|*Select cipher strength and algorithms for fixed drives* | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|*Select cipher strength and algorithms for removable drives* | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|*Select cipher strength and algorithms for operating environment drives* | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|*Standard recovery password storage location* | Azure AD or Active Directory | Configuration Manager site database | MBAM database | +|*Store recovery password for operating system and fixed drives to Azure AD or Active Directory* | Yes (Active Directory and Azure AD) | Yes (Active Directory only) | Yes (Active Directory only) | +|*Customize preboot message and recovery link* | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|*Allow/deny key file creation* | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|*Deny Write permission to unprotected drives* | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|*Can be administered outside company network* | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | | +|*Support for organization unique IDs* | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|*Self-service recovery* | Yes (through Azure AD or Company Portal app) | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|*Recovery password rotation for fixed and operating environment drives* | Yes (Windows 10, version 1909 and later) | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|*Wait to complete encryption until recovery information is backed up to Azure AD* | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | | | +|*Wait to complete encryption until recovery information is backed up to Active Directory* | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|*Allow or deny Data Recovery Agent* | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|*Unlock a volume using certificate with custom object identifier* | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|*Prevent memory overwrite on restart* | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|*Configure custom Trusted Platform Module Platform Configuration Register profiles* | | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|*Manage auto-unlock functionality* | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | diff --git a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md index 9ee83c9b95..811287a4d3 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md +++ b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md @@ -3,55 +3,56 @@ title: Overview of BitLocker Device Encryption in Windows description: This article provides an overview of how BitLocker Device Encryption can help protect data on devices running Windows. ms.prod: windows-client ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: frankroj +ms.author: frankroj manager: aaroncz ms.collection: - - M365-security-compliance - highpri ms.topic: conceptual -ms.date: 03/10/2022 +ms.date: 11/08/2022 ms.custom: bitlocker +ms.technology: itpro-security --- # Overview of BitLocker Device Encryption in Windows -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and later +**Applies to:** -This article explains how BitLocker Device Encryption can help protect data on devices running Windows. For a general overview and list of articles about BitLocker, see [BitLocker](bitlocker-overview.md). +- Windows 10 +- Windows 11 +- Windows Server 2016 and above -When users travel, their organization’s confidential data goes with them. Wherever confidential data is stored, it must be protected against unauthorized access. Windows has a long history of providing at-rest data-protection solutions that guard against nefarious attackers, beginning with the Encrypting File System in the Windows 2000 operating system. More recently, BitLocker has provided encryption for full drives and portable drives. Windows consistently improves data protection by improving existing options and providing new strategies. +This article explains how BitLocker Device Encryption can help protect data on devices running Windows. See [BitLocker](bitlocker-overview.md) for a general overview and list of articles. -Table 2 lists specific data-protection concerns and how they're addressed in Windows 11, Windows 10, and Windows 7. +When users travel, their organization's confidential data goes with them. Wherever confidential data is stored, it must be protected against unauthorized access. Windows has a long history of providing at-rest data-protection solutions that guard against nefarious attackers, beginning with the Encrypting File System in the Windows 2000 operating system. More recently, BitLocker has provided encryption for full drives and portable drives. Windows consistently improves data protection by improving existing options and providing new strategies. -**Table 2. Data Protection in Windows 11, Windows 10, and Windows 7** +## Data Protection in Windows 11, Windows 10, and Windows 7 -| Windows 7 | Windows 11 and Windows 10 | +The below table lists specific data-protection concerns and how they're addressed in Windows 11, Windows 10, and Windows 7. + + +| Windows 7 | Windows 11 and Windows 10 | |---|---| | When BitLocker is used with a PIN to protect startup, PCs such as kiosks can't be restarted remotely. | Modern Windows devices are increasingly protected with BitLocker Device Encryption out of the box and support SSO to seamlessly protect the BitLocker encryption keys from cold boot attacks.

                              Network Unlock allows PCs to start automatically when connected to the internal network. | | When BitLocker is enabled, the provisioning process can take several hours. | BitLocker pre-provisioning, encrypting hard drives, and Used Space Only encryption allow administrators to enable BitLocker quickly on new computers. | | There's no support for using BitLocker with self-encrypting drives (SEDs). | BitLocker supports offloading encryption to encrypted hard drives. | | Administrators have to use separate tools to manage encrypted hard drives. | BitLocker supports encrypted hard drives with onboard encryption hardware built in, which allows administrators to use the familiar BitLocker administrative tools to manage them. | | Encrypting a new flash drive can take more than 20 minutes. | Used Space Only encryption in BitLocker To Go allows users to encrypt removable data drives in seconds. | -| BitLocker could require users to enter a recovery key when system configuration changes occur. | BitLocker requires the user to enter a recovery key only when disk corruption occurs or when you lose the PIN or password. | -| Users need to enter a PIN to start the PC, and then their password to sign in to Windows. | Modern Windows devices are increasingly protected with BitLocker Device Encryption out of the box and support SSO to help protect the BitLocker encryption keys from cold boot attacks. | +| BitLocker could require users to enter a recovery key when system configuration changes occur. | BitLocker requires the user to enter a recovery key only when disk corruption occurs or when the PIN or password is lost. | +| Users need to enter a PIN to start the PC, and then their password to sign in to Windows. | Modern Windows devices are increasingly protected with BitLocker Device Encryption out of the box and support SSO to help protect the BitLocker encryption keys from cold boot attacks. | ## Prepare for drive and file encryption -The best type of security measures is transparent to the user during implementation and use. Every time there's a possible delay or difficulty because of a security feature, there's strong likelihood that users will try to bypass security. This situation is especially true for data protection, and that’s a scenario that organizations need to avoid. -Whether you’re planning to encrypt entire volumes, removable devices, or individual files, Windows 11 and Windows 10 meet your needs by providing streamlined, usable solutions. In fact, you can take several steps in advance to prepare for data encryption and make the deployment quick and smooth. +The best type of security measures is transparent to the user during implementation and use. Every time there's a possible delay or difficulty because of a security feature, there's a strong likelihood that users will try to bypass security. This situation is especially true for data protection, and that's a scenario that organizations need to avoid. Whether planning to encrypt entire volumes, removable devices, or individual files, Windows 11 and Windows 10 meet these needs by providing streamlined, usable solutions. In fact, several steps can be taken in advance to prepare for data encryption and make the deployment quick and smooth. ### TPM pre-provisioning -In Windows 7, preparing the TPM for use offered a couple of challenges: +In Windows 7, preparing the TPM offered a few challenges: -* You can turn on the TPM in the BIOS, which requires someone to either go into the BIOS settings to turn it on or to install a driver to turn it on from within Windows. -* When you enable the TPM, it may require one or more restarts. +- Turning on the TPM required going into the BIOS or UEFI firmware of the device. Turning on the TPM at the device requires someone to either physically go into the BIOS or UEFI firmware settings of the device to turn on the TPM, or to install a driver in Windows to turn on the TPM from within Windows. +- When the TPM is enabled, it may require one or more restarts. -Basically, it was a hassle. If IT staff were provisioning new PCs, they could handle all of this, but if you wanted to add BitLocker to devices that were already in users’ hands, those users would have struggled with the technical challenges and would either call IT for support or leave BitLocker disabled. +This made preparing the TPM in Windows 7 problematic. If IT staff are provisioning new PCs, they can handle the required steps for preparing a TPM. However, if BitLocker needed to be enabled on devices that are already in users' hands, those users would probably struggle with the technical challenges. The user would then either call to IT for support or leave BitLocker disabled. Microsoft includes instrumentation in Windows 11 and Windows 10 that enable the operating system to fully manage the TPM. There's no need to go into the BIOS, and all scenarios that required a restart have been eliminated. @@ -61,65 +62,83 @@ BitLocker is capable of encrypting entire hard drives, including both system and With earlier versions of Windows, administrators had to enable BitLocker after Windows had been installed. Although this process could be automated, BitLocker would need to encrypt the entire drive, a process that could take anywhere from several hours to more than a day depending on drive size and performance, which delayed deployment. Microsoft has improved this process through multiple features in Windows 11 and Windows 10. -## BitLocker device encryption +## BitLocker Device Encryption -Beginning in Windows 8.1, Windows automatically enables BitLocker Device Encryption on devices that support Modern Standby. With Windows 11 and Windows 10, Microsoft offers BitLocker Device Encryption support on a much broader range of devices, including those that are Modern Standby, and devices that run Windows 10 Home edition or Windows 11. +Beginning in Windows 8.1, Windows automatically enables BitLocker Device Encryption on devices that support Modern Standby. With Windows 11 and Windows 10, Microsoft offers BitLocker Device Encryption support on a much broader range of devices, including those devices that are Modern Standby, and devices that run Home edition of Windows 10 or Windows 11. -Microsoft expects that most devices in the future will pass the testing requirements, which makes BitLocker device encryption pervasive across modern Windows devices. BitLocker device encryption further protects the system by transparently implementing device-wide data encryption. +Microsoft expects that most devices in the future will pass the requirements for BitLocker Device Encryption that will make BitLocker Device Encryption pervasive across modern Windows devices. BitLocker Device Encryption further protects the system by transparently implementing device-wide data encryption. -Unlike a standard BitLocker implementation, BitLocker device encryption is enabled automatically so that the device is always protected. The following list outlines how this happens: +Unlike a standard BitLocker implementation, BitLocker Device Encryption is enabled automatically so that the device is always protected. The following list outlines how BitLocker Device Encryption is enabled automatically: -* When a clean installation of Windows 11 or Windows 10 is completed and the out-of-box experience is finished, the computer is prepared for first use. As part of this preparation, BitLocker Device Encryption is initialized on the operating system drive and fixed data drives on the computer with a clear key (this is the equivalent of standard BitLocker suspended state). In this state, the drive is shown with a warning icon in Windows Explorer. The yellow warning icon is removed after the TPM protector is created and the recovery key is backed up, as explained in the following bullet points. -* If the device isn't domain joined, a Microsoft account that has been granted administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to the online Microsoft account, and a TPM protector is created. Should a device require the recovery key, the user will be guided to use an alternate device and navigate to a recovery key access URL to retrieve the recovery key by using his or her Microsoft account credentials. -* If the user uses a domain account to sign in, the clear key isn't removed until the user joins the device to a domain and the recovery key is successfully backed up to Active Directory Domain Services (AD DS). You must enable the **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives** Group Policy setting, and select the **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** option. With this configuration, the recovery password is created automatically when the computer joins the domain, and then the recovery key is backed up to AD DS, the TPM protector is created, and the clear key is removed. -* Similar to signing in with a domain account, the clear key is removed when the user signs in to an Azure AD account on the device. As described in the bullet point above, the recovery password is created automatically when the user authenticates to Azure AD. Then, the recovery key is backed up to Azure AD, the TPM protector is created, and the clear key is removed. +- When a clean installation of Windows 11 or Windows 10 is completed and the out-of-box experience is finished, the computer is prepared for first use. As part of this preparation, BitLocker Device Encryption is initialized on the operating system drive and fixed data drives on the computer with a clear key that is the equivalent of standard BitLocker suspended state. In this state, the drive is shown with a warning icon in Windows Explorer. The yellow warning icon is removed after the TPM protector is created and the recovery key is backed up, as explained in the following bullet points. -Microsoft recommends that BitLocker Device Encryption be enabled on any systems that support it, but the automatic BitLocker Device Encryption process can be prevented by changing the following registry setting: -- **Subkey**: HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\BitLocker -- **Value**: PreventDeviceEncryption equal to True (1) -- **Type**: REG\_DWORD +- If the device isn't domain joined, a Microsoft account that has been granted administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to the online Microsoft account, and a TPM protector is created. Should a device require the recovery key, the user will be guided to use an alternate device and navigate to a recovery key access URL to retrieve the recovery key by using their Microsoft account credentials. -Administrators can manage domain-joined devices that have BitLocker device encryption enabled through Microsoft BitLocker Administration and Monitoring (MBAM). In this case, BitLocker device encryption automatically makes additional BitLocker options available. No conversion or encryption is required, and MBAM can manage the full BitLocker policy set if any configuration changes are required. +- If the user uses a domain account to sign in, the clear key isn't removed until the user joins the device to a domain, and the recovery key is successfully backed up to Active Directory Domain Services (AD DS). The following Group Policy settings must be enabled for the recovery key to be backed up to AD DS: + + *Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives* > **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** + + With this configuration, the recovery password is created automatically when the computer joins the domain, and then the recovery key is backed up to AD DS, the TPM protector is created, and the clear key is removed. + +- Similar to signing in with a domain account, the clear key is removed when the user signs in to an Azure AD account on the device. As described in the bullet point above, the recovery password is created automatically when the user authenticates to Azure AD. Then, the recovery key is backed up to Azure AD, the TPM protector is created, and the clear key is removed. + +Microsoft recommends automatically enabling BitLocker Device Encryption on any systems that support it. However, the automatic BitLocker Device Encryption process can be prevented by changing the following registry setting: + +- **Subkey**: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BitLocker` +- **Type**: `REG_DWORD` +- **Value**: `PreventDeviceEncryption` equal to `1` (True) + +Administrators can manage domain-joined devices that have BitLocker Device Encryption enabled through Microsoft BitLocker Administration and Monitoring (MBAM). In this case, BitLocker Device Encryption automatically makes additional BitLocker options available. No conversion or encryption is required, and MBAM can manage the full BitLocker policy set if any configuration changes are required. > [!NOTE] -> BitLocker Device Encryption uses the XTS-AES 128-bit encryption method. In case you need to use a different encryption method and/or cipher strength, the device must be configured and decrypted (if already encrypted) first. After that, different BitLocker settings can be applied. +> BitLocker Device Encryption uses the XTS-AES 128-bit encryption method. If a different encryption method and/or cipher strength is needed but the device is already encrypted, it must first be decrypted before the new encryption method and/or cipher strength can be applied. After the device has been decrypted, different BitLocker settings can be applied. ## Used Disk Space Only encryption -BitLocker in earlier Windows versions could take a long time to encrypt a drive, because it encrypted every byte on the volume (including parts that didn't have data). That is still the most secure way to encrypt a drive, especially if a drive has previously contained confidential data that has since been moved or deleted. In that case, traces of the confidential data could remain on portions of the drive marked as unused. -But why encrypt a new drive when you can encrypt the data as it is being written? To reduce encryption time, BitLocker in Windows 11 and Windows 10 let users choose to encrypt just their data. Depending on the amount of data on the drive, this option can reduce encryption time by more than 99 percent. -Exercise caution when encrypting only used space on an existing volume on which confidential data may have already been stored in an unencrypted state, however, because those sectors can be recovered through disk-recovery tools until they're overwritten by new encrypted data. In contrast, encrypting only used space on a brand-new volume can significantly decrease deployment time without the security risk because all new data will be encrypted as it's written to the disk. +BitLocker in earlier Windows versions could take a long time to encrypt a drive because it encrypted every byte on the volume including areas that didn't have data. Encrypting every byte on the volume including areas that didn't have data is known as full disk encryption. Full disk encryption is still the most secure way to encrypt a drive, especially if a drive has previously contained confidential data that has since been moved or deleted. If a drive previously had confidential data that has been moved or deleted, traces of the confidential data could remain on portions of the drive marked as unused. + +To reduce encryption time, BitLocker in Windows 11 and Windows 10 let users choose to encrypt just the areas of the disk that contain data. Areas of the disk that don't contain data and are empty won't be encrypted. Any new data is encrypted as it's created. Depending on the amount of data on the drive, this option can reduce the initial encryption time by more than 99 percent. + +Exercise caution when encrypting only used space on an existing volume on which confidential data may have already been stored in an unencrypted state. When using used space encryption, sectors where previously unencrypted data are stored can be recovered through disk-recovery tools until they're overwritten by new encrypted data. In contrast, encrypting only used space on a brand-new volume can significantly decrease deployment time without the security risk because all new data will be encrypted as it's written to the disk. ## Encrypted hard drive support -SEDs have been available for years, but Microsoft couldn’t support their use with some earlier versions of Windows because the drives lacked important key management features. Microsoft worked with storage vendors to improve the hardware capabilities, and now BitLocker supports the next generation of SEDs, which are called encrypted hard drives. -Encrypted hard drives provide onboard cryptographic capabilities to encrypt data on drives, which improves both drive and system performance by offloading cryptographic calculations from the PC’s processor to the drive itself and rapidly encrypting the drive by using dedicated, purpose-built hardware. If you plan to use, whole-drive encryption with Windows 11 or Windows 10, Microsoft recommends that you investigate hard drive manufacturers and models to determine whether any of their encrypted hard drives meet your security and budget requirements. -For more information about encrypted hard drives, see [Encrypted Hard Drive](../encrypted-hard-drive.md). +SEDs have been available for years, but Microsoft couldn't support their use with some earlier versions of Windows because the drives lacked important key management features. Microsoft worked with storage vendors to improve the hardware capabilities, and now BitLocker supports the next generation of SEDs, which are called encrypted hard drives. + +Encrypted hard drives provide onboard cryptographic capabilities to encrypt data on drives. This feature improves both drive and system performance by offloading cryptographic calculations from the PC's processor to the drive itself. Data is rapidly encrypted by the drive by using dedicated, purpose-built hardware. If planning to use whole-drive encryption with Windows 11 or Windows 10, Microsoft recommends researching hard drive manufacturers and models to determine whether any of their encrypted hard drives meet the security and budget requirements. + +For more information about encrypted hard drives, see [Encrypted hard drive](../encrypted-hard-drive.md). ## Preboot information protection An effective implementation of information protection, like most security controls, considers usability and security. Users typically prefer a simple security experience. In fact, the more transparent a security solution becomes, the more likely users are to conform to it. + It's crucial that organizations protect information on their PCs regardless of the state of the computer or the intent of users. This protection shouldn't be cumbersome to users. One undesirable and previously commonplace situation is when the user is prompted for input during preboot, and then again during Windows sign-in. Challenging users for input more than once should be avoided. -Windows 11 and Windows 10 can enable a true SSO experience from the preboot environment on modern devices and in some cases even on older devices when robust information protection configurations are in place. The TPM in isolation is able to securely protect the BitLocker encryption key while it is at rest, and it can securely unlock the operating system drive. When the key is in use and thus in memory, a combination of hardware and Windows capabilities can secure the key and prevent unauthorized access through cold-boot attacks. Although other countermeasures like PIN-based unlock are available, they aren't as user-friendly; depending on the devices’ configuration they may not offer additional security when it comes to key protection. For more information, see [BitLocker Countermeasures](bitlocker-countermeasures.md). + +Windows 11 and Windows 10 can enable a true SSO experience from the preboot environment on modern devices and in some cases even on older devices when robust information protection configurations are in place. The TPM in isolation is able to securely protect the BitLocker encryption key while it is at rest, and it can securely unlock the operating system drive. When the key is in use and thus in memory, a combination of hardware and Windows capabilities can secure the key and prevent unauthorized access through cold-boot attacks. Although other countermeasures like PIN-based unlock are available, they aren't as user-friendly; depending on the devices' configuration they may not offer additional security when it comes to key protection. For more information, see [BitLocker Countermeasures](bitlocker-countermeasures.md). ## Manage passwords and PINs -When BitLocker is enabled on a system drive and the PC has a TPM, you can choose to require that users type a PIN before BitLocker will unlock the drive. Such a PIN requirement can prevent an attacker who has physical access to a PC from even getting to the Windows sign-in, which makes it virtually impossible for the attacker to access or modify user data and system files. +When BitLocker is enabled on a system drive and the PC has a TPM, users can be required to type a PIN before BitLocker will unlock the drive. Such a PIN requirement can prevent an attacker who has physical access to a PC from even getting to the Windows sign-in, which makes it almost impossible for the attacker to access or modify user data and system files. + +Requiring a PIN at startup is a useful security feature because it acts as a second authentication factor. However, this configuration comes with some costs. One of the most significant costs is the need to change the PIN regularly. In enterprises that used BitLocker with Windows 7 and the Windows Vista operating system, users had to contact systems administrators to update their BitLocker PIN or password. This requirement not only increased management costs but made users less willing to change their BitLocker PIN or password regularly. -Requiring a PIN at startup is a useful security feature because it acts as a second authentication factor (a second “something you know”). This configuration comes with some costs, however. One of the most significant is the need to change the PIN regularly. In enterprises that used BitLocker with Windows 7 and the Windows Vista operating system, users had to contact systems administrators to update their BitLocker PIN or password. This requirement not only increased management costs but made users less willing to change their BitLocker PIN or password regularly. Windows 11 and Windows 10 users can update their BitLocker PINs and passwords themselves, without administrator credentials. Not only will this feature reduce support costs, but it could improve security, too, because it encourages users to change their PINs and passwords more often. In addition, Modern Standby devices don't require a PIN for startup: They're designed to start infrequently and have other mitigations in place that further reduce the attack surface of the system. + For more information about how startup security works and the countermeasures that Windows 11 and Windows 10 provide, see [Protect BitLocker from pre-boot attacks](./bitlocker-countermeasures.md). ## Configure Network Unlock -Some organizations have location-specific data security requirements. This is most common in environments where high-value data is stored on PCs. The network environment may provide crucial data protection and enforce mandatory authentication; therefore, policy states that those PCs shouldn't leave the building or be disconnected from the corporate network. Safeguards like physical security locks and geofencing may help enforce this policy as reactive controls. Beyond these, a proactive security control that grants data access only when the PC is connected to the corporate network is necessary. +Some organizations have location specific data security requirements. Location specific data security requirements are most common in environments where high-value data is stored on PCs. The network environment may provide crucial data protection and enforce mandatory authentication. Therefore, policy states that those PCs shouldn't leave the building or be disconnected from the corporate network. Safeguards like physical security locks and geofencing may help enforce this policy as reactive controls. Beyond these safeguards, a proactive security control that grants data access only when the PC is connected to the corporate network is necessary. Network Unlock enables BitLocker-protected PCs to start automatically when connected to a wired corporate network on which Windows Deployment Services runs. Anytime the PC isn't connected to the corporate network, a user must type a PIN to unlock the drive (if PIN-based unlock is enabled). Network Unlock requires the following infrastructure: -* Client PCs that have Unified Extensible Firmware Interface (UEFI) firmware version 2.3.1 or later, which supports Dynamic Host Configuration Protocol (DHCP) -* A server running at least Windows Server 2012 with the Windows deployment services role -* A server with the DHCP server role installed +- Client PCs that have Unified Extensible Firmware Interface (UEFI) firmware version 2.3.1 or later, which supports Dynamic Host Configuration Protocol (DHCP) + +- A server running at least Windows Server 2012 with the Windows deployment services (WDS) role + +- A server with the DHCP server role installed For more information about how to configure Network unlock feature, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md). @@ -127,21 +146,31 @@ For more information about how to configure Network unlock feature, see [BitLock Part of the Microsoft Desktop Optimization Pack, Microsoft BitLocker Administration and Monitoring (MBAM) makes it easier to manage and support BitLocker and BitLocker To Go. MBAM 2.5 with Service Pack 1, the latest version, has the following key features: -* Enables administrators to automate the process of encrypting volumes on client computers across the enterprise. -* Enables security officers to quickly determine the compliance state of individual computers or even of the enterprise itself. -* Provides centralized reporting and hardware management with Microsoft Configuration Manager. -* Reduces the workload on the help desk to assist end users with BitLocker recovery requests. -* Enables end users to recover encrypted devices independently by using the Self-Service Portal. -* Enables security officers to easily audit access to recovery key information. -* Empowers Windows Enterprise users to continue working anywhere with the assurance that their corporate data is protected. -* Enforces the BitLocker encryption policy options that you set for your enterprise. -* Integrates with existing management tools, such as Microsoft Configuration Manager. -* Offers an IT-customizable recovery user experience. -* Supports Windows 11 and Windows 10. +- Enables administrators to automate the process of encrypting volumes on client computers across the enterprise. + +- Enables security officers to quickly determine the compliance state of individual computers or even of the enterprise itself. + +- Provides centralized reporting and hardware management with Microsoft Configuration Manager. + +- Reduces the workload on the help desk to assist end users with BitLocker recovery requests. + +- Enables end users to recover encrypted devices independently by using the Self-Service Portal. + +- Enables security officers to easily audit access to recovery key information. + +- Empowers Windows Enterprise users to continue working anywhere with the assurance that their corporate data is protected. + +- Enforces the BitLocker encryption policy options that are set for the enterprise. + +- Integrates with existing management tools, such as Microsoft Configuration Manager. + +- Offers an IT-customizable recovery user experience. + +- Supports Windows 11 and Windows 10. > [!IMPORTANT] > Enterprises could use MBAM to manage client computers with BitLocker that are domain-joined on-premises until mainstream support ended in July 2019, or they could receive extended support until April 2026. -Going forward, the functionality of MBAM will be incorporated into Configuration Manager. For more information, see [Features in Configuration Manager technical preview version 1909](/mem/configmgr/core/get-started/2019/technical-preview-1909#bkmk_bitlocker). +Going forward, the functionality of MBAM will be incorporated into Configuration Manager. For more information, see [Plan for BitLocker management](/mem/configmgr/protect/plan-design/bitlocker-management). Enterprises not using Configuration Manager can use the built-in features of Azure AD and Microsoft Intune for administration and monitoring. For more information, see [Monitor device encryption with Intune](/mem/intune/protect/encryption-monitor). diff --git a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml index 3f48006d72..24016c5ca6 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml +++ b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml @@ -2,39 +2,34 @@ metadata: title: BitLocker FAQ (Windows 10) description: Find the answers you need by exploring this brief hub page listing FAQ pages for various aspects of BitLocker. - ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee - ms.reviewer: - ms.prod: m365-security - ms.mktglfcycl: explore - ms.sitesec: library - ms.pagetype: security - ms.localizationpriority: medium - author: dansimp - ms.author: dansimp + ms.prod: windows-client + ms.technology: itpro-security + author: frankroj + ms.author: frankroj manager: aaroncz audience: ITPro ms.collection: - - M365-security-compliance - highpri ms.topic: faq - ms.date: 02/28/2019 + ms.date: 11/08/2022 ms.custom: bitlocker title: BitLocker frequently asked questions (FAQ) resources summary: | - **Applies to** - - Windows 10 + **Applies to:** + - Windows 10 and later + - Windows Server 2016 and later - This topic links to frequently asked questions about BitLocker. BitLocker is a data protection feature that encrypts drives on your computer to help prevent data theft or exposure. BitLocker-protected computers can also delete data more securely when they are decommissioned because it is much more difficult to recover deleted data from an encrypted drive than from a non-encrypted drive. + This article links to frequently asked questions about BitLocker. BitLocker is a data protection feature that encrypts drives on computers to help prevent data theft or exposure. BitLocker-protected computers can also delete data more securely when they're decommissioned because it's much more difficult to recover deleted data from an encrypted drive than from a non-encrypted drive. - - [Overview and requirements](bitlocker-overview-and-requirements-faq.yml) - - [Upgrading](bitlocker-upgrading-faq.yml) - - [Deployment and administration](bitlocker-deployment-and-administration-faq.yml) - - [Key management](bitlocker-key-management-faq.yml) - - [BitLocker To Go](bitlocker-to-go-faq.yml) - - [Active Directory Domain Services (AD DS)](bitlocker-and-adds-faq.yml) - - [Security](bitlocker-security-faq.yml) - - [BitLocker Network Unlock](bitlocker-network-unlock-faq.yml) - - [Using BitLocker with other programs and general questions](bitlocker-using-with-other-programs-faq.yml) + - [Overview and requirements](bitlocker-overview-and-requirements-faq.yml) + - [Upgrading](bitlocker-upgrading-faq.yml) + - [Deployment and administration](bitlocker-deployment-and-administration-faq.yml) + - [Key management](bitlocker-key-management-faq.yml) + - [BitLocker To Go](bitlocker-to-go-faq.yml) + - [Active Directory Domain Services (AD DS)](bitlocker-and-adds-faq.yml) + - [Security](bitlocker-security-faq.yml) + - [BitLocker Network Unlock](bitlocker-network-unlock-faq.yml) + - [Using BitLocker with other programs and general questions](bitlocker-using-with-other-programs-faq.yml) @@ -44,11 +39,11 @@ sections: - question: | More information answer: | - - [Prepare your organization for BitLocker: Planning and Policies](prepare-your-organization-for-bitlocker-planning-and-policies.md) - - [BitLocker Group Policy settings](bitlocker-group-policy-settings.md) - - [BCD settings and BitLocker](bcd-settings-and-bitlocker.md) - - [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) - - [BitLocker: How to deploy on Windows Server 2012](bitlocker-how-to-deploy-on-windows-server.md) - - [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md) - - [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md) - - [BitLocker Cmdlets in Windows PowerShell](/powershell/module/bitlocker/index?view=win10-ps&preserve-view=true) + - [Prepare your organization for BitLocker: Planning and Policies](prepare-your-organization-for-bitlocker-planning-and-policies.md) + - [BitLocker Group Policy settings](bitlocker-group-policy-settings.md) + - [BCD settings and BitLocker](bcd-settings-and-bitlocker.md) + - [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) + - [BitLocker: How to deploy on Windows Server 2012](bitlocker-how-to-deploy-on-windows-server.md) + - [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md) + - [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md) + - [BitLocker Cmdlets in Windows PowerShell](/powershell/module/bitlocker/index?view=win10-ps&preserve-view=true) diff --git a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md index 8f2e37d39f..948d296fa0 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md +++ b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md @@ -4,37 +4,41 @@ description: This article for IT professionals describes the function, location, ms.reviewer: ms.prod: windows-client ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: frankroj +ms.author: frankroj manager: aaroncz ms.collection: - - M365-security-compliance - highpri ms.topic: conceptual -ms.date: 04/17/2019 +ms.date: 11/08/2022 ms.custom: bitlocker +ms.technology: itpro-security --- # BitLocker group policy settings **Applies to:** -- Windows 10, Windows 11, Windows Server 2019, Windows Server 2016, Windows 8.1, and Windows Server 2012 R2 +- Windows 10 +- Windows 11 +- Windows Server 2016 and above This article for IT professionals describes the function, location, and effect of each Group Policy setting that is used to manage BitLocker Drive Encryption. -To control the drive encryption tasks the user can perform from the Windows Control Panel or to modify other configuration options, you can use Group Policy administrative templates or local computer policy settings. How you configure these policy settings depends on how you implement BitLocker and what level of user interaction will be allowed. +Group Policy administrative templates or local computer policy settings can be used to control what BitLocker drive encryption tasks and configurations can be performed by users, for example through the **BitLocker Drive Encryption** control panel. Which of these policies are configured and how they're configured depends on how BitLocker is implemented and what level of interaction is desired for end users. > [!NOTE] > A separate set of Group Policy settings supports the use of the Trusted Platform Module (TPM). For details about those settings, see [Trusted Platform Module Group Policy settings](../tpm/trusted-platform-module-services-group-policy-settings.md). -BitLocker Group Policy settings can be accessed using the Local Group Policy Editor and the Group Policy Management Console (GPMC) under **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption**. -Most of the BitLocker Group Policy settings are applied when BitLocker is initially turned on for a drive. If a computer isn't compliant with existing Group Policy settings, BitLocker may not be turned on or modified until the computer is in a compliant state. When a drive is out of compliance with Group Policy settings (for example, if a Group Policy setting was changed after the initial BitLocker deployment in your organization, and then the setting was applied to previously encrypted drives), no change can be made to the BitLocker configuration of that drive except a change that will bring it into compliance. +BitLocker Group Policy settings can be accessed using the Local Group Policy Editor and the Group Policy Management Console (GPMC) under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption**. -If multiple changes are necessary to bring the drive into compliance, you must suspend BitLocker protection, make the necessary changes, and then resume protection. This situation could occur, for example, if a removable drive is initially configured to be unlocked with a password and then Group -Policy settings are changed to disallow passwords and require smart cards. In this situation, you need to suspend BitLocker protection by using the [Manage-bde](/windows-server/administration/windows-commands/manage-bde) command-line tool, delete the password unlock method, and add the smart card method. After this is complete, BitLocker is compliant with the Group Policy setting and BitLocker protection on the drive can be resumed. +Most of the BitLocker Group Policy settings are applied when BitLocker is initially turned on for a drive. If a computer isn't compliant with existing Group Policy settings, BitLocker may not be turned on, or BitLocker configuration may be modified until the computer is in a compliant state. When a drive becomes out of compliance with Group Policy settings, only changes to the BitLocker configuration that will bring it into compliance are allowed. This scenario could occur, for example, if a previously encrypted drive was brought out of compliance by change in Group Policy settings. -## BitLocker group policy settings +If multiple changes are necessary to bring the drive into compliance, BitLocker protection may need to be suspended, the necessary changes made, and then protection resumed. This situation could occur, for example, if a removable drive is initially configured for unlock with a password but then Group Policy settings are changed to disallow passwords and require smart cards. In this situation, BitLocker protection needs to be suspended by using the [Manage-bde](/windows-server/administration/windows-commands/manage-bde) command-line tool, delete the password unlock method, and add the smart card method. After this process is complete, BitLocker is compliant with the Group Policy setting, and BitLocker protection on the drive can be resumed. + +In other scenarios, to bring the drive into compliance with a change in Group Policy settings, BitLocker may need to be disabled and the drive decrypted followed by reenabling BitLocker and then re-encrypting the drive. An example of this scenario is when the BitLocker encryption method or cipher strength is changed. The [Manage-bde](/windows-server/administration/windows-commands/manage-bde) command-line can also be used in this scenario to help bring the device into compliance. + +## BitLocker group policy settings details > [!NOTE] > For more details about Active Directory configuration related to BitLocker enablement, please see [Set up MDT for BitLocker](/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker). @@ -43,290 +47,281 @@ The following sections provide a comprehensive list of BitLocker group policy se The following policy settings can be used to determine how a BitLocker-protected drive can be unlocked. -- [Allow devices with Secure Boot and protected DMA ports to opt out of preboot PIN](#bkmk-hstioptout) -- [Allow network unlock at startup](#bkmk-netunlock) -- [Require additional authentication at startup](#bkmk-unlockpol1) -- [Allow enhanced PINs for startup](#bkmk-unlockpol2) -- [Configure minimum PIN length for startup](#bkmk-unlockpol3) -- [Disable new DMA devices when this computer is locked](#disable-new-dma-devices-when-this-computer-is-locked) -- [Disallow standard users from changing the PIN or password](#bkmk-dpinchange) -- [Configure use of passwords for operating system drives](#bkmk-ospw) -- [Require additional authentication at startup (Windows Server 2008 and Windows Vista)](#bkmk-unlockpol4) -- [Configure use of smart cards on fixed data drives](#bkmk-unlockpol5) -- [Configure use of passwords on fixed data drives](#bkmk-unlockpol6) -- [Configure use of smart cards on removable data drives](#bkmk-unlockpol7) -- [Configure use of passwords on removable data drives](#bkmk-unlockpol8) -- [Validate smart card certificate usage rule compliance](#bkmk-unlockpol9) -- [Enable use of BitLocker authentication requiring preboot keyboard input on slates](#bkmk-slates) +- [Allow devices with Secure Boot and protected DMA ports to opt out of preboot PIN](#allow-devices-with-secure-boot-and-protected-dma-ports-to-opt-out-of-preboot-pin) +- [Allow network unlock at startup](#allow-network-unlock-at-startup) +- [Require additional authentication at startup](#require-additional-authentication-at-startup) +- [Allow enhanced PINs for startup](#allow-enhanced-pins-for-startup) +- [Configure minimum PIN length for startup](#configure-minimum-pin-length-for-startup) +- [Disable new DMA devices when this computer is locked](#disable-new-dma-devices-when-this-computer-is-locked) +- [Disallow standard users from changing the PIN or password](#disallow-standard-users-from-changing-the-pin-or-password) +- [Configure use of passwords for operating system drives](#configure-use-of-passwords-for-operating-system-drives) +- [Require additional authentication at startup (Windows Server 2008 and Windows Vista)](#require-additional-authentication-at-startup-windows-server-2008-and-windows-vista) +- [Configure use of smart cards on fixed data drives](#configure-use-of-smart-cards-on-fixed-data-drives) +- [Configure use of passwords on fixed data drives](#configure-use-of-passwords-on-fixed-data-drives) +- [Configure use of smart cards on removable data drives](#configure-use-of-smart-cards-on-removable-data-drives) +- [Configure use of passwords on removable data drives](#configure-use-of-passwords-on-removable-data-drives) +- [Validate smart card certificate usage rule compliance](#validate-smart-card-certificate-usage-rule-compliance) +- [Enable use of BitLocker authentication requiring preboot keyboard input on slates](#enable-use-of-bitlocker-authentication-requiring-preboot-keyboard-input-on-slates) The following policy settings are used to control how users can access drives and how they can use BitLocker on their computers. -- [Deny write access to fixed drives not protected by BitLocker](#bkmk-driveaccess1) -- [Deny write access to removable drives not protected by BitLocker](#bkmk-driveaccess2) -- [Control use of BitLocker on removable drives](#bkmk-driveaccess3) +- [Deny write access to fixed drives not protected by BitLocker](#deny-write-access-to-fixed-drives-not-protected-by-bitlocker) +- [Deny write access to removable drives not protected by BitLocker](#deny-write-access-to-removable-drives-not-protected-by-bitlocker) +- [Control use of BitLocker on removable drives](#control-use-of-bitlocker-on-removable-drives) The following policy settings determine the encryption methods and encryption types that are used with BitLocker. -- [Choose drive encryption method and cipher strength](#bkmk-encryptmeth) -- [Configure use of hardware-based encryption for fixed data drives](#bkmk-hdefxd) -- [Configure use of hardware-based encryption for operating system drives](#bkmk-hdeosd) -- [Configure use of hardware-based encryption for removable data drives](#bkmk-hderdd) -- [Enforce drive encryption type on fixed data drives](#bkmk-detypefdd) -- [Enforce drive encryption type on operating system drives](#bkmk-detypeosd) -- [Enforce drive encryption type on removable data drives](#bkmk-detyperdd) +- [Choose drive encryption method and cipher strength](#choose-drive-encryption-method-and-cipher-strength) +- [Configure use of hardware-based encryption for fixed data drives](#configure-use-of-hardware-based-encryption-for-fixed-data-drives) +- [Configure use of hardware-based encryption for operating system drives](#configure-use-of-hardware-based-encryption-for-operating-system-drives) +- [Configure use of hardware-based encryption for removable data drives](#configure-use-of-hardware-based-encryption-for-removable-data-drives) +- [Enforce drive encryption type on fixed data drives](#enforce-drive-encryption-type-on-fixed-data-drives) +- [Enforce drive encryption type on operating system drives](#enforce-drive-encryption-type-on-operating-system-drives) +- [Enforce drive encryption type on removable data drives](#enforce-drive-encryption-type-on-removable-data-drives) The following policy settings define the recovery methods that can be used to restore access to a BitLocker-protected drive if an authentication method fails or is unable to be used. -- [Choose how BitLocker-protected operating system drives can be recovered](#bkmk-rec1) -- [Choose how users can recover BitLocker-protected drives (Windows Server 2008 and Windows Vista)](#bkmk-rec2) -- [Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)](#bkmk-rec3) -- [Choose default folder for recovery password](#bkmk-rec4) -- [Choose how BitLocker-protected fixed drives can be recovered](#bkmk-rec6) -- [Choose how BitLocker-protected removable drives can be recovered](#bkmk-rec7) -- [Configure the pre-boot recovery message and URL](#bkmk-configurepreboot) +- [Choose how BitLocker-protected operating system drives can be recovered](#choose-how-bitlocker-protected-operating-system-drives-can-be-recovered) +- [Choose how users can recover BitLocker-protected drives (Windows Server 2008 and Windows Vista)](#choose-how-users-can-recover-bitlocker-protected-drives-windows-server-2008-and-windows-vista) +- [Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)](#store-bitlocker-recovery-information-in-active-directory-domain-services-windows-server-2008-and-windows-vista) +- [Choose default folder for recovery password](#choose-default-folder-for-recovery-password) +- [Choose how BitLocker-protected fixed drives can be recovered](#choose-how-bitlocker-protected-fixed-drives-can-be-recovered) +- [Choose how BitLocker-protected removable drives can be recovered](#choose-how-bitlocker-protected-removable-drives-can-be-recovered) +- [Configure the pre-boot recovery message and URL](#configure-the-pre-boot-recovery-message-and-url) -The following policies are used to support customized deployment scenarios in your organization. +The following policies are used to support customized deployment scenarios in an organization. -- [Allow Secure Boot for integrity validation](#bkmk-secboot) -- [Provide the unique identifiers for your organization](#bkmk-depopt1) -- [Prevent memory overwrite on restart](#bkmk-depopt2) -- [Configure TPM platform validation profile for BIOS-based firmware configurations](#bkmk-tpmbios) -- [Configure TPM platform validation profile (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2)](#bkmk-depopt3) -- [Configure TPM platform validation profile for native UEFI firmware configurations](#bkmk-tpmvaluefi) -- [Reset platform validation data after BitLocker recovery](#bkmk-resetrec) -- [Use enhanced Boot Configuration Data validation profile](#bkmk-enbcd) -- [Allow access to BitLocker-protected fixed data drives from earlier versions of Windows](#bkmk-depopt4) -- [Allow access to BitLocker-protected removable data drives from earlier versions of Windows](#bkmk-depopt5) +- [Allow Secure Boot for integrity validation](#allow-secure-boot-for-integrity-validation) +- [Provide the unique identifiers for your organization](#provide-the-unique-identifiers-for-your-organization) +- [Prevent memory overwrite on restart](#prevent-memory-overwrite-on-restart) +- [Configure TPM platform validation profile for BIOS-based firmware configurations](#configure-tpm-platform-validation-profile-for-bios-based-firmware-configurations) +- [Configure TPM platform validation profile (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2)](#configure-tpm-platform-validation-profile-windows-vista-windows-server-2008-windows-7-windows-server-2008-r2) +- [Configure TPM platform validation profile for native UEFI firmware configurations](#configure-tpm-platform-validation-profile-for-native-uefi-firmware-configurations) +- [Reset platform validation data after BitLocker recovery](#reset-platform-validation-data-after-bitlocker-recovery) +- [Use enhanced Boot Configuration Data validation profile](#use-enhanced-boot-configuration-data-validation-profile) +- [Allow access to BitLocker-protected fixed data drives from earlier versions of Windows](#allow-access-to-bitlocker-protected-fixed-data-drives-from-earlier-versions-of-windows) +- [Allow access to BitLocker-protected removable data drives from earlier versions of Windows](#allow-access-to-bitlocker-protected-removable-data-drives-from-earlier-versions-of-windows) -### Allow devices with secure boot and protected DMA ports to opt out of preboot PIN +### Allow devices with secure boot and protected DMA ports to opt out of preboot PIN -| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can allow TPM-only protection for newer, more secure devices, such as devices that support Modern Standby or HSTI, while requiring PIN on older devices.| -|**Introduced**|Windows 10, version 1703, or Windows 11| +|**Policy description**|With this policy setting, TPM-only protection can be allowed for newer, more secure devices, such as devices that support Modern Standby or HSTI, while requiring PIN on older devices.| +|**Introduced**|Windows 10, version 1703| |**Drive type**|Operating system drives| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| -|**Conflicts**|This setting overrides the **Require startup PIN with TPM** option of the [Require additional authentication at startup](#bkmk-unlockpol1) policy on compliant hardware.| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*| +|**Conflicts**|This setting overrides the **Require startup PIN with TPM** option of the [Require additional authentication at startup](#require-additional-authentication-at-startup) policy on compliant hardware.| |**When enabled**|Users on Modern Standby and HSTI compliant devices will have the choice to turn on BitLocker without preboot authentication.| -|**When disabled or not configured**|The options of the [Require additional authentication at startup](#bkmk-unlockpol1) policy apply.| +|**When disabled or not configured**|The options of the [Require additional authentication at startup](#require-additional-authentication-at-startup) policy apply.| -**Reference** +#### Reference: Allow devices with secure boot and protected DMA ports to opt out of preboot PIN -The preboot authentication option **Require startup PIN with TPM** of the [Require additional authentication at startup](#bkmk-unlockpol1) policy is often enabled to help ensure security for older devices that don't support Modern Standby. But visually impaired users have no audible way to know when to enter a PIN. +The preboot authentication option **Require startup PIN with TPM** of the [Require additional authentication at startup](#require-additional-authentication-at-startup) policy is often enabled to help ensure security for older devices that don't support Modern Standby. But visually impaired users have no audible way to know when to enter a PIN. This setting enables an exception to the PIN-required policy on secure hardware. -### Allow network unlock at startup +### Allow network unlock at startup This policy controls a portion of the behavior of the Network Unlock feature in BitLocker. This policy is required to enable BitLocker Network Unlock on a network because it allows clients running BitLocker to create the necessary network key protector during encryption. This policy is used with the BitLocker Drive Encryption Network Unlock Certificate security policy (located in the **Public Key Policies** folder of Local Computer Policy) to allow systems that are connected to a trusted network to properly utilize the Network Unlock feature. -| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can control whether a BitLocker-protected computer that is connected to a trusted local area network and joined to a domain can create and use network key protectors on TPM-enabled computers to automatically unlock the operating system drive when the computer is started.| +|**Policy description**|With this policy setting, it can be controlled whether a BitLocker-protected computer that is connected to a trusted local area network and joined to a domain can create and use network key protectors on TPM-enabled computers to automatically unlock the operating system drive when the computer is started.| |**Introduced**|Windows Server 2012 and Windows 8| |**Drive type**|Operating system drives| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*| |**Conflicts**|None| |**When enabled**|Clients configured with a BitLocker Network Unlock certificate can create and use Network Key Protectors.| -|**When disabled or not configured**|Clients can't create and use Network Key Protectors| +|**When disabled or not configured**|Clients can't create and use Network Key Protectors.| -**Reference** +#### Reference: Allow network unlock at startup -To use a network key protector to unlock the computer, the computer and the server that hosts BitLocker Drive Encryption Network Unlock must be provisioned with a Network Unlock certificate. The Network Unlock certificate is used to create a network key protector and to protect the information exchange with the server to unlock the computer. You can use the Group Policy setting **Computer Configuration\\Windows Settings\\Security Settings\\Public Key Policies\\BitLocker Drive Encryption Network Unlock Certificate** on the domain controller to distribute this certificate to computers in your organization. This unlock method uses the TPM on the computer, so computers that don't have a TPM can't create network key protectors to automatically unlock by using Network Unlock. +To use a network key protector to unlock the computer, the computer and the server that hosts BitLocker Drive Encryption Network Unlock must be provisioned with a Network Unlock certificate. The Network Unlock certificate is used to create a network key protector and to protect the information exchange with the server to unlock the computer. The Group Policy setting **Computer Configuration** > **Windows Settings** > **Security Settings** > **Public Key Policies** > **BitLocker Drive Encryption Network Unlock Certificate** can be used on the domain controller to distribute this certificate to computers in the organization. This unlock method uses the TPM on the computer, so computers that don't have a TPM can't create network key protectors to automatically unlock by using Network Unlock. > [!NOTE] > For reliability and security, computers should also have a TPM startup PIN that can be used when the computer is disconnected from the wired network or can't connect to the domain controller at startup. For more information about Network Unlock feature, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md). -### Require additional authentication at startup +### Require additional authentication at startup This policy setting is used to control which unlock options are available for operating system drives. -| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with a Trusted Platform Module (TPM). This policy setting is applied when you turn on BitLocker.| +|**Policy description**|With this policy setting, it can be configured whether BitLocker requires additional authentication each time the computer starts and whether BitLocker will be used with a Trusted Platform Module (TPM). This policy setting is applied when BitLocker is turned on.| |**Introduced**|Windows Server 2008 R2 and Windows 7| |**Drive type**|Operating system drives| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*| |**Conflicts**|If one authentication method is required, the other methods can't be allowed. Use of BitLocker with a TPM startup key or with a TPM startup key and a PIN must be disallowed if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled.| |**When enabled**|Users can configure advanced startup options in the BitLocker Setup Wizard.| -|**When disabled or not configured**|Users can configure only basic options on computers with a TPM.

                              Only one of the additional authentication options can be required at startup; otherwise, a policy error occurs.| +|**When disabled or not configured**|Users can configure only basic options on computers with a TPM.

                              Only one of the additional authentication options can be required at startup; otherwise, a policy error occurs.| -**Reference** +#### Reference: Require additional authentication at startup -If you want to use BitLocker on a computer without a TPM, select **Allow BitLocker without a compatible TPM**. In this mode, a password or USB drive is required for startup. The USB drive stores the startup key that is used to encrypt the drive. When the USB drive is inserted, the startup key is authenticated and the operating system drive is accessible. If the USB drive is lost or unavailable, BitLocker recovery is required to access the drive. +If BitLocker needs to be used on a computer without a TPM, select **Allow BitLocker without a compatible TPM**. In this mode, a password or USB drive is required for startup. The USB drive stores the startup key that is used to encrypt the drive. When the USB drive is inserted, the startup key is authenticated, and the operating system drive is accessible. If the USB drive is lost or unavailable, BitLocker recovery is required to access the drive. On a computer with a compatible TPM, additional authentication methods can be used at startup to improve protection for encrypted data. When the computer starts, it can use: -- Only the TPM -- Insertion of a USB flash drive containing the startup key -- The entry of a 4-digit to 20-digit personal identification number (PIN) -- A combination of the PIN and the USB flash drive +- Only the TPM +- Insertion of a USB flash drive containing the startup key +- The entry of a 4-digit to 20-digit personal identification number (PIN) +- A combination of the PIN and the USB flash drive There are four options for TPM-enabled computers or devices: -- Configure TPM startup +- Configure TPM startup + - Allow TPM + - Require TPM + - Do not allow TPM +- Configure TPM startup PIN - - Allow TPM - - Require TPM - - Do not allow TPM -- Configure TPM startup PIN + - Allow startup PIN with TPM + - Require startup PIN with TPM + - Do not allow startup PIN with TPM - - Allow startup PIN with TPM - - Require startup PIN with TPM - - Do not allow startup PIN with TPM -- Configure TPM startup key +- Configure TPM startup key + - Allow startup key with TPM + - Require startup key with TPM + - Do not allow startup key with TPM - - Allow startup key with TPM - - Require startup key with TPM - - Do not allow startup key with TPM -- Configure TPM startup key and PIN +- Configure TPM startup key and PIN + - Allow TPM startup key with PIN + - Require startup key and PIN with TPM + - Do not allow TPM startup key with PIN - - Allow TPM startup key with PIN - - Require startup key and PIN with TPM - - Do not allow TPM startup key with PIN +### Allow enhanced PINs for startup -### Allow enhanced PINs for startup +This policy setting permits the use of enhanced PINs when an unlock method that includes a PIN is used. -This policy setting permits the use of enhanced PINs when you use an unlock method that includes a PIN. - -| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can configure whether enhanced startup PINs are used with BitLocker.| +|**Policy description**|With this policy setting, it can be configured whether enhanced startup PINs are used with BitLocker.| |**Introduced**|Windows Server 2008 R2 and Windows 7| |**Drive type**|Operating system drives| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*| |**Conflicts**|None| |**When enabled**|All new BitLocker startup PINs that are set will be enhanced PINs. Existing drives that were protected by using standard startup PINs aren't affected.| -|**When disabled or not configured**|Enhanced PINs will not be used.| +|**When disabled or not configured**|Enhanced PINs won't be used.| -**Reference** +#### Reference: Allow enhanced PINs for startup -Enhanced startup PINs permit the use of characters (including uppercase and lowercase letters, symbols, numbers, and spaces). This policy setting is applied when you turn on BitLocker. +Enhanced startup PINs permit the use of characters (including uppercase and lowercase letters, symbols, numbers, and spaces). This policy setting is applied when BitLocker is turned on. > [!IMPORTANT] > Not all computers support enhanced PIN characters in the preboot environment. It's strongly recommended that users perform a system check during the BitLocker setup to verify that enhanced PIN characters can be used. -### Configure minimum PIN length for startup +### Configure minimum PIN length for startup -This policy setting is used to set a minimum PIN length when you use an unlock method that includes a PIN. +This policy setting is used to set a minimum PIN length when an unlock method that includes a PIN is used. -| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can configure a minimum length for a TPM startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of four digits, and it can have a maximum length of 20 digits. By default, the minimum PIN length is 6.| +|**Policy description**|With this policy setting, it can be configured a minimum length for a TPM startup PIN. This policy setting is applied when BitLocker is turned on. The startup PIN must have a minimum length of four digits, and it can have a maximum length of 20 digits. By default, the minimum PIN length is 6.| |**Introduced**|Windows Server 2008 R2 and Windows 7| |**Drive type**|Operating system drives| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*| |**Conflicts**|None| -|**When enabled**|You can require that startup PINs set by users must have a minimum length you choose that is between 4 and 20 digits.| +|**When enabled**|The required minimum length of startup PINs set by users can be set between 4 and 20 digits.| |**When disabled or not configured**|Users can configure a startup PIN of any length between 6 and 20 digits.| -**Reference** +#### Reference: Configure minimum PIN length for startup -This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of four digits and can have a maximum length of 20 digits. +This policy setting is applied when BitLocker is turned on. The startup PIN must have a minimum length of four digits and can have a maximum length of 20 digits. -Originally, BitLocker allowed a length from 4 to 20 characters for a PIN. -Windows Hello has its own PIN for logon, length of which can be 4 to 127 characters. -Both BitLocker and Windows Hello use the TPM to prevent PIN brute-force attacks. +Originally, BitLocker allowed a length from 4 to 20 characters for a PIN. Windows Hello has its own PIN for sign-in, length of which can be 4 to 127 characters. Both BitLocker and Windows Hello use the TPM to prevent PIN brute-force attacks. The TPM can be configured to use Dictionary Attack Prevention parameters ([lockout threshold and lockout duration](../tpm/trusted-platform-module-services-group-policy-settings.md)) to control how many failed authorizations attempts are allowed before the TPM is locked out, and how much time must elapse before another attempt can be made. -The Dictionary Attack Prevention Parameters provide a way to balance security needs with usability. -For example, when BitLocker is used with a TPM + PIN configuration, the number of PIN guesses is limited over time. -A TPM 2.0 in this example could be configured to allow only 32 PIN guesses immediately, and then only one more guess every two hours. -This totals a maximum of about 4415 guesses per year. -If the PIN is four digits, all 9999 possible PIN combinations could be attempted in a little over two years. +The Dictionary Attack Prevention Parameters provide a way to balance security needs with usability. For example, when BitLocker is used with a TPM + PIN configuration, the number of PIN guesses is limited over time. A TPM 2.0 in this example could be configured to allow only 32 PIN guesses immediately, and then only one more guess every two hours. This number of attempts totals to a maximum of about 4415 guesses per year. If the PIN is four digits, all 9999 possible PIN combinations could be attempted in a little over two years. -Increasing the PIN length requires a greater number of guesses for an attacker. -In that case, the lockout duration between each guess can be shortened to allow legitimate users to retry a failed attempt sooner, while maintaining a similar level of protection. +Increasing the PIN length requires a greater number of guesses for an attacker. In that case, the lockout duration between each guess can be shortened to allow legitimate users to retry a failed attempt sooner, while maintaining a similar level of protection. -Beginning with Windows 10, version 1703, or Windows 11, the minimum length for the BitLocker PIN was increased to six characters to better align with other Windows features that use TPM 2.0, including Windows Hello. -To help organizations with the transition, beginning with Windows 10, version 1709 and Windows 10, version 1703 with the October 2017, or Windows 11 [cumulative update](https://support.microsoft.com/help/4018124) installed, the BitLocker PIN length is six characters by default, but it can be reduced to four characters. -If the minimum PIN length is reduced from the default of six characters, then the TPM 2.0 lockout period will be extended. +Beginning with Windows 10, version 1703, the minimum length for the BitLocker PIN was increased to six characters to better align with other Windows features that use TPM 2.0, including Windows Hello. To help organizations with the transition, beginning with Windows 10, version 1709 and Windows 10, version 1703 with the October 2017 [cumulative update](https://support.microsoft.com/help/4018124) installed, the BitLocker PIN length is six characters by default, but it can be reduced to four characters. If the minimum PIN length is reduced from the default of six characters, then the TPM 2.0 lockout period will be extended. ### Disable new DMA devices when this computer is locked -This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI ports until a user signs in to Windows. +This policy setting allows blocking of direct memory access (DMA) for all hot pluggable PCI ports until a user signs in to Windows. -| |   | +| Item | Info | |:---|:---| |**Policy description**|This setting helps prevent attacks that use external PCI-based devices to access BitLocker keys.| -|**Introduced**|Windows 10, version 1703, or Windows 11| +|**Introduced**|Windows 10, version 1703| |**Drive type**|Operating system drives| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption*| |**Conflicts**|None| |**When enabled**|Every time the user locks the scree, DMA will be blocked on hot pluggable PCI ports until the user signs in again.| |**When disabled or not configured**|DMA is available on hot pluggable PCI devices if the device is turned on, regardless of whether a user is signed in.| -**Reference** +#### Reference: Disable new DMA devices when this computer is locked This policy setting is only enforced when BitLocker or device encryption is enabled. As explained in the [Microsoft Security Guidance blog](/archive/blogs/secguide/issue-with-bitlockerdma-setting-in-windows-10-fall-creators-update-v1709), in some cases when this setting is enabled, internal, PCI-based peripherals can fail, including wireless network drivers and input and audio peripherals. This problem is fixed in the [April 2018 quality update](https://support.microsoft.com/help/4093105). -### Disallow standard users from changing the PIN or password +### Disallow standard users from changing the PIN or password -This policy setting allows you to configure whether standard users are allowed to change the PIN or password that is used to protect the operating system drive. +This policy setting allows configuration of whether standard users are allowed to change the PIN or password that is used to protect the operating system drive. -| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can configure whether standard users are allowed to change the PIN or password used to protect the operating system drive.| +|**Policy description**|With this policy setting, it can be configured whether standard users are allowed to change the PIN or password used to protect the operating system drive.| |**Introduced**|Windows Server 2012 and Windows 8| |**Drive type**|Operating system drives| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*| |**Conflicts**|None| |**When enabled**|Standard users aren't allowed to change BitLocker PINs or passwords.| |**When disabled or not configured**|Standard users are permitted to change BitLocker PINs or passwords.| -**Reference** +#### Reference: Disallow standard users from changing the PIN or password -To change the PIN or password, the user must be able to provide the current PIN or password. This policy setting is applied when you turn on BitLocker. +To change the PIN or password, the user must be able to provide the current PIN or password. This policy setting is applied when BitLocker is turned on. -### Configure use of passwords for operating system drives +### Configure use of passwords for operating system drives This policy controls how non-TPM based systems utilize the password protector. Used with the **Password must meet complexity requirements** policy, this policy allows administrators to require password length and complexity for using the password protector. By default, passwords must be eight characters in length. Complexity configuration options determine how important domain connectivity is for the client. For the strongest password security, administrators should choose **Require password complexity** because it requires domain connectivity, and it requires that the BitLocker password meets the same password complexity requirements as domain sign-in passwords. -| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can specify the constraints for passwords that are used to unlock operating system drives that are protected with BitLocker.| +|**Policy description**|With this policy setting, the constraints for passwords that are used to unlock operating system drives that are protected with BitLocker can be specified.| |**Introduced**|Windows Server 2012 and Windows 8| |**Drive type**|Operating system drives| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| -|**Conflicts**|Passwords can't be used if FIPS-compliance is enabled.


                              **NOTE:** The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting, which is located at **Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options** specifies whether FIPS-compliance is enabled.| -|**When enabled**|Users can configure a password that meets the requirements you define. To enforce complexity requirements for the password, select **Require complexity**.| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*| +|**Conflicts**|Passwords can't be used if FIPS-compliance is enabled.

                              **NOTE:** The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting, which is located at *Computer Configuration* > *Windows Settings* > *Security Settings* > *Local Policies* > *Security Options* specifies whether FIPS-compliance is enabled.
                              | +|**When enabled**|Users can configure a password that meets the defined requirements. To enforce complexity requirements for the password, select **Require complexity**.| |**When disabled or not configured**|The default length constraint of eight characters will apply to operating system drive passwords and no complexity checks will occur.| -**Reference** +#### Reference: Configure use of passwords for operating system drives -If non-TPM protectors are allowed on operating system drives, you can provision a password, enforce complexity requirements on the password, and configure a minimum length for the password. For the complexity requirement setting to be effective, the group policy setting **Password must meet complexity requirements**, which is located at **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\**, must be also enabled. +If non-TPM protectors are allowed on operating system drives, a password, enforcement of complexity requirements on the password, and configuration of a minimum length for the password can all be provisioned. For the complexity requirement setting to be effective, the group policy setting **Password must meet complexity requirements**, which is located at *Computer Configuration* > *Windows Settings* > *Security Settings* > *Account Policies* > *Password Policy*, must be also enabled. > [!NOTE] > These settings are enforced when turning on BitLocker, not when unlocking a volume. BitLocker allows unlocking a drive with any of the protectors that are available on the drive. -When set to **Require complexity**, a connection to a domain controller is necessary when BitLocker is enabled to validate the complexity the password. When set to **Allow complexity**, a connection to a domain controller is attempted to validate that the complexity adheres to the rules set by the policy. If no domain controllers are found, the password will be accepted regardless of actual password complexity, and the drive will be encrypted by using that password as a protector. When set to **Do not allow complexity**, there is no password complexity validation. +When set to **Require complexity**, a connection to a domain controller is necessary when BitLocker is enabled to validate the complexity the password. When set to **Allow complexity**, a connection to a domain controller is attempted to validate that the complexity adheres to the rules set by the policy. If no domain controllers are found, the password will be accepted regardless of actual password complexity, and the drive will be encrypted by using that password as a protector. When set to **Do not allow complexity**, there's no password complexity validation. + Passwords must be at least eight characters. To configure a greater minimum length for the password, enter the desired number of characters in the **Minimum password length** box. -When this policy setting is enabled, you can set the option **Configure password complexity for operating system drives** to: +When this policy setting is enabled, the option **Configure password complexity for operating system drives** can be set to: -- Allow password complexity -- Deny password complexity -- Require password complexity +- Allow password complexity +- Deny password complexity +- Require password complexity -### Require additional authentication at startup (Windows Server 2008 and Windows Vista) +### Require additional authentication at startup (Windows Server 2008 and Windows Vista) This policy setting is used to control what unlock options are available for computers running Windows Server 2008 or Windows Vista. -| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can control whether the BitLocker Setup Wizard on computers running Windows Vista or Windows Server 2008 can set up an additional authentication method that is required each time the computer starts.| +|**Policy description**|With this policy setting, it can be controlled whether the BitLocker Setup Wizard on computers running Windows Vista or Windows Server 2008 can set up an additional authentication method that is required each time the computer starts.| |**Introduced**|Windows Server 2008 and Windows Vista| |**Drive type**|Operating system drives (Windows Server 2008 and Windows Vista)| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| -|**Conflicts**|If you choose to require an additional authentication method, other authentication methods can't be allowed.| -|**When enabled**|The BitLocker Setup Wizard displays the page that allows the user to configure advanced startup options for BitLocker. You can further configure setting options for computers with or without a TPM.| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*| +|**Conflicts**|If an additional authentication method is chosen, other authentication methods can't be allowed.| +|**When enabled**|The BitLocker Setup Wizard displays the page that allows the user to configure advanced startup options for BitLocker. Setting options can be further configured for computers with or without a TPM.| |**When disabled or not configured**|The BitLocker Setup Wizard displays basic steps that allow users to enable BitLocker on computers with a TPM. In this basic wizard, no additional startup key or startup PIN can be configured.| -**Reference** +#### Reference: Require additional authentication at startup (Windows Server 2008 and Windows Vista) On a computer with a compatible TPM, two authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can prompt users to insert a USB drive that contains a startup key. It can also prompt users to enter a startup PIN with a length between 6 and 20 digits. @@ -334,57 +329,56 @@ A USB drive that contains a startup key is needed on computers without a compati There are two options for TPM-enabled computers or devices: -- Configure TPM startup PIN +- Configure TPM startup PIN + - Allow startup PIN with TPM + - Require startup PIN with TPM + - Do not allow startup PIN with TPM - - Allow startup PIN with TPM - - Require startup PIN with TPM - - Do not allow startup PIN with TPM -- Configure TPM startup key +- Configure TPM startup key + - Allow startup key with TPM + - Require startup key with TPM + - Do not allow startup key with TPM - - Allow startup key with TPM - - Require startup key with TPM - - Do not allow startup key with TPM - -These options are mutually exclusive. If you require the startup key, you must not allow the startup PIN. If you require the startup PIN, you must not allow the startup key. Otherwise, a policy error will occur. +These options are mutually exclusive. If a startup key is required, a startup PIN isn't allowed. If startup PIN is required, startup key isn't allowed. If these policies are in conflict, a policy error will occur. To hide the advanced page on a TPM-enabled computer or device, set these options to **Do not allow** for the startup key and for the startup PIN. -### Configure use of smart cards on fixed data drives +### Configure use of smart cards on fixed data drives This policy setting is used to require, allow, or deny the use of smart cards with fixed data drives. -| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can specify whether smart cards can be used to authenticate user access to the BitLocker-protected fixed data drives on a computer.| +|**Policy description**|This policy setting can be used to specify whether smart cards can be used to authenticate user access to the BitLocker-protected fixed data drives on a computer.| |**Introduced**|Windows Server 2008 R2 and Windows 7| |**Drive type**|Fixed data drives| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives| -|**Conflicts**|To use smart cards with BitLocker, you may also need to modify the object identifier setting in the **Computer Configuration\Administrative Templates\BitLocker Drive Encryption\Validate smart card certificate usage rule compliance** policy setting to match the object identifier of your smart card certificates.| -|**When enabled**|Smart cards can be used to authenticate user access to the drive. You can require smart card authentication by selecting the **Require use of smart cards on fixed data drives** check box.| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Fixed Data Drives*| +|**Conflicts**|To use smart cards with BitLocker, the object identifier setting in the **Computer Configuration\Administrative Templates\BitLocker Drive Encryption\Validate smart card certificate usage rule compliance** policy setting may need to be modified to match the object identifier of the smart card certificates.| +|**When enabled**|Smart cards can be used to authenticate user access to the drive. Smart card authentication can be required by selecting the **Require use of smart cards on fixed data drives** check box.| |**When disabled**|Users can't use smart cards to authenticate their access to BitLocker-protected fixed data drives.| |**When not configured**|Smart cards can be used to authenticate user access to a BitLocker-protected drive.| -**Reference** +#### Reference: Configure use of smart cards on fixed data drives > [!NOTE] > These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive by using any of the protectors that are available on the drive. -### Configure use of passwords on fixed data drives +### Configure use of passwords on fixed data drives This policy setting is used to require, allow, or deny the use of passwords with fixed data drives. -| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can specify whether a password is required to unlock BitLocker-protected fixed data drives.| +|**Policy description**|With this policy setting, it can be specified whether a password is required to unlock BitLocker-protected fixed data drives.| |**Introduced**|Windows Server 2008 R2 and Windows 7| |**Drive type**|Fixed data drives| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Fixed Data Drives*| |**Conflicts**|To use password complexity, the **Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Password must meet complexity requirements** policy setting must also be enabled.| -|**When enabled**|Users can configure a password that meets the requirements you define. To require the use of a password, select **Require password for fixed data drive**. To enforce complexity requirements on the password, select **Require complexity**.| +|**When enabled**|Users can configure a password that meets the defined requirements. To require the use of a password, select **Require password for fixed data drive**. To enforce complexity requirements on the password, select **Require complexity**.| |**When disabled**|The user isn't allowed to use a password.| |**When not configured**|Passwords are supported with the default settings, which don't include password complexity requirements and require only eight characters.| -**Reference** +#### Reference: Configure use of passwords on fixed data drives When set to **Require complexity**, a connection to a domain controller is necessary to validate the complexity of the password when BitLocker is enabled. @@ -397,53 +391,51 @@ Passwords must be at least eight characters. To configure a greater minimum leng > [!NOTE] > These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive. -For the complexity requirement setting to be effective, the Group Policy setting **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Password must meet complexity requirements** must also be enabled. -This policy setting is configured on a per-computer basis. This means that it applies to local user accounts and domain user accounts. Because the password filter that's used to validate password complexity is located on the domain controllers, local user accounts can't access the password filter because they're not authenticated for domain access. When this policy setting is enabled, if you sign in with a local user account, and you attempt to encrypt a drive or change a password on an existing BitLocker-protected drive, an "Access denied" error message is displayed. In this situation, the password key protector can't be added to the drive. +For the complexity requirement setting to be effective, the Group Policy setting **Computer Configuration** > **Windows Settings** > **Security Settings** > **Account Policies** > **Password Policy** > **Password must meet complexity requirements** must also be enabled. This policy setting is configured on a per-computer basis. The policy setting also applies to both local user accounts and domain user accounts. Because the password filter that's used to validate password complexity is located on the domain controllers, local user accounts can't access the password filter because they're not authenticated for domain access. When this policy setting is enabled, if a local user account signs in, and a drive is attempted to be encrypted or a password changed on an existing BitLocker-protected drive, an **Access denied** error message is displayed. In this situation, the password key protector can't be added to the drive. -Enabling this policy setting requires that connectivity to a domain be established before adding a password key protector to a BitLocker-protected drive. Users who work remotely and have periods of time in which they can't connect to the domain should be made aware of this requirement so that they can schedule a time when they will be connected to the domain to turn on BitLocker or to change a password on a BitLocker-protected data drive. +Enabling this policy setting requires that a device is connected to a domain before adding a password key protector to a BitLocker-protected drive. Users who work remotely and have periods of time in which they can't connect to the domain should be made aware of this requirement so that they can schedule a time when they'll be connected to the domain to turn on BitLocker or to change a password on a BitLocker-protected data drive. > [!IMPORTANT] -> Passwords can't be used if FIPS compliance is enabled. The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting in **Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** specifies whether FIPS compliance is enabled. +> Passwords can't be used if FIPS compliance is enabled. The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting in *Computer Configuration* > *Windows Settings* > *Security Settings* > *Local Policies* > *Security Options* specifies whether FIPS compliance is enabled. -### Configure use of smart cards on removable data drives +### Configure use of smart cards on removable data drives This policy setting is used to require, allow, or deny the use of smart cards with removable data drives. -| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can specify whether smart cards can be used to authenticate user access to BitLocker-protected removable data drives on a computer.| +|**Policy description**|This policy setting can be used to specify whether smart cards can be used to authenticate user access to BitLocker-protected removable data drives on a computer.| |**Introduced**|Windows Server 2008 R2 and Windows 7| |**Drive type**|Removable data drives| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives| -|**Conflicts**|To use smart cards with BitLocker, you may also need to modify the object identifier setting in the **Computer Configuration\Administrative Templates\BitLocker Drive Encryption\Validate smart card certificate usage rule compliance** policy setting to match the object identifier of your smart card certificates.| -|**When enabled**|Smart cards can be used to authenticate user access to the drive. You can require smart card authentication by selecting the **Require use of smart cards on removable data drives** check box.| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Removable Data Drives*| +|**Conflicts**|To use smart cards with BitLocker, the object identifier setting in the **Computer Configuration** > **Administrative Templates** > **BitLocker Drive Encryption** > **Validate smart card certificate usage rule compliance** policy setting may also need to be modified to match the object identifier of the smart card certificates.| +|**When enabled**|Smart cards can be used to authenticate user access to the drive. Smart card authentication can be required by selecting the **Require use of smart cards on removable data drives** check box.| |**When disabled or not configured**|Users aren't allowed to use smart cards to authenticate their access to BitLocker-protected removable data drives.| |**When not configured**|Smart cards are available to authenticate user access to a BitLocker-protected removable data drive.| -**Reference** +#### Reference: Configure use of smart cards on removable data drives > [!NOTE] > These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive. -### Configure use of passwords on removable data drives +### Configure use of passwords on removable data drives This policy setting is used to require, allow, or deny the use of passwords with removable data drives. -| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can specify whether a password is required to unlock BitLocker-protected removable data drives.| +|**Policy description**|With this policy setting, it can be specified whether a password is required to unlock BitLocker-protected removable data drives.| |**Introduced**|Windows Server 2008 R2 and Windows 7| |**Drive type**|Removable data drives| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Removable Data Drives*| |**Conflicts**|To use password complexity, the **Password must meet complexity requirements** policy setting, which is located at **Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy** must also be enabled.| -|**When enabled**|Users can configure a password that meets the requirements you define. To require the use of a password, select **Require password for removable data drive**. To enforce complexity requirements on the password, select **Require complexity**.| +|**When enabled**|Users can configure a password that meets the defined requirements. To require the use of a password, select **Require password for removable data drive**. To enforce complexity requirements on the password, select **Require complexity**.| |**When disabled**|The user isn't allowed to use a password.| |**When not configured**|Passwords are supported with the default settings, which don't include password complexity requirements and require only eight characters.| -**Reference** +#### Reference: Configure use of passwords on removable data drives -If you choose to allow the use of a password, you can require a password to be used, enforce complexity requirements, and configure a minimum length. For the complexity requirement setting to be effective, the group policy setting **Password must meet complexity requirements**, which is located at -**Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy**, must also be enabled. +If use of passwords is allowed, requiring a password to be used, enforcement of password complexity requirements, and password minimum length can all be configured. For the complexity requirement setting to be effective, the group policy setting **Password must meet complexity requirements**, which is located at *Computer Configuration* > *Windows Settings* > *Security Settings* > *Account Policies* > *Password Policy*, must also be enabled. > [!NOTE] > These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive. @@ -452,32 +444,32 @@ Passwords must be at least eight characters. To configure a greater minimum leng When set to **Require complexity**, a connection to a domain controller is necessary when BitLocker is enabled to validate the complexity of the password. -When set to **Allow complexity**, a connection to a domain controller is be attempted to validate that the complexity adheres to the rules set by the policy. However, if no domain controllers are found, the password is still be accepted regardless of actual password complexity and the drive is encrypted by using that password as a protector. +When set to **Allow complexity**, a connection to a domain controller is attempted to validate that the complexity adheres to the rules set by the policy. However, if no domain controllers are found, the password is still be accepted regardless of actual password complexity and the drive is encrypted by using that password as a protector. When set to **Do not allow complexity**, no password complexity validation is done. > [!NOTE] -> Passwords can't be used if FIPS compliance is enabled. The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting in **Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** specifies whether FIPS compliance is enabled. +> Passwords can't be used if FIPS compliance is enabled. The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting in **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** > **Security Options** specifies whether FIPS compliance is enabled. For information about this setting, see [System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing](../../threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md). -### Validate smart card certificate usage rule compliance +### Validate smart card certificate usage rule compliance This policy setting is used to determine what certificate to use with BitLocker. -| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can associate an object identifier from a smart card certificate to a BitLocker-protected drive.| +|**Policy description**|With this policy setting, an object identifier from a smart card certificate can be associated to a BitLocker-protected drive.| |**Introduced**|Windows Server 2008 R2 and Windows 7| |**Drive type**|Fixed and removable data drives| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption*| |**Conflicts**|None| |**When enabled**|The object identifier that is specified in the **Object identifier** setting must match the object identifier in the smart card certificate.| |**When disabled or not configured**|The default object identifier is used.| -**Reference** +#### Reference: Validate smart card certificate usage rule compliance -This policy setting is applied when you turn on BitLocker. +This policy setting is applied when BitLocker is turned on. The object identifier is specified in the enhanced key usage (EKU) of a certificate. BitLocker can identify which certificates can be used to authenticate a user certificate to a BitLocker-protected drive by matching the object identifier in the certificate with the object identifier that is defined by this policy setting. @@ -486,138 +478,143 @@ The default object identifier is 1.3.6.1.4.1.311.67.1.1. > [!NOTE] > BitLocker doesn't require that a certificate have an EKU attribute; however, if one is configured for the certificate, it must be set to an object identifier that matches the object identifier configured for BitLocker. -### Enable use of BitLocker authentication requiring preboot keyboard input on slates +### Enable use of BitLocker authentication requiring preboot keyboard input on slates -### Enable use of BitLocker authentication requiring pre-boot keyboard input on slates - -| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can allow users to enable authentication options that require user input from the preboot environment, even if the platform indicates a lack of preboot input capability.| +|**Policy description**|With this policy setting, users can be allowed to enable authentication options that require user input from the preboot environment, even if the platform indicates a lack of preboot input capability.| |**Introduced**|Windows Server 2012 and Windows 8| |**Drive type**|Operating system drive| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drive| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*| |**Conflicts**|None| |**When enabled**|Devices must have an alternative means of preboot input (such as an attached USB keyboard).| |**When disabled or not configured**|The Windows Recovery Environment must be enabled on tablets to support entering the BitLocker recovery password.| -**Reference** +#### Reference: Enable use of BitLocker authentication requiring preboot keyboard input on slates The Windows touch keyboard (such as used by tablets) isn't available in the preboot environment where BitLocker requires additional information, such as a PIN or password. It's recommended that administrators enable this policy only for devices that are verified to have an alternative means of preboot input, such as attaching a USB keyboard. -When the Windows Recovery Environment isn't enabled and this policy isn't enabled, you can't turn on BitLocker on a device that uses the Windows touch keyboard. +When the Windows Recovery Environment (WinRE) isn't enabled and this policy isn't enabled, BitLocker can't be turned on a device that uses the Windows touch keyboard. -If you don't enable this policy setting, the following options in the **Require additional authentication at startup** policy might not be available: +If this policy setting isn't enabled, the following options in the **Require additional authentication at startup** policy might not be available: -- Configure TPM startup PIN: Required and Allowed -- Configure TPM startup key and PIN: Required and Allowed -- Configure use of passwords for operating system drives +- Configure TPM startup PIN: Required and Allowed +- Configure TPM startup key and PIN: Required and Allowed +- Configure use of passwords for operating system drives -### Deny write access to fixed drives not protected by BitLocker +### Deny write access to fixed drives not protected by BitLocker This policy setting is used to require encryption of fixed drives prior to granting Write access. -| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can set whether BitLocker protection is required for fixed data drives to be writable on a computer.| +|**Policy description**|With this policy setting, it can be set whether BitLocker protection is required for fixed data drives to be writable on a computer.| |**Introduced**|Windows Server 2008 R2 and Windows 7| |**Drive type**|Fixed data drives| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Fixed Data Drives*| |**Conflicts**|See the Reference section for a description of conflicts.| |**When enabled**|All fixed data drives that aren't BitLocker-protected are mounted as Read-only. If the drive is protected by BitLocker, it's mounted with Read and Write access.| |**When disabled or not configured**|All fixed data drives on the computer are mounted with Read and Write access.| -**Reference** +#### Reference: Deny write access to fixed drives not protected by BitLocker -This policy setting is applied when you turn on BitLocker. +This policy setting is applied when BitLocker is turned on. Conflict considerations include: -1. When this policy setting is enabled, users receive "Access denied" error messages when they try to save data to unencrypted fixed data drives. See the Reference section for additional conflicts. -2. If BdeHdCfg.exe is run on a computer when this policy setting is enabled, you could encounter the following issues: +1. When this policy setting is enabled, users receive **Access denied** error messages when they try to save data to unencrypted fixed data drives. See the Reference section for additional conflicts. - - If you attempted to shrink the drive and create the system drive, the drive size is successfully reduced and a raw partition is created. However, the raw partition isn't formatted. The following error message is displayed: "The new active drive cannot be formatted. You may need to manually prepare your drive for BitLocker." - - If you attempt to use unallocated space to create the system drive, a raw partition will be created. However, the raw partition will not be formatted. The following error message is displayed: "The new active drive cannot be formatted. You may need to manually prepare your drive for BitLocker." - - If you attempt to merge an existing drive into the system drive, the tool fails to copy the required boot file onto the target drive to create the system drive. The following error message is displayed: "BitLocker setup failed to copy boot files. You may need to manually prepare your drive for BitLocker." +2. If `BdeHdCfg.exe` is run on a computer when this policy setting is enabled, the following issues could be encountered: -3. If this policy setting is enforced, a hard drive can't be repartitioned because the drive is protected. If you are upgrading computers in your organization from a previous version of Windows, and those computers were configured with a single partition, you should create the required BitLocker system partition before you apply this policy setting to the computers. + - If it was attempted to shrink a drive to create the system drive, the drive size is successfully reduced, and a raw partition is created. However, the raw partition isn't formatted. The following error message is displayed: **The new active drive cannot be formatted. You may need to manually prepare your drive for BitLocker.** -### Deny write access to removable drives not protected by BitLocker + - If it was attempted to use unallocated space to create the system drive, a raw partition will be created. However, the raw partition won't be formatted. The following error message is displayed: **The new active drive cannot be formatted. You may need to manually prepare your drive for BitLocker.** + + - If it was attempted to merge an existing drive into the system drive, the tool fails to copy the required boot file onto the target drive to create the system drive. The following error message is displayed: **BitLocker setup failed to copy boot files. You may need to manually prepare your drive for BitLocker.** + +3. If this policy setting is enforced, a hard drive can't be repartitioned because the drive is protected. If computers are being upgrading in an organization from a previous version of Windows, and those computers were configured with a single partition, the required BitLocker system partition should be created before applying this policy setting to the computers. + +### Deny write access to removable drives not protected by BitLocker This policy setting is used to require that removable drives are encrypted prior to granting Write access, and to control whether BitLocker-protected removable drives that were configured in another organization can be opened with Write access. -| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can configure whether BitLocker protection is required for a computer to be able to write data to a removable data drive.| +|**Policy description**|With this policy setting, it can be configured whether BitLocker protection is required for a computer to be able to write data to a removable data drive.| |**Introduced**|Windows Server 2008 R2 and Windows 7| |**Drive type**|Removable data drives| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Removable Data Drives*| |**Conflicts**|See the Reference section for a description of conflicts.| |**When enabled**|All removable data drives that aren't BitLocker-protected are mounted as Read-only. If the drive is protected by BitLocker, it's mounted with Read and Write access.| |**When disabled or not configured**|All removable data drives on the computer are mounted with Read and Write access.| -**Reference** +#### Reference: Deny write access to removable drives not protected by BitLocker If the **Deny write access to devices configured in another organization** option is selected, only drives with identification fields that match the computer's identification fields are given Write access. When a removable data drive is accessed, it's checked for a valid identification field and allowed identification fields. These fields are defined by the **Provide the unique identifiers for your organization** policy setting. > [!NOTE] -> You can override this policy setting with the policy settings under **User Configuration\\Administrative Templates\\System\\Removable Storage Access**. If the **Removable Disks: Deny write access** policy setting is enabled, this policy setting will be ignored. +> This policy setting can be overridden with the policy settings under **User Configuration** > **Administrative Templates** > **System** > **Removable Storage Access**. If the **Removable Disks: Deny write access** policy setting is enabled, this policy setting will be ignored. Conflict considerations include: -1. Use of BitLocker with the TPM plus a startup key or with the TPM plus a PIN and startup key must be disallowed if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled. -2. Use of recovery keys must be disallowed if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled. -3. You must enable the **Provide the unique identifiers for your organization** policy setting if you want to deny Write access to drives that were configured in another organization. +1. Use of BitLocker with the TPM plus a startup key or with the TPM plus a PIN and startup key must be disallowed if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled. -### Control use of BitLocker on removable drives +2. Use of recovery keys must be disallowed if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled. + +3. The **Provide the unique identifiers for your organization** policy setting must be enabled if Write access needs to be denied to drives that were configured in another organization. + +### Control use of BitLocker on removable drives This policy setting is used to prevent users from turning BitLocker on or off on removable data drives. -| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can control the use of BitLocker on removable data drives.| +|**Policy description**|With this policy setting, it can be controlled the use of BitLocker on removable data drives.| |**Introduced**|Windows Server 2008 R2 and Windows 7| |**Drive type**|Removable data drives| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Removable Data Drives*| |**Conflicts**|None| -|**When enabled**|You can select property settings that control how users can configure BitLocker.| +|**When enabled**|Property settings can be selected that control how users can configure BitLocker.| |**When disabled**|Users can't use BitLocker on removable data drives.| |**When not configured**|Users can use BitLocker on removable data drives.| -**Reference** +#### Reference: Control use of BitLocker on removable drives -This policy setting is applied when you turn on BitLocker. +This policy setting is applied when BitLocker is turned on. For information about suspending BitLocker protection, see [BitLocker Basic Deployment](bitlocker-basic-deployment.md). The options for choosing property settings that control how users can configure BitLocker are: -- **Allow users to apply BitLocker protection on removable data drives** Enables the user to run the BitLocker Setup Wizard on a removable data drive. -- **Allow users to suspend and decrypt BitLocker on removable data drives** Enables the user to remove BitLocker from the drive or to suspend the encryption while performing maintenance. +- **Allow users to apply BitLocker protection on removable data drives** Enables the user to run the BitLocker Setup Wizard on a removable data drive. -### Choose drive encryption method and cipher strength +- **Allow users to suspend and decrypt BitLocker on removable data drives** Enables the user to remove BitLocker from the drive or to suspend the encryption while performing maintenance. + +### Choose drive encryption method and cipher strength This policy setting is used to control the encryption method and cipher strength. -| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can control the encryption method and strength for drives.| +|**Policy description**|With this policy setting, it can be controlled the encryption method and strength for drives.| |**Introduced**|Windows Server 2012 and Windows 8| |**Drive type**|All drives| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption*| |**Conflicts**|None| -|**When enabled**|You can choose an encryption algorithm and key cipher strength for BitLocker to use to encrypt drives.| -|**When disabled or not configured**|Beginning with Windows 10, version 1511, or Windows 11, BitLocker uses the default encryption method of XTS-AES 128-bit or the encryption method that is specified by the setup script. +|**When enabled**|An encryption algorithm and key cipher strength for BitLocker can be chosen to use to encrypt drives.| +|**When disabled or not configured**|Beginning with Windows 10, version 1511, BitLocker uses the default encryption method of XTS-AES 128-bit or the encryption method that is specified by the setup script. -**Reference** +#### Reference: Choose drive encryption method and cipher strength -The values of this policy determine the strength of the cipher that BitLocker uses for encryption. -Enterprises may want to control the encryption level for increased security (AES-256 is stronger than AES-128). +The values of this policy determine the strength of the cipher that BitLocker uses for encryption. Enterprises may want to control the encryption level for increased security (AES-256 is stronger than AES-128). -If you enable this setting, you can configure an encryption algorithm and key cipher strength for fixed data drives, operating system drives, and removable data drives individually. -For fixed and operating system drives, we recommend that you use the XTS-AES algorithm. -For removable drives, you should use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in other devices that aren't running Windows 10, version 1511 or later, or Windows 11. +If this setting is enabled, it can be configured an encryption algorithm and key cipher strength for fixed data drives, operating system drives, and removable data drives individually. + +- For fixed and operating system drives, it's recommended to use the XTS-AES algorithm. + +- For removable drives, AES-CBC 128-bit or AES-CBC 256-bit should be used if the drive will be used in other devices that aren't running Windows 10, version 1511 or later. Changing the encryption method has no effect if the drive is already encrypted or if encryption is in progress. In these cases, this policy setting is ignored. @@ -626,171 +623,171 @@ Changing the encryption method has no effect if the drive is already encrypted o When this policy setting is disabled or not configured, BitLocker will use the default encryption method of XTS-AES 128-bit or the encryption method that is specified in the setup script. -### Configure use of hardware-based encryption for fixed data drives +### Configure use of hardware-based encryption for fixed data drives This policy controls how BitLocker reacts to systems that are equipped with encrypted drives when they're used as fixed data volumes. Using hardware-based encryption can improve the performance of drive operations that involve frequent reading or writing of data to the drive. -| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can manage BitLocker’s use of hardware-based encryption on fixed data drives and to specify which encryption algorithms BitLocker can use with hardware-based encryption.| +|**Policy description**|This policy setting allows management of BitLocker's use of hardware-based encryption on fixed data drives and to specify which encryption algorithms BitLocker can use with hardware-based encryption.| |**Introduced**|Windows Server 2012 and Windows 8| |**Drive type**|Fixed data drives| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Fixed Data Drives*| |**Conflicts**|None| -|**When enabled**|You can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that don't support hardware-based encryption. You can also specify whether you want to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption.| +|**When enabled**|Additional options can be specified that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that don't support hardware-based encryption. It can also be specified to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption.| |**When disabled**|BitLocker can't use hardware-based encryption with fixed data drives, and BitLocker software-based encryption is used by default when the drive in encrypted.| |**When not configured**|BitLocker software-based encryption is used irrespective of hardware-based encryption ability.| -**Reference** +#### Reference: Configure use of hardware-based encryption for fixed data drives > [!NOTE] > The **Choose drive encryption method and cipher strength** policy setting doesn't apply to hardware-based encryption. -The encryption algorithm that is used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm that is configured on the drive to encrypt the drive. The **Restrict encryption algorithms and cipher suites allowed for hardware-based encryption** option of this setting enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm that is set for the drive isn't available, BitLocker disables the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID), for example: +The encryption algorithm that is used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm that is configured on the drive to encrypt the drive. The **Restrict encryption algorithms and cipher suites allowed for hardware-based encryption** option of this setting enables restriction of the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm that is set for the drive isn't available, BitLocker disables the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID), for example: -- Advanced Encryption Standard (AES) 128 in Cipher Block Chaining (CBC) mode OID: 2.16.840.1.101.3.4.1.2 -- AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42 +- Advanced Encryption Standard (AES) 128 in Cipher Block Chaining (CBC) mode OID: 2.16.840.1.101.3.4.1.2 +- AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42 -### Configure use of hardware-based encryption for operating system drives +### Configure use of hardware-based encryption for operating system drives This policy controls how BitLocker reacts when encrypted drives are used as operating system drives. Using hardware-based encryption can improve the performance of drive operations that involve frequent reading or writing of data to the drive. -| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can manage BitLocker’s use of hardware-based encryption on operating system drives and specify which encryption algorithms it can use with hardware-based encryption.| +|**Policy description**|This policy setting allows management of BitLocker's use of hardware-based encryption on operating system drives and specifies which encryption algorithms it can use with hardware-based encryption.| |**Introduced**|Windows Server 2012 and Windows 8| |**Drive type**|Operating system drives| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*| |**Conflicts**|None| -|**When enabled**|You can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that don't support hardware-based encryption. You can also specify whether you want to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption.| +|**When enabled**|Additional options can be specified that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that don't support hardware-based encryption. It can also be specified to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption.| |**When disabled**|BitLocker can't use hardware-based encryption with operating system drives, and BitLocker software-based encryption is used by default when the drive in encrypted.| |**When not configured**|BitLocker software-based encryption is used irrespective of hardware-based encryption ability.| -**Reference** +#### Reference: Configure use of hardware-based encryption for operating system drives If hardware-based encryption isn't available, BitLocker software-based encryption is used instead. > [!NOTE] > The **Choose drive encryption method and cipher strength** policy setting doesn't apply to hardware-based encryption. -The encryption algorithm that is used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm that is configured on the drive to encrypt the drive. The **Restrict encryption algorithms and cipher suites allowed for hardware-based encryption** option of this setting enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm that is set for the drive isn't available, BitLocker disables the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID), for example: +The encryption algorithm that is used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm that is configured on the drive to encrypt the drive. The **Restrict encryption algorithms and cipher suites allowed for hardware-based encryption** option of this setting enables restriction of the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm that is set for the drive isn't available, BitLocker disables the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID), for example: -- Advanced Encryption Standard (AES) 128 in Cipher Block Chaining (CBC) mode OID: 2.16.840.1.101.3.4.1.2 -- AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42 +- Advanced Encryption Standard (AES) 128 in Cipher Block Chaining (CBC) mode OID: 2.16.840.1.101.3.4.1.2 +- AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42 -### Configure use of hardware-based encryption for removable data drives +### Configure use of hardware-based encryption for removable data drives This policy controls how BitLocker reacts to encrypted drives when they're used as removable data drives. Using hardware-based encryption can improve the performance of drive operations that involve frequent reading or writing of data to the drive. -| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can manage BitLocker’s use of hardware-based encryption on removable data drives and specify which encryption algorithms it can use with hardware-based encryption.| +|**Policy description**|This policy setting allows management of BitLocker's use of hardware-based encryption on removable data drives and specifies which encryption algorithms it can use with hardware-based encryption.| |**Introduced**|Windows Server 2012 and Windows 8| |**Drive type**|Removable data drive| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Removable Data Drives*| |**Conflicts**|None| -|**When enabled**|You can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that don't support hardware-based encryption. You can also specify whether you want to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption.| +|**When enabled**|Additional options can be specified that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that don't support hardware-based encryption. It can also be specified to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption.| |**When disabled**|BitLocker can't use hardware-based encryption with removable data drives, and BitLocker software-based encryption is used by default when the drive in encrypted.| |**When not configured**|BitLocker software-based encryption is used irrespective of hardware-based encryption ability.| -**Reference** +#### Reference: Configure use of hardware-based encryption for removable data drives If hardware-based encryption isn't available, BitLocker software-based encryption is used instead. > [!NOTE] > The **Choose drive encryption method and cipher strength** policy setting doesn't apply to hardware-based encryption. -The encryption algorithm that is used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm that is configured on the drive to encrypt the drive. The **Restrict encryption algorithms and cipher suites allowed for hardware-based encryption** option of this setting enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm that is set for the drive isn't available, BitLocker disables the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID), for example: +The encryption algorithm that is used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm that is configured on the drive to encrypt the drive. The **Restrict encryption algorithms and cipher suites allowed for hardware-based encryption** option of this setting enables restriction of the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm that is set for the drive isn't available, BitLocker disables the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID), for example: -- Advanced Encryption Standard (AES) 128 in Cipher Block Chaining (CBC) mode OID: 2.16.840.1.101.3.4.1.2 -- AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42 +- Advanced Encryption Standard (AES) 128 in Cipher Block Chaining (CBC) mode OID: 2.16.840.1.101.3.4.1.2 +- AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42 -### Enforce drive encryption type on fixed data drives +### Enforce drive encryption type on fixed data drives This policy controls whether fixed data drives utilize Used Space Only encryption or Full encryption. Setting this policy also causes the BitLocker Setup Wizard to skip the encryption options page so no encryption selection displays to the user. -| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can configure the encryption type that is used by BitLocker.| +|**Policy description**|With this policy setting, it can be configured the encryption type that is used by BitLocker.| |**Introduced**|Windows Server 2012 and Windows 8| |**Drive type**|Fixed data drive| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Fixed Data Drives*| |**Conflicts**|None| |**When enabled**|This policy defines the encryption type that BitLocker uses to encrypt drives, and the encryption type option isn't presented in the BitLocker Setup Wizard.| |**When disabled or not configured**|The BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker.| -**Reference** +#### Reference: Enforce drive encryption type on fixed data drives -This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to make it mandatory for the entire drive to be encrypted when BitLocker is turned on. Choose Used Space Only encryption to make it mandatory to encrypt only that portion of the drive that is used to store data when BitLocker is turned on. +This policy setting is applied when BitLocker is turned on. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to make it mandatory for the entire drive to be encrypted when BitLocker is turned on. Choose Used Space Only encryption to make it mandatory to encrypt only that portion of the drive that is used to store data when BitLocker is turned on. > [!NOTE] -> This policy is ignored when you are shrinking or expanding a volume and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space isn't wiped as it would be for a drive that is using Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: `manage-bde -w`. If the volume is shrunk, no action is taken for the new free space. +> This policy is ignored when a volume is being shrunk or expanded and the BitLocker drive uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space isn't wiped as it would be for a drive that is using Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: `manage-bde.exe -w`. If the volume is shrunk, no action is taken for the new free space. For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde). -### Enforce drive encryption type on operating system drives +### Enforce drive encryption type on operating system drives This policy controls whether operating system drives utilize Full encryption or Used Space Only encryption. Setting this policy also causes the BitLocker Setup Wizard to skip the encryption options page, so no encryption selection displays to the user. -| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can configure the encryption type that is used by BitLocker.| +|**Policy description**|With this policy setting, it can be configured the encryption type that is used by BitLocker.| |**Introduced**|Windows Server 2012 and Windows 8| |**Drive type**|Operating system drive| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*| |**Conflicts**|None| |**When enabled**|The encryption type that BitLocker uses to encrypt drives is defined by this policy, and the encryption type option isn't presented in the BitLocker Setup Wizard.| |**When disabled or not configured**|The BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker.| -**Reference** +#### Reference: Enforce drive encryption type on operating system drives -This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to make it mandatory for the entire drive to be encrypted when BitLocker is turned on. Choose Used Space Only encryption to make it mandatory to encrypt only that portion of the drive that is used to store data when BitLocker is turned on. +This policy setting is applied when BitLocker is turned on. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to make it mandatory for the entire drive to be encrypted when BitLocker is turned on. Choose Used Space Only encryption to make it mandatory to encrypt only that portion of the drive that is used to store data when BitLocker is turned on. > [!NOTE] -> This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space isn't wiped as it would be for a drive that uses Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: `manage-bde -w`. If the volume is shrunk, no action is taken for the new free space. +> This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space isn't wiped as it would be for a drive that uses Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: `manage-bde.exe -w`. If the volume is shrunk, no action is taken for the new free space. For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde). -### Enforce drive encryption type on removable data drives +### Enforce drive encryption type on removable data drives This policy controls whether fixed data drives utilize Full encryption or Used Space Only encryption. Setting this policy also causes the BitLocker Setup Wizard to skip the encryption options page, so no encryption selection displays to the user. -| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can configure the encryption type that is used by BitLocker.| +|**Policy description**|With this policy setting, it can be configured the encryption type that is used by BitLocker.| |**Introduced**|Windows Server 2012 and Windows 8| |**Drive type**|Removable data drive| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Removable Data Drives*| |**Conflicts**|None| |**When enabled**|The encryption type that BitLocker uses to encrypt drives is defined by this policy, and the encryption type option isn't presented in the BitLocker Setup Wizard.| |**When disabled or not configured**|The BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker.| -**Reference** +#### Reference: Enforce drive encryption type on removable data drives -This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to make it mandatory for the entire drive to be encrypted when BitLocker is turned on. Choose Used Space Only encryption to make it mandatory to encrypt only that portion of the drive that is used to store data when BitLocker is turned on. +This policy setting is applied when BitLocker is turned on. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to make it mandatory for the entire drive to be encrypted when BitLocker is turned on. Choose Used Space Only encryption to make it mandatory to encrypt only that portion of the drive that is used to store data when BitLocker is turned on. > [!NOTE] -> This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space isn't wiped as it would be for a drive that is using Full Encryption. The user could wipe the free space on a Used Space Only drive by using the following command: `manage-bde -w`. If the volume is shrunk, no action is taken for the new free space. +> This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space isn't wiped as it would be for a drive that is using Full Encryption. The user could wipe the free space on a Used Space Only drive by using the following command: `manage-bde.exe -w`. If the volume is shrunk, no action is taken for the new free space. For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde). -### Choose how BitLocker-protected operating system drives can be recovered +### Choose how BitLocker-protected operating system drives can be recovered This policy setting is used to configure recovery methods for operating system drives. -| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information.| +|**Policy description**|With this policy setting, it can be controlled how BitLocker-protected operating system drives are recovered in the absence of the required startup key information.| |**Introduced**|Windows Server 2008 R2 and Windows 7| |**Drive type**|Operating system drives| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| -|**Conflicts**|You must disallow the use of recovery keys if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled.

                              When using data recovery agents, you must enable the **Provide the unique identifiers for your organization** policy setting.| -|**When enabled**|You can control the methods that are available to users to recover data from BitLocker-protected operating system drives.| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*| +|**Conflicts**|The use of recovery keys must be disallowed if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled.

                              When using data recovery agents, the **Provide the unique identifiers for your organization** policy setting must be enabled.| +|**When enabled**|it can be controlled the methods that are available to users to recover data from BitLocker-protected operating system drives.| |**When disabled or not configured**|The default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information isn't backed up to AD DS.| -**Reference** +#### Reference: Choose how BitLocker-protected operating system drives can be recovered -This policy setting is applied when you turn on BitLocker. +This policy setting is applied when BitLocker is turned on. The **Allow data recovery agent** check box is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used, it must be added from **Public Key Policies**, which is located in the Group Policy Management Console (GPMC) or in the Local Group Policy Editor. @@ -798,377 +795,380 @@ For more information about adding data recovery agents, see [BitLocker basic dep In **Configure user storage of BitLocker recovery information**, select whether users are allowed, required, or not allowed to generate a 48-digit recovery password. -Select **Omit recovery options from the BitLocker setup wizard** to prevent users from specifying recovery options when they enable BitLocker on a drive. This means that you can't specify which recovery option to use when you enable BitLocker. Instead, BitLocker recovery options for -the drive are determined by the policy setting. +Select **Omit recovery options from the BitLocker setup wizard** to prevent users from specifying recovery options when they enable BitLocker on a drive. This policy setting means that which recovery option to use when BitLocker is enabled can't be specified. Instead, BitLocker recovery options for the drive are determined by the policy setting. -In **Save BitLocker recovery information to Active Directory Domain Services**, choose which BitLocker recovery information to store in Active Directory Domain Services (AD DS) for operating system drives. If you select **Store recovery password and key packages**, the BitLocker recovery password and the key package are stored in AD DS. Storing the key package supports the recovery of data from a drive that is physically corrupted. If you select **Store recovery password only**, only the recovery password is stored in AD DS. +In **Save BitLocker recovery information to Active Directory Domain Services**, choose which BitLocker recovery information to store in Active Directory Domain Services (AD DS) for operating system drives. If **Store recovery password and key packages** is selected, the BitLocker recovery password and the key package are stored in AD DS. Storing the key package supports the recovery of data from a drive that is physically corrupted. If **Store recovery password only** is selected, only the recovery password is stored in AD DS. -Select the **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. +Select the **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** check box if users need to be prevented from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. > [!NOTE] > If the **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** check box is selected, a recovery password is automatically generated. -### Choose how users can recover BitLocker-protected drives (Windows Server 2008 and Windows Vista) +### Choose how users can recover BitLocker-protected drives (Windows Server 2008 and Windows Vista) This policy setting is used to configure recovery methods for BitLocker-protected drives on computers running Windows Server 2008 or Windows Vista. -| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can control whether the BitLocker Setup Wizard can display and specify BitLocker recovery options.| +|**Policy description**|With this policy setting, it can be controlled whether the BitLocker Setup Wizard can display and specify BitLocker recovery options.| |**Introduced**|Windows Server 2008 and Windows Vista| |**Drive type**|Operating system drives and fixed data drives on computers running Windows Server 2008 and Windows Vista| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption| -|**Conflicts**|This policy setting provides an administrative method of recovering data that is encrypted by BitLocker to prevent data loss due to lack of key information. If you choose the **Do not allow** option for both user recovery options, you must enable the **Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)** policy setting to prevent a policy error.| -|**When enabled**|You can configure the options that the BitLocker Setup Wizard displays to users for recovering BitLocker encrypted data.| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption*| +|**Conflicts**|This policy setting provides an administrative method of recovering data that is encrypted by BitLocker to prevent data loss due to lack of key information. If the **Do not allow** option is chosen for both user recovery options, the **Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)** policy setting must be enabled to prevent a policy error.| +|**When enabled**|The options that the BitLocker Setup Wizard displays to users for recovering BitLocker encrypted data can be configured.| |**When disabled or not configured**|The BitLocker Setup Wizard presents users with ways to store recovery options.| -**Reference** +#### Reference: Choose how users can recover BitLocker-protected drives (Windows Server 2008 and Windows Vista) -This policy is only applicable to computers running Windows Server 2008 or Windows Vista. This policy setting is applied when you turn on BitLocker. +This policy is only applicable to computers running Windows Server 2008 or Windows Vista. This policy setting is applied when BitLocker is turned on. Two recovery options can be used to unlock BitLocker-encrypted data in the absence of the required startup key information. Users can type a 48-digit numerical recovery password, or they can insert a USB drive that contains a 256-bit recovery key. -Saving the recovery password to a USB drive stores the 48-digit recovery password as a text file and the 256-bit recovery key as a hidden file. Saving the recovery password to a folder stores the 48-digit recovery password as a text file. Printing the recovery password sends the 48-digit recovery password to the default printer. For example, not allowing the 48-digit recovery password prevents users from printing or saving recovery information to a folder. +- Saving the recovery password to a USB drive stores the 48-digit recovery password as a text file and the 256-bit recovery key as a hidden file. +- Saving the recovery password to a folder stores the 48-digit recovery password as a text file. +- Printing the recovery password sends the 48-digit recovery password to the default printer. + +For example, not allowing the 48-digit recovery password prevents users from printing or saving recovery information to a folder. > [!IMPORTANT] > If TPM initialization is performed during the BitLocker setup, TPM owner information is saved or printed with the BitLocker recovery information. > The 48-digit recovery password isn't available in FIPS-compliance mode. > [!IMPORTANT] -> To prevent data loss, you must have a way to recover BitLocker encryption keys. If you don't allow both recovery options, you must enable the backup of BitLocker recovery information to AD DS. Otherwise, a policy error occurs. +> To prevent data loss, there must be a way to recover BitLocker encryption keys. If both recovery options are not allowed, backup of BitLocker recovery information to AD DS must be enabled. Otherwise, a policy error occurs. -### Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista) +### Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista) -This policy setting is used to configure the storage of BitLocker recovery information in AD DS. This provides an administrative method of recovering data that is encrypted by BitLocker to prevent data loss due to lack of key information. +This policy setting is used to configure the storage of BitLocker recovery information in AD DS. This policy setting provides an administrative method of recovering data that is encrypted by BitLocker to prevent data loss due to lack of key information. -| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can manage the AD DS backup of BitLocker Drive Encryption recovery information.| +|**Policy description**|This policy setting allows management of the AD DS backup of BitLocker Drive Encryption recovery information.| |**Introduced**|Windows Server 2008 and Windows Vista| |**Drive type**|Operating system drives and fixed data drives on computers running Windows Server 2008 and Windows Vista.| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption*| |**Conflicts**|None| |**When enabled**|BitLocker recovery information is automatically and silently backed up to AD DS when BitLocker is turned on for a computer.| |**When disabled or not configured**|BitLocker recovery information isn't backed up to AD DS.| -**Reference** +#### Reference: Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista) This policy is only applicable to computers running Windows Server 2008 or Windows Vista. -This policy setting is applied when you turn on BitLocker. +This policy setting is applied when BitLocker is turned on. -BitLocker recovery information includes the recovery password and unique identifier data. You can also include a package that contains an encryption key for a BitLocker-protected drive. This key package is secured by one or more recovery passwords, and it can help perform specialized recovery when the disk is damaged or corrupted. +BitLocker recovery information includes the recovery password and unique identifier data. A package that contains an encryption key for a BitLocker-protected drive can also be included. This key package is secured by one or more recovery passwords, and it can help perform specialized recovery when the disk is damaged or corrupted. -If you select **Require BitLocker backup to AD DS**, BitLocker can't be turned on unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. This option is selected by default to help ensure that BitLocker recovery is possible. +If **Require BitLocker backup to AD DS** is selected, BitLocker can't be turned on unless the computer is connected to the domain, and the backup of BitLocker recovery information to AD DS succeeds. This option is selected by default to help ensure that BitLocker recovery is possible. -A recovery password is a 48-digit number that unlocks access to a BitLocker-protected drive. A key package contains a drive’s BitLocker encryption key, which is secured by one or more recovery passwords. Key packages may help perform specialized recovery when the disk is damaged or corrupted. +A recovery password is a 48-digit number that unlocks access to a BitLocker-protected drive. A key package contains a drive's BitLocker encryption key, which is secured by one or more recovery passwords. Key packages may help perform specialized recovery when the disk is damaged or corrupted. If the **Require BitLocker backup to AD DS** option isn't selected, AD DS backup is attempted, but network or other backup failures don't prevent the BitLocker setup. The Backup process isn't automatically retried, and the recovery password might not be stored in AD DS during BitLocker setup. -TPM initialization might be needed during the BitLocker setup. Enable the **Turn on TPM backup to Active Directory Domain Services** policy setting in **Computer Configuration\\Administrative Templates\\System\\Trusted Platform Module Services** to ensure that TPM information is also backed up. +TPM initialization might be needed during the BitLocker setup. Enable the **Turn on TPM backup to Active Directory Domain Services** policy setting in **Computer Configuration** > **Administrative Templates** > **System** > **Trusted Platform Module Services** to ensure that TPM information is also backed up. For more information about this setting, see [TPM Group Policy settings](/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings). -### Choose default folder for recovery password +### Choose default folder for recovery password This policy setting is used to configure the default folder for recovery passwords. -| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can specify the default path that is displayed when the BitLocker Setup Wizard prompts the user to enter the location of a folder in which to save the recovery password.| +|**Policy description**|With this policy setting, the default path that is displayed when the BitLocker Setup Wizard prompts the user to enter the location of a folder in which to save the recovery password can be specified.| |**Introduced**|Windows Vista| |**Drive type**|All drives| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption*| |**Conflicts**|None| -|**When enabled**|You can specify the path that will be used as the default folder location when the user chooses the option to save the recovery password in a folder. You can specify a fully qualified path or include the target computer's environment variables in the path. If the path isn't valid, the BitLocker Setup Wizard displays the computer's top-level folder view.| +|**When enabled**|The path that will be used as the default folder location when the user chooses the option to save the recovery password in a folder can be specified. A fully qualified path can be specified. The target computer's environment variables can also be included in the path. If the path isn't valid, the BitLocker Setup Wizard displays the computer's top-level folder view.| |**When disabled or not configured**|The BitLocker Setup Wizard displays the computer's top-level folder view when the user chooses the option to save the recovery password in a folder.| -**Reference** +#### Reference: Choose default folder for recovery password -This policy setting is applied when you turn on BitLocker. +This policy setting is applied when BitLocker is turned on. > [!NOTE] > This policy setting doesn't prevent the user from saving the recovery password in another folder. -### Choose how BitLocker-protected fixed drives can be recovered +### Choose how BitLocker-protected fixed drives can be recovered This policy setting is used to configure recovery methods for fixed data drives. -| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials.| +|**Policy description**|With this policy setting, it can be controlled how BitLocker-protected fixed data drives are recovered in the absence of the required credentials.| |**Introduced**|Windows Server 2008 R2 and Windows 7| |**Drive type**|Fixed data drives| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives| -|**Conflicts**|You must disallow the use of recovery keys if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled.

                              When using data recovery agents, you must enable and configure the **Provide the unique identifiers for your organization** policy setting.| -|**When enabled**|You can control the methods that are available to users to recover data from BitLocker-protected fixed data drives.| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Fixed Data Drives*| +|**Conflicts**|The use of recovery keys must be disallowed if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled.

                              When using data recovery agents, the **Provide the unique identifiers for your organization** policy setting must be enabled.| +|**When enabled**|it can be controlled the methods that are available to users to recover data from BitLocker-protected fixed data drives.| |**When disabled or not configured**|The default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information isn't backed up to AD DS.| -**Reference** +#### Reference: Choose how BitLocker-protected fixed drives can be recovered -This policy setting is applied when you turn on BitLocker. +This policy setting is applied when BitLocker is turned on. The **Allow data recovery agent** check box is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used, it must be added from **Public Key Policies**, which is located in the Group Policy Management Console (GPMC) or in the Local Group Policy Editor. In **Configure user storage of BitLocker recovery information**, select whether users can be allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key. -Select **Omit recovery options from the BitLocker setup wizard** to prevent users from specifying recovery options when they enable BitLocker on a drive. This means that you can't specify which recovery option to use when you enable BitLocker. Instead, BitLocker recovery options for the drive are determined by the policy setting. +Select **Omit recovery options from the BitLocker setup wizard** to prevent users from specifying recovery options when they enable BitLocker on a drive. This policy setting means that which recovery option to use when BitLocker is enabled can't be specified. Instead, BitLocker recovery options for the drive are determined by the policy setting. -In **Save BitLocker recovery information to Active Directory Domain Services**, choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select **Backup recovery password and key package**, the BitLocker recovery password and the key package are stored in AD DS. -Storing the key package supports recovering data from a drive that has been physically corrupted. To recover this data, you can use the `Repair-bde` command-line tool. If you select **Backup recovery password only**, only the recovery password is stored in AD DS. +In **Save BitLocker recovery information to Active Directory Domain Services**, choose which BitLocker recovery information to store in AD DS for fixed data drives. If **Backup recovery password and key package** is selected, the BitLocker recovery password and the key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. To recover this data, the `Repair-bde.exe` command-line tool can be used. If **Backup recovery password only** is selected, only the recovery password is stored in AD DS. For more information about the BitLocker repair tool, see [Repair-bde](/windows-server/administration/windows-commands/repair-bde). -Select the **Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. +Select the **Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives** check box if users should be prevented from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. > [!NOTE] > If the **Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives** check box is selected, a recovery password is automatically generated. -### Choose how BitLocker-protected removable drives can be recovered +### Choose how BitLocker-protected removable drives can be recovered This policy setting is used to configure recovery methods for removable data drives. -| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can control how BitLocker-protected removable data drives are recovered in the absence of the required credentials.| +|**Policy description**|With this policy setting, it can be controlled how BitLocker-protected removable data drives are recovered in the absence of the required credentials.| |**Introduced**|Windows Server 2008 R2 and Windows 7| |**Drive type**|Removable data drives| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives| -|**Conflicts**|You must disallow the use of recovery keys if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled.

                              When using data recovery agents, you must enable and configure the **Provide the unique identifiers for your organization** policy setting.| -|**When enabled**|You can control the methods that are available to users to recover data from BitLocker-protected removable data drives.| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Removable Data Drives*| +|**Conflicts**|The use of recovery keys must be disallowed if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled.

                              When using data recovery agents, the **Provide the unique identifiers for your organization** policy setting must be enabled.| +|**When enabled**|it can be controlled the methods that are available to users to recover data from BitLocker-protected removable data drives.| |**When disabled or not configured**|The default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information isn't backed up to AD DS.| -**Reference** +#### Reference: Choose how BitLocker-protected removable drives can be recovered -This policy setting is applied when you turn on BitLocker. +This policy setting is applied when BitLocker is turned on. The **Allow data recovery agent** check box is used to specify whether a data recovery agent can be used with BitLocker-protected removable data drives. Before a data recovery agent can be used, it must be added from **Public Key Policies** , which is accessed using the GPMC or the Local Group Policy Editor. In **Configure user storage of BitLocker recovery information**, select whether users can be allowed, required, or not allowed to generate a 48-digit recovery password. -Select **Omit recovery options from the BitLocker setup wizard** to prevent users from specifying recovery options when they enable BitLocker on a drive. This means that you can't specify which recovery option to use when you enable BitLocker. Instead, BitLocker recovery options for the drive are determined by the policy setting. +Select **Omit recovery options from the BitLocker setup wizard** to prevent users from specifying recovery options when they enable BitLocker on a drive. This policy setting means that which recovery option to use when BitLocker is enabled can't be specified. Instead, BitLocker recovery options for the drive are determined by the policy setting. -In **Save BitLocker recovery information to Active Directory Domain Services**, choose which BitLocker recovery information is to be stored in AD DS for removable data drives. If you select **Backup recovery password and key package**, the BitLocker recovery password and the key package are stored in AD DS. If you select **Backup recovery password only**, only the recovery password is stored in AD DS. +In **Save BitLocker recovery information to Active Directory Domain Services**, choose which BitLocker recovery information is to be stored in AD DS for removable data drives. If **Backup recovery password and key package** is selected, the BitLocker recovery password and the key package are stored in AD DS. If **Backup recovery password only** is selected, only the recovery password is stored in AD DS. -Select the **Do not enable BitLocker until recovery information is stored in AD DS for removable data drives** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. +Select the **Do not enable BitLocker until recovery information is stored in AD DS for removable data drives** check box if users should be prevented from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. > [!NOTE] > If the **Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives** check box is selected, a recovery password is automatically generated. -### Configure the pre-boot recovery message and URL +### Configure the pre-boot recovery message and URL This policy setting is used to configure the entire recovery message and to replace the existing URL that is displayed on the pre-boot recovery screen when the operating system drive is locked. -| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can configure the BitLocker recovery screen to display a customized message and URL.| +|**Policy description**|With this policy setting, it can be configured the BitLocker recovery screen to display a customized message and URL.| |**Introduced**|Windows| |**Drive type**|Operating system drives| -|**Policy path**|Computer Configuration \ Administrative Templates \ Windows Components \ BitLocker Drive Encryption \ Operating System Drives \ Configure pre-boot recovery message and URL| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives* > *Configure pre-boot recovery message and URL*| |**Conflicts**|None| -|**When enabled**|The customized message and URL are displayed on the pre-boot recovery screen. If you have previously enabled a custom recovery message and URL and want to revert to the default message and URL, you must keep the policy setting enabled and select the **Use default recovery message and URL** option.| +|**When enabled**|The customized message and URL are displayed on the pre-boot recovery screen. If a custom recovery message and URL has been previously enabled and the message and URL need to be reverted back to the default message and URL, the policy setting must be enabled and the **Use default recovery message and URL** option selected.| |**When disabled or not configured**|If the setting hasn't been previously enabled, then the default pre-boot recovery screen is displayed for BitLocker recovery. If the setting previously was enabled and is later disabled, then the last message in Boot Configuration Data (BCD) is displayed whether it was the default recovery message or the custom message.| -**Reference** +#### Reference: Configure the pre-boot recovery message and URL -Enabling the **Configure the pre-boot recovery message and URL** policy setting allows you to customize the default recovery screen message and URL to assist customers in recovering their key. +Enabling the **Configure the pre-boot recovery message and URL** policy setting allows customization of the default recovery screen message and URL to assist customers in recovering their key. -Once you enable the setting, you have three options: +Once the setting is enabled, three options are available: -- If you select the **Use default recovery message and URL** option, the default BitLocker recovery message and URL will be displayed on the pre-boot recovery screen. -- If you select the **Use custom recovery message** option, type the custom message in the **Custom recovery message option** text box. The message that you type in the **Custom recovery message option** text box is displayed on the pre-boot recovery screen. If a recovery URL is available, include it in the message. -- If you select the **Use custom recovery URL** option, type the custom message URL in the **Custom recovery URL option** text box. The URL that you type in the **Custom recovery URL option** text box replaces the default URL in the default recovery message, which is displayed on the pre-boot recovery screen. +- If the **Use default recovery message and URL** option is selected, the default BitLocker recovery message and URL will be displayed on the pre-boot recovery screen. +- If the **Use custom recovery message** option is selected, enter the custom message in the **Custom recovery message option** text box. The message that is entered in the **Custom recovery message option** text box is displayed on the pre-boot recovery screen. If a recovery URL is available, include it in the message. +- If the **Use custom recovery URL** option is selected, enter the custom message URL in the **Custom recovery URL option** text box. The URL that is entered in the **Custom recovery URL option** text box replaces the default URL in the default recovery message, which is displayed on the pre-boot recovery screen. > [!IMPORTANT] -> Not all characters and languages are supported in the pre-boot environment. We strongly recommended that you verify the correct appearance of the characters that you use for the custom message and URL on the pre-boot recovery screen. +> Not all characters and languages are supported in the pre-boot environment. It is strongly recommended to verify the correct appearance of the characters that are used for the custom message and URL on the pre-boot recovery screen. > [!IMPORTANT] -> Because you can alter the BCDEdit commands manually before you have set Group Policy settings, you can't return the policy setting to the default setting by selecting the **Not Configured** option after you have configured this policy setting. To return to the default pre-boot recovery screen leave the policy setting enabled and select the **Use default message** options from the **Choose an option for the pre-boot recovery message** drop-down list box. +> Because BCDEdit commands can be altered manually before Group Policy settings have been set, the policy setting can't be returned to the default setting by selecting the **Not Configured** option after this policy setting has been configured. To return to the default pre-boot recovery screen leave the policy setting enabled and select the **Use default message** options from the **Choose an option for the pre-boot recovery message** drop-down list box. -### Allow Secure Boot for integrity validation +### Allow Secure Boot for integrity validation This policy controls how BitLocker-enabled system volumes are handled with the Secure Boot feature. Enabling this feature forces Secure Boot validation during the boot process and verifies Boot Configuration Data (BCD) settings according to the Secure Boot policy. -| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can configure whether Secure Boot will be allowed as the platform integrity provider for BitLocker operating system drives.| +|**Policy description**|With this policy setting, it can be configured whether Secure Boot will be allowed as the platform integrity provider for BitLocker operating system drives.| |**Introduced**|Windows Server 2012 and Windows 8| |**Drive type**|All drives| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| -|**Conflicts**|If you enable **Allow Secure Boot for integrity validation**, make sure the **Configure TPM platform validation profile for native UEFI firmware configurations** Group Policy setting isn't enabled or include PCR 7 to allow BitLocker to use Secure Boot for platform or BCD integrity validation.

                              For more information about PCR 7, see [Platform Configuration Register (PCR)](#bkmk-pcr) in this article.| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*| +|**Conflicts**|If **Allow Secure Boot for integrity validation** is enabled, make sure the Configure TPM platform validation profile for native UEFI firmware configurations Group Policy setting isn't enabled, or include PCR 7 to allow BitLocker to use Secure Boot for platform or BCD integrity validation.

                              For more information about PCR 7, see [About the Platform Configuration Register (PCR)](#about-the-platform-configuration-register-pcr) in this article.| |**When enabled or not configured**|BitLocker uses Secure Boot for platform integrity if the platform is capable of Secure Boot-based integrity validation.| |**When disabled**|BitLocker uses legacy platform integrity validation, even on systems that are capable of Secure Boot-based integrity validation.| -**Reference** +#### Reference: Allow Secure Boot for integrity validation Secure boot ensures that the computer's pre-boot environment loads only firmware that is digitally signed by authorized software publishers. Secure boot also started providing more flexibility for managing pre-boot configurations than BitLocker integrity checks prior to Windows Server 2012 and Windows 8. + When this policy is enabled and the hardware is capable of using secure boot for BitLocker scenarios, the **Use enhanced Boot Configuration Data validation profile** group policy setting is ignored, and secure boot verifies BCD settings according to the secure boot policy setting, which is configured separately from BitLocker. > [!WARNING] -> Disabling this policy might result in BitLocker recovery when manufacturer-specific firmware is updated. If you disable this policy, suspend BitLocker prior to applying firmware updates. +> Disabling this policy might result in BitLocker recovery when manufacturer-specific firmware is updated. If this policy is disabled, suspend BitLocker prior to applying firmware updates. -### Provide the unique identifiers for your organization +### Provide the unique identifiers for your organization -This policy setting is used to establish an identifier that is applied to all drives that are encrypted in your organization. +This policy setting is used to establish an identifier that is applied to all drives that are encrypted in an organization. -| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can associate unique organizational identifiers to a new drive that is enabled with BitLocker.| +|**Policy description**|With this policy setting, unique organizational identifiers can be associated to a new drive that is enabled with BitLocker.| |**Introduced**|Windows Server 2008 R2 and Windows 7| |**Drive type**|All drives| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption*| |**Conflicts**|Identification fields are required to manage certificate-based data recovery agents on BitLocker-protected drives. BitLocker manages and updates certificate-based data recovery agents only when the identification field is present on a drive and it's identical to the value that is configured on the computer.| -|**When enabled**|You can configure the identification field on the BitLocker-protected drive and any allowed identification field that is used by your organization.| +|**When enabled**|The identification field on the BitLocker-protected drive and any allowed identification field that is used by an organization can be configured.| |**When disabled or not configured**|The identification field isn't required.| -**Reference** +#### Reference: Provide the unique identifiers for your organization -These identifiers are stored as the identification field and the allowed identification field. The identification field allows you to associate a unique organizational identifier to BitLocker-protected drives. This identifier is automatically added to new BitLocker-protected drives, and it can be updated on existing BitLocker-protected drives by using the [Manage-bde](/windows-server/administration/windows-commands/manage-bde) command-line tool. +These identifiers are stored as the identification field and the allowed identification field. The identification field allows association of a unique organizational identifier to BitLocker-protected drives. This identifier is automatically added to new BitLocker-protected drives, and it can be updated on existing BitLocker-protected drives by using the [Manage-bde](/windows-server/administration/windows-commands/manage-bde) command-line tool. An identification field is required to manage certificate-based data recovery agents on BitLocker-protected drives and for potential updates to the BitLocker To Go Reader. BitLocker manages and updates data recovery agents only when the identification field on the drive matches the value that is configured in the identification field. In a similar manner, BitLocker updates the BitLocker To Go Reader only when the identification field's value on the drive matches the value that is configured for the identification field. For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde). -The allowed identification field is used in combination with the **Deny write access to removable drives not protected by BitLocker** policy setting to help control the use of removable drives in your organization. It's a comma-separated list of identification fields from your organization or external organizations. +The allowed identification field is used in combination with the **Deny write access to removable drives not protected by BitLocker** policy setting to help control the use of removable drives in an organization. It's a comma-separated list of identification fields from an internal organization or external organizations. -You can configure the identification fields on existing drives by using the [Manage-bde](/windows-server/administration/windows-commands/manage-bde) command-line tool. +The identification fields on existing drives can be configured by using the [Manage-bde](/windows-server/administration/windows-commands/manage-bde) command-line tool. When a BitLocker-protected drive is mounted on another BitLocker-enabled computer, the identification field and the allowed identification field are used to determine whether the drive is from an external organization. Multiple values separated by commas can be entered in the identification and allowed identification fields. The identification field can be any value upto 260 characters. -### Prevent memory overwrite on restart +### Prevent memory overwrite on restart This policy setting is used to control whether the computer's memory will be overwritten the next time the computer is restarted. -| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can control computer restart performance at the risk of exposing BitLocker secrets.| +|**Policy description**|With this policy setting, it can be controlled computer restart performance at the risk of exposing BitLocker secrets.| |**Introduced**|Windows Vista| |**Drive type**|All drives| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption*| |**Conflicts**|None| -|**When enabled**|The computer will not overwrite memory when it restarts. Preventing memory overwrite may improve restart performance, but it increases the risk of exposing BitLocker secrets.| +|**When enabled**|The computer won't overwrite memory when it restarts. Preventing memory overwrite may improve restart performance, but it increases the risk of exposing BitLocker secrets.| |**When disabled or not configured**|BitLocker secrets are removed from memory when the computer restarts.| -**Reference** +#### Reference: Prevent memory overwrite on restart -This policy setting is applied when you turn on BitLocker. BitLocker secrets include key material that is used to encrypt data. This policy setting applies only when BitLocker protection is enabled. +This policy setting is applied when BitLocker is turned on. BitLocker secrets include key material that is used to encrypt data. This policy setting applies only when BitLocker protection is enabled. -### Configure TPM platform validation profile for BIOS-based firmware configurations +### Configure TPM platform validation profile for BIOS-based firmware configurations This policy setting determines what values the TPM measures when it validates early boot components before it unlocks an operating system drive on a computer with a BIOS configuration or with UEFI firmware that has the Compatibility Support Module (CSM) enabled. -| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can configure how the computer's TPM security hardware secures the BitLocker encryption key.| +|**Policy description**|With this policy setting, it can be configured how the computer's TPM security hardware secures the BitLocker encryption key.| |**Introduced**|Windows Server 2012 and Windows 8| |**Drive type**|Operating system drives| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*| |**Conflicts**|None| -|**When enabled**|You can configure the boot components that the TPM validates before unlocking access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, then the TPM doesn't release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive.| +|**When enabled**|The boot components that the TPM validates before unlocking access to the BitLocker-encrypted operating system drive can be configured. If any of these components change while BitLocker protection is in effect, then the TPM doesn't release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive.| |**When disabled or not configured**|The TPM uses the default platform validation profile or the platform validation profile that is specified by the setup script.| -**Reference** +#### Reference: Configure TPM platform validation profile for BIOS-based firmware configurations This policy setting doesn't apply if the computer doesn't have a compatible TPM or if BitLocker has already been turned on with TPM protection. > [!IMPORTANT] > This Group Policy setting only applies to computers with BIOS configurations or to computers with UEFI firmware with the CSM enabled. Computers that use a native UEFI firmware configuration store different values in the Platform Configuration Registers (PCRs). Use the **Configure TPM platform validation profile for native UEFI firmware configurations** Group Policy setting to configure the TPM PCR profile for computers that use native UEFI firmware. -A platform validation profile consists of a set of PCR indices that range from 0 to 23. The default platform validation profile secures the encryption key against changes to the following: +A platform validation profile consists of a set of PCR indices that range from 0 to 23. The default platform validation profile secures the encryption key against changes to the following PCRs: -- Core Root of Trust of Measurement (CRTM), BIOS, and Platform Extensions (PCR 0) -- Option ROM Code (PCR 2) -- Master Boot Record (MBR) Code (PCR 4) -- NTFS Boot Sector (PCR 8) -- NTFS Boot Block (PCR 9) -- Boot Manager (PCR 10) -- BitLocker Access Control (PCR 11) +- Core Root of Trust of Measurement (CRTM), BIOS, and Platform Extensions (PCR 0) +- Option ROM Code (PCR 2) +- Master Boot Record (MBR) Code (PCR 4) +- NTFS Boot Sector (PCR 8) +- NTFS Boot Block (PCR 9) +- Boot Manager (PCR 10) +- BitLocker Access Control (PCR 11) > [!NOTE] -> Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker’s sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs. +> Changing from the default platform validation profile affects the security and manageability of a computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs. The following list identifies all of the available PCRs: -- PCR 0: Core root-of-trust for measurement, BIOS, and platform extensions -- PCR 1: Platform and motherboard configuration and data. -- PCR 2: Option ROM code -- PCR 3: Option ROM data and configuration -- PCR 4: Master Boot Record (MBR) code -- PCR 5: Master Boot Record (MBR) partition table -- PCR 6: State transition and wake events -- PCR 7: Computer manufacturer-specific -- PCR 8: NTFS boot sector -- PCR 9: NTFS boot block -- PCR 10: Boot manager -- PCR 11: BitLocker access control -- PCR 12-23: Reserved for future use +- PCR 0: Core root-of-trust for measurement, BIOS, and platform extensions +- PCR 1: Platform and motherboard configuration and data. +- PCR 2: Option ROM code +- PCR 3: Option ROM data and configuration +- PCR 4: Master Boot Record (MBR) code +- PCR 5: Master Boot Record (MBR) partition table +- PCR 6: State transition and wake events +- PCR 7: Computer manufacturer-specific +- PCR 8: NTFS boot sector +- PCR 9: NTFS boot block +- PCR 10: Boot manager +- PCR 11: BitLocker access control +- PCR 12-23: Reserved for future use -### Configure TPM platform validation profile (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2) +### Configure TPM platform validation profile (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2) This policy setting determines what values the TPM measures when it validates early boot components before unlocking a drive on a computer running Windows Vista, Windows Server 2008, or Windows 7. -| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can configure how the computer's TPM security hardware secures the BitLocker encryption key.| +|**Policy description**|With this policy setting, it can be configured how the computer's TPM security hardware secures the BitLocker encryption key.| |**Introduced**|Windows Server 2008 and Windows Vista| |**Drive type**|Operating system drives| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*| |**Conflicts**|None| -|**When enabled**|You can configure the boot components that the TPM validates before unlocking access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM doesn't release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive.| +|**When enabled**|The boot components that the TPM validates before unlocking access to the BitLocker-encrypted operating system drive can be configured. If any of these components change while BitLocker protection is in effect, the TPM doesn't release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive.| |**When disabled or not configured**|The TPM uses the default platform validation profile or the platform validation profile that is specified by the setup script.| -**Reference** +#### Reference: Configure TPM platform validation profile (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2) This policy setting doesn't apply if the computer doesn't have a compatible TPM or if BitLocker is already turned on with TPM protection. -A platform validation profile consists of a set of PCR indices that range from 0 to 23. The default platform validation profile secures the encryption key against changes to the following: +A platform validation profile consists of a set of PCR indices that range from 0 to 23. The default platform validation profile secures the encryption key against changes to the following PCRs: -- Core Root of Trust of Measurement (CRTM), BIOS, and Platform Extensions (PCR 0) -- Option ROM Code (PCR 2) -- Master Boot Record (MBR) Code (PCR 4) -- NTFS Boot Sector (PCR 8) -- NTFS Boot Block (PCR 9) -- Boot Manager (PCR 10) -- BitLocker Access Control (PCR 11) +- Core Root of Trust of Measurement (CRTM), BIOS, and Platform Extensions (PCR 0) +- Option ROM Code (PCR 2) +- Master Boot Record (MBR) Code (PCR 4) +- NTFS Boot Sector (PCR 8) +- NTFS Boot Block (PCR 9) +- Boot Manager (PCR 10) +- BitLocker Access Control (PCR 11) > [!NOTE] > The default TPM validation profile PCR settings for computers that use an Extensible Firmware Interface (EFI) are the PCRs 0, 2, 4, and 11 only. The following list identifies all of the available PCRs: -- PCR 0: Core root-of-trust for measurement, EFI boot and run-time services, EFI drivers embedded in system ROM, ACPI static tables, embedded SMM code, and BIOS code -- PCR 1: Platform and motherboard configuration and data. Hand-off tables and EFI variables that affect system configuration -- PCR 2: Option ROM code -- PCR 3: Option ROM data and configuration -- PCR 4: Master Boot Record (MBR) code or code from other boot devices -- PCR 5: Master Boot Record (MBR) partition table. Various EFI variables and the GPT table -- PCR 6: State transition and wake events -- PCR 7: Computer manufacturer-specific -- PCR 8: NTFS boot sector -- PCR 9: NTFS boot block -- PCR 10: Boot manager -- PCR 11: BitLocker access control -- PCR 12 - 23: Reserved for future use +- PCR 0: Core root-of-trust for measurement, EFI boot and run-time services, EFI drivers embedded in system ROM, ACPI static tables, embedded SMM code, and BIOS code +- PCR 1: Platform and motherboard configuration and data. Hand-off tables and EFI variables that affect system configuration +- PCR 2: Option ROM code +- PCR 3: Option ROM data and configuration +- PCR 4: Master Boot Record (MBR) code or code from other boot devices +- PCR 5: Master Boot Record (MBR) partition table. Various EFI variables and the GPT table +- PCR 6: State transition and wake events +- PCR 7: Computer manufacturer-specific +- PCR 8: NTFS boot sector +- PCR 9: NTFS boot block +- PCR 10: Boot manager +- PCR 11: BitLocker access control +- PCR 12 - 23: Reserved for future use > [!WARNING] -> Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs. +> Changing from the default platform validation profile affects the security and manageability of a computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs. -### Configure TPM platform validation profile for native UEFI firmware configurations +### Configure TPM platform validation profile for native UEFI firmware configurations This policy setting determines what values the TPM measures when it validates early boot components before unlocking an operating system drive on a computer with native UEFI firmware configurations. -| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can configure how the computer's Trusted Platform Module (TPM) security hardware secures the BitLocker encryption key.| +|**Policy description**|With this policy setting, it can be configured how the computer's Trusted Platform Module (TPM) security hardware secures the BitLocker encryption key.| |**Introduced**|Windows Server 2012 and Windows 8| |**Drive type**|Operating system drives| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| -|**Conflicts**|Setting this policy with PCR 7 omitted, overrides the **Allow Secure Boot for integrity validation** Group Policy setting, and it prevents BitLocker from using Secure Boot for platform or Boot Configuration Data (BCD) integrity validation.

                              If your environments use TPM and Secure Boot for platform integrity checks, this policy is configured.

                              For more information about PCR 7, see [Platform Configuration Register (PCR)](#bkmk-pcr) in this article.| -|**When enabled**|Before you turn on BitLocker, you can configure the boot components that the TPM validates before it unlocks access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM doesn't release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive.| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*| +|**Conflicts**|Setting this policy with PCR 7 omitted overrides the **Allow Secure Boot for integrity validation** Group Policy setting, and it prevents BitLocker from using Secure Boot for platform or Boot Configuration Data (BCD) integrity validation.

                              If an environment uses TPM and Secure Boot for platform integrity checks, this policy is configured.

                              For more information about PCR 7, see [About the Platform Configuration Register (PCR)](#about-the-platform-configuration-register-pcr) in this article.| +|**When enabled**|Before BitLocker is turned on, the boot components that the TPM validates before it unlocks access to the BitLocker-encrypted operating system drive can be configured. If any of these components change while BitLocker protection is in effect, the TPM doesn't release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive.| |**When disabled or not configured**|BitLocker uses the default platform validation profile or the platform validation profile that is specified by the setup script.| -**Reference** +#### Reference: Configure TPM platform validation profile for native UEFI firmware configurations This policy setting doesn't apply if the computer doesn't have a compatible TPM or if BitLocker is already turned on with TPM protection. @@ -1179,161 +1179,160 @@ A platform validation profile consists of a set of PCR indices ranging from 0 to The following list identifies all of the available PCRs: -- PCR 0: Core System Firmware executable code -- PCR 1: Core System Firmware data -- PCR 2: Extended or pluggable executable code -- PCR 3: Extended or pluggable firmware data -- PCR 4: Boot Manager -- PCR 5: GPT/Partition Table -- PCR 6: Resume from S4 and S5 Power State Events -- PCR 7: Secure Boot State +- PCR 0: Core System Firmware executable code +- PCR 1: Core System Firmware data +- PCR 2: Extended or pluggable executable code +- PCR 3: Extended or pluggable firmware data +- PCR 4: Boot Manager +- PCR 5: GPT/Partition Table +- PCR 6: Resume from S4 and S5 Power State Events +- PCR 7: Secure Boot State - For more information about this PCR, see [Platform Configuration Register (PCR)](#bkmk-pcr) in this article. + For more information about this PCR, see [About the Platform Configuration Register (PCR)](#about-the-platform-configuration-register-pcr) in this article. -- PCR 8: Initialized to 0 with no Extends (reserved for future use) -- PCR 9: Initialized to 0 with no Extends (reserved for future use) -- PCR 10: Initialized to 0 with no Extends (reserved for future use) -- PCR 11: BitLocker access control -- PCR 12: Data events and highly volatile events -- PCR 13: Boot Module Details -- PCR 14: Boot Authorities -- PCR 15 – 23: Reserved for future use +- PCR 8: Initialized to 0 with no Extends (reserved for future use) +- PCR 9: Initialized to 0 with no Extends (reserved for future use) +- PCR 10: Initialized to 0 with no Extends (reserved for future use) +- PCR 11: BitLocker access control +- PCR 12: Data events and highly volatile events +- PCR 13: Boot Module Details +- PCR 14: Boot Authorities +- PCR 15 - 23: Reserved for future use > [!WARNING] -> Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs. +> Changing from the default platform validation profile affects the security and manageability of a computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs. -### Reset platform validation data after BitLocker recovery +### Reset platform validation data after BitLocker recovery -This policy setting determines if you want platform validation data to refresh when Windows is started following a BitLocker recovery. A platform validation data profile consists of the values in a set of Platform Configuration Register (PCR) indices that range from 0 to 23. +This policy setting determines if platform validation data should refresh when Windows is started following a BitLocker recovery. A platform validation data profile consists of the values in a set of Platform Configuration Register (PCR) indices that range from 0 to 23. -| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can control whether platform validation data is refreshed when Windows is started following a BitLocker recovery.| +|**Policy description**|With this policy setting, it can be controlled whether platform validation data is refreshed when Windows is started following a BitLocker recovery.| |**Introduced**|Windows Server 2012 and Windows 8| |**Drive type**|Operating system drives| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*| |**Conflicts**|None| |**When enabled**|Platform validation data is refreshed when Windows is started following a BitLocker recovery.| |**When disabled**|Platform validation data isn't refreshed when Windows is started following a BitLocker recovery.| |**When not configured**|Platform validation data is refreshed when Windows is started following a BitLocker recovery.| -**Reference** +#### Reference: Reset platform validation data after BitLocker recovery For more information about the recovery process, see the [BitLocker recovery guide](bitlocker-recovery-guide-plan.md). -### Use enhanced Boot Configuration Data validation profile +### Use enhanced Boot Configuration Data validation profile This policy setting determines specific Boot Configuration Data (BCD) settings to verify during platform validation. A platform validation uses the data in the platform validation profile, which consists of a set of Platform Configuration Register (PCR) indices that range from 0 to 23. -| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can specify Boot Configuration Data (BCD) settings to verify during platform validation.| +|**Policy description**|With this policy setting, Boot Configuration Data (BCD) settings to verify during platform validation can be specified.| |**Introduced**|Windows Server 2012 and Windows 8| |**Drive type**|Operating system drives| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*| |**Conflicts**|When BitLocker is using Secure Boot for platform and Boot Configuration Data integrity validation, the **Use enhanced Boot Configuration Data validation profile** Group Policy setting is ignored (as defined by the **Allow Secure Boot for integrity validation** Group Policy setting).| -|**When enabled**|You can add additional BCD settings, exclude the BCD settings you specify, or combine inclusion and exclusion lists to create a customized BCD validation profile, which gives you the ability to verify those BCD settings.| +|**When enabled**|Additional BCD settings can be added and specified BCD settings can be excluded. Also a customized BCD validation profile can be created by combining inclusion and exclusion lists. The customized BCD validation profile gives the ability to verify BCD settings.| |**When disabled**|The computer reverts to a BCD profile validation similar to the default BCD profile that is used by Windows 7.| |**When not configured**|The computer verifies the default BCD settings in Windows.| -**Reference** +#### Reference: Use enhanced Boot Configuration Data validation profile > [!NOTE] > The setting that controls boot debugging (0x16000010) is always validated, and it has no effect if it's included in the inclusion or the exclusion list. -### Allow access to BitLocker-protected fixed data drives from earlier versions of Windows +### Allow access to BitLocker-protected fixed data drives from earlier versions of Windows This policy setting is used to control whether access to drives is allowed by using the BitLocker To Go Reader, and whether BitLocker To Go Reader can be installed on the drive. -| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can configure whether fixed data drives that are formatted with the FAT file system can be unlocked and viewed on computers running Windows Vista, Windows XP with Service Pack 3 (SP3), or Windows XP with Service Pack 2 (SP2).| +|**Policy description**|With this policy setting, it can be configured whether fixed data drives that are formatted with the FAT file system can be unlocked and viewed on computers running Windows Vista, Windows XP with Service Pack 3 (SP3), or Windows XP with Service Pack 2 (SP2).| |**Introduced**|Windows Server 2008 R2 and Windows 7| |**Drive type**|Fixed data drives| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Fixed Data Drives*| |**Conflicts**|None| |**When enabled and When not configured**|Fixed data drives that are formatted with the FAT file system can be unlocked on computers running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2, and their content can be viewed. These operating systems have Read-only access to BitLocker-protected drives.| |**When disabled**|Fixed data drives that are formatted with the FAT file system and are BitLocker-protected can't be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2. BitLocker To Go Reader (bitlockertogo.exe) isn't installed.| -**Reference** +#### Reference: Allow access to BitLocker-protected fixed data drives from earlier versions of Windows > [!NOTE] > This policy setting doesn't apply to drives that are formatted with the NTFS file system. When this policy setting is enabled, select the **Do not install BitLocker To Go Reader on FAT formatted fixed drives** check box to help prevent users from running BitLocker To Go Reader from their fixed drives. If BitLocker To Go Reader (bitlockertogo.exe) is present on a drive that doesn't have an identification field specified, or if the drive has the same identification field as specified in the **Provide unique identifiers for your organization** policy setting, the user is prompted to update BitLocker, and BitLocker To Go Reader is deleted from the drive. In this situation, for the fixed drive to be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2, BitLocker To Go Reader must be installed on the computer. If this check box isn't selected, then BitLocker To Go Reader will be installed on the fixed drive to enable users to unlock the drive on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2. -### Allow access to BitLocker-protected removable data drives from earlier versions of Windows +### Allow access to BitLocker-protected removable data drives from earlier versions of Windows This policy setting controls access to removable data drives that are using the BitLocker To Go Reader and whether the BitLocker To Go Reader can be installed on the drive. -| |   | +| Item | Info | |:---|:---| -|**Policy description**|With this policy setting, you can configure whether removable data drives that are formatted with the FAT file system can be unlocked and viewed on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2.| +|**Policy description**|With this policy setting, it can be configured whether removable data drives that are formatted with the FAT file system can be unlocked and viewed on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2.| |**Introduced**|Windows Server 2008 R2 and Windows 7| |**Drive type**|Removable data drives| -|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives| +|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Removable Data Drives*| |**Conflicts**|None| |**When enabled and When not configured**|Removable data drives that are formatted with the FAT file system can be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2, and their content can be viewed. These operating systems have Read-only access to BitLocker-protected drives.| |**When disabled**|Removable data drives that are formatted with the FAT file system that are BitLocker-protected can't be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2. BitLocker To Go Reader (bitlockertogo.exe) isn't installed.| -**Reference** +#### Reference: Allow access to BitLocker-protected removable data drives from earlier versions of Windows > [!NOTE] > This policy setting doesn't apply to drives that are formatted with the NTFS file system. -When this policy setting is enabled, select the **Do not install BitLocker To Go Reader on FAT formatted removable drives** check box to help prevent users from running BitLocker To Go Reader from their removable drives. If BitLocker To Go Reader (bitlockertogo.exe) is present on a drive that doesn't have an identification field specified, or if the drive has the same identification field as specified in the **Provide unique identifiers for your organization** policy setting, the user will be prompted to update BitLocker, and BitLocker To Go Reader is deleted from the drive. In this situation, for the removable drive to be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2, BitLocker To Go Reader must be installed on the computer. If this check box isn't selected, then BitLocker To Go Reader will be installed on the removable drive to enable users to unlock the drive on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2 that don't have BitLocker To Go Reader installed. +When this policy setting is enabled, select the **Do not install BitLocker To Go Reader on FAT formatted removable drives** check box to help prevent users from running BitLocker To Go Reader from their removable drives. If BitLocker To Go Reader (bitlockertogo.exe) is present on a drive that doesn't have an identification field specified, or if the drive has the same identification field as specified in the **Provide unique identifiers for your organization** policy setting, the user will be prompted to update BitLocker, and BitLocker To Go Reader is deleted from the drive. In this situation, for the removable drive to be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2, BitLocker To Go Reader must be installed on the computer. If this check box isn't selected, then BitLocker To Go Reader will be installed on the removable drive to enable users to unlock the drive on computers running Windows Vista or Windows XP that don't have BitLocker To Go Reader installed. ## FIPS setting -You can configure the Federal Information Processing Standard (FIPS) setting for FIPS compliance. As an effect of FIPS compliance, users can't create or save a BitLocker password for recovery or as a key protector. The use of a recovery key is permitted. +The Federal Information Processing Standard (FIPS) setting for FIPS compliance can be configured. As an effect of FIPS compliance, users can't create or save a BitLocker password for recovery or as a key protector. The use of a recovery key is permitted. -| |   | +| Item | Info | |:---|:---| |**Policy description**|Notes| |**Introduced**|Windows Server 2003 with SP1| |**Drive type**|System-wide| -|**Policy path**|Local Policies\Security Options\System cryptography: **Use FIPS compliant algorithms for encryption, hashing, and signing**| +|**Policy path**|*Local Policies* > *Security Options* > *System cryptography*: **Use FIPS compliant algorithms for encryption, hashing, and signing**| |**Conflicts**|Some applications, such as Terminal Services, don't support FIPS-140 on all operating systems.| -|**When enabled**|Users will be unable to save a recovery password to any location. This includes AD DS and network folders. Also, you can't use WMI or the BitLocker Drive Encryption Setup wizard to create a recovery password.| +|**When enabled**|Users will be unable to save a recovery password to any location. This policy setting includes AD DS and network folders. Also, WMI or the BitLocker Drive Encryption Setup wizard can't be used to create a recovery password.| |**When disabled or not configured**|No BitLocker encryption key is generated| -**Reference** +### Reference: FIPS setting This policy must be enabled before any encryption key is generated for BitLocker. When this policy is enabled, BitLocker prevents creating or using recovery passwords, so recovery keys should be used instead. -You can save the optional recovery key to a USB drive. Because recovery passwords can't be saved to AD DS when FIPS is enabled, an error is caused if AD DS backup is required by Group Policy. +The optional recovery key can be saved to a USB drive. Because recovery passwords can't be saved to AD DS when FIPS is enabled, an error is caused if AD DS backup is required by Group Policy. -You can edit the FIPS setting by using the Security Policy Editor (Secpol.msc) or by editing the Windows registry. You must be an administrator to perform these procedures. +The FIPS setting can be edited by using the Security Policy Editor (`Secpol.msc`) or by editing the Windows registry. Only administrators can perform these procedures. For more information about setting this policy, see [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](../../threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md). ## Power management group policy settings: Sleep and Hibernate -PCs default power settings for a computer will cause the computer to enter Sleep mode frequently to conserve power when idle and to help extend the system’s battery life. When a computer transitions to Sleep, open programs and documents are persisted in memory. When a computer resumes from Sleep, users aren't required to reauthenticate with a PIN or USB startup key to access encrypted data. This might lead to conditions where data security is compromised. +PCs default power settings for a computer will cause the computer to enter Sleep mode frequently to conserve power when idle and to help extend the system's battery life. When a computer transitions to Sleep, open programs and documents are persisted in memory. When a computer resumes from Sleep, users aren't required to reauthenticate with a PIN or USB startup key to access encrypted data. Not needing to reauthenticate when resuming from Sleep might lead to conditions where data security is compromised. However, when a computer hibernates the drive is locked, and when it resumes from hibernation the drive is unlocked, which means that users will need to provide a PIN or a startup key if using multifactor authentication with BitLocker. Therefore, organizations that use BitLocker may want to use Hibernate instead of Sleep for improved security. This setting doesn't have an impact on TPM-only mode, because it provides a transparent user experience at startup and when resuming from the Hibernate states. -You can disable the following Group Policy settings, which are located in **Computer Configuration\\Administrative Templates\\System\\Power Management** to disable all available sleep states: +To disable all available sleep states, disable the Group Policy settings located in **Computer Configuration** > **Administrative Templates** > **System** > **Power Management** : -- Allow Standby States (S1-S3) When Sleeping (Plugged In) -- Allow Standby States (S1-S3) When Sleeping (Battery) +- **Allow Standby States (S1-S3) When Sleeping (Plugged In)** +- **Allow Standby States (S1-S3) When Sleeping (Battery)** -## About the Platform Configuration Register (PCR) +## About the Platform Configuration Register (PCR) A platform validation profile consists of a set of PCR indices that range from 0 to 23. The scope of the values can be specific to the version of the operating system. -Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker’s sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs. +Changing from the default platform validation profile affects the security and manageability of a computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs. -**About PCR 7** +### About PCR 7 -PCR 7 measures the state of Secure Boot. With PCR 7, BitLocker can use Secure Boot for integrity validation. Secure Boot ensures that the computer's preboot environment loads only firmware that is digitally signed by authorized software publishers. PCR 7 measurements indicate whether Secure Boot is on and which keys are trusted on the platform. If Secure Boot is on and the firmware measures PCR 7 correctly per the UEFI specification, BitLocker can bind to this information rather than to PCRs 0, 2, and 4, which have the measurements of the exact firmware and Bootmgr images loaded. This -reduces the likelihood of BitLocker starting in recovery mode as a result of firmware and image updates, and it provides you with greater flexibility to manage the preboot configuration. +PCR 7 measures the state of Secure Boot. With PCR 7, BitLocker can use Secure Boot for integrity validation. Secure Boot ensures that the computer's preboot environment loads only firmware that is digitally signed by authorized software publishers. PCR 7 measurements indicate whether Secure Boot is on and which keys are trusted on the platform. If Secure Boot is on and the firmware measures PCR 7 correctly per the UEFI specification, BitLocker can bind to this information rather than to PCRs 0, 2, and 4, which have the measurements of the exact firmware and Bootmgr images loaded. This process reduces the likelihood of BitLocker starting in recovery mode as a result of firmware and image updates, and it provides with greater flexibility to manage the preboot configuration. PCR 7 measurements must follow the guidance that is described in [Appendix A Trusted Execution Environment EFI Protocol](/windows-hardware/test/hlk/testref/trusted-execution-environment-efi-protocol). PCR 7 measurements are a mandatory logo requirement for systems that support Modern Standby (also known as Always On, Always Connected PCs), such as the Microsoft Surface RT. On such systems, if the TPM with PCR 7 measurement and secure boot are correctly configured, BitLocker binds to PCR 7 and PCR 11 by default. -## See also +## Related articles - [Trusted Platform Module](/windows/device-security/tpm/trusted-platform-module-overview) - [TPM Group Policy settings](/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings) diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md index 17dd8a1f09..9d743637c9 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md +++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md @@ -4,55 +4,72 @@ description: This article for the IT professional explains how to deploy BitLock ms.reviewer: ms.prod: windows-client ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: frankroj +ms.author: frankroj manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 02/28/2019 +ms.date: 11/08/2022 ms.custom: bitlocker +ms.technology: itpro-security --- # BitLocker: How to deploy on Windows Server 2012 and later -> Applies to: Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019 +**Applies to:** + +- Windows Server 2012 +- Windows Server 2012 R2 +- Windows Server 2016 and above This article explains how to deploy BitLocker on Windows Server 2012 and later versions. For all Windows Server editions, BitLocker can be installed using Server Manager or Windows PowerShell cmdlets. BitLocker requires administrator privileges on the server on which it's to be installed. -## Installing BitLocker +## Installing BitLocker -### To install BitLocker using server manager +### To install BitLocker using server manager -1. Open server manager by selecting the server manager icon or running servermanager.exe. -2. Select **Manage** from the **Server Manager Navigation** bar and select **Add Roles and Features** to start the **Add Roles and Features Wizard.** -3. With the **Add Roles and Features** wizard open, select **Next** at the **Before you begin** pane (if shown). -4. Select **Role-based or feature-based installation** on the **Installation type** pane of the **Add Roles and Features** wizard and select **Next** to continue. -5. Select the **Select a server from the server pool** option in the **Server Selection** pane and confirm the server on which the BitLocker feature is to be installed. -6. Select **Next** on the **Server Roles** pane of the **Add Roles and Features** wizard to proceed to the **Features** pane. - **Note**: Server roles and features are installed by using the same wizard in Server Manager. -7. Select the check box next to **BitLocker Drive Encryption** within the **Features** pane of the **Add Roles and Features** wizard. The wizard shows the extra management features available for BitLocker. If you don't want to install these features, deselect the **Include management tools -** and select **Add Features**. Once optional features selection is complete, select **Next** to proceed in the wizard. +1. Open server manager by selecting the server manager icon or running servermanager.exe. - > **Note:**   The **Enhanced Storage** feature is a required feature for enabling BitLocker. This feature enables support for encrypted hard drives on capable systems. -   -8. Select **Install** on the **Confirmation** pane of the **Add Roles and Features** wizard to begin BitLocker feature installation. The BitLocker feature requires a restart for its installation to be complete. Selecting the **Restart the destination server automatically if required** option in the **Confirmation** pane forces a restart of the computer after installation is complete. -9. If the **Restart the destination server automatically if required** check box isn't selected, the **Results** pane of the **Add Roles and Features** wizard displays the success or failure of the BitLocker feature installation. If necessary, a notification of other action necessary to complete the feature installation, such as the restart of the computer, will be displayed in the results text. +2. Select **Manage** from the **Server Manager Navigation** bar and select **Add Roles and Features** to start the **Add Roles and Features Wizard.** -### To install BitLocker using Windows PowerShell +3. With the **Add Roles and Features** wizard open, select **Next** at the **Before you begin** pane (if shown). -Windows PowerShell offers administrators another option for BitLocker feature installation. Windows PowerShell installs features using the `servermanager` or `dism` module; however, the `servermanager` and `dism` modules don't always share feature name parity. Because of this, it's advisable to confirm the feature or role name prior to installation. +4. Select **Role-based or feature-based installation** on the **Installation type** pane of the **Add Roles and Features** wizard and select **Next** to continue. + +5. Select the **Select a server from the server pool** option in the **Server Selection** pane and confirm the server on which the BitLocker feature is to be installed. + +6. Select **Next** on the **Server Roles** pane of the **Add Roles and Features** wizard to proceed to the **Features** pane. + + > [!NOTE] + > Server roles and features are installed by using the same wizard in Server Manager. + +7. Select the check box next to **BitLocker Drive Encryption** within the **Features** pane of the **Add Roles and Features** wizard. The wizard shows the extra management features available for BitLocker. If the extra management features are not needed and/or don't need to be installed, deselect the **Include management tools**. + + > [!NOTE] + > The **Enhanced Storage** feature is a required feature for enabling BitLocker. This feature enables support for encrypted hard drives on capable systems. + +8. Select **Add Features**. Once optional features selection is complete, select **Next** to proceed in the wizard. + +9. Select **Install** on the **Confirmation** pane of the **Add Roles and Features** wizard to begin BitLocker feature installation. The BitLocker feature requires a restart for its installation to be complete. Selecting the **Restart the destination server automatically if required** option in the **Confirmation** pane forces a restart of the computer after installation is complete. + +10. If the **Restart the destination server automatically if required** check box isn't selected, the **Results** pane of the **Add Roles and Features** wizard displays the success or failure of the BitLocker feature installation. If necessary, a notification of other action necessary to complete the feature installation, such as the restart of the computer, will be displayed in the results text. + +### To install BitLocker using Windows PowerShell + +Windows PowerShell offers administrators another option for BitLocker feature installation. Windows PowerShell installs features using the `servermanager` or `dism.exe` module. However, the `servermanager` and `dism.exe` modules don't always share feature name parity. Because of this mismatch of feature name parity, it's advisable to confirm the feature or role name prior to installation. + +> [!NOTE] +> The server must be restarted to complete the installation of BitLocker. ->**Note:**  You must restart the server to complete the installation of BitLocker. -  ### Using the servermanager module to install BitLocker -The `servermanager` Windows PowerShell module can use either the `Install-WindowsFeature` or `Add-WindowsFeature` to install the BitLocker feature. The `Add-WindowsFeature` cmdlet is merely a stub to the `Install-WindowsFeature`. This example uses the `Install-WindowsFeature` cmdlet. The feature name for BitLocker in the `servermanager` module is `BitLocker`. +The `servermanager` Windows PowerShell module can use either the `Install-WindowsFeature` or `Add-WindowsFeature` to install the BitLocker feature. The `Add-WindowsFeature` cmdlet is merely a stub to the `Install-WindowsFeature`. This example uses the `Install-WindowsFeature` cmdlet. The feature name for BitLocker in the `servermanager` module is `BitLocker`. -By default, installation of features in Windows PowerShell doesn't include optional sub-features or management tools as part of the installation process. This can be seen using the `-WhatIf` option in Windows PowerShell. +By default, installation of features in Windows PowerShell doesn't include optional sub-features or management tools as part of the installation process. What is installed as part of the installation process can be seen using the `-WhatIf` option in Windows PowerShell. ```powershell Install-WindowsFeature BitLocker -WhatIf ``` + The results of this command show that only the BitLocker Drive Encryption feature is installed using this command. To see what would be installed with the BitLocker feature, including all available management tools and sub-features, use the following command: @@ -63,13 +80,13 @@ Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools - The result of this command displays the following list of all the administration tools for BitLocker, which would be installed along with the feature, including tools for use with Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS). -- BitLocker Drive Encryption -- BitLocker Drive Encryption Tools -- BitLocker Drive Encryption Administration Utilities -- BitLocker Recovery Password Viewer -- AD DS Snap-Ins and Command-Line Tools -- AD DS Tools -- AD DS and AD LDS Tools +- BitLocker Drive Encryption +- BitLocker Drive Encryption Tools +- BitLocker Drive Encryption Administration Utilities +- BitLocker Recovery Password Viewer +- AD DS Snap-Ins and Command-Line Tools +- AD DS Tools +- AD DS and AD LDS Tools The command to complete a full installation of the BitLocker feature with all available sub-features and then to reboot the server at completion is: @@ -77,19 +94,20 @@ The command to complete a full installation of the BitLocker feature with all av Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart ``` ->**Important:**  Installing the BitLocker feature using Windows PowerShell does not install the Enhanced Storage feature. Administrators wishing to support Encrypted Hard Drives in their environment will need to install the Enhanced Storage feature separately. -  +> [!IMPORTANT] +> Installing the BitLocker feature using Windows PowerShell does not install the Enhanced Storage feature. Administrators wishing to support Encrypted Hard Drives in their environment will need to install the Enhanced Storage feature separately. + ### Using the dism module to install BitLocker -The `dism` Windows PowerShell module uses the `Enable-WindowsOptionalFeature` cmdlet to install features. The BitLocker feature name for BitLocker is `BitLocker`. The `dism` module doesn't support wildcards when searching for feature names. To list feature names for the `dism` module, use the `Get-WindowsOptionalFeatures` cmdlet. The following command will list all of the optional features in an online (running) operating system. +The `dism.exe` Windows PowerShell module uses the `Enable-WindowsOptionalFeature` cmdlet to install features. The BitLocker feature name for BitLocker is `BitLocker`. The `dism.exe` module doesn't support wildcards when searching for feature names. To list feature names for the `dism.exe` module, use the `Get-WindowsOptionalFeatures` cmdlet. The following command will list all of the optional features in an online (running) operating system. ```powershell Get-WindowsOptionalFeature -Online | ft ``` -From this output, we can see that there are three BitLocker-related optional feature names: BitLocker, BitLocker-Utilities and BitLocker-NetworkUnlock. To install the BitLocker feature, the BitLocker and BitLocker-Utilities features are the only required items. +From this output, it can be seen that there are three BitLocker-related optional feature names: **BitLocker**, **BitLocker-Utilities** and **BitLocker-NetworkUnlock**. To install the BitLocker feature, the **BitLocker** and **BitLocker-Utilities** features are the only required items. -To install BitLocker using the `dism` module, use the following command: +To install BitLocker using the `dism.exe` module, use the following command: ```powershell Enable-WindowsOptionalFeature -Online -FeatureName BitLocker -All @@ -100,7 +118,8 @@ This command prompts the user for a reboot. The Enable-WindowsOptionalFeature cm ```powershell Enable-WindowsOptionalFeature -Online -FeatureName BitLocker, BitLocker-Utilities -All ``` -## More information + +## Related articles - [BitLocker overview](bitlocker-overview.md) - [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml) diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md index 4face62ddf..37a5af8983 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md +++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md @@ -4,92 +4,97 @@ description: This article for the IT professional describes how BitLocker Networ ms.reviewer: ms.prod: windows-client ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: frankroj +ms.author: frankroj manager: aaroncz -ms.collection: - - M365-security-compliance ms.topic: conceptual -ms.date: 02/28/2019 +ms.date: 11/08/2022 ms.custom: bitlocker +ms.technology: itpro-security --- -# BitLocker: How to enable network unlock +# BitLocker: How to enable Network Unlock -**Applies to** +**Applies to:** - Windows 10 - Windows 11 - Windows Server 2016 and above -This topic describes how BitLocker network unlock works and how to configure it. +This article describes how BitLocker Network Unlock works and how to configure it. -Network Unlock was introduced in Windows 8 and Windows Server 2012 as a BitLocker protector option for operating system volumes. Network unlock enables easier management for BitLocker-enabled desktops and servers in a domain environment by providing automatic unlock of operating system volumes at system reboot when connected to a wired corporate network. This feature requires the client hardware to have a DHCP driver implemented in its UEFI firmware. -Without Network Unlock, operating system volumes protected by TPM+PIN protectors require a PIN to be entered when a computer reboots or resumes from hibernation (for example, by Wake on LAN). This can make it difficult to enterprises to roll out software patches to unattended desktops and remotely administered servers. +Network Unlock is a BitLocker protector option for operating system volumes. Network Unlock enables easier management for BitLocker-enabled desktops and servers in a domain environment by providing automatic unlock of operating system volumes at system reboot when connected to a wired corporate network. This feature requires the client hardware to have a DHCP driver implemented in its UEFI firmware. Without Network Unlock, operating system volumes protected by TPM+PIN protectors require a PIN to be entered when a computer reboots or resumes from hibernation (for example, by Wake on LAN). Requiring a PIN after a reboot can make it difficult to enterprises to roll out software patches to unattended desktops and remotely administered servers. -Network unlock allows BitLocker-enabled systems that have a TPM+PIN and that meet the hardware requirements to boot into Windows without user intervention. Network unlock works in a similar fashion to the TPM+StartupKey at boot. Rather than needing to read the StartupKey from USB media, however, the Network Unlock feature needs the key to be composed from a key stored in the TPM and an encrypted network key that is sent to the server, decrypted and returned to the client in a secure session. +Network Unlock allows BitLocker-enabled systems that have a TPM+PIN and that meet the hardware requirements to boot into Windows without user intervention. Network Unlock works in a similar fashion to the TPM+StartupKey at boot. Rather than needing to read the StartupKey from USB media, however, the Network Unlock feature needs the key to be composed from a key stored in the TPM and an encrypted network key that is sent to the server, decrypted and returned to the client in a secure session. -## Network unlock core requirements +## Network Unlock core requirements Network Unlock must meet mandatory hardware and software requirements before the feature can automatically unlock domain-joined systems. These requirements include: -- Windows 8 or Windows Server 2012 as the current operating system. -- Any supported operating system with UEFI DHCP drivers that can serve as Network Unlock clients. -- Network Unlock clients with a TPM chip and at least one TPM protector. -- A server running the Windows Deployment Services (WDS) role on any supported server operating system. -- BitLocker Network Unlock optional feature installed on any supported server operating system. -- A DHCP server, separate from the WDS server. -- Properly configured public/private key pairing. -- Network Unlock group policy settings configured. - -The network stack must be enabled to use the Network Unlock feature. Equipment manufacturers deliver their products in various states and with different BIOS menus; therefore, you need to confirm that the network stack has been enabled in the BIOS before starting the computer. +- Currently supported Windows operating system +- Any supported operating system with UEFI DHCP drivers that can serve as Network Unlock clients +- Network Unlock clients with a TPM chip and at least one TPM protector +- A server running the Windows Deployment Services (WDS) role on any supported server operating system +- BitLocker Network Unlock optional feature installed on any supported server operating system +- A DHCP server, separate from the WDS server +- Properly configured public/private key pairing +- Network Unlock group policy settings configured +- Network stack enabled in the UEFI firmware of client devices > [!NOTE] > To properly support DHCP within UEFI, the UEFI-based system should be in native mode and shouldn't have a compatibility support module (CSM) enabled. -On computers that run Windows 8 and later, the first network adapter on the computer, usually the onboard adapter, must be configured to support DHCP. This adapter must be used for Network Unlock. +For Network Unlock to work reliably on computers, the first network adapter on the computer, usually the onboard adapter, must be configured to support DHCP. This first network adapter must be used for Network Unlock. This configuration is especially worth noting when the device has multiple adapters, and some adapters are configured without DHCP, such as for use with a lights-out management protocol. This configuration is necessary because Network Unlock stops enumerating adapters when it reaches one with a DHCP port failure for any reason. Thus, if the first enumerated adapter doesn't support DHCP, isn't plugged into the network, or fails to report availability of the DHCP port for any reason, then Network Unlock fails. -For network unlock to work reliably on computers running Windows 8 and later versions, the first network adapter on the computer, usually the onboard adapter, must be configured to support DHCP and must be used for Network Unlock. This is especially worth noting when you have multiple adapters, and you wish to configure one without DHCP, such as for a lights-out management protocol. This configuration is necessary because network unlock stops enumerating adapters when it reaches one with a DHCP port failure for any reason. Thus, if the first enumerated adapter does not support DHCP, is not plugged into the network, or fails to report availability of the DHCP port for any reason, then Network Unlock fails. - The Network Unlock server component is installed on supported versions of Windows Server 2012 and later as a Windows feature that uses Server Manager or Windows PowerShell cmdlets. The feature name is BitLocker Network Unlock in Server Manager and BitLocker-NetworkUnlock in Windows PowerShell. This feature is a core requirement. -Network unlock requires Windows Deployment Services (WDS) in the environment where the feature will be utilized. Configuration of the WDS installation is not required; however, the WDS service must be running on the server. +Network Unlock requires Windows Deployment Services (WDS) in the environment where the feature will be utilized. Configuration of the WDS installation isn't required. However, the WDS service must be running on the server. The network key is stored on the system drive along with an AES 256 session key and encrypted with the 2048-bit RSA public key of the Unlock server certificate. The network key is decrypted with the help of a provider on a supported version of Windows Server running WDS, and returned encrypted with its corresponding session key. -## Network Unlock sequence +## Network Unlock sequence -The unlock sequence starts on the client side when the Windows boot manager detects the existence of network unlock protector. It leverages the DHCP driver in UEFI to obtain an IP address for IPv4 and then broadcasts a vendor-specific DHCP request that contains the network key and a session key for the reply, all encrypted by the server's Network Unlock certificate, as described above. The Network Unlock provider on the supported WDS server recognizes the vendor-specific request, decrypts it with the RSA private key, and returns the network key encrypted with the session key via its own vendor-specific DHCP reply. +The unlock sequence starts on the client side when the Windows boot manager detects the existence of Network Unlock protector. It uses the DHCP driver in UEFI to obtain an IP address for IPv4 and then broadcasts a vendor-specific DHCP request that contains the network key and a session key for the reply, all encrypted by the server's Network Unlock certificate, as described above. The Network Unlock provider on the supported WDS server recognizes the vendor-specific request, decrypts it with the RSA private key, and returns the network key encrypted with the session key via its own vendor-specific DHCP reply. -On the server side, the WDS server role has an optional plugin component, like a PXE provider, which is what handles the incoming network unlock requests. You can also configure the provider with subnet restrictions, which would require that the IP address provided by the client in the network unlock request belong to a permitted subnet to release the network key to the client. In instances where the Network Unlock provider is unavailable, BitLocker fails over to the next available protector to unlock the drive. In a typical configuration, this means the standard TPM+PIN unlock screen is presented to unlock the drive. +On the server side, the WDS server role has an optional plugin component, like a PXE provider, which is what handles the incoming Network Unlock requests. The provider can also be configured with subnet restrictions, which would require that the IP address provided by the client in the Network Unlock request belong to a permitted subnet to release the network key to the client. In instances where the Network Unlock provider is unavailable, BitLocker fails over to the next available protector to unlock the drive. In a typical configuration, the standard TPM+PIN unlock screen is presented to unlock the drive. The server side configuration to enable Network Unlock also requires provisioning a 2048-bit RSA public/private key pair in the form of an X.509 certificate, and distributing the public key certificate to the clients. This certificate must be managed and deployed through the Group Policy editor directly on a domain controller with at least a Domain Functional Level of Windows Server 2012. This certificate is the public key that encrypts the intermediate network key (which is one of the two secrets required to unlock the drive; the other secret is stored in the TPM). Manage and deploy this certificate through the Group Policy editor directly on a domain controller that has a domain functional level of at least Windows Server 2012. This certificate is the public key that encrypts the intermediate network key. The intermediate network key is one of the two secrets that are required to unlock the drive; the other secret is stored in the TPM. -![Diagram showing the BitLocker network unlock sequence.](images/bitlockernetworkunlocksequence.png) +![Diagram showing the BitLocker Network Unlock sequence.](images/bitlockernetworkunlocksequence.png) The Network Unlock process follows these phases: -1. The Windows boot manager detects a Network Unlock protector in the BitLocker configuration. -2. The client computer uses its DHCP driver in the UEFI to get a valid IPv4 IP address. -3. The client computer broadcasts a vendor-specific DHCP request that contains: - 1. A network key (a 256-bit intermediate key) that is encrypted by using the 2048-bit RSA Public Key of the network unlock certificate from the WDS server. - 2. An AES-256 session key for the reply. -4. The Network Unlock provider on the WDS server recognizes the vendor-specific request. -5. The provider decrypts the request by using the WDS server's BitLocker Network Unlock certificate RSA private key. -6. The WDS provider returns the network key encrypted with the session key by using its own vendor-specific DHCP reply to the client computer. This key is an intermediate key. -7. The returned intermediate key is combined with another local 256-bit intermediate key. This key can be decrypted only by the TPM. -8. This combined key is used to create an AES-256 key that unlocks the volume. -9. Windows continues the boot sequence. +1. The Windows boot manager detects a Network Unlock protector in the BitLocker configuration. -## Configure network unlock +2. The client computer uses its DHCP driver in the UEFI to get a valid IPv4 IP address. -The following steps allow an administrator to configure network unlock in a domain where the Domain Functional Level is at least Windows Server 2012. +3. The client computer broadcasts a vendor-specific DHCP request that contains: -### Install the WDS server role + 1. A network key (a 256-bit intermediate key) that is encrypted by using the 2048-bit RSA Public Key of the Network Unlock certificate from the WDS server. -The BitLocker network unlock feature installs the WDS role if it is not already installed. If you want to install it separately before you install BitLocker network unlock, you can use Server Manager or Windows PowerShell. To install the role using Server Manager, select the **Windows Deployment Services** role in Server Manager. + 2. An AES-256 session key for the reply. + +4. The Network Unlock provider on the WDS server recognizes the vendor-specific request. + +5. The provider decrypts the request by using the WDS server's BitLocker Network Unlock certificate RSA private key. + +6. The WDS provider returns the network key encrypted with the session key by using its own vendor-specific DHCP reply to the client computer. This key is an intermediate key. + +7. The returned intermediate key is combined with another local 256-bit intermediate key. This key can be decrypted only by the TPM. + +8. This combined key is used to create an AES-256 key that unlocks the volume. + +9. Windows continues the boot sequence. + +## Configure Network Unlock + +The following steps allow an administrator to configure Network Unlock in a domain where the Domain Functional Level is at least Windows Server 2012. + +### Install the WDS server role + +The BitLocker Network Unlock feature installs the WDS role if it isn't already installed. WDS can be installed separately before BitLocker Network Unlock is installed by using **Server Manager** or **Windows PowerShell**. To install the role using Server Manager, select the **Windows Deployment Services** role in **Server Manager**. To install the role by using Windows PowerShell, use the following command: @@ -97,94 +102,132 @@ To install the role by using Windows PowerShell, use the following command: Install-WindowsFeature WDS-Deployment ``` -You must configure the WDS server so that it can communicate with DHCP (and optionally AD DS) and the client computer. You can configure using the WDS management tool, wdsmgmt.msc, which starts the Windows Deployment Services Configuration wizard. +The WDS server must be configured so that it can communicate with DHCP (and optionally AD DS) and the client computer. The WDS server can be configured using the WDS management tool, `wdsmgmt.msc`, which starts the Windows Deployment Services Configuration wizard. -### Confirm the WDS service is running +### Confirm the WDS service is running -To confirm that the WDS service is running, use the Services Management Console or Windows PowerShell. To confirm that the service is running in Services Management Console, open the console using **services.msc** and check the status of the Windows Deployment Services service. +To confirm that the WDS service is running, use the Services Management Console or Windows PowerShell. To confirm that the service is running in Services Management Console, open the console using `services.msc` and check the status of the Windows Deployment Services service. To confirm that the service is running using Windows PowerShell, use the following command: ```powershell Get-Service WDSServer ``` -### Install the Network Unlock feature -To install the network unlock feature, use Server Manager or Windows PowerShell. To install the feature using Server Manager, select the **BitLocker Network Unlock** feature in the Server Manager console. +### Install the Network Unlock feature + +To install the Network Unlock feature, use Server Manager or Windows PowerShell. To install the feature using Server Manager, select the **BitLocker Network Unlock** feature in the Server Manager console. To install the feature by using Windows PowerShell, use the following command: ```powershell Install-WindowsFeature BitLocker-NetworkUnlock ``` -### Create the certificate template for Network Unlock + +### Create the certificate template for Network Unlock A properly configured Active Directory Services Certification Authority can use this certificate template to create and issue Network Unlock certificates. -1. Open the Certificates Template snap-in (certtmpl.msc). -2. Locate the User template, right-click the template name and select **Duplicate Template**. -3. On the **Compatibility** tab, change the **Certification Authority** and **Certificate recipient** fields to Windows Server 2012 and Windows 8, respectively. Ensure that the **Show resulting changes** dialog box is selected. -4. Select the **General** tab of the template. The **Template display name** and **Template name** should clearly identify that the template will be used for Network Unlock. Clear the check box for the **Publish certificate in Active Directory** option. -5. Select the **Request Handling** tab. Select **Encryption** from the **Purpose** drop-down menu. Ensure that the **Allow private key to be exported** option is selected. -6. Select the **Cryptography** tab. Set the **Minimum key size** to 2048. (Any Microsoft cryptographic provider that supports RSA can be used for this template, but for simplicity and forward compatibility, we recommend using **Microsoft Software Key Storage Provider**.) -7. Select the **Requests must use one of the following providers** option and clear all options except for the cryptography provider you selected, such as **Microsoft Software Key Storage Provider**. -8. Select the **Subject Name** tab. Select **Supply in the request**. Click **OK** if the certificate templates pop-up dialog appears. -9. Select the **Issuance Requirements** tab. Select both **CA certificate manager approval** and **Valid existing certificate** options. +1. Open the Certificates Template snap-in (`certtmpl.msc`). + +2. Locate the User template, right-click the template name and select **Duplicate Template**. + +3. On the **Compatibility** tab, change the **Certification Authority** and **Certificate recipient** fields to Windows Server 2012 and Windows 8, respectively. Ensure that the **Show resulting changes** dialog box is selected. + +4. Select the **General** tab of the template. The **Template display name** and **Template name** should clearly identify that the template will be used for Network Unlock. Clear the check box for the **Publish certificate in Active Directory** option. + +5. Select the **Request Handling** tab. Select **Encryption** from the **Purpose** drop-down menu. Ensure that the **Allow private key to be exported** option is selected. + +6. Select the **Cryptography** tab. Set the **Minimum key size** to 2048. Any Microsoft cryptographic provider that supports RSA can be used for this template, but for simplicity and forward compatibility, it is recommended to use **Microsoft Software Key Storage Provider**. + +7. Select the **Requests must use one of the following providers** option and clear all options except for the cryptography provider selected, such as **Microsoft Software Key Storage Provider**. + +8. Select the **Subject Name** tab. Select **Supply in the request**. Select **OK** if the certificate templates pop-up dialog appears. + +9. Select the **Issuance Requirements** tab. Select both **CA certificate manager approval** and **Valid existing certificate** options. + 10. Select the **Extensions** tab. Select **Application Policies** and choose **Edit…**. + 11. In the **Edit Application Policies Extension** options dialog box, select **Client Authentication**, **Encrypting File System**, **and Secure Email** and choose **Remove**. + 12. On the **Edit Application Policies Extension** dialog box, select **Add**. -13. On the **Add Application Policy** dialog box, select **New**. In the **New Application Policy** dialog box, enter the following information in the space provided and then click **OK** to create the BitLocker Network Unlock application policy: - - **Name:** **BitLocker Network Unlock** - - **Object Identifier:** **1.3.6.1.4.1.311.67.1.1** +13. On the **Add Application Policy** dialog box, select **New**. In the **New Application Policy** dialog box, enter the following information in the space provided and then select **OK** to create the BitLocker Network Unlock application policy: + + - *Name:* **BitLocker Network Unlock** + - *Object Identifier:* **1.3.6.1.4.1.311.67.1.1** + +14. Select the newly created **BitLocker Network Unlock** application policy and select **OK**. -14. Select the newly created **BitLocker Network Unlock** application policy and click **OK**. 15. With the **Extensions** tab still open, select the **Edit Key Usage Extension** dialog. Select the **Allow key exchange only with key encryption (key encipherment)** option. Select the **Make this extension critical** option. + 16. Select the **Security** tab. Confirm that the **Domain Admins** group has been granted **Enroll** permission. -17. Click **OK** to complete configuration of the template. + +17. Select **OK** to complete configuration of the template. To add the Network Unlock template to the certificate authority, open the certificate authority snap-in (`certsrv.msc`). Right-click **Certificate Templates**, and then choose **New, Certificate Template to issue**. Select the previously created BitLocker Network Unlock certificate. -After you add the Network Unlock template to the certificate authority, you can use this certificate to configure BitLocker Network Unlock. +After the Network Unlock template is added to the certificate authority, this certificate can be used to configure BitLocker Network Unlock. -### Create the Network Unlock certificate +### Create the Network Unlock certificate Network Unlock can use imported certificates from an existing public key infrastructure (PKI). Or it can use a self-signed certificate. To enroll a certificate from an existing certificate authority: -1. On the WDS server, open Certificate Manager by using `certmgr.msc`. -2. Under **Certificates - Current User**, right-click **Personal**. -3. Select **All Tasks** > **Request New Certificate**. -4. When the Certificate Enrollment wizard opens, select **Next**. -5. Select **Active Directory Enrollment Policy**. -6. Choose the certificate template that was created for Network Unlock on the domain controller. Then select **Enroll**. -1. When you're prompted for more information, select **Subject Name** and provide a friendly name value. Your friendly name should include information for the domain or organizational unit for the certificate. Here's an example: *BitLocker Network Unlock Certificate for Contoso domain*. -7. Create the certificate. Ensure the certificate appears in the **Personal** folder. -8. Export the public key certificate for Network Unlock: - 1. Create a .cer file by right-clicking the previously created certificate, selecting **All Tasks**, and then selecting **Export**. - 2. Select **No, do not export the private key**. - 3. Select **DER encoded binary X.509** and complete exporting the certificate to a file. - 4. Give the file a name such as BitLocker-NetworkUnlock.cer. +1. On the WDS server, open Certificate Manager by using `certmgr.msc`. -9. Export the public key with a private key for Network Unlock. +2. Under **Certificates - Current User**, right-click **Personal**. - 1. Create a .pfx file by right-clicking the previously created certificate, selecting **All Tasks**, and then selecting **Export**. - 2. Select **Yes, export the private key**. - 3. Complete the steps to create the *.pfx* file. +3. Select **All Tasks** > **Request New Certificate**. -To create a self-signed certificate, either use the `New-SelfSignedCertificate` cmdlet in Windows PowerShell or use `certreq`. +4. When the Certificate Enrollment wizard opens, select **Next**. -Here's a Windows PowerShell example: +5. Select **Active Directory Enrollment Policy**. + +6. Choose the certificate template that was created for Network Unlock on the domain controller. Then select **Enroll**. + +7. When prompted for more information, select **Subject Name** and provide a friendly name value. The friendly name should include information for the domain or organizational unit for the certificate. For example: + + *BitLocker Network Unlock Certificate for Contoso domain* + +8. Create the certificate. Ensure the certificate appears in the **Personal** folder. + +9. Export the public key certificate for Network Unlock: + + 1. Create a `.cer` file by right-clicking the previously created certificate, selecting **All Tasks**, and then selecting **Export**. + + 2. Select **No, do not export the private key**. + + 3. Select **DER encoded binary X.509** and complete exporting the certificate to a file. + + 4. Give the file a name such as BitLocker-NetworkUnlock.cer. + +10. Export the public key with a private key for Network Unlock. + + 1. Create a `.pfx` file by right-clicking the previously created certificate, selecting **All Tasks**, and then selecting **Export**. + + 2. Select **Yes, export the private key**. + + 3. Complete the steps to create the `.pfx` file. + +To create a self-signed certificate, either use the `New-SelfSignedCertificate` cmdlet in Windows PowerShell or use `certreq.exe`. For example: + +**Windows PowerShell:** ```powershell New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -Subject "CN=BitLocker Network Unlock certificate" -Provider "Microsoft Software Key Storage Provider" -KeyUsage KeyEncipherment -KeyUsageProperty Decrypt,Sign -KeyLength 2048 -HashAlgorithm sha512 -TextExtension @("1.3.6.1.4.1.311.21.10={text}OID=1.3.6.1.4.1.311.67.1.1","2.5.29.37={text}1.3.6.1.4.1.311.67.1.1") ``` -Here's a `certreq` example: +**certreq.exe:** -1. Create a text file with an .inf extension, for example, notepad.exe BitLocker-NetworkUnlock.inf. -2. Add the following contents to the previously created file: +1. Create a text file with an `.inf` extension, for example: + + ```cmd + notepad.exe BitLocker-NetworkUnlock.inf + ``` + +2. Add the following contents to the previously created file: ```ini [NewRequest] @@ -205,61 +248,82 @@ Here's a `certreq` example: _continue_ = "1.3.6.1.4.1.311.67.1.1" ``` -3. Open an elevated command prompt and use the `certreq` tool to create a new certificate. Use the following command, specifying the full path to the file that you created previously. Also specify the file name. +3. Open an elevated command prompt and use the `certreq.exe` tool to create a new certificate. Use the following command, specifying the full path to the file that was created previously along with the file name: ```cmd - certreq -new BitLocker-NetworkUnlock.inf BitLocker-NetworkUnlock.cer + certreq.exe -new BitLocker-NetworkUnlock.inf BitLocker-NetworkUnlock.cer ``` -4. Verify that certificate was properly created by the previous command by confirming that the .cer file exists. -5. Launch Certificates - Local Machine by running **certlm.msc**. -6. Create a .pfx file by opening the **Certificates – Local Computer\\Personal\\Certificates** path in the navigation pane, right-clicking the previously imported certificate, selecting **All Tasks**, and then selecting **Export**. Follow through the wizard to create the .pfx file. -### Deploy the private key and certificate to the WDS server +4. Verify that certificate was properly created by the previous command by confirming that the `.cer` file exists. -Now that you've created the certificate and key, deploy them to the infrastructure to properly unlock systems. To deploy the certificates: +5. Launch the **Certificates - Local Computer** console by running `certlm.msc`. -1. On the WDS server, open a new MMC and add the certificates snap-in. Select the computer account and local computer when given the options. -2. Right-click the Certificates (Local Computer) - BitLocker Drive Encryption Network Unlock item -, select **All Tasks**, and then select **Import**. -3. In the **File to Import** dialog, choose the .pfx file created previously. -4. Enter the password used to create the .pfx and complete the wizard. +6. Create a `.pfx` file by following the below steps the **Certificates - Local Computer** console: -### Configure group policy settings for network unlock + 1. Navigate to **Certificates - Local Computer** > **Personal** > **Certificates** -With certificate and key deployed to the WDS server for Network Unlock, the final step is to use group policy settings to deploy the public key certificate to computers that you want to be able to unlock using the Network Unlock key. Group policy settings for BitLocker can be found under **\\Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption** using the Local Group Policy Editor or the Microsoft Management Console. + 2. Right-click the previously imported certificate, select **All Tasks**, and then select **Export** -The following steps describe how to enable the group policy setting that is a requirement for configuring network unlock. + 3. Follow through the wizard to create the `.pfx` file. -1. Open Group Policy Management Console (`gpmc.msc`). -2. Enable the policy **Require additional authentication at startup**, and then select **Require startup PIN with TPM** or **Allow startup PIN with TPM**. -3. Turn on BitLocker with TPM+PIN protectors on all domain-joined computers. +### Deploy the private key and certificate to the WDS server + +After creating the certificate and key, deploy them to the infrastructure to properly unlock systems. To deploy the certificates: + +1. On the WDS server, launch the **Certificates - Local Computer** console by running `certlm.msc`. + +2. Right-click **BitLocker Drive Encryption Network Unlock** item under **Certificates (Local Computer)**, select **All Tasks**, and then select **Import**. + +3. In the **File to Import** dialog, choose the `.pfx` file created previously. + +4. Enter the password used to create the `.pfx` and complete the wizard. + +### Configure group policy settings for Network Unlock + +With certificate and key deployed to the WDS server for Network Unlock, the final step is to use group policy settings to deploy the public key certificate to the desired computers that will use the Network Unlock key to unlock. Group policy settings for BitLocker can be found under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** using the Local Group Policy Editor or the Microsoft Management Console. + +The following steps describe how to enable the group policy setting that is a requirement for configuring Network Unlock. + +1. Open Group Policy Management Console (`gpmc.msc`). +2. Enable the policy **Require additional authentication at startup**, and then select **Require startup PIN with TPM** or **Allow startup PIN with TPM**. +3. Turn on BitLocker with TPM+PIN protectors on all domain-joined computers. The following steps describe how to deploy the required group policy setting: > [!NOTE] -> The group policy settings **Allow network unlock at startup** and **Add Network Unlock Certificate** were introduced in Windows Server 2012. - -1. Copy the *.cer* file that you created for Network Unlock to the domain controller. -2. On the domain controller, open Group Policy Management Console (`gpmc.msc`). -3. Create a new Group Policy Object or modify an existing object to enable the **Allow network unlock at startup** setting. -4. Deploy the public certificate to clients: - 1. Within group policy management console, navigate to the following location: **Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Public Key Policies\\BitLocker Drive Encryption Network Unlock Certificate**. - 2. Right-click the folder and select **Add Network Unlock Certificate**. - 3. Follow the wizard steps and import the .cer file that was copied earlier. +> The group policy settings **Allow Network Unlock at startup** and **Add Network Unlock Certificate** were introduced in Windows Server 2012. + +1. Copy the `.cer` file that was created for Network Unlock to the domain controller. + +2. On the domain controller, open Group Policy Management Console (`gpmc.msc`). + +3. Create a new Group Policy Object or modify an existing object to enable the **Allow Network Unlock at startup** setting. + +4. Deploy the public certificate to clients: + + 1. Within group policy management console, navigate to the following location: + + **Computer Configuration** > **Policies** > **Windows Settings** > **Security Settings** > **Public Key Policies** > **BitLocker Drive Encryption Network Unlock Certificate**. + + 2. Right-click the folder and select **Add Network Unlock Certificate**. + + 3. Follow the wizard steps and import the `.cer` file that was copied earlier. > [!NOTE] - > Only one network unlock certificate can be available at a time. If you need a new certificate, delete the current certificate before you deploy a new one. The Network Unlock certificate is located in the *HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP* key on the client computer. + > Only one Network Unlock certificate can be available at a time. If a new certificate is needed, delete the current certificate before deploying a new one. The Network Unlock certificate is located under the **`HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\FVE_NKP`** registry key on the client computer. + +5. Reboot the clients after the Group Policy is deployed. -5. Reboot the clients after you deploy the Group Policy. > [!NOTE] > The **Network (Certificate Based)** protector will be added only after a reboot, with the policy enabled and a valid certificate present in the FVE_NKP store. - + ### Subnet policy configuration files on the WDS server (optional) -By default, all clients with the correct network unlock certificate and valid Network Unlock protectors that have wired access to a network unlock-enabled WDS server via DHCP are unlocked by the server. A subnet policy configuration file on the WDS server can be created to limit which are the subnet(s) the network unlock clients can use to unlock. +By default, all clients with the correct Network Unlock certificate and valid Network Unlock protectors that have wired access to a Network Unlock-enabled WDS server via DHCP are unlocked by the server. A subnet policy configuration file on the WDS server can be created to limit which are the subnet(s) the Network Unlock clients can use to unlock. -The configuration file, called bde-network-unlock.ini, must be located in the same directory as the network unlock provider DLL (%windir%\System32\Nkpprov.dll) and it applies to both IPv6 and IPv4 DHCP implementations. If the subnet configuration policy becomes corrupted, the provider fails and stops responding to requests. +The configuration file, called bde-network-unlock.ini, must be located in the same directory as the Network Unlock provider DLL (`%windir%\System32\Nkpprov.dll`) and it applies to both IPv6 and IPv4 DHCP implementations. If the subnet configuration policy becomes corrupted, the provider fails and stops responding to requests. -The subnet policy configuration file must use a “\[SUBNETS\]” section to identify the specific subnets. The named subnets may then be used to specify restrictions in certificate subsections. Subnets are defined as simple name–value pairs, in the common INI format, where each subnet has its own line, with the name on the left of the equal-sign, and the subnet identified on the right of the equal-sign as a Classless Inter-Domain Routing (CIDR) address or range. The key word “ENABLED” is disallowed for subnet names. +The subnet policy configuration file must use a **\[SUBNETS\]** section to identify the specific subnets. The named subnets may then be used to specify restrictions in certificate subsections. Subnets are defined as simple name-value pairs, in the common INI format, where each subnet has its own line, with the name on the left of the equal-sign, and the subnet identified on the right of the equal-sign as a Classless Inter-Domain Routing (CIDR) address or range. The key word **ENABLED** is disallowed for subnet names. ```ini [SUBNETS] @@ -268,13 +332,15 @@ SUBNET2=10.185.252.200/28 SUBNET3= 2001:4898:a:2::/64 ; an IPv6 subnet SUBNET4=2001:4898:a:3::/64; in production, the admin would likely give more useful names, like BUILDING9-EXCEPT-RECEP. ``` -Following the \[SUBNETS\] section, there can be sections for each Network Unlock certificate, identified by the certificate thumbprint formatted without any spaces, which define the subnets clients that can be unlocked from that certificate. + +Following the **\[SUBNETS\]** section, there can be sections for each Network Unlock certificate, identified by the certificate thumbprint formatted without any spaces, which define the subnets clients that can be unlocked from that certificate. > [!NOTE] > When specifying the certificate thumbprint, do not include any spaces. If spaces are included in the thumbprint, the subnet configuration fails because the thumbprint will not be recognized as valid. -Subnet restrictions are defined within each certificate section by denoting the allowed list of permitted subnets. If any subnets are listed in a certificate section, then only those subnets are permitted for that certificate. If no subnet is listed in a certificate section, then all subnets are permitted for that certificate. If a certificate does not have a section in the subnet policy configuration file, then no subnet restrictions are applied for unlocking with that certificate. This means for restrictions to apply to every certificate, there must be a certificate section for every network unlock certificate on the server, and an explicit allowed list set for each certificate section. -Subnet lists are created by putting the name of a subnet from the \[SUBNETS\] section on its own line below the certificate section header. Then, the server will only unlock clients with this certificate on the subnet(s) specified as in the list. For troubleshooting, a subnet can be quickly excluded without deleting it from the section by simply commenting it out with a prepended semi-colon. +Subnet restrictions are defined within each certificate section by denoting the allowed list of permitted subnets. If any subnets are listed in a certificate section, then only those subnets are permitted for that certificate. If no subnet is listed in a certificate section, then all subnets are permitted for that certificate. If a certificate doesn't have a section in the subnet policy configuration file, then no subnet restrictions are applied for unlocking with that certificate. For restrictions to apply to every certificate, there must be a certificate section for every Network Unlock certificate on the server, and an explicit allowed list set for each certificate section. + +Subnet lists are created by putting the name of a subnet from the **\[SUBNETS\]** section on its own line below the certificate section header. Then, the server will only unlock clients with this certificate on the subnet(s) specified as in the list. For troubleshooting, a subnet can be quickly excluded without deleting it from the section by commenting it out with a prepended semi-colon. ```ini [2158a767e1c14e88e27a4c0aee111d2de2eafe60] @@ -287,94 +353,115 @@ SUBNET3 To disallow the use of a certificate altogether, add a `DISABLED` line to its subnet list. -## Turn off Network Unlock +## Turn off Network Unlock - -To turn off the unlock server, the PXE provider can be unregistered from the WDS server or uninstalled altogether. However, to stop clients from creating network unlock protectors, the **Allow Network Unlock at startup** group policy setting should be disabled. When this policy setting is updated to **disabled** on client computers, any Network Unlock key protector on the computer is deleted. Alternatively, the BitLocker network unlock certificate policy can be deleted on the domain controller to accomplish the same task for an entire domain. +To turn off the unlock server, the PXE provider can be unregistered from the WDS server or uninstalled altogether. However, to stop clients from creating Network Unlock protectors, the **Allow Network Unlock at startup** group policy setting should be disabled. When this policy setting is updated to **disabled** on client computers, any Network Unlock key protector on the computer is deleted. Alternatively, the BitLocker Network Unlock certificate policy can be deleted on the domain controller to accomplish the same task for an entire domain. > [!NOTE] -> Removing the FVE_NKP certificate store that contains the network unlock certificate and key on the WDS server will also effectively disable the server’s ability to respond to unlock requests for that certificate. However, this is seen as an error condition and is not a supported or recommended method for turning off the network unlock server. - -## Update Network Unlock certificates +> Removing the FVE_NKP certificate store that contains the Network Unlock certificate and key on the WDS server will also effectively disable the server's ability to respond to unlock requests for that certificate. However, this is seen as an error condition and is not a supported or recommended method for turning off the Network Unlock server. -To update the certificates used by network unlock, administrators need to import or generate the new certificate for the server and then update the network unlock certificate group policy setting on the domain controller. +## Update Network Unlock certificates + +To update the certificates used by Network Unlock, administrators need to import or generate the new certificate for the server, and then update the Network Unlock certificate group policy setting on the domain controller. > [!NOTE] > Servers that don't receive the Group Policy Object (GPO) will require a PIN when they boot. In such cases, find out why the server didn't receive the GPO to update the certificate. -## Troubleshoot Network Unlock +## Troubleshoot Network Unlock -Troubleshooting network unlock issues begins by verifying the environment. Many times, a small configuration issue can be the root cause of the failure. Items to verify include: +Troubleshooting Network Unlock issues begins by verifying the environment. Many times, a small configuration issue can be the root cause of the failure. Items to verify include: + +- Verify that the client hardware is UEFI-based and is on firmware version 2.3.1 and that the UEFI firmware is in native mode without a Compatibility Support Module (CSM) for BIOS mode enabled. Verification can be done by checking that the firmware doesn't have an option enabled such as "Legacy mode" or "Compatibility mode" or that the firmware doesn't appear to be in a BIOS-like mode. -- Verify that the client hardware is UEFI-based and is on firmware version 2.3.1 and that the UEFI firmware is in native mode without a Compatibility Support Module (CSM) for BIOS mode enabled. Do this by checking that the firmware does not have an option enabled such as "Legacy mode" or "Compatibility mode" or that the firmware does not appear to be in a BIOS-like mode. - All required roles and services are installed and started. -- Public and private certificates have been published and are in the proper certificate containers. The presence of the network unlock certificate can be verified in the Microsoft Management Console (MMC.exe) on the WDS server with the certificate snap-ins for the local computer enabled. The client certificate can be verified by checking the registry key **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP** on the client computer. -- Group policy for network unlock is enabled and linked to the appropriate domains. -- Verify whether group policy is reaching the clients properly. This can be done using the GPRESULT.exe or RSOP.msc utilities. + +- Public and private certificates have been published and are in the proper certificate containers. The presence of the Network Unlock certificate can be verified in the Microsoft Management Console (MMC.exe) on the WDS server with the certificate snap-ins for the local computer enabled. The client certificate can be verified by checking the registry key **`HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\FVE_NKP`** on the client computer. + +- Group policy for Network Unlock is enabled and linked to the appropriate domains. + +- Verify whether group policy is reaching the clients properly. Verification of group policy can be done using the `GPRESULT.exe` or `RSOP.msc` utilities. + - Verify whether the clients were rebooted after applying the policy. -- Verify whether the **Network (Certificate Based)** protector is listed on the client. This can be done using either manage-bde or Windows PowerShell cmdlets. For example, the following command will list the key protectors currently configured on the C: drive of the local computer: + +- Verify whether the **Network (Certificate Based)** protector is listed on the client. Verification of the protector can be done using either manage-bde or Windows PowerShell cmdlets. For example, the following command will list the key protectors currently configured on the C: drive of the local computer: ```powershell - manage-bde -protectors -get C: + manage-bde.exe -protectors -get C: ``` + > [!NOTE] - > Use the output of `manage-bde` along with the WDS debug log to determine whether the proper certificate thumbprint is being used for Network Unlock. - + > Use the output of `manage-bde.exe` along with the WDS debug log to determine whether the proper certificate thumbprint is being used for Network Unlock. + Gather the following files to troubleshoot BitLocker Network Unlock. - The Windows event logs. Specifically, get the BitLocker event logs and the Microsoft-Windows-Deployment-Services-Diagnostics-Debug log. - Debug logging is turned off by default for the WDS server role, so you need to enable it before you can retrieve it. Use either of the following two methods to turn on WDS debug logging. + Debug logging is turned off by default for the WDS server role. To retrieve WDS debug logs, the WDS debug logs first need to be enabled. Use either of the following two methods to turn on WDS debug logging. - - Start an elevated command prompt, and then run the following command: + - Start an elevated command prompt, and then run the following command: - ```cmd - wevtutil sl Microsoft-Windows-Deployment-Services-Diagnostics/Debug /e:true - ``` - - Open Event Viewer on the WDS server: + ```cmd + wevtutil.exe sl Microsoft-Windows-Deployment-Services-Diagnostics/Debug /e:true + ``` + + - Open **Event Viewer** on the WDS server: + + 1. In the left pane, navigate to **Applications and Services Logs** > **Microsoft** > **Windows** > **Deployment-Services-Diagnostics** > **Debug**. + 2. In the right pane, select **Enable Log**. - 1. In the left pane, select **Applications and Services Logs** > **Microsoft** > **Windows** > **Deployment-Services-Diagnostics** > **Debug**. - 1. In the right pane, select **Enable Log**. - The DHCP subnet configuration file (if one exists). -- The output of the BitLocker status on the volume. Gather this output into a text file by using `manage-bde -status`. Or in Windows PowerShell, use `Get-BitLockerVolume`. + +- The output of the BitLocker status on the volume. Gather this output into a text file by using `manage-bde.exe -status`. Or in Windows PowerShell, use `Get-BitLockerVolume`. + - The Network Monitor capture on the server that hosts the WDS role, filtered by client IP address. -## Configure Network Unlock Group Policy settings on earlier versions + -- [BitLocker overview](bitlocker-overview.md) -- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml) -- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md) +## Related articles + +- [BitLocker overview](bitlocker-overview.md) +- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml) +- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md) diff --git a/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.yml index 369d16d8e8..ad23cc6714 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.yml +++ b/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.yml @@ -2,25 +2,20 @@ metadata: title: BitLocker Key Management FAQ (Windows 10) description: Browse frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker. - ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee - ms.reviewer: - ms.prod: m365-security - ms.mktglfcycl: explore - ms.sitesec: library - ms.pagetype: security - ms.localizationpriority: medium - author: dansimp - ms.author: dansimp + ms.prod: windows-client + ms.technology: itpro-security + author: frankroj + ms.author: frankroj manager: aaroncz audience: ITPro - ms.collection: M365-security-compliance ms.topic: faq - ms.date: 02/28/2019 + ms.date: 11/08/2022 ms.custom: bitlocker title: BitLocker Key Management FAQ summary: | - **Applies to** - - Windows 10 + **Applies to:** + - Windows 10 and later + - Windows Server 2016 and later sections: @@ -28,9 +23,11 @@ sections: questions: - question: How can I authenticate or unlock my removable data drive? answer: | - You can unlock removable data drives by using a password, a smart card, or you can configure a SID protector to unlock a drive by using your domain credentials. After you've started encryption, the drive can also be automatically unlocked on a specific computer for a specific user account. System administrators can configure which options are available for users, as well as password complexity and minimum length requirements. To unlock by using a SID protector, use Manage-bde: + Removable data drives can be unlocked using a password or a smart card. An SID protector can also be configured to unlock a drive by using user domain credentials. After encryption has started, the drive can also be automatically unlocked on a specific computer for a specific user account. System administrators can configure which options are available for users including password complexity and minimum length requirements. To unlock by using a SID protector, use `manage-bde.exe`: - Manage-bde -protectors -add e: -sid domain\username + ```cmd + Manage-bde.exe -protectors -add e: -sid domain\username + ``` - question: What is the difference between a recovery password, recovery key, PIN, enhanced PIN, and startup key? answer: | @@ -38,83 +35,85 @@ sections: - question: How can the recovery password and recovery key be stored? answer: | - The recovery password and recovery key for an operating system drive or a fixed data drive can be saved to a folder, saved to one or more USB devices, saved to your Microsoft Account, or printed. + The recovery password and recovery key for an operating system drive or a fixed data drive can be saved to a folder, saved to one or more USB devices, saved to a Microsoft Account, or printed. - For removable data drives, the recovery password and recovery key can be saved to a folder, saved to your Microsoft Account, or printed. By default, you cannot store a recovery key for a removable drive on a removable drive. + For removable data drives, the recovery password and recovery key can be saved to a folder, saved to a Microsoft Account, or printed. By default, a recovery key for a removable drive can't be stored on a removable drive. - A domain administrator can additionally configure Group Policy to automatically generate recovery passwords and store them in Active Directory Domain Services (AD DS) for any BitLocker-protected drive. + A domain administrator can also configure Group Policy to automatically generate recovery passwords and store them in Active Directory Domain Services (AD DS) for any BitLocker-protected drive. - question: Is it possible to add an additional method of authentication without decrypting the drive if I only have the TPM authentication method enabled? answer: | - You can use the Manage-bde.exe command-line tool to replace your TPM-only authentication mode with a multifactor authentication mode. For example, if BitLocker is enabled with TPM authentication only and you want to add PIN authentication, use the following commands from an elevated command prompt, replacing *4-20 digit numeric PIN* with the numeric PIN you want to use: + The `Manage-bde.exe` command-line tool can be used to replace TPM-only authentication mode with a multifactor authentication mode. For example, if BitLocker is enabled with TPM authentication only and PIN authentication needs to be added, use the following commands from an elevated command prompt, replacing *4-20 digit numeric PIN* with the desired numeric PIN: - manage-bde –protectors –delete %systemdrive% -type tpm - - manage-bde –protectors –add %systemdrive% -tpmandpin 4-20 digit numeric PIN + ```cmd + manage-bde.exe -protectors -delete %systemdrive% -type tpm + + manage-bde.exe -protectors -add %systemdrive% -tpmandpin <4-20 digit numeric PIN> + ``` - question: When should an additional method of authentication be considered? answer: | - New hardware that meets [Windows Hardware Compatibility Program](/windows-hardware/design/compatibility/) requirements make a PIN less critical as a mitigation, and having a TPM-only protector is likely sufficient when combined with policies like device lockout. For example, Surface Pro and Surface Book do not have external DMA ports to attack. - For older hardware, where a PIN may be needed, it’s recommended to enable [enhanced PINs](bitlocker-group-policy-settings.md#bkmk-unlockpol2) that allow non-numeric characters such as letters and punctuation marks, and to set the PIN length based on your risk tolerance and the hardware anti-hammering capabilities available to the TPMs in your computers. + New hardware that meets [Windows Hardware Compatibility Program](/windows-hardware/design/compatibility/) requirements make a PIN less critical as a mitigation, and having a TPM-only protector is likely sufficient when combined with policies like device lockout. For example, Surface Pro and Surface Book don't have external DMA ports to attack. + For older hardware, where a PIN may be needed, it's recommended to enable [enhanced PINs](bitlocker-group-policy-settings.md#allow-enhanced-pins-for-startup) that allow non-numeric characters such as letters and punctuation marks, and to set the PIN length based on the risk tolerance and the hardware anti-hammering capabilities available to the TPMs on the computers. - question: If I lose my recovery information, will the BitLocker-protected data be unrecoverable? answer: | BitLocker is designed to make the encrypted drive unrecoverable without the required authentication. When in recovery mode, the user needs the recovery password or recovery key to unlock the encrypted drive. > [!IMPORTANT] - > Store the recovery information in AD DS, along with your Microsoft Account, or another safe location. + > Store the recovery information in AD DS, along with in a Microsoft Account, or another safe location. - question: Can the USB flash drive that is used as the startup key also be used to store the recovery key? - answer: While this is technically possible, it is not a best practice to use one USB flash drive to store both keys. If the USB flash drive that contains your startup key is lost or stolen, you also lose access to your recovery key. In addition, inserting this key would cause your computer to automatically boot from the recovery key even if TPM-measured files have changed, which circumvents the TPM's system integrity check. + answer: While using a USB flash drive as both the startup key and for storage of the recovery key is technically possible, it isn't a best practice to use one USB flash drive to store both keys. If the USB flash drive that contains the startup key is lost or stolen, the recovery key will also be lost. In addition, inserting this key would cause the computer to automatically boot from the recovery key even if TPM-measured files have changed, which circumvents the TPM's system integrity check. - question: Can I save the startup key on multiple USB flash drives? - answer: Yes, you can save a computer's startup key on multiple USB flash drives. Right-clicking a BitLocker-protected drive and selecting **Manage BitLocker** will provide you the options to duplicate the recovery keys as needed. + answer: Yes, computer's startup key can be saved on multiple USB flash drives. Right-clicking a BitLocker-protected drive and selecting **Manage BitLocker** will provide the options to save the recovery keys on additional USB flash drives as needed. - question: Can I save multiple (different) startup keys on the same USB flash drive? - answer: Yes, you can save BitLocker startup keys for different computers on the same USB flash drive. + answer: Yes, BitLocker startup keys for different computers can be saved on the same USB flash drive. - question: Can I generate multiple (different) startup keys for the same computer? - answer: You can generate different startup keys for the same computer through scripting. However, for computers that have a TPM, creating different startup keys prevents BitLocker from using the TPM's system integrity check. + answer: Generating different startup keys for the same computer can be done through scripting. However, for computers that have a TPM, creating different startup keys prevents BitLocker from using the TPM's system integrity check. - question: Can I generate multiple PIN combinations? - answer: You cannot generate multiple PIN combinations. + answer: Generating multiple PIN combinations can't be done. - question: What encryption keys are used in BitLocker? How do they work together? - answer: Raw data is encrypted with the full volume encryption key, which is then encrypted with the volume master key. The volume master key is in turn encrypted by one of several possible methods depending on your authentication (that is, key protectors or TPM) and recovery scenarios. + answer: Raw data is encrypted with the full volume encryption key, which is then encrypted with the volume master key. The volume master key is in turn encrypted by one of several possible methods depending on the authentication (that is, key protectors or TPM) and recovery scenarios. - question: Where are the encryption keys stored? answer: | The full volume encryption key is encrypted by the volume master key and stored in the encrypted drive. The volume master key is encrypted by the appropriate key protector and stored in the encrypted drive. If BitLocker has been suspended, the clear key that is used to encrypt the volume master key is also stored in the encrypted drive, along with the encrypted volume master key. - This storage process ensures that the volume master key is never stored unencrypted and is protected unless you disable BitLocker. The keys are also saved to two additional locations on the drive for redundancy. The keys can be read and processed by the boot manager. + This storage process ensures that the volume master key is never stored unencrypted and is protected unless BitLocker is disabled. The keys are also saved to two additional locations on the drive for redundancy. The keys can be read and processed by the boot manager. - question: Why do I have to use the function keys to enter the PIN or the 48-character recovery password? answer: | - The F1 through F10 keys are universally mapped scan codes available in the pre-boot environment on all computers and in all languages. The numeric keys 0 through 9 are not usable in the pre-boot environment on all keyboards. + The F1 through F10 keys are universally mapped scan codes available in the pre-boot environment on all computers and in all languages. The numeric keys 0 through 9 aren't usable in the pre-boot environment on all keyboards. When using an enhanced PIN, users should run the optional system check during the BitLocker setup process to ensure that the PIN can be entered correctly in the pre-boot environment. - question: How does BitLocker help prevent an attacker from discovering the PIN that unlocks my operating system drive? answer: | - It is possible that a personal identification number (PIN) can be discovered by an attacker performing a brute force attack. A brute force attack occurs when an attacker uses an automated tool to try different PIN combinations until the correct one is discovered. For BitLocker-protected computers, this type of attack, also known as a dictionary attack, requires that the attacker have physical access to the computer. + It's possible that a personal identification number (PIN) can be discovered by an attacker performing a brute force attack. A brute force attack occurs when an attacker uses an automated tool to try different PIN combinations until the correct one is discovered. For BitLocker-protected computers, this type of attack, also known as a dictionary attack, requires that the attacker has physical access to the computer. - The TPM has the built-in ability to detect and react to these types of attacks. Because different manufacturers' TPMs may support different PIN and attack mitigations, contact your TPM's manufacturer to determine how your computer's TPM mitigates PIN brute force attacks. - After you have determined your TPM's manufacturer, contact the manufacturer to gather the TPM's vendor-specific information. Most manufacturers use the PIN authentication failure count to exponentially increase lockout time to the PIN interface. However, each manufacturer has different policies regarding when and how the failure counter is decreased or reset. + The TPM has the built-in ability to detect and react to these types of attacks. Because different manufacturers' TPMs may support different PIN and attack mitigations, contact the TPM's manufacturer to determine how the computer's TPM mitigates PIN brute force attacks. + After the TPM's manufacturer has been determined, contact the manufacturer to gather the TPM's vendor-specific information. Most manufacturers use the PIN authentication failure count to exponentially increase lockout time to the PIN interface. However, each manufacturer has different policies regarding when and how the failure counter is decreased or reset. - question: How can I determine the manufacturer of my TPM? - answer: You can determine your TPM manufacturer in **Windows Defender Security Center** > **Device Security** > **Security processor details**. + answer: The TPM manufacturer can be determined in **Windows Defender Security Center** > **Device Security** > **Security processor details**. - question: How can I evaluate a TPM's dictionary attack mitigation mechanism? answer: | - The following questions can assist you when asking a TPM manufacturer about the design of a dictionary attack mitigation mechanism: + The following questions can assist when asking a TPM manufacturer about the design of a dictionary attack mitigation mechanism: - - How many failed authorization attempts can occur before lockout? - - What is the algorithm for determining the duration of a lockout based on the number of failed attempts and any other relevant parameters? - - What actions can cause the failure count and lockout duration to be decreased or reset? + - How many failed authorization attempts can occur before lockout? + - What is the algorithm for determining the duration of a lockout based on the number of failed attempts and any other relevant parameters? + - What actions can cause the failure count and lockout duration to be decreased or reset? - question: Can PIN length and complexity be managed with Group Policy? answer: | - Yes and No. You can configure the minimum personal identification number (PIN) length by using the **Configure minimum PIN length for startup** Group Policy setting and allow the use of alphanumeric PINs by enabling the **Allow enhanced PINs for startup** Group Policy setting. However, you cannot require PIN complexity by Group Policy. + Yes and No. The minimum personal identification number (PIN) length can be configured by using the **Configure minimum PIN length for startup** Group Policy setting and allow the use of alphanumeric PINs by enabling the **Allow enhanced PINs for startup** Group Policy setting. However, PIN complexity can't be required via Group Policy. For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md). diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md index cc4705af8e..b86eb930d8 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md +++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md @@ -3,64 +3,64 @@ title: BitLocker Management Recommendations for Enterprises (Windows 10) description: Refer to relevant documentation, products, and services to learn about managing BitLocker for enterprises and see recommendations for different computers. ms.prod: windows-client ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: frankroj +ms.author: frankroj manager: aaroncz -ms.collection: - - M365-security-compliance ms.topic: conceptual -ms.date: 02/28/2019 +ms.date: 11/08/2022 ms.custom: bitlocker +ms.technology: itpro-security --- # BitLocker management for enterprises -The ideal solution for BitLocker management is to eliminate the need for IT administrators to set management policies using tools or other mechanisms by having Windows perform tasks that are more practical to automate. This vision leverages modern hardware developments. The growth of TPM 2.0, secure boot, and other hardware improvements, for example, have helped to alleviate the support burden on the helpdesk, and we are seeing a consequent decrease in support-call volumes, yielding improved user satisfaction. Windows continues to be the focus for new features and improvements for built-in encryption management, such as automatically enabling encryption on devices that support Modern Standby beginning with Windows 8.1. +The ideal solution for BitLocker management is to eliminate the need for IT administrators to set management policies using tools or other mechanisms by having Windows perform tasks that are more practical to automate. This vision leverages modern hardware developments. The growth of TPM 2.0, secure boot, and other hardware improvements, for example, have helped to alleviate the support burden on help desks and a decrease in support-call volumes, yielding improved user satisfaction. Windows continues to be the focus for new features and improvements for built-in encryption management, such as automatically enabling encryption on devices that support Modern Standby beginning with Windows 8.1. -Though much Windows BitLocker [documentation](bitlocker-overview.md) has been published, customers frequently ask for recommendations and pointers to specific, task-oriented documentation that is both easy to digest and focused on how to deploy and manage BitLocker. This article links to relevant documentation, products, and services to help answer this and other related frequently asked questions, and also provides BitLocker recommendations for different types of computers. - - -> [!IMPORTANT] -> Microsoft BitLocker Administration and Monitoring (MBAM) capabilities will be offered from [ConfigMgr in on-prem scenarios](/configmgr/core/get-started/2019/technical-preview-1909#bkmk_bitlocker/) in the future. +Though much Windows [BitLocker documentation](bitlocker-overview.md) has been published, customers frequently ask for recommendations and pointers to specific, task-oriented documentation that is both easy to digest and focused on how to deploy and manage BitLocker. This article links to relevant documentation, products, and services to help answer this and other related frequently asked questions, and also provides BitLocker recommendations for different types of computers. ## Managing domain-joined computers and moving to cloud -Companies that image their own computers using Configuration Manager can use an existing task sequence to [pre-provision BitLocker](/configmgr/osd/understand/task-sequence-steps#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](/configmgr/osd/understand/task-sequence-steps#BKMK_EnableBitLocker). This can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, a company could also decide to use Configuration Manager to pre-set any desired [BitLocker Group Policy](./bitlocker-group-policy-settings.md). +Companies that image their own computers using Configuration Manager can use an existing task sequence to [pre-provision BitLocker](/configmgr/osd/understand/task-sequence-steps#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](/configmgr/osd/understand/task-sequence-steps#BKMK_EnableBitLocker). These steps during an operating system deployment can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, a company could also decide to use Configuration Manager to pre-set any desired [BitLocker Group Policy](./bitlocker-group-policy-settings.md). Enterprises can use [Microsoft BitLocker Administration and Monitoring (MBAM)](/microsoft-desktop-optimization-pack/mbam-v25/) to manage client computers with BitLocker that are domain-joined on-premises until [mainstream support ends in July 2019](/lifecycle/products/?alpha=Microsoft%20BitLocker%20Administration%20and%20Monitoring%202.5%20Service%20Pack%201%2F) or they can receive extended support until April 2026. Thus, over the next few years, a good strategy for enterprises will be to plan and move to cloud-based management for BitLocker. Refer to the [PowerShell examples](#powershell-examples) to see how to store recovery keys in Azure Active Directory (Azure AD). +> [!IMPORTANT] +> Microsoft BitLocker Administration and Monitoring (MBAM) capabilities are offered through Configuration Manager BitLocker Management. See [Plan for BitLocker management](/mem/configmgr/protect/plan-design/bitlocker-management) in the Configuration Manager documentation for additional information. + ## Managing devices joined to Azure Active Directory -Devices joined to Azure AD are managed using Mobile Device Management (MDM) policy from an MDM solution such as Microsoft Intune. Without Windows 10, version 1809, or Windows 11, only local administrators can enable BitLocker via Intune policy. Starting with Windows 10, version 1809, or Windows 11, Intune can enable BitLocker for standard users. [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) status can be queried from managed machines via the [Policy Configuration Settings Provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider/), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access/) to services like Exchange Online and SharePoint Online. +Devices joined to Azure AD are managed using Mobile Device Management (MDM) policy from an MDM solution such as Microsoft Intune. Prior to Windows 10, version 1809, only local administrators can enable BitLocker via Intune policy. Starting with Windows 10, version 1809, Intune can enable BitLocker for standard users. [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) status can be queried from managed machines via the [Policy Configuration Settings Provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider/), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access/) to services like Exchange Online and SharePoint Online. -Starting with Windows 10 version 1703 (also known as the Windows Creators Update), or Windows 11, the enablement of BitLocker can be triggered over MDM either by the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider/) or the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp/). The BitLocker CSP adds policy options that go beyond ensuring that encryption has occurred, and is available on computers that run Windows 11, Windows 10, and on Windows phones. +Starting with Windows 10 version 1703, the enablement of BitLocker can be triggered over MDM either by the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider/) or the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp/). The BitLocker CSP adds policy options that go beyond ensuring that encryption has occurred, and is available on computers that run Windows 11, Windows 10, and on Windows phones. -For hardware that is compliant with Modern Standby and HSTI, when using either of these features, [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) is automatically turned on whenever the user joins a device to Azure AD. Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if required. For older devices that are not yet encrypted, beginning with Windows 10 version 1703 (the Windows 10 Creators Update), or Windows 11, admins can use the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp/) to trigger encryption and store the recovery key in Azure AD. +For hardware that is compliant with Modern Standby and HSTI, when using either of these features, [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) is automatically turned on whenever the user joins a device to Azure AD. Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if necessary. For older devices that aren't yet encrypted, beginning with Windows 10 version 1703, admins can use the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp/) to trigger encryption and store the recovery key in Azure AD. This process and feature is applicable to Azure Hybrid AD as well. -This is applicable to Azure Hybrid AD as well. +> [!NOTE] +> To manage Bitlocker, except to enable and disable it, one of the following licenses must be assigned to your users: +> - Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, and E5). +> - Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 and A5). ## Managing workplace-joined PCs and phones For Windows PCs and Windows Phones that are enrolled using **Connect to work or school account**, BitLocker Device Encryption is managed over MDM, the same as devices joined to Azure AD. - ## Managing servers -Servers are often installed, configured, and deployed using PowerShell; therefore, the recommendation is to also use [PowerShell to enable BitLocker on a server](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#bitlocker-cmdlets-for-windows-powershell), ideally as part of the initial setup. BitLocker is an Optional Component (OC) in Windows Server; therefore, follow the directions in [BitLocker: How to deploy on Windows Server 2012 and later](bitlocker-how-to-deploy-on-windows-server.md) to add the BitLocker OC. +Servers are often installed, configured, and deployed using PowerShell; therefore, the recommendation is to also use [PowerShell to enable BitLocker on a server](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#bitlocker-cmdlets-for-windows-powershell), ideally as part of the initial setup. BitLocker is an Optional Component (OC) in Windows Server; therefore, follow the directions in [BitLocker: How to deploy on Windows Server 2012 and later](bitlocker-how-to-deploy-on-windows-server.md) to add the BitLocker OC. -The Minimal Server Interface is a prerequisite for some of the BitLocker administration tools. On a [Server Core](/windows-server/get-started/getting-started-with-server-core/) installation, you must add the necessary GUI components first. The steps to add shell components to Server Core are described in [Using Features on Demand with Updated Systems and Patched Images](/archive/blogs/server_core/using-features-on-demand-with-updated-systems-and-patched-images) and [How to update local source media to add roles and features](/archive/blogs/joscon/how-to-update-local-source-media-to-add-roles-and-features). +The Minimal Server Interface is a prerequisite for some of the BitLocker administration tools. On a [Server Core](/windows-server/get-started/getting-started-with-server-core/) installation, the necessary GUI components must be added first. The steps to add shell components to Server Core are described in [Using Features on Demand with Updated Systems and Patched Images](/archive/blogs/server_core/using-features-on-demand-with-updated-systems-and-patched-images) and [How to update local source media to add roles and features](/archive/blogs/joscon/how-to-update-local-source-media-to-add-roles-and-features). -If you are installing a server manually, such as a stand-alone server, then choosing [Server with Desktop Experience](/windows-server/get-started/getting-started-with-server-with-desktop-experience/) is the easiest path because you can avoid performing the steps to add a GUI to Server Core. +If a server is being installed manually, such as a stand-alone server, then choosing [Server with Desktop Experience](/windows-server/get-started/getting-started-with-server-with-desktop-experience/) is the easiest path because it avoids performing the steps to add a GUI to Server Core. - Additionally, lights-out data centers can take advantage of the enhanced security of a second factor while avoiding the need for user intervention during reboots by optionally using a combination of BitLocker (TPM+PIN) and BitLocker Network Unlock. BitLocker Network Unlock brings together the best of hardware protection, location dependence, and automatic unlock, while in the trusted location. For the configuration steps, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md). + Additionally, lights-out data centers can take advantage of the enhanced security of a second factor while avoiding the need for user intervention during reboots by optionally using a combination of BitLocker (TPM+PIN) and BitLocker Network Unlock. BitLocker Network Unlock brings together the best of hardware protection, location dependence, and automatic unlock, while in the trusted location. For the configuration steps, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md). + For more information, see the BitLocker FAQs article and other useful links in [Related Articles](#related-articles). - For more information, see the Bitlocker FAQs article and other useful links in [Related Articles](#related-articles). -  ## PowerShell examples For Azure AD-joined computers, including virtual machines, the recovery password should be stored in Azure AD. -*Example: Use PowerShell to add a recovery password and back it up to Azure AD before enabling BitLocker* +**Example**: *Use PowerShell to add a recovery password and back it up to Azure AD before enabling BitLocker* + ```powershell Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector @@ -69,9 +69,10 @@ $BLV = Get-BitLockerVolume -MountPoint "C:" BackupToAAD-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[0].KeyProtectorId ``` -For domain-joined computers, including servers, the recovery password should be stored in Active Directory Domain Services (AD DS). +For domain-joined computers, including servers, the recovery password should be stored in Active Directory Domain Services (AD DS). + +**Example**: *Use PowerShell to add a recovery password and back it up to AD DS before enabling BitLocker* -*Example: Use PowerShell to add a recovery password and back it up to AD DS before enabling BitLocker* ```powershell Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector @@ -80,55 +81,44 @@ $BLV = Get-BitLockerVolume -MountPoint "C:" Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[0].KeyProtectorId ``` -Subsequently, you can use PowerShell to enable BitLocker. +PowerShell can then be used to enable BitLocker: + +**Example**: *Use PowerShell to enable BitLocker with a TPM protector* -*Example: Use PowerShell to enable BitLocker with a TPM protector* ```powershell Enable-BitLocker -MountPoint "D:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector ``` -*Example: Use PowerShell to enable BitLocker with a TPM+PIN protector, in this case with a PIN set to 123456* +**Example**: *Use PowerShell to enable BitLocker with a TPM+PIN protector, in this case with a PIN set to 123456* + ```powershell $SecureString = ConvertTo-SecureString "123456" -AsPlainText -Force Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -Pin $SecureString -TPMandPinProtector -``` +``` ## Related Articles -[BitLocker: FAQs](bitlocker-frequently-asked-questions.yml) - -[Microsoft BitLocker Administration and Management (MBAM)](/microsoft-desktop-optimization-pack/mbam-v25/) - -[Overview of BitLocker Device Encryption in Windows](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) - -[BitLocker Group Policy Reference](./bitlocker-group-policy-settings.md) - -[Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune/) +- [BitLocker: FAQs](bitlocker-frequently-asked-questions.yml) +- [Microsoft BitLocker Administration and Management (MBAM)](/microsoft-desktop-optimization-pack/mbam-v25/) +- [Overview of BitLocker Device Encryption in Windows](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) +- [BitLocker Group Policy Reference](./bitlocker-group-policy-settings.md) +- [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune/) *(Overview)* - -[Configuration Settings Providers](/windows/client-management/mdm/policy-configuration-service-provider) +- [Configuration Settings Providers](/windows/client-management/mdm/policy-configuration-service-provider) *(Policy CSP: See [Security-RequireDeviceEncryption](/windows/client-management/mdm/policy-csp-security#security-policies))* +- [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp/) -[BitLocker CSP](/windows/client-management/mdm/bitlocker-csp/) +### Windows Server setup tools -**Windows Server setup tools** +- [Windows Server Installation Options](/windows-server/get-started-19/install-upgrade-migrate-19/) +- [How to update local source media to add roles and features](/archive/blogs/joscon/how-to-update-local-source-media-to-add-roles-and-features) +- [How to add or remove optional components on Server Core](/archive/blogs/server_core/using-features-on-demand-with-updated-systems-and-patched-images) *(Features on Demand)* +- [BitLocker: How to deploy on Windows Server 2012 and newer](bitlocker-how-to-deploy-on-windows-server.md) +- [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) +- [Shielded VMs and Guarded Fabric](https://blogs.technet.microsoft.com/windowsserver/2016/05/10/a-closer-look-at-shielded-vms-in-windows-server-2016/) -[Windows Server Installation Options](/windows-server/get-started-19/install-upgrade-migrate-19/) +### PowerShell -[How to update local source media to add roles and features](/archive/blogs/joscon/how-to-update-local-source-media-to-add-roles-and-features) - -[How to add or remove optional components on Server Core](/archive/blogs/server_core/using-features-on-demand-with-updated-systems-and-patched-images) *(Features on Demand)* - -[BitLocker: How to deploy on Windows Server 2012 and newer](bitlocker-how-to-deploy-on-windows-server.md) - -[BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) - -[Shielded VMs and Guarded Fabric](https://blogs.technet.microsoft.com/windowsserver/2016/05/10/a-closer-look-at-shielded-vms-in-windows-server-2016/) - - -**PowerShell** - -[BitLocker cmdlets for Windows PowerShell](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#bitlocker-cmdlets-for-windows-powershell) - -[Surface Pro Specifications](https://www.microsoft.com/surface/support/surface-pro-specs/) \ No newline at end of file +- [BitLocker cmdlets for Windows PowerShell](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#bitlocker-cmdlets-for-windows-powershell) +- [Surface Pro Specifications](https://www.microsoft.com/surface/support/surface-pro-specs/) diff --git a/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml index 11fe756cf9..9683743787 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml +++ b/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml @@ -2,24 +2,22 @@ metadata: title: BitLocker Network Unlock FAQ (Windows 10) description: Familiarize yourself with BitLocker Network Unlock. Learn how it can make desktop and server management easier within domain environments. - ms.prod: m365-security - ms.mktglfcycl: explore - ms.sitesec: library - ms.pagetype: security - ms.localizationpriority: medium - author: dansimp - ms.author: dansimp + ms.prod: windows-client + ms.technology: itpro-security + author: frankroj + ms.author: frankroj manager: aaroncz audience: ITPro - ms.collection: M365-security-compliance ms.topic: faq - ms.date: 02/28/2019 + ms.date: 11/08/2022 ms.reviewer: ms.custom: bitlocker title: BitLocker Network Unlock FAQ summary: | - **Applies to** - - Windows 10 + **Applies to:** + - Windows 10 + - Windows 11 + - Windows Server 2016 and above sections: - name: Ignored @@ -29,10 +27,10 @@ sections: answer: | BitLocker Network Unlock enables easier management for BitLocker-enabled desktops and servers that use the TPM+PIN protection method in a domain environment. When a computer that is connected to a wired corporate network is rebooted, Network Unlock allows the PIN entry prompt to be bypassed. It automatically unlocks BitLocker-protected operating system volumes by using a trusted key that is provided by the Windows Deployment Services server as its secondary authentication method. - To use Network Unlock you must also have a PIN configured for your computer. When your computer isn't connected to the network you'll need to provide the PIN to unlock it. + To use Network Unlock, a PIN must be configured for the computer. When the computer isn't connected to the network, a PIN will need to be provided to unlock it. - BitLocker Network Unlock has software and hardware requirements for both client computers, Windows Deployment services, and domain controllers that must be met before you can use it. + BitLocker Network Unlock has software and hardware requirements for both client computers, Windows Deployment services, and domain controllers that must be met before it can be used. - Network Unlock uses two protectors, the TPM protector and the one provided by the network or by your PIN, whereas automatic unlock uses a single protector, the one stored in the TPM. If the computer is joined to a network without the key protector, it will prompt you to enter your PIN. If the PIN isn't available, you'll need to use the recovery key to unlock the computer if it can't be connected to the network. + Network Unlock uses two protectors - the TPM protector and the protector provided by the network or by the PIN. Automatic unlock uses a single protector - the one stored in the TPM. If the computer is joined to a network without the key protector, it will prompt to enter a PIN. If the PIN isn't available, the recovery key will need to be used to unlock the computer if it can't be connected to the network. For more info, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md). diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml index 46325ab4f4..8398ff5cb5 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml +++ b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml @@ -2,28 +2,22 @@ metadata: title: BitLocker overview and requirements FAQ (Windows 10) description: This article for IT professionals answers frequently asked questions concerning the requirements to use BitLocker. - ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee - ms.reviewer: - ms.prod: m365-security - ms.mktglfcycl: explore - ms.sitesec: library - ms.pagetype: security - ms.localizationpriority: medium - author: dansimp - ms.author: dansimp + ms.prod: windows-client + ms.technology: itpro-security + author: frankroj + ms.author: frankroj manager: aaroncz audience: ITPro ms.collection: - - M365-security-compliance - highpri ms.topic: faq - ms.date: 07/27/2021 + ms.date: 11/08/2022 ms.custom: bitlocker title: BitLocker Overview and Requirements FAQ summary: | - **Applies to** - - Windows 10 - - Windows 11 + **Applies to:** + - Windows 10 and later + - Windows Server 2016 and later sections: @@ -33,21 +27,21 @@ sections: answer: | **How BitLocker works with operating system drives** - You can use BitLocker to mitigate unauthorized data access on lost or stolen computers by encrypting all user files and system files on the operating system drive, including the swap files and hibernation files, and checking the integrity of early boot components and boot configuration data. + BitLocker Can be used to mitigate unauthorized data access on lost or stolen computers by encrypting all user files and system files on the operating system drive, including the swap files and hibernation files, and checking the integrity of early boot components and boot configuration data. **How BitLocker works with fixed and removable data drives** - You can use BitLocker to encrypt the entire contents of a data drive. You can use Group Policy to require that BitLocker be enabled on a drive before the computer can write data to the drive. BitLocker can be configured with a variety of unlock methods for data drives, and a data drive supports multiple unlock methods. + BitLocker can be used to encrypt the entire contents of a data drive. Group Policy can be used to require BitLocker be enabled on a drive before the computer can write data to the drive. BitLocker can be configured with various unlock methods for data drives, and a data drive supports multiple unlock methods. - question: Does BitLocker support multifactor authentication? - answer: Yes, BitLocker supports multifactor authentication for operating system drives. If you enable BitLocker on a computer that has a TPM version 1.2 or later, you can use additional forms of authentication with the TPM protection. + answer: Yes, BitLocker supports multifactor authentication for operating system drives. If BitLocker is enabled on a computer that has a TPM version 1.2 or later, additional forms of authentication can be used with the TPM protection. - question: What are the BitLocker hardware and software requirements? answer: | For requirements, see [System requirements](bitlocker-overview.md#system-requirements). > [!NOTE] - > Dynamic disks are not supported by BitLocker. Dynamic data volumes will not be displayed in the Control Panel. Although the operating system volume will always be displayed in the Control Panel, regardless of whether it is a Dynamic disk, if it is a dynamic disk it cannot be protected by BitLocker. + > Dynamic disks aren't supported by BitLocker. Dynamic data volumes won't be displayed in the Control Panel. Although the operating system volume will always be displayed in the Control Panel, regardless of whether it's a Dynamic disk, if it's a dynamic disk it can't be protected by BitLocker. - question: Why are two partitions required? Why does the system drive have to be so large? answer: Two partitions are required to run BitLocker because pre-startup authentication and system integrity verification must occur on a separate partition from the encrypted operating system drive. This configuration helps protect the operating system and the information in the encrypted drive. @@ -57,27 +51,27 @@ sections: BitLocker supports TPM version 1.2 or higher. BitLocker support for TPM 2.0 requires Unified Extensible Firmware Interface (UEFI) for the device. > [!NOTE] - > TPM 2.0 is not supported in Legacy and CSM Modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security Enable the Secure Boot feature. + > TPM 2.0 isn't supported in Legacy and CSM Modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security, enable the Secure Boot feature. > - > Installed Operating System on hardware in legacy mode will stop the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](/windows/deployment/mbr-to-gpt) before changing the BIOS mode which will prepare the OS and the disk to support UEFI. + > Installed Operating System on hardware in legacy mode will stop the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](/windows/deployment/mbr-to-gpt) before changing the BIOS mode that will prepare the OS and the disk to support UEFI. - - question: How can I tell if a TPM is on my computer? - answer: Beginning with Windows 10, version 1803, you can check TPM status in **Windows Defender Security Center** > **Device Security** > **Security processor details**. In previous versions of Windows, open the TPM MMC console (tpm.msc) and look under the **Status** heading. You can also run [**Get-TPM**](/powershell/module/trustedplatformmodule/get-tpm?view=windowsserver2019-ps)** in PowerShell to get more details about the TPM on the current computer. + - question: How can I tell if a computer has a TPM? + answer: Beginning with Windows 10, version 1803, the TPM status can be checked in **Windows Defender Security Center** > **Device Security** > **Security processor details**. In previous versions of Windows, open the TPM MMC console (tpm.msc) and look under the **Status** heading. [**Get-TPM**](/powershell/module/trustedplatformmodule/get-tpm?view=windowsserver2019-ps)** can also be run in PowerShell to get more details about the TPM on the current computer. - question: Can I use BitLocker on an operating system drive without a TPM? answer: | - Yes, you can enable BitLocker on an operating system drive without a TPM version 1.2 or higher, if the BIOS or UEFI firmware has the ability to read from a USB flash drive in the boot environment. This is because BitLocker will not unlock the protected drive until BitLocker's own volume master key is first released by either the computer's TPM or by a USB flash drive containing the BitLocker startup key for that computer. However, computers without TPMs will not be able to use the system integrity verification that BitLocker can also provide. + Yes, BitLocker can be enabled on an operating system drive without a TPM version 1.2 or higher, if the BIOS or UEFI firmware has the ability to read from a USB flash drive in the boot environment. BitLocker won't unlock the protected drive until BitLocker's own volume master key is first released by either the computer's TPM or by a USB flash drive containing the BitLocker startup key for that computer. However, computers without TPMs won't be able to use the system integrity verification that BitLocker can also provide. To help determine whether a computer can read from a USB device during the boot process, use the BitLocker system check as part of the BitLocker setup process. This system check performs tests to confirm that the computer can properly read from the USB devices at the appropriate time and that the computer meets other BitLocker requirements. - question: How do I obtain BIOS support for the TPM on my computer? answer: | Contact the computer manufacturer to request a Trusted Computing Group (TCG)-compliant BIOS or UEFI boot firmware that meets the following requirements: - - It is compliant with the TCG standards for a client computer. - - It has a secure update mechanism to help prevent a malicious BIOS or boot firmware from being installed on the computer. + - It's compliant with the TCG standards for a client computer. + - It has a secure update mechanism to help prevent a malicious BIOS or boot firmware from being installed on the computer. - question: What credentials are required to use BitLocker? answer: To turn on, turn off, or change configurations of BitLocker on operating system and fixed data drives, membership in the local **Administrators** group is required. Standard users can turn on, turn off, or change configurations of BitLocker on removable data drives. - question: What is the recommended boot order for computers that are going to be BitLocker-protected? - answer: You should configure the startup options of your computer to have the hard disk drive first in the boot order, before any other drives such as CD/DVD drives or USB drives. If the hard disk is not first and you typically boot from hard disk, then a boot order change may be detected or assumed when removable media is found during boot. The boot order typically affects the system measurement that is verified by BitLocker and a change in boot order will cause you to be prompted for your BitLocker recovery key. For the same reason, if you have a laptop with a docking station, ensure that the hard disk drive is first in the boot order both when docked and undocked.  + answer: The computer's startup options should be configured to have the hard disk drive first in the boot order, before any other drives such as CD/DVD drives or USB drives. If the hard disk isn't first and the computer typically boots from the hard disk, then a boot order change may be detected or assumed when removable media is found during boot. The boot order typically affects the system measurement that is verified by BitLocker and a change in boot order will cause a prompt for the BitLocker recovery key. For the same reason, if a laptop is used with a docking station, ensure that the hard disk drive is first in the boot order both when the laptop is docked and undocked. diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview.md b/windows/security/information-protection/bitlocker/bitlocker-overview.md index 8d83958580..5cc2a4ae6c 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-overview.md +++ b/windows/security/information-protection/bitlocker/bitlocker-overview.md @@ -1,67 +1,68 @@ --- title: BitLocker -description: This topic provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features. -ms.author: dansimp +description: This article provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features. +ms.author: frankroj ms.prod: windows-client ms.localizationpriority: medium -author: dansimp +author: frankroj manager: aaroncz ms.collection: - - M365-security-compliance - highpri ms.topic: conceptual -ms.date: 01/26/2018 +ms.date: 11/08/2022 ms.custom: bitlocker +ms.technology: itpro-security --- # BitLocker -**Applies to** +**Applies to:** - Windows 10 - Windows 11 - Windows Server 2016 and above -This topic provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features. +This article provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features. -## BitLocker overview +## BitLocker overview BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. -BitLocker provides the maximum protection when used with a Trusted Platform Module (TPM) version 1.2 or later versions. The TPM is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer has not been tampered with while the system was offline. +BitLocker provides the maximum protection when used with a Trusted Platform Module (TPM) version 1.2 or later versions. The TPM is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer hasn't been tampered with while the system was offline. -On computers that do not have a TPM version 1.2 or later versions, you can still use BitLocker to encrypt the Windows operating system drive. However, this implementation requires the user to insert a USB startup key to start the computer or resume from hibernation. Starting with Windows 8, you can use an operating system volume password to protect the operating system volume on a computer without TPM. Both options do not provide the pre-startup system integrity verification offered by BitLocker with a TPM. +On computers that don't have a TPM version 1.2 or later versions, BitLocker can still be used to encrypt the Windows operating system drive. However, this implementation requires the user to insert a USB startup key to start the computer or resume from hibernation. Starting with Windows 8, an operating system volume password can be used to protect the operating system volume on a computer without TPM. Both options don't provide the pre-startup system integrity verification offered by BitLocker with a TPM. -In addition to the TPM, BitLocker offers the option to lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable device, such as a USB flash drive, that contains a startup key. These additional security measures provide multifactor authentication and assurance that the computer will not start or resume from hibernation until the correct PIN or startup key is presented. +In addition to the TPM, BitLocker offers the option to lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable device (such as a USB flash drive) that contains a startup key. These additional security measures provide multifactor authentication and assurance that the computer won't start or resume from hibernation until the correct PIN or startup key is presented. -## Practical applications +## Practical applications Data on a lost or stolen computer is vulnerable to unauthorized access, either by running a software-attack tool against it or by transferring the computer's hard disk to a different computer. BitLocker helps mitigate unauthorized data access by enhancing file and system protections. BitLocker also helps render data inaccessible when BitLocker-protected computers are decommissioned or recycled. -There are two additional tools in the Remote Server Administration Tools which you can use to manage BitLocker. +There are two additional tools in the Remote Server Administration Tools that can be used to manage BitLocker. -- **BitLocker Recovery Password Viewer**. The BitLocker Recovery Password Viewer enables you to locate and view BitLocker Drive Encryption recovery passwords that have been backed up to Active Directory Domain Services (AD DS). You can use this tool to help recover data that is stored on a drive that has been encrypted by using BitLocker. The BitLocker Recovery Password Viewer tool is an extension for the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in. - By using this tool, you can examine a computer object's **Properties** dialog box to view the corresponding BitLocker recovery passwords. Additionally, you can right-click a domain container and then search for a BitLocker recovery password across all the domains in the Active Directory forest. To view recovery passwords, you must be a domain administrator, or you must have been delegated permissions by a domain administrator. +- **BitLocker Recovery Password Viewer**. The BitLocker Recovery Password Viewer enables the BitLocker Drive Encryption recovery passwords that have been backed up to Active Directory Domain Services (AD DS) to be located and viewed. This tool can be used to help recover data that is stored on a drive that has been encrypted by using BitLocker. The BitLocker Recovery Password Viewer tool is an extension for the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in. -- **BitLocker Drive Encryption Tools**. BitLocker Drive Encryption Tools include the command-line tools, manage-bde and repair-bde, and the BitLocker cmdlets for Windows PowerShell. Both manage-bde and the BitLocker cmdlets can be used to perform any task that can be accomplished through the -BitLocker control panel, and they are appropriate to be used for automated deployments and other scripting scenarios. Repair-bde is provided for disaster recovery scenarios in which a BitLocker-protected drive cannot be unlocked normally or by using the recovery console. + By using this tool, a computer object's **Properties** dialog box can be examined to view the corresponding BitLocker recovery passwords. Additionally, a domain container can be searched for a BitLocker recovery password across all the domains in the Active Directory forest by right clicking on the domain container. Viewing recovery passwords can only be viewed by domain administrator or having delegated permissions by a domain administrator. -## New and changed functionality +- **BitLocker Drive Encryption Tools**. BitLocker Drive Encryption Tools include the command-line tools, manage-bde and repair-bde, and the BitLocker cmdlets for Windows PowerShell. Both manage-bde and the BitLocker cmdlets can be used to perform any task that can be accomplished through the +BitLocker control panel, and they're appropriate to be used for automated deployments and other scripting scenarios. Repair-bde is provided for disaster recovery scenarios in which a BitLocker-protected drive can't be unlocked normally or by using the recovery console. + +## New and changed functionality + +To find out what's new in BitLocker for Windows, such as support for the XTS-AES encryption algorithm, see [What's new in Windows 10, versions 1507 and 1511 for IT Pros: BitLocker](/windows/whats-new/whats-new-windows-10-version-1507-and-1511#bitlocker). -To find out what's new in BitLocker for Windows, such as support for the XTS-AES encryption algorithm, see the [BitLocker](/windows/whats-new/whats-new-windows-10-version-1507-and-1511#bitlocker) section in "What's new in Windows 10." -  ## System requirements BitLocker has the following hardware requirements: -For BitLocker to use the system integrity check provided by a TPM, the computer must have TPM 1.2 or later versions. If your computer does not have a TPM, enabling BitLocker makes it mandatory for you to save a startup key on a removable device, such as a USB flash drive. +For BitLocker to use the system integrity check provided by a TPM, the computer must have TPM 1.2 or later versions. If a computer doesn't have a TPM, saving a startup key on a removable drive, such as a USB flash drive, becomes mandatory when enabling BitLocker. -A computer with a TPM must also have a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware. The BIOS or UEFI firmware establishes a chain of trust for the pre-operating system startup, and it must include support for TCG-specified Static Root of Trust Measurement. A computer without a TPM does not require TCG-compliant firmware. +A computer with a TPM must also have a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware. The BIOS or UEFI firmware establishes a chain of trust for the pre-operating system startup, and it must include support for TCG-specified Static Root of Trust Measurement. A computer without a TPM doesn't require TCG-compliant firmware. The system BIOS or UEFI firmware (for TPM and non-TPM computers) must support the USB mass storage device class, including reading small files on a USB flash drive in the pre-operating system environment. > [!IMPORTANT] -> From Windows 7, you can encrypt an OS drive without a TPM and USB flash drive. For this procedure, see [Tip of the Day: Bitlocker without TPM or USB](https://social.technet.microsoft.com/Forums/en-US/eac2cc67-8442-42db-abad-2ed173879751/bitlocker-without-tpm?forum=win10itprosetup). +> From Windows 7, an OS drive can be encrypted without a TPM and USB flash drive. For this procedure, see [Tip of the Day: Bitlocker without TPM or USB](https://social.technet.microsoft.com/Forums/en-US/eac2cc67-8442-42db-abad-2ed173879751/bitlocker-without-tpm?forum=win10itprosetup). > [!NOTE] > TPM 2.0 is not supported in Legacy and Compatibility Support Module (CSM) modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as native UEFI only. The Legacy and CSM options must be disabled. For added security, enable the secure boot feature. @@ -70,35 +71,31 @@ The system BIOS or UEFI firmware (for TPM and non-TPM computers) must support th The hard disk must be partitioned with at least two drives: -- The operating system drive (or boot drive) contains the operating system and its support files. It must be formatted with the NTFS file system. -- The system drive contains the files that are needed to load Windows after the firmware has prepared the system hardware. BitLocker is not enabled on this drive. For BitLocker to work, the system drive must not be encrypted, must differ from the operating system drive, and must be formatted with the FAT32 file system on computers that use UEFI-based firmware or with the NTFS file system on computers that use BIOS firmware. We recommend that system drive be approximately 350 MB in size. After BitLocker is turned on, it should have approximately 250 MB of free space. +- The operating system drive (or boot drive) contains the operating system and its support files. It must be formatted with the NTFS file system. +- The system drive contains the files that are needed to load Windows after the firmware has prepared the system hardware. BitLocker isn't enabled on this drive. For BitLocker to work, the system drive must not be encrypted, must differ from the operating system drive, and must be formatted with the FAT32 file system on computers that use UEFI-based firmware or with the NTFS file system on computers that use BIOS firmware. It's recommended that the system drive be approximately 350 MB in size. After BitLocker is turned on, it should have approximately 250 MB of free space. When installed on a new computer, Windows automatically creates the partitions that are required for BitLocker. -A partition subject to encryption cannot be marked as an active partition (this applies to the operating system, fixed data, and removable data drives). +A partition subject to encryption can't be marked as an active partition. This requirement applies to the operating system drives, fixed data drives, and removable data drives. - -When installing the BitLocker optional component on a server, you will also need to install the Enhanced Storage feature, which is used to support hardware encrypted drives. +When installing the BitLocker optional component on a server, the Enhanced Storage feature also needs to be installed. The Enhanced Storage feature is used to support hardware encrypted drives. ## In this section -| Topic | Description | +| Article | Description | | - | - | -| [Overview of BitLocker Device Encryption in Windows 10](bitlocker-device-encryption-overview-windows-10.md) | This topic provides an overview of the ways in which BitLocker Device Encryption can help protect data on devices running Windows 10. | -| [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml) | This topic answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.| -| [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)| This topic explains the procedure you can use to plan your BitLocker deployment. | -| [BitLocker basic deployment](bitlocker-basic-deployment.md) | This topic explains how BitLocker features can be used to protect your data through drive encryption. | -| [BitLocker: How to deploy on Windows Server](bitlocker-how-to-deploy-on-windows-server.md)| This topic explains how to deploy BitLocker on Windows Server.| -| [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) | This topic describes how BitLocker Network Unlock works and how to configure it. | -| [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md)| This topic describes how to use tools to manage BitLocker.| -| [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md) | This topic describes how to use the BitLocker Recovery Password Viewer. | -| [BitLocker Group Policy settings](bitlocker-group-policy-settings.md) | This topic describes the function, location, and effect of each group policy setting that is used to manage BitLocker. | -| [BCD settings and BitLocker](bcd-settings-and-bitlocker.md) | This topic describes the BCD settings that are used by BitLocker.| -| [BitLocker Recovery Guide](bitlocker-recovery-guide-plan.md)| This topic describes how to recover BitLocker keys from AD DS. | -| [Protect BitLocker from pre-boot attacks](./bitlocker-countermeasures.md)| This detailed guide helps you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a device’s configuration. | -| [Troubleshoot BitLocker](troubleshoot-bitlocker.md) | This guide describes the resources that can help you troubleshoot BitLocker issues, and provides solutions for several common BitLocker issues. | -| [Protecting cluster shared volumes and storage area networks with BitLocker](protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)| This topic describes how to protect CSVs and SANs with BitLocker.| -| [Enabling Secure Boot and BitLocker Device Encryption on Windows IoT Core](/windows/iot-core/secure-your-device/SecureBootAndBitLocker) | This topic describes how to use BitLocker with Windows IoT Core | - - - +| [Overview of BitLocker Device Encryption in Windows 10](bitlocker-device-encryption-overview-windows-10.md) | This article provides an overview of the ways in which BitLocker Device Encryption can help protect data on devices running Windows 10. | +| [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml) | This article answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.| +| [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)| This article explains the procedure you can use to plan your BitLocker deployment. | +| [BitLocker basic deployment](bitlocker-basic-deployment.md) | This article explains how BitLocker features can be used to protect your data through drive encryption. | +| [BitLocker: How to deploy on Windows Server](bitlocker-how-to-deploy-on-windows-server.md)| This article explains how to deploy BitLocker on Windows Server.| +| [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) | This article describes how BitLocker Network Unlock works and how to configure it. | +| [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md)| This article describes how to use tools to manage BitLocker.| +| [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md) | This article describes how to use the BitLocker Recovery Password Viewer. | +| [BitLocker Group Policy settings](bitlocker-group-policy-settings.md) | This article describes the function, location, and effect of each group policy setting that is used to manage BitLocker. | +| [BCD settings and BitLocker](bcd-settings-and-bitlocker.md) | This article describes the BCD settings that are used by BitLocker.| +| [BitLocker Recovery Guide](bitlocker-recovery-guide-plan.md)| This article describes how to recover BitLocker keys from AD DS. | +| [Protect BitLocker from pre-boot attacks](./bitlocker-countermeasures.md)| This detailed guide helps you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a device's configuration. | +| [Troubleshoot BitLocker](/troubleshoot/windows-client/windows-security/bitlocker-issues-troubleshooting) | This guide describes the resources that can help you troubleshoot BitLocker issues, and provides solutions for several common BitLocker issues. | +| [Protecting cluster shared volumes and storage area networks with BitLocker](protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)| This article describes how to protect CSVs and SANs with BitLocker.| +| [Enabling Secure Boot and BitLocker Device Encryption on Windows IoT Core](/windows/iot-core/secure-your-device/SecureBootAndBitLocker) | This article describes how to use BitLocker with Windows IoT Core | diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md index 390b943e87..495549c66c 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md @@ -1,6 +1,6 @@ --- title: BitLocker recovery guide -description: This article for IT professionals describes how to recover BitLocker keys from Active Directory Domain Services (AD DS). +description: This article for IT professionals describes how to recover BitLocker keys from Active Directory Domain Services (AD DS). ms.prod: windows-client ms.technology: itpro-security ms.localizationpriority: medium @@ -9,10 +9,9 @@ ms.author: frankroj ms.reviewer: rafals manager: aaroncz ms.collection: - - M365-security-compliance - highpri ms.topic: conceptual -ms.date: 02/28/2019 +ms.date: 11/08/2022 ms.custom: bitlocker --- @@ -22,264 +21,312 @@ ms.custom: bitlocker - Windows 10 - Windows 11 -- Windows Server 2016 and later +- Windows Server 2016 and above This article describes how to recover BitLocker keys from AD DS. -Organizations can use BitLocker recovery information saved in Active Directory Domain Services (AD DS) to access BitLocker-protected data. It's recommended to create a recovery model for BitLocker while you are planning your BitLocker deployment. +Organizations can use BitLocker recovery information saved in Active Directory Domain Services (AD DS) to access BitLocker-protected data. It's recommended to create a recovery model for BitLocker while planning for BitLocker deployment. -This article assumes that you understand how to set up AD DS to back up BitLocker recovery information automatically, and what types of recovery information are saved to AD DS. +This article assumes that it's understood how to set up AD DS to back up BitLocker recovery information automatically, and what types of recovery information are saved to AD DS. -This article does not detail how to configure AD DS to store the BitLocker recovery information. +This article doesn't detail how to configure AD DS to store the BitLocker recovery information. +## What is BitLocker recovery? -## What is BitLocker recovery? +BitLocker recovery is the process by which access can be restored to a BitLocker-protected drive if the drive can't be unlocked normally. In a recovery scenario, the following options to restore access to the drive are available: -BitLocker recovery is the process by which you can restore access to a BitLocker-protected drive in the event that you cannot unlock the drive normally. In a recovery scenario, you have the following options to restore access to the drive: +- **The user can supply the recovery password.** If the organization allows users to print or store recovery passwords, the users can enter in the 48-digit recovery password that they printed or stored on a USB drive or with a Microsoft account online. Saving a recovery password with a Microsoft account online is only allowed when BitLocker is used on a PC that isn't a member of a domain. -- **The user can supply the recovery password.** If your organization allows users to print or store recovery passwords, the users can type in the 48-digit recovery password that they printed or stored on a USB drive or with your Microsoft account online. (Saving a recovery password with your Microsoft account online is only allowed when BitLocker is used on a PC that is not a member of a domain). -- **Data recovery agents can use their credentials to unlock the drive.** If the drive is an operating system drive, the drive must be mounted as a data drive on another computer for the data recovery agent to unlock it. -- **A domain administrator can obtain the recovery password from AD DS and use it to unlock the drive.** Storing recovery passwords in AD DS is recommended to provide a way for IT professionals to be able to obtain recovery passwords for drives in their organization if needed. This method makes it mandatory for you to enable this recovery method in the BitLocker group policy setting **Choose how BitLocker-protected operating system drives can be recovered** located at **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives** in the Local Group Policy Editor. For more information, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md). +- **Data recovery agents can use their credentials to unlock the drive.** If the drive is an operating system drive, the drive must be mounted as a data drive on another computer for the data recovery agent to unlock it. + +- **A domain administrator can obtain the recovery password from AD DS and use it to unlock the drive.** Storing recovery passwords in AD DS is recommended to provide a way for IT professionals to be able to obtain recovery passwords for drives in an organization if needed. This method makes it mandatory to enable this recovery method in the BitLocker group policy setting **Choose how BitLocker-protected operating system drives can be recovered** located at **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** in the Local Group Policy Editor. For more information, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md). ### What causes BitLocker recovery? The following list provides examples of specific events that will cause BitLocker to enter recovery mode when attempting to start the operating system drive: -- On PCs that use BitLocker Drive Encryption, or on devices such as tablets or phones that use [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md) only, when an attack is detected, the device will immediately reboot and enter into BitLocker recovery mode. To take advantage of this functionality, administrators can set the **Interactive logon: Machine account lockout threshold** Group Policy setting located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** in the Local Group Policy Editor. Or they can use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](/Exchange/clients/exchange-activesync/exchange-activesync) (also configurable through [Microsoft Intune](/mem/intune)), to limit the number of failed password attempts before the device goes into Device Lockout. -- On devices with TPM 1.2, changing the BIOS or firmware boot device order causes BitLocker recovery. However, devices with TPM 2.0 do not start BitLocker recovery in this case. TPM 2.0 does not consider a firmware change of boot device order as a security threat because the OS Boot Loader is not compromised. +- On PCs that use BitLocker Drive Encryption, or on devices such as tablets or phones that use [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md) only, when an attack is detected, the device will immediately reboot and enter into BitLocker recovery mode. To take advantage of this functionality, administrators can set the **Interactive logon: Machine account lockout threshold** Group Policy setting located in **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** > **Security Options** in the Local Group Policy Editor. Or they can use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](/Exchange/clients/exchange-activesync/exchange-activesync) (also configurable through [Microsoft Intune](/mem/intune)), to limit the number of failed password attempts before the device goes into Device Lockout. + +- On devices with TPM 1.2, changing the BIOS or firmware boot device order causes BitLocker recovery. However, devices with TPM 2.0 don't start BitLocker recovery in this case. TPM 2.0 doesn't consider a firmware change of boot device order as a security threat because the OS Boot Loader isn't compromised. + - Having the CD or DVD drive before the hard drive in the BIOS boot order and then inserting or removing a CD or DVD. + - Failing to boot from a network drive before booting from the hard drive. -- Docking or undocking a portable computer. In some instances (depending on the computer manufacturer and the BIOS), the docking condition of the portable computer is part of the system measurement and must be consistent to validate the system status and unlock BitLocker. So if a portable computer is connected to its docking station when BitLocker is turned on, then it might also need to be connected to the docking station when it is unlocked. Conversely, if a portable computer is not connected to its docking station when BitLocker is turned on, then it might need to be disconnected from the docking station when it is unlocked. + +- Docking or undocking a portable computer. In some instances (depending on the computer manufacturer and the BIOS), the docking condition of the portable computer is part of the system measurement and must be consistent to validate the system status and unlock BitLocker. So if a portable computer is connected to its docking station when BitLocker is turned on, then it might also need to be connected to the docking station when it's unlocked. Conversely, if a portable computer isn't connected to its docking station when BitLocker is turned on, then it might need to be disconnected from the docking station when it's unlocked. + - Changes to the NTFS partition table on the disk including creating, deleting, or resizing a primary partition. + - Entering the personal identification number (PIN) incorrectly too many times so that the anti-hammering logic of the TPM is activated. Anti-hammering logic is software or hardware methods that increase the difficulty and cost of a brute force attack on a PIN by not accepting PIN entries until after a certain amount of time has passed. -- Turning off the support for reading the USB device in the pre-boot environment from the BIOS or UEFI firmware if you are using USB-based keys instead of a TPM. + +- Turning off the support for reading the USB device in the pre-boot environment from the BIOS or UEFI firmware if using USB-based keys instead of a TPM. + - Turning off, disabling, deactivating, or clearing the TPM. + - Upgrading critical early startup components, such as a BIOS or UEFI firmware upgrade, causing the related boot measurements to change. + - Forgetting the PIN when PIN authentication has been enabled. + - Updating option ROM firmware. + - Upgrading TPM firmware. + - Adding or removing hardware; for example, inserting a new card in the computer, including some PCMIA wireless cards. + - Removing, inserting, or completely depleting the charge on a smart battery on a portable computer. + - Changes to the master boot record on the disk. + - Changes to the boot manager on the disk. -- Hiding the TPM from the operating system. Some BIOS or UEFI settings can be used to prevent the enumeration of the TPM to the operating system. When implemented, this option can make the TPM hidden from the operating system. When the TPM is hidden, BIOS and UEFI secure startup are disabled, and the TPM does not respond to commands from any software. -- Using a different keyboard that does not correctly enter the PIN or whose keyboard map does not match the keyboard map assumed by the pre-boot environment. This problem can prevent the entry of enhanced PINs. + +- Hiding the TPM from the operating system. Some BIOS or UEFI settings can be used to prevent the enumeration of the TPM to the operating system. When implemented, this option can make the TPM hidden from the operating system. When the TPM is hidden, BIOS and UEFI secure startup are disabled, and the TPM doesn't respond to commands from any software. + +- Using a different keyboard that doesn't correctly enter the PIN or whose keyboard map doesn't match the keyboard map assumed by the pre-boot environment. This problem can prevent the entry of enhanced PINs. + - Modifying the Platform Configuration Registers (PCRs) used by the TPM validation profile. For example, including **PCR\[1\]** would result in BitLocker measuring most changes to BIOS settings, causing BitLocker to enter recovery mode even when non-boot critical BIOS settings change. > [!NOTE] > Some computers have BIOS settings that skip measurements to certain PCRs, such as **PCR\[2\]**. Changing this setting in the BIOS would cause BitLocker to enter recovery mode because the PCR measurement will be different. - Moving the BitLocker-protected drive into a new computer. + - Upgrading the motherboard to a new one with a new TPM. + - Losing the USB flash drive containing the startup key when startup key authentication has been enabled. + - Failing the TPM self-test. -- Having a BIOS, UEFI firmware, or an option ROM component that is not compliant with the relevant Trusted Computing Group standards for a client computer. For example, a non-compliant implementation may record volatile data (such as time) in the TPM measurements, causing different measurements on each startup and causing BitLocker to start in recovery mode. + +- Having a BIOS, UEFI firmware, or an option ROM component that isn't compliant with the relevant Trusted Computing Group standards for a client computer. For example, a non-compliant implementation may record volatile data (such as time) in the TPM measurements, causing different measurements on each startup and causing BitLocker to start in recovery mode. + - Changing the usage authorization for the storage root key of the TPM to a non-zero value. > [!NOTE] > The BitLocker TPM initialization process sets the usage authorization value to zero, so another user or process must explicitly have changed this value. - Disabling the code integrity check or enabling test signing on Windows Boot Manager (Bootmgr). + - Pressing the F8 or F10 key during the boot process. + - Adding or removing add-in cards (such as video or network cards), or upgrading firmware on add-in cards. + - Using a BIOS hot key during the boot process to change the boot order to something other than the hard drive. - > [!NOTE] -> Before you begin recovery, we recommend that you determine what caused recovery. This might help prevent the problem from occurring again in the future. For instance, if you determine that an attacker has modified your computer by obtaining physical access, you can create new security policies for tracking who has physical presence. After the recovery password has been used to recover access to the PC, BitLocker reseals the encryption key to the current values of the measured components. - -For planned scenarios, such as a known hardware or firmware upgrades, you can avoid initiating recovery by temporarily suspending BitLocker protection. Because suspending BitLocker leaves the drive fully encrypted, the administrator can quickly resume BitLocker protection after the planned task has been completed. Using suspend and resume also reseals the encryption key without requiring the entry of the recovery key. +> Before beginning recovery, it is recommend to determine what caused recovery. This might help prevent the problem from occurring again in the future. For instance, if it is determined that an attacker has modified the computer by obtaining physical access, new security policies can be created for tracking who has physical presence. After the recovery password has been used to recover access to the PC, BitLocker reseals the encryption key to the current values of the measured components. + +For planned scenarios, such as a known hardware or firmware upgrades, initiating recovery can be avoided by temporarily suspending BitLocker protection. Because suspending BitLocker leaves the drive fully encrypted, the administrator can quickly resume BitLocker protection after the planned task has been completed. Using suspend and resume also reseals the encryption key without requiring the entry of the recovery key. > [!NOTE] > If suspended BitLocker will automatically resume protection when the PC is rebooted, unless a reboot count is specified using the manage-bde command line tool. -If software maintenance requires the computer to be restarted and you are using two-factor authentication, you can enable BitLocker network unlock feature to provide the secondary authentication factor when the computers do not have an on-premises user to provide the additional authentication method. +If software maintenance requires the computer to be restarted and two-factor authentication is being used, the BitLocker network unlock feature can be enabled to provide the secondary authentication factor when the computers don't have an on-premises user to provide the additional authentication method. -Recovery has been described within the context of unplanned or undesired behavior, but you can also cause recovery as an intended production scenario, in order to manage access control. For example, when you redeploy desktop or laptop computers to other departments or employees in your enterprise, you can force BitLocker into recovery before the computer is given to a new user. +Recovery has been described within the context of unplanned or undesired behavior. However, recovery can also be caused as an intended production scenario, for example in order to manage access control. When desktop or laptop computers are redeployed to other departments or employees in the enterprise, BitLocker can be forced into recovery before the computer is given to a new user. -## Testing recovery +## Testing recovery -Before you create a thorough BitLocker recovery process, we recommend that you test how the recovery process works for both end users (people who call your helpdesk for the recovery password) and administrators (people who help the end user get the recovery password). The -forcerecovery command of manage-bde is an easy way for you to step through the recovery process before your users encounter a recovery situation. +Before a thorough BitLocker recovery process is created, it's recommended to test how the recovery process works for both end users (people who call the helpdesk for the recovery password) and administrators (people who help the end user get the recovery password). The `-forcerecovery` command of `manage-bde.exe` is an easy way to step through the recovery process before users encounter a recovery situation. **To force a recovery for the local computer:** -1. Select the **Start** button, type **cmd** in the **Start Search** box, and select and hold **cmd.exe**, and then select **Run as administrator**. -2. At the command prompt, type the following command and then press **ENTER**: +1. Select the **Start** button and type in **cmd** - `manage-bde -forcerecovery ` +2. Right select on **cmd.exe** or **Command Prompt** and then select **Run as administrator**. + +3. At the command prompt, enter the following command: + + ```cmd + manage-bde.exe -forcerecovery + ``` **To force recovery for a remote computer:** -1. On the Start screen, type **cmd.exe**, and then select **Run as administrator**. +1. Select the **Start** button and type in **cmd** -2. At the command prompt, type the following command and then press **ENTER**: +2. Right select on **cmd.exe** or **Command Prompt** and then select **Run as administrator**. - `manage-bde -ComputerName -forcerecovery ` +3. At the command prompt, enter the following command: + + ```cmd + manage-bde.exe -ComputerName -forcerecovery + ``` > [!NOTE] > Recovery triggered by `-forcerecovery` persists for multiple restarts until a TPM protector is added or protection is suspended by the user. When using Modern Standby devices (such as Surface devices), the `-forcerecovery` option is not recommended because BitLocker will have to be unlocked and disabled manually from the WinRE environment before the OS can boot up again. For more information, see [BitLocker Troubleshooting: Continuous reboot loop with BitLocker recovery on a slate device](https://social.technet.microsoft.com/wiki/contents/articles/18671.bitlocker-troubleshooting-continuous-reboot-loop-with-bitlocker-recovery-on-a-slate-device.aspx). +## Planning the recovery process -## Planning your recovery process +When planning the BitLocker recovery process, first consult the organization's current best practices for recovering sensitive information. For example: How does the enterprise handle lost Windows passwords? How does the organization perform smart card PIN resets? These best practices and related resources (people and tools) can be used to help formulate a BitLocker recovery model. -When planning the BitLocker recovery process, first consult your organization's current best practices for recovering sensitive information. For example: How does your enterprise handle lost Windows passwords? How does your organization perform smart card PIN resets? You can use these best practices and related resources (people and tools) to help formulate a BitLocker recovery model. +Organizations that rely on BitLocker Drive Encryption and BitLocker To Go to protect data on a large number of computers and removable drives running the Windows 11, Windows 10, Windows 8, or Windows 7 operating systems and Windows to Go should consider using the Microsoft BitLocker Administration and Monitoring (MBAM) Tool version 2.0, which is included in the Microsoft Desktop Optimization Pack (MDOP) for Microsoft Software Assurance. MBAM makes BitLocker implementations easier to deploy and manage and allows administrators to provision and monitor encryption for operating system and fixed drives. MBAM prompts the user before encrypting fixed drives. MBAM also manages recovery keys for fixed and removable drives, making recovery easier to manage. MBAM can be used as part of a Microsoft System Center deployment or as a stand-alone solution. For more info, see [Microsoft BitLocker Administration and Monitoring](/microsoft-desktop-optimization-pack/mbam-v25/). -Organizations that rely on BitLocker Drive Encryption and BitLocker To Go to protect data on a large number of computers and removable drives running the Windows 11, Windows 10, Windows 8, or Windows 7 operating systems and Windows to Go should consider using the Microsoft BitLocker Administration and Monitoring (MBAM) Tool version 2.0, which is included in the Microsoft Desktop Optimization Pack (MDOP) for Microsoft Software Assurance. MBAM makes BitLocker implementations easier to deploy and manage and allows administrators to provision and monitor encryption for operating system and fixed drives. MBAM prompts the user before encrypting fixed drives. MBAM also manages recovery keys for fixed and removable drives, making recovery easier to manage. MBAM can be used as part of a Microsoft System Center deployment or as a stand-alone solution. For more info, see [Microsoft BitLocker Administration and Monitoring](/microsoft-desktop-optimization-pack/mbam-v25/). +After a BitLocker recovery has been initiated, users can use a recovery password to unlock access to encrypted data. Consider both self-recovery and recovery password retrieval methods for the organization. -After a BitLocker recovery has been initiated, users can use a recovery password to unlock access to encrypted data. Consider both self-recovery and recovery password retrieval methods for your organization. +When the recovery process is determined: -When you determine your recovery process, you should: +- Become familiar with how a recovery password can be retrieved. See: -- Become familiar with how you can retrieve the recovery password. See: - - - [Self-recovery](#bkmk-selfrecovery) - - [Recovery password retrieval](#bkmk-recoveryretrieval) + - [Self-recovery](#self-recovery) + - [Recovery password retrieval](#recovery-password-retrieval) - Determine a series of steps for post-recovery, including analyzing why the recovery occurred and resetting the recovery password. See: - - [Post-recovery analysis](#bkmk-planningpostrecovery) + - [Post-recovery analysis](#post-recovery-analysis) +### Self-recovery -### Self-recovery +In some cases, users might have the recovery password in a printout or a USB flash drive and can perform self-recovery. It's recommended that the organization creates a policy for self-recovery. If self-recovery includes using a password or recovery key stored on a USB flash drive, the users must be warned not to store the USB flash drive in the same place as the PC, especially during travel. For example, if both the PC and the recovery items are in the same bag it would be easy for access to be gained to the PC by an unauthorized user. Another policy to consider is having users contact the Helpdesk before or after performing self-recovery so that the root cause can be identified. -In some cases, users might have the recovery password in a printout or a USB flash drive and can perform self-recovery. We recommend that your organization creates a policy for self-recovery. If self-recovery includes using a password or recovery key stored on a USB flash drive, the users must be warned not to store the USB flash drive in the same place as the PC, especially during travel. For example, if both the PC and the recovery items are in the same bag it would be very easy for access to be gained to the PC by an unauthorized user. Another policy to consider is having users contact the Helpdesk before or after performing self-recovery so that the root cause can be identified. +### Recovery password retrieval -### Recovery password retrieval +If the user doesn't have a recovery password printed or on a USB flash drive, the user will need to be able to retrieve the recovery password from an online source. If the PC is a member of a domain, the recovery password can be backed up to AD DS. **However, back up of the recovery password to AD DS does not happen by default.** Backup of the recovery password to AD DS has to be configured via the appropriate group policy settings **before** BitLocker was enabled on the PC. BitLocker group policy settings can be found in the Local Group Policy Editor or the Group Policy Management Console (GPMC) under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption**. The following policy settings define the recovery methods that can be used to restore access to a BitLocker-protected drive if an authentication method fails or is unable to be used. -If the user does not have a recovery password in a printout or on a USB flash drive, the user will need to be able to retrieve the recovery password from an online source. If the PC is a member of a domain, the recovery password can be backed up to AD DS. However, this does not happen by default; you must have configured the appropriate group policy settings before BitLocker was enabled on the PC. BitLocker group policy settings can be found in the Local Group Policy Editor or the Group Policy Management Console (GPMC) under **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption**. The following policy settings define the recovery methods that can be used to restore access to a BitLocker-protected drive if an authentication method fails or is unable to be used. +- **Choose how BitLocker-protected operating system drives can be recovered** -- **Choose how BitLocker-protected operating system drives can be recovered** -- **Choose how BitLocker-protected fixed drives can be recovered** -- **Choose how BitLocker-protected removable drives can be recovered** -In each of these policies, select **Save BitLocker recovery information to Active Directory Domain Services** and then choose which BitLocker recovery information to store in AD DS. Check the **Do not enable BitLocker until recovery information is stored in AD -DS** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information for the drive to AD DS succeeds. +- **Choose how BitLocker-protected fixed drives can be recovered** + +- **Choose how BitLocker-protected removable drives can be recovered** + +In each of these policies, select **Save BitLocker recovery information to Active Directory Domain Services** and then choose which BitLocker recovery information to store in AD DS. Check the **Do not enable BitLocker until recovery information is stored in AD +DS** check box if it's desired to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information for the drive to AD DS succeeds. > [!NOTE] -> If the PCs are part of a workgroup, users are advised to save their BitLocker recovery password with their Microsoft account online. Having an online copy of your BitLocker recovery password is recommended to help ensure that you do not lose access to your data in the event of a recovery being required. - +> If the PCs are part of a workgroup, users are advised to save their BitLocker recovery password with their Microsoft account online. Having an online copy of the BitLocker recovery password is recommended to help ensure access to data is not lost in the event of a recovery being required. + The BitLocker Recovery Password Viewer for Active Directory Users and Computers tool allows domain administrators to view BitLocker recovery passwords for specific computer objects in Active Directory. -You can use the following list as a template for creating your own recovery process for recovery password retrieval. This sample process uses the BitLocker Recovery Password Viewer for Active Directory Users and Computers tool. +The following list can be used as a template for creating a recovery process for recovery password retrieval. This sample process uses the BitLocker Recovery Password Viewer for Active Directory Users and Computers tool. -- [Record the name of the user's computer](#bkmk-recordcomputername) -- [Verify the user's identity](#bkmk-verifyidentity) -- [Locate the recovery password in AD DS](#bkmk-locatepassword) -- [Gather information to determine why recovery occurred](#bkmk-gatherinfo) -- [Give the user the recovery password](#bkmk-givepassword) +- [Record the name of the user's computer](#record-the-name-of-the-users-computer) +- [Verify the user's identity](#verify-the-users-identity) +- [Locate the recovery password in AD DS](#locate-the-recovery-password-in-ad-ds) +- [Gather information to determine why recovery occurred](#gather-information-to-determine-why-recovery-occurred) +- [Give the user the recovery password](#give-the-user-the-recovery-password) +### Record the name of the user's computer -### Record the name of the user's computer +The name of the user's computer can be used to locate the recovery password in AD DS. If the user doesn't know the name of the computer, ask the user to read the first word of the **Drive Label** in the **BitLocker Drive Encryption Password Entry** user interface. This word is the computer name when BitLocker was enabled and is probably the current name of the computer. -You can use the name of the user's computer to locate the recovery password in AD DS. If the user does not know the name of the computer, ask the user to read the first word of the **Drive Label** in the **BitLocker Drive Encryption Password Entry** user interface. This is the computer name when BitLocker was enabled and is probably the current name of the computer. +### Verify the user's identity +The person who is asking for the recovery password should be verified as the authorized user of that computer. It should also be verified whether the computer for which the user provided the name belongs to the user. -### Verify the user's identity - -You should verify whether the person who is asking for the recovery password is truly the authorized user of that computer. You may also wish to verify whether the computer for which the user provided the name belongs to the user. - -### Locate the recovery password in AD DS - -Locate the computer object with the matching name in AD DS. Because computer object names are listed in the AD DS global catalog, you should be able to locate the object even if you have a multi-domain forest. +### Locate the recovery password in AD DS +Locate the computer object with the matching name in AD DS. Because computer object names are listed in the AD DS global catalog, the object should be able to be located even if it's a multi-domain forest. ### Multiple recovery passwords -If multiple recovery passwords are stored under a computer object in AD DS, the name of the BitLocker recovery information object includes the date on which the password was created. +If multiple recovery passwords are stored under a computer object in AD DS, the name of the BitLocker recovery information object includes the date on which the password was created. -If at any time you are unsure about the password to be provided, or if you think you might be providing the incorrect password, ask the user to read the 8-character password ID that is displayed in the recovery console. +To make sure the correct password is provided and/or to prevent providing the incorrect password, ask the user to read the eight character password ID that is displayed in the recovery console. -Since the password ID is a unique value that is associated with each recovery password stored in AD DS, running a query using this ID finds the correct password to unlock the encrypted volume. +Since the password ID is a unique value that is associated with each recovery password stored in AD DS, running a query using this ID finds the correct password to unlock the encrypted volume. +### Gather information to determine why recovery occurred -### Gather information to determine why recovery occurred +Before giving the user the recovery password, information should be gatherer that will help determine why the recovery was needed. This information can be used to analyze the root cause during the post-recovery analysis. For more information about post-recovery analysis, see [Post-recovery analysis](#post-recovery-analysis). -Before you give the user the recovery password, you should gather any information that will help determine why the recovery was needed, in order to analyze the root cause during the post-recovery analysis. For more information about post-recovery analysis, see [Post-recovery analysis](#bkmk-planningpostrecovery). +### Give the user the recovery password - -### Give the user the recovery password - -Because the recovery password is 48 digits long, the user may need to record the password by writing it down or typing it on a different computer. If you are using MBAM, the recovery password will be regenerated after it is recovered from the MBAM database to avoid the security risks associated with an uncontrolled password. +Because the recovery password is 48 digits long, the user may need to record the password by writing it down or typing it on a different computer. If using MBAM or Configuration Manager BitLocker Management, the recovery password will be regenerated after it's recovered from the MBAM or Configuration Manager database to avoid the security risks associated with an uncontrolled password. > [!NOTE] > Because the 48-digit recovery password is long and contains a combination of digits, the user might mishear or mistype the password. The boot-time recovery console uses built-in checksum numbers to detect input errors in each 6-digit block of the 48-digit recovery password, and offers the user the opportunity to correct such errors. -### Post-recovery analysis +### Post-recovery analysis -When a volume is unlocked using a recovery password, an event is written to the event log and the platform validation measurements are reset in the TPM to match the current configuration. Unlocking the volume means that the encryption key has been released and is ready for on-the-fly encryption when data is written to the volume, and on-the-fly decryption when data is read from the volume. After the volume is unlocked, BitLocker behaves the same way, regardless of how the access was granted. +When a volume is unlocked using a recovery password, an event is written to the event log, and the platform validation measurements are reset in the TPM to match the current configuration. Unlocking the volume means that the encryption key has been released and is ready for on-the-fly encryption when data is written to the volume, and on-the-fly decryption when data is read from the volume. After the volume is unlocked, BitLocker behaves the same way, regardless of how the access was granted. -If you notice that a computer is having repeated recovery password unlocks, you might want to have an administrator perform post-recovery analysis to determine the root cause of the recovery and refresh BitLocker platform validation so that the user no longer needs to enter a recovery password each time that the computer starts up. See: +If it's noticed that a computer is having repeated recovery password unlocks, an administrator might want to perform post-recovery analysis to determine the root cause of the recovery, and refresh BitLocker platform validation so that the user no longer needs to enter a recovery password each time that the computer starts up. For more information, see: -- [Determine the root cause of the recovery](#bkmk-determinecause) -- [Refresh BitLocker protection](#bkmk-refreshprotection) +- [Determine the root cause of the recovery](#determine-the-root-cause-of-the-recovery) +- [Resolve the root cause](#resolve-the-root-cause) -### Determine the root cause of the recovery +### Determine the root cause of the recovery -If a user needed to recover the drive, it is important to determine the root cause that initiated the recovery as soon as possible. Properly analyzing the state of the computer and detecting tampering may reveal threats that have broader implications for enterprise security. +If a user needed to recover the drive, it's important to determine the root cause that initiated the recovery as soon as possible. Properly analyzing the state of the computer and detecting tampering may reveal threats that have broader implications for enterprise security. While an administrator can remotely investigate the cause of recovery in some cases, the end user might need to bring the computer that contains the recovered drive on site to analyze the root cause further. -Review and answer the following questions for your organization: +Review and answer the following questions for the organization: -1. Which BitLocker protection mode is in effect (TPM, TPM + PIN, TPM + startup key, startup key only)? Which PCR profile is in use on the PC? -2. Did the user merely forget the PIN or lose the startup key? If a token was lost, where might the token be? -3. If TPM mode was in effect, was recovery caused by a boot file change? -4. If recovery was caused by a boot file change, is the boot file change due to an intended user action (for example, BIOS upgrade), or a malicious software? -5. When was the user last able to start the computer successfully, and what might have happened to the computer since then? -6. Might the user have encountered malicious software or left the computer unattended since the last successful startup? +1. Which BitLocker protection mode is in effect (TPM, TPM + PIN, TPM + startup key, startup key only)? Which PCR profile is in use on the PC? -To help you answer these questions, use the BitLocker command-line tool to view the current configuration and protection mode (for example, **manage-bde -status**). Scan the event log to find events that help indicate why recovery was initiated (for example, if a boot file change occurred). Both of these capabilities can be performed remotely. +2. Did the user merely forget the PIN or lose the startup key? If a token was lost, where might the token be? -### Resolve the root cause +3. If TPM mode was in effect, was recovery caused by a boot file change? -After you have identified what caused recovery, you can reset BitLocker protection and avoid recovery on every startup. +4. If recovery was caused by a boot file change, is the boot file change due to an intended user action (for example, BIOS upgrade), or a malicious software? -The details of this reset can vary according to the root cause of the recovery. If you cannot determine the root cause, or if a malicious software or a rootkit might have infected the computer, Helpdesk should apply best-practice virus policies to react appropriately. +5. When was the user last able to start the computer successfully, and what might have happened to the computer since then? + +6. Might the user have encountered malicious software or left the computer unattended since the last successful startup? + +To help answer these questions, use the BitLocker command-line tool to view the current configuration and protection mode: + +```cmd +manage-bde.exe -status +``` + +Scan the event log to find events that help indicate why recovery was initiated (for example, if a boot file change occurred). Both of these capabilities can be performed remotely. + +### Resolve the root cause + +After it has been identified what caused recovery, BitLocker protection can be reset to avoid recovery on every startup. + +The details of this reset can vary according to the root cause of the recovery. If root cause can't be determined, or if a malicious software or a rootkit might have infected the computer, Helpdesk should apply best-practice virus policies to react appropriately. > [!NOTE] -> You can perform a BitLocker validation profile reset by suspending and resuming BitLocker. +> BitLocker validation profile reset can be performed by suspending and resuming BitLocker. -- [Unknown PIN](#bkmk-unknownpin) -- [Lost startup key](#bkmk-loststartup) -- [Changes to boot files](#bkmk-changebootknown) +- [Unknown PIN](#unknown-pin) +- [Lost startup key](#lost-startup-key) +- [Changes to boot files](#changes-to-boot-files) +### Unknown PIN -### Unknown PIN +If a user has forgotten the PIN, the PIN must be reset while signed on to the computer in order to prevent BitLocker from initiating recovery each time the computer is restarted. -If a user has forgotten the PIN, you must reset the PIN while you are logged on to the computer in order to prevent BitLocker from initiating recovery each time the computer is restarted. +#### To prevent continued recovery due to an unknown PIN -**To prevent continued recovery due to an unknown PIN** +1. Unlock the computer using the recovery password. -1. Unlock the computer using the recovery password. -2. Reset the PIN: - 1. Select and hold the drive and then select **Change PIN** - 2. In the BitLocker Drive Encryption dialog, select **Reset a forgotten PIN**. If you are not logged in with an administrator account, you must provide administrative credentials at this time. - 3. In the PIN reset dialog, provide and confirm the new PIN to be used and then select **Finish**. -3. You will use the new PIN the next time you unlock the drive. +2. Reset the PIN: -### Lost startup key + 1. Select and hold the drive and then select **Change PIN** -If you have lost the USB flash drive that contains the startup key, then you must unlock the drive by using the recovery key and then create a new startup key. + 2. In the BitLocker Drive Encryption dialog, select **Reset a forgotten PIN**. If the signed in account isn't an administrator account, administrative credentials must be provided at this time. -**To prevent continued recovery due to a lost startup key** + 3. In the PIN reset dialog, provide and confirm the new PIN to be used and then select **Finish**. -1. Log on as an administrator to the computer that has its startup key lost. -2. Open Manage BitLocker. -3. Select **Duplicate start up key**, insert the clean USB drive on which you are going to write the key, and then select **Save**. +3. The new PIN can be used the next time the drive needs to be unlocked. -### Changes to boot files +### Lost startup key -This error occurs if you updated the firmware. As a best practice, you should suspend BitLocker before making changes to the firmware and then resume protection after the update has completed. This prevents the computer from going into recovery mode. However, if changes were made when BitLocker protection was on, you can simply log on to the computer using the recovery password and the platform validation profile will be updated so that recovery will not occur the next time. +If the USB flash drive that contains the startup key has been lost, then drive must be unlocked by using the recovery key. A new startup can then be created. + +#### To prevent continued recovery due to a lost startup key + +1. Sign in as an administrator to the computer that has its startup key lost. + +2. Open Manage BitLocker. + +3. Select **Duplicate start up key**, insert the clean USB drive where the key will be written, and then select **Save**. + +### Changes to boot files + +This error occurs if the firmware is updated. As a best practice, BitLocker should be suspended before making changes to the firmware. Protection should then be resumed after the firmware update has completed. Suspending BitLocker prevents the computer from going into recovery mode. However, if changes were made when BitLocker protection was on, the recovery password can be used to unlock the drive and the platform validation profile will be updated so that recovery won't occur the next time. ## Windows RE and BitLocker Device Encryption -Windows Recovery Environment (RE) can be used to recover access to a drive protected by [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md). If a PC is unable to boot after two failures, Startup Repair automatically starts. When Startup Repair is launched automatically due to boot failures, it executes only operating system and driver file repairs, provided that the boot logs or any available crash dump points to a specific corrupted file. In Windows 8.1 and later versions, devices that include firmware to support specific TPM measurements for PCR\[7\] **the TPM** can validate that Windows RE is a trusted operating environment and unlock any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example, the TPM has been disabled, the drives stay locked until the BitLocker recovery key is provided. If Startup Repair is not able to be run automatically from the PC and instead, Windows RE is manually started from a repair disk, the BitLocker recovery key must be provided to unlock the BitLocker–protected drives. +Windows Recovery Environment (RE) can be used to recover access to a drive protected by [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md). If a PC is unable to boot after two failures, Startup Repair automatically starts. When Startup Repair is launched automatically due to boot failures, it executes only operating system and driver file repairs if the boot logs or any available crash dump points to a specific corrupted file. In Windows 8.1 and later versions, devices that include firmware to support specific TPM measurements for PCR\[7\] **the TPM** can validate that Windows RE is a trusted operating environment and unlock any BitLocker-protected drives if Windows RE hasn't been modified. If the Windows RE environment has been modified, for example, the TPM has been disabled, the drives stay locked until the BitLocker recovery key is provided. If Startup Repair isn't able to run automatically from the PC and instead, Windows RE is manually started from a repair disk, the BitLocker recovery key must be provided to unlock the BitLocker-protected drives. -Windows RE will also ask for your BitLocker recovery key when you start a "Remove everything" reset from Windows RE on a device that uses the "TPM + PIN" or "Password for OS drive" protector. If you start BitLocker recovery on a keyboardless device with TPM-only protection, Windows RE, not the boot manager, will ask for the BitLocker recovery key. After you enter the key, you can access Windows RE troubleshooting tools or start Windows normally. +Windows RE will also ask for a BitLocker recovery key when a **Remove everything** reset from Windows RE is started on a device that uses **TPM + PIN** or **Password for OS drive** protectors. If BitLocker recovery is started on a keyboardless device with TPM-only protection, Windows RE, not the boot manager, will ask for the BitLocker recovery key. After the key is entered, Windows RE troubleshooting tools can be accessed, or Windows can be started normally. -The BitLocker recovery screen that's shown by Windows RE has the accessibility tools like narrator and on-screen keyboard to help you enter your BitLocker recovery key. If the BitLocker recovery key is requested by the Windows boot manager, those tools might not be available. +The BitLocker recovery screen that's shown by Windows RE has the accessibility tools like narrator and on-screen keyboard to help enter the BitLocker recovery key. If the BitLocker recovery key is requested by the Windows boot manager, those tools might not be available. -To activate the narrator during BitLocker recovery in Windows RE, press **Windows** + **CTRL** + **Enter**. -To activate the on-screen keyboard, tap on a text input control. +To activate the narrator during BitLocker recovery in Windows RE, press **Windows** + **CTRL** + **Enter**. To activate the on-screen keyboard, tap on a text input control. :::image type="content" source="images/bl-narrator.png" alt-text="A screenshot of the BitLocker recovery screen showing Narrator activated."::: @@ -287,44 +334,50 @@ To activate the on-screen keyboard, tap on a text input control. During BitLocker recovery, Windows displays a custom recovery message and a few hints that identify where a key can be retrieved from. These improvements can help a user during BitLocker recovery. - ### Custom recovery message -BitLocker Group Policy settings in Windows 10, version 1511, or Windows 11, let you configure a custom recovery message and URL on the BitLocker recovery screen, which can include the address of the BitLocker self-service recovery portal, the IT internal website, or a phone number for support. +BitLocker Group Policy settings starting in Windows 10, version 1511, allows configuring a custom recovery message and URL on the BitLocker recovery screen. The custom recovery message and URL can include the address of the BitLocker self-service recovery portal, the IT internal website, or a phone number for support. This policy can be configured using GPO under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** > **Configure pre-boot recovery message and URL**. -It can also be configured using Intune mobile device management (MDM) in the BitLocker CSP: -*\./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage\* +It can also be configured using mobile device management (MDM), including in Intune, using the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp): + +**`./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage`** ![Custom URL.](./images/bl-intune-custom-url.png) -Example of customized recovery screen: +Example of a customized recovery screen: ![Customized BitLocker Recovery Screen.](./images/bl-password-hint1.png) - ### BitLocker recovery key hints -BitLocker metadata has been enhanced in Windows 10, version 1903 or Windows 11 to include information about when and where the BitLocker recovery key was backed up. This information is not exposed through the UI or any public API. It is used solely by the BitLocker recovery screen in the form of hints to help a user locate a volume's recovery key. Hints are displayed on the recovery screen and refer to the location where the key has been saved. Hints are displayed on both the modern (blue) and legacy (black) recovery screen. This applies to both the boot manager recovery screen and the WinRE unlock screen. +BitLocker metadata has been enhanced starting in Windows 10, version 1903, to include information about when and where the BitLocker recovery key was backed up. This information isn't exposed through the UI or any public API. It's used solely by the BitLocker recovery screen in the form of hints to help a user locate a volume's recovery key. Hints are displayed on the recovery screen and refer to the location where the key has been saved. Hints are displayed on both the modern (blue) and legacy (black) recovery screen. The hints apply to both the boot manager recovery screen and the WinRE unlock screen. ![Customized BitLocker recovery screen.](./images/bl-password-hint2.png) > [!IMPORTANT] -> We don't recommend printing recovery keys or saving them to a file. Instead, use Active Directory backup or a cloud-based backup. Cloud-based backup includes Azure Active Directory (Azure AD) and Microsoft account. +> It is not recommend to print recovery keys or saving them to a file. Instead, use Active Directory backup or a cloud-based backup. Cloud-based backup includes Azure Active Directory (Azure AD) and Microsoft account. There are rules governing which hint is shown during the recovery (in the order of processing): 1. Always display custom recovery message if it has been configured (using GPO or MDM). -2. Always display generic hint: "For more information, go to https://aka.ms/recoverykeyfaq." -3. If multiple recovery keys exist on the volume, prioritize the last-created (and successfully backed up) recovery key. -4. Prioritize keys with successful backup over keys that have never been backed up. -5. Prioritize backup hints in the following order for remote backup locations: **Microsoft Account > Azure AD > Active Directory**. -6. If a key has been printed and saved to file, display a combined hint, “Look for a printout or a text file with the key,” instead of two separate hints. -7. If multiple backups of the same type (remove vs. local) have been performed for the same recovery key, prioritize backup info with latest backed-up date. -8. There is no specific hint for keys saved to an on-premises Active Directory. In this case, a custom message (if configured) or a generic message, “Contact your organization’s help desk,” is displayed. -9. If two recovery keys are present on the disk, but only one has been successfully backed up, the system asks for a key that has been backed up, even if another key is newer. +2. Always display generic hint: `For more information, go to https://aka.ms/recoverykeyfaq.` + +3. If multiple recovery keys exist on the volume, prioritize the last-created (and successfully backed up) recovery key. + +4. Prioritize keys with successful backup over keys that have never been backed up. + +5. Prioritize backup hints in the following order for remote backup locations: **Microsoft Account > Azure AD > Active Directory**. + +6. If a key has been printed and saved to file, display a combined hint, "Look for a printout or a text file with the key," instead of two separate hints. + +7. If multiple backups of the same type (remove vs. local) have been performed for the same recovery key, prioritize backup info with latest backed-up date. + +8. There's no specific hint for keys saved to an on-premises Active Directory. In this case, a custom message (if configured) or a generic message, "Contact your organization's help desk," is displayed. + +9. If two recovery keys are present on the disk, but only one has been successfully backed up, the system asks for a key that has been backed up, even if another key is newer. #### Example 1 (single recovery key with single backup) @@ -336,12 +389,10 @@ There are rules governing which hint is shown during the recovery (in the order | Printed | No | | Saved to file | No | - **Result:** The hints for the Microsoft account and custom URL are displayed. ![Example 1 of Customized BitLocker recovery screen.](./images/rp-example1.png) - #### Example 2 (single recovery key with single backup) | Custom URL | Yes | @@ -356,7 +407,6 @@ There are rules governing which hint is shown during the recovery (in the order ![Example 2 of customized BitLocker recovery screen.](./images/rp-example2.png) - #### Example 3 (single recovery key with multiple backups) | Custom URL | No | @@ -371,7 +421,6 @@ There are rules governing which hint is shown during the recovery (in the order ![Example 3 of customized BitLocker recovery screen.](./images/rp-example3.png) - #### Example 4 (multiple recovery passwords) | Custom URL | No | @@ -384,8 +433,8 @@ There are rules governing which hint is shown during the recovery (in the order | Creation time | **1PM** | | Key ID | A564F193 | -  -  +
                              +
                              | Custom URL | No | |----------------------|-----------------| @@ -401,7 +450,6 @@ There are rules governing which hint is shown during the recovery (in the order ![Example 4 of customized BitLocker recovery screen.](./images/rp-example4.png) - #### Example 5 (multiple recovery passwords) | Custom URL | No | @@ -414,9 +462,6 @@ There are rules governing which hint is shown during the recovery (in the order | Creation time | **1PM** | | Key ID | 99631A34 | -  -  - | Custom URL | No | |----------------------|-----------------| | Saved to Microsoft Account | No | @@ -431,70 +476,81 @@ There are rules governing which hint is shown during the recovery (in the order ![Example 5 of customized BitLocker recovery screen.](./images/rp-example5.png) - -## Using additional recovery information +## Using additional recovery information Besides the 48-digit BitLocker recovery password, other types of recovery information are stored in Active Directory. This section describes how this additional information can be used. - ### BitLocker key package -If the recovery methods discussed earlier in this document do not unlock the volume, you can use the BitLocker Repair tool to decrypt the volume at the block level. The tool uses the BitLocker key package to help recover encrypted data from severely damaged drives. You can then use this recovered data to salvage encrypted data, even after the correct recovery password has failed to unlock the damaged volume. We recommend that you still save the recovery password. A key package cannot be used without the corresponding recovery password. +If the recovery methods discussed earlier in this document don't unlock the volume, the BitLocker Repair tool can be used to decrypt the volume at the block level. The tool uses the BitLocker key package to help recover encrypted data from severely damaged drives. The recovered data can then be used to salvage encrypted data, even after the correct recovery password has failed to unlock the damaged volume. It's recommended to still save the recovery password. A key package can't be used without the corresponding recovery password. > [!NOTE] -> You must use the BitLocker Repair tool **repair-bde** to use the BitLocker key package. +> The BitLocker Repair tool `repair-bde.exe` must be used to use the BitLocker key package. -The BitLocker key package is not saved by default. To save the package along with the recovery password in AD DS you must select the **Backup recovery password and key package** option in the group policy settings that control the recovery method. You can also export the key package from a working volume. For more details on how to export key packages, see [Retrieving the BitLocker Key Package](#bkmk-appendixc). +The BitLocker key package isn't saved by default. To save the package along with the recovery password in AD DS, the **Backup recovery password and key package** option must be selected in the group policy settings that control the recovery method. The key package can also be exported from a working volume. For more information on how to export key packages, see [Retrieving the BitLocker Key Package](#retrieving-the-bitlocker-key-package). -## Resetting recovery passwords +## Resetting recovery passwords -You must invalidate a recovery password after it has been provided and used, and when you intentionally want to invalidate an existing recovery password for any reason. +It's recommended to invalidate a recovery password after it has been provided and used. The recovery password can be invalidated when it has been provided and used or for any other valid reason. -You can reset the recovery password in two ways: +The recovery password and be invalidated and reset in two ways: -- **Use manage-bde**: You can use manage-bde to remove the old recovery password and add a new recovery password. The procedure identifies the command and the syntax for this method. -- **Run a script**: You can run a script to reset the password without decrypting the volume. The sample script in the procedure illustrates this functionality. The sample script creates a new recovery password and invalidates all other passwords. +- **Use `manage-bde.exe`**: `manage-bde.exe` can be used to remove the old recovery password and add a new recovery password. The procedure identifies the command and the syntax for this method. -**To reset a recovery password using manage-bde:** +- **Run a script**: A script can be run to reset the password without decrypting the volume. The sample script in the procedure illustrates this functionality. The sample script creates a new recovery password and invalidates all other passwords. -1. Remove the previous recovery password. +### Resetting a recovery password using `manage-bde.exe` - ```powershell - Manage-bde –protectors –delete C: –type RecoveryPassword +1. Remove the previous recovery password. + + ```cmd + `manage-bde.exe` -protectors -delete C: -type RecoveryPassword ``` -2. Add the new recovery password. - ```powershell - Manage-bde –protectors –add C: -RecoveryPassword +2. Add the new recovery password. + + ```cmd + `manage-bde.exe` -protectors -add C: -RecoveryPassword ``` -3. Get the ID of the new recovery password. From the screen, copy the ID of the recovery password. - ```powershell - Manage-bde –protectors –get C: -Type RecoveryPassword +3. Get the ID of the new recovery password. From the screen, copy the ID of the recovery password. + + ```cmd + `manage-bde.exe` -protectors -get C: -Type RecoveryPassword ``` -4. Back up the new recovery password to AD DS. - ```powershell - Manage-bde –protectors –adbackup C: -id {EXAMPLE6-5507-4924-AA9E-AFB2EB003692} +4. Back up the new recovery password to AD DS. + + ```cmd + `manage-bde.exe` -protectors -adbackup C: -id {EXAMPLE6-5507-4924-AA9E-AFB2EB003692} ``` > [!WARNING] - > You must include the braces in the ID string. + > The braces `{}` must be included in the ID string. -**To run the sample recovery password script:** +### Running the sample recovery password script to reset the recovery passwords -1. Save the following sample script in a VBScript file. For example: ResetPassword.vbs. -2. At the command prompt, type a command similar to the following: +1. Save the following sample script in a VBScript file. For example: - **cscript ResetPassword.vbs** + `ResetPassword.vbs`. + +2. At the command prompt, enter the following command:: + + ```cmd + cscript.exe ResetPassword.vbs + ``` > [!IMPORTANT] - > This sample script is configured to work only for the C volume. You must customize the script to match the volume where you want to test password reset. + > This sample script is configured to work only for the C volume. If necessary, customize the script to match the volume where the password reset needs to be tested. > [!NOTE] -> To manage a remote computer, you must specify the remote computer name rather than the local computer name. +> To manage a remote computer, specify the remote computer name rather than the local computer name. -You can use the following sample VBScript to reset the recovery passwords: +The following sample VBScript can be used to reset the recovery passwords: + +
                              +

                              + Expand to view sample recovery password VBscript to reset the recovery passwords ```vb ' Target drive letter @@ -564,27 +620,36 @@ Next WScript.Echo "A new recovery password has been added. Old passwords have been removed." ' - some advanced output (hidden) 'WScript.Echo "" -'WScript.Echo "Type ""manage-bde -protectors -get " & strDriveLetter & " -type recoverypassword"" to view existing passwords." +'WScript.Echo "Type ""manage-bde.exe -protectors -get " & strDriveLetter & " -type recoverypassword"" to view existing passwords." ``` +
                              -## Retrieving the BitLocker key package +## Retrieving the BitLocker key package -You can use two methods to retrieve the key package, as described in [Using Additional Recovery Information](#bkmk-usingaddrecovery): +Two methods can be used to retrieve the key package as described in [Using Additional Recovery Information](#using-additional-recovery-information): -- **Export a previously saved key package from AD DS.** You must have Read access to BitLocker recovery passwords that are stored in AD DS. -- **Export a new key package from an unlocked, BitLocker-protected volume.** You must have local administrator access to the working volume, before any damage has occurred. +- **Export a previously saved key package from AD DS.** Read access is required to BitLocker recovery passwords that are stored in AD DS. -The following sample script exports all previously saved key packages from AD DS. +- **Export a new key package from an unlocked, BitLocker-protected volume.** Local administrator access to the working volume is required before any damage occurred to the volume. -**To run the sample key package retrieval script:** +### Running the sample key package retrieval script that exports all previously saved key packages from AD DS -1. Save the following sample script in a VBScript file. For example: GetBitLockerKeyPackageADDS.vbs. -2. At the command prompt, type a command similar to the following sample script: +The following steps and sample script exports all previously saved key packages from AD DS. - **cscript GetBitLockerKeyPackageADDS.vbs -?** +1. Save the following sample script in a VBScript file. For example: `GetBitLockerKeyPackageADDS.vbs`. -You can use the following sample script to create a VBScript file to retrieve the BitLocker key package from AD DS: +2. At the command prompt, enter a command similar to the following sample script: + + ```cmd + cscript.exe GetBitLockerKeyPackageADDS.vbs -? + ``` + +The following sample script can be used to create a VBScript file to retrieve the BitLocker key package from AD DS: + +
                              +
                              + Expand to view sample key package retrieval VBscript that exports all previously saved key packages from AD DS ```vb ' -------------------------------------------------------------------------------- @@ -724,14 +789,23 @@ End Function WScript.Quit ``` -The following sample script exports a new key package from an unlocked, encrypted volume. +
                              -**To run the sample key package retrieval script:** +### Running the sample key package retrieval script that exports a new key package from an unlocked, encrypted volume -1. Save the following sample script in a VBScript file. For example: GetBitLockerKeyPackage.vbs -2. Open an administrator command prompt, and then type a command similar to the following sample script: +The following steps and sample script exports a new key package from an unlocked, encrypted volume. - **cscript GetBitLockerKeyPackage.vbs -?** +1. Save the following sample script in a VBScript file. For example: `GetBitLockerKeyPackage.vbs` + +2. Open an administrator command prompt, and then enter a command similar to the following sample script: + + ```cmd + cscript.exe GetBitLockerKeyPackage.vbs -? + ``` + +
                              +
                              + Expand to view sample VBscript that exports a new key package from an unlocked, encrypted volume ```vb ' -------------------------------------------------------------------------------- @@ -826,7 +900,7 @@ End If ' Fail case: no recovery key protectors exist. If strDefaultKeyProtectorID = "" Then WScript.Echo "FAILURE: Cannot create backup key package because no recovery passwords or recovery keys exist. Check that BitLocker protection is on for this drive." -WScript.Echo "For help adding recovery passwords or recovery keys, type ""manage-bde -protectors -add -?""." +WScript.Echo "For help adding recovery passwords or recovery keys, enter ""manage-bde.exe -protectors -add -?""." WScript.Quit -1 End If End If @@ -886,7 +960,7 @@ End If WScript.Echo "Save this recovery password: " & sNumericalPassword ElseIf nDefaultKeyProtectorType = nExternalKeyProtectorType Then WScript.Echo "The saved key file is named " & strDefaultKeyProtectorID & ".BEK" -WScript.Echo "For help re-saving this external key file, type ""manage-bde -protectors -get -?""" +WScript.Echo "For help re-saving this external key file, enter ""manage-bde.exe -protectors -get -?""" End If '---------------------------------------------------------------------------------------- ' Utility functions to save binary data @@ -911,7 +985,8 @@ Function BinaryToString(Binary) End Function ``` +
                              -## See also +## Related articles - [BitLocker overview](bitlocker-overview.md) diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md index 62c8fe56d0..11ce21de12 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md @@ -3,32 +3,40 @@ title: Breaking out of a BitLocker recovery loop description: This article for IT professionals describes how to break out of a BitLocker recovery loop. ms.prod: windows-client ms.localizationpriority: medium -author: aczechowski -ms.author: aaroncz +author: frankroj +ms.author: frankroj manager: aaroncz ms.collection: - - M365-security-compliance - highpri ms.topic: conceptual -ms.date: 10/28/2019 +ms.date: 11/08/2022 ms.custom: bitlocker +ms.technology: itpro-security --- # Breaking out of a BitLocker recovery loop -Sometimes, following a crash, you might be unable to successfully boot into your operating system, due to the recovery screen repeatedly prompting you to enter your recovery key. This experience can be frustrating. +Sometimes, following a crash, the operating system might not be able to successful boot due to the recovery screen repeatedly prompting to enter a recovery key. This experience can be frustrating. -If you've entered the correct BitLocker recovery key multiple times, and are still unable to continue past the initial recovery screen, follow these steps to break out of the loop. +If the correct BitLocker recovery key has been entered multiple times but are unable to continue past the initial recovery screen, follow these steps to break out of the loop: > [!NOTE] -> Try these steps only after you have restarted your device at least once. +> Try these steps only after the device has been restarted at least once. -1. On the initial recovery screen, don't enter your recovery key, instead, select **Skip this drive**. +1. On the initial recovery screen, don't enter The recovery key. Instead, select **Skip this drive**. 2. Navigate to **Troubleshoot** > **Advanced options**, and select **Command prompt**. -3. From the WinRE command prompt, manually unlock your drive: `manage-bde.exe -unlock C: -rp ` +3. From the WinRE command prompt, manually unlock the drive with the following command: -4. Suspend operating system drive protection: `manage-bde.exe -protectors -disable C:` +```cmd +manage-bde.exe -unlock C: -rp +``` -5. Once the last command is run, you can exit the command prompt and continue to boot into your operating system. +4. Suspend the protection on the operating system with the following command: + +```cmd +manage-bde.exe -protectors -disable C: +``` + +5. Once the command is run, exit the command prompt and continue to boot into the operating system. diff --git a/windows/security/information-protection/bitlocker/bitlocker-security-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-security-faq.yml index 465a4c3d6d..8b53e2e639 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-security-faq.yml +++ b/windows/security/information-protection/bitlocker/bitlocker-security-faq.yml @@ -1,26 +1,21 @@ ### YamlMime:FAQ metadata: - title: BitLocker Security FAQ (Windows 10) + title: BitLocker Security FAQ description: Learn more about how BitLocker security works. Browse frequently asked questions, such as, "What form of encryption does BitLocker use?" - ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee - ms.reviewer: - ms.prod: m365-security - ms.mktglfcycl: explore - ms.sitesec: library - ms.pagetype: security - ms.localizationpriority: medium - author: dansimp - ms.author: dansimp + ms.prod: windows-client + ms.technology: itpro-security + author: frankroj + ms.author: frankroj manager: aaroncz audience: ITPro - ms.collection: M365-security-compliance ms.topic: faq - ms.date: 03/14/2022 + ms.date: 11/08/2022 ms.custom: bitlocker title: BitLocker Security FAQ summary: | - **Applies to** - - Windows 10 + **Applies to:** + - Windows 10 and later + - Windows Server 2016 and later @@ -35,17 +30,17 @@ sections: - question: | What is the best practice for using BitLocker on an operating system drive? answer: | - The recommended practice for BitLocker configuration on an operating system drive is to implement BitLocker on a computer with a TPM version 1.2 or higher, and a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware implementation, along with a PIN. By requiring a PIN that was set by the user in addition to the TPM validation, a malicious user that has physical access to the computer cannot simply start the computer. + The recommended practice for BitLocker configuration on an operating system drive is to implement BitLocker on a computer with a TPM version 1.2 or higher, and a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware implementation, along with a PIN. By requiring a PIN that was set by the user in addition to the TPM validation, a malicious user that has physical access to the computer can't start the computer. - question: | What are the implications of using the sleep or hibernate power management options? answer: | - BitLocker on operating system drives in its basic configuration (with a TPM but without other startup authentication) provides extra security for the hibernate mode. However, BitLocker provides greater security when it is configured to use another startup authentication factor (TPM+PIN, TPM+USB, or TPM+PIN+USB) with the hibernate mode. This method is more secure because returning from hibernation requires authentication. In sleep mode, the computer is vulnerable to direct memory access attacks, since it remains unprotected data in RAM. Therefore, for improved security, we recommend disabling sleep mode and that you use TPM+PIN for the authentication method. Startup authentication can be configured by using [Group Policy](./bitlocker-group-policy-settings.md) or Mobile Device Management with the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp). + BitLocker on operating system drives in its basic configuration (with a TPM but without other startup authentication) provides extra security for the hibernate mode. However, BitLocker provides greater security when it's configured to use another startup authentication factor (TPM+PIN, TPM+USB, or TPM+PIN+USB) with the hibernate mode. This method is more secure because returning from hibernation requires authentication. In sleep mode, the computer is vulnerable to direct memory access attacks, since unprotected data remains in RAM. Therefore, for improved security, it's recommended to disable sleep mode and to use TPM+PIN for the authentication method. Startup authentication can be configured by using [Group Policy](./bitlocker-group-policy-settings.md) or Mobile Device Management with the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp). - question: | What are the advantages of a TPM? answer: | - Most operating systems use a shared memory space and rely on the operating system to manage physical memory. A TPM is a hardware component that uses its own internal firmware and logic circuits for processing instructions, thus shielding it from external software vulnerabilities. Attacking the TPM requires physical access to the computer. Additionally, the tools and skills necessary to attack hardware are often more expensive, and usually are not as available as the ones used to attack software. And because each TPM is unique to the computer that contains it, attacking multiple TPM computers would be difficult and time-consuming. + Most operating systems use a shared memory space and rely on the operating system to manage physical memory. A TPM is a hardware component that uses its own internal firmware and logic circuits for processing instructions, thus shielding it from external software vulnerabilities. Attacking the TPM requires physical access to the computer. Additionally, the tools and skills necessary to attack hardware are often more expensive, and usually aren't as available as the ones used to attack software. And because each TPM is unique to the computer that contains it, attacking multiple TPM computers would be difficult and time-consuming. > [!NOTE] > Configuring BitLocker with an additional factor of authentication provides even more protection against TPM hardware attacks. diff --git a/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.yml index e318b5ed29..c780b6ee5a 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.yml +++ b/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.yml @@ -1,26 +1,20 @@ ### YamlMime:FAQ metadata: - title: BitLocker To Go FAQ (Windows 10) + title: BitLocker To Go FAQ description: "Learn more about BitLocker To Go" - ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee - ms.reviewer: - ms.author: dansimp - ms.prod: m365-security - ms.mktglfcycl: deploy - ms.sitesec: library - ms.pagetype: security - ms.localizationpriority: medium - author: dansimp + ms.prod: windows-client + ms.technology: itpro-security + ms.author: frankroj + author: frankroj manager: aaroncz audience: ITPro - ms.collection: M365-security-compliance ms.topic: faq - ms.date: 07/10/2018 + ms.date: 11/08/2022 ms.custom: bitlocker title: BitLocker To Go FAQ summary: | - **Applies to** - - Windows 10 + **Applies to:** + - Windows 10 sections: @@ -37,4 +31,4 @@ sections: Drive partitioning must meet the [BitLocker Drive Encryption Partitioning Requirements](/windows-hardware/manufacture/desktop/bitlocker-drive-encryption#bitlocker-drive-encryption-partitioning-requirements). - As with BitLocker, you can open drives that are encrypted by BitLocker To Go by using a password or smart card on another computer. In Control Panel, use **BitLocker Drive Encryption**. + As with BitLocker, drives that are encrypted by BitLocker To Go can be opened by using a password or smart card on another computer. In Control Panel, use **BitLocker Drive Encryption**. diff --git a/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.yml index 40fdb23d9d..13441d1f58 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.yml +++ b/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.yml @@ -1,32 +1,28 @@ ### YamlMime:FAQ metadata: - title: BitLocker Upgrading FAQ (Windows 10) + title: BitLocker Upgrading FAQ description: Learn more about upgrading systems that have BitLocker enabled. Find frequently asked questions, such as, "Can I upgrade to Windows 10 with BitLocker enabled?" - ms.prod: m365-security - ms.mktglfcycl: explore - ms.sitesec: library - ms.pagetype: security - ms.localizationpriority: medium - author: dansimp - ms.author: dansimp + ms.prod: windows-client + ms.technology: itpro-security + author: frankroj + ms.author: frankroj manager: aaroncz - audience: ITPro - ms.collection: M365-security-compliance ms.topic: faq - ms.date: 02/28/2019 + ms.date: 11/08/2022 ms.reviewer: ms.custom: bitlocker title: BitLocker Upgrading FAQ summary: | - **Applies to** - - Windows 10 + **Applies to:** + - Windows 10 and later + - Windows Server 2016 and later sections: - name: Ignored questions: - question: | - Can I upgrade to Windows 10 with BitLocker enabled? + Can I upgrade to Windows 10 with BitLocker enabled? answer: | Yes. @@ -43,12 +39,12 @@ sections: No user action is required for BitLocker in order to apply updates from Microsoft, including [Windows quality updates and feature updates](/windows/deployment/update/waas-quick-start). Users need to suspend BitLocker for Non-Microsoft software updates, such as: - - Some TPM firmware updates if these updates clear the TPM outside of the Windows API. Not every TPM firmware update will clear the TPM and this happens if a known vulnerability has been discovered in the TPM firmware. Users don’t have to suspend BitLocker if the TPM firmware update uses Windows API to clear the TPM because in this case, BitLocker will be automatically suspended. We recommend users testing their TPM firmware updates if they don’t want to suspend BitLocker protection. + - Some TPM firmware updates if these updates clear the TPM outside of the Windows API. Not every TPM firmware update will clear the TPM. Users don't have to suspend BitLocker if the TPM firmware update uses Windows API to clear the TPM because in this case, BitLocker will be automatically suspended. It's recommended that users test their TPM firmware updates if they don't want to suspend BitLocker protection. - Non-Microsoft application updates that modify the UEFI\BIOS configuration. - Manual or third-party updates to secure boot databases (only if BitLocker uses Secure Boot for integrity validation). - - Updates to UEFI\BIOS firmware, installation of additional UEFI drivers, or UEFI applications without using the Windows update mechanism (only if you update and BitLocker does not use Secure Boot for integrity validation). - - You can check if BitLocker uses Secure Boot for integrity validation with manage-bde -protectors -get C: (and see if "Uses Secure Boot for integrity validation" is reported). + - Updates to UEFI\BIOS firmware, installation of additional UEFI drivers, or UEFI applications without using the Windows update mechanism (only if BitLocker doesn't use Secure Boot for integrity validation during updates). + - BitLocker can be checked if it uses Secure Boot for integrity validation with the command line `manage-bde.exe -protectors -get C:`. If Secure Boot for integrity validation is being used, it will be report **Uses Secure Boot for integrity validation**. > [!NOTE] - > If you have suspended BitLocker, you can resume BitLocker protection after you have installed the upgrade or update. Upon resuming protection, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade or update. If these types of upgrades or updates are applied without suspending BitLocker, your computer will enter recovery mode when restarting and will require a recovery key or password to access the computer. + > If BitLocker has been suspended, BitLocker protection can be resumed after the upgrade or update has been installed. Upon resuming protection, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade or update. If these types of upgrades or updates are applied without suspending BitLocker, the computer will enter recovery mode when restarting and will require a recovery key or password to access the computer. diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md index c276611731..ea25cc99da 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md +++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md @@ -4,20 +4,20 @@ description: This article for the IT professional describes how to use tools to ms.reviewer: ms.prod: windows-client ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: frankroj +ms.author: frankroj manager: aaroncz ms.collection: - - M365-security-compliance - highpri ms.topic: conceptual -ms.date: 02/28/2019 +ms.date: 11/08/2022 ms.custom: bitlocker +ms.technology: itpro-security --- # BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker -**Applies to** +**Applies to:** - Windows 10 - Windows 11 @@ -29,98 +29,110 @@ BitLocker Drive Encryption Tools include the command-line tools manage-bde and r Both manage-bde and the BitLocker cmdlets can be used to perform any task that can be accomplished through the BitLocker control panel and are appropriate to use for automated deployments and other scripting scenarios. -Repair-bde is a special circumstance tool that is provided for disaster recovery scenarios in which a BitLocker protected drive cannot be unlocked normally or using the recovery console. +Repair-bde is a special circumstance tool that is provided for disaster recovery scenarios in which a BitLocker protected drive can't be unlocked normally or using the recovery console. -1. [Manage-bde](#bkmk-managebde) -2. [Repair-bde](#bkmk-repairbde) -3. [BitLocker cmdlets for Windows PowerShell](#bkmk-blcmdlets) +1. [Manage-bde](#manage-bde) +2. [Repair-bde](#repair-bde) +3. [BitLocker cmdlets for Windows PowerShell](#bitlocker-cmdlets-for-windows-powershell) -## Manage-bde +## Manage-bde -Manage-bde is a command-line tool that can be used for scripting BitLocker operations. Manage-bde offers additional options not displayed in the BitLocker control panel. For a complete list of the manage-bde options, see the [Manage-bde](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/ff829849(v=ws.11)) command-line reference. +Manage-bde is a command-line tool that can be used for scripting BitLocker operations. Manage-bde offers additional options not displayed in the BitLocker control panel. For a complete list of the `manage-bde.exe` options, see the [Manage-bde](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/ff829849(v=ws.11)) command-line reference. -Manage-bde includes fewer default settings and requires greater customization for configuring BitLocker. For example, using just the `manage-bde -on` command on a data volume will fully encrypt the volume without any authenticating protectors. A volume encrypted in this manner still requires user interaction to turn on BitLocker protection, even though the command successfully completed because an authentication method needs to be added to the volume for it to be fully protected. The following sections provide examples of common usage scenarios for manage-bde. +Manage-bde includes fewer default settings and requires greater customization for configuring BitLocker. For example, using just the `manage-bde.exe -on` command on a data volume will fully encrypt the volume without any authenticating protectors. A volume encrypted in this manner still requires user interaction to turn on BitLocker protection, even though the command successfully completed because an authentication method needs to be added to the volume for it to be fully protected. The following sections provide examples of common usage scenarios for manage-bde. ### Using manage-bde with operating system volumes -Listed below are examples of basic valid commands for operating system volumes. In general, using only the `manage-bde -on ` command will encrypt the operating system volume with a TPM-only protector and no recovery key. However, many environments require more secure protectors such as passwords or PIN and expect to be able to recover information with a recovery key. We recommend that you add at least one primary protector and a recovery protector to an operating system volume. +Listed below are examples of basic valid commands for operating system volumes. In general, using only the `manage-bde.exe -on ` command will encrypt the operating system volume with a TPM-only protector and no recovery key. However, many environments require more secure protectors such as passwords or PIN and expect information recovery with a recovery key. It's recommended to add at least one primary protector plus a recovery protector to an operating system volume. -A good practice when using manage-bde is to determine the volume status on the target system. Use the following command to determine volume status: +A good practice when using `manage-bde.exe` is to determine the volume status on the target system. Use the following command to determine volume status: -```powershell -manage-bde -status +```cmd +manage-bde.exe -status ``` This command returns the volumes on the target, current encryption status, encryption method, and volume type (operating system or data) for each volume: ![Using manage-bde to check encryption status.](images/manage-bde-status.png) -The following example illustrates enabling BitLocker on a computer without a TPM chip. Before beginning the encryption process, you must create the startup key needed for BitLocker and save it to the USB drive. When BitLocker is enabled for the operating system volume, the BitLocker will need to access the USB flash drive to obtain the encryption key (in this example, the drive letter E represents the USB drive). You will be prompted to reboot to complete the encryption process. +The following example illustrates enabling BitLocker on a computer without a TPM chip. Before beginning the encryption process, the startup key needed for BitLocker must be created and saved to a USB drive. When BitLocker is enabled for the operating system volume, BitLocker will need to access the USB flash drive to obtain the encryption key. In this example, the drive letter E represents the USB drive. Once the commands are run, it will prompt to reboot the computer to complete the encryption process. -```powershell -manage-bde –protectors -add C: -startupkey E: -manage-bde -on C: +```cmd +manage-bde.exe -protectors -add C: -startupkey E: +manage-bde.exe -on C: ``` > [!NOTE] > After the encryption is completed, the USB startup key must be inserted before the operating system can be started. - -An alternative to the startup key protector on non-TPM hardware is to use a password and an **ADaccountorgroup** protector to protect the operating system volume. In this scenario, you would add the protectors first. To add them, use this command: -```powershell -manage-bde -protectors -add C: -pw -sid +An alternative to the startup key protector on non-TPM hardware is to use a password and an **ADaccountorgroup** protector to protect the operating system volume. In this scenario, the protectors are added first. To add the protectors, enter the following command: + +```cmd +manage-bde.exe -protectors -add C: -pw -sid ``` -This command will require you to enter and then confirm the password protector before adding them to the volume. With the protectors enabled on the volume, you can then turn on BitLocker. +The above command will require the password protector to be entered and confirmed before adding them to the volume. With the protectors enabled on the volume, BitLocker can then be turned on. -On computers with a TPM, it is possible to encrypt the operating system volume without any defined protectors using manage-bde. Use this command: +On computers with a TPM, it's possible to encrypt the operating system volume without defining any protectors using `manage-bde.exe`. To enable BitLocker on a computer with a TPM without defining any protectors, enter the following command: -```powershell -manage-bde -on C: +```cmd +manage-bde.exe -on C: ``` -This command encrypts the drive using the TPM as the default protector. If you are not sure if a TPM protector is available, to list the protectors available for a volume, run the following command: +The above command encrypts the drive using the TPM as the default protector. If verify if a TPM protector is available, the list of protectors available for a volume can be listed by running the following command: -```powershell - manage-bde -protectors -get +```cmd + manage-bde.exe -protectors -get ``` + ### Using manage-bde with data volumes -Data volumes use the same syntax for encryption as operating system volumes but they do not require protectors for the operation to complete. Encrypting data volumes can be done using the base command: `manage-bde -on ` or you can choose to add additional protectors to the volume first. We recommend that you add at least one primary protector and a recovery protector to a data volume. +Data volumes use the same syntax for encryption as operating system volumes but they don't require protectors for the operation to complete. Encrypting data volumes can be done using the base command: -A common protector for a data volume is the password protector. In the example below, we add a password protector to the volume and turn on BitLocker. +`manage-bde.exe -on ` -```powershell -manage-bde -protectors -add -pw C: -manage-bde -on C: +or additional protectors can be added to the volume first. It's recommended to add at least one primary protector plus a recovery protector to a data volume. + +A common protector for a data volume is the password protector. In the example below, a password protector is added to the volume and then BitLocker is turned on. + +```cmd +manage-bde.exe -protectors -add -pw C: +manage-bde.exe -on C: ``` -## Repair-bde +## Repair-bde -You may experience a problem that damages an area of a hard disk on which BitLocker stores critical information. This kind of problem may be caused by a hard disk failure or if Windows exits unexpectedly. +Hard disk areas on which BitLocker stores critical information could be damaged, for example, when a hard disk fails or if Windows exits unexpectedly. -The BitLocker Repair Tool (Repair-bde) can be used to access encrypted data on a severely damaged hard disk if the drive was encrypted by using BitLocker. Repair-bde can reconstruct critical parts of the drive and salvage recoverable data as long as a valid recovery password or recovery key is used to decrypt the data. If the BitLocker metadata data on the drive has become corrupt, you must be able to supply a backup key package in addition to the recovery password or recovery key. This key package is backed up in Active Directory Domain Services (AD DS) if you used the default setting for AD DS backup. With this key package and either the recovery password or recovery key, you can decrypt portions of a BitLocker-protected drive if the disk is corrupted. Each key package will work only for a drive that has the corresponding drive identifier. You can use the BitLocker Recovery Password Viewer to obtain this key package from AD DS. +The BitLocker Repair Tool (Repair-bde) can be used to access encrypted data on a severely damaged hard disk if the drive was encrypted with BitLocker. Repair-bde can reconstruct critical parts of the drive and salvage recoverable data as long as a valid recovery password or recovery key is used to decrypt the data. If the BitLocker metadata data on the drive has become corrupt, the backup key package in addition to the recovery password or recovery key must be supplied. This key package is backed up in Active Directory Domain Services (AD DS) if the default settings for AD DS backup are used. With this key package and either the recovery password or recovery key, portions of a corrupted BitLocker-protected drive can be decrypted. Each key package will work only for a drive that has the corresponding drive identifier. The BitLocker Recovery Password Viewer can be used to obtain this key package from AD DS. > [!TIP] -> If you are not backing up recovery information to AD DS or if you want to save key packages alternatively, you can use the command `manage-bde -KeyPackage` to generate a key package for a volume. - -The Repair-bde command-line tool is intended for use when the operating system does not start or when you cannot start the BitLocker Recovery Console. Use Repair-bde if the following conditions are true: +> If recovery information is not being backed up to AD DS or if key packages need to be saved in an alternative way, the command: +> +> `manage-bde.exe -KeyPackage` +> +> can be used to generate a key package for a volume. -- You have encrypted the drive by using BitLocker Drive Encryption. -- Windows does not start, or you cannot start the BitLocker recovery console. -- You do not have a copy of the data that is contained on the encrypted drive. +The Repair-bde command-line tool is intended for use when the operating system doesn't start or when the BitLocker Recovery Console can't be started. Use Repair-bde if the following conditions are true: + +- The drive has been encrypted using BitLocker Drive Encryption. + +- Windows doesn't start, or the BitLocker recovery console can't be started. + +- There isn't a backup copy of the data that is contained on the encrypted drive. > [!NOTE] -> Damage to the drive may not be related to BitLocker. Therefore, we recommend that you try other tools to help diagnose and resolve the problem with the drive before you use the BitLocker Repair Tool. The Windows Recovery Environment (Windows RE) provides additional options to repair computers. - +> Damage to the drive may not be related to BitLocker. Therefore, it is recommended to try other tools to help diagnose and resolve the problem with the drive before using the BitLocker Repair Tool. The Windows Recovery Environment (Windows RE) provides additional options to repair computers. + The following limitations exist for Repair-bde: -- The Repair-bde command-line tool cannot repair a drive that failed during the encryption or decryption process. -- The Repair-bde command-line tool assumes that if the drive has any encryption, then the drive has been fully encrypted. +- The Repair-bde command-line tool can't repair a drive that failed during the encryption or decryption process. + +- The Repair-bde command-line tool assumes that if the drive has any encryption, then the drive has been fully encrypted. For more information about using repair-bde, see [Repair-bde](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/ff829851(v=ws.11)). -## BitLocker cmdlets for Windows PowerShell +## BitLocker cmdlets for Windows PowerShell Windows PowerShell cmdlets provide a new way for administrators to use when working with BitLocker. Using Windows PowerShell's scripting capabilities, administrators can integrate BitLocker options into existing scripts with ease. The list below displays the available BitLocker cmdlets. @@ -138,18 +150,19 @@ Windows PowerShell cmdlets provide a new way for administrators to use when work |**Resume-BitLocker**|
                            • Confirm
                            • MountPoint
                            • WhatIf| |**Suspend-BitLocker**|
                            • Confirm
                            • MountPoint
                            • RebootCount
                            • WhatIf| |**Unlock-BitLocker**|
                            • AdAccountOrGroup
                            • Confirm
                            • MountPoint
                            • Password
                            • RecoveryKeyPath
                            • RecoveryPassword
                            • RecoveryPassword
                            • WhatIf| - -Similar to manage-bde, the Windows PowerShell cmdlets allow configuration beyond the options offered in the control panel. As with manage-bde, users need to consider the specific needs of the volume they are encrypting prior to running Windows PowerShell cmdlets. -A good initial step is to determine the current state of the volume(s) on the computer. You can do this using the Get-BitLockerVolume cmdlet. +Similar to manage-bde, the Windows PowerShell cmdlets allow configuration beyond the options offered in the control panel. As with manage-bde, users need to consider the specific needs of the volume they're encrypting prior to running Windows PowerShell cmdlets. -The Get-BitLockerVolume cmdlet output gives information on the volume type, protectors, protection status, and other details. +A good initial step is to determine the current state of the volume(s) on the computer. Determining the current state of the volume(s) can be done using the `Get-BitLockerVolume` cmdlet. + +The `Get-BitLockerVolume` cmdlet output gives information on the volume type, protectors, protection status, and other details. > [!TIP] -> Occasionally, all protectors may not be shown when using `Get-BitLockerVolume` due to lack of space in the output display. If you do not see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a full listing of the protectors. -`Get-BitLockerVolume C: | fl` - -If you want to remove the existing protectors prior to provisioning BitLocker on the volume, you could use the `Remove-BitLockerKeyProtector` cmdlet. Accomplishing this requires the GUID associated with the protector to be removed. +> Occasionally, all protectors may not be shown when using `Get-BitLockerVolume` due to lack of space in the output display. If all of the protectors for a volume are not seen, use the Windows PowerShell pipe command (|) to format a full listing of the protectors: +> +> `Get-BitLockerVolume C: | fl` + +To remove the existing protectors prior to provisioning BitLocker on the volume, use the `Remove-BitLockerKeyProtector` cmdlet. Running this cmdlet requires the GUID associated with the protector to be removed. A simple script can pipe the values of each Get-BitLockerVolume return out to another variable as seen below: @@ -158,9 +171,9 @@ $vol = Get-BitLockerVolume $keyprotectors = $vol.KeyProtector ``` -By using this script, you can display the information in the $keyprotectors variable to determine the GUID for each protector. +By using this script, the information in the $keyprotectors variable can be displayed to determine the GUID for each protector. -By using this information, you can then remove the key protector for a specific volume using the command: +By using this information, the key protector for a specific volume can be removed using the command: ```powershell Remove-BitLockerKeyProtector : -KeyProtectorID "{GUID}" @@ -168,10 +181,10 @@ Remove-BitLockerKeyProtector : -KeyProtectorID "{GUID}" > [!NOTE] > The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID, with braces, is included in the command. - + ### Using the BitLocker Windows PowerShell cmdlets with operating system volumes -Using the BitLocker Windows PowerShell cmdlets is similar to working with the manage-bde tool for encrypting operating system volumes. Windows PowerShell offers users a lot of flexibility. For example, users can add the desired protector as part command for encrypting the volume. Below are examples of common user scenarios and steps to accomplish them in BitLocker Windows PowerShell. +Using the BitLocker Windows PowerShell cmdlets is similar to working with the manage-bde tool for encrypting operating system volumes. Windows PowerShell offers users flexibility. For example, users can add the desired protector as part command for encrypting the volume. Below are examples of common user scenarios and steps to accomplish them in BitLocker Windows PowerShell. The following example shows how to enable BitLocker on an operating system drive using only the TPM protector: @@ -198,11 +211,11 @@ Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw ### Using an AD Account or Group protector in Windows PowerShell -The **ADAccountOrGroup** protector, introduced in Windows 8 and Windows Server 2012, is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it does not unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding a SID-based protector for the Cluster Name Object (CNO) that lets the disk properly fail over to and be unlocked by any member computer of the cluster. +The **ADAccountOrGroup** protector, introduced in Windows 8 and Windows Server 2012, is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it doesn't unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding a SID-based protector for the Cluster Name Object (CNO) that lets the disk properly fail over to and become unlocked by any member computer of the cluster. > [!WARNING] > The **ADAccountOrGroup** protector requires the use of an additional protector for use (such as TPM, PIN, or recovery key) when used on operating system volumes - + To add an **ADAccountOrGroup** protector to a volume, use either the actual domain SID or the group name preceded by the domain and a backslash. In the example below, the CONTOSO\\Administrator account is added as a protector to the data volume G. ```powershell @@ -213,14 +226,14 @@ For users who wish to use the SID for the account or group, the first step is to > [!NOTE] > Use of this command requires the RSAT-AD-PowerShell feature. - + ```powershell get-aduser -filter {samaccountname -eq "administrator"} ``` > [!TIP] -> In addition to the PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This does not require the use of additional features. - +> In addition to the PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This doesn't require the use of additional features. + The following example adds an **ADAccountOrGroup** protector to the previously encrypted operating system volume using the SID of the account: ```powershell @@ -229,8 +242,8 @@ Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup S-1-5- > [!NOTE] > Active Directory-based protectors are normally used to unlock Failover Cluster enabled volumes. - -## More information + +## Related articles - [BitLocker overview](bitlocker-overview.md) - [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml) diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md index 56d645428f..315672e456 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md +++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md @@ -1,66 +1,72 @@ --- title: BitLocker Use BitLocker Recovery Password Viewer (Windows 10) -description: This topic for the IT professional describes how to use the BitLocker Recovery Password Viewer. +description: This article for the IT professional describes how to use the BitLocker Recovery Password Viewer. ms.reviewer: ms.prod: windows-client ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: frankroj +ms.author: frankroj manager: aaroncz ms.collection: - - M365-security-compliance - highpri ms.topic: conceptual -ms.date: 02/28/2019 +ms.date: 11/08/2022 ms.custom: bitlocker +ms.technology: itpro-security --- # BitLocker: Use BitLocker Recovery Password Viewer -**Applies to** +**Applies to:** - Windows 10 - Windows 11 - Windows Server 2016 and above -This topic describes how to use the BitLocker Recovery Password Viewer. +This article describes how to use the BitLocker Recovery Password Viewer. -The BitLocker Recovery Password Viewer tool is an optional tool included with the Remote Server Administration Tools (RSAT). It lets you locate and view BitLocker recovery passwords that are stored in Active Directory Domain Services (AD DS). You can use this tool to help recover data that is stored on a drive that has been encrypted by using BitLocker. The BitLocker Active Directory Recovery Password Viewer tool is an extension for the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in. Using this tool, you can examine a computer object's **Properties** dialog box to view the corresponding BitLocker recovery passwords. Additionally you can right-click a domain container and then search for a BitLocker recovery password across all the domains in the Active Directory forest. You can also search for a password by password identifier (ID). +The BitLocker Recovery Password Viewer tool is an optional tool included with the Remote Server Administration Tools (RSAT). It lets BitLocker recovery passwords that are stored in Active Directory Domain Services (AD DS) be located and viewed. This tool can be used to help recover data that is stored on a drive that has been encrypted by using BitLocker. The BitLocker Active Directory Recovery Password Viewer tool is an extension for the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in. Using this tool, a computer object's **Properties** dialog box can be examined to view the corresponding BitLocker recovery passwords. -## Before you start +Additionally a domain container can be searched for BitLocker recovery password across all the domains in the Active Directory forest via a right-click. Passwords can also be searched by password identifier (ID). -To complete the procedures in this scenario: +## Before starting -- You must have domain administrator credentials. -- Your test computers must be joined to the domain. -- On the domain-joined test computers, BitLocker must have been turned on. +To complete the procedures in this scenario, the following requirements must be met: + +- Domain administrator credentials. +- Test computers must be joined to the domain. +- On the domain-joined test computers, BitLocker must have been turned on. The following procedures describe the most common tasks performed by using the BitLocker Recovery Password Viewer. -**To view the recovery passwords for a computer** +### To view the recovery passwords for a computer -1. In **Active Directory Users and Computers**, locate and then click the container in which the computer is located. -2. Right-click the computer object, and then click **Properties**. -3. In the **Properties** dialog box, click the **BitLocker Recovery** tab to view the BitLocker recovery passwords that are associated with the computer. +1. In **Active Directory Users and Computers**, locate and then select the container in which the computer is located. -**To copy the recovery passwords for a computer** +2. Right-click the computer object, and then select **Properties**. -1. Follow the steps in the previous procedure to view the BitLocker recovery passwords. -2. On the **BitLocker Recovery** tab of the **Properties** dialog box, right-click the BitLocker recovery password that you want to copy, and then click **Copy Details**. -3. Press CTRL+V to paste the copied text to a destination location, such as a text file or spreadsheet. +3. In the **Properties** dialog box, select the **BitLocker Recovery** tab to view the BitLocker recovery passwords that are associated with the computer. -**To locate a recovery password by using a password ID** +### To copy the recovery passwords for a computer -1. In Active Directory Users and Computers, right-click the domain container, and then click **Find BitLocker Recovery Password**. -2. In the **Find BitLocker Recovery Password** dialog box, type the first eight characters of the recovery password in the **Password ID (first 8 characters)** box, and then click **Search**. -By completing the procedures in this scenario, you have viewed and copied the recovery passwords for a computer and used a password ID to locate a recovery password. +1. Follow the steps in the previous procedure to view the BitLocker recovery passwords. -## More information +2. On the **BitLocker Recovery** tab of the **Properties** dialog box, right-click the BitLocker recovery password that needs to be copied, and then select **Copy Details**. + +3. Press CTRL+V to paste the copied text to a destination location, such as a text file or spreadsheet. + +### To locate a recovery password by using a password ID + +1. In Active Directory Users and Computers, right-click the domain container, and then select **Find BitLocker Recovery Password**. + +2. In the **Find BitLocker Recovery Password** dialog box, type the first eight characters of the recovery password in the **Password ID (first 8 characters)** box, and then select **Search**. + +By completing the procedures in this scenario, the recovery passwords for a computer have been viewed and copied and a password ID was used to locate a recovery password. + +## Replated articles - [BitLocker Overview](bitlocker-overview.md) - [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml) - [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md) - [BitLocker: How to deploy on Windows Server 2012](bitlocker-how-to-deploy-on-windows-server.md) - [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md) -  -  diff --git a/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml index bb221372e1..4d0267a25a 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml +++ b/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml @@ -1,26 +1,19 @@ ### YamlMime:FAQ metadata: - title: Using BitLocker with other programs FAQ (Windows 10) - description: Learn how to integrate BitLocker with other software on your device. - ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee - ms.reviewer: - ms.prod: m365-security - ms.mktglfcycl: explore - ms.sitesec: library - ms.pagetype: security - ms.localizationpriority: medium - author: dansimp - ms.author: dansimp + title: Using BitLocker with other programs FAQ + description: Learn how to integrate BitLocker with other software on a device. + ms.prod: windows-client + ms.technology: itpro-security + author: frankroj + ms.author: frankroj manager: aaroncz - audience: ITPro - ms.collection: M365-security-compliance ms.topic: faq - ms.date: 02/28/2019 - ms.custom: bitlocker + ms.date: 11/08/2022 title: Using BitLocker with other programs FAQ summary: | - **Applies to** - - Windows 10 + **Applies to:** + - Windows 10 and later + - Windows Server 2016 and later sections: @@ -29,12 +22,12 @@ sections: - question: | Can I use EFS with BitLocker? answer: | - Yes, you can use Encrypting File System (EFS) to encrypt files on a BitLocker-protected drive. BitLocker helps protect the entire operating system drive against offline attacks, whereas EFS can provide additional user-based file level encryption for security separation between multiple users of the same computer. You can also use EFS in Windows to encrypt files on other drives that are not encrypted by BitLocker. The root secrets of EFS are stored by default on the operating system drive; therefore, if BitLocker is enabled for the operating system drive, data that is encrypted by EFS on other drives is also indirectly protected by BitLocker. + Yes, Encrypting File System (EFS) can be used to encrypt files on a BitLocker-protected drive. BitLocker helps protect the entire operating system drive against offline attacks, whereas EFS can provide additional user-based file level encryption for security separation between multiple users of the same computer. EFS can also be used in Windows to encrypt files on other drives that aren't encrypted by BitLocker. The root secrets of EFS are stored by default on the operating system drive; therefore, if BitLocker is enabled for the operating system drive, data that is encrypted by EFS on other drives is also indirectly protected by BitLocker. - question: | Can I run a kernel debugger with BitLocker? answer: | - Yes. However, the debugger should be turned on before enabling BitLocker. Turning on the debugger ensures that the correct measurements are calculated when sealing to the TPM, allowing the computer to start properly. If you need to turn debugging on or off when using BitLocker, be sure to suspend BitLocker first to avoid putting your computer into recovery mode. + Yes. However, the debugger should be turned on before enabling BitLocker. Turning on the debugger ensures that the correct measurements are calculated when sealing to the TPM, allowing the computer to start properly. If debugging needs to be turned on or off when using BitLocker, be sure to suspend BitLocker first to avoid putting the computer into recovery mode. - question: | How does BitLocker handle memory dumps? @@ -44,80 +37,82 @@ sections: - question: | Can BitLocker support smart cards for pre-boot authentication? answer: | - BitLocker does not support smart cards for pre-boot authentication. There is no single industry standard for smart card support in the firmware, and most computers either do not implement firmware support for smart cards, or only support specific smart cards and readers. This lack of standardization makes supporting them difficult. + BitLocker doesn't support smart cards for pre-boot authentication. There's no single industry standard for smart card support in the firmware, and most computers either don't implement firmware support for smart cards, or only support specific smart cards and readers. This lack of standardization makes supporting them difficult. - question: | Can I use a non-Microsoft TPM driver? answer: | - Microsoft does not support non-Microsoft TPM drivers and strongly recommends against using them with BitLocker. Attempting to use a non-Microsoft TPM driver with BitLocker may cause BitLocker to report that a TPM is not present on the computer and not allow the TPM to be used with BitLocker. + Microsoft doesn't support non-Microsoft TPM drivers and strongly recommends against using them with BitLocker. Attempting to use a non-Microsoft TPM driver with BitLocker may cause BitLocker to report that a TPM isn't present on the computer and not allow the TPM to be used with BitLocker. - question: | Can other tools that manage or modify the master boot record work with BitLocker? answer: | - We do not recommend modifying the master boot record on computers whose operating system drives are BitLocker-protected for a number of security, reliability, and product support reasons. Changes to the master boot record (MBR) could change the security environment and prevent the computer from starting normally, as well as complicate any efforts to recover from a corrupted MBR. Changes made to the MBR by anything other than Windows might force the computer into recovery mode or prevent it from booting entirely. + We don't recommend modifying the master boot record on computers whose operating system drives are BitLocker-protected for several security, reliability, and product support reasons. Changes to the master boot record (MBR) could change the security environment and prevent the computer from starting normally and complicate any efforts to recover from a corrupted MBR. Changes made to the MBR by anything other than Windows might force the computer into recovery mode or prevent it from booting entirely. - question: | - Why is the system check failing when I am encrypting my operating system drive? + Why is the system check failing when I'm encrypting my operating system drive? answer: | - The system check is designed to ensure your computer's BIOS or UEFI firmware is compatible with BitLocker and that the TPM is working correctly. The system check can fail for several reasons: + The system check is designed to ensure the computer's BIOS or UEFI firmware is compatible with BitLocker and that the TPM is working correctly. The system check can fail for several reasons: - - The computer's BIOS or UEFI firmware cannot read USB flash drives. - - The computer's BIOS, uEFI firmware, or boot menu does not have reading USB flash drives enabled. - - There are multiple USB flash drives inserted into the computer. - - The PIN was not entered correctly. - - The computer's BIOS or UEFI firmware only supports using the function keys (F1–F10) to enter numerals in the pre-boot environment. - - The startup key was removed before the computer finished rebooting. - - The TPM has malfunctioned and fails to unseal the keys. + - The computer's BIOS or UEFI firmware can't read USB flash drives. + - The computer's BIOS, uEFI firmware, or boot menu doesn't have reading USB flash drives enabled. + - There are multiple USB flash drives inserted into the computer. + - The PIN wasn't entered correctly. + - The computer's BIOS or UEFI firmware only supports using the function keys (F1-F10) to enter numerals in the pre-boot environment. + - The startup key was removed before the computer finished rebooting. + - The TPM has malfunctioned and fails to unseal the keys. - question: | - What can I do if the recovery key on my USB flash drive cannot be read? + What can I do if the recovery key on my USB flash drive can't be read? answer: | - Some computers cannot read USB flash drives in the pre-boot environment. First, check your BIOS or UEFI firmware and boot settings to ensure that the use of USB drives is enabled. If it is not enabled, enable the use of USB drives in the BIOS or UEFI firmware and boot settings and then try to read the recovery key from the USB flash drive again. If it still cannot be read, you will have to mount the hard drive as a data drive on another computer so that there is an operating system to attempt to read the recovery key from the USB flash drive. If the USB flash drive has been corrupted or damaged, you may need to supply a recovery password or use the recovery information that was backed up to AD DS. Also, if you are using the recovery key in the pre-boot environment, ensure that the drive is formatted by using the NTFS, FAT16, or FAT32 file system. + Some computers can't read USB flash drives in the pre-boot environment. First, check the BIOS or UEFI firmware and boot settings to ensure that the use of USB drives is enabled. If it isn't enabled, enable the use of USB drives in the BIOS or UEFI firmware and boot settings, and then try to read the recovery key from the USB flash drive again. If the USB flash drive still can't be read, the hard drive will need to be mounted as a data drive on another computer so that there's an operating system to attempt to read the recovery key from the USB flash drive. If the USB flash drive has been corrupted or damaged, a recovery password may need to be supplied or use the recovery information that was backed up to AD DS. Also, if the recovery key is being used in the pre-boot environment, ensure that the drive is formatted by using the NTFS, FAT16, or FAT32 file system. - question: | Why am I unable to save my recovery key to my USB flash drive? answer: | - The **Save to USB** option is not shown by default for removable drives. If the option is unavailable, it means that a system administrator has disallowed the use of recovery keys. + The **Save to USB** option isn't shown by default for removable drives. If the option is unavailable, it means that a system administrator has disallowed the use of recovery keys. - question: | Why am I unable to automatically unlock my drive? answer: | - Automatic unlocking for fixed data drives requires the operating system drive to also be protected by BitLocker. If you are using a computer that does not have a BitLocker-protected operating system drive, the drive cannot be automatically unlocked. For removable data drives, you can add automatic unlocking by right-clicking the drive in Windows Explorer and clicking **Manage BitLocker**. You will still be able to use the password or smart card credentials you supplied when you turned on BitLocker to unlock the removable drive on other computers. + Automatic unlocking for fixed data drives requires the operating system drive to also be protected by BitLocker. If a computer is being used that doesn't have a BitLocker-protected operating system drive, then the fixed drive can't be automatically unlocked. For removable data drives, automatic unlocking can be added by right-clicking the drive in Windows Explorer and selecting **Manage BitLocker**. Password or smart card credentials that were supplied when BitLocker was turned on can still be used to unlock the removable drive on other computers. - question: | Can I use BitLocker in Safe Mode? answer: | - Limited BitLocker functionality is available in Safe Mode. BitLocker-protected drives can be unlocked and decrypted by using the **BitLocker Drive Encryption** Control Panel item. Right-clicking to access BitLocker options from Windows Explorer is not available in Safe Mode. + Limited BitLocker functionality is available in Safe Mode. BitLocker-protected drives can be unlocked and decrypted by using the **BitLocker Drive Encryption** Control Panel item. Right-clicking to access BitLocker options from Windows Explorer isn't available in Safe Mode. - question: | How do I "lock" a data drive? answer: | - Both fixed and removable data drives can be locked by using the Manage-bde command-line tool and the –lock command. + Both fixed and removable data drives can be locked by using the Manage-bde command-line tool and the -lock command. > [!NOTE] > Ensure all data is saved to the drive before locking it. Once locked, the drive will become inaccessible. The syntax of this command is: - manage-bde driveletter -lock + ```cmd + manage-bde.exe -lock + ```` Outside of using this command, data drives will be locked on shutdown and restart of the operating system. A removable data drive will also be locked automatically when the drive is removed from the computer. - question: | Can I use BitLocker with the Volume Shadow Copy Service? answer: | - Yes. However, shadow copies made prior to enabling BitLocker will be automatically deleted when BitLocker is enabled on software-encrypted drives. If you are using a hardware encrypted drive, the shadow copies are retained. + Yes. However, shadow copies made prior to enabling BitLocker will be automatically deleted when BitLocker is enabled on software-encrypted drives. If a hardware encrypted drive is being used, the shadow copies are retained. - question: | Does BitLocker support virtual hard disks (VHDs)? answer: | BitLocker should work like any specific physical machine within its hardware limitations as long as the environment (physical or virtual) meets Windows Operating System requirements to run. - - With TPM: Yes, it is supported. - - Without TPM: Yes, it is supported (with password protector). + - With TPM: Yes, it's supported. + - Without TPM: Yes, it's supported (with password protector). - BitLocker is also supported on data volume VHDs, such as those used by clusters, if you are running Windows 10, Windows 8.1, Windows 8, Windows Server 2016, Windows Server 2012 R2, or Windows Server 2012. + BitLocker is also supported on data volume VHDs, such as those used by clusters, if running Windows 10, Windows 8.1, Windows 8, Windows Server 2016, Windows Server 2012 R2, or Windows Server 2012. - question: | Can I use BitLocker with virtual machines (VMs)? answer: | - Yes. Password protectors and virtual TPMs can be used with BitLocker to protect virtual machines. VMs can be domain joined, Azure AD-joined, or workplace-joined (via **Settings** > **Accounts** > **Access work or school** > **Connect**) to receive policy. You can enable encryption either while creating the VM or by using other existing management tools such as the BitLocker CSP, or even by using a startup script or logon script delivered by Group Policy. Windows Server 2016 also supports [Shielded VMs and guarded fabric](/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms-top-node) to protect VMs from malicious administrators. + Yes. Password protectors and virtual TPMs can be used with BitLocker to protect virtual machines. VMs can be domain joined, Azure AD-joined, or workplace-joined (via **Settings** > **Accounts** > **Access work or school** > **Connect**) to receive policy. Encryption can be enabled either while creating the VM or by using other existing management tools such as the BitLocker CSP, or even by using a startup script or sign-in script delivered by Group Policy. Windows Server 2016 also supports [Shielded VMs and guarded fabric](/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms-top-node) to protect VMs from malicious administrators. diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md index 079b849ca8..07323ba946 100644 --- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md +++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md @@ -1,22 +1,21 @@ --- -title: Prepare your organization for BitLocker Planning and policies (Windows 10) -description: This article for the IT professional explains how can you plan your BitLocker deployment. +title: Prepare the organization for BitLocker Planning and policies (Windows 10) +description: This article for the IT professional explains how can to plan for a BitLocker deployment. ms.reviewer: ms.prod: windows-client ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: frankroj +ms.author: frankroj manager: aaroncz -ms.collection: - - M365-security-compliance ms.topic: conceptual -ms.date: 04/24/2019 +ms.date: 11/08/2022 ms.custom: bitlocker +ms.technology: itpro-security --- -# Prepare your organization for BitLocker: Planning and policies +# Prepare an organization for BitLocker: Planning and policies -**Applies to** +**Applies to:** - Windows 10 - Windows 11 @@ -24,18 +23,22 @@ ms.custom: bitlocker This article for the IT professional explains how to plan BitLocker deployment. -When you design your BitLocker deployment strategy, define the appropriate policies and configuration requirements based on the business requirements of your organization. The following sections will help you collect information. Use this information to help with your decision-making process about deploying and managing BitLocker systems. +When BitLocker deployment strategy is defined, define the appropriate policies and configuration requirements based on the business requirements of the organization. The following sections will help with collecting information. Use this information to help with the decision-making process about deploying and managing BitLocker systems. -## Audit your environment +## Audit the environment -To plan your BitLocker deployment, understand your current environment. Do an informal audit to define your current policies, procedures, and hardware environment. Review your existing disk encryption software corporate security policies. If your organization isn't using disk encryption software, then none of these policies will exist. If you use disk encryption software, then you might need to change your organization's policies to use the BitLocker features. +To plan a BitLocker deployment, understand the current environment. Perform an informal audit to define the current policies, procedures, and hardware environment. Review the existing disk encryption software corporate security policies. If the organization isn't using disk encryption software, then none of these policies will exist. If disk encryption software is being used, then the organization's policies might need to be changed to use the BitLocker features. -To help you document your organization's current disk encryption security policies, answer the following questions: +To help document the organization's current disk encryption security policies, answer the following questions: 1. Are there policies to determine which computers will use BitLocker and which computers won't use BitLocker? + 2. What policies exist to control recovery password and recovery key storage? + 3. What are the policies for validating the identity of users who need to perform BitLocker recovery? + 4. What policies exist to control who in the organization has access to recovery data? + 5. What policies exist to control computer decommissioning or retirement? ## Encryption keys and authentication @@ -47,51 +50,52 @@ BitLocker helps prevent unauthorized access to data on lost or stolen computers The trusted platform module (TPM) is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data. And, help make sure a computer hasn't been tampered with while the system was offline. -Also, BitLocker can lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable USB device, such as a flash drive, that contains a startup key. These extra security measures provide multifactor authentication. They also make sure that the computer won't start or resume from hibernation until the correct PIN or startup key is presented. +Also, BitLocker can lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable USB device that contains a startup key. These extra security measures provide multifactor authentication. They also make sure that the computer won't start or resume from hibernation until the correct PIN or startup key is presented. -On computers that don't have a TPM version 1.2 or higher, you can still use BitLocker to encrypt the Windows operating system volume. However, this implementation requires the user to insert a USB startup key to start the computer or resume from hibernation. It doesn't provide the pre-startup system integrity verification offered by BitLocker working with a TPM. +On computers that don't have a TPM version 1.2 or higher, BitLocker can still be used to encrypt the Windows operating system volume. However, this implementation requires the user to insert a USB startup key to start the computer or resume from hibernation. It doesn't provide the pre-startup system integrity verification offered by BitLocker working with a TPM. ### BitLocker key protectors + | Key protector | Description | | - | - | -| TPM | A hardware device used to help establish a secure root-of-trust. BitLocker only supports TPM 1.2 or higher versions.| -| PIN | A user-entered numeric key protector that can only be used in addition to the TPM.| -| Enhanced PIN | A user-entered alphanumeric key protector that can only be used in addition to the TPM.| -| Startup key | An encryption key that can be stored on most removable media. This key protector can be used alone on non-TPM computers, or in conjunction with a TPM for added security.| -| Recovery password | A 48-digit number used to unlock a volume when it is in recovery mode. Numbers can often be typed on a regular keyboard. If the numbers on the normal keyboard are not responding, you can always use the function keys (F1-F10) to input the numbers.| -| Recovery key| An encryption key stored on removable media that can be used for recovering data encrypted on a BitLocker volume.| +| *TPM* | A hardware device used to help establish a secure root-of-trust. BitLocker only supports TPM 1.2 or higher versions.| +| *PIN* | A user-entered numeric key protector that can only be used in addition to the TPM.| +| *Enhanced PIN* | A user-entered alphanumeric key protector that can only be used in addition to the TPM.| +| *Startup key* | An encryption key that can be stored on most removable media. This key protector can be used alone on non-TPM computers, or with a TPM for added security.| +| *Recovery password* | A 48-digit number used to unlock a volume when it is in recovery mode. Numbers can often be typed on a regular keyboard. If the numbers on the normal keyboard aren't responding, the function keys (F1-F10) can be used to input the numbers.| +| *Recovery key*| An encryption key stored on removable media that can be used for recovering data encrypted on a BitLocker volume.| ### BitLocker authentication methods | Authentication method | Requires user interaction | Description | | - | - | - | -| TPM only| No| TPM validates early boot components.| -| TPM + PIN | Yes| TPM validates early boot components. The user must enter the correct PIN before the start-up process can continue, and before the drive can be unlocked. The TPM enters lockout if the incorrect PIN is entered repeatedly, to protect the PIN from brute force attacks. The number of repeated attempts that will trigger a lockout is variable.| -| TPM + Network key | No | The TPM successfully validates early boot components, and a valid encrypted network key has been provided from the WDS server. This authentication method provides automatic unlock of operating system volumes at system reboot while still maintaining multifactor authentication. | -| TPM + startup key| Yes| The TPM successfully validates early boot components, and a USB flash drive containing the startup key has been inserted.| -| Startup key only | Yes| The user is prompted for the USB flash drive that has the recovery key and/or startup key, and then reboot the computer.| +| *TPM only*| No| TPM validates early boot components.| +| *TPM + PIN* | Yes| TPM validates early boot components. The user must enter the correct PIN before the start-up process can continue, and before the drive can be unlocked. The TPM enters lockout if the incorrect PIN is entered repeatedly, to protect the PIN from brute force attacks. The number of repeated attempts that will trigger a lockout is variable.| +| *TPM + Network key* | No | The TPM successfully validates early boot components, and a valid encrypted network key has been provided from the WDS server. This authentication method provides automatic unlock of operating system volumes at system reboot while still maintaining multifactor authentication. | +| *TPM + startup key* | Yes| The TPM successfully validates early boot components, and a USB flash drive containing the startup key has been inserted.| +| *Startup key only* | Yes| The user is prompted for the USB flash drive that has the recovery key and/or startup key, and then reboot the computer.| -**Will you support computers without TPM 1.2 or higher versions?** +#### Will computers without TPM 1.2 or higher versions be supported? -Determine whether you will support computers that don't have a TPM 1.2 or higher versions in your environment. If you choose to support BitLocker on this type of computer, a user must use a USB startup key to boot the system. This startup key requires extra support processes similar to multifactor authentication. +Determine whether computers that don't have a TPM 1.2 or higher versions in the environment will be supported. If it's decided to support computers with TPM 1.2 or higher versions, a user must use a USB startup key to boot the system. This startup key requires extra support processes similar to multifactor authentication. -**What areas of your organization need a baseline level of data protection?** +#### What areas of the organization need a baseline level of data protection? The TPM-only authentication method provides the most transparent user experience for organizations that need a baseline level of data protection to meet security policies. It has the lowest total cost of ownership. TPM-only might also be more appropriate for computers that are unattended or that must reboot unattended. -However, TPM-only authentication method offers the lowest level of data protection. This authentication method protects against attacks that modify early boot components. But, the level of protection can be affected by potential weaknesses in hardware or in the early boot components. BitLocker’s multifactor authentication methods significantly increase the overall level of data protection. +However, TPM-only authentication method offers the lowest level of data protection. This authentication method protects against attacks that modify early boot components. But, the level of protection can be affected by potential weaknesses in hardware or in the early boot components. BitLocker's multifactor authentication methods significantly increase the overall level of data protection. -**What areas of your organization need a more secure level of data protection?** +#### What areas of the organization need a more secure level of data protection? -If there are user computers with highly sensitive data, then deploy BitLocker with multifactor authentication on those systems. Requiring the user to input a PIN significantly increases the level of protection for the system. You can also use BitLocker Network Unlock to allow these computers to automatically unlock when connected to a trusted wired network that can provide the Network Unlock key. +If there are user computers with highly sensitive data, then deploy BitLocker with multifactor authentication on those systems. Requiring the user to input a PIN significantly increases the level of protection for the system. BitLocker Network Unlock can also be used to allow these computers to automatically unlock when connected to a trusted wired network that can provide the Network Unlock key. -**What multifactor authentication method does your organization prefer?** +#### What multifactor authentication method does the organization prefer? The protection differences provided by multifactor authentication methods can't be easily quantified. Consider each authentication method's impact on Helpdesk support, user education, user productivity, and any automated systems management processes. ## TPM hardware configurations -In your deployment plan, identify what TPM-based hardware platforms will be supported. Document the hardware models from an OEM of your choice so that their configurations can be tested and supported. TPM hardware requires special consideration during all aspects of planning and deployment. +In the deployment plan, identify what TPM-based hardware platforms will be supported. Document the hardware models from an OEM(s) being used by the organization so that their configurations can be tested and supported. TPM hardware requires special consideration during all aspects of planning and deployment. ### TPM 1.2 states and initialization @@ -101,7 +105,7 @@ For TPM 1.2, there are multiple possible states. Windows automatically initializ For a TPM to be usable by BitLocker, it must contain an endorsement key, which is an RSA key pair. The private half of the key pair is held inside the TPM and is never revealed or accessible outside the TPM. If the TPM doesn't have an endorsement key, BitLocker will force the TPM to generate one automatically as part of BitLocker setup. -An endorsement key can be created at various points in the TPM’s lifecycle, but needs to be created only once for the lifetime of the TPM. If an endorsement key doesn't exist for the TPM, it must be created before TPM ownership can be taken. +An endorsement key can be created at various points in the TPM's lifecycle, but needs to be created only once for the lifetime of the TPM. If an endorsement key doesn't exist for the TPM, it must be created before TPM ownership can be taken. For more information about the TPM and the TCG, see the Trusted Computing Group: Trusted Platform Module (TPM) Specifications (). @@ -109,13 +113,13 @@ For more information about the TPM and the TCG, see the Trusted Computing Group: Devices that don't include a TPM can still be protected by drive encryption. Windows To Go workspaces can be BitLocker protected using a startup password and PCs without a TPM can use a startup key. -Use the following questions to identify issues that might affect your deployment in a non-TPM configuration: +Use the following questions to identify issues that might affect the deployment in a non-TPM configuration: - Are password complexity rules in place? -- Do you have budget for USB flash drives for each of these computers? -- Do your existing non-TPM devices support USB devices at boot time? +- Is there a budget for USB flash drives for each of these computers? +- Do existing non-TPM devices support USB devices at boot time? -Test your individual hardware platforms with the BitLocker system check option while you're enabling BitLocker. The system check makes sure that BitLocker can read the recovery information from a USB device and encryption keys correctly before it encrypts the volume. CD and DVD drives can't act as a block storage device and can't be used to store the BitLocker recovery material. +Test the individual hardware platforms with the BitLocker system check option while enabling BitLocker. The system check makes sure that BitLocker can read the recovery information from a USB device and encryption keys correctly before it encrypts the volume. CD and DVD drives can't act as a block storage device and can't be used to store the BitLocker recovery material. ## Disk configuration considerations @@ -124,17 +128,17 @@ To function correctly, BitLocker requires a specific disk configuration. BitLock - The operating system partition contains the operating system and its support files; it must be formatted with the NTFS file system - The system partition (or boot partition) includes the files needed to load Windows after the BIOS or UEFI firmware has prepared the system hardware. BitLocker isn't enabled on this partition. For BitLocker to work, the system partition must not be encrypted, and must be on a different partition than the operating system. On UEFI platforms, the system partition must be formatted with the FAT 32-file system. On BIOS platforms, the system partition must be formatted with the NTFS file system. It should be at least 350 MB in size. -Windows setup automatically configures the disk drives of your computer to support BitLocker encryption. +Windows setup automatically configures the disk drives of computers to support BitLocker encryption. Windows Recovery Environment (Windows RE) is an extensible recovery platform that is based on Windows Pre-installation Environment (Windows PE). When the computer fails to start, Windows automatically transitions into this environment, and the Startup Repair tool in Windows RE automates the diagnosis and repair of an unbootable Windows installation. Windows RE also contains the drivers and tools that are needed to unlock a volume protected by BitLocker by providing a recovery key or recovery password. To use Windows RE with BitLocker, the Windows RE boot image must be on a volume that isn't protected by BitLocker. -Windows RE can also be used from boot media other than the local hard disk. If you don't install Windows RE on the local hard disk of BitLocker-enabled computers, then you can use different boot methods. For example, you can use Windows Deployment Services, CD-ROM, or USB flash drive for recovery. +Windows RE can also be used from boot media other than the local hard disk. If Windows RE isn't installed on the local hard disk of BitLocker-enabled computers, then different methods can be used to boot Windows RE. For example, Windows Deployment Services (WDS), CD-ROM, or USB flash drive can be used for recovery. ## BitLocker provisioning In Windows Vista and Windows 7, BitLocker was provisioned after the installation for system and data volumes. It used the `manage-bde` command line interface or the Control Panel user interface. With newer operating systems, BitLocker can be provisioned before the operating system is installed. Preprovisioning requires the computer have a TPM. -To check the BitLocker status of a particular volume, administrators can look at the drive status in the BitLocker control panel applet or Windows Explorer. The "Waiting For Activation" status with a yellow exclamation icon means that the drive was preprovisioned for BitLocker. This status means that there was only a clear protector used when encrypting the volume. In this case, the volume isn't protected, and needs to have a secure key added to the volume before the drive is considered fully protected. Administrators can use the control panel options, `manage-bde` tool, or WMI APIs to add an appropriate key protector. The volume status will be updated. +To check the BitLocker status of a particular volume, administrators can look at the drive status in the BitLocker control panel applet or Windows Explorer. The "Waiting For Activation" status with a yellow exclamation icon means that the drive was preprovisioned for BitLocker. This status means that there was only a clear protector used when encrypting the volume. In this case, the volume isn't protected, and needs to have a secure key added to the volume before the drive is considered fully protected. Administrators can use the control panel options, the **manage-bde** tool, or WMI APIs to add an appropriate key protector. The volume status will be updated. When using the control panel options, administrators can choose to **Turn on BitLocker** and follow the steps in the wizard to add a protector, such as a PIN for an operating system volume (or a password if no TPM exists), or a password or smart card protector to a data volume. Then the drive security window is presented before changing the volume status. @@ -144,7 +148,7 @@ Administrators can enable BitLocker before to operating system deployment from t The BitLocker Setup wizard provides administrators the ability to choose the Used Disk Space Only or Full encryption method when enabling BitLocker for a volume. Administrators can use the new BitLocker group policy setting to enforce either Used Disk Space Only or Full disk encryption. -Launching the BitLocker Setup wizard prompts for the authentication method to be used (password and smart card are available for data volumes). Once the method is chosen and the recovery key is saved, you're asked to choose the drive encryption type. Select Used Disk Space Only or Full drive encryption. +Launching the BitLocker Setup wizard prompts for the authentication method to be used (password and smart card are available for data volumes). Once the method is chosen and the recovery key is saved, the wizard asks to choose the drive encryption type. Select Used Disk Space Only or Full drive encryption. With Used Disk Space Only, just the portion of the drive that contains data will be encrypted. Unused space will remain unencrypted. This behavior causes the encryption process to be much faster, especially for new PCs and data drives. When BitLocker is enabled with this method, as data is added to the drive, the portion of the drive used is encrypted. So, there's never unencrypted data stored on the drive. @@ -154,7 +158,7 @@ With Full drive encryption, the entire drive is encrypted, whether data is store BitLocker integrates with Active Directory Domain Services (AD DS) to provide centralized key management. By default, no recovery information is backed up to Active Directory. Administrators can configure the following group policy setting for each drive type to enable backup of BitLocker recovery information: -Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\*drive type*\\Choose how BitLocker-protected drives can be recovered. +**Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > ***drive type*** > **Choose how BitLocker-protected drives can be recovered**. By default, only Domain Admins have access to BitLocker recovery information, but [access can be delegated to others](/archive/blogs/craigf/delegating-access-in-ad-to-bitlocker-recovery-information). @@ -166,7 +170,7 @@ The following recovery data is saved for each computer object: - **Key package data** - With this key package and the recovery password, you will be able to decrypt portions of a BitLocker-protected volume if the disk is severely damaged. Each key package works only with the volume it was created on, which is identified by the corresponding volume ID. + With this key package and the recovery password, portions of a BitLocker-protected volume can be decrypted if the disk is severely damaged. Each key package works only with the volume it was created on, which is identified by the corresponding volume ID. ## FIPS support for recovery password protector @@ -175,21 +179,25 @@ Functionality introduced in Windows Server 2012 R2 and Windows 8.1 allows BitLoc > [!NOTE] > The United States Federal Information Processing Standard (FIPS) defines security and interoperability requirements for computer systems that are used by the U.S. Federal Government. The FIPS-140 standard defines approved cryptographic algorithms. The FIPS-140 standard also sets forth requirements for key generation and for key management. The National Institute of Standards and Technology (NIST) uses the Cryptographic Module Validation Program (CMVP) to determine whether a particular implementation of a cryptographic algorithm is compliant with the FIPS-140 standard. An implementation of a cryptographic algorithm is considered FIPS-140-compliant only if it has been submitted for and has passed NIST validation. An algorithm that has not been submitted cannot be considered FIPS-compliant even if the implementation produces identical data as a validated implementation of the same algorithm. -Before these supported versions of Windows, when Windows was in FIPS mode, BitLocker prevented the creation or use of recovery passwords and instead forced the user to use recovery keys. For more information about these issues, see the support article [kb947249](/troubleshoot/windows-client/windows-security/bitlocker-recovery-password-not-fips-compliant). +Before these supported versions of Windows, when Windows was in FIPS mode, BitLocker prevented the creation or use of recovery passwords and instead forced the user to use recovery keys. For more information about these issues, see the support article [The recovery password for Windows BitLocker isn't available when FIPS compliant policy is set in Windows](/troubleshoot/windows-client/windows-security/bitlocker-recovery-password-not-fips-compliant). -But on computers running these supported systems with BitLocker enabled: +However, on computers running these supported systems with BitLocker enabled: - FIPS-compliant recovery password protectors can be created when Windows is in FIPS mode. These protectors use the FIPS-140 NIST SP800-132 algorithm. + - Recovery passwords created in FIPS mode on Windows 8.1 can be distinguished from recovery passwords created on other systems. + - Recovery unlock using the FIPS-compliant, algorithm-based recovery password protector works in all cases that currently work for recovery passwords. + - When FIPS-compliant recovery passwords unlock volumes, the volume is unlocked to allow read/write access even while in FIPS mode. + - FIPS-compliant recovery password protectors can be exported and stored in AD a while in FIPS mode. The BitLocker Group Policy settings for recovery passwords work the same for all Windows versions that support BitLocker, whether in FIPS mode or not. -On Windows Server 2012 R2 and Windows 8.1 and older, you can't use recovery passwords generated on a system in FIPS mode. Recovery passwords created on Windows Server 2012 R2 and Windows 8.1 are incompatible with BitLocker on operating systems older than Windows Server 2012 R2 and Windows 8.1. So, recovery keys should be used instead. +On Windows Server 2012 R2 and Windows 8.1 and older, recovery passwords generated on a system in FIPS mode can't be used. Recovery passwords created on Windows Server 2012 R2 and Windows 8.1 are incompatible with BitLocker on operating systems older than Windows Server 2012 R2 and Windows 8.1. So, recovery keys should be used instead. -## More information +## Related articles - [Trusted Platform Module](../tpm/trusted-platform-module-top-node.md) - [TPM Group Policy settings](../tpm/trusted-platform-module-services-group-policy-settings.md) diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md index 803ad864c1..c8e7301a42 100644 --- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md +++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md @@ -4,25 +4,26 @@ description: This article for IT pros describes how to protect CSVs and SANs wit ms.reviewer: ms.prod: windows-client ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: frankroj +ms.author: frankroj manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 02/28/2019 +ms.date: 11/08/2022 ms.custom: bitlocker +ms.technology: itpro-security --- # Protecting cluster shared volumes and storage area networks with BitLocker -**Applies to** -- Windows Server 2016 +**Applies to:** + +- Windows Server 2016 and above This article describes the procedure to protect cluster shared volumes (CSVs) and storage area networks (SANs) by using BitLocker. BitLocker protects both physical disk resources and cluster shared volumes version 2.0 (CSV2.0). BitLocker on clustered volumes provides an extra layer of protection that can be used by administrators wishing to protect sensitive, highly available data. The administrators use this extra layer of protection to increase the security to resources. Only certain user accounts provided access to unlock the BitLocker volume. -## Configuring BitLocker on Cluster Shared Volumes +## Configuring BitLocker on Cluster Shared Volumes ### Using BitLocker with clustered volumes @@ -30,146 +31,150 @@ Volumes within a cluster are managed with the help of BitLocker based on how the > [!IMPORTANT] > SANs used with BitLocker must have obtained Windows Hardware Certification. For more info, see [Windows Hardware Lab Kit](/windows-hardware/drivers/). - + Instead, the volume can be a cluster-shared volume. Windows Server 2012 expanded the CSV architecture, now known as CSV2.0, to enable support for BitLocker. The volumes that are designated for a cluster must do the following tasks: - It must turn on BitLocker—only after this task is done, can the volumes be added to the storage pool. - It must put the resource into maintenance mode before BitLocker operations are completed. -Windows PowerShell or the manage-bde command-line interface is the preferred method to manage BitLocker on CSV2.0 volumes. This method is recommended over the BitLocker Control Panel item because CSV2.0 volumes are mount points. Mount points are an NTFS object that is used to provide an entry point to other volumes. Mount points don't require the use of a drive letter. Volumes that lack drive letters don't appear in the BitLocker Control Panel item. Additionally, the new Active Directory-based protector option required for cluster disk resource or CSV2.0 resources isn't available in the Control Panel item. +Windows PowerShell or the `manage-bde.exe` command-line tool is the preferred method to manage BitLocker on CSV2.0 volumes. This method is recommended over the BitLocker Control Panel item because CSV2.0 volumes are mount points. Mount points are an NTFS object that is used to provide an entry point to other volumes. Mount points don't require the use of a drive letter. Volumes that lack drive letters don't appear in the BitLocker Control Panel item. Additionally, the new Active Directory-based protector option required for cluster disk resource or CSV2.0 resources isn't available in the Control Panel item. > [!NOTE] > Mount points can be used to support remote mount points on SMB-based network shares. This type of share is not supported for BitLocker encryption. - -If there's a thinly provisioned storage, such as a dynamic virtual hard disk (VHD), BitLocker runs in **Used Disk Space Only** encryption mode. You can't use the **manage-bde -WipeFreeSpace** command to transition the volume to full-volume encryption on thinly provisioned storage volumes. The usage of **manage-bde -WipeFreeSpace** command is blocked to avoid expanding thinly provisioned volumes to occupy the entire backing store while wiping the unoccupied (free) space. + +If there's a thinly provisioned storage, such as a dynamic virtual hard disk (VHD), BitLocker runs in **Used Disk Space Only** encryption mode. The **`manage-bde.exe -WipeFreeSpace`** command can't be used to transition the volume to full-volume encryption on thinly provisioned storage volumes. The usage of **`manage-bde.exe -WipeFreeSpace`** command is blocked to avoid expanding thinly provisioned volumes to occupy the entire backing store while wiping the unoccupied (free) space. ### Active Directory-based protector -You can also use an Active Directory Domain Services (AD DS) protector for protecting clustered volumes held within your AD DS infrastructure. The **ADAccountOrGroup** protector is a domain security identifier (SID)-based protector that can be bound to a user account, machine account, or group. When an unlock request is made for a protected volume, the following events take place: +An Active Directory Domain Services (AD DS) protector can also be used for protecting clustered volumes held within the AD DS infrastructure. The **ADAccountOrGroup** protector is a domain security identifier (SID)-based protector that can be bound to a user account, machine account, or group. When an unlock request is made for a protected volume, the following events take place: -- BitLocker service interrupts the request and uses the BitLocker protect/unprotect APIs to unlock or deny the request. +- BitLocker service interrupts the request and uses the BitLocker protect/unprotect APIs to unlock or deny the request. - BitLocker will unlock protected volumes without user intervention by attempting protectors in the following order: - 1. Clear key - 2. Driver-based auto-unlock key - 3. **ADAccountOrGroup** protector - + 1. Clear key + 2. Driver-based auto-unlock key + 3. **ADAccountOrGroup** protector + a. Service context protector - + b. User protector - - 4. Registry-based auto-unlock key + + 4. Registry-based auto-unlock key > [!NOTE] > A Windows Server 2012 or later domain controller is required for this feature to work properly. - + ### Turning on BitLocker before adding disks to a cluster using Windows PowerShell BitLocker encryption is available for disks before these disks are added to a cluster storage pool. > [!NOTE] -> The advantage of The Bitlocker encryption can even be made available for disks after they are added to a cluster storage pool. -The advantage of encrypting volumes prior to adding them to a cluster is that the disk resource need not be suspended to complete the operation. +> The advantage of The Bitlocker encryption can even be made available for disks after they are added to a cluster storage pool. +The advantage of encrypting volumes prior to adding them to a cluster is that the disk resource need not be suspended to complete the operation. To turn on BitLocker for a disk before adding it to a cluster: -1. Install the BitLocker Drive Encryption feature if it isn't already installed. -2. Ensure the disk is an NTFS-formatted one and has a drive letter assigned to it. -3. Identify the name of the cluster with Windows PowerShell. +1. Install the BitLocker Drive Encryption feature if it isn't already installed. + +2. Ensure the disk is an NTFS-formatted one and has a drive letter assigned to it. + +3. Identify the name of the cluster with Windows PowerShell. ```powershell Get-Cluster ``` -4. Enable BitLocker on the volume of your choice with an **ADAccountOrGroup** protector, using the cluster name. For example, use a command such as: + +4. Enable BitLocker on a volume with an **ADAccountOrGroup** protector, using the cluster name. For example, use a command such as: ```powershell Enable-BitLocker E: -ADAccountOrGroupProtector -ADAccountOrGroup CLUSTER$ ``` - > [!WARNING] - > You must configure an **ADAccountOrGroup** protector using the cluster CNO for a BitLocker enabled volume to either be shared in a Cluster Shared Volume or to fail over properly in a traditional failover cluster. - -5. Repeat the preceding steps for each disk in the cluster. -6. Add the volume(s) to the cluster. + > [!WARNING] + > An **ADAccountOrGroup** protector must be configured using the cluster CNO for a BitLocker enabled volume to either be shared in a Cluster Shared Volume or to fail over properly in a traditional failover cluster. + +5. Repeat the preceding steps for each disk in the cluster. + +6. Add the volume(s) to the cluster. ### Turning on BitLocker for a clustered disk using Windows PowerShell -When the cluster service owns a disk resource already, the disk resource needs to be set into maintenance mode before BitLocker can be enabled. To turn on the Bitlocker for a clustered disk using Windows PowerShell, perform the following steps: +When the cluster service owns a disk resource already, the disk resource needs to be set into maintenance mode before BitLocker can be enabled. To turn on the BitLocker for a clustered disk using Windows PowerShell, perform the following steps: -1. Install the BitLocker drive encryption feature if it isn't already installed. -2. Check the status of the cluster disk using Windows PowerShell. +1. Install the BitLocker drive encryption feature if it isn't already installed. + +2. Check the status of the cluster disk using Windows PowerShell. ```powershell Get-ClusterResource "Cluster Disk 1" ``` -3. Put the physical disk resource into maintenance mode using Windows PowerShell. + +3. Put the physical disk resource into maintenance mode using Windows PowerShell. ```powershell Get-ClusterResource "Cluster Disk 1" | Suspend-ClusterResource ``` -4. Identify the name of the cluster with Windows PowerShell. + +4. Identify the name of the cluster with Windows PowerShell. ```powershell Get-Cluster ``` -5. Enable BitLocker on the volume of your choice with an **ADAccountOrGroup** protector, using the cluster name. For example, use a command such as: + +5. Enable BitLocker a volume with an **ADAccountOrGroup** protector, using the cluster name. For example, use a command such as: ```powershell Enable-BitLocker E: -ADAccountOrGroupProtector -ADAccountOrGroup CLUSTER$ ``` > [!WARNING] - > You must configure an **ADAccountOrGroup** protector using the cluster CNO for a BitLocker-enabled volume to either be shared in a cluster-shared Volume or to fail over properly in a traditional failover cluster. - -6. Use **Resume-ClusterResource** to take back the physical disk resource out of maintenance mode: + > An **ADAccountOrGroup** protector must be configured using the cluster CNO for a BitLocker-enabled volume to either be shared in a cluster-shared Volume or to fail over properly in a traditional failover cluster. + +6. Use **Resume-ClusterResource** to take back the physical disk resource out of maintenance mode: ```powershell Get-ClusterResource "Cluster Disk 1" | Resume-ClusterResource ``` -7. Repeat the preceding steps for each disk in the cluster. -### Adding BitLocker-encrypted volumes to a cluster using manage-bde +7. Repeat the preceding steps for each disk in the cluster. -You can also use **manage-bde** to enable BitLocker on clustered volumes. The steps needed to add a physical disk resource or CSV2.0 volume to an existing cluster are: +### Adding BitLocker-encrypted volumes to a cluster using `manage-bde.exe` -1. Verify that the BitLocker drive encryption feature is installed on the computer. -2. Ensure new storage is formatted as NTFS. -3. Encrypt the volume, add a recovery key and add the cluster administrator as a protector key using the**manage-bde** command line interface (see example): +**`Manage-bde.exe`** can also be used to enable BitLocker on clustered volumes. The steps needed to add a physical disk resource or CSV2.0 volume to an existing cluster are: - - `Manage-bde -on -used -RP -sid domain\CNO$ -sync` +1. Verify that the BitLocker drive encryption feature is installed on the computer. - 1. BitLocker will check to see if the disk is already part of a cluster. If it is, administrators will encounter a hard block. Otherwise, the encryption continues. - 2. Using the -sync parameter is optional. However, using -sync parameter has the following advantage: - - The -sync parameter ensures the command waits until the encryption for the volume is completed. The volume is then released for use in the cluster storage pool. +2. Ensure new storage is formatted as NTFS. -4. Open the Failover Cluster Manager snap-in or cluster PowerShell cmdlets to enable the disk to be clustered. +3. Encrypt the volume, add a recovery key and add the cluster administrator as a protector key using **`manage-bde.exe`** in a command prompt window. For example: + ```cmd + manage-bde.exe -on -used -RP -sid domain\CNO$ -sync + ``` - - Once the disk is clustered, it's enabled for CSV. + 1. BitLocker will check to see if the disk is already part of a cluster. If it is, administrators will encounter a hard block. Otherwise, the encryption continues. + 2. Using the -sync parameter is optional. However, using the -sync parameter has the advantage of ensuring the command waits until the encryption for the volume is completed. The volume is then released for use in the cluster storage pool. -5. During the resource online operation, cluster checks whether the disk is BitLocker encrypted. +4. Open the Failover Cluster Manager snap-in or cluster PowerShell cmdlets to enable the disk to be clustered. - 1. If the volume isn't BitLocker enabled, traditional cluster online operations occur. - 2. If the volume is BitLocker enabled, the following check occurs: + - Once the disk is clustered, it's enabled for CSV. +5. During the resource online operation, cluster checks whether the disk is BitLocker encrypted. - - If volume is **locked**, BitLocker impersonates the CNO and unlocks the volume using the CNO protector. If these actions by BitLocker fail, an event is logged. The logged event will state that the volume couldn't be unlocked and the online operation has failed. + 1. If the volume isn't BitLocker enabled, traditional cluster online operations occur. -6. Once the disk is online in the storage pool, it can be added to a CSV by right-clicking the disk resource and choosing "**Add to cluster shared volumes**". -CSVs include both encrypted and unencrypted volumes. To check the status of a particular volume for BitLocker encryption: administrators must do the following task: + 2. If the volume is BitLocker enabled, BitLocker checks if the volume is **locked**. If the volume is **locked**, BitLocker impersonates the CNO and unlocks the volume using the CNO protector. If these actions by BitLocker fail, an event is logged. The logged event will state that the volume couldn't be unlocked and the online operation has failed. -- Utilize the **manage-bde -status** command with a path to the volume. +6. Once the disk is online in the storage pool, it can be added to a CSV by right-clicking the disk resource, and choosing "**Add to cluster shared volumes**". - The path must be one that is inside the CSV namespace as seen in the example command line below. +CSVs include both encrypted and unencrypted volumes. To check the status of a particular volume for BitLocker encryption run the `manage-bde.exe -status` command as an administrator with a path to the volume. The path must be one that is inside the CSV namespace. For example: - -```powershell -manage-bde -status "C:\ClusterStorage\volume1" +```cmd +manage-bde.exe -status "C:\ClusterStorage\volume1" ``` ### Physical disk resources - -Unlike CSV2.0 volumes, physical disk resources can only be accessed by one cluster node at a time. This condition means that operations such as encrypting, decrypting, locking or unlocking volumes require a context to perform. For example, you can't unlock or decrypt a physical disk resource if you aren't administering the cluster node that owns the disk resource because the disk resource isn't available. +Unlike CSV2.0 volumes, physical disk resources can only be accessed by one cluster node at a time. This condition means that operations such as encrypting, decrypting, locking, or unlocking volumes require a context to perform. For example, a physical disk resource can't unlock or decrypt if it isn't administering the cluster node that owns the disk resource because the disk resource isn't available. ### Restrictions on BitLocker actions with cluster volumes @@ -177,31 +182,38 @@ The following table contains information about both physical disk resources (tha | Action | On owner node of failover volume | On Metadata Server (MDS) of CSV | On (Data Server) DS of CSV | Maintenance Mode | |--- |--- |--- |--- |--- | -|**Manage-bde –on**|Blocked|Blocked|Blocked|Allowed| -|**Manage-bde –off**|Blocked|Blocked|Blocked|Allowed| -|**Manage-bde Pause/Resume**|Blocked|Blocked**|Blocked|Allowed| -|**Manage-bde –lock**|Blocked|Blocked|Blocked|Allowed| -|**manage-bde –wipe**|Blocked|Blocked|Blocked|Allowed| +|**`Manage-bde.exe -on`**|Blocked|Blocked|Blocked|Allowed| +|**`Manage-bde.exe -off`**|Blocked|Blocked|Blocked|Allowed| +|**`Manage-bde.exe Pause/Resume`**|Blocked|Blocked**|Blocked|Allowed| +|**`Manage-bde.exe -lock`**|Blocked|Blocked|Blocked|Allowed| +|**`Manage-bde.exe -wipe`**|Blocked|Blocked|Blocked|Allowed| |**Unlock**|Automatic via cluster service|Automatic via cluster service|Automatic via cluster service|Allowed| -|**manage-bde –protector –add**|Allowed|Allowed|Blocked|Allowed| -|**manage-bde -protector -delete**|Allowed|Allowed|Blocked|Allowed| -|**manage-bde –autounlock**|Allowed (not recommended)|Allowed (not recommended)|Blocked|Allowed (not recommended)| -|**Manage-bde -upgrade**|Allowed|Allowed|Blocked|Allowed| +|**`Manage-bde.exe -protector -add`**|Allowed|Allowed|Blocked|Allowed| +|**`Manage-bde.exe -protector -delete`**|Allowed|Allowed|Blocked|Allowed| +|**`Manage-bde.exe -autounlock`**|Allowed (not recommended)|Allowed (not recommended)|Blocked|Allowed (not recommended)| +|**`Manage-bde.exe -upgrade`**|Allowed|Allowed|Blocked|Allowed| |**Shrink**|Allowed|Allowed|Blocked|Allowed| |**Extend**|Allowed|Allowed|Blocked|Allowed| > [!NOTE] -> Although the **manage-bde -pause** command is blocked in clusters, the cluster service automatically resumes a paused encryption or decryption from the MDS node. - +> Although the **`manage-bde.exe -pause`** command is blocked in clusters, the cluster service automatically resumes a paused encryption or decryption from the MDS node. + In the case where a physical disk resource experiences a failover event during conversion, the new owning node detects that the conversion isn't complete and completes the conversion process. ### Other considerations when using BitLocker on CSV2.0 Some other considerations to take into account for BitLocker on clustered storage include: -- BitLocker volumes have to be initialized and begin encryption before they're available to add to a CSV2.0 volume. -- If an administrator needs to decrypt a CSV volume, remove the volume from the cluster or put it into disk maintenance mode. You can add the CSV back to the cluster while waiting for decryption to complete. -- If an administrator needs to start encrypting a CSV volume, remove the volume from the cluster or put it into maintenance mode. -- If conversion is paused with encryption in progress and the CSV volume is offline from the cluster, the cluster thread (health check) automatically resumes conversion when the volume is online to the cluster. -- If conversion is paused with encryption in progress and a physical disk resource volume is offline from the cluster, the BitLocker driver automatically resumes conversion when the volume is online to the cluster. -- If conversion is paused with encryption in progress, while the CSV volume is in maintenance mode, the cluster thread (health check) automatically resumes conversion when moving the volume back from maintenance. -- If conversion is paused with encryption in progress, while the disk resource volume is in maintenance mode, the BitLocker driver automatically resumes conversion when the volume is moved back from maintenance mode. + +- BitLocker volumes have to be initialized and begin encryption before they're available to add to a CSV2.0 volume. + +- If an administrator needs to decrypt a CSV volume, remove the volume from the cluster or put it into disk maintenance mode. The CSV can be added back to the cluster while waiting for decryption to complete. + +- If an administrator needs to start encrypting a CSV volume, remove the volume from the cluster or put it into maintenance mode. + +- If conversion is paused with encryption in progress and the CSV volume is offline from the cluster, the cluster thread (health check) automatically resumes conversion when the volume is online to the cluster. + +- If conversion is paused with encryption in progress and a physical disk resource volume is offline from the cluster, the BitLocker driver automatically resumes conversion when the volume is online to the cluster. + +- If conversion is paused with encryption in progress, while the CSV volume is in maintenance mode, the cluster thread (health check) automatically resumes conversion when moving the volume back from maintenance. + +- If conversion is paused with encryption in progress, while the disk resource volume is in maintenance mode, the BitLocker driver automatically resumes conversion when the volume is moved back from maintenance mode. diff --git a/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md b/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md deleted file mode 100644 index c9c1de7322..0000000000 --- a/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md +++ /dev/null @@ -1,136 +0,0 @@ ---- -title: Guidelines for troubleshooting BitLocker -description: Describes approaches for investigating BitLocker issues, including how to gather diagnostic information -ms.reviewer: kaushika -ms.technology: itpro-security -ms.prod: windows-client -ms.localizationpriority: medium -author: Teresa-Motiv -ms.author: v-tappelgate -manager: kaushika -ms.collection: Windows Security Technologies\BitLocker -ms.topic: troubleshooting -ms.date: 10/17/2019 -ms.custom: bitlocker ---- - -# Guidelines for troubleshooting BitLocker - -This article addresses common issues in BitLocker and provides guidelines to troubleshoot these issues. This article also provides information such as what data to collect and what settings to check. This information makes your troubleshooting process much easier. - -## Review the event logs - -Open Event Viewer and review the following logs under Applications and Services logs\\Microsoft\\Windows: - -- **BitLocker-API**. Review the management log, the operational log, and any other logs that are generated in this folder. The default logs have the following unique names: - - Microsoft-Windows-BitLocker-API/BitLocker Operational - - Microsoft-Windows-BitLocker-API/BitLocker Management - -- **BitLocker-DrivePreparationTool**. Review the admin log, the operational log, and any other logs that are generated in this folder. The default logs have the following unique names: - - Microsoft-Windows-BitLocker-DrivePreparationTool/Operational - - Microsoft-Windows-BitLocker-DrivePreparationTool/Admin - -Additionally, review the Windows logs\\System log for events that were produced by the TPM and TPM-WMI event sources. - -To filter and display or export logs, you can use the [wevtutil.exe](/windows-server/administration/windows-commands/wevtutil) command-line tool or the [Get-WinEvent](/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-6&preserve-view=true) cmdlet. - - -For example, to use wevtutil to export the contents of the operational log from the BitLocker-API folder to a text file that is named BitLockerAPIOpsLog.txt, open a Command Prompt window, and run the following command: - -```cmd -wevtutil qe "Microsoft-Windows-BitLocker/BitLocker Operational" /f:text > BitLockerAPIOpsLog.txt -``` - -To use the **Get-WinEvent** cmdlet to export the same log to a comma-separated text file, open a Windows Powershell window and run the following command: - -```ps -Get-WinEvent -logname "Microsoft-Windows-BitLocker/BitLocker Operational"  | Export-Csv -Path Bitlocker-Operational.csv -``` - -You can use Get-WinEvent in an elevated PowerShell window to display filtered information from the system or application log by using the following syntax: - -- To display BitLocker-related information: - ```ps - Get-WinEvent -FilterHashtable @{LogName='System'} | Where-Object -Property Message -Match 'BitLocker' | fl - ``` - - The output of such a command resembles the following. - - ![Display of events that is produced by using Get-WinEvent and a BitLocker filter.](./images/psget-winevent-1.png) - -- To export BitLocker-related information: - ```ps - Get-WinEvent -FilterHashtable @{LogName='System'} | Where-Object -Property Message -Match 'BitLocker' | Export-Csv -Path System-BitLocker.csv - ``` - -- To display TPM-related information: - ```ps - Get-WinEvent -FilterHashtable @{LogName='System'} | Where-Object -Property Message -Match 'TPM' | fl - ``` - -- To export TPM-related information: - ```ps - Get-WinEvent -FilterHashtable @{LogName='System'} | Where-Object -Property Message -Match 'TPM' | Export-Csv -Path System-TPM.csv - ``` - - The output of such a command resembles the following. - - ![Display of events that is produced by using Get-WinEvent and a TPM filter.](./images/psget-winevent-2.png) - -> [!NOTE] -> If you intend to contact Microsoft Support, we recommend that you export the logs listed in this section. - -## Gather status information from the BitLocker technologies - -Open an elevated Windows PowerShell window, and run each of the following commands. - -|Command |Notes | -| --- | --- | -|[**get-tpm \> C:\\TPM.txt**](/powershell/module/trustedplatformmodule/get-tpm?view=win10-ps&preserve-view=true) |Exports information about the local computer's Trusted Platform Module (TPM). This cmdlet shows different values depending on whether the TPM chip is version 1.2 or 2.0. This cmdlet is not supported in Windows 7. | -|[**manage-bde –status \> C:\\BDEStatus.txt**](/windows-server/administration/windows-commands/manage-bde-status) |Exports information about the general encryption status of all drives on the computer. | -|[**manage-bde c:
                              -protectors -get \> C:\\Protectors**](/windows-server/administration/windows-commands/manage-bde-protectors) |Exports information about the protection methods that are used for the BitLocker encryption key. | -|[**reagentc /info \> C:\\reagent.txt**](/windows-hardware/manufacture/desktop/reagentc-command-line-options) |Exports information about an online or offline image about the current status of the Windows Recovery Environment (WindowsRE) and any available recovery image. | -|[**get-BitLockerVolume \| fl**](/powershell/module/bitlocker/get-bitlockervolume?view=win10-ps&preserve-view=true) |Gets information about volumes that BitLocker Drive Encryption can protect. | - -## Review the configuration information - -1. Open an elevated Command Prompt window, and run the following commands. - - |Command |Notes | - | --- | --- | - |[**gpresult /h \**](/windows-server/administration/windows-commands/gpresult) |Exports the Resultant Set of Policy information, and saves the information as an HTML file. | - |[**msinfo /report \ /computer \**](/windows-server/administration/windows-commands/msinfo32) |Exports comprehensive information about the hardware, system components, and software environment on the local computer. The **/report** option saves the information as a .txt file. | - -1. Open Registry Editor, and export the entries in the following subkeys: - - - **HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE** - - **HKLM\\SYSTEM\\CurrentControlSet\\Services\\TPM\\** - -## Check the BitLocker prerequisites - -Common settings that can cause issues for BitLocker include the following scenarios: - -- The TPM must be unlocked. You can check the output of the **get-tpm** command for the status of the TPM. -- Windows RE must be enabled. You can check the output of the **reagentc** command for the status of WindowsRE. -- The system-reserved partition must use the correct format. - - On Unified Extensible Firmware Interface (UEFI) computers, the system-reserved partition must be formatted as FAT32. - - On legacy computers, the system-reserved partition must be formatted as NTFS. -- If the device that you are troubleshooting is a slate or tablet PC, use to verify the status of the **Enable use of BitLocker authentication requiring preboot keyboard input on slates** option. - -For more information about the BitLocker prerequisites, see [BitLocker basic deployment: Using BitLocker to encrypt volumes](./bitlocker-basic-deployment.md#using-bitlocker-to-encrypt-volumes) - -## Next steps - -If the information that you have examined so far indicates a specific issue (for example, WindowsRE is not enabled), the issue may have a straightforward fix. - -Resolving issues that do not have obvious causes depends on exactly which components are involved and what behavior you see. The information that you have gathered helps you narrow down the areas to investigate. - -- If you are working on a device that is managed by Microsoft Intune, see [Enforcing BitLocker policies by using Intune: known issues](ts-bitlocker-intune-issues.md). -- If BitLocker does not start or cannot encrypt a drive and you notice errors or events that are related to the TPM, see [BitLocker cannot encrypt a drive: known TPM issues](ts-bitlocker-cannot-encrypt-tpm-issues.md). -- If BitLocker does not start or cannot encrypt a drive, see [BitLocker cannot encrypt a drive: known issues](ts-bitlocker-cannot-encrypt-issues.md). -- If BitLocker Network Unlock does not behave as expected, see [BitLocker Network Unlock: known issues](ts-bitlocker-network-unlock-issues.md). -- If BitLocker does not behave as expected when you recover an encrypted drive, or if you did not expect BitLocker to recover the drive, see [BitLocker recovery: known issues](ts-bitlocker-recovery-issues.md). -- If BitLocker or the encrypted drive does not behave as expected, and you notice errors or events that are related to the TPM, see [BitLocker and TPM: other known issues](ts-bitlocker-tpm-issues.md). -- If BitLocker or the encrypted drive does not behave as expected, see [BitLocker configuration: known issues](ts-bitlocker-config-issues.md). - -We recommend that you keep the information that you have gathered handy in case you decide to contact Microsoft Support for help to resolve your issue. diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md deleted file mode 100644 index 9929bc59ea..0000000000 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md +++ /dev/null @@ -1,107 +0,0 @@ ---- -title: BitLocker cannot encrypt a drive known issues -description: Provides guidance for troubleshooting known issues that may prevent BitLocker Drive Encryption from encrypting a drive -ms.reviewer: kaushika -ms.technology: itpro-security -ms.prod: windows-client -ms.localizationpriority: medium -author: Teresa-Motiv -ms.author: v-tappelgate -manager: kaushika -ms.collection: Windows Security Technologies\BitLocker -ms.topic: troubleshooting -ms.date: 10/17/2019 -ms.custom: bitlocker ---- - -# BitLocker cannot encrypt a drive: known issues - -This article describes common issues that prevent BitLocker from encrypting a drive. This article also provides guidance to address these issues. - -> [!NOTE] -> If you have determined that your BitLocker issue involves the trusted platform module (TPM), see [BitLocker cannot encrypt a drive: known TPM issues](ts-bitlocker-cannot-encrypt-tpm-issues.md). - -## Error 0x80310059: BitLocker drive encryption is already performing an operation on this drive - -When you turn on BitLocker Drive Encryption on a computer that is running Windows 10 Professional or Windows 11, you receive a message that resembles the following: - -> **ERROR:** An error occurred (code 0x80310059):BitLocker Drive Encryption is already performing an operation on this drive. Please complete all operations before continuing.NOTE: If the -on switch has failed to add key protectors or start encryption,you may need to call manage-bde -off before attempting -on again. - -### Cause - -This issue may be caused by settings that are controlled by group policy objects (GPOs). - -### Resolution - -> [!IMPORTANT] -> Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, [back up the registry for restoration](https://support.microsoft.com/help/322756) in case problems occur. - -To resolve this issue, follow these steps: - -1. Start Registry Editor, and navigate to the following subkey: - - **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE** - -1. Delete the following entries: - - **OSPlatformValidation\_BIOS** - - **OSPlatformValidation\_UEFI** - - **PlatformValidation** - -1. Exit registry editor, and turn on BitLocker drive encryption again. - -## "Access is denied" message when you try to encrypt removable drives - -You have a computer that is running Windows 10, version 1709 or version 1607, or Windows 11. You try to encrypt a USB drive by following these steps: - -1. In Windows Explorer, right-click the USB drive and select **Turn on BitLocker**. - -1. On the **Choose how you want to unlock this drive** page, select **Use a password to unlock the drive**. - -1. Follow the instructions on the page to enter your password. - -1. On the **Are you ready to encrypt this drive?** page, select **Start encrypting**. - -1. The **Starting encryption** page displays the message "Access is denied." - -You receive this message on any computer that runs Windows 10 version 1709 or version 1607, or Windows 11, when you use any USB drive. - -### Cause - -The security descriptor of the BitLocker drive encryption service (BDESvc) has an incorrect entry. Instead of NT AUTHORITY\Authenticated Users, the security descriptor uses NT AUTHORITY\INTERACTIVE. - -To verify that this issue has occurred, follow these steps: - -1. On an affected computer, open an elevated Command Prompt window and an elevated PowerShell window. - -1. At the command prompt, enter the following command: - - ```console - C:\>sc sdshow bdesvc - ``` - - The output of this command resembles the following: - - > `D:(A;;CCDCLCSWRPWPDTLORCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLORCWDWO;;;BA)(A;;CCLCSWRPLORC;;;BU)(A;;CCLCSWRPLORC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOSDRCWDWO;;;WD)` - -1. Copy this output, and use it as part of the [**ConvertFrom-SddlString**](/powershell/module/microsoft.powershell.utility/convertfrom-sddlstring) command in the PowerShell window, as follows. - - ![Output of the ConvertFrom-SddlString command, showing NT AUTHORITY\\INTERACTIVE.](./images/ts-bitlocker-usb-sddl.png) - - If you see NT AUTHORITY\INTERACTIVE (as highlighted) in the output of this command, this is the cause of the issue. Under typical conditions, the output should resemble the following: - - ![Output of the ConvertFrom-SddlString command, showing NT AUTHORITY\\Authenticated Users.](./images/ts-bitlocker-usb-default-sddl.png) - -> [!NOTE] -> GPOs that change the security descriptors of services have been known to cause this issue. - -### Resolution - -1. To repair the security descriptor of BDESvc, open an elevated PowerShell window and enter the following command: - - ```powershell - sc sdset bdesvc D:(A;;CCDCLCSWRPWPDTLORCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLORCWDWO;;;BA)(A;;CCLCSWRPLORC;;;BU)(A;;CCLCSWRPLORC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOSDRCWDWO;;;WD) - ``` - -1. Restart the computer. - -The issue should now be resolved. \ No newline at end of file diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md deleted file mode 100644 index faea2fc7bb..0000000000 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md +++ /dev/null @@ -1,129 +0,0 @@ ---- -title: BitLocker cannot encrypt a drive known TPM issues -description: Provides guidance for troubleshooting known issues that may prevent BitLocker Drive Encryption from encrypting a drive, and that you can attribute to the TPM -ms.reviewer: kaushika -ms.technology: itpro-security -ms.prod: windows-client -ms.localizationpriority: medium -author: Teresa-Motiv -ms.author: v-tappelgate -manager: kaushika -ms.collection: Windows Security Technologies\BitLocker -ms.topic: troubleshooting -ms.date: 10/18/2019 -ms.custom: bitlocker ---- - -# BitLocker cannot encrypt a drive: known TPM issues - -This article describes common issues that affect the Trusted Platform Module (TPM) that might prevent BitLocker from encrypting a drive. This article also provides guidance to address these issues. - -> [!NOTE] -> If you have determined that your BitLocker issue does not involve the TPM, see [BitLocker cannot encrypt a drive: known issues](ts-bitlocker-cannot-encrypt-issues.md). - -## The TPM is locked and you see "The TPM is defending against dictionary attacks and is in a time-out period" - -When you turn on BitLocker drive encryption, it does not start. Instead, you receive a message that resembles "The TPM is defending against dictionary attacks and is in a time-out period." - -### Cause - -The TPM is locked out. - -### Resolution - -To resolve this issue, follow these steps: - -1. Open an elevated PowerShell window and run the following script: - - ```powershell - $Tpm = Get-WmiObject -class Win32_Tpm -namespace "root\CIMv2\Security\MicrosoftTpm" - $ConfirmationStatus = $Tpm.GetPhysicalPresenceConfirmationStatus(22).ConfirmationStatus - if($ConfirmationStatus -ne 4) {$Tpm.SetPhysicalPresenceRequest(22)} - ``` -2. Restart the computer. If you are prompted at the restart screen, press F12 to agree.8 -3. Retry starting BitLocker drive encryption. - -## You cannot prepare the TPM, and you see "The TPM is defending against dictionary attacks and is in a time-out period" - -You cannot turn on BitLocker drive encryption on a device. You use the TPM management console (tpm.msc) to prepare the TPM on a device. The operation fails and you receive a message that resembles "The TPM is defending against dictionary attacks and is in a time-out period." - -### Cause - -The TPM is locked out. - -### Resolution - -To resolve this issue, disable and re-enable the TPM. To do this, follow these steps: - -1. Restart the device, and change the BIOS configuration to disable the TPM. -2. Restart the device again, and return to the TPM management console. Following message is displayed: - > Compatible Trusted Platform Module (TPM) cannot be found on this computer. Verify that this computer has 1.2 TPM and it is turned on in the BIOS. - -3. Restart the device, and change the BIOS configuration to enable the TPM. -4. Restart the device, and return to the TPM management console. - -If you still cannot prepare the TPM, clear the existing TPM keys. To do this, follow the instructions in [Troubleshoot the TPM: Clear all the keys from the TPM](../tpm/initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm). - -> [!WARNING] -> Clearing the TPM can cause data loss. - -## Access Denied: Failed to backup TPM Owner Authorization information to Active Directory Domain Services. Errorcode: 0x80070005 - -You have an environment that enforces the **Do not enable BitLocker until recovery information is stored in AD DS** policy. You try to turn on BitLocker drive encryption on a computer that runs Windows 7, but the operation fails. You receive a message that resembles "Access Denied" or "Insufficient Rights." - -### Cause - -The TPM did not have sufficient permissions on the TPM devices container in Active Directory Domain Services (AD DS). Therefore, the BitLocker recovery information could not be backed up to AD DS, and BitLocker drive encryption could not run. - -This issue appears to be limited to computers that run versions of Windows that are earlier than Windows 10. - -### Resolution - -To verify that you have correctly identified this issue, use one of the following methods: - -- Disable the policy or remove the computer from the domain. Then try to turn on BitLocker drive encryption again. The operation should now succeed. -- Use LDAP and network trace tools to examine the LDAP exchanges between the client and the AD DS domain controller to identify the cause of the "Access Denied" or "Insufficient Rights" error. In this case, you should see the error when the client tries to access its object in the "CN=TPM Devices,DC=\<*domain*>,DC=com" container. - -1. To review the TPM information for the affected computer, open an elevated Windows PowerShell window and run the following command: - - ```powershell - Get-ADComputer -Filter {Name -like "ComputerName"} -Property * | Format-Table name,msTPM-TPMInformationForComputer - ``` - - In this command, *ComputerName* is the name of the affected computer. - -1. To resolve the issue, use a tool such as dsacls.exe to ensure that the access control list of msTPM-TPMInformationForComputer grants both Read and Write permissions to NTAUTHORITY/SELF. - -## Cannot prepare the TPM, error 0x80072030: "There is no such object on the server" - -Your domain controllers were upgraded from Windows Server 2008 R2 to Windows Server 2012 R2. A group policy object (GPO) enforces the **Do not enable BitLocker until recovery information is stored in AD DS** policy. - -You cannot turn on BitLocker drive encryption on a device. You use the TPM management console (tpm.msc) to prepare the TPM on a device. The operation fails and you see a message that resembles the following: - -> 0x80072030 There is no such object on the server when a policy to back up TPM information to active directory is enabled - -You have confirmed that the **ms-TPM-OwnerInformation** and **msTPM-TpmInformationForComputer** attributes are present. - -### Cause - -The domain and forest functional level of the environment may still be set to Windows 2008 R2. Additionally, the permissions in AD DS might not be correctly set. - -### Resolution - -To resolve this issue, follow these steps: - -1. Upgrade the functional level of the domain and forest to Windows Server 2012 R2. -2. Download [Add-TPMSelfWriteACE.vbs](/samples/browse/?redirectedfrom=TechNet-Gallery). -3. In the script, modify the value of **strPathToDomain** to your domain name. -4. Open an elevated PowerShell window, and run the following command: - - ```powershell - cscript Add-TPMSelfWriteACE.vbs - ``` - - In this command \<*Path*> is the path to the script file. - -For more information, see the following articles: - -- [Back up the TPM recovery information to AD DS](../tpm/backup-tpm-recovery-information-to-ad-ds.md) -- [Prepare your organization for BitLocker: Planning and policies](./prepare-your-organization-for-bitlocker-planning-and-policies.md) \ No newline at end of file diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md deleted file mode 100644 index 61e63f2090..0000000000 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md +++ /dev/null @@ -1,181 +0,0 @@ ---- -title: BitLocker configuration known issues -description: Describes common issues that involve your BitLocker configuration and BitLocker's general functionality, and provides guidance for addressing those issues. -ms.reviewer: kaushika -ms.technology: itpro-security -ms.prod: windows-client -ms.localizationpriority: medium -author: Teresa-Motiv -ms.author: v-tappelgate -manager: kaushika -ms.collection: Windows Security Technologies\BitLocker -ms.topic: troubleshooting -ms.date: 10/17/2019 -ms.custom: bitlocker ---- - -# BitLocker configuration: known issues - -This article describes common issues that affect your BitLocker's configuration and general functionality. This article also provides guidance to address these issues. - -## BitLocker encryption is slower in Windows 10 and Windows 11 - -In both Windows 11, Windows 10, and Windows 7, BitLocker runs in the background to encrypt drives. However, in Windows 11 and Windows 10, BitLocker is less aggressive about requesting resources. This behavior reduces the chance that BitLocker will affect the computer's performance. - -To compensate for these changes, BitLocker uses a new conversion model. This model, (referred to as Encrypt-On-Write), makes sure that any new disk writes on all client SKUs and that any internal drives are always encrypted *as soon as you turn on BitLocker*. - -> [!IMPORTANT] -> To preserve backward compatibility, BitLocker uses the previous conversion model to encrypt removable drives. - -### Benefits of using the new conversion model - -By using the previous conversion model, you cannot consider an internal drive to be protected (and compliant with data protection standards) until the BitLocker conversion is 100 percent complete. Before the process finishes, the data that existed on the drive before encryption began—that is, potentially compromised data—can still be read and written without encryption. Therefore, you must wait for the encryption process to finish before you store sensitive data on the drive. Depending on the size of the drive, this delay can be substantial. - -By using the new conversion model, you can safely store sensitive data on the drive as soon as you turn on BitLocker. You don't have to wait for the encryption process to finish, and encryption does not adversely affect performance. The tradeoff is that the encryption process for pre-existing data takes more time. - -### Other BitLocker enhancements - -After Windows 7 was released, several other areas of BitLocker were improved: - -- **New encryption algorithm, XTS-AES**. The new algorithm provides additional protection from a class of attacks on encrypted data that rely on manipulating cipher text to cause predictable changes in plain text. - - By default, this algorithm complies with the Federal Information Processing Standards (FIPS). FIPS is a United States Government standard that provides a benchmark for implementing cryptographic software. - -- **Improved administration features**. You can manage BitLocker on PCs or other devices by using the following interfaces: - - BitLocker Wizard - - manage-bde - - Group Policy Objects (GPOs) - - Mobile Device Management (MDM) policy - - Windows PowerShell - - Windows Management Interface (WMI) - -- **Integration with Azure Active Directory** (Azure AD). BitLocker can store recovery information in Azure AD to make it easier to recover. - -- **[Direct memory access (DMA) Port Protection](../kernel-dma-protection-for-thunderbolt.md)**. By using MDM policies to manage BitLocker, you can block a device's DMA ports and secure the device during its startup. - -- **[BitLocker Network Unlock](./bitlocker-how-to-enable-network-unlock.md)**. If your BitLocker-enabled desktop or server computer is connected to a wired corporate network in a domain environment, you can automatically unlock its operating system volume during a system restart. - -- **Support for [Encrypted Hard Drives](../encrypted-hard-drive.md)**. Encrypted Hard Drives are a new class of hard drives that are self-encrypting at a hardware level and allow for full disk hardware encryption. By taking on that workload, Encrypted Hard Drives increase BitLocker performance and reduce CPU usage and power consumption. - -- **Support for classes of HDD/SSD hybrid disks**. BitLocker can encrypt a disk that uses a small SSD as a non-volatile cache in front of the HDD, such as Intel Rapid Storage Technology. - -## Hyper-V Gen 2 VM: Cannot access the volume after BitLocker encryption - -Consider the following scenario: - -1. You turn on BitLocker on a generation-2 virtual machine (VM) that runs on Hyper-V. -1. You add data to the data disk as it encrypts. -1. You restart the VM, and observe the following: - - The system volume is not encrypted. - - The encrypted volume is not accessible, and the computer lists the volume's file system as "Unknown." - - You see a message that resembles: "You need to format the disk in \<*x:*> drive before you can use it" - -### Cause - -This issue occurs because the third-party filter driver Stcvsm.sys (from StorageCraft) is installed on the VM. - -### Resolution - -To resolve this issue, remove the third-party software. - -## Production snapshots fail for virtualized domain controllers that use BitLocker-encrypted disks - -You have a Windows Server 2019 or 2016 Hyper-V Server that is hosting VMs (guests) that are configured as Windows domain controllers. BitLocker has encrypted the disks that store the Active Directory database and log files. When you run a “production snapshot” of the domain controller guests, the Volume Snap-Shot (VSS) service does not correctly process the backup. - -This issue occurs regardless of any of the following variations in the environment: - -- How the domain controller volumes are unlocked. -- Whether the VMs are generation 1 or generation 2. -- Whether the guest operating system is Windows Server 2019, 2016 or 2012 R2. - -In the domain controller application log, the VSS event source records event ID 8229: - -> ID: 8229 -> Level: Warning -> ‎Source: VSS -> Message: A VSS writer has rejected an event with error 0x800423f4. The writer experienced a non-transient error. If the backup process is retried, the error is likely to reoccur. -> -> Changes that the writer made to the writer components while handling the event will not be available to the requester. -> -> Check the event log for related events from the application hosting the VSS writer. -> -> Operation: -> PostSnapshot Event -> -> Context: -> Execution Context: Writer -> Writer Class Id: {b2014c9e-8711-4c5c-a5a9-3cf384484757} -> Writer Name: NTDS -> Writer Instance ID: {d170b355-a523-47ba-a5c8-732244f70e75} -> Command Line: C:\\Windows\\system32\\lsass.exe -> -> Process ID: 680 - -In the domain controller Directory Services event log, you see an event that resembles the following: - -> Error Microsoft-Windows-ActiveDirectory\_DomainService 1168 -> Internal Processing Internal error: An Active Directory Domain Services error has occurred. -> ->‎  Additional Data -> ‎  Error value (decimal): -1022 -> -> Error value (hex): fffffc02 -> -> Internal ID: 160207d9 - -> [!NOTE] -> The internal ID of this event may differ based on your operating system release and path level. - -After this issue occurs, if you run the **VSSADMIN list writers** command, you see output that resembles the following for the Active Directory Domain Services (NTDS) VSS Writer: - -> Writer name: 'NTDS' ->   Writer Id: {b2014c9e-8711-4c5c-a5a9-3cf384484757} ->   Writer Instance Id: {08321e53-4032-44dc-9b03-7a1a15ad3eb8} ->   State: \[11\] Failed ->   Last error: Non-retryable error - -Additionally, you cannot back up the VMs until you restart them. - -### Cause - -After VSS creates a snapshot of a volume, the VSS writer takes "post snapshot" actions. In the case of a "production snapshot," which you initiate from the host server, Hyper-V tries to mount the snapshotted volume. However, it cannot unlock the volume for unencrypted access. BitLocker on the Hyper-V server does not recognize the volume. Therefore, the access attempt fails and then the snapshot operation fails. - -This behavior is by design. - -### Workaround - -There is one supported way to perform backup and restore of a virtualized domain controller: - -- Run Windows Server Backup in the guest operating system. - -If you have to take a production snapshot of a virtualized domain controller, you can suspend BitLocker in the guest operating system before you start the production snapshot. However, this approach is not recommended. - -For more information and recommendations about backing up virtualized domain controllers, see [Virtualizing Domain Controllers using Hyper-V: Backup and Restore Considerations for Virtualized Domain Controllers](/windows-server/identity/ad-ds/get-started/virtual-dc/virtualized-domain-controllers-hyper-v#backup-and-restore-considerations-for-virtualized-domain-controllers) - -### More information - -When the VSS NTDS writer requests access to the encrypted drive, the Local Security Authority Subsystem Service (LSASS) generates an error entry that resembles the following: - -```console -\# for hex 0xc0210000 / decimal -1071579136 -‎ STATUS\_FVE\_LOCKED\_VOLUME ntstatus.h -‎ \# This volume is locked by BitLocker Drive Encryption. -``` - -The operation produces the following call stack: - -```console -\# Child-SP RetAddr Call Site -‎ 00 00000086\`b357a800 00007ffc\`ea6e7a4c KERNELBASE\!FindFirstFileExW+0x1ba \[d:\\rs1\\minkernel\\kernelbase\\filefind.c @ 872\] -‎ 01 00000086\`b357abd0 00007ffc\`e824accb KERNELBASE\!FindFirstFileW+0x1c \[d:\\rs1\\minkernel\\kernelbase\\filefind.c @ 208\] -‎ 02 00000086\`b357ac10 00007ffc\`e824afa1 ESENT\!COSFileFind::ErrInit+0x10b \[d:\\rs1\\onecore\\ds\\esent\\src\\os\\osfs.cxx @ 2476\] -‎ 03 00000086\`b357b700 00007ffc\`e827bf02 ESENT\!COSFileSystem::ErrFileFind+0xa1 \[d:\\rs1\\onecore\\ds\\esent\\src\\os\\osfs.cxx @ 1443\] -‎ 04 00000086\`b357b960 00007ffc\`e82882a9 ESENT\!JetGetDatabaseFileInfoEx+0xa2 \[d:\\rs1\\onecore\\ds\\esent\\src\\ese\\jetapi.cxx @ 11503\] -‎ 05 00000086\`b357c260 00007ffc\`e8288166 ESENT\!JetGetDatabaseFileInfoExA+0x59 \[d:\\rs1\\onecore\\ds\\esent\\src\\ese\\jetapi.cxx @ 11759\] -‎ 06 00000086\`b357c390 00007ffc\`e84c64fb ESENT\!JetGetDatabaseFileInfoA+0x46 \[d:\\rs1\\onecore\\ds\\esent\\src\\ese\\jetapi.cxx @ 12076\] -‎ 07 00000086\`b357c3f0 00007ffc\`e84c5f23 ntdsbsrv\!CVssJetWriterLocal::RecoverJetDB+0x12f \[d:\\rs1\\ds\\ds\\src\\jetback\\snapshot.cxx @ 2009\] -‎ 08 00000086\`b357c710 00007ffc\`e80339e0 ntdsbsrv\!CVssJetWriterLocal::OnPostSnapshot+0x293 \[d:\\rs1\\ds\\ds\\src\\jetback\\snapshot.cxx @ 2190\] -‎ 09 00000086\`b357cad0 00007ffc\`e801fe6d VSSAPI\!CVssIJetWriter::OnPostSnapshot+0x300 \[d:\\rs1\\base\\stor\\vss\\modules\\jetwriter\\ijetwriter.cpp @ 1704\] -‎ 0a 00000086\`b357ccc0 00007ffc\`e8022193 VSSAPI\!CVssWriterImpl::OnPostSnapshotGuard+0x1d \[d:\\rs1\\base\\stor\\vss\\modules\\vswriter\\vswrtimp.cpp @ 5228\] -‎ 0b 00000086\`b357ccf0 00007ffc\`e80214f0 VSSAPI\!CVssWriterImpl::PostSnapshotInternal+0xc3b \[d:\\rs1\\base\\stor\\vss\\modules\\vswriter\\vswrtimp.cpp @ 3552\] -``` \ No newline at end of file diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md deleted file mode 100644 index c026262ec6..0000000000 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md +++ /dev/null @@ -1,119 +0,0 @@ ---- -title: Decode Measured Boot logs to track PCR changes -description: Provides instructions for installing and using a tool for analyzing log information to identify changes to PCRs -ms.reviewer: kaushika -ms.technology: itpro-security -ms.prod: windows-client -ms.localizationpriority: medium -author: Teresa-Motiv -ms.author: v-tappelgate -manager: kaushika -ms.collection: Windows Security Technologies\BitLocker -ms.topic: troubleshooting -ms.date: 10/17/2019 -ms.custom: bitlocker ---- - -# Decode Measured Boot logs to track PCR changes - -Platform Configuration Registers (PCRs) are memory locations in the Trusted Platform Module (TPM). BitLocker and its related technologies depend on specific PCR configurations. Additionally, specific change in PCRs can cause a device or computer to enter BitLocker recovery mode. - -By tracking changes in the PCRs, and identifying when they changed, you can gain insight into issues that occur or learn why a device or computer entered BitLocker recovery mode. The Measured Boot logs record PCR changes and other information. These logs are located in the C:\\Windows\\Logs\\MeasuredBoot\\ folder. - -This article describes tools that you can use to decode these logs: TBSLogGenerator and PCPTool. - -For more information about Measured Boot and PCRs, see the following articles: - -- [TPM fundamentals: Measured Boot with support for attestation](../tpm/tpm-fundamentals.md#measured-boot-with-support-for-attestation) -- [Understanding PCR banks on TPM 2.0 devices](../tpm/switch-pcr-banks-on-tpm-2-0-devices.md) - -## Use TBSLogGenerator to decode Measured Boot logs - -Use TBSLogGenerator to decode Measured Boot logs that you have collected from Windows 11, Windows 10, and earlier versions. You can install this tool on the following systems: - -- A computer that is running Windows Server 2016 and that has a TPM enabled -- A Gen 2 virtual machine (running on Hyper-V) that is running Windows Server 2016 (you can use the virtual TPM) - -To install the tool, follow these steps: - -1. Download the Windows Hardware Lab Kit from one of the following locations: - - - [Windows Hardware Lab Kit](/windows-hardware/test/hlk/) - - Direct download link for Windows Server 2016: [Windows HLK, version 1607](https://go.microsoft.com/fwlink/p/?LinkID=404112) - -1. Accept the default installation path. - - ![Specify Location page of the Windows Hardware Lab Kit installation wizard.](./images/ts-tpm-1.png) - -1. Under **Select the features you want to install**, select **Windows Hardware Lab Kit—Controller + Studio**. - - ![Select features page of the Windows Hardware Lab Kit installation wizard.](./images/ts-tpm-2.png) - -1. Finish the installation. - -To use TBSLogGenerator, follow these steps: - -1. After the installation finishes, open an elevated Command Prompt window and navigate to the following folder: - - **C:\\Program Files (x86)\\Windows Kits\\10\\Hardware Lab Kit\\Tests\\amd64\\NTTEST\\BASETEST\\ngscb** - - This folder contains the TBSLogGenerator.exe file. - - ![Properties and location of the TBSLogGenerator.exe file.](./images/ts-tpm-3.png) - -1. Run the following command: - - ```console - TBSLogGenerator.exe -LF \.log > \.txt - ``` - - where the variables represent the following values: - - \<*LogFolderName*> = the name of the folder that contains the file to be decoded - - \<*LogFileName*> = the name of the file to be decoded - - \<*DestinationFolderName*> = the name of the folder for the decoded text file - - \<*DecodedFileName*> = the name of the decoded text file - - For example, the following figure shows Measured Boot logs that were collected from a Windows 10 computer and put into the C:\\MeasuredBoot\\ folder. The figure also shows a Command Prompt window and the command to decode the **0000000005-0000000000.log** file: - - ```console - TBSLogGenerator.exe -LF C:\MeasuredBoot\0000000005-0000000000.log > C:\MeasuredBoot\0000000005-0000000000.txt - ``` - - ![Command Prompt window that shows an example of how to use TBSLogGenerator.](./images/ts-tpm-4.png) - - The command produces a text file that uses the specified name. In the case of the example, the file is **0000000005-0000000000.txt**. The file is located in the same folder as the original .log file. - - ![Windows Explorer window that shows the text file that TBSLogGenerator produces.](./images/ts-tpm-5.png) - - The content of this text file resembles the following. - - ![Contents of the text file, as shown in NotePad.](./images/ts-tpm-6.png) - - To find the PCR information, go to the end of the file. - - ![View of NotePad that shows the PCR information at the end of the text file.](./images/ts-tpm-7.png) - -## Use PCPTool to decode Measured Boot logs - -> [!NOTE] -> PCPTool is a Visual Studio solution, but you need to build the executable before you can start using this tool. - -PCPTool is part of the [TPM Platform Crypto-Provider Toolkit](https://www.microsoft.com/download/details.aspx?id=52487). The tool decodes a Measured Boot log file and converts it into an XML file. - -To download and install PCPTool, go to the Toolkit page, select **Download**, and follow the instructions. - -To decode a log, run the following command: - -```console -PCPTool.exe decodelog \.log > \.xml -``` - -where the variables represent the following values: -- \<*LogFolderPath*> = the path to the folder that contains the file to be decoded -- \<*LogFileName*> = the name of the file to be decoded -- \<*DestinationFolderName*> = the name of the folder for the decoded text file -- \<*DecodedFileName*> = the name of the decoded text file - -The content of the XML file resembles the following. - -:::image type="content" alt-text="Command Prompt window that shows an example of how to use PCPTool." source="./images/pcptool-output.jpg" lightbox="./images/pcptool-output.jpg"::: diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md deleted file mode 100644 index 1ba88008b1..0000000000 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md +++ /dev/null @@ -1,357 +0,0 @@ ---- -title: Enforcing BitLocker policies by using Intune known issues -description: provides assistance for issues that you may see if you use Microsoft Intune policy to manage silent BitLocker encryption on devices. -ms.reviewer: kaushika -ms.technology: itpro-security -ms.prod: windows-client -ms.localizationpriority: medium -author: Teresa-Motiv -ms.author: v-tappelgate -manager: kaushika -ms.collection: - - Windows Security Technologies\BitLocker -ms.topic: troubleshooting -ms.date: 10/18/2019 -ms.custom: bitlocker ---- - -# Enforcing BitLocker policies by using Intune: known issues - -This article helps you troubleshoot issues that you may experience if you use Microsoft Intune policy to manage silent BitLocker encryption on devices. The Intune portal indicates whether BitLocker has failed to encrypt one or more managed devices. - -:::image type="content" alt-text="The BitLocker status indictors on the Intune portal." source="./images/4509189-en-1.png" lightbox="./images/4509189-en-1.png"::: - -To start narrowing down the cause of the problem, review the event logs as described in [Troubleshoot BitLocker](troubleshoot-bitlocker.md). Concentrate on the Management and Operations logs in the **Applications and Services logs\\Microsoft\\Windows\\BitLocker-API** folder. The following sections provide more information about how to resolve the indicated events and error messages: - -- [Event ID 853: Error: A compatible Trusted Platform Module (TPM) Security Device cannot be found on this computer](#issue-1) -- [Event ID 853: Error: BitLocker Drive Encryption detected bootable media (CD or DVD) in the computer](#issue-2) -- [Event ID 854: WinRE is not configured](#issue-3) -- [Event ID 851: Contact manufacturer for BIOS upgrade](#issue-4) -- [Error message: The UEFI variable 'SecureBoot' could not be read](#issue-6) -- [Event ID 846, 778, and 851: Error 0x80072f9a](#issue-7) -- [Error message: Conflicting Group Policy settings for recovery options on operating system drives](#issue-5) - -If you do not have a clear trail of events or error messages to follow, other areas to investigate include the following: - -- [Review the hardware requirements for using Intune to manage BitLocker on devices](/windows-hardware/design/device-experiences/oem-bitlocker#bitlocker-automatic-device-encryption-hardware-requirements) -- [Review your BitLocker policy configuration](#policy) - -For information about the procedure to verify whether Intune policies are enforcing BitLocker correctly, see [Verifying that BitLocker is operating correctly](#verifying-that-bitlocker-is-operating-correctly). - -## Event ID 853: Error: A compatible Trusted Platform Module (TPM) Security Device cannot be found on this computer - -Event ID 853 can carry different error messages, depending on the context. In this case, the Event ID 853 error message indicates that the device does not appear to have a TPM. The event information resembles the following: - -![Details of event ID 853 (TPM is not available, cannot find TPM).](./images/4509190-en-1.png) - -### Cause - -The device that you are trying to secure may not have a TPM chip, or the device BIOS might have been configured to disable the TPM. - -### Resolution - -To resolve this issue, verify the following: - -- The TPM is enabled in the device BIOS. -- The TPM status in the TPM management console resembles the following: - - Ready (TPM 2.0) - - Initialized (TPM 1.2) - -For more information, see [Troubleshoot the TPM](../tpm/initialize-and-configure-ownership-of-the-tpm.md). - -## Event ID 853: Error: BitLocker Drive Encryption detected bootable media (CD or DVD) in the computer - -In this case, you see event ID 853, and the error message in the event indicates that bootable media is available to the device. The event information resembles the following. - -![Details of event ID 853 (TPM is not available, bootable media found).](./images/4509191-en-1.png) - -### Cause - -During the provisioning process, BitLocker drive encryption records the configuration of the device to establish a baseline. If the device configuration changes later (for example, if you remove the media), BitLocker recovery mode automatically starts. - -To avoid this situation, the provisioning process stops if it detects a removable bootable media. - -### Resolution - -Remove the bootable media, and restart the device. After the device restarts, verify the encryption status. - -## Event ID 854: WinRE is not configured - -The event information resembles the following: - -> Failed to enable Silent Encryption. WinRe is not configured. -> -> Error: This PC cannot support device encryption because WinRE is not properly configured. - -### Cause - -Windows Recovery Environment (WinRE) is a minimal Windows operating system that is based on Windows Preinstallation Environment (Windows PE). WinRE includes several tools that an administrator can use to recover or reset Windows and diagnose Windows issues. If a device cannot start the regular Windows operating system, the device tries to start WinRE. - -The provisioning process enables BitLocker drive encryption on the operating system drive during the Windows PE phase of provisioning. This action makes sure that the drive is protected before the full operating system is installed. The provisioning process also creates a system partition for WinRE to use if the system crashes. - -If WinRE is not available on the device, provisioning stops. - -### Resolution - -You can resolve this issue by verifying the configuration of the disk partitions, the status of WinRE, and the Windows Boot Loader configuration. To do this, follow these steps. - -#### Step 1: Verify the configuration of the disk partitions - -The procedures described in this section depend on the default disk partitions that Windows configures during installation. Windows 11 and Windows 10 automatically create a recovery partition that contains the Winre.wim file. The partition configuration resembles the following. - -![Default disk partitions, including the recovery partition.](./images/4509194-en-1.png) - -To verify the configuration of the disk partitions, open an elevated Command Prompt window and run the following commands: - -```console -diskpart -list volume -``` - -![Output of the list volume command in the Diskpart app.](./images/4509195-en-1.png) - -If the status of any of the volumes is not healthy or if the recovery partition is missing, you may have to reinstall Windows. Before you do this, check the configuration of the Windows image that you are using for provisioning. Make sure that the image uses the correct disk configuration. The image configuration should resemble the following (this example is from Microsoft Configuration Manager): - -![Windows image configuration in Microsoft Configuration Manager.](./images/configmgr-imageconfig.jpg) - -#### Step 2: Verify the status of WinRE - -To verify the status of WinRE on the device, open an elevated Command Prompt window and run the following command: - -```console -reagentc /info -``` -The output of this command resembles the following. - -![Output of the reagentc /info command.](./images/4509193-en-1.png) - -If the **Windows RE status** is not **Enabled**, run the following command to enable it: - -```console -reagentc /enable -``` - -#### Step 3: Verify the Windows Boot Loader configuration - -If the partition status is healthy, but the **reagentc /enable** command results in an error, verify whether the Windows Boot Loader contains the recovery sequence GUID. To do this, run the following command in an elevated Command Prompt window: - -```console -bcdedit /enum all -``` - -The output of this command resembles the following: - -:::image type="content" alt-text="Output of the bcdedit /enum all command." source="./images/4509196-en-1.png" lightbox="./images/4509196-en-1.png"::: - -In the output, locate the **Windows Boot Loader** section that includes the line **identifier={current}**. In that section, locate the **recoverysequence** attribute. The value of this attribute should be a GUID value, not a string of zeros. - -## Event ID 851: Contact the manufacturer for BIOS upgrade instructions - -The event information resembles the following: - -> Failed to enable Silent Encryption. -> -> Error: BitLocker Drive Encryption cannot be enabled on the operating system drive. Contact the computer manufacturer for BIOS upgrade instructions. - -### Cause - -The device must have Unified Extensible Firmware Interface (UEFI) BIOS. Silent BitLocker drive encryption does not support legacy BIOS. - -### Resolution - -To verify the BIOS mode, use the System Information application. To do this, follow these steps: - -1. Select **Start**, and enter **msinfo32** in the **Search** box. - -1. Verify that the **BIOS Mode** setting is **UEFI** and not **Legacy**. - - ![System Information app, showing the BIOS Mode setting.](./images/4509198-en-1.png) - -1. If the **BIOS Mode** setting is **Legacy**, you have to switch the BIOS into **UEFI** or **EFI** mode. The steps for doing this are specific to the device. - - > [!NOTE] - > If the device supports only Legacy mode, you cannot use Intune to manage BitLocker device encryption on the device. - -## Error message: The UEFI variable 'SecureBoot' could not be read - -You receive an error message that resembles the following: - -> **Error:** BitLocker cannot use Secure Boot for integrity because the UEFI variable 'SecureBoot' could not be read. A required privilege is not held by the client. - -### Cause - -A platform configuration register (PCR) is a memory location in the TPM. In particular, PCR 7 measures the state of secure boot. Silent BitLocker drive encryption requires the secure boot to be turned on. - -### Resolution - -You can resolve this issue by verifying the PCR validation profile of the TPM and the secure boot state. To do this, follow these steps: - -#### Step 1: Verify the PCR validation profile of the TPM - -To verify that PCR 7 is in use, open an elevated Command Prompt window and run the following command: - -```console -Manage-bde -protectors -get %systemdrive% -``` - -In the TPM section of the output of this command, verify whether the **PCR Validation Profile** setting includes **7**, as follows: - -![Output of the manage-bde command.](./images/4509199-en-1.png) - -If **PCR Validation Profile** doesn't include **7** (for example, the values include **0**, **2**, **4**, and **11**, but not **7**), then secure boot is not turned on. - -![Output of the manage-bde command when PCR 7 is not present.](./images/4509200-en-1.png) - -#### 2. Verify the secure boot state - -To verify the secure boot state, use the System Information application. To do this, follow these steps: - -1. Select **Start**, and enter **msinfo32** in the **Search** box. - -1. Verify that the **Secure Boot State** setting is **On**, as follows: - - ![System Information app, showing a supported Secure Boot State.](./images/4509201-en-1.png) - -1. If the **Secure Boot State** setting is **Unsupported**, you cannot use Silent BitLocker Encryption on this device. - - ![System Information app, showing a unsupported Secure Boot State.](./images/4509202-en-1.png) - -> [!NOTE] -> You can also use the [Confirm-SecureBootUEFI](/powershell/module/secureboot/confirm-securebootuefi) cmdlet to verify the Secure Boot state. To do this, open an elevated PowerShell window and run the following command: -> -> ```ps -> PS C:\> Confirm-SecureBootUEFI -> ``` -> -> If the computer supports Secure Boot and Secure Boot is enabled, this cmdlet returns "True." -> -> If the computer supports secure boot and secure boot is disabled, this cmdlet returns "False." -> -> If the computer does not support Secure Boot or is a BIOS (non-UEFI) computer, this cmdlet returns "Cmdlet not supported on this platform." - -## Event ID 846, 778, and 851: Error 0x80072f9a - -In this case, you are deploying Intune policy to encrypt a Windows 11, Windows 10, version 1809 device, and store the recovery password in Azure Active Directory (Azure AD). As part of the policy configuration, you have selected the **Allow standard users to enable encryption during Azure AD Join** option. - -The policy deployment fails and the failure generates the following events (visible in Event Viewer in the **Applications and Services Logs\\Microsoft\\Windows\\BitLocker API** folder): - -> Event ID:846 -> -> Event: -> Failed to backup BitLocker Drive Encryption recovery information for volume C: to your Azure AD. -> -> TraceId: {cbac2b6f-1434-4faa-a9c3-597b17c1dfa3} -> Error: Unknown HResult Error code: 0x80072f9a - -> Event ID:778 -> -> Event: The BitLocker volume C: was reverted to an unprotected state. - -> Event ID: 851 -> -> Event: -> Failed to enable Silent Encryption. -> -> Error: Unknown HResult Error code: 0x80072f9a. - -These events refer to Error code 0x80072f9a. - -### Cause - -These events indicate that the signed-in user does not have permission to read the private key on the certificate that is generated as part of the provisioning and enrollment process. Therefore, the BitLocker MDM policy refresh fails. - -The issue affects Windows 11 and Windows 10 version 1809. - -### Resolution - -To resolve this issue, install the [May 21, 2019](https://support.microsoft.com/help/4497934/windows-10-update-kb4497934) update. - -## Error message: There are conflicting group policy settings for recovery options on operating system drives - -You receive a message that resembles the following: - -> **Error:** BitLocker Drive Encryption cannot be applied to this drive because there are conflicting Group Policy settings for recovery options on operating system drives. Storing recovery information to Active Directory Domain Services cannot be required when the generation of recovery passwords is not permitted. Please have your system administrator resolve these policy conflicts before attempting to enable BitLocker… - -### Resolution - -To resolve this issue, review your group policy object (GPO) settings for conflicts. For further guidance, see the next section, [Review your BitLocker policy configuration](#policy). - -For more information about GPOs and BitLocker, see [BitLocker Group Policy Reference](/previous-versions/windows/it-pro/windows-7/ee706521(v=ws.10)). - -## Review your BitLocker policy configuration - -For information about the procedure to use policy together with BitLocker and Intune, see the following resources: - -- [BitLocker management for enterprises: Managing devices joined to Azure Active Directory](./bitlocker-management-for-enterprises.md#managing-devices-joined-to-azure-active-directory) -- [BitLocker Group Policy Reference](/previous-versions/windows/it-pro/windows-7/ee706521(v=ws.10)) -- [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference) -- [Policy CSP – BitLocker](/windows/client-management/mdm/policy-csp-bitlocker) -- [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp) -- [Enable ADMX-backed policies in MDM](/windows/client-management/mdm/enable-admx-backed-policies-in-mdm) -- [gpresult](/windows-server/administration/windows-commands/gpresult) - -Intune offers the following enforcement types for BitLocker: - -- **Automatic** (Enforced when the device joins Azure AD during the provisioning process. This option is available in Windows 10 version 1703 and later, or Windows 11.) -- **Silent** (Endpoint protection policy. This option is available in Windows 10 version 1803 and later, or Windows 11.) -- **Interactive** (Endpoint policy for Windows versions that are older than Windows 10 version 1803, or Windows 11.) - -If your device runs Windows 10 version 1703 or later, or Windows 11, supports Modern Standby (also known as Instant Go) and is HSTI-compliant, joining the device to Azure AD triggers automatic device encryption. A separate endpoint protection policy is not required to enforce device encryption. - -If your device is HSTI-compliant but does not support Modern Standby, you have to configure an endpoint protection policy to enforce silent BitLocker drive encryption. The settings for this policy should resemble the following: - -![Intune policy settings.](./images/4509186-en-1.png) - -The OMA-URI references for these settings are as follows: - -- OMA-URI: **./Device/Vendor/MSFT/BitLocker/RequireDeviceEncryption** - Value Type: **Integer** - Value: **1**  (1 = Require, 0 = Not Configured) - -- OMA-URI: **./Device/Vendor/MSFT/BitLocker/AllowWarningForOtherDiskEncryption** - Value Type: **Integer** - Value: **0** (0 = Blocked, 1 = Allowed) - -> [!NOTE] -> Because of an update to the BitLocker Policy CSP, if the device uses Windows 10 version 1809 or later, or Windows 11, you can use an endpoint protection policy to enforce silent BitLocker Device Encryption even if the device is not HSTI-compliant. - -> [!NOTE] -> If the **Warning for other disk encryption** setting is set to **Not configured**, you have to manually start the BitLocker drive encryption wizard. - -If the device does not support Modern Standby but is HSTI-compliant, and it uses a version of Windows that is earlier than Windows 10, version 1803, or Windows 11, an endpoint protection policy that has the settings that are described in this article delivers the policy configuration to the device. However, Windows then notifies the user to manually enable BitLocker Drive Encryption. To do this, the user selects the notification. This action starts the BitLocker Drive Encryption wizard. - -The Intune 1901 release provides settings that you can use to configure automatic device encryption for Autopilot devices for standard users. Each device must meet the following requirements: - -- Be HSTI-compliant -- Support Modern Standby -- Use Windows 10 version 1803 or later, or Windows 11 - -![Intune policy setting.](./images/4509188-en-1.png) - -The OMA-URI references for these settings are as follows: - -- OMA-URI: **./Device/Vendor/MSFT/BitLocker/AllowStandardUserEncryption** - Value Type: **Integer** - Value: **1** - -> [!NOTE] -> This node works together with the **RequireDeviceEncryption** and **AllowWarningForOtherDiskEncryption** nodes. For this reason, when you set **RequireDeviceEncryption** to **1**, **AllowStandardUserEncryption** to **1**, and **AllowWarningForOtherDiskEncryption** to **0**, Intune enforces silent BitLocker encryption for Autopilot devices that have standard user profiles. - -## Verifying that BitLocker is operating correctly - -During regular operations, BitLocker drive encryption generates events such as Event ID 796 and Event ID 845. - -![Event ID 796, as shown in Event Viewer.](./images/4509203-en-1.png) - -![Event ID 845, as shown in Event Viewer.](./images/4509204-en-1.png) - -You can also determine whether the BitLocker recovery password has been uploaded to Azure AD by checking the device details in the Azure AD Devices section. - -![BitLocker recovery information as viewed in Azure AD.](./images/4509205-en-1.png) - -On the device, check the Registry Editor to verify the policy settings on the device. Verify the entries under the following subkeys: - -- **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\current\\device\\BitLocker** -- **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\current\\device** - -![Registry subkeys that relate to Intune policy.](./images/4509206-en-1.png) \ No newline at end of file diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md deleted file mode 100644 index 00e41f6158..0000000000 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md +++ /dev/null @@ -1,90 +0,0 @@ ---- -title: BitLocker network unlock known issues -description: Describes several known issues that you may encounter while using network unlock, and provided guidance for addressing those issues. -ms.technology: itpro-security -ms.prod: windows-client -ms.localizationpriority: medium -author: v-tappelgate -ms.author: v-tappelgate -manager: kaushika -ms.reviewer: kaushika -ms.collection: Windows Security Technologies\BitLocker -ms.topic: troubleshooting -ms.custom: bitlocker ---- - -# BitLocker network unlock: known issues - -By using the BitLocker network unlock feature, you can manage computers remotely without having to enter a BitLocker PIN when each computer starts up. To configure this behavior, your environment needs to meet the following requirements: - -- Each computer belongs to a domain. -- Each computer has a wired connection to the internal network. -- The internal network uses DHCP to manage IP addresses. -- Each computer has a DHCP driver implemented in its Unified Extensible Firmware Interface (UEFI) firmware. - -For general guidelines about how to troubleshoot network unlock, see [How to enable network unlock: Troubleshoot network unlock](./bitlocker-how-to-enable-network-unlock.md#troubleshoot-network-unlock). - -This article describes several known issues that you may encounter when you use network unlock, and provides guidance to address these issues. - -## Tip: Detect whether BitLocker network unlock is enabled on a specific computer - -You can use the following steps on computers with either x64 or x32 UEFI firmware. You can also script these commands. - -1. Open an elevated command prompt window and run the following command: - - ```cmd - manage-bde -protectors -get - ``` - - ```cmd - manage-bde -protectors -get C: - ``` - - Where `` is the drive letter, followed by a colon (`:`), of the bootable drive. - If the output of this command includes a key protector of type **TpmCertificate (9)**, the configuration is correct for BitLocker network unlock. - -1. Start Registry Editor, and verify the following settings: - - Entry `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE: OSManageNKP` is set to `1`. - - Subkey `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\FVE_NKP\Certificates` has an entry whose name matches the name of the certificate thumbprint of the network unlock key protector that you found in step 1. - -## 1. On a Surface Pro 4 device, BitLocker network unlock doesn't work because the UEFI network stack is incorrectly configured - -You've configured BitLocker network unlock as described in [BitLocker: How to enable network unlock](/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock). You've configured the UEFI of the device to use DHCP. However, when you restart the device, it still prompts you for the BitLocker PIN. - -You test another device, such as a different type of tablet or laptop PC that's configured to use the same infrastructure. The device restarts as expected, without prompting for the BitLocker PIN. You conclude that the infrastructure is correctly configured, and the issue is specific to the device. - -### Cause of issue 1 - -The UEFI network stack on the device was incorrectly configured. - -### Resolution for issue 1 - -To correctly configure the UEFI network stack of the Surface Pro 4, you have to use Microsoft Surface Enterprise Management Mode (SEMM). For information about SEMM, see [Enroll and configure Surface devices with SEMM](/surface/enroll-and-configure-surface-devices-with-semm). - -> [!NOTE] -> If you cannot use SEMM, you may be able to configure the Surface Pro 4 to use BitLocker network unlock by configuring the device to use the network as its first boot option. - -## 2. Unable to use BitLocker network unlock feature on a Windows client computer - -You have configured BitLocker network unlock as described in [BitLocker: How to enable network unlock](/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock). You have a Windows 8 client computer that is connected to the internal network with an ethernet cable. However, when you restart the computer, it still prompts you for the BitLocker PIN. - -### Cause of issue 2 - -A Windows 8-based or Windows Server 2012-based client computer sometimes doesn't receive or use the network unlock protector, depending on whether the client receives unrelated BOOTP replies from a DHCP server or WDS server. - -DHCP servers may send any DHCP options to a BOOTP client as allowed by the DHCP options and BOOTP vendor extensions. This behavior means that because a DHCP server supports BOOTP clients, the DHCP server replies to BOOTP requests. - -The manner in which a DHCP server handles an incoming message depends in part on whether the message uses the Message Type option: - -- The first two messages that the BitLocker network unlock client sends are DHCP DISCOVER\REQUEST messages. They use the Message Type option, so the DHCP server treats them as DHCP messages. -- The third message that the BitLocker network unlock client sends doesn't have the Message Type option. The DHCP server treats the message as a BOOTP request. - -A DHCP server that supports BOOTP clients must interact with those clients according to the BOOTP protocol. The server must create a BOOTP BOOTREPLY message instead of a DHCP DHCPOFFER message. (In other words, the server must not include the DHCP message option type and must not exceed the size limit for BOOTREPLY messages.) After the server sends the BOOTP BOOTREPLY message, the server marks a binding for a BOOTP client as BOUND. A non-DHCP client doesn't send a DHCPREQUEST message, nor does that client expect a DHCPACK message. - -If a DHCP server that isn't configured to support BOOTP clients receives a BOOTREQUEST message from a BOOTP client, that server silently discards the BOOTREQUEST message. - -For more information about DHCP and BitLocker network unlock, see [BitLocker: How to enable network unlock: network unlock sequence](/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock#network-unlock-sequence). - -### Resolution for issue 2 - -To resolve this issue, change the configuration of the DHCP server by changing the **DHCP** option from **DHCP and BOOTP** to **DHCP**. diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md deleted file mode 100644 index 03932d4c98..0000000000 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md +++ /dev/null @@ -1,343 +0,0 @@ ---- -title: BitLocker recovery known issues -description: Describes common issues that can occur that prevent BitLocker from behaving as expected when recovering a drive, or may cause BitLocker to start recovery unexpectedly. The article provides guidance for addressing those issues. -ms.reviewer: kaushika -ms.technology: itpro-security -ms.prod: windows-client -ms.localizationpriority: medium -author: Teresa-Motiv -ms.author: v-tappelgate -manager: kaushika -ms.collection: - - Windows Security Technologies\BitLocker - - highpri -ms.topic: troubleshooting -ms.date: 10/18/2019 -ms.custom: bitlocker ---- - -# BitLocker recovery: known issues - -This article describes common issues that may prevent BitLocker from behaving as expected when you recover a drive, or that may cause BitLocker to start recovery unexpectedly. The article also provides guidance to address these issues. - -> [!NOTE] -> In this article, "recovery password" refers to the 48-digit recovery password and "recovery key" refers to 32-digit recovery key. For more information, see [BitLocker key protectors](./prepare-your-organization-for-bitlocker-planning-and-policies.md#bitlocker-key-protectors). - -## Windows prompts for a non-existing BitLocker recovery password - -Windows prompts you for a BitLocker recovery password. However, you did not configure a BitLocker recovery password. - -### Resolution - -The BitLocker and Active Directory Domain Services (AD DS) FAQ address situations that may produce this symptom, and provides information about the procedure to resolve the issue: - -- [What if BitLocker is enabled on a computer before the computer has joined the domain?](./bitlocker-and-adds-faq.yml#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain-) - -- [What happens if the backup initially fails? Will BitLocker retry the backup?](./bitlocker-and-adds-faq.yml) - -## The recovery password for a laptop was not backed up, and the laptop is locked - -You have a Windows 11 or Windows 10 Home-based laptop, and you have to recover its hard disk. The disk was encrypted by using BitLocker Driver Encryption. However, the BitLocker recovery password was not backed up, and the usual user of the laptop is not available to provide the password. - -### Resolution - -You can use either of the following methods to manually back up or synchronize an online client's existing recovery information: - -- Create a Windows Management Instrumentation (WMI) script that backs up the information. For more information, see [BitLocker Drive Encryption Provider](/windows/win32/secprov/bitlocker-drive-encryption-provider). - -- In an elevated Command Prompt window, use the [manage-bde](/windows-server/administration/windows-commands/manage-bde) command to back up the information. - - For example, to back up all of the recovery information for the C: drive to AD DS, open an elevated Command Prompt window and run the following command: - - ```console - manage-bde -protectors -adbackup C: - ``` - -> [!NOTE] -> BitLocker does not automatically manage this backup process. - -## Tablet devices do not support using Manage-bde -forcerecovery to test recovery mode - -You have a tablet or slate device, and you try to test BitLocker recovery by running the following command: - -```console -Manage-bde -forcerecovery -``` - -However, after you enter the recovery password, the device cannot start. - -### Cause - -> [!IMPORTANT] -> Tablet devices do not support the **manage-bde -forcerecovery** command. - -This issue occurs because the Windows Boot Manager cannot process touch-input during the pre-boot phase of startup. If Boot Manager detects that the device is a tablet, it redirects the startup process to the Windows Recovery Environment (WinRE), which can process touch-input. - -If WindowsRE detects the TPM protector on the hard disk, it does a PCR reseal. However, the **manage-bde -forcerecovery** command deletes the TPM protectors on the hard disk. Therefore, WinRE cannot reseal the PCRs. This failure triggers an infinite BitLocker recovery cycle and prevents Windows from starting. - -This behavior is by design for all versions of Windows. - -### Workaround - -To resolve the restart loop, follow these steps: - -1. On the BitLocker Recovery screen, select **Skip this drive**. - -1. Select **Troubleshoot** \> **Advanced Options** \> **Command Prompt**. - -1. In the Command Prompt window, run the following commands: - - ```console - manage-bde –unlock C: -rp <48-digit BitLocker recovery password> - manage-bde -protectors -disable C: - - ``` - -1. Close the Command Prompt window. - -1. Shut down the device. - -1. Start the device. Windows should start as usual. - -## After you install UEFI or TPM firmware updates on Surface, BitLocker prompts for the recovery password - -You have a Surface device that has BitLocker drive encryption turned on. You update the firmware of the device TPM or install an update that changes the signature of the system firmware. For example, you install the Surface TPM (IFX) update. - -You experience one or more of the following symptoms on the Surface device: - -- At startup, you are prompted for your BitLocker recovery password. You enter the correct recovery password, but Windows doesn’t start up. -- Startup progresses directly into the Surface Unified Extensible Firmware Interface (UEFI) settings. -- The Surface device appears to be in an infinite restart loop. - -### Cause - -This issue occurs if the Surface device TPM is configured to use Platform Configuration Register (PCR) values other than the default values of PCR 7 and PCR 11. For example, the following settings can configure the TPM this way: - -- Secure boot is turned off. -- PCR values have been explicitly defined, such as by group policy. - -Devices that support Connected Standby (also known as *InstantGO* or *Always On, Always Connected PCs*), including Surface devices, must use PCR 7 of the TPM. In its default configuration on such systems, BitLocker binds to PCR 7 and PCR 11 if PCR 7 and Secure Boot are correctly configured. For more information, see "About the Platform Configuration Register (PCR)" at [BitLocker Group Policy Settings](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj679890(v=ws.11)#about-the-platform-configuration-register-pcr)). - -### Resolution - -To verify the PCR values that are in use on a device, open an elevated Command Prompt window and run the following command: - -```console -manage-bde.exe -protectors -get : -``` - -In this command, <*OSDriveLetter*> represents the drive letter of the operating system drive. - -To resolve this issue and repair the device, follow these steps. - -#### Step 1: Disable the TPM protectors on the boot drive - -If you have installed a TPM or UEFI update and your device cannot start, even if you enter the correct BitLocker recovery password, you can restore the ability to start by using the BitLocker recovery password and a Surface recovery image to remove the TPM protectors from the boot drive. - -To do this, follow these steps: - -1. Obtain your BitLocker recovery password from [your Microsoft.com account](https://account.microsoft.com/devices/recoverykey). If BitLocker is managed by a different method, such as Microsoft BitLocker Administration and Monitoring (MBAM), contact your administrator for help. - -1. Use another computer to download the Surface recovery image from [Download a recovery image for your Surface](https://support.microsoft.com/surfacerecoveryimage). Use the downloaded image to create a USB recovery drive. - -1. Insert the USB Surface recovery image drive into the Surface device, and start the device. - -1. When you are prompted, select the following items: - - 1. Your operating system language. - - 1. Your keyboard layout. - -1. Select **Troubleshoot** > **Advanced Options** > **Command Prompt**. - -1. In the Command Prompt window, run the following commands: - - ```console - manage-bde -unlock -recoverypassword : - manage-bde -protectors -disable : - - ``` - - In these commands, \<*Password*\> is the BitLocker recovery password that you obtained in step 1, and \<*DriveLetter*> is the drive letter that is assigned to your operating system drive. - - > [!NOTE] - > For more information about how to use this command, see [manage-bde: unlock](/windows-server/administration/windows-commands/manage-bde-unlock). - -1. Restart the computer. - -1. When you are prompted, enter the BitLocker recovery password that you obtained in step 1. - -> [!NOTE] -> After you disable the TPM protectors, BitLocker drive encryption no longer protects your device. To re-enable BitLocker drive encryption, select **Start**, type **Manage BitLocker**, and then press Enter. Follow the steps to encrypt your drive. - -#### Step 2: Use Surface BMR to recover data and reset your device - -To recover data from your Surface device if you cannot start Windows, follow steps 1 through 5 of [Step 1](#step-1) to return to the Command Prompt window, and then follow these steps: - -1. At the command prompt, run the following command: - - ```console - manage-bde -unlock -recoverypassword : - ``` - - In this command, \<*Password*\> is the BitLocker recovery password that you obtained in step 1 of [Step 1](#step-1), and \<*DriveLetter*> is the drive letter that is assigned to your operating system drive. - -1. After the drive is unlocked, use the **copy** or **xcopy** command to copy the user data to another drive. - - > [!NOTE] - > For more information about the these commands, see the [Windows commands](/windows-server/administration/windows-commands/windows-commands). - -1. To reset your device by using a Surface recovery image, follow the instructions in the "How to reset your Surface using your USB recovery drive" section in [Creating and using a USB recovery drive](https://support.microsoft.com/help/4023512). - -#### Step 3: Restore the default PCR values - -To prevent this issue from recurring, we strongly recommend that you restore the default configuration of secure boot and the PCR values. - -To enable secure boot on a Surface device, follow these steps: - -1. Suspend BitLocker. to do this, open an elevated Windows PowerShell window, and run the following cmdlet: - - ```powershell - Suspend-BitLocker -MountPoint ":" -RebootCount 0 - ``` - - In this command, <*DriveLetter*> is the letter that is assigned to your drive. - -1. Restart the device, and then edit the BIOS to set the **Secure Boot** option to **Microsoft Only**. - -1. Restart the device. - -1. Open an elevated PowerShell window, and run the following cmdlet: - - ```powershell - - Resume-BitLocker -MountPoint ":" - ``` - -To reset the PCR settings on the TPM, follow these steps: - -1. Disable any Group Policy Objects that configure the PCR settings, or remove the device from any groups that enforce such policies. - - For more information, see [BitLocker Group Policy settings](./bitlocker-group-policy-settings.md). - -1. Suspend BitLocker. To do this, open an elevated Windows PowerShell window, and run the following cmdlet: - - ```powershell - Suspend-BitLocker -MountPoint ":" -RebootCount 0 - ``` - - where <*DriveLetter*> is the letter assigned to your drive. - -1. Run the following cmdlet: - - ```powershell - Resume-BitLocker -MountPoint ":" - ``` - -#### Step 4: Suspend BitLocker during TPM or UEFI firmware updates - -You can avoid this scenario when you install updates to system firmware or TPM firmware by temporarily suspending BitLocker before you apply such updates. - -> [!IMPORTANT] -> TPM and UEFI firmware updates may require multiple restarts while they install. To keep BitLocker suspended during this process, you must use [Suspend-BitLocker](/powershell/module/bitlocker/suspend-bitlocker?view=winserver2012r2-ps&preserve-view=true) and set the **Reboot Count** parameter to either of the following values: -> - **2** or greater: This value sets the number of times the device can restart before BitLocker Device Encryption resumes. -> - **0**: This value suspends BitLocker Drive Encryption indefinitely, until you use [Resume-BitLocker](/powershell/module/bitlocker/resume-bitlocker?view=winserver2012r2-ps&preserve-view=true) or another mechanism to resume protection. - -To suspend BitLocker while you install TPM or UEFI firmware updates: - -1. Open an elevated Windows PowerShell window, and run the following cmdlet: - - ```powershell - Suspend-BitLocker -MountPoint ":" -RebootCount 0 - - ``` - In this cmdlet <*DriveLetter*> is the letter that is assigned to your drive. - -1. Install the Surface device driver and firmware updates. - -1. After you install the firmware updates, restart the computer, open an elevated PowerShell window, and then run the following cmdlet: - - ```powershell - Resume-BitLocker -MountPoint ":" - ``` - -To re-enable BitLocker drive encryption, select **Start**, type **Manage BitLocker**, and then press Enter. Follow the steps to encrypt your drive. - -## After you install an update to a Hyper V-enabled computer, BitLocker prompts for the recovery password and returns error 0xC0210000 - -You have a device that runs Windows 11, Windows 10, version 1703, Windows 10, version 1607, or Windows Server 2016. Also, Hyper-V is enabled on the device. After you install an affected update and restart the device, the device enters BitLocker Recovery mode and you see error code 0xC0210000. - -### Workaround - -If your device is already in this state, you can successfully start Windows after suspending BitLocker from the Windows Recovery Environment (WinRE). To do this, follow these steps: - -1. Retrieve the 48-digit BitLocker recovery password for the operating system drive from your organization's portal or from wherever the password was stored when BitLocker Drive Encryption was first turned on. - -1. On the Recovery screen, press Enter. When you are prompted, enter the recovery password. - -1. If your device starts in the (WinRE) and prompts you for the recovery password again, select **Skip the drive**. - -1. Select **Advanced options** > **Troubleshoot** > **Advanced options** > **Command Prompt**. - -1. In the Command Prompt window, run the following commands: - - ```console - Manage-bde -unlock c: -rp <48 digit numerical recovery password separated by “-“ in 6 digit group> - Manage-bde -protectors -disable c: - exit - ``` - - These commands unlock the drive and then suspend BitLocker by disabling the TPM protectors on the drive. The final command closes the Command Prompt window. - - > [!NOTE] - > These commands suspend BitLocker for one restart of the device. The **-rc 1** option works only inside the operating system and does not work in the recovery environment. - -1. Select **Continue**. Windows should start. - -1. After Windows has started, open an elevated Command Prompt window and run the following command: - - ```console - Manage-bde -protectors -enable c: - ``` - -> [!IMPORTANT] -> Unless you suspend BitLocker before you start the device, this issue recurs. - -To temporarily suspend BitLocker just before you restart the device, open an elevated Command Prompt window and run the following command: - -```console -Manage-bde -protectors -disable c: -rc 1 -``` - -### Resolution - -To resolve this issue, install the appropriate update on the affected device: - -- For Windows 10, version 1703, or Windows 11: [July 9, 2019—KB4507450 (OS Build 15063.1928)](https://support.microsoft.com/help/4507450/windows-10-update-kb4507450) -- For Windows 11, Windows 10, version 1607 and Windows Server 2016: [July 9, 2019—KB4507460 (OS Build 14393.3085)](https://support.microsoft.com/help/4507460/windows-10-update-kb4507460) - -## Credential Guard/Device Guard on TPM 1.2: At every restart, BitLocker prompts for the recovery password and returns error 0xC0210000 - -You have a device that uses TPM 1.2 and runs Windows 10, version 1809, or Windows 11. Also, the device uses [Virtualization-based Security](/windows-hardware/design/device-experiences/oem-vbs) features such as [Device Guard and Credential Guard](/windows-hardware/drivers/bringup/device-guard-and-credential-guard). Every time that you start the device, the device enters BitLocker Recovery mode and you see error code 0xc0210000, and a message that resembles the following. - -> Recovery -> -> Your PC/Device needs to be repaired. -> A required file couldn't be accessed because your BitLocker key wasn't loaded correctly. -> -> Error code 0xc0210000 -> -> You'll need to use recovery tools. If you don't have any installation media (like a disc or USB device), contact your PC administrator or PC/Device manufacturer. - -### Cause - -TPM 1.2 does not support Secure Launch. For more information, see [System Guard Secure Launch and SMM protection: Requirements Met by System Guard Enabled Machines](../../threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md) - -For more information about this technology, see [Windows Defender System Guard: How a hardware-based root of trust helps protect Windows](../../threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md) - -### Resolution - -To resolve this issue, do one of the following: - -- Remove any device that uses TPM 1.2 from any group that is subject to GPOs that enforce secure launch. -- Edit the **Turn On Virtualization Based Security** GPO to set **Secure Launch Configuration** to **Disabled**. diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues.md deleted file mode 100644 index b6ea2d5b56..0000000000 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues.md +++ /dev/null @@ -1,112 +0,0 @@ ---- -title: BitLocker and TPM other known issues -description: Describes common issues that relate directly to the TPM, and provides guidance for resolving those issues. -ms.reviewer: kaushika -ms.technology: itpro-security -ms.prod: windows-client -ms.localizationpriority: medium -author: Teresa-Motiv -ms.author: v-tappelgate -manager: kaushika -ms.collection: Windows Security Technologies\BitLocker -ms.topic: troubleshooting -ms.date: 10/18/2019 -ms.custom: bitlocker ---- - -# BitLocker and TPM: other known issues - -This article describes common issues that relate directly to the trusted platform module (TPM), and provides guidance to address these issues. - -## Azure AD: Windows Hello for Business and single sign-on don't work - -You have an Azure Active Directory (Azure AD)-joined client computer that can't authenticate correctly. You experience one or more of the following symptoms: - -- Windows Hello for Business doesn't work. -- Conditional access fails. -- Single sign-on (SSO) doesn't work. - -Additionally, the computer logs the following entry for Event ID 1026: - -> Log Name: System -> Source: Microsoft-Windows-TPM-WMI -> Date: \ -> Event ID: 1026 -> Task Category: None -> Level: Information -> Keywords: -> User: SYSTEM -> Computer: \ -> Description: -> The Trusted Platform Module (TPM) hardware on this computer cannot be provisioned for use automatically.  To set up the TPM interactively use the TPM management console (Start-\>tpm.msc) and use the action to make the TPM ready. -> Error: The TPM is defending against dictionary attacks and is in a time-out period. -> Additional Information: 0x840000 - -### Cause - -This event indicates that the TPM isn't ready or has some setting that prevents access to the TPM keys. - -Additionally, the behavior indicates that the client computer can't obtain a [Primary Refresh Token (PRT)](/azure/active-directory/devices/concept-primary-refresh-token). - -### Resolution - -To verify the status of the PRT, use the [dsregcmd /status command](/azure/active-directory/devices/troubleshoot-device-dsregcmd) to collect information. In the tool output, verify that either **User state** or **SSO state** contains the **AzureAdPrt** attribute. If the value of this attribute is **No**, the PRT wasn't issued. This may indicate that the computer couldn't present its certificate for authentication. - -To resolve this issue, follow these steps to troubleshoot the TPM: - -1. Open the TPM management console (tpm.msc). To do this, select **Start**, and enter **tpm.msc** in the **Search** box. -1. If you see a notice to either unlock the TPM or reset the lockout, follow those instructions. -1. If you don't see such a notice, review the BIOS settings of the computer for any setting that you can use to reset or disable the lockout. -1. Contact the hardware vendor to determine whether there's a known fix for the issue. -1. If you still can't resolve the issue, clear and reinitialize the TPM. To do this, follow the instructions in [Troubleshoot the TPM: Clear all the keys from the TPM](../tpm/initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm). - > [!WARNING] - > Clearing the TPM can cause data loss. - -## TPM 1.2 Error: Loading the management console failed. The device that is required by the cryptographic provider isn't ready for use - -You have a Windows 11 or Windows 10 version 1703-based computer that uses TPM version 1.2. When you try to open the TPM management console, you receive the following message: - -> Loading the management console failed. The device that is required by the cryptographic provider is not ready for use. -> HRESULT 0x800900300x80090030 - NTE\_DEVICE\_NOT\_READY -> The device that is required by this cryptographic provider is not ready for use. -> TPM Spec version: TPM v1.2 - -On a different device that is running the same version of Windows, you can open the TPM management console. - -### Cause (suspected) - -These symptoms indicate that the TPM has hardware or firmware issues. - -### Resolution - -To resolve this issue, switch the TPM operating mode from version 1.2 to version 2.0. - -If this doesn't resolve the issue, consider replacing the device motherboard. After you replace the motherboard, switch the TPM operating mode from version 1.2 to version 2.0. - -## Devices don't join hybrid Azure AD because of a TPM issue - -You have a device that you're trying to join to a hybrid Azure AD. However, the join operation appears to fail. - -To verify that the join succeeded, use the [dsregcmd /status command](/azure/active-directory/devices/troubleshoot-device-dsregcmd). In the tool output, the following attributes indicate that the join succeeded: - -- **AzureAdJoined: YES** -- **DomainName: \<*on-prem Domain name*\>** - -If the value of **AzureADJoined** is **No**, the join operation failed. - -### Causes and Resolutions - -This issue may occur when the Windows operating system isn't the owner of the TPM. The specific fix for this issue depends on which errors or events you experience, as shown in the following table: - -|Message |Reason | Resolution| -| - | - | - | -|NTE\_BAD\_KEYSET (0x80090016/-2146893802) |TPM operation failed or was invalid |This issue was probably caused by a corrupted sysprep image. Make sure that you create the sysprep image by using a computer that isn't joined to or registered in Azure AD or hybrid Azure AD. | -|TPM\_E\_PCP\_INTERNAL\_ERROR (0x80290407/-2144795641) |Generic TPM error. |If the device returns this error, disable its TPM. Windows 10, version 1809 and later versions, or Windows 11 automatically detect TPM failures and finish the hybrid Azure AD join without using the TPM. | -|TPM\_E\_NOTFIPS (0x80280036/-2144862154) |The FIPS mode of the TPM is currently not supported. |If the device gives this error, disable its TPM. Windows 10, version 1809 and later versions, or Windows 11 automatically detect TPM failures and finish the hybrid Azure AD join without using the TPM. | -|NTE\_AUTHENTICATION\_IGNORED (0x80090031/-2146893775) |The TPM is locked out. |This error is transient. Wait for the cooldown period, and then retry the join operation. | - -For more information about TPM issues, see the following articles: - -- [TPM fundamentals: Anti-hammering](../tpm/tpm-fundamentals.md#anti-hammering) -- [Troubleshooting hybrid Azure Active Directory-joined devices](/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current) -- [Troubleshoot the TPM](../tpm/initialize-and-configure-ownership-of-the-tpm.md) \ No newline at end of file diff --git a/windows/security/information-protection/encrypted-hard-drive.md b/windows/security/information-protection/encrypted-hard-drive.md index 5a14663688..4523cd4552 100644 --- a/windows/security/information-protection/encrypted-hard-drive.md +++ b/windows/security/information-protection/encrypted-hard-drive.md @@ -3,16 +3,19 @@ title: Encrypted Hard Drive (Windows) description: Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management. ms.reviewer: manager: aaroncz -ms.author: dansimp +ms.author: frankroj ms.prod: windows-client -author: dulcemontemayor -ms.date: 04/02/2019 +author: frankroj +ms.date: 11/08/2022 +ms.technology: itpro-security +ms.topic: conceptual --- # Encrypted Hard Drive -**Applies to** -- Windows 10 +*Applies to:* + +- Windows 10 - Windows 11 - Windows Server 2022 - Windows Server 2019 @@ -21,29 +24,29 @@ ms.date: 04/02/2019 Encrypted hard drive uses the rapid encryption that is provided by BitLocker drive encryption to enhance data security and management. -By offloading the cryptographic operations to a hardware, Encrypted hard drives increase BitLocker performance and reduce CPU usage and power consumption. Because Encrypted hard drives encrypt data quickly, enterprise devices can expand BitLocker deployment with minimal impact on productivity. +By offloading the cryptographic operations to hardware, Encrypted hard drives increase BitLocker performance and reduce CPU usage and power consumption. Because Encrypted hard drives encrypt data quickly, enterprise devices can expand BitLocker deployment with minimal impact on productivity. Encrypted hard drives are a new class of hard drives that are self-encrypting at a hardware level and allow for full disk hardware encryption. You can install Windows to encrypted hard drives without additional modification, beginning with Windows 8 and Windows Server 2012. Encrypted hard drives provide: -- **Better performance**: Encryption hardware, integrated into the drive controller, allows the drive to operate at full data rate with no performance degradation. -- **Strong security based in hardware**: Encryption is always "on" and the keys for encryption never leave the hard drive. User authentication is performed by the drive before it will unlock, independently of the operating system -- **Ease of use**: Encryption is transparent to the user, and the user doesn't need to enable it. Encrypted Hard Drives are easily erased using on-board encryption key; there's no need to re-encrypt data on the drive. -- **Lower cost of ownership**: There's no need for new infrastructure to manage encryption keys, since BitLocker leverages your existing infrastructure to store recovery information. Your device operates more efficiently because processor cycles don't need to be used for the encryption process. +- **Better performance**: Encryption hardware, integrated into the drive controller, allows the drive to operate at full data rate with no performance degradation. +- **Strong security based in hardware**: Encryption is always "on" and the keys for encryption never leave the hard drive. User authentication is performed by the drive before it will unlock, independently of the operating system +- **Ease of use**: Encryption is transparent to the user, and the user doesn't need to enable it. Encrypted Hard Drives are easily erased using on-board encryption key; there's no need to re-encrypt data on the drive. +- **Lower cost of ownership**: There's no need for new infrastructure to manage encryption keys, since BitLocker uses your existing infrastructure to store recovery information. Your device operates more efficiently because processor cycles don't need to be used for the encryption process. Encrypted hard drives are supported natively in the operating system through the following mechanisms: -- **Identification**: The operating system identifies that the drive is an Encrypted hard drive device type. -- **Activation**: The operating system disk management utility activates, creates and maps volumes to ranges/bands as appropriate. -- **Configuration**: The operating system creates and maps volumes to ranges/bands as appropriate. -- **API**: API support for applications to manage Encrypted hard drives independent of BitLocker drive encryption (BDE). -- **BitLocker support**: Integration with the BitLocker Control Panel provides a seamless BitLocker end-user experience. +- **Identification**: The operating system identifies that the drive is an Encrypted hard drive device type. +- **Activation**: The operating system disk management utility activates, creates and maps volumes to ranges/bands as appropriate. +- **Configuration**: The operating system creates and maps volumes to ranges/bands as appropriate. +- **API**: API support for applications to manage Encrypted hard drives independent of BitLocker drive encryption (BDE). +- **BitLocker support**: Integration with the BitLocker Control Panel provides a seamless BitLocker end-user experience. >[!WARNING] >Self-encrypting hard drives and encrypted hard drives for Windows are not the same type of devices. Encrypted hard drives for Windows require compliance for specific TCG protocols as well as IEEE 1667 compliance; Self-encrypting hard drives do not have these requirements. It is important to confirm that the device type is an encrypted hard drive for Windows when planning for deployment. - -If you are a storage device vendor who is looking for more info on how to implement Encrypted Hard Drive, see the [Encrypted Hard Drive Device Guide](/previous-versions/windows/hardware/design/dn653989(v=vs.85)). + +If you're a storage device vendor who is looking for more info on how to implement Encrypted Hard Drive, see the [Encrypted Hard Drive Device Guide](/previous-versions/windows/hardware/design/dn653989(v=vs.85)). ## System Requirements @@ -51,44 +54,44 @@ To use encrypted hard drives, the following system requirements apply: For an encrypted hard drive used as a **data drive**: -- The drive must be in an uninitialized state. -- The drive must be in a security inactive state. +- The drive must be in an uninitialized state. +- The drive must be in a security inactive state. For an encrypted hard drive used as a **startup drive**: -- The drive must be in an uninitialized state. -- The drive must be in a security inactive state. -- The computer must be UEFI 2.3.1 based and have the EFI\_STORAGE\_SECURITY\_COMMAND\_PROTOCOL defined. (This protocol is used to allow programs running in the EFI boot services environment to send security protocol commands to the drive). -- The computer must have the compatibility support module (CSM) disabled in UEFI. -- The computer must always boot natively from UEFI. +- The drive must be in an uninitialized state. +- The drive must be in a security inactive state. +- The computer must be UEFI 2.3.1 based and have the EFI\_STORAGE\_SECURITY\_COMMAND\_PROTOCOL defined. (This protocol is used to allow programs running in the EFI boot services environment to send security protocol commands to the drive). +- The computer must have the compatibility support module (CSM) disabled in UEFI. +- The computer must always boot natively from UEFI. >[!WARNING] >All encrypted hard drives must be attached to non-RAID controllers to function properly. - + ## Technical overview -Rapid encryption in BitLocker directly addresses the security needs of enterprises while offering significantly improved performance. In versions of Windows earlier than Windows Server 2012, BitLocker required a two-step process to complete read/write requests. In Windows Server 2012, Windows 8, or later versions, encrypted hard drives offload the cryptographic operations to the drive controller for much greater efficiency. When the operating system identifies an encrypted hard drive, it activates the security mode. This activation lets the drive controller generate a media key for every volume that the host computer creates. This media key, which is never exposed outside the disk, is used to rapidly encrypt or decrypt every byte of data that is sent or received from the disk. +Rapid encryption in BitLocker directly addresses the security needs of enterprises while offering improved performance. In versions of Windows earlier than Windows Server 2012, BitLocker required a two-step process to complete read/write requests. In Windows Server 2012, Windows 8, or later versions, encrypted hard drives offload the cryptographic operations to the drive controller for much greater efficiency. When the operating system identifies an encrypted hard drive, it activates the security mode. This activation lets the drive controller generate a media key for every volume that the host computer creates. This media key, which is never exposed outside the disk, is used to rapidly encrypt or decrypt every byte of data that is sent or received from the disk. ## Configuring encrypted hard drives as startup drives Configuration of encrypted hard drives as startup drives is done using the same methods as standard hard drives. These methods include: -- **Deploy from media**: Configuration of Encrypted Hard Drives happens automatically through the installation process. -- **Deploy from network**: This deployment method involves booting a Windows PE environment and using imaging tools to apply a Windows image from a network share. Using this method, the Enhanced Storage optional component needs to be included in the Windows PE image. You can enable this component using Server Manager, Windows PowerShell, or the DISM command line tool. If this component isn't present, configuration of Encrypted Hard Drives won't work. -- **Deploy from server**: This deployment method involves PXE booting a client with Encrypted Hard Drives present. Configuration of Encrypted Hard Drives happens automatically in this environment when the Enhanced Storage component is added to the PXE boot image. During deployment, the [TCGSecurityActivationDisabled](/windows-hardware/customize/desktop/unattend/microsoft-windows-enhancedstorage-adm-tcgsecurityactivationdisabled) setting in unattend.xml controls the encryption behavior of Encrypted Hard Drives. -- **Disk Duplication**: This deployment method involves use of a previously configured device and disk duplication tools to apply a Windows image to an Encrypted Hard Drive. Disks must be partitioned using at least Windows 8 or Windows Server 2012 for this configuration to work. Images made using disk duplicators won't work. +- **Deploy from media**: Configuration of Encrypted Hard Drives happens automatically through the installation process. +- **Deploy from network**: This deployment method involves booting a Windows PE environment and using imaging tools to apply a Windows image from a network share. Using this method, the Enhanced Storage optional component needs to be included in the Windows PE image. You can enable this component using Server Manager, Windows PowerShell, or the DISM command line tool. If this component isn't present, configuration of Encrypted Hard Drives won't work. +- **Deploy from server**: This deployment method involves PXE booting a client with Encrypted Hard Drives present. Configuration of Encrypted Hard Drives happens automatically in this environment when the Enhanced Storage component is added to the PXE boot image. During deployment, the [TCGSecurityActivationDisabled](/windows-hardware/customize/desktop/unattend/microsoft-windows-enhancedstorage-adm-tcgsecurityactivationdisabled) setting in unattend.xml controls the encryption behavior of Encrypted Hard Drives. +- **Disk Duplication**: This deployment method involves use of a previously configured device and disk duplication tools to apply a Windows image to an Encrypted Hard Drive. Disks must be partitioned using at least Windows 8 or Windows Server 2012 for this configuration to work. Images made using disk duplicators won't work. ## Configuring hardware-based encryption with group policy -There are three related Group Policy settings that help you manage how BitLocker uses hardware-based encryption and which encryption algorithms to use. If these settings aren't configured or disabled on systems that are equipped with encrypted drives, BitLocker uses software-based encryption: +There are three related Group Policy settings that help you manage how BitLocker uses hardware-based encryption and which encryption algorithms to use. If these settings aren't configured or disabled on systems that are equipped with encrypted drives, BitLocker uses software-based encryption: -- [Configure use of hardware-based encryption for fixed data drives](bitlocker/bitlocker-group-policy-settings.md#bkmk-hdefxd) +- [Configure use of hardware-based encryption for fixed data drives](bitlocker/bitlocker-group-policy-settings.md#configure-use-of-hardware-based-encryption-for-fixed-data-drives) - [Configure use of hardware-based encryption for removable data drives](bitlocker/bitlocker-group-policy-settings.md#configure-use-of-hardware-based-encryption-for-removable-data-drives) - [Configure use of hardware-based encryption for operating system drives](bitlocker/bitlocker-group-policy-settings.md#configure-use-of-hardware-based-encryption-for-operating-system-drives) ## Encrypted hard drive architecture -Encrypted hard drives utilize two encryption keys on the device to control the locking and unlocking of data on the drive. These are the data encryption key (DEK) and the authentication key (AK). +Encrypted hard drives utilize two encryption keys on the device to control the locking and unlocking of data on the drive. These encryption keys are the data encryption key (DEK) and the authentication key (AK). The Data Encryption Key is the key used to encrypt all of the data on the drive. The drive generates the DEK and it never leaves the device. It's stored in an encrypted format at a random location on the drive. If the DEK is changed or erased, data encrypted using the DEK is irrecoverable. @@ -96,13 +99,13 @@ The AK is the key used to unlock data on the drive. A hash of the key is stored When a computer with an encrypted hard drive is in a powered-off state, the drive locks automatically. As a computer powers on, the device remains in a locked state and is only unlocked after the AK decrypts the DEK. Once the AK decrypts the DEK, read-write operations can take place on the device. -When writing data to the drive, it passes through an encryption engine before the write operation completes. Likewise, reading data from the drive requires the encryption engine to decrypt the data before passing that data back to the user. In the event that the AK needs to be changed or erased, the data on the drive doesn't need to be re-encrypted. A new Authentication Key needs to be created and it will re-encrypt the DEK. Once completed, the DEK can now be unlocked using the new AK and read-writes to the volume can continue. +When writing data to the drive, it passes through an encryption engine before the write operation completes. Likewise, reading data from the drive requires the encryption engine to decrypt the data before passing that data back to the user. If the AK needs to be changed or erased, the data on the drive doesn't need to be re-encrypted. A new Authentication Key needs to be created and it will re-encrypt the DEK. Once completed, the DEK can now be unlocked using the new AK, and read-writes to the volume can continue. -## Re-configuring encrypted hard drives +## Reconfiguring encrypted hard drives Many encrypted hard drive devices come pre-configured for use. If reconfiguration of the drive is required, use the following procedure after removing all available volumes and reverting the drive to an uninitialized state: -1. Open Disk Management (diskmgmt.msc) -2. Initialize the disk and select the appropriate partition style (MBR or GPT) -3. Create one or more volumes on the disk. -4. Use the BitLocker setup wizard to enable BitLocker on the volume. +1. Open Disk Management (`diskmgmt.msc`) +2. Initialize the disk and select the appropriate partition style (MBR or GPT) +3. Create one or more volumes on the disk. +4. Use the BitLocker setup wizard to enable BitLocker on the volume. diff --git a/windows/security/information-protection/index.md b/windows/security/information-protection/index.md index c95e39d0c0..7126b41530 100644 --- a/windows/security/information-protection/index.md +++ b/windows/security/information-protection/index.md @@ -5,9 +5,9 @@ ms.prod: windows-client author: dansimp ms.author: dansimp manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 10/10/2018 +ms.technology: itpro-security --- # Information protection diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md index 147e0ad051..234c8a6eba 100644 --- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md +++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md @@ -2,14 +2,14 @@ title: Kernel DMA Protection (Windows) description: Kernel DMA Protection protects PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to Thunderbolt™ 3 ports. ms.prod: windows-client -author: dansimp -ms.author: dansimp +author: vinaypamnani-msft +ms.author: vinpa manager: aaroncz ms.collection: - - M365-security-compliance - highpri ms.topic: conceptual -ms.date: 03/26/2019 +ms.date: 01/05/2023 +ms.technology: itpro-security --- # Kernel DMA Protection @@ -66,6 +66,9 @@ Systems released prior to Windows 10 version 1803 do not support Kernel DMA Prot >[!NOTE] >Kernel DMA Protection is not compatible with other BitLocker DMA attacks countermeasures. It is recommended to disable the BitLocker DMA attacks countermeasures if the system supports Kernel DMA Protection. Kernel DMA Protection provides higher security bar for the system over the BitLocker DMA attack countermeasures, while maintaining usability of external peripherals. +>[!NOTE] +>DMA remapping support for graphics devices was added in Windows 11 with the WDDM 3.0 driver model; Windows 10 does not support this feature. + ## How to check if Kernel DMA Protection is enabled Systems running Windows 10 version 1803 that do support Kernel DMA Protection do have this security feature enabled automatically by the OS with no user or IT admin configuration required. diff --git a/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md b/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md index 4375ada864..0aed4ad1d1 100644 --- a/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md +++ b/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md @@ -3,16 +3,17 @@ title: Configure Personal Data Encryption (PDE) in Intune description: Configuring and enabling Personal Data Encryption (PDE) required and recommended policies in Intune author: frankroj ms.author: frankroj -ms.reviewer: rafals +ms.reviewer: rhonnegowda manager: aaroncz ms.topic: how-to ms.prod: windows-client ms.technology: itpro-security ms.localizationpriority: medium -ms.date: 09/22/2022 +ms.date: 12/13/2022 --- + # Configure Personal Data Encryption (PDE) policies in Intune @@ -20,104 +21,243 @@ ms.date: 09/22/2022 ### Enable Personal Data Encryption (PDE) -1. Sign into the Intune +1. Sign into [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). + 2. Navigate to **Devices** > **Configuration Profiles** + 3. Select **Create profile** + 4. Under **Platform**, select **Windows 10 and later** + 5. Under **Profile type**, select **Templates** + 6. Under **Template name**, select **Custom**, and then select **Create** -7. On the ****Basics** tab: + +7. In **Basics**: + 1. Next to **Name**, enter **Personal Data Encryption** - 2. Next to **Description**, enter a description + 2. Next to **Description**, enter a description + 8. Select **Next** -9. On the **Configuration settings** tab, select **Add** -10. In the **Add Row** window: + +9. In **Configuration settings**, select **Add** + +10. In **Add Row**: + 1. Next to **Name**, enter **Personal Data Encryption** 2. Next to **Description**, enter a description 3. Next to **OMA-URI**, enter in **./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption** 4. Next to **Data type**, select **Integer** 5. Next to **Value**, enter in **1** + 11. Select **Save**, and then select **Next** -12. On the **Assignments** tab: + +12. In **Assignments**: + 1. Under **Included groups**, select **Add groups** 2. Select the groups that the PDE policy should be deployed to 3. Select **Select** 4. Select **Next** -13. On the **Applicability Rules** tab, configure if necessary and then select **Next** -14. On the **Review + create** tab, review the configuration to make sure everything is configured correctly, and then select **Create** -#### Disable Winlogon automatic restart sign-on (ARSO) +13. In **Applicability Rules**, configure if necessary and then select **Next** + +14. In **Review + create**, review the configuration to make sure everything is configured correctly, and then select **Create** + +### Disable Winlogon automatic restart sign-on (ARSO) + +1. Sign into [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -1. Sign into the Intune 2. Navigate to **Devices** > **Configuration Profiles** + 3. Select **Create profile** + 4. Under **Platform**, select **Windows 10 and later** + 5. Under **Profile type**, select **Templates** + 6. Under **Template name**, select **Administrative templates**, and then select **Create** -7. On the ****Basics** tab: + +7. In **Basics**: + 1. Next to **Name**, enter **Disable ARSO** 2. Next to **Description**, enter a description + 8. Select **Next** -9. On the **Configuration settings** tab, under **Computer Configuration**, navigate to **Windows Components** > **Windows Logon Options** + +9. In **Configuration settings**, under **Computer Configuration**, navigate to **Windows Components** > **Windows Logon Options** + 10. Select **Sign-in and lock last interactive user automatically after a restart** + 11. In the **Sign-in and lock last interactive user automatically after a restart** window that opens, select **Disabled**, and then select **OK** + 12. Select **Next** -13. On the **Scope tags** tab, configure if necessary and then select **Next** -12. On the **Assignments** tab: + +13. In **Scope tags**, configure if necessary and then select **Next** + +14. In **Assignments**: + 1. Under **Included groups**, select **Add groups** 2. Select the groups that the ARSO policy should be deployed to 3. Select **Select** 4. Select **Next** -13. On the **Review + create** tab, review the configuration to make sure everything is configured correctly, and then select **Create** -## Recommended prerequisites +15. In **Review + create**, review the configuration to make sure everything is configured correctly, and then select **Create** -#### Disable crash dumps +## Security hardening recommendations + +### Disable kernel-mode crash dumps and live dumps + +1. Sign into [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -1. Sign into the Intune 2. Navigate to **Devices** > **Configuration Profiles** + 3. Select **Create profile** + 4. Under **Platform**, select **Windows 10 and later** + 5. Under **Profile type**, select **Settings catalog**, and then select **Create** -6. On the ****Basics** tab: - 1. Next to **Name**, enter **Disable Hibernation** + +6. In **Basics**: + + 1. Next to **Name**, enter **Disable Kernel-Mode Crash Dumps** 2. Next to **Description**, enter a description + 7. Select **Next** -8. On the **Configuration settings** tab, select **Add settings** -9. In the **Settings picker** windows, select **Memory Dump** -10. When the settings appear in the lower pane, under **Setting name**, select both **Allow Crash Dump** and **Allow Live Dump**, and then select the **X** in the top right corner of the **Settings picker** window to close the window + +8. In **Configuration settings**, select **Add settings** + +9. In the **Settings picker** window, under **Browse by category**, select **Memory Dump** + +10. When the settings appear under **Setting name**, select both **Allow Crash Dump** and **Allow Live Dump**, and then select the **X** in the top right corner of the **Settings picker** window to close the window + 11. Change both **Allow Live Dump** and **Allow Crash Dump** to **Block**, and then select **Next** -12. On the **Scope tags** tab, configure if necessary and then select **Next** -13. On the **Assignments** tab: + +12. In **Scope tags**, configure if necessary and then select **Next** + +13. In **Assignments**: + 1. Under **Included groups**, select **Add groups** - 2. Select the groups that the crash dumps policy should be deployed to + 2. Select the groups that the disable crash dumps policy should be deployed to 3. Select **Select** 4. Select **Next** -14. On the **Review + create** tab, review the configuration to make sure everything is configured correctly, and then select **Create** -#### Disable hibernation +14. In **Review + create**, review the configuration to make sure everything is configured correctly, and then select **Create** + +### Disable Windows Error Reporting (WER)/Disable user-mode crash dumps + +1. Sign into [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -1. Sign into the Intune 2. Navigate to **Devices** > **Configuration Profiles** + 3. Select **Create profile** + 4. Under **Platform**, select **Windows 10 and later** + 5. Under **Profile type**, select **Settings catalog**, and then select **Create** -6. On the ****Basics** tab: + +6. In **Basics**: + + 1. Next to **Name**, enter **Disable Windows Error Reporting (WER)** + 2. Next to **Description**, enter a description + +7. Select **Next** + +8. In **Configuration settings**, select **Add settings** + +9. In the **Settings picker** window, under **Browse by category**, expand to **Administrative Templates** > **Windows Components**, and then select **Windows Error Reporting** + +10. When the settings appear under **Setting name**, select **Disable Windows Error Reporting**, and then select the **X** in the top right corner of the **Settings picker** window to close the window + +11. Change **Disable Windows Error Reporting** to **Enabled**, and then select **Next** + +12. In **Scope tags**, configure if necessary and then select **Next** + +13. In **Assignments**: + + 1. Under **Included groups**, select **Add groups** + 2. Select the groups that the disable WER dumps policy should be deployed to + 3. Select **Select** + 4. Select **Next** + +14. In **Review + create**, review the configuration to make sure everything is configured correctly, and then select **Create** + +### Disable hibernation + +1. Sign into [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). + +2. Navigate to **Devices** > **Configuration Profiles** + +3. Select **Create profile** + +4. Under **Platform**, select **Windows 10 and later** + +5. Under **Profile type**, select **Settings catalog**, and then select **Create** + +6. In **Basics**: + 1. Next to **Name**, enter **Disable Hibernation** 2. Next to **Description**, enter a description + 7. Select **Next** -8. On the **Configuration settings** tab, select **Add settings** -9. In the **Settings picker** windows, select **Power** -10. When the settings appear in the lower pane, under **Setting name**, select **Allow Hibernate**, and then select the **X** in the top right corner of the **Settings picker** window to close the window + +8. In **Configuration settings**, select **Add settings** + +9. In the **Settings picker** window, under **Browse by category**, select **Power** + +10. When the settings appear under **Setting name**, select **Allow Hibernate**, and then select the **X** in the top right corner of the **Settings picker** window to close the window + 11. Change **Allow Hibernate** to **Block**, and then select **Next** -12. On the **Scope tags** tab, configure if necessary and then select **Next** -13. On the **Assignments** tab: + +12. In **Scope tags**, configure if necessary and then select **Next** + +13. In **Assignments**: + 1. Under **Included groups**, select **Add groups** - 2. Select the groups that the hibernation policy should be deployed to + 2. Select the groups that the disable hibernation policy should be deployed to 3. Select **Select** 4. Select **Next** -14. On the **Review + create** tab, review the configuration to make sure everything is configured correctly, and then select **Create** + +14. In **Review + create**, review the configuration to make sure everything is configured correctly, and then select **Create** + +### Disable allowing users to select when a password is required when resuming from connected standby + +1. Sign into [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). + +2. Navigate to **Devices** > **Configuration Profiles** + +3. Select **Create profile** + +4. Under **Platform**, select **Windows 10 and later** + +5. Under **Profile type**, select **Settings catalog**, and then select **Create** + +6. In **Basics**: + + 1. Next to **Name**, enter **Disable allowing users to select when a password is required when resuming from connected standby** + 2. Next to **Description**, enter a description + +7. Select **Next** + +8. In **Configuration settings**, select **Add settings** + +9. In the **Settings picker** window, under **Browse by category**, expand to **Administrative Templates** > **System**, and then select **Logon** + +10. When the settings appear under **Setting name**, select **Allow users to select when a password is required when resuming from connected standby**, and then select the **X** in the top right corner of the **Settings picker** window to close the window + +11. Make sure that **Allow users to select when a password is required when resuming from connected standby** is left at the default of **Disabled**, and then select **Next** + +12. In **Scope tags**, configure if necessary and then select **Next** + +13. In **Assignments**: + + 1. Under **Included groups**, select **Add groups** + 2. Select the groups that the disable Allow users to select when a password is required when resuming from connected standby policy should be deployed to + 3. Select **Select** + 4. Select **Next** + +14. In **Review + create**, review the configuration to make sure everything is configured correctly, and then select **Create** ## See also + - [Personal Data Encryption (PDE)](overview-pde.md) -- [Personal Data Encryption (PDE) FAQ](faq-pde.yml) \ No newline at end of file +- [Personal Data Encryption (PDE) FAQ](faq-pde.yml) diff --git a/windows/security/information-protection/personal-data-encryption/faq-pde.yml b/windows/security/information-protection/personal-data-encryption/faq-pde.yml index 744161659e..c56effe008 100644 --- a/windows/security/information-protection/personal-data-encryption/faq-pde.yml +++ b/windows/security/information-protection/personal-data-encryption/faq-pde.yml @@ -5,13 +5,16 @@ metadata: description: Answers to common questions regarding Personal Data Encryption (PDE). author: frankroj ms.author: frankroj - ms.reviewer: rafals + ms.reviewer: rhonnegowda manager: aaroncz ms.topic: faq ms.prod: windows-client ms.technology: itpro-security ms.localizationpriority: medium - ms.date: 09/22/2022 + ms.date: 12/13/2022 + +# Max 5963468 OS 32516487 +# Max 6946251 title: Frequently asked questions for Personal Data Encryption (PDE) summary: | @@ -22,53 +25,58 @@ sections: questions: - question: Can PDE encrypt entire volumes or drives? answer: | - No. PDE only encrypts specified files. + No. PDE only encrypts specified files and content. - question: Is PDE a replacement for BitLocker? answer: | No. It's still recommended to encrypt all volumes with BitLocker Drive Encryption for increased security. - - question: Can an IT admin specify which files should be encrypted? + - question: How are files and content protected by PDE selected? answer: | - Yes, but it can only be done using the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). + [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager) are used to select which files and content are protected using PDE. - - question: Do I need to use OneDrive as my backup provider? + - question: Do I need to use OneDrive in Microsoft 365 as my backup provider? answer: | - No. PDE doesn't have a requirement for a backup provider including OneDrive. However, backups are strongly recommended in case the keys used by PDE to decrypt files are lost. OneDrive is a recommended backup provider. + No. PDE doesn't have a requirement for a backup provider, including OneDrive in Microsoft 365. However, backups are recommended in case the keys used by PDE to protect files are lost. OneDrive in Microsoft 365 is a recommended backup provider. - question: What is the relation between Windows Hello for Business and PDE? answer: | - During user sign-on, Windows Hello for Business unlocks the keys that PDE uses to decrypt files. + During user sign-on, Windows Hello for Business unlocks the keys that PDE uses to protect content. - - question: Can a file be encrypted with both PDE and EFS at the same time? + - question: Can a file be protected with both PDE and EFS at the same time? answer: | No. PDE and EFS are mutually exclusive. - - question: Can PDE encrypted files be accessed after signing on via a Remote Desktop connection (RDP)? + - question: Can PDE protected content be accessed after signing on via a Remote Desktop connection (RDP)? answer: | - No. Accessing PDE encrypted files over RDP isn't currently supported. + No. Accessing PDE protected content over RDP isn't currently supported. - - question: Can PDE encrypted files be access via a network share? + - question: Can PDE protected content be accessed via a network share? answer: | - No. PDE encrypted files can only be accessed after signing on locally to Windows with Windows Hello for Business credentials. + No. PDE protected content can only be accessed after signing on locally to Windows with Windows Hello for Business credentials. - - question: How can it be determined if a file is encrypted with PDE? + - question: How can it be determined if a file is protected with PDE? answer: | - Encrypted files will show a padlock on the file's icon. Additionally, `cipher.exe` can be used to show the encryption state of the file. + - Files protected with PDE and EFS will both show a padlock on the file's icon. To verify whether a file is protected with PDE vs. EFS: + 1. In the properties of the file, navigate to **General** > **Advanced**. The option **Encrypt contents to secure data** should be selected. + 2. Select the **Details** button. + 3. If the file is protected with PDE, under **Protection status:**, the item **Personal Data Encryption is:** will be marked as **On**. + - [`cipher.exe`](/windows-server/administration/windows-commands/cipher) can also be used to show the encryption state of the file. - question: Can users manually encrypt and decrypt files with PDE? answer: | - Currently users can decrypt files manually but they can't encrypt files manually. + Currently users can decrypt files manually but they can't encrypt files manually. For information on how a user can manually decrypt a file, see the section **Disable PDE and decrypt files** in [Personal Data Encryption (PDE)](overview-pde.md). - - question: If a user signs into Windows with a password instead of Windows Hello for Business, will they be able to access their PDE encrypted files? + - question: If a user signs into Windows with a password instead of Windows Hello for Business, will they be able to access their PDE protected content? answer: | - No. The keys used by PDE to decrypt files are protected by Windows Hello for Business credentials and will only be unlocked when signing on with Windows Hello for Business PIN or biometrics. + No. The keys used by PDE to protect content are protected by Windows Hello for Business credentials and will only be unlocked when signing on with Windows Hello for Business PIN or biometrics. - question: What encryption method and strength does PDE use? answer: | - PDE uses AES-CBC with a 256-bit key to encrypt files + PDE uses AES-CBC with a 256-bit key to encrypt content. additionalContent: | ## See also - [Personal Data Encryption (PDE)](overview-pde.md) - - [Configure Personal Data Encryption (PDE) polices in Intune](configure-pde-in-intune.md) \ No newline at end of file + - [Configure Personal Data Encryption (PDE) polices in Intune](configure-pde-in-intune.md) + diff --git a/windows/security/information-protection/personal-data-encryption/includes/pde-description.md b/windows/security/information-protection/personal-data-encryption/includes/pde-description.md index 7ca7334657..2eb0fa2a66 100644 --- a/windows/security/information-protection/personal-data-encryption/includes/pde-description.md +++ b/windows/security/information-protection/personal-data-encryption/includes/pde-description.md @@ -4,24 +4,25 @@ description: Personal Data Encryption (PDE) description include file author: frankroj ms.author: frankroj -ms.reviewer: rafals +ms.reviewer: rhonnegowda manager: aaroncz ms.topic: how-to ms.prod: windows-client ms.technology: itpro-security ms.localizationpriority: medium -ms.date: 09/22/2022 +ms.date: 12/13/2022 --- + -Personal data encryption (PDE) is a security feature introduced in Windows 11, version 22H2 that provides additional encryption features to Windows. PDE differs from BitLocker in that it encrypts individual files instead of whole volumes and disks. PDE occurs in addition to other encryption methods such as BitLocker. +Personal data encryption (PDE) is a security feature introduced in Windows 11, version 22H2 that provides additional encryption features to Windows. PDE differs from BitLocker in that it encrypts individual files and content instead of whole volumes and disks. PDE occurs in addition to other encryption methods such as BitLocker. -PDE utilizes Windows Hello for Business to link data encryption keys with user credentials. This feature can minimize the number of credentials the user has to remember to gain access to files. For example, when using BitLocker with PIN, a user would need to authenticate twice - once with the BitLocker PIN and a second time with Windows credentials. This requirement requires users to remember two different credentials. With PDE, users only need to enter one set of credentials via Windows Hello for Business. +PDE utilizes Windows Hello for Business to link data encryption keys with user credentials. This feature can minimize the number of credentials the user has to remember to gain access to content. For example, when using BitLocker with PIN, a user would need to authenticate twice - once with the BitLocker PIN and a second time with Windows credentials. This requirement requires users to remember two different credentials. With PDE, users only need to enter one set of credentials via Windows Hello for Business. -PDE is also accessibility friendly. For example, The BitLocker PIN entry screen doesn't have accessibility options. PDE however uses Windows Hello for Business, which does have accessibility features. +Because PDE utilizes Windows Hello for Business, PDE is also accessibility friendly due to the accessibility features available when using Windows Hello for Business. -Unlike BitLocker that releases data encryption keys at boot, PDE doesn't release data encryption keys until a user signs in using Windows Hello for Business. Users will only be able to access their PDE encrypted files once they've signed into Windows using Windows Hello for Business. Additionally, PDE has the ability to also discard the encryption keys when the device is locked. +Unlike BitLocker that releases data encryption keys at boot, PDE doesn't release data encryption keys until a user signs in using Windows Hello for Business. Users will only be able to access their PDE protected content once they've signed into Windows using Windows Hello for Business. Additionally, PDE has the ability to also discard the encryption keys when the device is locked. > [!NOTE] -> PDE is currently only available to developers via [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). There is no user interface in Windows to either enable PDE or encrypt files via PDE. Also, although there is an MDM policy that can enable PDE, there are no MDM policies that can be used to encrypt files via PDE. +> PDE can be enabled using MDM policies. The content to be protected by PDE can be specified using [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). There is no user interface in Windows to either enable PDE or protect content using PDE. diff --git a/windows/security/information-protection/personal-data-encryption/overview-pde.md b/windows/security/information-protection/personal-data-encryption/overview-pde.md index bfb7153548..12709e8d35 100644 --- a/windows/security/information-protection/personal-data-encryption/overview-pde.md +++ b/windows/security/information-protection/personal-data-encryption/overview-pde.md @@ -3,75 +3,123 @@ title: Personal Data Encryption (PDE) description: Personal Data Encryption unlocks user encrypted files at user sign-in instead of at boot. author: frankroj ms.author: frankroj -ms.reviewer: rafals +ms.reviewer: rhonnegowda manager: aaroncz ms.topic: how-to ms.prod: windows-client ms.technology: itpro-security ms.localizationpriority: medium -ms.date: 09/22/2022 +ms.date: 12/13/2022 --- + # Personal Data Encryption (PDE) -(*Applies to: Windows 11, version 22H2 and later Enterprise and Education editions*) +**Applies to:** + +- Windows 11, version 22H2 and later Enterprise and Education editions [!INCLUDE [Personal Data Encryption (PDE) description](includes/pde-description.md)] ## Prerequisites -### **Required** - - [Azure AD joined device](/azure/active-directory/devices/concept-azure-ad-join) - - [Windows Hello for Business](../../identity-protection/hello-for-business/hello-overview.md) - - Windows 11, version 22H2 and later Enterprise and Education editions +### Required -### **Not supported with PDE** - - [FIDO/security key authentication](../../identity-protection/hello-for-business/microsoft-compatible-security-key.md) - - [Winlogon automatic restart sign-on (ARSO)](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-) - - For information on disabling ARSO via Intune, see [Disable Winlogon automatic restart sign-on (ARSO)](configure-pde-in-intune.md#disable-winlogon-automatic-restart-sign-on-arso)). - - [Windows Information Protection (WIP)](../windows-information-protection/protect-enterprise-data-using-wip.md) - - [Hybrid Azure AD joined devices](/azure/active-directory/devices/concept-azure-ad-join-hybrid) - - Remote Desktop connections +- [Azure AD joined device](/azure/active-directory/devices/concept-azure-ad-join) +- [Windows Hello for Business](../../identity-protection/hello-for-business/hello-overview.md) +- Windows 11, version 22H2 and later Enterprise and Education editions -### **Highly recommended** - - [BitLocker Drive Encryption](../bitlocker/bitlocker-overview.md) enabled - - Although PDE will work without BitLocker, it's recommended to also enable BitLocker. PDE is meant to supplement BitLocker and not replace it. - - Backup solution such as [OneDrive](/onedrive/onedrive) - - In certain scenarios such as TPM resets or destructive PIN resets, the keys used by PDE to decrypt files can be lost. In such scenarios, any file encrypted with PDE will no longer be accessible. The only way to recover such files would be from backup. - - [Windows Hello for Business PIN reset service](../../identity-protection/hello-for-business/hello-feature-pin-reset.md) - - Destructive PIN resets will cause keys used by PDE to decrypt files to be lost. The destructive PIN reset will make any file encrypted with PDE no longer accessible after a destructive PIN reset. Files encrypted with PDE will need to be recovered from a backup after a destructive PIN reset. For this reason Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets. - - [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security) - - Provides additional security when authenticating with Windows Hello for Business via biometrics or PIN - - [Kernel and user mode crash dumps disabled](/windows/client-management/mdm/policy-csp-memorydump) - - Crash dumps can potentially cause the keys used by PDE decrypt files to be exposed. For greatest security, disable kernel and user mode crash dumps. For information on disabling crash dumbs via Intune, see [Disable crash dumps](configure-pde-in-intune.md#disable-crash-dumps). - - [Hibernation disabled](/windows/client-management/mdm/policy-csp-power#power-allowhibernate) - - Hibernation files can potentially cause the keys used by PDE to decrypt files to be exposed. For greatest security, disable hibernation. For information on disabling crash dumbs via Intune, see [Disable hibernation](configure-pde-in-intune.md#disable-hibernation). +### Not supported with PDE + +- [FIDO/security key authentication](/azure/active-directory/authentication/howto-authentication-passwordless-security-key) +- [Winlogon automatic restart sign-on (ARSO)](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-) + - For information on disabling ARSO via Intune, see [Disable Winlogon automatic restart sign-on (ARSO)](configure-pde-in-intune.md#disable-winlogon-automatic-restart-sign-on-arso)). +- [Windows Information Protection (WIP)](../windows-information-protection/protect-enterprise-data-using-wip.md) +- [Hybrid Azure AD joined devices](/azure/active-directory/devices/concept-azure-ad-join-hybrid) +- Remote Desktop connections + +### Security hardening recommendations + +- [Kernel-mode crash dumps and live dumps disabled](/windows/client-management/mdm/policy-csp-memorydump#memorydump-policies) + + Kernel-mode crash dumps and live dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps. For information on disabling crash dumps and live dumps via Intune, see [Disable kernel-mode crash dumps and live dumps](configure-pde-in-intune.md#disable-kernel-mode-crash-dumps-and-live-dumps). + +- [Windows Error Reporting (WER) disabled/User-mode crash dumps disabled](/windows/client-management/mdm/policy-csp-errorreporting#errorreporting-disablewindowserrorreporting) + + Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps. For more information on disabling crash dumps via Intune, see [Disable Windows Error Reporting (WER)/Disable user-mode crash dumps](configure-pde-in-intune.md#disable-windows-error-reporting-werdisable-user-mode-crash-dumps). + +- [Hibernation disabled](/windows/client-management/mdm/policy-csp-power#power-allowhibernate) + + Hibernation files can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable hibernation. For more information on disabling crash dumps via Intune, see [Disable hibernation](configure-pde-in-intune.md#disable-hibernation). + +- [Allowing users to select when a password is required when resuming from connected standby disabled](/windows/client-management/mdm/policy-csp-admx-credentialproviders#admx-credentialproviders-allowdomaindelaylock) + + When this policy isn't configured, the outcome between on-premises Active Directory joined devices and workgroup devices, including native Azure Active Directory joined devices, is different: + + - On-premises Active Directory joined devices: + + - A user can't change the amount of time after the device´s screen turns off before a password is required when waking the device. + + - A password is required immediately after the screen turns off. + + The above is the desired outcome, but PDE isn't supported with on-premises Active Directory joined devices. + + - Workgroup devices, including native Azure AD joined devices: + + - A user on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device. + + - During the time when the screen turns off but a password isn't required, the keys used by PDE to protect content could potentially be exposed. This outcome isn't a desired outcome. + + Because of this undesired outcome, it's recommended to explicitly disable this policy on native Azure AD joined devices instead of leaving it at the default of not configured. + + For information on disabling this policy via Intune, see [Disable allowing users to select when a password is required when resuming from connected standby](configure-pde-in-intune.md#disable-allowing-users-to-select-when-a-password-is-required-when-resuming-from-connected-standby). + +### Highly recommended + +- [BitLocker Drive Encryption](../bitlocker/bitlocker-overview.md) enabled + + Although PDE will work without BitLocker, it's recommended to also enable BitLocker. PDE is meant to work alongside BitLocker for increased security. PDE isn't a replacement for BitLocker. + +- Backup solution such as [OneDrive in Microsoft 365](/sharepoint/onedrive-overview) + + In certain scenarios such as TPM resets or destructive PIN resets, the keys used by PDE to protect content will be lost. In such scenarios, any content protected with PDE will no longer be accessible. The only way to recover such content would be from backup. + +- [Windows Hello for Business PIN reset service](../../identity-protection/hello-for-business/hello-feature-pin-reset.md) + + Destructive PIN resets will cause keys used by PDE to protect content to be lost. The destructive PIN reset will make any content protected with PDE no longer accessible after a destructive PIN reset. Content protected with PDE will need to be recovered from a backup after a destructive PIN reset. For this reason Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets. + +- [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security) + + Provides additional security when authenticating with Windows Hello for Business via biometrics or PIN ## PDE protection levels -PDE uses AES-CBC with a 256-bit key to encrypt files and offers two levels of protection. The level of protection is determined based on the organizational needs. These levels can be set via the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). +PDE uses AES-CBC with a 256-bit key to protect content and offers two levels of protection. The level of protection is determined based on the organizational needs. These levels can be set via the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). | Item | Level 1 | Level 2 | |---|---|---| -| Data is accessible when user is signed in | Yes | Yes | -| Data is accessible when user has locked their device | Yes | No | -| Data is accessible after user signs out | No | No | -| Data is accessible when device is shut down | No | No | -| Decryption keys discarded | After user signs out | After user locks device or signs out | +| PDE protected data accessible when user has signed in via Windows Hello for Business | Yes | Yes | +| PDE protected data is accessible at Windows lock screen | Yes | Data is accessible for one minute after lock, then it's no longer available | +| PDE protected data is accessible after user signs out of Windows | No | No | +| PDE protected data is accessible when device is shut down | No | No | +| PDE protected data is accessible via UNC paths | No | No | +| PDE protected data is accessible when signing with Windows password instead of Windows Hello for Business | No | No | +| PDE protected data is accessible via Remote Desktop session | No | No | +| Decryption keys used by PDE discarded | After user signs out of Windows | One minute after Windows lock screen is engaged or after user signs out of Windows | -## PDE encrypted files accessibility +## PDE protected content accessibility -When a file is encrypted with PDE, its icon will show a padlock. If the user hasn't signed in locally with Windows Hello for Business or an unauthorized user attempts to access a PDE encrypted file, they'll be denied access to the file. +When a file is protected with PDE, its icon will show a padlock. If the user hasn't signed in locally with Windows Hello for Business or an unauthorized user attempts to access PDE protected content, they'll be denied access to the content. -Scenarios where a user will be denied access to a PDE encrypted file include: +Scenarios where a user will be denied access to PDE protected content include: - User has signed into Windows via a password instead of signing in with Windows Hello for Business biometric or PIN. -- If specified via level 2 protection, when the device is locked. -- When trying to access files on the device remotely. For example, UNC network paths. +- If protected via level 2 protection, when the device is locked. +- When trying to access content on the device remotely. For example, UNC network paths. - Remote Desktop sessions. -- Other users on the device who aren't owners of the file, even if they're signed in via Windows Hello for Business and have permissions to navigate to the PDE encrypted files. +- Other users on the device who aren't owners of the content, even if they're signed in via Windows Hello for Business and have permissions to navigate to the PDE protected content. ## How to enable PDE @@ -85,55 +133,83 @@ To enable PDE on devices, push an MDM policy to the devices with the following p There's also a [PDE CSP](/windows/client-management/mdm/personaldataencryption-csp) available for MDM solutions that support it. > [!NOTE] -> Enabling the PDE policy on devices only enables the PDE feature. It does not encrypt any files. To encrypt files, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager) to create custom applications and scripts to specify which files to encrypt and at what level to encrypt the files. Additionally, files will not encrypt via the APIs until this policy has been enabled. +> Enabling the PDE policy on devices only enables the PDE feature. It does not protect any content. To protect content via PDE, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). The PDE APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the PDE APIs can't be used to protect content until the PDE policy has been enabled. For information on enabling PDE via Intune, see [Enable Personal Data Encryption (PDE)](configure-pde-in-intune.md#enable-personal-data-encryption-pde). ## Differences between PDE and BitLocker +PDE is meant to work alongside BitLocker. PDE isn't a replacement for BitLocker, nor is BitLocker a replacement for PDE. Using both features together provides better security than using either BitLocker or PDE alone. However there are differences between BitLocker and PDE and how they work. These differences are why using them together offers better security. + | Item | PDE | BitLocker | |--|--|--| -| Release of key | At user sign-in via Windows Hello for Business | At boot | -| Keys discarded | At user sign-out | At reboot | -| Files encrypted | Individual specified files | Entire volume/drive | -| Authentication to access encrypted file | Windows Hello for Business | When BitLocker with PIN is enabled, BitLocker PIN plus Windows sign in | -| Accessibility | Windows Hello for Business is accessibility friendly | BitLocker with PIN doesn't have accessibility features | +| Release of decryption key | At user sign-in via Windows Hello for Business | At boot | +| Decryption keys discarded | When user signs out of Windows or one minute after Windows lock screen is engaged | At reboot | +| Files protected | Individual specified files | Entire volume/drive | +| Authentication to access protected content | Windows Hello for Business | When BitLocker with TPM + PIN is enabled, BitLocker PIN plus Windows sign-in | ## Differences between PDE and EFS -The main difference between encrypting files with PDE instead of EFS is the method they use to encrypt the file. PDE uses Windows Hello for Business to secure the keys to decrypt the files. EFS uses certificates to secure and encrypt the files. +The main difference between protecting files with PDE instead of EFS is the method they use to protect the file. PDE uses Windows Hello for Business to secure the keys that protect the files. EFS uses certificates to secure and protect the files. -To see if a file is encrypted with PDE or EFS: +To see if a file is protected with PDE or with EFS: 1. Open the properties of the file 2. Under the **General** tab, select **Advanced...** 3. In the **Advanced Attributes** windows, select **Details** -For PDE encrypted files, under **Protection status:** there will be an item listed as **Personal Data Encryption is:** and it will have the attribute of **On**. +For PDE protected files, under **Protection status:** there will be an item listed as **Personal Data Encryption is:** and it will have the attribute of **On**. -For EFS encrypted files, under **Users who can access this file:**, there will be a **Certificate thumbprint** next to the users with access to the file. There will also be a section at the bottom labeled **Recovery certificates for this file as defined by recovery policy:**. +For EFS protected files, under **Users who can access this file:**, there will be a **Certificate thumbprint** next to the users with access to the file. There will also be a section at the bottom labeled **Recovery certificates for this file as defined by recovery policy:**. -Encryption information including what encryption method is being used can be obtained with the command line `cipher.exe /c` command. +Encryption information including what encryption method is being used to protect the file can be obtained with the [cipher.exe /c](/windows-server/administration/windows-commands/cipher) command. -## Disable PDE and decrypt files +## Disable PDE and decrypt content -Currently there's no method to disable PDE via MDM policy. However, in certain scenarios PDE encrypted files can be decrypted using `cipher.exe` using the following steps: +Once PDE is enabled, it isn't recommended to disable it. However if PDE does need to be disabled, it can be done so via the MDM policy described in the section [How to enable PDE](#how-to-enable-pde). The value of the OMA-URI needs to be changed from **`1`** to **`0`** as follows: + +- Name: **Personal Data Encryption** +- OMA-URI: **./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption** +- Data type: **Integer** +- Value: **0** + +Disabling PDE doesn't decrypt any PDE protected content. It only prevents the PDE API from being able to protect any additional content. PDE protected files can be manually decrypted using the following steps: 1. Open the properties of the file 2. Under the **General** tab, select **Advanced...** 3. Uncheck the option **Encrypt contents to secure data** 4. Select **OK**, and then **OK** again -> [!Important] -> Once a user selects to manually decrypt a file, they will not be able to manually encrypt the file again. +PDE protected files can also be decrypted using [cipher.exe](/windows-server/administration/windows-commands/cipher). Using `cipher.exe` can be helpful to decrypt files in the following scenarios: + +- Decrypting a large number of files on a device +- Decrypting files on a large number of devices. + +To decrypt files on a device using `cipher.exe`: + +- Decrypt all files under a directory including subdirectories: + + ```cmd + cipher.exe /d /s: + ``` + +- Decrypt a single file or all of the files in the specified directory, but not any subdirectories: + + ```cmd + cipher.exe /d + ``` + +> [!IMPORTANT] +> Once a user selects to manually decrypt a file, the user will not be able to manually protect the file again using PDE. ## Windows out of box applications that support PDE Certain Windows applications support PDE out of the box. If PDE is enabled on a device, these applications will utilize PDE. - Mail - - Supports encrypting both email bodies and attachments + - Supports protecting both email bodies and attachments ## See also + - [Personal Data Encryption (PDE) FAQ](faq-pde.yml) - [Configure Personal Data Encryption (PDE) polices in Intune](configure-pde-in-intune.md) diff --git a/windows/security/information-protection/pluton/microsoft-pluton-security-processor.md b/windows/security/information-protection/pluton/microsoft-pluton-security-processor.md index 3939be9c9d..5274334565 100644 --- a/windows/security/information-protection/pluton/microsoft-pluton-security-processor.md +++ b/windows/security/information-protection/pluton/microsoft-pluton-security-processor.md @@ -7,12 +7,11 @@ author: vinaypamnani-msft ms.author: vinpa manager: aaroncz ms.localizationpriority: medium -ms.collection: - - M365-security-compliance ms.topic: conceptual ms.date: 09/15/2022 appliesto: - ✅ Windows 11, version 22H2 +ms.technology: itpro-security --- # Microsoft Pluton security processor diff --git a/windows/security/information-protection/pluton/pluton-as-tpm.md b/windows/security/information-protection/pluton/pluton-as-tpm.md index 2eba011694..a51ef6db48 100644 --- a/windows/security/information-protection/pluton/pluton-as-tpm.md +++ b/windows/security/information-protection/pluton/pluton-as-tpm.md @@ -7,12 +7,11 @@ author: vinaypamnani-msft ms.author: vinpa manager: aaroncz ms.localizationpriority: medium -ms.collection: - - M365-security-compliance ms.topic: conceptual ms.date: 09/15/2022 appliesto: - ✅ Windows 11, version 22H2 +ms.technology: itpro-security --- # Microsoft Pluton as Trusted Platform Module diff --git a/windows/security/information-protection/secure-the-windows-10-boot-process.md b/windows/security/information-protection/secure-the-windows-10-boot-process.md index fec7e2f25b..edec923f61 100644 --- a/windows/security/information-protection/secure-the-windows-10-boot-process.md +++ b/windows/security/information-protection/secure-the-windows-10-boot-process.md @@ -6,11 +6,11 @@ ms.localizationpriority: medium author: dansimp manager: aaroncz ms.collection: - - M365-security-compliance - highpri ms.topic: conceptual ms.date: 05/12/2022 ms.author: dansimp +ms.technology: itpro-security --- # Secure the Windows boot process diff --git a/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md b/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md index 88de60b907..5545248585 100644 --- a/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md +++ b/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md @@ -6,9 +6,9 @@ ms.prod: windows-client author: dansimp ms.author: dansimp manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/03/2021 +ms.technology: itpro-security --- # Back up the TPM recovery information to AD DS diff --git a/windows/security/information-protection/tpm/change-the-tpm-owner-password.md b/windows/security/information-protection/tpm/change-the-tpm-owner-password.md index 16f70af2df..5fabd8a69f 100644 --- a/windows/security/information-protection/tpm/change-the-tpm-owner-password.md +++ b/windows/security/information-protection/tpm/change-the-tpm-owner-password.md @@ -6,9 +6,9 @@ ms.prod: windows-client author: dansimp ms.author: dansimp manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 01/18/2022 +ms.technology: itpro-security --- # Change the TPM owner password diff --git a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md index 8dac1018ca..df275cf0b3 100644 --- a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md +++ b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md @@ -7,10 +7,9 @@ ms.localizationpriority: medium author: dansimp ms.author: dansimp manager: aaroncz -ms.collection: - - M365-security-compliance ms.topic: conceptual ms.date: 09/03/2021 +ms.technology: itpro-security --- # How Windows uses the Trusted Platform Module diff --git a/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md b/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md index f0ed4e0e7e..dc54432a56 100644 --- a/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md +++ b/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md @@ -7,10 +7,10 @@ author: dansimp ms.author: dansimp manager: aaroncz ms.collection: - - M365-security-compliance - highpri ms.topic: conceptual ms.date: 09/06/2021 +ms.technology: itpro-security --- # Troubleshoot the TPM @@ -38,35 +38,35 @@ Starting with Windows 10 and Windows 11, the operating system automatically init ## Troubleshoot TPM initialization -If you find that Windows is not able to initialize the TPM automatically, review the following information: +If you find that Windows isn't able to initialize the TPM automatically, review the following information: - You can try clearing the TPM to the factory default values and allowing Windows to re-initialize it. For important precautions for this process, and instructions for completing it, see [Clear all the keys from the TPM](#clear-all-the-keys-from-the-tpm), later in this article. -- If the TPM is a TPM 2.0 and is not detected by Windows, verify that your computer hardware contains a Unified Extensible Firmware Interface (UEFI) that is Trusted Computing Group-compliant. Also, ensure that in the UEFI settings, the TPM has not been disabled or hidden from the operating system. +- If the TPM is a TPM 2.0 and isn't detected by Windows, verify that your computer hardware contains a Unified Extensible Firmware Interface (UEFI) that is Trusted Computing Group-compliant. Also, ensure that in the UEFI settings, the TPM hasn't been disabled or hidden from the operating system. -- If you have TPM 1.2 with Windows 10, version 1507 or 1511, or Windows 11, the TPM might be turned off, and need to be turned back on, as described in [Turn on the TPM](#turn-on-the-tpm). When it is turned back on, Windows will re-initialize it. +- If you have TPM 1.2 with Windows 10, version 1507 or 1511, or Windows 11, the TPM might be turned off, and need to be turned back on, as described in [Turn on the TPM](#turn-on-the-tpm). When it's turned back on, Windows will re-initialize it. -- If you are attempting to set up BitLocker with the TPM, check which TPM driver is installed on the computer. We recommend always using one of the TPM drivers that is provided by Microsoft and is protected with BitLocker. If a non-Microsoft TPM driver is installed, it may prevent the default TPM driver from loading and cause BitLocker to report that a TPM is not present on the computer. If you have a non-Microsoft driver installed, remove it and then allow the operating system to initialize the TPM. +- If you're attempting to set up BitLocker with the TPM, check which TPM driver is installed on the computer. We recommend always using one of the TPM drivers that is provided by Microsoft and is protected with BitLocker. If a non-Microsoft TPM driver is installed, it may prevent the default TPM driver from loading and cause BitLocker to report that a TPM isn't present on the computer. If you have a non-Microsoft driver installed, remove it and then allow the operating system to initialize the TPM. ### Troubleshoot network connection issues for Windows 10, versions 1507 and 1511, or Windows 11 -If you have Windows 10, version 1507 or 1511, or Windows 11, the initialization of the TPM cannot complete when your computer has network connection issues and both of the following conditions exist: +If you have Windows 10, version 1507 or 1511, or Windows 11, the initialization of the TPM can't complete when your computer has network connection issues and both of the following conditions exist: - An administrator has configured your computer to require that TPM recovery information be saved in Active Directory Domain Services (AD DS). This requirement can be configured through Group Policy. -- A domain controller cannot be reached. This can occur on a computer that is currently disconnected from the network, separated from the domain by a firewall, or experiencing a network component failure (such as an unplugged cable or a faulty network adapter). +- A domain controller can't be reached. This can occur on a computer that is currently disconnected from the network, separated from the domain by a firewall, or experiencing a network component failure (such as an unplugged cable or a faulty network adapter). -If these issues occur, an error message appears, and you cannot complete the initialization process. To avoid this issue, allow Windows to initialize the TPM while you are connected to the corporate network and you can contact a domain controller. +If these issues occur, an error message appears, and you can't complete the initialization process. To avoid this issue, allow Windows to initialize the TPM while you're connected to the corporate network and you can contact a domain controller. ### Troubleshoot systems with multiple TPMs Some systems may have multiple TPMs and the active TPM may be toggled in UEFI. Windows does not support this behavior. If you switch TPMs, Windows might not properly detect or interact with the new TPM. If you plan to switch TPMs you should toggle to the new TPM, clear it, and reinstall Windows. For more information, see [Clear all the keys from the TPM](#clear-all-the-keys-from-the-tpm), later in this article. -For example, toggling TPMs will cause BitLocker to enter recovery mode. We strongly recommend that, on systems with two TPMs, one TPM is selected to be used and the selection is not changed. +For example, toggling TPMs will cause BitLocker to enter recovery mode. We strongly recommend that, on systems with two TPMs, one TPM is selected to be used and the selection isn't changed. ## Clear all the keys from the TPM -You can use the Windows Defender Security Center app to clear the TPM as a troubleshooting step, or as a final preparation before a clean installation of a new operating system. Preparing for a clean installation in this way helps ensure that the new operating system can fully deploy any TPM-based functionality that it includes, such as attestation. However, even if the TPM is not cleared before a new operating system is installed, most TPM functionality will probably work correctly. +You can use the Windows Defender Security Center app to clear the TPM as a troubleshooting step, or as a final preparation before a clean installation of a new operating system. Preparing for a clean installation in this way helps ensure that the new operating system can fully deploy any TPM-based functionality that it includes, such as attestation. However, even if the TPM isn't cleared before a new operating system is installed, most TPM functionality will probably work correctly. Clearing the TPM resets it to an unowned state. After you clear the TPM, the Windows operating system will automatically re-initialize it and take ownership again. @@ -77,13 +77,13 @@ Clearing the TPM resets it to an unowned state. After you clear the TPM, the Win Clearing the TPM can result in data loss. To protect against such loss, review the following precautions: -- Clearing the TPM causes you to lose all created keys associated with the TPM, and data protected by those keys, such as a virtual smart card or a sign in PIN. Make sure that you have a backup and recovery method for any data that is protected or encrypted by the TPM. +- Clearing the TPM causes you to lose all created keys associated with the TPM, and data protected by those keys, such as a virtual smart card or a sign-in PIN. Make sure that you have a backup and recovery method for any data that is protected or encrypted by the TPM. -- Do not clear the TPM on a device you do not own, such as a work or school PC, without being instructed to do so by your IT administrator. +- Don't clear the TPM on a device you don't own, such as a work or school PC, without being instructed to do so by your IT administrator. - If you want to temporarily suspend TPM operations and you have TPM 1.2 with Windows 10, version 1507 or 1511, or Windows 11, you can turn off the TPM. For more information, see [Turn off the TPM](#turn-off-the-tpm), later in this article. -- Always use functionality in the operating system (such as TPM.msc) to the clear the TPM. Do not clear the TPM directly from UEFI. +- Always use functionality in the operating system (such as TPM.msc) to the clear the TPM. Don't clear the TPM directly from UEFI. - Because your TPM security hardware is a physical part of your computer, before clearing the TPM, you might want to read the manuals or instructions that came with your computer, or search the manufacturer's website. @@ -107,7 +107,7 @@ Membership in the local Administrators group, or equivalent, is the minimum requ ## Turn on or turn off the TPM (available only with TPM 1.2 with Windows 10, version 1507 and higher) -Normally, the TPM is turned on as part of the TPM initialization process. You do not normally need to turn the TPM on or off. However, if necessary you can do so by using the TPM MMC. +Normally, the TPM is turned on as part of the TPM initialization process. You don't normally need to turn the TPM on or off. However, if necessary you can do so by using the TPM MMC. ### Turn on the TPM @@ -121,7 +121,7 @@ If you want to use the TPM after you have turned it off, you can use the followi 3. Select **Shutdown** (or **Restart**), and then follow the UEFI screen prompts. - After the computer restarts, but before you sign in to Windows, you will be prompted to accept the reconfiguration of the TPM. This ensures that the user has physical access to the computer and that malicious software is not attempting to make changes to the TPM. + After the computer restarts, but before you sign in to Windows, you will be prompted to accept the reconfiguration of the TPM. This ensures that the user has physical access to the computer and that malicious software isn't attempting to make changes to the TPM. ### Turn off the TPM @@ -137,9 +137,9 @@ If you want to stop using the services that are provided by the TPM, you can use - If you saved your TPM owner password on a removable storage device, insert it, and then select **I have the owner password file**. In the **Select backup file with the TPM owner password** dialog box, select **Browse** to locate the .tpm file that is saved on your removable storage device, select **Open**, and then select **Turn TPM Off**. - - If you do not have the removable storage device with your saved TPM owner password, select **I want to enter the password**. In the **Type your TPM owner password** dialog box, type your password (including hyphens), and then select **Turn TPM Off**. + - If you don't have the removable storage device with your saved TPM owner password, select **I want to enter the password**. In the **Type your TPM owner password** dialog box, type your password (including hyphens), and then select **Turn TPM Off**. - - If you did not save your TPM owner password or no longer know it, select **I do not have the TPM owner password**, and follow the instructions that are provided in the dialog box and subsequent UEFI screens to turn off the TPM without entering the password. + - If you didn't save your TPM owner password or no longer know it, select **I do not have the TPM owner password**, and follow the instructions that are provided in the dialog box and subsequent UEFI screens to turn off the TPM without entering the password. ## Use the TPM cmdlets diff --git a/windows/security/information-protection/tpm/manage-tpm-commands.md b/windows/security/information-protection/tpm/manage-tpm-commands.md index fabbf667ac..1ec4c72de8 100644 --- a/windows/security/information-protection/tpm/manage-tpm-commands.md +++ b/windows/security/information-protection/tpm/manage-tpm-commands.md @@ -5,10 +5,9 @@ ms.author: dansimp ms.prod: windows-client author: dulcemontemayor manager: aaroncz -ms.collection: - - M365-security-compliance ms.topic: conceptual ms.date: 09/06/2021 +ms.technology: itpro-security --- # Manage TPM commands diff --git a/windows/security/information-protection/tpm/manage-tpm-lockout.md b/windows/security/information-protection/tpm/manage-tpm-lockout.md index ab7e5f71c9..b348034a8d 100644 --- a/windows/security/information-protection/tpm/manage-tpm-lockout.md +++ b/windows/security/information-protection/tpm/manage-tpm-lockout.md @@ -6,9 +6,9 @@ ms.author: dansimp ms.prod: windows-client author: dulcemontemayor manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/06/2021 +ms.technology: itpro-security --- # Manage TPM lockout diff --git a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md index 81449edff3..34b14b5105 100644 --- a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md +++ b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md @@ -6,10 +6,9 @@ ms.prod: windows-client author: dansimp ms.author: dansimp manager: aaroncz -ms.collection: - - M365-security-compliance ms.topic: conceptual ms.date: 09/06/2021 +ms.technology: itpro-security --- # Understanding PCR banks on TPM 2.0 devices diff --git a/windows/security/information-protection/tpm/tpm-fundamentals.md b/windows/security/information-protection/tpm/tpm-fundamentals.md index 84966ce948..60e31fc6af 100644 --- a/windows/security/information-protection/tpm/tpm-fundamentals.md +++ b/windows/security/information-protection/tpm/tpm-fundamentals.md @@ -6,10 +6,9 @@ ms.prod: windows-client author: dansimp ms.author: dansimp manager: aaroncz -ms.collection: - - M365-security-compliance ms.topic: conceptual ms.date: 12/27/2021 +ms.technology: itpro-security --- # TPM fundamentals diff --git a/windows/security/information-protection/tpm/tpm-recommendations.md b/windows/security/information-protection/tpm/tpm-recommendations.md index 816f36c806..aab2d0711e 100644 --- a/windows/security/information-protection/tpm/tpm-recommendations.md +++ b/windows/security/information-protection/tpm/tpm-recommendations.md @@ -8,10 +8,10 @@ author: dansimp ms.author: dansimp manager: aaroncz ms.collection: - - M365-security-compliance - highpri ms.topic: conceptual ms.date: 09/06/2021 +ms.technology: itpro-security --- # TPM recommendations diff --git a/windows/security/information-protection/tpm/trusted-platform-module-overview.md b/windows/security/information-protection/tpm/trusted-platform-module-overview.md index 8a21a83f1c..f768669a7c 100644 --- a/windows/security/information-protection/tpm/trusted-platform-module-overview.md +++ b/windows/security/information-protection/tpm/trusted-platform-module-overview.md @@ -8,10 +8,11 @@ author: dansimp ms.author: dansimp manager: aaroncz ms.collection: - - M365-security-compliance - highpri ms.topic: conceptual adobe-target: true +ms.technology: itpro-security +ms.date: 12/31/2017 --- # Trusted Platform Module Technology Overview @@ -19,8 +20,9 @@ adobe-target: true **Applies to** - Windows 11 - Windows 10 -- Windows Server 2016 +- Windows Server 2022 - Windows Server 2019 +- Windows Server 2016 This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication. @@ -73,15 +75,14 @@ Some things that you can check on the device are: - Is SecureBoot supported and enabled? > [!NOTE] -> Windows 11, Windows 10, Windows Server 2016, and Windows Server 2019 support Device Health Attestation with TPM 2.0. Support for TPM 1.2 was added beginning with Windows version 1607 (RS1). TPM 2.0 requires UEFI firmware. A computer with legacy BIOS and TPM 2.0 won't work as expected. +> Windows 11, Windows 10, Windows Server 2016, and Windows Server 2019 support Device Health Attestation with TPM 2.0. Support for TPM 1.2 was added beginning with Windows 10, version 1607. TPM 2.0 requires UEFI firmware. A computer with legacy BIOS and TPM 2.0 won't work as expected. ## Supported versions for device health attestation -| TPM version | Windows 11 | Windows 10 | Windows Server 2016 | Windows Server 2019 | -|-------------|-------------|-------------|---------------------|---------------------| -| TPM 1.2 | | >= ver 1607 | >= ver 1607 | Yes | -| TPM 2.0 | Yes | Yes | Yes | Yes | - +| TPM version | Windows 11 | Windows 10 | Windows Server 2022 | Windows Server 2019 | Windows Server 2016 | +|-------------|-------------|-------------|---------------------|---------------------|---------------------| +| TPM 1.2 | | >= ver 1607 | | Yes | >= ver 1607 | +| TPM 2.0 | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** | ## Related topics diff --git a/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md b/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md index d81a34cdbe..b6ff1df198 100644 --- a/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md +++ b/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md @@ -6,10 +6,9 @@ ms.prod: windows-client author: dansimp ms.author: dansimp manager: aaroncz -ms.collection: - - M365-security-compliance ms.topic: conceptual ms.date: 09/06/2021 +ms.technology: itpro-security --- # TPM Group Policy settings diff --git a/windows/security/information-protection/tpm/trusted-platform-module-top-node.md b/windows/security/information-protection/tpm/trusted-platform-module-top-node.md index dc338ea85c..300fe10913 100644 --- a/windows/security/information-protection/tpm/trusted-platform-module-top-node.md +++ b/windows/security/information-protection/tpm/trusted-platform-module-top-node.md @@ -7,10 +7,10 @@ author: dansimp ms.author: dansimp manager: aaroncz ms.collection: - - M365-security-compliance - highpri ms.topic: conceptual ms.date: 09/06/2021 +ms.technology: itpro-security --- # Trusted Platform Module diff --git a/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md b/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md index 16301e0592..7f88cdd683 100644 --- a/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md +++ b/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md @@ -6,10 +6,10 @@ ms.localizationpriority: medium author: dansimp ms.author: dansimp manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 02/26/2019 ms.reviewer: +ms.technology: itpro-security --- # Unenlightened and enlightened app behavior while using Windows Information Protection (WIP) diff --git a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md index 19987b59ef..191ef91d6d 100644 --- a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md +++ b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md @@ -6,10 +6,10 @@ ms.localizationpriority: medium author: dansimp ms.author: dansimp manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 02/26/2019 ms.reviewer: +ms.technology: itpro-security --- # How to collect Windows Information Protection (WIP) audit event logs diff --git a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md index 452dcc0cac..e2a7ffaa5f 100644 --- a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md +++ b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md @@ -7,9 +7,9 @@ author: aczechowski ms.author: aaroncz manager: dougeby ms.reviewer: rafals -ms.collection: M365-security-compliance ms.topic: how-to ms.date: 07/15/2022 +ms.technology: itpro-security --- # Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate diff --git a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md index 84d2cbd34e..12fd396283 100644 --- a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md @@ -6,10 +6,10 @@ ms.localizationpriority: medium author: dansimp ms.author: dansimp manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 02/26/2019 ms.reviewer: +ms.technology: itpro-security --- # Associate and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md index a5f4831ea5..1cab70ff7c 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md @@ -7,9 +7,9 @@ author: aczechowski ms.author: aaroncz manager: dougeby ms.reviewer: rafals -ms.collection: M365-security-compliance ms.topic: how-to ms.date: 07/15/2022 +ms.technology: itpro-security --- # Create and deploy a Windows Information Protection policy in Configuration Manager diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index 55a76f28af..d60c78b01f 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -6,9 +6,9 @@ author: aczechowski ms.author: aaroncz manager: dougeby ms.reviewer: rafals -ms.collection: M365-security-compliance ms.topic: how-to ms.date: 07/15/2022 +ms.technology: itpro-security --- # Create a Windows Information Protection policy in Microsoft Intune diff --git a/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md index 9a285c4817..81feca58e9 100644 --- a/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md @@ -6,10 +6,10 @@ ms.localizationpriority: medium author: dansimp ms.author: dansimp manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 03/05/2019 ms.reviewer: +ms.technology: itpro-security --- # Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune diff --git a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md index 7960ef2c04..6aed7ca98e 100644 --- a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md +++ b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md @@ -7,9 +7,9 @@ ms.localizationpriority: medium author: dansimp ms.author: dansimp manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 05/02/2019 +ms.technology: itpro-security --- # List of enlightened Microsoft apps for use with Windows Information Protection (WIP) diff --git a/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md b/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md index 3c84852f67..52fa03b931 100644 --- a/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md +++ b/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md @@ -7,9 +7,9 @@ ms.localizationpriority: medium author: dansimp ms.author: dansimp manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 02/26/2019 +ms.technology: itpro-security --- # General guidance and best practices for Windows Information Protection (WIP) diff --git a/windows/security/information-protection/windows-information-protection/how-to-disable-wip.md b/windows/security/information-protection/windows-information-protection/how-to-disable-wip.md index a37766ca18..8356183a84 100644 --- a/windows/security/information-protection/windows-information-protection/how-to-disable-wip.md +++ b/windows/security/information-protection/windows-information-protection/how-to-disable-wip.md @@ -9,6 +9,7 @@ author: lizgt2000 ms.author: lizlong ms.reviewer: aaroncz manager: dougeby +ms.technology: itpro-security --- # How to disable Windows Information Protection (WIP) diff --git a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md index 1679964f76..db34a870d4 100644 --- a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md +++ b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md @@ -6,10 +6,10 @@ author: aczechowski ms.author: aaroncz manager: dougeby ms.reviewer: rafals -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/05/2019 ms.localizationpriority: medium +ms.technology: itpro-security --- # Limitations while using Windows Information Protection (WIP) diff --git a/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md b/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md index 1bb878384d..ac3cd3b1cc 100644 --- a/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md +++ b/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md @@ -6,10 +6,10 @@ ms.localizationpriority: medium author: dansimp ms.author: dansimp manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 05/25/2022 ms.reviewer: +ms.technology: itpro-security --- # Mandatory tasks and settings required to turn on Windows Information Protection (WIP) diff --git a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md index e2f1e9a416..2f0636e228 100644 --- a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md +++ b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md @@ -7,9 +7,9 @@ ms.localizationpriority: medium author: dansimp ms.author: dansimp manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 02/26/2019 +ms.technology: itpro-security --- # Create a Windows Information Protection (WIP) policy using Microsoft Configuration Manager diff --git a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md index 6a28d6795c..a1b100e968 100644 --- a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md +++ b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md @@ -7,9 +7,9 @@ ms.localizationpriority: medium author: dansimp ms.author: dansimp manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 03/11/2019 +ms.technology: itpro-security --- # Create a Windows Information Protection (WIP) policy using Microsoft Intune diff --git a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md index f73f212820..39b0e027de 100644 --- a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md +++ b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md @@ -7,10 +7,9 @@ author: aczechowski ms.author: aaroncz manager: dougeby ms.reviewer: rafals -ms.collection: - - M365-security-compliance ms.topic: overview ms.date: 07/15/2022 +ms.technology: itpro-security --- # Protect your enterprise data using Windows Information Protection (WIP) diff --git a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md index cf10227eb8..a27c24da1d 100644 --- a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md +++ b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md @@ -6,10 +6,10 @@ ms.localizationpriority: medium author: dansimp ms.author: dansimp manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 03/25/2019 ms.reviewer: +ms.technology: itpro-security --- # Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP) diff --git a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md index 7115c88cc2..6efe96a30e 100644 --- a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md +++ b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md @@ -7,9 +7,9 @@ ms.localizationpriority: medium author: dansimp ms.author: dansimp manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 03/05/2019 +ms.technology: itpro-security --- # Testing scenarios for Windows Information Protection (WIP) diff --git a/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md b/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md index bff685e23b..1be650dda0 100644 --- a/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md +++ b/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md @@ -6,10 +6,10 @@ ms.localizationpriority: medium author: dansimp ms.author: dansimp manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 02/26/2019 ms.reviewer: +ms.technology: itpro-security --- # Using Outlook on the web with Windows Information Protection (WIP) diff --git a/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md b/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md index 554b5b2662..670283c970 100644 --- a/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md +++ b/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md @@ -6,10 +6,10 @@ ms.localizationpriority: medium author: dansimp ms.author: dansimp manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 02/26/2019 ms.reviewer: +ms.technology: itpro-security --- # Determine the Enterprise Context of an app running in Windows Information Protection (WIP) diff --git a/windows/security/information-protection/windows-information-protection/wip-learning.md b/windows/security/information-protection/windows-information-protection/wip-learning.md index f5d1914f60..6b8c5f1841 100644 --- a/windows/security/information-protection/windows-information-protection/wip-learning.md +++ b/windows/security/information-protection/windows-information-protection/wip-learning.md @@ -7,9 +7,9 @@ ms.localizationpriority: medium author: aczechowski ms.author: aaroncz manager: dougeby -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 02/26/2019 +ms.technology: itpro-security --- # Fine-tune Windows Information Protection (WIP) with WIP Learning diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index d2b9b2ae9c..5a71a44832 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -6,7 +6,6 @@ ms.topic: article manager: aaroncz ms.author: paoloma author: paolomatarazzo -ms.collection: M365-security-compliance ms.prod: windows-client ms.technology: itpro-security ms.date: 09/21/2021 diff --git a/windows/security/security-foundations.md b/windows/security/security-foundations.md index d49045d449..ceed1cb436 100644 --- a/windows/security/security-foundations.md +++ b/windows/security/security-foundations.md @@ -3,21 +3,20 @@ title: Windows security foundations description: Get an overview of security foundations, including the security development lifecycle, common criteria, and the bug bounty program. ms.reviewer: ms.topic: article -manager: aaroncz ms.author: paoloma author: paolomatarazzo -ms.collection: M365-security-compliance ms.prod: windows-client ms.technology: itpro-security +ms.date: 12/31/2017 --- # Windows security foundations Microsoft is committed to continuously invest in improving our software development process, building highly secure-by-design software, and addressing security compliance requirements. At Microsoft, we embed security and privacy considerations from the earliest life-cycle phases of all our software development processes. We build in security from the ground for powerful defense in today’s threat environment. -Our strong security foundation uses Microsoft Security Development Lifecycle (SDL) Bug Bounty, support for product security standards and certifications, and Azure Code signing. As a result, we improve security by producing software with fewer defects and vulnerabilities instead of relying on applying updates after vulnerabilities have been identified. +Our strong security foundation uses Microsoft Security Development Lifecycle (SDL) Bug Bounty, support for product security standards and certifications, and Azure Code signing. As a result, we improve security by producing software with fewer defects and vulnerabilities instead of relying on applying updates after vulnerabilities have been identified. -Use the links in the following table to learn more about the security foundations:

                              +Use the links in the following table to learn more about the security foundations: | Concept | Description | |:---|:---| @@ -25,6 +24,3 @@ Use the links in the following table to learn more about the security foundation | Common Criteria Certifications | Microsoft supports the Common Criteria certification program, ensures that products incorporate the features and functions required by relevant Common Criteria Protection Profiles, and completes Common Criteria certifications of Microsoft Windows products.

                              Learn more about [Common Criteria Certifications](threat-protection/windows-platform-common-criteria.md). | | Microsoft Security Development Lifecycle | The Security Development Lifecycle (SDL) is a security assurance process that is focused on software development. The SDL has played a critical role in embedding security and privacy in software and culture at Microsoft.

                              Learn more about [Microsoft SDL](threat-protection/msft-security-dev-lifecycle.md).| | Microsoft Bug Bounty Program | If you find a vulnerability in a Microsoft product, service, or device, we want to hear from you! If your vulnerability report affects a product or service that is within scope of one of our bounty programs below, you could receive a bounty award according to the program descriptions.

                              Learn more about the [Microsoft Bug Bounty Program](https://www.microsoft.com/en-us/msrc/bounty?rtc=1). | - - - diff --git a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md index 54ddd26b54..b4b43624b2 100644 --- a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md +++ b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md @@ -12,7 +12,6 @@ ms.localizationpriority: none author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/06/2021 ms.technology: itpro-security @@ -172,4 +171,8 @@ Resource SACLs are also useful for diagnostic scenarios. For example, administra This category includes the following subcategories: - [File System (Global Object Access Auditing)](file-system-global-object-access-auditing.md) -- [Registry (Global Object Access Auditing)](registry-global-object-access-auditing.md) \ No newline at end of file +- [Registry (Global Object Access Auditing)](registry-global-object-access-auditing.md) + +## Related topics + +- [Basic security audit policy settings](basic-security-audit-policy-settings.md) diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml index f7e415c185..9b46b2d3a3 100644 --- a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml +++ b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml @@ -1,17 +1,14 @@ ### YamlMime:FAQ metadata: - title: Advanced security auditing FAQ (Windows 10) + title: Advanced security auditing FAQ description: This article lists common questions and answers about understanding, deploying, and managing security audit policies. - ms.prod: m365-security - ms.technology: mde - ms.localizationpriority: none - author: dansimp - ms.author: dansimp + ms.prod: windows-client + author: vinaypamnani-msft + ms.author: vinpa manager: aaroncz - ms.reviewer: - ms.collection: M365-security-compliance ms.topic: faq ms.date: 05/24/2022 + ms.technology: itpro-security title: Advanced security auditing FAQ diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing.md b/windows/security/threat-protection/auditing/advanced-security-auditing.md index dfdea1de13..37031d5f88 100644 --- a/windows/security/threat-protection/auditing/advanced-security-auditing.md +++ b/windows/security/threat-protection/auditing/advanced-security-auditing.md @@ -12,7 +12,6 @@ ms.localizationpriority: none author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/6/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md b/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md index 3838e0f0f4..eb734ebf54 100644 --- a/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md +++ b/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # Appendix A: Security monitoring recommendations for many audit events diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md index 8d2d3f824c..af39d39146 100644 --- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md +++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md @@ -13,7 +13,6 @@ author: vinaypamnani-msft manager: aaroncz audience: ITPro ms.collection: - - M365-security-compliance - highpri ms.topic: conceptual ms.date: 09/06/2021 diff --git a/windows/security/threat-protection/auditing/audit-account-lockout.md b/windows/security/threat-protection/auditing/audit-account-lockout.md index 9d49394e56..f2cf0cc5ec 100644 --- a/windows/security/threat-protection/auditing/audit-account-lockout.md +++ b/windows/security/threat-protection/auditing/audit-account-lockout.md @@ -13,6 +13,7 @@ ms.localizationpriority: none author: vinaypamnani-msft ms.date: 09/06/2021 ms.technology: itpro-security +ms.topic: reference --- # Audit Account Lockout diff --git a/windows/security/threat-protection/auditing/audit-application-generated.md b/windows/security/threat-protection/auditing/audit-application-generated.md index f7ca99507d..36f8f451a0 100644 --- a/windows/security/threat-protection/auditing/audit-application-generated.md +++ b/windows/security/threat-protection/auditing/audit-application-generated.md @@ -13,6 +13,7 @@ ms.localizationpriority: none author: vinaypamnani-msft ms.date: 09/06/2021 ms.technology: itpro-security +ms.topic: reference --- # Audit Application Generated diff --git a/windows/security/threat-protection/auditing/audit-application-group-management.md b/windows/security/threat-protection/auditing/audit-application-group-management.md index 706551065b..cb91f3fa61 100644 --- a/windows/security/threat-protection/auditing/audit-application-group-management.md +++ b/windows/security/threat-protection/auditing/audit-application-group-management.md @@ -13,6 +13,7 @@ ms.localizationpriority: none author: vinaypamnani-msft ms.date: 09/06/2021 ms.technology: itpro-security +ms.topic: reference --- # Audit Application Group Management diff --git a/windows/security/threat-protection/auditing/audit-audit-policy-change.md b/windows/security/threat-protection/auditing/audit-audit-policy-change.md index aaf65be8db..c5cdf8c616 100644 --- a/windows/security/threat-protection/auditing/audit-audit-policy-change.md +++ b/windows/security/threat-protection/auditing/audit-audit-policy-change.md @@ -13,6 +13,7 @@ ms.localizationpriority: none author: vinaypamnani-msft ms.date: 09/06/2021 ms.technology: itpro-security +ms.topic: reference --- # Audit Audit Policy Change diff --git a/windows/security/threat-protection/auditing/audit-authentication-policy-change.md b/windows/security/threat-protection/auditing/audit-authentication-policy-change.md index 6754a2796a..318f08b516 100644 --- a/windows/security/threat-protection/auditing/audit-authentication-policy-change.md +++ b/windows/security/threat-protection/auditing/audit-authentication-policy-change.md @@ -13,6 +13,7 @@ ms.localizationpriority: none author: vinaypamnani-msft ms.date: 09/06/2021 ms.technology: itpro-security +ms.topic: reference --- # Audit Authentication Policy Change diff --git a/windows/security/threat-protection/auditing/audit-authorization-policy-change.md b/windows/security/threat-protection/auditing/audit-authorization-policy-change.md index e8c3a7d588..b7fd89b268 100644 --- a/windows/security/threat-protection/auditing/audit-authorization-policy-change.md +++ b/windows/security/threat-protection/auditing/audit-authorization-policy-change.md @@ -13,6 +13,7 @@ ms.localizationpriority: none author: vinaypamnani-msft ms.date: 09/06/2021 ms.technology: itpro-security +ms.topic: reference --- # Audit Authorization Policy Change diff --git a/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md b/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md index 5e92817efe..62ac5c925c 100644 --- a/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md +++ b/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md @@ -13,6 +13,7 @@ ms.localizationpriority: none author: vinaypamnani-msft ms.date: 09/06/2021 ms.technology: itpro-security +ms.topic: reference --- # Audit Central Access Policy Staging diff --git a/windows/security/threat-protection/auditing/audit-certification-services.md b/windows/security/threat-protection/auditing/audit-certification-services.md index bc1ec469f1..889edc295b 100644 --- a/windows/security/threat-protection/auditing/audit-certification-services.md +++ b/windows/security/threat-protection/auditing/audit-certification-services.md @@ -13,6 +13,7 @@ ms.localizationpriority: none author: vinaypamnani-msft ms.date: 09/06/2021 ms.technology: itpro-security +ms.topic: reference --- # Audit Certification Services diff --git a/windows/security/threat-protection/auditing/audit-computer-account-management.md b/windows/security/threat-protection/auditing/audit-computer-account-management.md index 8c42317e94..63ad7eaac9 100644 --- a/windows/security/threat-protection/auditing/audit-computer-account-management.md +++ b/windows/security/threat-protection/auditing/audit-computer-account-management.md @@ -13,6 +13,7 @@ ms.localizationpriority: none author: vinaypamnani-msft ms.date: 09/06/2021 ms.technology: itpro-security +ms.topic: reference --- # Audit Computer Account Management diff --git a/windows/security/threat-protection/auditing/audit-credential-validation.md b/windows/security/threat-protection/auditing/audit-credential-validation.md index b04f1cb5a9..a5a9dc7158 100644 --- a/windows/security/threat-protection/auditing/audit-credential-validation.md +++ b/windows/security/threat-protection/auditing/audit-credential-validation.md @@ -13,6 +13,7 @@ ms.localizationpriority: none author: vinaypamnani-msft ms.date: 09/06/2021 ms.technology: itpro-security +ms.topic: reference --- # Audit Credential Validation diff --git a/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md b/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md index 72f481f66b..7fffbad3df 100644 --- a/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md +++ b/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md @@ -13,6 +13,7 @@ ms.localizationpriority: none author: vinaypamnani-msft ms.date: 09/06/2021 ms.technology: itpro-security +ms.topic: reference --- # Audit Detailed Directory Service Replication diff --git a/windows/security/threat-protection/auditing/audit-detailed-file-share.md b/windows/security/threat-protection/auditing/audit-detailed-file-share.md index 16b1667db6..9ec6b5c148 100644 --- a/windows/security/threat-protection/auditing/audit-detailed-file-share.md +++ b/windows/security/threat-protection/auditing/audit-detailed-file-share.md @@ -13,6 +13,7 @@ ms.localizationpriority: none author: vinaypamnani-msft ms.date: 09/06/2021 ms.technology: itpro-security +ms.topic: reference --- # Audit Detailed File Share diff --git a/windows/security/threat-protection/auditing/audit-directory-service-access.md b/windows/security/threat-protection/auditing/audit-directory-service-access.md index c954c98ef9..e58853650d 100644 --- a/windows/security/threat-protection/auditing/audit-directory-service-access.md +++ b/windows/security/threat-protection/auditing/audit-directory-service-access.md @@ -1,6 +1,6 @@ --- title: Audit Directory Service Access (Windows 10) -description: The policy setting Audit Directory Service Access determines if audit events are generated when an Active Directory Domain Services (ADA DS) object is accessed. +description: The policy setting Audit Directory Service Access determines if audit events are generated when an Active Directory Domain Services (AD DS) object is accessed. ms.assetid: ba2562ba-4282-4588-b87c-a3fcb771c7d0 ms.reviewer: manager: aaroncz @@ -13,6 +13,7 @@ ms.localizationpriority: none author: vinaypamnani-msft ms.date: 09/06/2021 ms.technology: itpro-security +ms.topic: reference --- # Audit Directory Service Access @@ -34,4 +35,4 @@ This subcategory allows you to audit when an Active Directory Domain Services (A - [4662](event-4662.md)(S, F): An operation was performed on an object. -- [4661](event-4661.md)(S, F): A handle to an object was requested. \ No newline at end of file +- [4661](event-4661.md)(S, F): A handle to an object was requested. diff --git a/windows/security/threat-protection/auditing/audit-directory-service-changes.md b/windows/security/threat-protection/auditing/audit-directory-service-changes.md index 5aa0e36978..c9485389e9 100644 --- a/windows/security/threat-protection/auditing/audit-directory-service-changes.md +++ b/windows/security/threat-protection/auditing/audit-directory-service-changes.md @@ -13,6 +13,7 @@ ms.localizationpriority: none author: vinaypamnani-msft ms.date: 09/06/2021 ms.technology: itpro-security +ms.topic: reference --- # Audit Directory Service Changes diff --git a/windows/security/threat-protection/auditing/audit-directory-service-replication.md b/windows/security/threat-protection/auditing/audit-directory-service-replication.md index f9c45299fe..046dd9a1e7 100644 --- a/windows/security/threat-protection/auditing/audit-directory-service-replication.md +++ b/windows/security/threat-protection/auditing/audit-directory-service-replication.md @@ -13,6 +13,7 @@ ms.localizationpriority: none author: vinaypamnani-msft ms.date: 09/06/2021 ms.technology: itpro-security +ms.topic: reference --- # Audit Directory Service Replication diff --git a/windows/security/threat-protection/auditing/audit-distribution-group-management.md b/windows/security/threat-protection/auditing/audit-distribution-group-management.md index 23341f0d60..8eb5bb988c 100644 --- a/windows/security/threat-protection/auditing/audit-distribution-group-management.md +++ b/windows/security/threat-protection/auditing/audit-distribution-group-management.md @@ -13,6 +13,7 @@ ms.localizationpriority: none author: vinaypamnani-msft ms.date: 09/06/2021 ms.technology: itpro-security +ms.topic: reference --- # Audit Distribution Group Management diff --git a/windows/security/threat-protection/auditing/audit-dpapi-activity.md b/windows/security/threat-protection/auditing/audit-dpapi-activity.md index bc24e85d75..79dbf17692 100644 --- a/windows/security/threat-protection/auditing/audit-dpapi-activity.md +++ b/windows/security/threat-protection/auditing/audit-dpapi-activity.md @@ -13,6 +13,7 @@ ms.localizationpriority: none author: vinaypamnani-msft ms.date: 09/06/2021 ms.technology: itpro-security +ms.topic: reference --- # Audit DPAPI Activity diff --git a/windows/security/threat-protection/auditing/audit-file-share.md b/windows/security/threat-protection/auditing/audit-file-share.md index 59c2d6638e..577c138f46 100644 --- a/windows/security/threat-protection/auditing/audit-file-share.md +++ b/windows/security/threat-protection/auditing/audit-file-share.md @@ -13,6 +13,7 @@ ms.localizationpriority: none author: vinaypamnani-msft ms.date: 09/06/2021 ms.technology: itpro-security +ms.topic: reference --- # Audit File Share diff --git a/windows/security/threat-protection/auditing/audit-file-system.md b/windows/security/threat-protection/auditing/audit-file-system.md index c9a66ed82e..037faaf8f4 100644 --- a/windows/security/threat-protection/auditing/audit-file-system.md +++ b/windows/security/threat-protection/auditing/audit-file-system.md @@ -13,6 +13,7 @@ ms.localizationpriority: none author: vinaypamnani-msft ms.date: 09/06/2021 ms.technology: itpro-security +ms.topic: reference --- # Audit File System diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md b/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md index 7984928783..5877ab26f1 100644 --- a/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md +++ b/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md @@ -13,6 +13,7 @@ ms.localizationpriority: none author: vinaypamnani-msft ms.date: 09/06/2021 ms.technology: itpro-security +ms.topic: reference --- # Audit Filtering Platform Connection diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md b/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md index 15c0bc27d2..9003cab47c 100644 --- a/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md +++ b/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md @@ -13,6 +13,7 @@ ms.localizationpriority: none author: vinaypamnani-msft ms.date: 09/06/2021 ms.technology: itpro-security +ms.topic: reference --- # Audit Filtering Platform Packet Drop diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md b/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md index b8f192cccd..1a4cab1153 100644 --- a/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md +++ b/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md @@ -13,6 +13,7 @@ ms.localizationpriority: none author: vinaypamnani-msft ms.date: 09/06/2021 ms.technology: itpro-security +ms.topic: reference --- # Audit Filtering Platform Policy Change diff --git a/windows/security/threat-protection/auditing/audit-group-membership.md b/windows/security/threat-protection/auditing/audit-group-membership.md index b3740aca1a..9f32d9d336 100644 --- a/windows/security/threat-protection/auditing/audit-group-membership.md +++ b/windows/security/threat-protection/auditing/audit-group-membership.md @@ -13,6 +13,7 @@ ms.localizationpriority: none author: vinaypamnani-msft ms.date: 09/06/2021 ms.technology: itpro-security +ms.topic: reference --- # Audit Group Membership diff --git a/windows/security/threat-protection/auditing/audit-handle-manipulation.md b/windows/security/threat-protection/auditing/audit-handle-manipulation.md index c468ff02f3..50470902eb 100644 --- a/windows/security/threat-protection/auditing/audit-handle-manipulation.md +++ b/windows/security/threat-protection/auditing/audit-handle-manipulation.md @@ -13,6 +13,7 @@ ms.localizationpriority: none author: vinaypamnani-msft ms.date: 09/06/2021 ms.technology: itpro-security +ms.topic: reference --- # Audit Handle Manipulation diff --git a/windows/security/threat-protection/auditing/audit-ipsec-driver.md b/windows/security/threat-protection/auditing/audit-ipsec-driver.md index dc52d2d90e..cfcefafd36 100644 --- a/windows/security/threat-protection/auditing/audit-ipsec-driver.md +++ b/windows/security/threat-protection/auditing/audit-ipsec-driver.md @@ -13,6 +13,7 @@ ms.localizationpriority: none author: vinaypamnani-msft ms.date: 09/06/2021 ms.technology: itpro-security +ms.topic: reference --- # Audit IPsec Driver diff --git a/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md b/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md index 92e2d71f5e..33bfbb485d 100644 --- a/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md +++ b/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md @@ -13,6 +13,7 @@ ms.localizationpriority: none author: vinaypamnani-msft ms.date: 09/06/2021 ms.technology: itpro-security +ms.topic: reference --- # Audit IPsec Extended Mode diff --git a/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md b/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md index 965715efa2..7f1d59e38c 100644 --- a/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md +++ b/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md @@ -13,6 +13,7 @@ ms.localizationpriority: none author: vinaypamnani-msft ms.date: 09/06/2021 ms.technology: itpro-security +ms.topic: reference --- # Audit IPsec Main Mode diff --git a/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md b/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md index 7a8be4ff82..869e1f4dcf 100644 --- a/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md +++ b/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md @@ -13,6 +13,7 @@ ms.localizationpriority: none author: vinaypamnani-msft ms.date: 09/06/2021 ms.technology: itpro-security +ms.topic: reference --- # Audit IPsec Quick Mode diff --git a/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md b/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md index 98a1c8f558..4ed0bce866 100644 --- a/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md +++ b/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md @@ -13,6 +13,7 @@ ms.localizationpriority: none author: vinaypamnani-msft ms.date: 09/06/2021 ms.technology: itpro-security +ms.topic: reference --- # Audit Kerberos Authentication Service diff --git a/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md b/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md index 135c2882b7..ed3c49dfef 100644 --- a/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md +++ b/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md @@ -13,6 +13,7 @@ ms.localizationpriority: none author: vinaypamnani-msft ms.date: 09/06/2021 ms.technology: itpro-security +ms.topic: reference --- # Audit Kerberos Service Ticket Operations diff --git a/windows/security/threat-protection/auditing/audit-kernel-object.md b/windows/security/threat-protection/auditing/audit-kernel-object.md index bb5d6d221a..0dd8928c22 100644 --- a/windows/security/threat-protection/auditing/audit-kernel-object.md +++ b/windows/security/threat-protection/auditing/audit-kernel-object.md @@ -13,6 +13,7 @@ ms.localizationpriority: none author: vinaypamnani-msft ms.date: 09/06/2021 ms.technology: itpro-security +ms.topic: reference --- # Audit Kernel Object diff --git a/windows/security/threat-protection/auditing/audit-logoff.md b/windows/security/threat-protection/auditing/audit-logoff.md index b6108a6488..6a1f7f33ef 100644 --- a/windows/security/threat-protection/auditing/audit-logoff.md +++ b/windows/security/threat-protection/auditing/audit-logoff.md @@ -13,6 +13,7 @@ ms.localizationpriority: none author: vinaypamnani-msft ms.date: 09/06/2021 ms.technology: itpro-security +ms.topic: reference --- # Audit Logoff diff --git a/windows/security/threat-protection/auditing/audit-logon.md b/windows/security/threat-protection/auditing/audit-logon.md index 74e7fe7f8f..4b78d70722 100644 --- a/windows/security/threat-protection/auditing/audit-logon.md +++ b/windows/security/threat-protection/auditing/audit-logon.md @@ -13,6 +13,7 @@ ms.localizationpriority: none author: vinaypamnani-msft ms.date: 09/06/2021 ms.technology: itpro-security +ms.topic: reference --- # Audit Logon diff --git a/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md b/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md index a441c97c4c..4081cf31a9 100644 --- a/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md +++ b/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md @@ -13,6 +13,7 @@ ms.localizationpriority: none author: vinaypamnani-msft ms.date: 09/06/2021 ms.technology: itpro-security +ms.topic: reference --- # Audit MPSSVC Rule-Level Policy Change diff --git a/windows/security/threat-protection/auditing/audit-network-policy-server.md b/windows/security/threat-protection/auditing/audit-network-policy-server.md index 6c9a0fb877..2501fecc08 100644 --- a/windows/security/threat-protection/auditing/audit-network-policy-server.md +++ b/windows/security/threat-protection/auditing/audit-network-policy-server.md @@ -13,6 +13,7 @@ ms.localizationpriority: none author: vinaypamnani-msft ms.date: 09/06/2021 ms.technology: itpro-security +ms.topic: reference --- # Audit Network Policy Server diff --git a/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md b/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md index b9920a8900..01b3fb153f 100644 --- a/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md +++ b/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md @@ -13,6 +13,7 @@ ms.localizationpriority: none author: vinaypamnani-msft ms.date: 09/06/2021 ms.technology: itpro-security +ms.topic: reference --- # Audit Non-Sensitive Privilege Use diff --git a/windows/security/threat-protection/auditing/audit-other-account-logon-events.md b/windows/security/threat-protection/auditing/audit-other-account-logon-events.md index 23ab2587a5..23ee128d63 100644 --- a/windows/security/threat-protection/auditing/audit-other-account-logon-events.md +++ b/windows/security/threat-protection/auditing/audit-other-account-logon-events.md @@ -13,6 +13,7 @@ ms.localizationpriority: none author: vinaypamnani-msft ms.date: 09/06/2021 ms.technology: itpro-security +ms.topic: reference --- # Audit Other Account Logon Events diff --git a/windows/security/threat-protection/auditing/audit-other-account-management-events.md b/windows/security/threat-protection/auditing/audit-other-account-management-events.md index 7d8e27c634..8f3d985309 100644 --- a/windows/security/threat-protection/auditing/audit-other-account-management-events.md +++ b/windows/security/threat-protection/auditing/audit-other-account-management-events.md @@ -13,6 +13,7 @@ ms.localizationpriority: none author: vinaypamnani-msft ms.date: 09/06/2021 ms.technology: itpro-security +ms.topic: reference --- # Audit Other Account Management Events diff --git a/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md b/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md index 43e4b822aa..789ab297be 100644 --- a/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md +++ b/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md @@ -13,6 +13,7 @@ ms.localizationpriority: none author: vinaypamnani-msft ms.date: 09/06/2021 ms.technology: itpro-security +ms.topic: reference --- # Audit Other Logon/Logoff Events diff --git a/windows/security/threat-protection/auditing/audit-other-object-access-events.md b/windows/security/threat-protection/auditing/audit-other-object-access-events.md index 901c4b5a7e..5dc0923e42 100644 --- a/windows/security/threat-protection/auditing/audit-other-object-access-events.md +++ b/windows/security/threat-protection/auditing/audit-other-object-access-events.md @@ -13,6 +13,7 @@ ms.localizationpriority: none author: vinaypamnani-msft ms.date: 09/06/2021 ms.technology: itpro-security +ms.topic: reference --- # Audit Other Object Access Events diff --git a/windows/security/threat-protection/auditing/audit-other-policy-change-events.md b/windows/security/threat-protection/auditing/audit-other-policy-change-events.md index 776b3fdec9..d088e9f929 100644 --- a/windows/security/threat-protection/auditing/audit-other-policy-change-events.md +++ b/windows/security/threat-protection/auditing/audit-other-policy-change-events.md @@ -13,6 +13,7 @@ ms.localizationpriority: none author: vinaypamnani-msft ms.date: 09/06/2021 ms.technology: itpro-security +ms.topic: reference --- # Audit Other Policy Change Events diff --git a/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md b/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md index 97a8de3544..c2487a6b33 100644 --- a/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md +++ b/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md @@ -13,6 +13,7 @@ ms.localizationpriority: none author: vinaypamnani-msft ms.date: 09/06/2021 ms.technology: itpro-security +ms.topic: reference --- # Audit Other Privilege Use Events diff --git a/windows/security/threat-protection/auditing/audit-other-system-events.md b/windows/security/threat-protection/auditing/audit-other-system-events.md index 015eb3ddea..63cfb375b0 100644 --- a/windows/security/threat-protection/auditing/audit-other-system-events.md +++ b/windows/security/threat-protection/auditing/audit-other-system-events.md @@ -13,6 +13,7 @@ ms.localizationpriority: none author: vinaypamnani-msft ms.date: 09/06/2021 ms.technology: itpro-security +ms.topic: reference --- # Audit Other System Events diff --git a/windows/security/threat-protection/auditing/audit-pnp-activity.md b/windows/security/threat-protection/auditing/audit-pnp-activity.md index da07e88f35..224eae5fcb 100644 --- a/windows/security/threat-protection/auditing/audit-pnp-activity.md +++ b/windows/security/threat-protection/auditing/audit-pnp-activity.md @@ -13,6 +13,7 @@ ms.localizationpriority: none author: vinaypamnani-msft ms.date: 09/06/2021 ms.technology: itpro-security +ms.topic: reference --- # Audit PNP Activity diff --git a/windows/security/threat-protection/auditing/audit-process-creation.md b/windows/security/threat-protection/auditing/audit-process-creation.md index 3eb6dcf190..07b283ace9 100644 --- a/windows/security/threat-protection/auditing/audit-process-creation.md +++ b/windows/security/threat-protection/auditing/audit-process-creation.md @@ -13,6 +13,7 @@ ms.localizationpriority: none author: vinaypamnani-msft ms.date: 03/16/2022 ms.technology: itpro-security +ms.topic: reference --- # Audit Process Creation diff --git a/windows/security/threat-protection/auditing/audit-process-termination.md b/windows/security/threat-protection/auditing/audit-process-termination.md index 60a0a05de7..b156ba658a 100644 --- a/windows/security/threat-protection/auditing/audit-process-termination.md +++ b/windows/security/threat-protection/auditing/audit-process-termination.md @@ -13,6 +13,7 @@ ms.localizationpriority: none author: vinaypamnani-msft ms.date: 09/06/2021 ms.technology: itpro-security +ms.topic: reference --- # Audit Process Termination diff --git a/windows/security/threat-protection/auditing/audit-registry.md b/windows/security/threat-protection/auditing/audit-registry.md index e67da43c3e..a4423aeb52 100644 --- a/windows/security/threat-protection/auditing/audit-registry.md +++ b/windows/security/threat-protection/auditing/audit-registry.md @@ -13,6 +13,7 @@ ms.localizationpriority: none author: vinaypamnani-msft ms.date: 01/05/2021 ms.technology: itpro-security +ms.topic: reference --- # Audit Registry diff --git a/windows/security/threat-protection/auditing/audit-removable-storage.md b/windows/security/threat-protection/auditing/audit-removable-storage.md index 4277dd71c8..c9d2586107 100644 --- a/windows/security/threat-protection/auditing/audit-removable-storage.md +++ b/windows/security/threat-protection/auditing/audit-removable-storage.md @@ -13,6 +13,7 @@ ms.localizationpriority: none author: vinaypamnani-msft ms.date: 09/06/2021 ms.technology: itpro-security +ms.topic: reference --- # Audit Removable Storage diff --git a/windows/security/threat-protection/auditing/audit-rpc-events.md b/windows/security/threat-protection/auditing/audit-rpc-events.md index 27dc6938be..bee389855a 100644 --- a/windows/security/threat-protection/auditing/audit-rpc-events.md +++ b/windows/security/threat-protection/auditing/audit-rpc-events.md @@ -13,6 +13,7 @@ ms.localizationpriority: none author: vinaypamnani-msft ms.date: 09/06/2021 ms.technology: itpro-security +ms.topic: reference --- # Audit RPC Events diff --git a/windows/security/threat-protection/auditing/audit-sam.md b/windows/security/threat-protection/auditing/audit-sam.md index 1f295079c7..c92e7d5ba5 100644 --- a/windows/security/threat-protection/auditing/audit-sam.md +++ b/windows/security/threat-protection/auditing/audit-sam.md @@ -13,6 +13,7 @@ ms.localizationpriority: none author: vinaypamnani-msft ms.date: 09/06/2021 ms.technology: itpro-security +ms.topic: reference --- # Audit SAM diff --git a/windows/security/threat-protection/auditing/audit-security-group-management.md b/windows/security/threat-protection/auditing/audit-security-group-management.md index 6fe81c704f..0564c257b6 100644 --- a/windows/security/threat-protection/auditing/audit-security-group-management.md +++ b/windows/security/threat-protection/auditing/audit-security-group-management.md @@ -13,6 +13,7 @@ ms.localizationpriority: none author: vinaypamnani-msft ms.date: 09/06/2021 ms.technology: itpro-security +ms.topic: reference --- # Audit Security Group Management diff --git a/windows/security/threat-protection/auditing/audit-security-state-change.md b/windows/security/threat-protection/auditing/audit-security-state-change.md index 94c6d1f229..25686b4f33 100644 --- a/windows/security/threat-protection/auditing/audit-security-state-change.md +++ b/windows/security/threat-protection/auditing/audit-security-state-change.md @@ -13,6 +13,7 @@ ms.localizationpriority: none author: vinaypamnani-msft ms.date: 09/06/2021 ms.technology: itpro-security +ms.topic: reference --- # Audit Security State Change diff --git a/windows/security/threat-protection/auditing/audit-security-system-extension.md b/windows/security/threat-protection/auditing/audit-security-system-extension.md index fbda6e4cbb..72a72a15aa 100644 --- a/windows/security/threat-protection/auditing/audit-security-system-extension.md +++ b/windows/security/threat-protection/auditing/audit-security-system-extension.md @@ -13,6 +13,7 @@ ms.localizationpriority: none author: vinaypamnani-msft ms.date: 09/06/2021 ms.technology: itpro-security +ms.topic: reference --- # Audit Security System Extension diff --git a/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md b/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md index eb8714f152..c79520f698 100644 --- a/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md +++ b/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md @@ -13,6 +13,7 @@ ms.localizationpriority: none author: vinaypamnani-msft ms.date: 09/06/2021 ms.technology: itpro-security +ms.topic: reference --- # Audit Sensitive Privilege Use diff --git a/windows/security/threat-protection/auditing/audit-special-logon.md b/windows/security/threat-protection/auditing/audit-special-logon.md index 8f865d11bc..e9958ffa2e 100644 --- a/windows/security/threat-protection/auditing/audit-special-logon.md +++ b/windows/security/threat-protection/auditing/audit-special-logon.md @@ -13,6 +13,7 @@ ms.localizationpriority: none author: vinaypamnani-msft ms.date: 09/06/2021 ms.technology: itpro-security +ms.topic: reference --- # Audit Special Logon diff --git a/windows/security/threat-protection/auditing/audit-system-integrity.md b/windows/security/threat-protection/auditing/audit-system-integrity.md index 761abff74a..4a313d8ae0 100644 --- a/windows/security/threat-protection/auditing/audit-system-integrity.md +++ b/windows/security/threat-protection/auditing/audit-system-integrity.md @@ -13,6 +13,7 @@ ms.localizationpriority: none author: vinaypamnani-msft ms.date: 09/06/2021 ms.technology: itpro-security +ms.topic: reference --- # Audit System Integrity diff --git a/windows/security/threat-protection/auditing/audit-token-right-adjusted.md b/windows/security/threat-protection/auditing/audit-token-right-adjusted.md index 533703cb10..d0969156b5 100644 --- a/windows/security/threat-protection/auditing/audit-token-right-adjusted.md +++ b/windows/security/threat-protection/auditing/audit-token-right-adjusted.md @@ -7,6 +7,8 @@ ms.author: vinpa ms.pagetype: security ms.prod: windows-client ms.technology: itpro-security +ms.date: 12/31/2017 +ms.topic: article --- # Audit Token Right Adjusted diff --git a/windows/security/threat-protection/auditing/audit-user-account-management.md b/windows/security/threat-protection/auditing/audit-user-account-management.md index 7efa2301e3..2faba55a60 100644 --- a/windows/security/threat-protection/auditing/audit-user-account-management.md +++ b/windows/security/threat-protection/auditing/audit-user-account-management.md @@ -13,6 +13,7 @@ ms.localizationpriority: none author: vinaypamnani-msft ms.date: 09/06/2021 ms.technology: itpro-security +ms.topic: reference --- # Audit User Account Management diff --git a/windows/security/threat-protection/auditing/audit-user-device-claims.md b/windows/security/threat-protection/auditing/audit-user-device-claims.md index 750c5568ca..e22930f47a 100644 --- a/windows/security/threat-protection/auditing/audit-user-device-claims.md +++ b/windows/security/threat-protection/auditing/audit-user-device-claims.md @@ -13,6 +13,7 @@ ms.localizationpriority: none author: vinaypamnani-msft ms.date: 09/06/2021 ms.technology: itpro-security +ms.topic: reference --- # Audit User/Device Claims diff --git a/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md b/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md index c40298d5a5..da74741832 100644 --- a/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md +++ b/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md @@ -12,7 +12,6 @@ ms.localizationpriority: none author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/06/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/auditing/basic-audit-account-management.md b/windows/security/threat-protection/auditing/basic-audit-account-management.md index 2327ae1658..22824ae059 100644 --- a/windows/security/threat-protection/auditing/basic-audit-account-management.md +++ b/windows/security/threat-protection/auditing/basic-audit-account-management.md @@ -12,7 +12,6 @@ ms.localizationpriority: none author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/06/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md b/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md index bbd62c2d7f..e9bd4f0117 100644 --- a/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md +++ b/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md @@ -12,7 +12,6 @@ ms.localizationpriority: none author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/06/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/auditing/basic-audit-logon-events.md b/windows/security/threat-protection/auditing/basic-audit-logon-events.md index c429d26054..319301f86f 100644 --- a/windows/security/threat-protection/auditing/basic-audit-logon-events.md +++ b/windows/security/threat-protection/auditing/basic-audit-logon-events.md @@ -13,7 +13,6 @@ author: vinaypamnani-msft manager: aaroncz audience: ITPro ms.collection: - - M365-security-compliance - highpri ms.topic: conceptual ms.date: 09/06/2021 diff --git a/windows/security/threat-protection/auditing/basic-audit-object-access.md b/windows/security/threat-protection/auditing/basic-audit-object-access.md index 5223f78f44..1b5014823a 100644 --- a/windows/security/threat-protection/auditing/basic-audit-object-access.md +++ b/windows/security/threat-protection/auditing/basic-audit-object-access.md @@ -12,7 +12,6 @@ ms.localizationpriority: none author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/06/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/auditing/basic-audit-policy-change.md b/windows/security/threat-protection/auditing/basic-audit-policy-change.md index 698273ad21..e698be1f37 100644 --- a/windows/security/threat-protection/auditing/basic-audit-policy-change.md +++ b/windows/security/threat-protection/auditing/basic-audit-policy-change.md @@ -12,7 +12,6 @@ ms.localizationpriority: none author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/06/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/auditing/basic-audit-privilege-use.md b/windows/security/threat-protection/auditing/basic-audit-privilege-use.md index 202483cba9..4e70e2b0f1 100644 --- a/windows/security/threat-protection/auditing/basic-audit-privilege-use.md +++ b/windows/security/threat-protection/auditing/basic-audit-privilege-use.md @@ -12,7 +12,6 @@ ms.localizationpriority: none author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/06/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/auditing/basic-audit-process-tracking.md b/windows/security/threat-protection/auditing/basic-audit-process-tracking.md index 96125dc789..e2d32e164d 100644 --- a/windows/security/threat-protection/auditing/basic-audit-process-tracking.md +++ b/windows/security/threat-protection/auditing/basic-audit-process-tracking.md @@ -12,7 +12,6 @@ ms.localizationpriority: none author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/06/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/auditing/basic-audit-system-events.md b/windows/security/threat-protection/auditing/basic-audit-system-events.md index 951ca143f2..e1c1c1a64c 100644 --- a/windows/security/threat-protection/auditing/basic-audit-system-events.md +++ b/windows/security/threat-protection/auditing/basic-audit-system-events.md @@ -12,7 +12,6 @@ ms.localizationpriority: none author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/06/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/auditing/basic-security-audit-policies.md b/windows/security/threat-protection/auditing/basic-security-audit-policies.md index e05747ce76..5a4bec26db 100644 --- a/windows/security/threat-protection/auditing/basic-security-audit-policies.md +++ b/windows/security/threat-protection/auditing/basic-security-audit-policies.md @@ -12,7 +12,6 @@ ms.localizationpriority: none author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/06/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md b/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md index bbc3b39ae8..aa0e4c7ea2 100644 --- a/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md +++ b/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md @@ -12,7 +12,6 @@ ms.localizationpriority: none author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/06/2021 ms.technology: itpro-security @@ -39,6 +38,6 @@ Basic security audit policy settings are found under Computer Configuration\\Win ## Related topics -- [Basic security audit policy settings](basic-security-audit-policy-settings.md) +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) diff --git a/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md b/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md index 431c0d89e2..f27b911fa2 100644 --- a/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md +++ b/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md @@ -12,7 +12,6 @@ ms.localizationpriority: none author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/auditing/event-1100.md b/windows/security/threat-protection/auditing/event-1100.md index b5e2bfaf89..b0606e87da 100644 --- a/windows/security/threat-protection/auditing/event-1100.md +++ b/windows/security/threat-protection/auditing/event-1100.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 1100(S): The event logging service has shut down. diff --git a/windows/security/threat-protection/auditing/event-1102.md b/windows/security/threat-protection/auditing/event-1102.md index 3da9fc2a33..c319070f2a 100644 --- a/windows/security/threat-protection/auditing/event-1102.md +++ b/windows/security/threat-protection/auditing/event-1102.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 1102(S): The audit log was cleared. diff --git a/windows/security/threat-protection/auditing/event-1104.md b/windows/security/threat-protection/auditing/event-1104.md index 71e08f1f79..7768b7a43a 100644 --- a/windows/security/threat-protection/auditing/event-1104.md +++ b/windows/security/threat-protection/auditing/event-1104.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 1104(S): The security log is now full. diff --git a/windows/security/threat-protection/auditing/event-1105.md b/windows/security/threat-protection/auditing/event-1105.md index 6eea66a2d6..2c10dd205e 100644 --- a/windows/security/threat-protection/auditing/event-1105.md +++ b/windows/security/threat-protection/auditing/event-1105.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 1105(S): Event log automatic backup diff --git a/windows/security/threat-protection/auditing/event-1108.md b/windows/security/threat-protection/auditing/event-1108.md index 3ef547a322..3412104704 100644 --- a/windows/security/threat-protection/auditing/event-1108.md +++ b/windows/security/threat-protection/auditing/event-1108.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 1108(S): The event logging service encountered an error while processing an incoming event published from %1. diff --git a/windows/security/threat-protection/auditing/event-4608.md b/windows/security/threat-protection/auditing/event-4608.md index 51e0c51819..bbcb45e073 100644 --- a/windows/security/threat-protection/auditing/event-4608.md +++ b/windows/security/threat-protection/auditing/event-4608.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4608(S): Windows is starting up. diff --git a/windows/security/threat-protection/auditing/event-4610.md b/windows/security/threat-protection/auditing/event-4610.md index cbb410b55d..2307a50732 100644 --- a/windows/security/threat-protection/auditing/event-4610.md +++ b/windows/security/threat-protection/auditing/event-4610.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4610(S): An authentication package has been loaded by the Local Security Authority. diff --git a/windows/security/threat-protection/auditing/event-4611.md b/windows/security/threat-protection/auditing/event-4611.md index 0f4b7b7a55..54b57cc223 100644 --- a/windows/security/threat-protection/auditing/event-4611.md +++ b/windows/security/threat-protection/auditing/event-4611.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4611(S): A trusted logon process has been registered with the Local Security Authority. diff --git a/windows/security/threat-protection/auditing/event-4612.md b/windows/security/threat-protection/auditing/event-4612.md index 15ba866bce..111fa80c83 100644 --- a/windows/security/threat-protection/auditing/event-4612.md +++ b/windows/security/threat-protection/auditing/event-4612.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4612(S): Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. diff --git a/windows/security/threat-protection/auditing/event-4614.md b/windows/security/threat-protection/auditing/event-4614.md index 1dbbdeeefe..edb915b91d 100644 --- a/windows/security/threat-protection/auditing/event-4614.md +++ b/windows/security/threat-protection/auditing/event-4614.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4614(S): A notification package has been loaded by the Security Account Manager. diff --git a/windows/security/threat-protection/auditing/event-4615.md b/windows/security/threat-protection/auditing/event-4615.md index d3cd763690..f74209909e 100644 --- a/windows/security/threat-protection/auditing/event-4615.md +++ b/windows/security/threat-protection/auditing/event-4615.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4615(S): Invalid use of LPC port. diff --git a/windows/security/threat-protection/auditing/event-4616.md b/windows/security/threat-protection/auditing/event-4616.md index 6c96460629..166b695ebb 100644 --- a/windows/security/threat-protection/auditing/event-4616.md +++ b/windows/security/threat-protection/auditing/event-4616.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4616(S): The system time was changed. @@ -163,9 +164,9 @@ For 4616(S): The system time was changed. > [!IMPORTANT] > For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). -- Report all “**Subject\\Security ID**” not equals **“LOCAL SERVICE”**, which means that the time change was not made not by Windows Time service. +- Report all “**Subject\\Security ID**” not equals **“LOCAL SERVICE”**, which means that the time change was not made by Windows Time service. -- Report all “**Process Information\\Name**” not equals **“C:\\Windows\\System32\\svchost.exe”** (path to svchost.exe can be different, you can search for “svchost.exe” substring), which means that the time change was not made not by Windows Time service. +- Report all “**Process Information\\Name**” not equals **“C:\\Windows\\System32\\svchost.exe”** (path to svchost.exe can be different, you can search for “svchost.exe” substring), which means that the time change was not made by Windows Time service. diff --git a/windows/security/threat-protection/auditing/event-4618.md b/windows/security/threat-protection/auditing/event-4618.md index dcbe79c3ac..f35815a20c 100644 --- a/windows/security/threat-protection/auditing/event-4618.md +++ b/windows/security/threat-protection/auditing/event-4618.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4618(S): A monitored security event pattern has occurred. diff --git a/windows/security/threat-protection/auditing/event-4621.md b/windows/security/threat-protection/auditing/event-4621.md index 8d85ca11c8..64e4f81134 100644 --- a/windows/security/threat-protection/auditing/event-4621.md +++ b/windows/security/threat-protection/auditing/event-4621.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4621(S): Administrator recovered system from CrashOnAuditFail. diff --git a/windows/security/threat-protection/auditing/event-4622.md b/windows/security/threat-protection/auditing/event-4622.md index b4d338e351..5dc147c077 100644 --- a/windows/security/threat-protection/auditing/event-4622.md +++ b/windows/security/threat-protection/auditing/event-4622.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4622(S): A security package has been loaded by the Local Security Authority. diff --git a/windows/security/threat-protection/auditing/event-4624.md b/windows/security/threat-protection/auditing/event-4624.md index 9a2a4e5b64..d505b5d9ef 100644 --- a/windows/security/threat-protection/auditing/event-4624.md +++ b/windows/security/threat-protection/auditing/event-4624.md @@ -14,6 +14,7 @@ ms.author: vinpa ms.technology: itpro-security ms.collection: - highpri +ms.topic: reference --- # 4624(S): An account was successfully logged on. diff --git a/windows/security/threat-protection/auditing/event-4625.md b/windows/security/threat-protection/auditing/event-4625.md index 8030b3d479..81657a6361 100644 --- a/windows/security/threat-protection/auditing/event-4625.md +++ b/windows/security/threat-protection/auditing/event-4625.md @@ -14,6 +14,7 @@ ms.author: vinpa ms.technology: itpro-security ms.collection: - highpri +ms.topic: reference --- # 4625(F): An account failed to log on. diff --git a/windows/security/threat-protection/auditing/event-4626.md b/windows/security/threat-protection/auditing/event-4626.md index d855d40847..addb26abce 100644 --- a/windows/security/threat-protection/auditing/event-4626.md +++ b/windows/security/threat-protection/auditing/event-4626.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4626(S): User/Device claims information. diff --git a/windows/security/threat-protection/auditing/event-4627.md b/windows/security/threat-protection/auditing/event-4627.md index b86dcd5739..0da1f08aee 100644 --- a/windows/security/threat-protection/auditing/event-4627.md +++ b/windows/security/threat-protection/auditing/event-4627.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4627(S): Group membership information. diff --git a/windows/security/threat-protection/auditing/event-4634.md b/windows/security/threat-protection/auditing/event-4634.md index 467dedd19f..6d8ed22539 100644 --- a/windows/security/threat-protection/auditing/event-4634.md +++ b/windows/security/threat-protection/auditing/event-4634.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4634(S): An account was logged off. diff --git a/windows/security/threat-protection/auditing/event-4647.md b/windows/security/threat-protection/auditing/event-4647.md index 9ff4d6507e..64c7e02466 100644 --- a/windows/security/threat-protection/auditing/event-4647.md +++ b/windows/security/threat-protection/auditing/event-4647.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4647(S): User initiated logoff. diff --git a/windows/security/threat-protection/auditing/event-4648.md b/windows/security/threat-protection/auditing/event-4648.md index b0cab6c7cd..5ffebb9c04 100644 --- a/windows/security/threat-protection/auditing/event-4648.md +++ b/windows/security/threat-protection/auditing/event-4648.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4648(S): A logon was attempted using explicit credentials. diff --git a/windows/security/threat-protection/auditing/event-4649.md b/windows/security/threat-protection/auditing/event-4649.md index 4447ed9ef5..98a1c9ad18 100644 --- a/windows/security/threat-protection/auditing/event-4649.md +++ b/windows/security/threat-protection/auditing/event-4649.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4649(S): A replay attack was detected. diff --git a/windows/security/threat-protection/auditing/event-4656.md b/windows/security/threat-protection/auditing/event-4656.md index 4f9aa3d55a..7d974fa3fa 100644 --- a/windows/security/threat-protection/auditing/event-4656.md +++ b/windows/security/threat-protection/auditing/event-4656.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4656(S, F): A handle to an object was requested. diff --git a/windows/security/threat-protection/auditing/event-4657.md b/windows/security/threat-protection/auditing/event-4657.md index fbe96e603d..cb4ecc3ae1 100644 --- a/windows/security/threat-protection/auditing/event-4657.md +++ b/windows/security/threat-protection/auditing/event-4657.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4657(S): A registry value was modified. diff --git a/windows/security/threat-protection/auditing/event-4658.md b/windows/security/threat-protection/auditing/event-4658.md index c577dd8cb1..532558cd00 100644 --- a/windows/security/threat-protection/auditing/event-4658.md +++ b/windows/security/threat-protection/auditing/event-4658.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4658(S): The handle to an object was closed. diff --git a/windows/security/threat-protection/auditing/event-4660.md b/windows/security/threat-protection/auditing/event-4660.md index 52e57a1502..b0124437c6 100644 --- a/windows/security/threat-protection/auditing/event-4660.md +++ b/windows/security/threat-protection/auditing/event-4660.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4660(S): An object was deleted. diff --git a/windows/security/threat-protection/auditing/event-4661.md b/windows/security/threat-protection/auditing/event-4661.md index bf8b9b0543..6cc68892c8 100644 --- a/windows/security/threat-protection/auditing/event-4661.md +++ b/windows/security/threat-protection/auditing/event-4661.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4661(S, F): A handle to an object was requested. @@ -157,15 +158,15 @@ This event generates only if Success auditing is enabled for the [Audit Handle M **Access Request Information:** -- **Transaction ID** \[Type = GUID\]: unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same the **Transaction ID**, such as “[4660](event-4660.md)(S): An object was deleted.” +- **Transaction ID** \[Type = GUID\]: unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same **Transaction ID**, such as “[4660](event-4660.md)(S): An object was deleted.” This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”. > **Note**  **GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances. -- **Accesses** \[Type = UnicodeString\]: the list of access rights which were requested by **Subject\\Security ID**. These access rights depend on **Object Type**. See “Table 13. File access codes.” for more information about file access rights. For information about SAM object access right use or other informational resources. +- **Accesses** \[Type = UnicodeString\]: the list of access rights which were requested by **Subject\\Security ID**. These access rights depend on **Object Type**. For more information about file access rights, see [Table of file access codes](/windows/security/threat-protection/auditing/event-5145#table-of-file-access-codes). For information about SAM object access right use or other informational resources. -- **Access Mask** \[Type = HexInt32\]: hexadecimal mask for the operation that was requested or performed. See “Table 13. File access codes.” for more information about file access rights. For information about SAM object access right use or other informational resources. +- **Access Mask** \[Type = HexInt32\]: hexadecimal mask for the operation that was requested or performed. For more information about file access rights, see [Table of file access codes](/windows/security/threat-protection/auditing/event-5145#table-of-file-access-codes). For information about SAM object access right use or other informational resources. - **Privileges Used for Access Check** \[Type = UnicodeString\]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See full list of user privileges in the table below: @@ -217,4 +218,4 @@ For 4661(S, F): A handle to an object was requested. > **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). -- You can get almost the same information from “[4662](event-4662.md): An operation was performed on an object.” There are no additional recommendations for this event in this document. \ No newline at end of file +- You can get almost the same information from “[4662](event-4662.md): An operation was performed on an object.” There are no additional recommendations for this event in this document. diff --git a/windows/security/threat-protection/auditing/event-4662.md b/windows/security/threat-protection/auditing/event-4662.md index cdc37e9ac3..cf19827489 100644 --- a/windows/security/threat-protection/auditing/event-4662.md +++ b/windows/security/threat-protection/auditing/event-4662.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4662(S, F): An operation was performed on an object. diff --git a/windows/security/threat-protection/auditing/event-4663.md b/windows/security/threat-protection/auditing/event-4663.md index e92604294e..cf790af491 100644 --- a/windows/security/threat-protection/auditing/event-4663.md +++ b/windows/security/threat-protection/auditing/event-4663.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4663(S): An attempt was made to access an object. diff --git a/windows/security/threat-protection/auditing/event-4664.md b/windows/security/threat-protection/auditing/event-4664.md index 5d20d8cbda..0a27e27f7d 100644 --- a/windows/security/threat-protection/auditing/event-4664.md +++ b/windows/security/threat-protection/auditing/event-4664.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4664(S): An attempt was made to create a hard link. diff --git a/windows/security/threat-protection/auditing/event-4670.md b/windows/security/threat-protection/auditing/event-4670.md index 1775901f8b..9509f490e5 100644 --- a/windows/security/threat-protection/auditing/event-4670.md +++ b/windows/security/threat-protection/auditing/event-4670.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4670(S): Permissions on an object were changed. diff --git a/windows/security/threat-protection/auditing/event-4671.md b/windows/security/threat-protection/auditing/event-4671.md index 7a1ee6965a..3215da12d8 100644 --- a/windows/security/threat-protection/auditing/event-4671.md +++ b/windows/security/threat-protection/auditing/event-4671.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4671(-): An application attempted to access a blocked ordinal through the TBS. diff --git a/windows/security/threat-protection/auditing/event-4672.md b/windows/security/threat-protection/auditing/event-4672.md index 25a4365bb7..3b61e352a2 100644 --- a/windows/security/threat-protection/auditing/event-4672.md +++ b/windows/security/threat-protection/auditing/event-4672.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4672(S): Special privileges assigned to new logon. diff --git a/windows/security/threat-protection/auditing/event-4673.md b/windows/security/threat-protection/auditing/event-4673.md index e4ba4b8a01..e63486e9fa 100644 --- a/windows/security/threat-protection/auditing/event-4673.md +++ b/windows/security/threat-protection/auditing/event-4673.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4673(S, F): A privileged service was called. diff --git a/windows/security/threat-protection/auditing/event-4674.md b/windows/security/threat-protection/auditing/event-4674.md index 09b8e8a50e..11f8c3fb62 100644 --- a/windows/security/threat-protection/auditing/event-4674.md +++ b/windows/security/threat-protection/auditing/event-4674.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4674(S, F): An operation was attempted on a privileged object. diff --git a/windows/security/threat-protection/auditing/event-4675.md b/windows/security/threat-protection/auditing/event-4675.md index 8a6b84b8e9..6daf08eef3 100644 --- a/windows/security/threat-protection/auditing/event-4675.md +++ b/windows/security/threat-protection/auditing/event-4675.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4675(S): SIDs were filtered. diff --git a/windows/security/threat-protection/auditing/event-4688.md b/windows/security/threat-protection/auditing/event-4688.md index 3de0d6acc5..5742fbd554 100644 --- a/windows/security/threat-protection/auditing/event-4688.md +++ b/windows/security/threat-protection/auditing/event-4688.md @@ -12,9 +12,10 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- -# 4688(S): A new process has been created. +# 4688(S): A new process has been created. (Windows 10) Event 4688 illustration diff --git a/windows/security/threat-protection/auditing/event-4689.md b/windows/security/threat-protection/auditing/event-4689.md index e64fd85f5a..f2014c9a1e 100644 --- a/windows/security/threat-protection/auditing/event-4689.md +++ b/windows/security/threat-protection/auditing/event-4689.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4689(S): A process has exited. diff --git a/windows/security/threat-protection/auditing/event-4690.md b/windows/security/threat-protection/auditing/event-4690.md index 25c57686e5..e0b54b2afe 100644 --- a/windows/security/threat-protection/auditing/event-4690.md +++ b/windows/security/threat-protection/auditing/event-4690.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4690(S): An attempt was made to duplicate a handle to an object. diff --git a/windows/security/threat-protection/auditing/event-4691.md b/windows/security/threat-protection/auditing/event-4691.md index 140889746d..9f88bf0d9b 100644 --- a/windows/security/threat-protection/auditing/event-4691.md +++ b/windows/security/threat-protection/auditing/event-4691.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4691(S): Indirect access to an object was requested. @@ -125,12 +126,12 @@ These events are generated for [ALPC Ports](/windows/win32/etw/alpc) access requ **Access Request Information:** -- **Accesses** \[Type = UnicodeString\]: the list of access rights which were requested by **Subject\\Security ID**. These access rights depend on **Object Type**. “Table 13. File access codes.” contains information about the most common access rights for file system objects. For information about ALPC ports access rights, use or other informational resources. +- **Accesses** \[Type = UnicodeString\]: the list of access rights which were requested by **Subject\\Security ID**. These access rights depend on **Object Type**. [Table of file access codes](/windows/security/threat-protection/auditing/event-5145#table-of-file-access-codes) contains information about the most common access rights for file system objects. For information about ALPC ports access rights, use or other informational resources. -- **Access Mask** \[Type = HexInt32\]: hexadecimal mask for the operation that was requested or performed. See “Table 13. File access codes.” for more information about file access rights. For information about ALPC ports access rights, use or other informational resources. +- **Access Mask** \[Type = HexInt32\]: hexadecimal mask for the operation that was requested or performed. For more information about file access rights, see [Table of file access codes](/windows/security/threat-protection/auditing/event-5145#table-of-file-access-codes). For information about ALPC ports access rights, use or other informational resources. ## Security Monitoring Recommendations For 4691(S): Indirect access to an object was requested. -- Typically this event has little to no security relevance and is hard to parse or analyze. There is no recommendation for this event, unless you know exactly what you need to monitor with ALPC Ports. \ No newline at end of file +- Typically this event has little to no security relevance and is hard to parse or analyze. There is no recommendation for this event, unless you know exactly what you need to monitor with ALPC Ports. diff --git a/windows/security/threat-protection/auditing/event-4692.md b/windows/security/threat-protection/auditing/event-4692.md index ac9b7268ca..fb56e8e4c9 100644 --- a/windows/security/threat-protection/auditing/event-4692.md +++ b/windows/security/threat-protection/auditing/event-4692.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4692(S, F): Backup of data protection master key was attempted. diff --git a/windows/security/threat-protection/auditing/event-4693.md b/windows/security/threat-protection/auditing/event-4693.md index 219798f08e..bd99d76424 100644 --- a/windows/security/threat-protection/auditing/event-4693.md +++ b/windows/security/threat-protection/auditing/event-4693.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4693(S, F): Recovery of data protection master key was attempted. diff --git a/windows/security/threat-protection/auditing/event-4694.md b/windows/security/threat-protection/auditing/event-4694.md index dc24a37fc9..f66fb36e4d 100644 --- a/windows/security/threat-protection/auditing/event-4694.md +++ b/windows/security/threat-protection/auditing/event-4694.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4694(S, F): Protection of auditable protected data was attempted. diff --git a/windows/security/threat-protection/auditing/event-4695.md b/windows/security/threat-protection/auditing/event-4695.md index 78c1b43834..68c0ac644a 100644 --- a/windows/security/threat-protection/auditing/event-4695.md +++ b/windows/security/threat-protection/auditing/event-4695.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4695(S, F): Unprotection of auditable protected data was attempted. diff --git a/windows/security/threat-protection/auditing/event-4696.md b/windows/security/threat-protection/auditing/event-4696.md index 16c7a8e333..fc3d8432ee 100644 --- a/windows/security/threat-protection/auditing/event-4696.md +++ b/windows/security/threat-protection/auditing/event-4696.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4696(S): A primary token was assigned to process. diff --git a/windows/security/threat-protection/auditing/event-4697.md b/windows/security/threat-protection/auditing/event-4697.md index 348ae3a7a9..5d1072f99b 100644 --- a/windows/security/threat-protection/auditing/event-4697.md +++ b/windows/security/threat-protection/auditing/event-4697.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4697(S): A service was installed in the system. diff --git a/windows/security/threat-protection/auditing/event-4698.md b/windows/security/threat-protection/auditing/event-4698.md index 7eb2d41a68..cfbe0e3f96 100644 --- a/windows/security/threat-protection/auditing/event-4698.md +++ b/windows/security/threat-protection/auditing/event-4698.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4698(S): A scheduled task was created. diff --git a/windows/security/threat-protection/auditing/event-4699.md b/windows/security/threat-protection/auditing/event-4699.md index 258b0a31d3..56935a1da0 100644 --- a/windows/security/threat-protection/auditing/event-4699.md +++ b/windows/security/threat-protection/auditing/event-4699.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4699(S): A scheduled task was deleted. diff --git a/windows/security/threat-protection/auditing/event-4700.md b/windows/security/threat-protection/auditing/event-4700.md index aa1ef1cc10..3c45c92cf4 100644 --- a/windows/security/threat-protection/auditing/event-4700.md +++ b/windows/security/threat-protection/auditing/event-4700.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4700(S): A scheduled task was enabled. diff --git a/windows/security/threat-protection/auditing/event-4701.md b/windows/security/threat-protection/auditing/event-4701.md index 11a6147179..0a9639837b 100644 --- a/windows/security/threat-protection/auditing/event-4701.md +++ b/windows/security/threat-protection/auditing/event-4701.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4701(S): A scheduled task was disabled. diff --git a/windows/security/threat-protection/auditing/event-4702.md b/windows/security/threat-protection/auditing/event-4702.md index a738b7753e..96c7f0b93b 100644 --- a/windows/security/threat-protection/auditing/event-4702.md +++ b/windows/security/threat-protection/auditing/event-4702.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4702(S): A scheduled task was updated. diff --git a/windows/security/threat-protection/auditing/event-4703.md b/windows/security/threat-protection/auditing/event-4703.md index b4571317fc..f10d935aa1 100644 --- a/windows/security/threat-protection/auditing/event-4703.md +++ b/windows/security/threat-protection/auditing/event-4703.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4703(S): A user right was adjusted. diff --git a/windows/security/threat-protection/auditing/event-4704.md b/windows/security/threat-protection/auditing/event-4704.md index 0780690284..4b0b4ef478 100644 --- a/windows/security/threat-protection/auditing/event-4704.md +++ b/windows/security/threat-protection/auditing/event-4704.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4704(S): A user right was assigned. diff --git a/windows/security/threat-protection/auditing/event-4705.md b/windows/security/threat-protection/auditing/event-4705.md index afd7149169..c66295ce0d 100644 --- a/windows/security/threat-protection/auditing/event-4705.md +++ b/windows/security/threat-protection/auditing/event-4705.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4705(S): A user right was removed. diff --git a/windows/security/threat-protection/auditing/event-4706.md b/windows/security/threat-protection/auditing/event-4706.md index c6ff0bb373..01ce8db4cd 100644 --- a/windows/security/threat-protection/auditing/event-4706.md +++ b/windows/security/threat-protection/auditing/event-4706.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4706(S): A new trust was created to a domain. diff --git a/windows/security/threat-protection/auditing/event-4707.md b/windows/security/threat-protection/auditing/event-4707.md index 28b13b2cb0..a47a9ea3ea 100644 --- a/windows/security/threat-protection/auditing/event-4707.md +++ b/windows/security/threat-protection/auditing/event-4707.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4707(S): A trust to a domain was removed. diff --git a/windows/security/threat-protection/auditing/event-4713.md b/windows/security/threat-protection/auditing/event-4713.md index e92aa50675..218134046e 100644 --- a/windows/security/threat-protection/auditing/event-4713.md +++ b/windows/security/threat-protection/auditing/event-4713.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4713(S): Kerberos policy was changed. diff --git a/windows/security/threat-protection/auditing/event-4714.md b/windows/security/threat-protection/auditing/event-4714.md index 77709fc5c7..fc40a49c6e 100644 --- a/windows/security/threat-protection/auditing/event-4714.md +++ b/windows/security/threat-protection/auditing/event-4714.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4714(S): Encrypted data recovery policy was changed. diff --git a/windows/security/threat-protection/auditing/event-4715.md b/windows/security/threat-protection/auditing/event-4715.md index 82b24bae92..f128397767 100644 --- a/windows/security/threat-protection/auditing/event-4715.md +++ b/windows/security/threat-protection/auditing/event-4715.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4715(S): The audit policy (SACL) on an object was changed. diff --git a/windows/security/threat-protection/auditing/event-4716.md b/windows/security/threat-protection/auditing/event-4716.md index f6d57fece2..64f3140ad0 100644 --- a/windows/security/threat-protection/auditing/event-4716.md +++ b/windows/security/threat-protection/auditing/event-4716.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4716(S): Trusted domain information was modified. diff --git a/windows/security/threat-protection/auditing/event-4717.md b/windows/security/threat-protection/auditing/event-4717.md index dc449a8758..8a1f14e022 100644 --- a/windows/security/threat-protection/auditing/event-4717.md +++ b/windows/security/threat-protection/auditing/event-4717.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4717(S): System security access was granted to an account. diff --git a/windows/security/threat-protection/auditing/event-4718.md b/windows/security/threat-protection/auditing/event-4718.md index 7a47fa5d37..e8ec6b8039 100644 --- a/windows/security/threat-protection/auditing/event-4718.md +++ b/windows/security/threat-protection/auditing/event-4718.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4718(S): System security access was removed from an account. diff --git a/windows/security/threat-protection/auditing/event-4719.md b/windows/security/threat-protection/auditing/event-4719.md index 97711ffdf7..dae615acf4 100644 --- a/windows/security/threat-protection/auditing/event-4719.md +++ b/windows/security/threat-protection/auditing/event-4719.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4719(S): System audit policy was changed. diff --git a/windows/security/threat-protection/auditing/event-4720.md b/windows/security/threat-protection/auditing/event-4720.md index bb732fd1dd..b53966664d 100644 --- a/windows/security/threat-protection/auditing/event-4720.md +++ b/windows/security/threat-protection/auditing/event-4720.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4720(S): A user account was created. diff --git a/windows/security/threat-protection/auditing/event-4722.md b/windows/security/threat-protection/auditing/event-4722.md index 1d82961714..4388873aa0 100644 --- a/windows/security/threat-protection/auditing/event-4722.md +++ b/windows/security/threat-protection/auditing/event-4722.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4722(S): A user account was enabled. diff --git a/windows/security/threat-protection/auditing/event-4723.md b/windows/security/threat-protection/auditing/event-4723.md index f63004d706..8b8b7975a1 100644 --- a/windows/security/threat-protection/auditing/event-4723.md +++ b/windows/security/threat-protection/auditing/event-4723.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4723(S, F): An attempt was made to change an account's password. diff --git a/windows/security/threat-protection/auditing/event-4724.md b/windows/security/threat-protection/auditing/event-4724.md index a36b61acac..00c98b63e4 100644 --- a/windows/security/threat-protection/auditing/event-4724.md +++ b/windows/security/threat-protection/auditing/event-4724.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4724(S, F): An attempt was made to reset an account's password. diff --git a/windows/security/threat-protection/auditing/event-4725.md b/windows/security/threat-protection/auditing/event-4725.md index 731fa570ad..ad5b546a6d 100644 --- a/windows/security/threat-protection/auditing/event-4725.md +++ b/windows/security/threat-protection/auditing/event-4725.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4725(S): A user account was disabled. diff --git a/windows/security/threat-protection/auditing/event-4726.md b/windows/security/threat-protection/auditing/event-4726.md index 620ba8bbeb..7df0779c4a 100644 --- a/windows/security/threat-protection/auditing/event-4726.md +++ b/windows/security/threat-protection/auditing/event-4726.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4726(S): A user account was deleted. diff --git a/windows/security/threat-protection/auditing/event-4731.md b/windows/security/threat-protection/auditing/event-4731.md index 39426b84ac..ca1c673af4 100644 --- a/windows/security/threat-protection/auditing/event-4731.md +++ b/windows/security/threat-protection/auditing/event-4731.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4731(S): A security-enabled local group was created. diff --git a/windows/security/threat-protection/auditing/event-4732.md b/windows/security/threat-protection/auditing/event-4732.md index e68eecbb3d..8afb300906 100644 --- a/windows/security/threat-protection/auditing/event-4732.md +++ b/windows/security/threat-protection/auditing/event-4732.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4732(S): A member was added to a security-enabled local group. diff --git a/windows/security/threat-protection/auditing/event-4733.md b/windows/security/threat-protection/auditing/event-4733.md index b3dcf94109..3a24b2ef0f 100644 --- a/windows/security/threat-protection/auditing/event-4733.md +++ b/windows/security/threat-protection/auditing/event-4733.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4733(S): A member was removed from a security-enabled local group. diff --git a/windows/security/threat-protection/auditing/event-4734.md b/windows/security/threat-protection/auditing/event-4734.md index 2f83cfa9a5..ac2c5d7b93 100644 --- a/windows/security/threat-protection/auditing/event-4734.md +++ b/windows/security/threat-protection/auditing/event-4734.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4734(S): A security-enabled local group was deleted. diff --git a/windows/security/threat-protection/auditing/event-4735.md b/windows/security/threat-protection/auditing/event-4735.md index f590b87f44..4842263179 100644 --- a/windows/security/threat-protection/auditing/event-4735.md +++ b/windows/security/threat-protection/auditing/event-4735.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4735(S): A security-enabled local group was changed. diff --git a/windows/security/threat-protection/auditing/event-4738.md b/windows/security/threat-protection/auditing/event-4738.md index ef5a72da75..63352ed67e 100644 --- a/windows/security/threat-protection/auditing/event-4738.md +++ b/windows/security/threat-protection/auditing/event-4738.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4738(S): A user account was changed. diff --git a/windows/security/threat-protection/auditing/event-4739.md b/windows/security/threat-protection/auditing/event-4739.md index 4ecbfdf064..d43bdb27e2 100644 --- a/windows/security/threat-protection/auditing/event-4739.md +++ b/windows/security/threat-protection/auditing/event-4739.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4739(S): Domain Policy was changed. diff --git a/windows/security/threat-protection/auditing/event-4740.md b/windows/security/threat-protection/auditing/event-4740.md index 63c75713f7..46c0cdcb9d 100644 --- a/windows/security/threat-protection/auditing/event-4740.md +++ b/windows/security/threat-protection/auditing/event-4740.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4740(S): A user account was locked out. diff --git a/windows/security/threat-protection/auditing/event-4741.md b/windows/security/threat-protection/auditing/event-4741.md index 0152e427a6..5245280f11 100644 --- a/windows/security/threat-protection/auditing/event-4741.md +++ b/windows/security/threat-protection/auditing/event-4741.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4741(S): A computer account was created. diff --git a/windows/security/threat-protection/auditing/event-4742.md b/windows/security/threat-protection/auditing/event-4742.md index de51f96421..3f5f9c2eb6 100644 --- a/windows/security/threat-protection/auditing/event-4742.md +++ b/windows/security/threat-protection/auditing/event-4742.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4742(S): A computer account was changed. diff --git a/windows/security/threat-protection/auditing/event-4743.md b/windows/security/threat-protection/auditing/event-4743.md index cfa007a9b7..50411689a9 100644 --- a/windows/security/threat-protection/auditing/event-4743.md +++ b/windows/security/threat-protection/auditing/event-4743.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4743(S): A computer account was deleted. diff --git a/windows/security/threat-protection/auditing/event-4749.md b/windows/security/threat-protection/auditing/event-4749.md index f49d9f6c7c..8293c95b2b 100644 --- a/windows/security/threat-protection/auditing/event-4749.md +++ b/windows/security/threat-protection/auditing/event-4749.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4749(S): A security-disabled global group was created. diff --git a/windows/security/threat-protection/auditing/event-4750.md b/windows/security/threat-protection/auditing/event-4750.md index aa3be8fba0..d106e10077 100644 --- a/windows/security/threat-protection/auditing/event-4750.md +++ b/windows/security/threat-protection/auditing/event-4750.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4750(S): A security-disabled global group was changed. diff --git a/windows/security/threat-protection/auditing/event-4751.md b/windows/security/threat-protection/auditing/event-4751.md index fdd8a37fcc..e3bdca780e 100644 --- a/windows/security/threat-protection/auditing/event-4751.md +++ b/windows/security/threat-protection/auditing/event-4751.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4751(S): A member was added to a security-disabled global group. diff --git a/windows/security/threat-protection/auditing/event-4752.md b/windows/security/threat-protection/auditing/event-4752.md index d49e422f9e..f6b4fc37dd 100644 --- a/windows/security/threat-protection/auditing/event-4752.md +++ b/windows/security/threat-protection/auditing/event-4752.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4752(S): A member was removed from a security-disabled global group. diff --git a/windows/security/threat-protection/auditing/event-4753.md b/windows/security/threat-protection/auditing/event-4753.md index b5f941a040..6bdf28a86b 100644 --- a/windows/security/threat-protection/auditing/event-4753.md +++ b/windows/security/threat-protection/auditing/event-4753.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4753(S): A security-disabled global group was deleted. diff --git a/windows/security/threat-protection/auditing/event-4764.md b/windows/security/threat-protection/auditing/event-4764.md index 85824b3df3..f959fc103a 100644 --- a/windows/security/threat-protection/auditing/event-4764.md +++ b/windows/security/threat-protection/auditing/event-4764.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4764(S): A group’s type was changed. diff --git a/windows/security/threat-protection/auditing/event-4765.md b/windows/security/threat-protection/auditing/event-4765.md index cf78144c6a..5789319e57 100644 --- a/windows/security/threat-protection/auditing/event-4765.md +++ b/windows/security/threat-protection/auditing/event-4765.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4765(S): SID History was added to an account. diff --git a/windows/security/threat-protection/auditing/event-4766.md b/windows/security/threat-protection/auditing/event-4766.md index 4178c53a80..4d0ec7ae25 100644 --- a/windows/security/threat-protection/auditing/event-4766.md +++ b/windows/security/threat-protection/auditing/event-4766.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4766(F): An attempt to add SID History to an account failed. diff --git a/windows/security/threat-protection/auditing/event-4767.md b/windows/security/threat-protection/auditing/event-4767.md index 21beb6c3ec..9dbf921ebf 100644 --- a/windows/security/threat-protection/auditing/event-4767.md +++ b/windows/security/threat-protection/auditing/event-4767.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4767(S): A user account was unlocked. diff --git a/windows/security/threat-protection/auditing/event-4768.md b/windows/security/threat-protection/auditing/event-4768.md index 1eded19698..825ba47534 100644 --- a/windows/security/threat-protection/auditing/event-4768.md +++ b/windows/security/threat-protection/auditing/event-4768.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4768(S, F): A Kerberos authentication ticket (TGT) was requested. @@ -219,7 +220,7 @@ The most common values: | 0x14 | KDC\_ERR\_TGT\_REVOKED | TGT has been revoked | Since the remote KDC may change its PKCROSS key while there are PKCROSS tickets still active, it SHOULD cache the old PKCROSS keys until the last issued PKCROSS ticket expires. Otherwise, the remote KDC will respond to a client with a KRB-ERROR message of type KDC\_ERR\_TGT\_REVOKED. See [RFC1510](https://www.ietf.org/proceedings/49/I-D/draft-ietf-cat-kerberos-pk-cross-07.txt) for more details. | | 0x15 | KDC\_ERR\_CLIENT\_NOTYET | Client not yet valid—try again later | No information. | | 0x16 | KDC\_ERR\_SERVICE\_NOTYET | Server not yet valid—try again later | No information. | -| 0x17 | KDC\_ERR\_KEY\_EXPIRED | Password has expired—change password to reset | The user’s password has expired.
                              This error code cannot occur in event “[4768](event-4768.md). A Kerberos authentication ticket (TGT) was requested”. It occurs in “[4771](event-4771.md). Kerberos pre-authentication failed” event. | +| 0x17 | KDC\_ERR\_KEY\_EXPIRED | Password has expired—change password to reset | The user’s password has expired. | | 0x18 | KDC\_ERR\_PREAUTH\_FAILED | Pre-authentication information was invalid | The wrong password was provided.
                              This error code cannot occur in event “[4768](event-4768.md). A Kerberos authentication ticket (TGT) was requested”. It occurs in “[4771](event-4771.md). Kerberos pre-authentication failed” event. | | 0x19 | KDC\_ERR\_PREAUTH\_REQUIRED | Additional pre-authentication required | This error often occurs in UNIX interoperability scenarios. MIT-Kerberos clients do not request pre-authentication when they send a KRB\_AS\_REQ message. If pre-authentication is required (the default), Windows systems will send this error. Most MIT-Kerberos clients will respond to this error by giving the pre-authentication, in which case the error can be ignored, but some clients might not respond in this way. | | 0x1A | KDC\_ERR\_SERVER\_NOMATCH | KDC does not know about the requested server | No information. | diff --git a/windows/security/threat-protection/auditing/event-4769.md b/windows/security/threat-protection/auditing/event-4769.md index bcf3312248..e82434467c 100644 --- a/windows/security/threat-protection/auditing/event-4769.md +++ b/windows/security/threat-protection/auditing/event-4769.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4769(S, F): A Kerberos service ticket was requested. diff --git a/windows/security/threat-protection/auditing/event-4770.md b/windows/security/threat-protection/auditing/event-4770.md index b24835b3ba..2027d8504f 100644 --- a/windows/security/threat-protection/auditing/event-4770.md +++ b/windows/security/threat-protection/auditing/event-4770.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4770(S): A Kerberos service ticket was renewed. diff --git a/windows/security/threat-protection/auditing/event-4771.md b/windows/security/threat-protection/auditing/event-4771.md index 0d4c72e45f..3ca1095e98 100644 --- a/windows/security/threat-protection/auditing/event-4771.md +++ b/windows/security/threat-protection/auditing/event-4771.md @@ -14,6 +14,7 @@ ms.author: vinpa ms.technology: itpro-security ms.collection: - highpri +ms.topic: reference --- # 4771(F): Kerberos pre-authentication failed. diff --git a/windows/security/threat-protection/auditing/event-4772.md b/windows/security/threat-protection/auditing/event-4772.md index 54fdd53057..3c378ccc0b 100644 --- a/windows/security/threat-protection/auditing/event-4772.md +++ b/windows/security/threat-protection/auditing/event-4772.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4772(F): A Kerberos authentication ticket request failed. diff --git a/windows/security/threat-protection/auditing/event-4773.md b/windows/security/threat-protection/auditing/event-4773.md index e3ad7e5b20..30c32b9f8d 100644 --- a/windows/security/threat-protection/auditing/event-4773.md +++ b/windows/security/threat-protection/auditing/event-4773.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4773(F): A Kerberos service ticket request failed. diff --git a/windows/security/threat-protection/auditing/event-4774.md b/windows/security/threat-protection/auditing/event-4774.md index 2301e2110f..2f9b37c352 100644 --- a/windows/security/threat-protection/auditing/event-4774.md +++ b/windows/security/threat-protection/auditing/event-4774.md @@ -8,10 +8,11 @@ ms.sitesec: library ms.localizationpriority: none author: vinaypamnani-msft ms.date: 09/07/2021 -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4774(S, F): An account was mapped for logon diff --git a/windows/security/threat-protection/auditing/event-4775.md b/windows/security/threat-protection/auditing/event-4775.md index 285efe300f..8281bb27e5 100644 --- a/windows/security/threat-protection/auditing/event-4775.md +++ b/windows/security/threat-protection/auditing/event-4775.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4775(F): An account could not be mapped for logon. diff --git a/windows/security/threat-protection/auditing/event-4776.md b/windows/security/threat-protection/auditing/event-4776.md index cebb01a7c7..e411b647ce 100644 --- a/windows/security/threat-protection/auditing/event-4776.md +++ b/windows/security/threat-protection/auditing/event-4776.md @@ -14,6 +14,7 @@ ms.author: vinpa ms.technology: itpro-security ms.collection: - highpri +ms.topic: reference --- # 4776(S, F): The computer attempted to validate the credentials for an account. diff --git a/windows/security/threat-protection/auditing/event-4777.md b/windows/security/threat-protection/auditing/event-4777.md index 21749ac3ac..e534dbee25 100644 --- a/windows/security/threat-protection/auditing/event-4777.md +++ b/windows/security/threat-protection/auditing/event-4777.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4777(F): The domain controller failed to validate the credentials for an account. diff --git a/windows/security/threat-protection/auditing/event-4778.md b/windows/security/threat-protection/auditing/event-4778.md index f9f3175763..76aac3738e 100644 --- a/windows/security/threat-protection/auditing/event-4778.md +++ b/windows/security/threat-protection/auditing/event-4778.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4778(S): A session was reconnected to a Window Station. diff --git a/windows/security/threat-protection/auditing/event-4779.md b/windows/security/threat-protection/auditing/event-4779.md index 4edf0f6668..7f6568c1cb 100644 --- a/windows/security/threat-protection/auditing/event-4779.md +++ b/windows/security/threat-protection/auditing/event-4779.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4779(S): A session was disconnected from a Window Station. diff --git a/windows/security/threat-protection/auditing/event-4780.md b/windows/security/threat-protection/auditing/event-4780.md index 982fa983de..5195929a0e 100644 --- a/windows/security/threat-protection/auditing/event-4780.md +++ b/windows/security/threat-protection/auditing/event-4780.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4780(S): The ACL was set on accounts which are members of administrators groups. diff --git a/windows/security/threat-protection/auditing/event-4781.md b/windows/security/threat-protection/auditing/event-4781.md index 856cd7cb4b..fc2aaffc53 100644 --- a/windows/security/threat-protection/auditing/event-4781.md +++ b/windows/security/threat-protection/auditing/event-4781.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4781(S): The name of an account was changed. diff --git a/windows/security/threat-protection/auditing/event-4782.md b/windows/security/threat-protection/auditing/event-4782.md index 3a6d312600..a0615135c6 100644 --- a/windows/security/threat-protection/auditing/event-4782.md +++ b/windows/security/threat-protection/auditing/event-4782.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4782(S): The password hash of an account was accessed. diff --git a/windows/security/threat-protection/auditing/event-4793.md b/windows/security/threat-protection/auditing/event-4793.md index 7c64bea4eb..cc197ccb60 100644 --- a/windows/security/threat-protection/auditing/event-4793.md +++ b/windows/security/threat-protection/auditing/event-4793.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4793(S): The Password Policy Checking API was called. diff --git a/windows/security/threat-protection/auditing/event-4794.md b/windows/security/threat-protection/auditing/event-4794.md index 8519e79e9d..6bcb12e02c 100644 --- a/windows/security/threat-protection/auditing/event-4794.md +++ b/windows/security/threat-protection/auditing/event-4794.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4794(S, F): An attempt was made to set the Directory Services Restore Mode administrator password. diff --git a/windows/security/threat-protection/auditing/event-4798.md b/windows/security/threat-protection/auditing/event-4798.md index 396f15d0b2..696366f22d 100644 --- a/windows/security/threat-protection/auditing/event-4798.md +++ b/windows/security/threat-protection/auditing/event-4798.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4798(S): A user's local group membership was enumerated. diff --git a/windows/security/threat-protection/auditing/event-4799.md b/windows/security/threat-protection/auditing/event-4799.md index ad750b391e..1cf362be1d 100644 --- a/windows/security/threat-protection/auditing/event-4799.md +++ b/windows/security/threat-protection/auditing/event-4799.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4799(S): A security-enabled local group membership was enumerated. diff --git a/windows/security/threat-protection/auditing/event-4800.md b/windows/security/threat-protection/auditing/event-4800.md index 87f46d5a18..89c94ade64 100644 --- a/windows/security/threat-protection/auditing/event-4800.md +++ b/windows/security/threat-protection/auditing/event-4800.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4800(S): The workstation was locked. diff --git a/windows/security/threat-protection/auditing/event-4801.md b/windows/security/threat-protection/auditing/event-4801.md index f94c08e08f..906e46fcd3 100644 --- a/windows/security/threat-protection/auditing/event-4801.md +++ b/windows/security/threat-protection/auditing/event-4801.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4801(S): The workstation was unlocked. diff --git a/windows/security/threat-protection/auditing/event-4802.md b/windows/security/threat-protection/auditing/event-4802.md index 6590d5bd4b..1b423f29ee 100644 --- a/windows/security/threat-protection/auditing/event-4802.md +++ b/windows/security/threat-protection/auditing/event-4802.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4802(S): The screen saver was invoked. diff --git a/windows/security/threat-protection/auditing/event-4803.md b/windows/security/threat-protection/auditing/event-4803.md index 2c0e8d441b..247e3c704d 100644 --- a/windows/security/threat-protection/auditing/event-4803.md +++ b/windows/security/threat-protection/auditing/event-4803.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4803(S): The screen saver was dismissed. diff --git a/windows/security/threat-protection/auditing/event-4816.md b/windows/security/threat-protection/auditing/event-4816.md index 8d61ef6f9a..8636e1abef 100644 --- a/windows/security/threat-protection/auditing/event-4816.md +++ b/windows/security/threat-protection/auditing/event-4816.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4816(S): RPC detected an integrity violation while decrypting an incoming message. diff --git a/windows/security/threat-protection/auditing/event-4817.md b/windows/security/threat-protection/auditing/event-4817.md index 2cb3ae3794..ff20520062 100644 --- a/windows/security/threat-protection/auditing/event-4817.md +++ b/windows/security/threat-protection/auditing/event-4817.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4817(S): Auditing settings on object were changed. diff --git a/windows/security/threat-protection/auditing/event-4818.md b/windows/security/threat-protection/auditing/event-4818.md index 25c2111bd2..c884c2e7a8 100644 --- a/windows/security/threat-protection/auditing/event-4818.md +++ b/windows/security/threat-protection/auditing/event-4818.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4818(S): Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy. diff --git a/windows/security/threat-protection/auditing/event-4819.md b/windows/security/threat-protection/auditing/event-4819.md index 69743c28c7..e8bca4427e 100644 --- a/windows/security/threat-protection/auditing/event-4819.md +++ b/windows/security/threat-protection/auditing/event-4819.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4819(S): Central Access Policies on the machine have been changed. diff --git a/windows/security/threat-protection/auditing/event-4826.md b/windows/security/threat-protection/auditing/event-4826.md index 914961945b..001e6c6026 100644 --- a/windows/security/threat-protection/auditing/event-4826.md +++ b/windows/security/threat-protection/auditing/event-4826.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4826(S): Boot Configuration Data loaded. diff --git a/windows/security/threat-protection/auditing/event-4864.md b/windows/security/threat-protection/auditing/event-4864.md index e70836a75b..a26b552f4a 100644 --- a/windows/security/threat-protection/auditing/event-4864.md +++ b/windows/security/threat-protection/auditing/event-4864.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4864(S): A namespace collision was detected. diff --git a/windows/security/threat-protection/auditing/event-4865.md b/windows/security/threat-protection/auditing/event-4865.md index 76624588fc..aa44c9bb6a 100644 --- a/windows/security/threat-protection/auditing/event-4865.md +++ b/windows/security/threat-protection/auditing/event-4865.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4865(S): A trusted forest information entry was added. diff --git a/windows/security/threat-protection/auditing/event-4866.md b/windows/security/threat-protection/auditing/event-4866.md index 1e1b870506..1fcc07f446 100644 --- a/windows/security/threat-protection/auditing/event-4866.md +++ b/windows/security/threat-protection/auditing/event-4866.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4866(S): A trusted forest information entry was removed. diff --git a/windows/security/threat-protection/auditing/event-4867.md b/windows/security/threat-protection/auditing/event-4867.md index 24063dad9d..ce30699bfa 100644 --- a/windows/security/threat-protection/auditing/event-4867.md +++ b/windows/security/threat-protection/auditing/event-4867.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4867(S): A trusted forest information entry was modified. diff --git a/windows/security/threat-protection/auditing/event-4902.md b/windows/security/threat-protection/auditing/event-4902.md index 5b2a94af52..7185b9f3da 100644 --- a/windows/security/threat-protection/auditing/event-4902.md +++ b/windows/security/threat-protection/auditing/event-4902.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4902(S): The Per-user audit policy table was created. diff --git a/windows/security/threat-protection/auditing/event-4904.md b/windows/security/threat-protection/auditing/event-4904.md index fd9ee497a2..90858c5844 100644 --- a/windows/security/threat-protection/auditing/event-4904.md +++ b/windows/security/threat-protection/auditing/event-4904.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4904(S): An attempt was made to register a security event source. diff --git a/windows/security/threat-protection/auditing/event-4905.md b/windows/security/threat-protection/auditing/event-4905.md index c8ba9bb9c9..14eb6cfa8b 100644 --- a/windows/security/threat-protection/auditing/event-4905.md +++ b/windows/security/threat-protection/auditing/event-4905.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4905(S): An attempt was made to unregister a security event source. diff --git a/windows/security/threat-protection/auditing/event-4906.md b/windows/security/threat-protection/auditing/event-4906.md index 4913d0d431..2058342aa0 100644 --- a/windows/security/threat-protection/auditing/event-4906.md +++ b/windows/security/threat-protection/auditing/event-4906.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4906(S): The CrashOnAuditFail value has changed. diff --git a/windows/security/threat-protection/auditing/event-4907.md b/windows/security/threat-protection/auditing/event-4907.md index 70de13eecf..c38b66d51b 100644 --- a/windows/security/threat-protection/auditing/event-4907.md +++ b/windows/security/threat-protection/auditing/event-4907.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4907(S): Auditing settings on object were changed. diff --git a/windows/security/threat-protection/auditing/event-4908.md b/windows/security/threat-protection/auditing/event-4908.md index b5351ecbd4..3314e94436 100644 --- a/windows/security/threat-protection/auditing/event-4908.md +++ b/windows/security/threat-protection/auditing/event-4908.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4908(S): Special Groups Logon table modified. diff --git a/windows/security/threat-protection/auditing/event-4909.md b/windows/security/threat-protection/auditing/event-4909.md index ab35104b88..8a8631489a 100644 --- a/windows/security/threat-protection/auditing/event-4909.md +++ b/windows/security/threat-protection/auditing/event-4909.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4909(-): The local policy settings for the TBS were changed. diff --git a/windows/security/threat-protection/auditing/event-4910.md b/windows/security/threat-protection/auditing/event-4910.md index 2e46e4e49e..15276f29ce 100644 --- a/windows/security/threat-protection/auditing/event-4910.md +++ b/windows/security/threat-protection/auditing/event-4910.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4910(-): The group policy settings for the TBS were changed. diff --git a/windows/security/threat-protection/auditing/event-4911.md b/windows/security/threat-protection/auditing/event-4911.md index b72644a868..abc112dbb4 100644 --- a/windows/security/threat-protection/auditing/event-4911.md +++ b/windows/security/threat-protection/auditing/event-4911.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4911(S): Resource attributes of the object were changed. diff --git a/windows/security/threat-protection/auditing/event-4912.md b/windows/security/threat-protection/auditing/event-4912.md index 3ac8a96880..0c0e66f90e 100644 --- a/windows/security/threat-protection/auditing/event-4912.md +++ b/windows/security/threat-protection/auditing/event-4912.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4912(S): Per User Audit Policy was changed. diff --git a/windows/security/threat-protection/auditing/event-4913.md b/windows/security/threat-protection/auditing/event-4913.md index 949b10bd58..e15a691617 100644 --- a/windows/security/threat-protection/auditing/event-4913.md +++ b/windows/security/threat-protection/auditing/event-4913.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4913(S): Central Access Policy on the object was changed. diff --git a/windows/security/threat-protection/auditing/event-4928.md b/windows/security/threat-protection/auditing/event-4928.md index d39db3ef25..902113bb5c 100644 --- a/windows/security/threat-protection/auditing/event-4928.md +++ b/windows/security/threat-protection/auditing/event-4928.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4928(S, F): An Active Directory replica source naming context was established. diff --git a/windows/security/threat-protection/auditing/event-4929.md b/windows/security/threat-protection/auditing/event-4929.md index 596b209eb4..3fd978d0e3 100644 --- a/windows/security/threat-protection/auditing/event-4929.md +++ b/windows/security/threat-protection/auditing/event-4929.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4929(S, F): An Active Directory replica source naming context was removed. diff --git a/windows/security/threat-protection/auditing/event-4930.md b/windows/security/threat-protection/auditing/event-4930.md index e66843285f..1b7bee26bf 100644 --- a/windows/security/threat-protection/auditing/event-4930.md +++ b/windows/security/threat-protection/auditing/event-4930.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4930(S, F): An Active Directory replica source naming context was modified. diff --git a/windows/security/threat-protection/auditing/event-4931.md b/windows/security/threat-protection/auditing/event-4931.md index 27be6fe7ed..75acecb89f 100644 --- a/windows/security/threat-protection/auditing/event-4931.md +++ b/windows/security/threat-protection/auditing/event-4931.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4931(S, F): An Active Directory replica destination naming context was modified. diff --git a/windows/security/threat-protection/auditing/event-4932.md b/windows/security/threat-protection/auditing/event-4932.md index 71e22cd118..4cdd6b7bdd 100644 --- a/windows/security/threat-protection/auditing/event-4932.md +++ b/windows/security/threat-protection/auditing/event-4932.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4932(S): Synchronization of a replica of an Active Directory naming context has begun. diff --git a/windows/security/threat-protection/auditing/event-4933.md b/windows/security/threat-protection/auditing/event-4933.md index 3937b0e178..b1636e8e63 100644 --- a/windows/security/threat-protection/auditing/event-4933.md +++ b/windows/security/threat-protection/auditing/event-4933.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4933(S, F): Synchronization of a replica of an Active Directory naming context has ended. diff --git a/windows/security/threat-protection/auditing/event-4934.md b/windows/security/threat-protection/auditing/event-4934.md index 90e2db1e04..efafcb9b79 100644 --- a/windows/security/threat-protection/auditing/event-4934.md +++ b/windows/security/threat-protection/auditing/event-4934.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4934(S): Attributes of an Active Directory object were replicated. diff --git a/windows/security/threat-protection/auditing/event-4935.md b/windows/security/threat-protection/auditing/event-4935.md index 79ef8d6e1c..a126742afb 100644 --- a/windows/security/threat-protection/auditing/event-4935.md +++ b/windows/security/threat-protection/auditing/event-4935.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4935(F): Replication failure begins. diff --git a/windows/security/threat-protection/auditing/event-4936.md b/windows/security/threat-protection/auditing/event-4936.md index 16a640d3bb..e2818ec6ee 100644 --- a/windows/security/threat-protection/auditing/event-4936.md +++ b/windows/security/threat-protection/auditing/event-4936.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4936(S): Replication failure ends. diff --git a/windows/security/threat-protection/auditing/event-4937.md b/windows/security/threat-protection/auditing/event-4937.md index 731aceca7a..8296ce75c4 100644 --- a/windows/security/threat-protection/auditing/event-4937.md +++ b/windows/security/threat-protection/auditing/event-4937.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4937(S): A lingering object was removed from a replica. diff --git a/windows/security/threat-protection/auditing/event-4944.md b/windows/security/threat-protection/auditing/event-4944.md index 7db0bee853..bb08c3a077 100644 --- a/windows/security/threat-protection/auditing/event-4944.md +++ b/windows/security/threat-protection/auditing/event-4944.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4944(S): The following policy was active when the Windows Firewall started. diff --git a/windows/security/threat-protection/auditing/event-4945.md b/windows/security/threat-protection/auditing/event-4945.md index 8d73c9f148..852ed5f03e 100644 --- a/windows/security/threat-protection/auditing/event-4945.md +++ b/windows/security/threat-protection/auditing/event-4945.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4945(S): A rule was listed when the Windows Firewall started. diff --git a/windows/security/threat-protection/auditing/event-4946.md b/windows/security/threat-protection/auditing/event-4946.md index d2fafe1dfc..ab355b85c1 100644 --- a/windows/security/threat-protection/auditing/event-4946.md +++ b/windows/security/threat-protection/auditing/event-4946.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4946(S): A change has been made to Windows Firewall exception list. A rule was added. diff --git a/windows/security/threat-protection/auditing/event-4947.md b/windows/security/threat-protection/auditing/event-4947.md index 674449382b..284d2d4303 100644 --- a/windows/security/threat-protection/auditing/event-4947.md +++ b/windows/security/threat-protection/auditing/event-4947.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4947(S): A change has been made to Windows Firewall exception list. A rule was modified. diff --git a/windows/security/threat-protection/auditing/event-4948.md b/windows/security/threat-protection/auditing/event-4948.md index 43acd0b7a9..da8f423b29 100644 --- a/windows/security/threat-protection/auditing/event-4948.md +++ b/windows/security/threat-protection/auditing/event-4948.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4948(S): A change has been made to Windows Firewall exception list. A rule was deleted. diff --git a/windows/security/threat-protection/auditing/event-4949.md b/windows/security/threat-protection/auditing/event-4949.md index 81db5c36c6..528ad262bb 100644 --- a/windows/security/threat-protection/auditing/event-4949.md +++ b/windows/security/threat-protection/auditing/event-4949.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4949(S): Windows Firewall settings were restored to the default values. diff --git a/windows/security/threat-protection/auditing/event-4950.md b/windows/security/threat-protection/auditing/event-4950.md index b4bd969a10..8a3aa4274a 100644 --- a/windows/security/threat-protection/auditing/event-4950.md +++ b/windows/security/threat-protection/auditing/event-4950.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4950(S): A Windows Firewall setting has changed. diff --git a/windows/security/threat-protection/auditing/event-4951.md b/windows/security/threat-protection/auditing/event-4951.md index f585ac4615..7addb69d77 100644 --- a/windows/security/threat-protection/auditing/event-4951.md +++ b/windows/security/threat-protection/auditing/event-4951.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4951(F): A rule has been ignored because its major version number wasn't recognized by Windows Firewall. diff --git a/windows/security/threat-protection/auditing/event-4952.md b/windows/security/threat-protection/auditing/event-4952.md index f95423f1c1..1dd166db54 100644 --- a/windows/security/threat-protection/auditing/event-4952.md +++ b/windows/security/threat-protection/auditing/event-4952.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4952(F): Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced. diff --git a/windows/security/threat-protection/auditing/event-4953.md b/windows/security/threat-protection/auditing/event-4953.md index dfce2c4545..5a5a97d56a 100644 --- a/windows/security/threat-protection/auditing/event-4953.md +++ b/windows/security/threat-protection/auditing/event-4953.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4953(F): Windows Firewall ignored a rule because it couldn't be parsed. diff --git a/windows/security/threat-protection/auditing/event-4954.md b/windows/security/threat-protection/auditing/event-4954.md index 09f0a2ce76..07977d6aff 100644 --- a/windows/security/threat-protection/auditing/event-4954.md +++ b/windows/security/threat-protection/auditing/event-4954.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4954(S): Windows Firewall Group Policy settings have changed. The new settings have been applied. diff --git a/windows/security/threat-protection/auditing/event-4956.md b/windows/security/threat-protection/auditing/event-4956.md index 2344350879..105b780984 100644 --- a/windows/security/threat-protection/auditing/event-4956.md +++ b/windows/security/threat-protection/auditing/event-4956.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4956(S): Windows Firewall has changed the active profile. diff --git a/windows/security/threat-protection/auditing/event-4957.md b/windows/security/threat-protection/auditing/event-4957.md index c408811451..49fae3fef5 100644 --- a/windows/security/threat-protection/auditing/event-4957.md +++ b/windows/security/threat-protection/auditing/event-4957.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4957(F): Windows Firewall did not apply the following rule. diff --git a/windows/security/threat-protection/auditing/event-4958.md b/windows/security/threat-protection/auditing/event-4958.md index e05fc62bfa..45964176a6 100644 --- a/windows/security/threat-protection/auditing/event-4958.md +++ b/windows/security/threat-protection/auditing/event-4958.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4958(F): Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer. diff --git a/windows/security/threat-protection/auditing/event-4964.md b/windows/security/threat-protection/auditing/event-4964.md index 6c8452f0d6..51893d2572 100644 --- a/windows/security/threat-protection/auditing/event-4964.md +++ b/windows/security/threat-protection/auditing/event-4964.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4964(S): Special groups have been assigned to a new logon. diff --git a/windows/security/threat-protection/auditing/event-4985.md b/windows/security/threat-protection/auditing/event-4985.md index b5cdedc6a7..8150e62b11 100644 --- a/windows/security/threat-protection/auditing/event-4985.md +++ b/windows/security/threat-protection/auditing/event-4985.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4985(S): The state of a transaction has changed. diff --git a/windows/security/threat-protection/auditing/event-5024.md b/windows/security/threat-protection/auditing/event-5024.md index c6f473df75..9e06608869 100644 --- a/windows/security/threat-protection/auditing/event-5024.md +++ b/windows/security/threat-protection/auditing/event-5024.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 5024(S): The Windows Firewall Service has started successfully. diff --git a/windows/security/threat-protection/auditing/event-5025.md b/windows/security/threat-protection/auditing/event-5025.md index 4dd4c320c6..9ae2fe14d0 100644 --- a/windows/security/threat-protection/auditing/event-5025.md +++ b/windows/security/threat-protection/auditing/event-5025.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 5025(S): The Windows Firewall Service has been stopped. diff --git a/windows/security/threat-protection/auditing/event-5027.md b/windows/security/threat-protection/auditing/event-5027.md index 652dac8c47..d654b82a01 100644 --- a/windows/security/threat-protection/auditing/event-5027.md +++ b/windows/security/threat-protection/auditing/event-5027.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 5027(F): The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy. diff --git a/windows/security/threat-protection/auditing/event-5028.md b/windows/security/threat-protection/auditing/event-5028.md index 6650d79ec5..bf9c62d91a 100644 --- a/windows/security/threat-protection/auditing/event-5028.md +++ b/windows/security/threat-protection/auditing/event-5028.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 5028(F): The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy. diff --git a/windows/security/threat-protection/auditing/event-5029.md b/windows/security/threat-protection/auditing/event-5029.md index 7ca1bb4522..4a36c10d4d 100644 --- a/windows/security/threat-protection/auditing/event-5029.md +++ b/windows/security/threat-protection/auditing/event-5029.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 5029(F): The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy. diff --git a/windows/security/threat-protection/auditing/event-5030.md b/windows/security/threat-protection/auditing/event-5030.md index 24660d6d45..aa78cb3b62 100644 --- a/windows/security/threat-protection/auditing/event-5030.md +++ b/windows/security/threat-protection/auditing/event-5030.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 5030(F): The Windows Firewall Service failed to start. diff --git a/windows/security/threat-protection/auditing/event-5031.md b/windows/security/threat-protection/auditing/event-5031.md index c328c46107..04c03b1ee6 100644 --- a/windows/security/threat-protection/auditing/event-5031.md +++ b/windows/security/threat-protection/auditing/event-5031.md @@ -12,6 +12,7 @@ ms.localizationpriority: none author: vinaypamnani-msft ms.date: 09/08/2021 ms.technology: itpro-security +ms.topic: reference --- # 5031(F): The Windows Firewall Service blocked an application from accepting incoming connections on the network. diff --git a/windows/security/threat-protection/auditing/event-5032.md b/windows/security/threat-protection/auditing/event-5032.md index 231acb67b1..af43e8ea73 100644 --- a/windows/security/threat-protection/auditing/event-5032.md +++ b/windows/security/threat-protection/auditing/event-5032.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 5032(F): Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network. diff --git a/windows/security/threat-protection/auditing/event-5033.md b/windows/security/threat-protection/auditing/event-5033.md index ce127dad94..467ba04e40 100644 --- a/windows/security/threat-protection/auditing/event-5033.md +++ b/windows/security/threat-protection/auditing/event-5033.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 5033(S): The Windows Firewall Driver has started successfully. diff --git a/windows/security/threat-protection/auditing/event-5034.md b/windows/security/threat-protection/auditing/event-5034.md index 52c8c2522d..dc2d097c4a 100644 --- a/windows/security/threat-protection/auditing/event-5034.md +++ b/windows/security/threat-protection/auditing/event-5034.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 5034(S): The Windows Firewall Driver was stopped. diff --git a/windows/security/threat-protection/auditing/event-5035.md b/windows/security/threat-protection/auditing/event-5035.md index 3cf63d5224..88a49892a6 100644 --- a/windows/security/threat-protection/auditing/event-5035.md +++ b/windows/security/threat-protection/auditing/event-5035.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 5035(F): The Windows Firewall Driver failed to start. diff --git a/windows/security/threat-protection/auditing/event-5037.md b/windows/security/threat-protection/auditing/event-5037.md index bf6d42a9ef..f25a054fe7 100644 --- a/windows/security/threat-protection/auditing/event-5037.md +++ b/windows/security/threat-protection/auditing/event-5037.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 5037(F): The Windows Firewall Driver detected critical runtime error. Terminating. diff --git a/windows/security/threat-protection/auditing/event-5038.md b/windows/security/threat-protection/auditing/event-5038.md index 3b4aa0d998..e824e93afe 100644 --- a/windows/security/threat-protection/auditing/event-5038.md +++ b/windows/security/threat-protection/auditing/event-5038.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 5038(F): Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error. diff --git a/windows/security/threat-protection/auditing/event-5039.md b/windows/security/threat-protection/auditing/event-5039.md index e1f249411a..7bf2bf5471 100644 --- a/windows/security/threat-protection/auditing/event-5039.md +++ b/windows/security/threat-protection/auditing/event-5039.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 5039(-): A registry key was virtualized. diff --git a/windows/security/threat-protection/auditing/event-5051.md b/windows/security/threat-protection/auditing/event-5051.md index 79d4e4b789..38a07353b3 100644 --- a/windows/security/threat-protection/auditing/event-5051.md +++ b/windows/security/threat-protection/auditing/event-5051.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 5051(-): A file was virtualized. diff --git a/windows/security/threat-protection/auditing/event-5056.md b/windows/security/threat-protection/auditing/event-5056.md index bac056b217..3711acef2d 100644 --- a/windows/security/threat-protection/auditing/event-5056.md +++ b/windows/security/threat-protection/auditing/event-5056.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 5056(S): A cryptographic self-test was performed. diff --git a/windows/security/threat-protection/auditing/event-5057.md b/windows/security/threat-protection/auditing/event-5057.md index 2013fda273..4fc7113c1b 100644 --- a/windows/security/threat-protection/auditing/event-5057.md +++ b/windows/security/threat-protection/auditing/event-5057.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 5057(F): A cryptographic primitive operation failed. diff --git a/windows/security/threat-protection/auditing/event-5058.md b/windows/security/threat-protection/auditing/event-5058.md index 2dae2d1e2f..b95c545e7c 100644 --- a/windows/security/threat-protection/auditing/event-5058.md +++ b/windows/security/threat-protection/auditing/event-5058.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 5058(S, F): Key file operation. diff --git a/windows/security/threat-protection/auditing/event-5059.md b/windows/security/threat-protection/auditing/event-5059.md index 6c069ab814..cdbae47721 100644 --- a/windows/security/threat-protection/auditing/event-5059.md +++ b/windows/security/threat-protection/auditing/event-5059.md @@ -2,7 +2,7 @@ title: 5059(S, F) Key migration operation. (Windows 10) description: Describes security event 5059(S, F) Key migration operation. This event is generated when a cryptographic key is exported/imported using a Key Storage Provider. ms.pagetype: security -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,7 +11,8 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: windows-sec +ms.technology: itpro-security +ms.topic: reference --- # 5059(S, F): Key migration operation. diff --git a/windows/security/threat-protection/auditing/event-5060.md b/windows/security/threat-protection/auditing/event-5060.md index 00c3fc26b4..60ec2cbd3e 100644 --- a/windows/security/threat-protection/auditing/event-5060.md +++ b/windows/security/threat-protection/auditing/event-5060.md @@ -2,7 +2,7 @@ title: 5060(F) Verification operation failed. (Windows 10) description: Describes security event 5060(F) Verification operation failed. This event is generated when the CNG verification operation fails. ms.pagetype: security -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,7 +11,8 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: windows-sec +ms.technology: itpro-security +ms.topic: reference --- # 5060(F): Verification operation failed. diff --git a/windows/security/threat-protection/auditing/event-5061.md b/windows/security/threat-protection/auditing/event-5061.md index 2b6cc4b64c..802ee6cc60 100644 --- a/windows/security/threat-protection/auditing/event-5061.md +++ b/windows/security/threat-protection/auditing/event-5061.md @@ -2,7 +2,7 @@ title: 5061(S, F) Cryptographic operation. (Windows 10) description: Describes security event 5061(S, F) Cryptographic operation. This event is generated when a cryptographic operation is performed using a Key Storage Provider. ms.pagetype: security -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,7 +11,8 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: windows-sec +ms.technology: itpro-security +ms.topic: reference --- # 5061(S, F): Cryptographic operation. diff --git a/windows/security/threat-protection/auditing/event-5062.md b/windows/security/threat-protection/auditing/event-5062.md index b038353b7d..a76dabb95e 100644 --- a/windows/security/threat-protection/auditing/event-5062.md +++ b/windows/security/threat-protection/auditing/event-5062.md @@ -2,7 +2,7 @@ title: 5062(S) A kernel-mode cryptographic self-test was performed. (Windows 10) description: Describes security event 5062(S) A kernel-mode cryptographic self-test was performed. ms.pagetype: security -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,7 +11,8 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: windows-sec +ms.technology: itpro-security +ms.topic: reference --- # 5062(S): A kernel-mode cryptographic self-test was performed. diff --git a/windows/security/threat-protection/auditing/event-5063.md b/windows/security/threat-protection/auditing/event-5063.md index 52e68d3dbd..41ac047786 100644 --- a/windows/security/threat-protection/auditing/event-5063.md +++ b/windows/security/threat-protection/auditing/event-5063.md @@ -2,7 +2,7 @@ title: 5063(S, F) A cryptographic provider operation was attempted. (Windows 10) description: Describes security event 5063(S, F) A cryptographic provider operation was attempted. ms.pagetype: security -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,7 +11,8 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: windows-sec +ms.technology: itpro-security +ms.topic: reference --- # 5063(S, F): A cryptographic provider operation was attempted. diff --git a/windows/security/threat-protection/auditing/event-5064.md b/windows/security/threat-protection/auditing/event-5064.md index 9dd6ca5e47..3467a2816a 100644 --- a/windows/security/threat-protection/auditing/event-5064.md +++ b/windows/security/threat-protection/auditing/event-5064.md @@ -2,7 +2,7 @@ title: 5064(S, F) A cryptographic context operation was attempted. (Windows 10) description: Describes security event 5064(S, F) A cryptographic context operation was attempted. ms.pagetype: security -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,7 +11,8 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: windows-sec +ms.technology: itpro-security +ms.topic: reference --- # 5064(S, F): A cryptographic context operation was attempted. diff --git a/windows/security/threat-protection/auditing/event-5065.md b/windows/security/threat-protection/auditing/event-5065.md index 46772ff759..66bfddb1d1 100644 --- a/windows/security/threat-protection/auditing/event-5065.md +++ b/windows/security/threat-protection/auditing/event-5065.md @@ -2,7 +2,7 @@ title: 5065(S, F) A cryptographic context modification was attempted. (Windows 10) description: Describes security event 5065(S, F) A cryptographic context modification was attempted. ms.pagetype: security -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,7 +11,8 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: windows-sec +ms.technology: itpro-security +ms.topic: reference --- # 5065(S, F): A cryptographic context modification was attempted. diff --git a/windows/security/threat-protection/auditing/event-5066.md b/windows/security/threat-protection/auditing/event-5066.md index 1a4dd7ae96..62a0920fb7 100644 --- a/windows/security/threat-protection/auditing/event-5066.md +++ b/windows/security/threat-protection/auditing/event-5066.md @@ -2,7 +2,7 @@ title: 5066(S, F) A cryptographic function operation was attempted. (Windows 10) description: Describes security event 5066(S, F) A cryptographic function operation was attempted. ms.pagetype: security -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,7 +11,8 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: windows-sec +ms.technology: itpro-security +ms.topic: reference --- # 5066(S, F): A cryptographic function operation was attempted. diff --git a/windows/security/threat-protection/auditing/event-5067.md b/windows/security/threat-protection/auditing/event-5067.md index 01b6ce22cb..78cd9d24aa 100644 --- a/windows/security/threat-protection/auditing/event-5067.md +++ b/windows/security/threat-protection/auditing/event-5067.md @@ -2,7 +2,7 @@ title: 5067(S, F) A cryptographic function modification was attempted. (Windows 10) description: Describes security event 5067(S, F) A cryptographic function modification was attempted. ms.pagetype: security -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,7 +11,8 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: windows-sec +ms.technology: itpro-security +ms.topic: reference --- # 5067(S, F): A cryptographic function modification was attempted. diff --git a/windows/security/threat-protection/auditing/event-5068.md b/windows/security/threat-protection/auditing/event-5068.md index c365519a4c..791301bc3b 100644 --- a/windows/security/threat-protection/auditing/event-5068.md +++ b/windows/security/threat-protection/auditing/event-5068.md @@ -2,7 +2,7 @@ title: 5068(S, F) A cryptographic function provider operation was attempted. (Windows 10) description: Describes security event 5068(S, F) A cryptographic function provider operation was attempted. ms.pagetype: security -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,7 +11,8 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: windows-sec +ms.technology: itpro-security +ms.topic: reference --- # 5068(S, F): A cryptographic function provider operation was attempted. diff --git a/windows/security/threat-protection/auditing/event-5069.md b/windows/security/threat-protection/auditing/event-5069.md index 68a9da47b3..9894285dad 100644 --- a/windows/security/threat-protection/auditing/event-5069.md +++ b/windows/security/threat-protection/auditing/event-5069.md @@ -2,7 +2,7 @@ title: 5069(S, F) A cryptographic function property operation was attempted. (Windows 10) description: Describes security event 5069(S, F) A cryptographic function property operation was attempted. ms.pagetype: security -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,7 +11,8 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: windows-sec +ms.technology: itpro-security +ms.topic: reference --- # 5069(S, F): A cryptographic function property operation was attempted. diff --git a/windows/security/threat-protection/auditing/event-5070.md b/windows/security/threat-protection/auditing/event-5070.md index 85ccd666f0..ba4785e01b 100644 --- a/windows/security/threat-protection/auditing/event-5070.md +++ b/windows/security/threat-protection/auditing/event-5070.md @@ -2,7 +2,7 @@ title: 5070(S, F) A cryptographic function property modification was attempted. (Windows 10) description: Describes security event 5070(S, F) A cryptographic function property modification was attempted. ms.pagetype: security -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,7 +11,8 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: windows-sec +ms.technology: itpro-security +ms.topic: reference --- # 5070(S, F): A cryptographic function property modification was attempted. diff --git a/windows/security/threat-protection/auditing/event-5136.md b/windows/security/threat-protection/auditing/event-5136.md index d58033c0a7..97c0977a60 100644 --- a/windows/security/threat-protection/auditing/event-5136.md +++ b/windows/security/threat-protection/auditing/event-5136.md @@ -2,7 +2,7 @@ title: 5136(S) A directory service object was modified. (Windows 10) description: Describes security event 5136(S) A directory service object was modified. ms.pagetype: security -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,7 +11,8 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: windows-sec +ms.technology: itpro-security +ms.topic: reference --- # 5136(S): A directory service object was modified. diff --git a/windows/security/threat-protection/auditing/event-5137.md b/windows/security/threat-protection/auditing/event-5137.md index a0d084c4f8..bed5eae208 100644 --- a/windows/security/threat-protection/auditing/event-5137.md +++ b/windows/security/threat-protection/auditing/event-5137.md @@ -2,7 +2,7 @@ title: 5137(S) A directory service object was created. (Windows 10) description: Describes security event 5137(S) A directory service object was created. ms.pagetype: security -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,7 +11,8 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: windows-sec +ms.technology: itpro-security +ms.topic: reference --- # 5137(S): A directory service object was created. diff --git a/windows/security/threat-protection/auditing/event-5138.md b/windows/security/threat-protection/auditing/event-5138.md index abb03c8027..12d981909a 100644 --- a/windows/security/threat-protection/auditing/event-5138.md +++ b/windows/security/threat-protection/auditing/event-5138.md @@ -2,7 +2,7 @@ title: 5138(S) A directory service object was undeleted. (Windows 10) description: Describes security event 5138(S) A directory service object was undeleted. ms.pagetype: security -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,7 +11,8 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: windows-sec +ms.technology: itpro-security +ms.topic: reference --- # 5138(S): A directory service object was undeleted. diff --git a/windows/security/threat-protection/auditing/event-5139.md b/windows/security/threat-protection/auditing/event-5139.md index ca0b1825f9..6799a4e50d 100644 --- a/windows/security/threat-protection/auditing/event-5139.md +++ b/windows/security/threat-protection/auditing/event-5139.md @@ -2,7 +2,7 @@ title: 5139(S) A directory service object was moved. (Windows 10) description: Describes security event 5139(S) A directory service object was moved. ms.pagetype: security -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,7 +11,8 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: windows-sec +ms.technology: itpro-security +ms.topic: reference --- # 5139(S): A directory service object was moved. diff --git a/windows/security/threat-protection/auditing/event-5140.md b/windows/security/threat-protection/auditing/event-5140.md index ea890e4738..602e1d4024 100644 --- a/windows/security/threat-protection/auditing/event-5140.md +++ b/windows/security/threat-protection/auditing/event-5140.md @@ -2,7 +2,7 @@ title: 5140(S, F) A network share object was accessed. (Windows 10) description: Describes security event 5140(S, F) A network share object was accessed. ms.pagetype: security -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,7 +11,8 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: windows-sec +ms.technology: itpro-security +ms.topic: reference --- # 5140(S, F): A network share object was accessed. @@ -132,7 +133,7 @@ This event generates once per session, when first access attempt was made. **Access Request Information:** -- **Access Mask** \[Type = HexInt32\]: the sum of hexadecimal values of requested access rights. See “Table 13. File access codes.” for different hexadecimal values for access rights. Has always “**0x1**” value for this event. +- **Access Mask** \[Type = HexInt32\]: the sum of hexadecimal values of requested access rights. See [Table of file access codes](/windows/security/threat-protection/auditing/event-5145#table-of-file-access-codes) for different hexadecimal values for access rights. It always has “**0x1**” value for this event. - **Accesses** \[Type = UnicodeString\]: the list of access rights that were requested by **Subject\\Security ID**. These access rights depend on **Object Type**. Has always “**ReadData (or ListDirectory)**” value for this event. diff --git a/windows/security/threat-protection/auditing/event-5141.md b/windows/security/threat-protection/auditing/event-5141.md index fbc9435158..046ca20f9d 100644 --- a/windows/security/threat-protection/auditing/event-5141.md +++ b/windows/security/threat-protection/auditing/event-5141.md @@ -2,7 +2,7 @@ title: 5141(S) A directory service object was deleted. (Windows 10) description: Describes security event 5141(S) A directory service object was deleted. ms.pagetype: security -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,7 +11,8 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: windows-sec +ms.technology: itpro-security +ms.topic: reference --- # 5141(S): A directory service object was deleted. diff --git a/windows/security/threat-protection/auditing/event-5142.md b/windows/security/threat-protection/auditing/event-5142.md index 74e31d363f..3a69208c29 100644 --- a/windows/security/threat-protection/auditing/event-5142.md +++ b/windows/security/threat-protection/auditing/event-5142.md @@ -2,7 +2,7 @@ title: 5142(S) A network share object was added. (Windows 10) description: Describes security event 5142(S) A network share object was added. This event is generated when a network share object is added. ms.pagetype: security -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,7 +11,8 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: windows-sec +ms.technology: itpro-security +ms.topic: reference --- # 5142(S): A network share object was added. diff --git a/windows/security/threat-protection/auditing/event-5143.md b/windows/security/threat-protection/auditing/event-5143.md index e485322da4..e92068c93a 100644 --- a/windows/security/threat-protection/auditing/event-5143.md +++ b/windows/security/threat-protection/auditing/event-5143.md @@ -2,7 +2,7 @@ title: 5143(S) A network share object was modified. (Windows 10) description: Describes security event 5143(S) A network share object was modified. This event is generated when a network share object is modified. ms.pagetype: security -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,7 +11,8 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: windows-sec +ms.technology: itpro-security +ms.topic: reference --- # 5143(S): A network share object was modified. diff --git a/windows/security/threat-protection/auditing/event-5144.md b/windows/security/threat-protection/auditing/event-5144.md index 50f697a96f..da401f212d 100644 --- a/windows/security/threat-protection/auditing/event-5144.md +++ b/windows/security/threat-protection/auditing/event-5144.md @@ -2,7 +2,7 @@ title: 5144(S) A network share object was deleted. (Windows 10) description: Describes security event 5144(S) A network share object was deleted. This event is generated when a network share object is deleted. ms.pagetype: security -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,7 +11,8 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: windows-sec +ms.technology: itpro-security +ms.topic: reference --- # 5144(S): A network share object was deleted. diff --git a/windows/security/threat-protection/auditing/event-5145.md b/windows/security/threat-protection/auditing/event-5145.md index 782cdb4911..7b34010d4c 100644 --- a/windows/security/threat-protection/auditing/event-5145.md +++ b/windows/security/threat-protection/auditing/event-5145.md @@ -2,7 +2,7 @@ title: 5145(S, F) A network share object was checked to see whether client can be granted desired access. (Windows 10) description: Describes security event 5145(S, F) A network share object was checked to see whether client can be granted desired access. ms.pagetype: security -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,7 +11,8 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: windows-sec +ms.technology: itpro-security +ms.topic: reference --- # 5145(S, F): A network share object was checked to see whether client can be granted desired access. @@ -134,7 +135,7 @@ This event generates every time network share object (file or folder) was access **Access Request Information:** -- **Access Mask** \[Type = HexInt32\]: the sum of hexadecimal values of requested access rights. See “Table 13. File access codes.” for different hexadecimal values for access rights. +- **Access Mask** \[Type = HexInt32\]: the sum of hexadecimal values of requested access rights. See [Table of file access codes](/windows/security/threat-protection/auditing/event-5145#table-of-file-access-codes) for different hexadecimal values for access rights. - **Accesses** \[Type = UnicodeString\]: the list of access rights that were requested by **Subject\\Security ID**. These access rights depend on **Object Type**. @@ -318,4 +319,4 @@ For 5145(S, F): A network share object was checked to see whether client can be - WRITE\_DAC - - WRITE\_OWNER \ No newline at end of file + - WRITE\_OWNER diff --git a/windows/security/threat-protection/auditing/event-5148.md b/windows/security/threat-protection/auditing/event-5148.md index 109b4da544..5442a8a705 100644 --- a/windows/security/threat-protection/auditing/event-5148.md +++ b/windows/security/threat-protection/auditing/event-5148.md @@ -2,7 +2,7 @@ title: 5148(F) The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded. (Windows 10) description: Details on Security event 5148(F), The Windows Filtering Platform has detected a DoS attack and entered a defensive mode. ms.pagetype: security -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,7 +11,8 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: windows-sec +ms.technology: itpro-security +ms.topic: reference --- # 5148(F): The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded. diff --git a/windows/security/threat-protection/auditing/event-5149.md b/windows/security/threat-protection/auditing/event-5149.md index b94279645b..7e0dc6dd45 100644 --- a/windows/security/threat-protection/auditing/event-5149.md +++ b/windows/security/threat-protection/auditing/event-5149.md @@ -2,7 +2,7 @@ title: 5149(F) The DoS attack has subsided and normal processing is being resumed. (Windows 10) description: Describes security event 5149(F) The DoS attack has subsided and normal processing is being resumed. ms.pagetype: security -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,7 +11,8 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: windows-sec +ms.technology: itpro-security +ms.topic: reference --- # 5149(F): The DoS attack has subsided and normal processing is being resumed. diff --git a/windows/security/threat-protection/auditing/event-5150.md b/windows/security/threat-protection/auditing/event-5150.md index 23c35f76d7..80c82d807e 100644 --- a/windows/security/threat-protection/auditing/event-5150.md +++ b/windows/security/threat-protection/auditing/event-5150.md @@ -2,7 +2,7 @@ title: 5150(-) The Windows Filtering Platform blocked a packet. (Windows 10) description: Describes security event 5150(-) The Windows Filtering Platform blocked a packet. ms.pagetype: security -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,7 +11,8 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: windows-sec +ms.technology: itpro-security +ms.topic: reference --- # 5150(-): The Windows Filtering Platform blocked a packet. diff --git a/windows/security/threat-protection/auditing/event-5151.md b/windows/security/threat-protection/auditing/event-5151.md index 239d0556a2..6b7d1453bf 100644 --- a/windows/security/threat-protection/auditing/event-5151.md +++ b/windows/security/threat-protection/auditing/event-5151.md @@ -2,7 +2,7 @@ title: 5151(-) A more restrictive Windows Filtering Platform filter has blocked a packet. (Windows 10) description: Describes security event 5151(-) A more restrictive Windows Filtering Platform filter has blocked a packet. ms.pagetype: security -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,7 +11,8 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: windows-sec +ms.technology: itpro-security +ms.topic: reference --- # 5151(-): A more restrictive Windows Filtering Platform filter has blocked a packet. diff --git a/windows/security/threat-protection/auditing/event-5152.md b/windows/security/threat-protection/auditing/event-5152.md index 7fd8072d96..e5a76da383 100644 --- a/windows/security/threat-protection/auditing/event-5152.md +++ b/windows/security/threat-protection/auditing/event-5152.md @@ -2,7 +2,7 @@ title: 5152(F) The Windows Filtering Platform blocked a packet. (Windows 10) description: Describes security event 5152(F) The Windows Filtering Platform blocked a packet. ms.pagetype: security -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,7 +11,8 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: windows-sec +ms.technology: itpro-security +ms.topic: reference --- # 5152(F): The Windows Filtering Platform blocked a packet. diff --git a/windows/security/threat-protection/auditing/event-5153.md b/windows/security/threat-protection/auditing/event-5153.md index 355b963812..a321b76f20 100644 --- a/windows/security/threat-protection/auditing/event-5153.md +++ b/windows/security/threat-protection/auditing/event-5153.md @@ -2,7 +2,7 @@ title: 5153(S) A more restrictive Windows Filtering Platform filter has blocked a packet. (Windows 10) description: Describes security event 5153(S) A more restrictive Windows Filtering Platform filter has blocked a packet. ms.pagetype: security -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,7 +11,8 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: windows-sec +ms.technology: itpro-security +ms.topic: reference --- # 5153(S): A more restrictive Windows Filtering Platform filter has blocked a packet. diff --git a/windows/security/threat-protection/auditing/event-5154.md b/windows/security/threat-protection/auditing/event-5154.md index 4ada326421..9b2425ff9c 100644 --- a/windows/security/threat-protection/auditing/event-5154.md +++ b/windows/security/threat-protection/auditing/event-5154.md @@ -2,7 +2,7 @@ title: 5154(S) The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. (Windows 10) description: Describes security event 5154(S) The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. ms.pagetype: security -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,7 +11,8 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: windows-sec +ms.technology: itpro-security +ms.topic: reference --- # 5154(S): The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. diff --git a/windows/security/threat-protection/auditing/event-5155.md b/windows/security/threat-protection/auditing/event-5155.md index b24e159daf..e6efebdae1 100644 --- a/windows/security/threat-protection/auditing/event-5155.md +++ b/windows/security/threat-protection/auditing/event-5155.md @@ -2,7 +2,7 @@ title: 5155(F) The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. (Windows 10) description: Describes security event 5155(F) The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. ms.pagetype: security -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,7 +11,8 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: windows-sec +ms.technology: itpro-security +ms.topic: reference --- # 5155(F): The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. diff --git a/windows/security/threat-protection/auditing/event-5156.md b/windows/security/threat-protection/auditing/event-5156.md index a22acae52c..3d56301b24 100644 --- a/windows/security/threat-protection/auditing/event-5156.md +++ b/windows/security/threat-protection/auditing/event-5156.md @@ -2,7 +2,7 @@ title: 5156(S) The Windows Filtering Platform has permitted a connection. (Windows 10) description: Describes security event 5156(S) The Windows Filtering Platform has permitted a connection. ms.pagetype: security -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,7 +11,8 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: windows-sec +ms.technology: itpro-security +ms.topic: reference --- # 5156(S): The Windows Filtering Platform has permitted a connection. diff --git a/windows/security/threat-protection/auditing/event-5157.md b/windows/security/threat-protection/auditing/event-5157.md index c555d5aa36..4f62c99d51 100644 --- a/windows/security/threat-protection/auditing/event-5157.md +++ b/windows/security/threat-protection/auditing/event-5157.md @@ -2,7 +2,7 @@ title: 5157(F) The Windows Filtering Platform has blocked a connection. (Windows 10) description: Describes security event 5157(F) The Windows Filtering Platform has blocked a connection. ms.pagetype: security -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,7 +11,8 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: windows-sec +ms.technology: itpro-security +ms.topic: reference --- # 5157(F): The Windows Filtering Platform has blocked a connection. diff --git a/windows/security/threat-protection/auditing/event-5158.md b/windows/security/threat-protection/auditing/event-5158.md index 1255e8d0bb..cbc0d2d4ee 100644 --- a/windows/security/threat-protection/auditing/event-5158.md +++ b/windows/security/threat-protection/auditing/event-5158.md @@ -2,7 +2,7 @@ title: 5158(S) The Windows Filtering Platform has permitted a bind to a local port. (Windows 10) description: Describes security event 5158(S) The Windows Filtering Platform has permitted a bind to a local port. ms.pagetype: security -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,7 +11,8 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: windows-sec +ms.technology: itpro-security +ms.topic: reference --- # 5158(S): The Windows Filtering Platform has permitted a bind to a local port. diff --git a/windows/security/threat-protection/auditing/event-5159.md b/windows/security/threat-protection/auditing/event-5159.md index bbd1141c71..ffe34518c5 100644 --- a/windows/security/threat-protection/auditing/event-5159.md +++ b/windows/security/threat-protection/auditing/event-5159.md @@ -2,7 +2,7 @@ title: 5159(F) The Windows Filtering Platform has blocked a bind to a local port. (Windows 10) description: Describes security event 5159(F) The Windows Filtering Platform has blocked a bind to a local port. ms.pagetype: security -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,7 +11,8 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: windows-sec +ms.technology: itpro-security +ms.topic: reference --- # 5159(F): The Windows Filtering Platform has blocked a bind to a local port. diff --git a/windows/security/threat-protection/auditing/event-5168.md b/windows/security/threat-protection/auditing/event-5168.md index 1b97127e7f..f0ae1f47a8 100644 --- a/windows/security/threat-protection/auditing/event-5168.md +++ b/windows/security/threat-protection/auditing/event-5168.md @@ -2,7 +2,7 @@ title: 5168(F) SPN check for SMB/SMB2 failed. (Windows 10) description: Describes security event 5168(F) SPN check for SMB/SMB2 failed. This event is generated when an SMB SPN check fails. ms.pagetype: security -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,7 +11,8 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: windows-sec +ms.technology: itpro-security +ms.topic: reference --- # 5168(F): SPN check for SMB/SMB2 failed. diff --git a/windows/security/threat-protection/auditing/event-5376.md b/windows/security/threat-protection/auditing/event-5376.md index eaa77a9e64..ee08c45c93 100644 --- a/windows/security/threat-protection/auditing/event-5376.md +++ b/windows/security/threat-protection/auditing/event-5376.md @@ -2,7 +2,7 @@ title: 5376(S) Credential Manager credentials were backed up. (Windows 10) description: Describes security event 5376(S) Credential Manager credentials were backed up. ms.pagetype: security -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,7 +11,8 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: windows-sec +ms.technology: itpro-security +ms.topic: reference --- # 5376(S): Credential Manager credentials were backed up. diff --git a/windows/security/threat-protection/auditing/event-5377.md b/windows/security/threat-protection/auditing/event-5377.md index fd9c84db3a..a6f12f74f5 100644 --- a/windows/security/threat-protection/auditing/event-5377.md +++ b/windows/security/threat-protection/auditing/event-5377.md @@ -2,7 +2,7 @@ title: 5377(S) Credential Manager credentials were restored from a backup. (Windows 10) description: Describes security event 5377(S) Credential Manager credentials were restored from a backup. ms.pagetype: security -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,7 +11,8 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: windows-sec +ms.technology: itpro-security +ms.topic: reference --- # 5377(S): Credential Manager credentials were restored from a backup. diff --git a/windows/security/threat-protection/auditing/event-5378.md b/windows/security/threat-protection/auditing/event-5378.md index d25246b249..b6391769da 100644 --- a/windows/security/threat-protection/auditing/event-5378.md +++ b/windows/security/threat-protection/auditing/event-5378.md @@ -2,7 +2,7 @@ title: 5378(F) The requested credentials delegation was disallowed by policy. (Windows 10) description: Describes security event 5378(F) The requested credentials delegation was disallowed by policy. ms.pagetype: security -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,7 +11,8 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: windows-sec +ms.technology: itpro-security +ms.topic: reference --- # 5378(F): The requested credentials delegation was disallowed by policy. diff --git a/windows/security/threat-protection/auditing/event-5447.md b/windows/security/threat-protection/auditing/event-5447.md index 801d206b0b..96b013cf8c 100644 --- a/windows/security/threat-protection/auditing/event-5447.md +++ b/windows/security/threat-protection/auditing/event-5447.md @@ -2,7 +2,7 @@ title: 5447(S) A Windows Filtering Platform filter has been changed. (Windows 10) description: Describes security event 5447(S) A Windows Filtering Platform filter has been changed. ms.pagetype: security -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,7 +11,8 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: windows-sec +ms.technology: itpro-security +ms.topic: reference --- # 5447(S): A Windows Filtering Platform filter has been changed. diff --git a/windows/security/threat-protection/auditing/event-5632.md b/windows/security/threat-protection/auditing/event-5632.md index 26c41df186..676a79172e 100644 --- a/windows/security/threat-protection/auditing/event-5632.md +++ b/windows/security/threat-protection/auditing/event-5632.md @@ -2,16 +2,17 @@ title: 5632(S, F) A request was made to authenticate to a wireless network. (Windows 10) description: Describes security event 5632(S, F) A request was made to authenticate to a wireless network. ms.pagetype: security -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: vinaypamnani-msft ms.date: 09/08/2021 -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: windows-sec +ms.technology: itpro-security +ms.topic: reference --- # 5632(S, F): A request was made to authenticate to a wireless network. diff --git a/windows/security/threat-protection/auditing/event-5633.md b/windows/security/threat-protection/auditing/event-5633.md index e0591f9a05..e661c80301 100644 --- a/windows/security/threat-protection/auditing/event-5633.md +++ b/windows/security/threat-protection/auditing/event-5633.md @@ -2,7 +2,7 @@ title: 5633(S, F) A request was made to authenticate to a wired network. (Windows 10) description: Describes security event 5633(S, F) A request was made to authenticate to a wired network. ms.pagetype: security -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,7 +11,8 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: windows-sec +ms.technology: itpro-security +ms.topic: reference --- # 5633(S, F): A request was made to authenticate to a wired network. diff --git a/windows/security/threat-protection/auditing/event-5712.md b/windows/security/threat-protection/auditing/event-5712.md index dbafd70da3..32d5ba732a 100644 --- a/windows/security/threat-protection/auditing/event-5712.md +++ b/windows/security/threat-protection/auditing/event-5712.md @@ -2,7 +2,7 @@ title: 5712(S) A Remote Procedure Call (RPC) was attempted. (Windows 10) description: Describes security event 5712(S) A Remote Procedure Call (RPC) was attempted. ms.pagetype: security -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,7 +11,8 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: windows-sec +ms.technology: itpro-security +ms.topic: reference --- # 5712(S): A Remote Procedure Call (RPC) was attempted. diff --git a/windows/security/threat-protection/auditing/event-5888.md b/windows/security/threat-protection/auditing/event-5888.md index 0ac72b6488..72e18b5e28 100644 --- a/windows/security/threat-protection/auditing/event-5888.md +++ b/windows/security/threat-protection/auditing/event-5888.md @@ -2,7 +2,7 @@ title: 5888(S) An object in the COM+ Catalog was modified. (Windows 10) description: Describes security event 5888(S) An object in the COM+ Catalog was modified. ms.pagetype: security -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,7 +11,8 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: windows-sec +ms.technology: itpro-security +ms.topic: reference --- # 5888(S): An object in the COM+ Catalog was modified. diff --git a/windows/security/threat-protection/auditing/event-5889.md b/windows/security/threat-protection/auditing/event-5889.md index 821162c968..178ec29a4f 100644 --- a/windows/security/threat-protection/auditing/event-5889.md +++ b/windows/security/threat-protection/auditing/event-5889.md @@ -2,7 +2,7 @@ title: 5889(S) An object was deleted from the COM+ Catalog. (Windows 10) description: Describes security event 5889(S) An object was deleted from the COM+ Catalog. ms.pagetype: security -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,7 +11,8 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: windows-sec +ms.technology: itpro-security +ms.topic: reference --- # 5889(S): An object was deleted from the COM+ Catalog. diff --git a/windows/security/threat-protection/auditing/event-5890.md b/windows/security/threat-protection/auditing/event-5890.md index a59fadc788..4f473d2a4e 100644 --- a/windows/security/threat-protection/auditing/event-5890.md +++ b/windows/security/threat-protection/auditing/event-5890.md @@ -2,7 +2,7 @@ title: 5890(S) An object was added to the COM+ Catalog. (Windows 10) description: Describes security event 5890(S) An object was added to the COM+ Catalog. ms.pagetype: security -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,7 +11,8 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: windows-sec +ms.technology: itpro-security +ms.topic: reference --- # 5890(S): An object was added to the COM+ Catalog. diff --git a/windows/security/threat-protection/auditing/event-6144.md b/windows/security/threat-protection/auditing/event-6144.md index 959f1b969c..3eb1181321 100644 --- a/windows/security/threat-protection/auditing/event-6144.md +++ b/windows/security/threat-protection/auditing/event-6144.md @@ -2,7 +2,7 @@ title: 6144(S) Security policy in the group policy objects has been applied successfully. (Windows 10) description: Describes security event 6144(S) Security policy in the group policy objects has been applied successfully. ms.pagetype: security -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,7 +11,8 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: windows-sec +ms.technology: itpro-security +ms.topic: reference --- # 6144(S): Security policy in the group policy objects has been applied successfully. diff --git a/windows/security/threat-protection/auditing/event-6145.md b/windows/security/threat-protection/auditing/event-6145.md index 266a490fdd..b062b5e023 100644 --- a/windows/security/threat-protection/auditing/event-6145.md +++ b/windows/security/threat-protection/auditing/event-6145.md @@ -2,7 +2,7 @@ title: 6145(F) One or more errors occurred while processing security policy in the group policy objects. (Windows 10) description: Describes security event 6145(F) One or more errors occurred while processing security policy in the group policy objects. ms.pagetype: security -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,7 +11,8 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: windows-sec +ms.technology: itpro-security +ms.topic: reference --- # 6145(F): One or more errors occurred while processing security policy in the group policy objects. diff --git a/windows/security/threat-protection/auditing/event-6281.md b/windows/security/threat-protection/auditing/event-6281.md index d6701e243e..38f432d51a 100644 --- a/windows/security/threat-protection/auditing/event-6281.md +++ b/windows/security/threat-protection/auditing/event-6281.md @@ -2,7 +2,7 @@ title: 6281(F) Code Integrity determined that the page hashes of an image file aren't valid. (Windows 10) description: Describes security event 6281(F) Code Integrity determined that the page hashes of an image file aren't valid. ms.pagetype: security -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,7 +11,8 @@ ms.date: 09/09/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: windows-sec +ms.technology: itpro-security +ms.topic: reference --- # 6281(F): Code Integrity determined that the page hashes of an image file aren't valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error. diff --git a/windows/security/threat-protection/auditing/event-6400.md b/windows/security/threat-protection/auditing/event-6400.md index f3cc62235d..a588c35204 100644 --- a/windows/security/threat-protection/auditing/event-6400.md +++ b/windows/security/threat-protection/auditing/event-6400.md @@ -2,7 +2,7 @@ title: 6400(-) BranchCache Received an incorrectly formatted response while discovering availability of content. (Windows 10) description: Describes security event 6400(-) BranchCache Received an incorrectly formatted response while discovering availability of content. ms.pagetype: security -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,7 +11,8 @@ ms.date: 09/09/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: windows-sec +ms.technology: itpro-security +ms.topic: reference --- # 6400(-): BranchCache: Received an incorrectly formatted response while discovering availability of content. diff --git a/windows/security/threat-protection/auditing/event-6401.md b/windows/security/threat-protection/auditing/event-6401.md index cdd2869db5..82502eb7ff 100644 --- a/windows/security/threat-protection/auditing/event-6401.md +++ b/windows/security/threat-protection/auditing/event-6401.md @@ -2,7 +2,7 @@ title: 6401(-) BranchCache Received invalid data from a peer. Data discarded. (Windows 10) description: Describes security event 6401(-) BranchCache Received invalid data from a peer. Data discarded. ms.pagetype: security -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,7 +11,8 @@ ms.date: 09/09/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: windows-sec +ms.technology: itpro-security +ms.topic: reference --- # 6401(-): BranchCache: Received invalid data from a peer. Data discarded. diff --git a/windows/security/threat-protection/auditing/event-6402.md b/windows/security/threat-protection/auditing/event-6402.md index 5c2a2775b2..d5d3febf63 100644 --- a/windows/security/threat-protection/auditing/event-6402.md +++ b/windows/security/threat-protection/auditing/event-6402.md @@ -2,7 +2,7 @@ title: 6402(-) BranchCache The message to the hosted cache offering it data is incorrectly formatted. (Windows 10) description: Describes security event 6402(-) BranchCache The message to the hosted cache offering it data is incorrectly formatted. ms.pagetype: security -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,7 +11,8 @@ ms.date: 09/09/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: windows-sec +ms.technology: itpro-security +ms.topic: reference --- # 6402(-): BranchCache: The message to the hosted cache offering it data is incorrectly formatted. diff --git a/windows/security/threat-protection/auditing/event-6403.md b/windows/security/threat-protection/auditing/event-6403.md index 3b5d284082..2f9d945388 100644 --- a/windows/security/threat-protection/auditing/event-6403.md +++ b/windows/security/threat-protection/auditing/event-6403.md @@ -2,7 +2,7 @@ title: 6403(-) BranchCache The hosted cache sent an incorrectly formatted response to the client. (Windows 10) description: Describes security event 6403(-) BranchCache The hosted cache sent an incorrectly formatted response to the client. ms.pagetype: security -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,7 +11,8 @@ ms.date: 09/09/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: windows-sec +ms.technology: itpro-security +ms.topic: reference --- # 6403(-): BranchCache: The hosted cache sent an incorrectly formatted response to the client. diff --git a/windows/security/threat-protection/auditing/event-6404.md b/windows/security/threat-protection/auditing/event-6404.md index ff6b32947a..f37bea1b9e 100644 --- a/windows/security/threat-protection/auditing/event-6404.md +++ b/windows/security/threat-protection/auditing/event-6404.md @@ -2,7 +2,7 @@ title: 6404(-) BranchCache Hosted cache could not be authenticated using the provisioned SSL certificate. (Windows 10) description: Describes security event 6404(-) BranchCache Hosted cache could not be authenticated using the provisioned SSL certificate. ms.pagetype: security -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,7 +11,8 @@ ms.date: 09/09/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: windows-sec +ms.technology: itpro-security +ms.topic: reference --- # 6404(-): BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate. diff --git a/windows/security/threat-protection/auditing/event-6405.md b/windows/security/threat-protection/auditing/event-6405.md index f83340addb..1feed0f6a6 100644 --- a/windows/security/threat-protection/auditing/event-6405.md +++ b/windows/security/threat-protection/auditing/event-6405.md @@ -2,7 +2,7 @@ title: 6405(-) BranchCache %2 instance(s) of event id %1 occurred. (Windows 10) description: Describes security event 6405(-) BranchCache %2 instance(s) of event id %1 occurred. ms.pagetype: security -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,7 +11,8 @@ ms.date: 09/09/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: windows-sec +ms.technology: itpro-security +ms.topic: reference --- # 6405(-): BranchCache: %2 instance(s) of event id %1 occurred. diff --git a/windows/security/threat-protection/auditing/event-6406.md b/windows/security/threat-protection/auditing/event-6406.md index d6109b695e..fdd75af38b 100644 --- a/windows/security/threat-protection/auditing/event-6406.md +++ b/windows/security/threat-protection/auditing/event-6406.md @@ -2,7 +2,7 @@ title: 6406(-) %1 registered to Windows Firewall to control filtering for the following %2. (Windows 10) description: Describes security event 6406(-) %1 registered to Windows Firewall to control filtering for the following %2. ms.pagetype: security -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,7 +11,8 @@ ms.date: 09/09/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: windows-sec +ms.technology: itpro-security +ms.topic: reference --- # 6406(-): %1 registered to Windows Firewall to control filtering for the following: %2. diff --git a/windows/security/threat-protection/auditing/event-6407.md b/windows/security/threat-protection/auditing/event-6407.md index 68aba98482..c2f279466e 100644 --- a/windows/security/threat-protection/auditing/event-6407.md +++ b/windows/security/threat-protection/auditing/event-6407.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 6407(-): 1%. diff --git a/windows/security/threat-protection/auditing/event-6408.md b/windows/security/threat-protection/auditing/event-6408.md index 28c11c16f5..36f25a9b69 100644 --- a/windows/security/threat-protection/auditing/event-6408.md +++ b/windows/security/threat-protection/auditing/event-6408.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 6408(-): Registered product %1 failed and Windows Firewall is now controlling the filtering for %2. diff --git a/windows/security/threat-protection/auditing/event-6409.md b/windows/security/threat-protection/auditing/event-6409.md index c1c419c09d..3f406625b5 100644 --- a/windows/security/threat-protection/auditing/event-6409.md +++ b/windows/security/threat-protection/auditing/event-6409.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 6409(-): BranchCache: A service connection point object could not be parsed. diff --git a/windows/security/threat-protection/auditing/event-6410.md b/windows/security/threat-protection/auditing/event-6410.md index b921dbea1c..958db95565 100644 --- a/windows/security/threat-protection/auditing/event-6410.md +++ b/windows/security/threat-protection/auditing/event-6410.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 6410(F): Code integrity determined that a file does not meet the security requirements to load into a process. diff --git a/windows/security/threat-protection/auditing/event-6416.md b/windows/security/threat-protection/auditing/event-6416.md index 7d254bf9ef..64cdb17ee1 100644 --- a/windows/security/threat-protection/auditing/event-6416.md +++ b/windows/security/threat-protection/auditing/event-6416.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 6416(S): A new external device was recognized by the System. diff --git a/windows/security/threat-protection/auditing/event-6419.md b/windows/security/threat-protection/auditing/event-6419.md index 108315501c..7368059899 100644 --- a/windows/security/threat-protection/auditing/event-6419.md +++ b/windows/security/threat-protection/auditing/event-6419.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 6419(S): A request was made to disable a device. diff --git a/windows/security/threat-protection/auditing/event-6420.md b/windows/security/threat-protection/auditing/event-6420.md index 2efdfa78aa..2c7166a78d 100644 --- a/windows/security/threat-protection/auditing/event-6420.md +++ b/windows/security/threat-protection/auditing/event-6420.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 6420(S): A device was disabled. diff --git a/windows/security/threat-protection/auditing/event-6421.md b/windows/security/threat-protection/auditing/event-6421.md index 3780d8b15e..ae72b11254 100644 --- a/windows/security/threat-protection/auditing/event-6421.md +++ b/windows/security/threat-protection/auditing/event-6421.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 6421(S): A request was made to enable a device. diff --git a/windows/security/threat-protection/auditing/event-6422.md b/windows/security/threat-protection/auditing/event-6422.md index 02752c9163..bf594b6937 100644 --- a/windows/security/threat-protection/auditing/event-6422.md +++ b/windows/security/threat-protection/auditing/event-6422.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 6422(S): A device was enabled. diff --git a/windows/security/threat-protection/auditing/event-6423.md b/windows/security/threat-protection/auditing/event-6423.md index 5e62ebe6c7..4f7fcb614c 100644 --- a/windows/security/threat-protection/auditing/event-6423.md +++ b/windows/security/threat-protection/auditing/event-6423.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 6423(S): The installation of this device is forbidden by system policy. diff --git a/windows/security/threat-protection/auditing/event-6424.md b/windows/security/threat-protection/auditing/event-6424.md index 699e5ad030..10d33c2820 100644 --- a/windows/security/threat-protection/auditing/event-6424.md +++ b/windows/security/threat-protection/auditing/event-6424.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 6424(S): The installation of this device was allowed, after having previously been forbidden by policy. diff --git a/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md b/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md index 8f748675ac..90b8df1a2d 100644 --- a/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md +++ b/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/09/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md b/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md index 4ee793c896..d2af1d3d31 100644 --- a/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md +++ b/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: how-to --- # How to get a list of XML data name elements in EventData diff --git a/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md b/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md index 8eab827c8c..9b6b271da7 100644 --- a/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md +++ b/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/09/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/auditing/monitor-claim-types.md b/windows/security/threat-protection/auditing/monitor-claim-types.md index f07cf95322..a7c3aa44fe 100644 --- a/windows/security/threat-protection/auditing/monitor-claim-types.md +++ b/windows/security/threat-protection/auditing/monitor-claim-types.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/09/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md b/windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md index a7e5d02dfc..91265a3f10 100644 --- a/windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md +++ b/windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/09/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md index 3efb97355c..179df431d4 100644 --- a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md +++ b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/09/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md index 4b441fb816..1e95dc5887 100644 --- a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md +++ b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/09/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md b/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md index 23e407048c..5bbd6fa638 100644 --- a/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md +++ b/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/09/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md b/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md index 9e876c52cd..659d01dc6b 100644 --- a/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md +++ b/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/09/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md b/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md index 6f278f38b9..70ff402a9c 100644 --- a/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md +++ b/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/09/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/auditing/other-events.md b/windows/security/threat-protection/auditing/other-events.md index 6854674959..800961629e 100644 --- a/windows/security/threat-protection/auditing/other-events.md +++ b/windows/security/threat-protection/auditing/other-events.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # Other Events diff --git a/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md b/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md index b90600ce1b..ca4a732ae0 100644 --- a/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md +++ b/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/09/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/auditing/registry-global-object-access-auditing.md b/windows/security/threat-protection/auditing/registry-global-object-access-auditing.md index a003b01b19..ddb00eb78b 100644 --- a/windows/security/threat-protection/auditing/registry-global-object-access-auditing.md +++ b/windows/security/threat-protection/auditing/registry-global-object-access-auditing.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/09/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/auditing/security-auditing-overview.md b/windows/security/threat-protection/auditing/security-auditing-overview.md index af93397c03..6b11aea8c2 100644 --- a/windows/security/threat-protection/auditing/security-auditing-overview.md +++ b/windows/security/threat-protection/auditing/security-auditing-overview.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/09/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md b/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md index 43954b93a0..1b69753395 100644 --- a/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md +++ b/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/09/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/auditing/view-the-security-event-log.md b/windows/security/threat-protection/auditing/view-the-security-event-log.md index e76f4cde92..ebf21e1e50 100644 --- a/windows/security/threat-protection/auditing/view-the-security-event-log.md +++ b/windows/security/threat-protection/auditing/view-the-security-event-log.md @@ -13,7 +13,6 @@ author: vinaypamnani-msft manager: aaroncz audience: ITPro ms.collection: - - M365-security-compliance - highpri ms.topic: conceptual ms.date: 09/09/2021 diff --git a/windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md b/windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md index bdee085d81..bb0933cca6 100644 --- a/windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md +++ b/windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/09/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md b/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md index e0e4b5e90d..fdc4c5d757 100644 --- a/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md +++ b/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md @@ -3,12 +3,13 @@ title: Block untrusted fonts in an enterprise (Windows 10) description: To help protect your company from attacks that may originate from untrusted or attacker controlled font files, we've created the Blocking Untrusted Fonts feature. ms.reviewer: manager: aaroncz -ms.prod: m365-security +ms.prod: windows-client author: dansimp ms.author: dansimp ms.date: 08/14/2017 ms.localizationpriority: medium -ms.technology: windows-sec +ms.technology: itpro-security +ms.topic: reference --- # Block untrusted fonts in an enterprise diff --git a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md index 314595bed9..bf8fa457c5 100644 --- a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md @@ -9,7 +9,6 @@ author: vinaypamnani-msft manager: aaroncz audience: ITPro ms.collection: - - M365-security-compliance - highpri ms.topic: conceptual ms.date: 12/16/2021 @@ -52,7 +51,7 @@ HVCI is labeled **Memory integrity** in the Windows Security app and it can be a ### Enable HVCI using Intune -Enabling in Intune requires using the Code Integrity node in the [AppLocker CSP](/windows/client-management/mdm/applocker-csp). +Enabling in Intune requires using the Code Integrity node in the [VirtualizationBasedTechnology CSP](/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology). You can configure the settings in Windows by using the [settings catalog](/mem/intune/configuration/settings-catalog). ### Enable HVCI using Group Policy @@ -204,9 +203,6 @@ Windows 10, Windows 11, and Windows Server 2016 have a WMI class for related pro Get-CimInstance –ClassName Win32_DeviceGuard –Namespace root\Microsoft\Windows\DeviceGuard ``` -> [!NOTE] -> The *Win32\_DeviceGuard* WMI class is only available on the Enterprise edition of Windows 10 and Windows 11. - > [!NOTE] > Mode Based Execution Control property will only be listed as available starting with Windows 10 version 1803 and Windows 11 version 21H2. diff --git a/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md b/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md index 6956068c52..25024c897f 100644 --- a/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md +++ b/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md @@ -9,6 +9,8 @@ ms.reviewer: manager: aaroncz ms.custom: asr ms.technology: itpro-security +ms.date: 12/31/2017 +ms.topic: article --- # Windows Defender Application Control and virtualization-based protection of code integrity diff --git a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md index f86bf00a8b..1bee48b996 100644 --- a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md @@ -8,7 +8,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 10/20/2017 ms.reviewer: diff --git a/windows/security/threat-protection/fips-140-validation.md b/windows/security/threat-protection/fips-140-validation.md index 1af5ea34bd..7b0d87f42e 100644 --- a/windows/security/threat-protection/fips-140-validation.md +++ b/windows/security/threat-protection/fips-140-validation.md @@ -1,18 +1,17 @@ --- title: Federal Information Processing Standard (FIPS) 140 Validation description: Learn how Microsoft products and cryptographic modules follow the U.S. Federal government standard FIPS 140. -ms.prod: m365-security +ms.prod: windows-client ms.date: 11/03/2022 manager: aaroncz ms.author: paoloma author: paolomatarazzo ms.collection: - - M365-identity-device-management - highpri ms.topic: article ms.localizationpriority: medium ms.reviewer: -ms.technology: windows-sec +ms.technology: itpro-security --- # FIPS 140-2 Validation diff --git a/windows/security/threat-protection/get-support-for-security-baselines.md b/windows/security/threat-protection/get-support-for-security-baselines.md index 7fec38f0ff..6fb73d0cd6 100644 --- a/windows/security/threat-protection/get-support-for-security-baselines.md +++ b/windows/security/threat-protection/get-support-for-security-baselines.md @@ -1,16 +1,15 @@ --- title: Get support description: Frequently asked questions about how to get support for Windows baselines and the Security Compliance Toolkit (SCT). -ms.prod: m365-security +ms.prod: windows-client ms.localizationpriority: medium ms.author: dansimp author: dulcemontemayor manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 06/25/2018 ms.reviewer: -ms.technology: windows-sec +ms.technology: itpro-security --- # Get Support for Windows baselines diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md index 52a5ae4951..4a039044c7 100644 --- a/windows/security/threat-protection/index.md +++ b/windows/security/threat-protection/index.md @@ -2,14 +2,14 @@ title: Windows threat protection description: Describes the security capabilities in Windows client focused on threat protection search.product: eADQiWindows 10XVcnh -ms.prod: m365-security +ms.prod: windows-client ms.author: dansimp author: dansimp ms.localizationpriority: medium manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual -ms.technology: windows-sec +ms.technology: itpro-security +ms.date: 12/31/2017 --- # Windows threat protection diff --git a/windows/security/threat-protection/mbsa-removal-and-guidance.md b/windows/security/threat-protection/mbsa-removal-and-guidance.md index 92da921c12..307fd1ee4b 100644 --- a/windows/security/threat-protection/mbsa-removal-and-guidance.md +++ b/windows/security/threat-protection/mbsa-removal-and-guidance.md @@ -1,13 +1,15 @@ --- title: Guide to removing Microsoft Baseline Security Analyzer (MBSA) description: This article documents the removal of Microsoft Baseline Security Analyzer (MBSA) and provides alternative solutions. -ms.prod: m365-security +ms.prod: windows-client ms.localizationpriority: medium ms.author: dansimp author: dansimp ms.reviewer: manager: aaroncz -ms.technology: windows-sec +ms.technology: itpro-security +ms.date: 12/31/2017 +ms.topic: article --- # What is Microsoft Baseline Security Analyzer and its uses? diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md index a00cec360b..5ab3f50909 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md @@ -13,6 +13,7 @@ ms.reviewer: manager: aaroncz ms.custom: sasr ms.technology: itpro-security +ms.topic: how-to --- # Configure Microsoft Defender Application Guard policy settings @@ -60,7 +61,7 @@ These settings, located at `Computer Configuration\Administrative Templates\Wind |Configure Microsoft Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher

                              Windows 11 Enterprise|Determines whether Application Guard can use the print functionality.|**Enabled.** This is effective only in managed mode. Turns on the print functionality and lets you choose whether to additionally:
                              - Enable Application Guard to print into the XPS format.
                              - Enable Application Guard to print into the PDF format.
                              - Enable Application Guard to print to locally attached printers.
                              - Enable Application Guard to print from previously connected network printers. Employees can't search for other printers.

                              **Disabled or not configured.** Completely turns Off the print functionality for Application Guard.| |Allow Persistence|Windows 10 Enterprise, 1709 or higher

                              Windows 11 Enterprise|Determines whether data persists across different sessions in Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.

                              **Disabled or not configured.** All user data within Application Guard is reset between sessions.

                              **NOTE**: If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.

                              **To reset the container:**
                              1. Open a command-line program and navigate to `Windows/System32`.
                              2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
                              3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.| |Turn on Microsoft Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1809 or higher

                              Windows 11 Enterprise|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering untrusted content in the Application Guard container. Application Guard won't actually be turned on unless the required prerequisites and network isolation settings are already set on the device. Available options:
                              - Enable Microsoft Defender Application Guard only for Microsoft Edge
                              - Enable Microsoft Defender Application Guard only for Microsoft Office
                              - Enable Microsoft Defender Application Guard for both Microsoft Edge and Microsoft Office

                              **Disabled.** Turns off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office.

                              **Note:** For Windows 10, if you have KB5014666 installed, and for Windows 11, if you have KB5014668 installed, you are no longer required to configure network isolation policy to enable Application Guard for Edge.| -|Allow files to download to host operating system|Windows 10 Enterprise or Pro, 1803 or higher

                              Windows 11 Enterprise or Pro|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** This is effective only in managed mode. Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system. This action creates a share between the host and container that also allows for uploads from the host to the Application Guard container.

                              **Disabled or not configured.** Users aren't able to save downloaded files from Application Guard to the host operating system.| +|Allow files to download to host operating system|Windows 10 Enterprise or Pro, 1803 or higher

                              Windows 11 Enterprise or Pro|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system. This action creates a share between the host and container that also allows for uploads from the host to the Application Guard container.

                              **Disabled or not configured.** Users aren't able to save downloaded files from Application Guard to the host operating system.| |Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Windows 10 Enterprise, 1803 or higher

                              Windows 11 Enterprise|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** This is effective only in managed mode. Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.

                              **Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.| |Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher

                              Windows 11 Enterprise|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.

                              **Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.| |Allow Microsoft Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise or Pro, 1809 or higher

                              Windows 11 Enterprise or Pro|Determines whether Root Certificates are shared with Microsoft Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.

                              **Disabled or not configured.** Certificates aren't shared with Microsoft Defender Application Guard.| diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml index 7118a806da..816d5da3f4 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml @@ -2,18 +2,19 @@ metadata: title: FAQ - Microsoft Defender Application Guard (Windows 10) description: Learn about the commonly asked questions and answers for Microsoft Defender Application Guard. - ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium - author: denisebmsft - ms.author: deniseb + ms.prod: windows-client + ms.technology: itpro-security + author: vinaypamnani-msft + ms.author: vinpa ms.reviewer: manager: aaroncz ms.custom: asr - ms.technology: windows-sec ms.topic: faq + ms.date: 12/31/2017 title: Frequently asked questions - Microsoft Defender Application Guard summary: | diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md index b4fb01a3c6..ad5d373c27 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md @@ -8,13 +8,14 @@ ms.pagetype: security ms.localizationpriority: medium author: vinaypamnani-msft ms.author: vinpa -ms.date: 09/09/2021 +ms.date: 11/30/2022 ms.reviewer: manager: aaroncz ms.custom: asr ms.technology: itpro-security ms.collection: - highpri +ms.topic: how-to --- # Prepare to install Microsoft Defender Application Guard @@ -27,10 +28,12 @@ ms.collection: ## Review system requirements See [System requirements for Microsoft Defender Application Guard](./reqs-md-app-guard.md) to review the hardware and software installation requirements for Microsoft Defender Application Guard. ->[!NOTE] ->Microsoft Defender Application Guard is not supported on VMs and VDI environment. For testing and automation on non-production machines, you may enable WDAG on a VM by enabling Hyper-V nested virtualization on the host. + +> [!NOTE] +> Microsoft Defender Application Guard is not supported on VMs and VDI environment. For testing and automation on non-production machines, you may enable WDAG on a VM by enabling Hyper-V nested virtualization on the host. ## Prepare for Microsoft Defender Application Guard + Before you can install and use Microsoft Defender Application Guard, you must determine which way you intend to use it in your enterprise. You can use Application Guard in either **Standalone** or **Enterprise-managed** mode. ### Standalone mode @@ -51,6 +54,7 @@ Applies to: You and your security department can define your corporate boundaries by explicitly adding trusted domains and by customizing the Application Guard experience to meet and enforce your needs on employee devices. Enterprise-managed mode also automatically redirects any browser requests to add non-enterprise domain(s) in the container. The following diagram shows the flow between the host PC and the isolated container. + ![Flowchart for movement between Microsoft Edge and Application Guard.](images/application-guard-container-v-host.png) ## Install Application Guard @@ -59,29 +63,29 @@ Application Guard functionality is turned off by default. However, you can quick ### To install by using the Control Panel -1. Open the **Control Panel**, click **Programs,** and then click **Turn Windows features on or off**. +1. Open the **Control Panel**, click **Programs,** and then select **Turn Windows features on or off**. ![Windows Features, turning on Microsoft Defender Application Guard.](images/turn-windows-features-on-off.png) -2. Select the check box next to **Microsoft Defender Application Guard** and then click **OK**. +2. Select the check box next to **Microsoft Defender Application Guard** and then select **OK**. Application Guard and its underlying dependencies are all installed. ### To install by using PowerShell ->[!NOTE] ->Ensure your devices have met all system requirements prior to this step. PowerShell will install the feature without checking system requirements. If your devices don't meet the system requirements, Application Guard may not work. This step is recommended for enterprise managed scenarios only. +> [!NOTE] +> Ensure your devices have met all system requirements prior to this step. PowerShell will install the feature without checking system requirements. If your devices don't meet the system requirements, Application Guard may not work. This step is recommended for enterprise managed scenarios only. -1. Click the **Search** or **Cortana** icon in the Windows 10 or Windows 11 taskbar and type **PowerShell**. +1. Select the **Search** or **Cortana** icon in the Windows 10 or Windows 11 taskbar and type **PowerShell**. -2. Right-click **Windows PowerShell**, and then click **Run as administrator**. +2. Right-click **Windows PowerShell**, and then select **Run as administrator**. Windows PowerShell opens with administrator credentials. 3. Type the following command: ``` - Enable-WindowsOptionalFeature -online -FeatureName Windows-Defender-ApplicationGuard + Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard ``` 4. Restart the device. @@ -94,17 +98,15 @@ Application Guard functionality is turned off by default. However, you can quick :::image type="content" source="images/MDAG-EndpointMgr-newprofile.jpg" alt-text="Enroll devices in Intune."::: -1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). - -1. Choose **Devices** > **Configuration profiles** > **+ Create profile**, and do the following:
                              +1. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Devices** > **Configuration profiles** > **+ Create profile**, and do the following:
                              1. In the **Platform** list, select **Windows 10 and later**. - 1. In the **Profile** list, select **Endpoint protection**. + 2. In the **Profile** type, choose **Templates** and select **Endpoint protection**. - 1. Choose **Create**. + 3. Choose **Create**. -1. Specify the following settings for the profile: +2. Specify the following settings for the profile: - **Name** and **Description** @@ -114,16 +116,16 @@ Application Guard functionality is turned off by default. However, you can quick - Choose your preferences for **Clipboard behavior**, **External content**, and the remaining settings. -1. Choose **OK**, and then choose **OK** again. +3. Choose **OK**, and then choose **OK** again. -1. Review your settings, and then choose **Create**. +4. Review your settings, and then choose **Create**. -1. Choose **Assignments**, and then do the following: +5. Choose **Assignments**, and then do the following: 1. On the **Include** tab, in the **Assign to** list, choose an option. - 1. If you have any devices or users you want to exclude from this endpoint protection profile, specify those on the **Exclude** tab. + 2. If you have any devices or users you want to exclude from this endpoint protection profile, specify those on the **Exclude** tab. - 1. Click **Save**. + 3. Select **Save**. After the profile is created, any devices to which the policy should apply will have Microsoft Defender Application Guard enabled. Users might have to restart their devices in order for protection to be in place. diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md index 631bbc75fd..0f2bca60b2 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md @@ -10,6 +10,7 @@ ms.reviewer: manager: aaroncz ms.custom: asr ms.technology: itpro-security +ms.topic: conceptual --- # Microsoft Defender Application Guard Extension diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md index 1ba47ee970..6b284c9344 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md @@ -15,6 +15,7 @@ ms.custom: asr ms.technology: itpro-security ms.collection: - highpri +ms.topic: conceptual --- # Microsoft Defender Application Guard overview diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md index d8461e69f2..4357712bc7 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md @@ -10,6 +10,7 @@ ms.reviewer: sazankha manager: aaroncz ms.date: 09/23/2022 ms.custom: asr +ms.topic: conceptual --- # Application Guard testing scenarios diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md index 5d2279fcc0..8723d513d2 100644 --- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md +++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings **Applies to:** diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md index e58c585f72..393d33b206 100644 --- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md +++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md @@ -11,6 +11,8 @@ ms.technology: itpro-security adobe-target: true ms.collection: - highpri +ms.date: 12/31/2017 +ms.topic: article --- # Microsoft Defender SmartScreen diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md index 4d099ef9e6..0ee92c6736 100644 --- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md +++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: how-to --- # Set up and use Microsoft Defender SmartScreen on individual devices diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md b/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md index db57203dd5..8597ee9893 100644 --- a/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md +++ b/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md @@ -12,6 +12,7 @@ ms.date: 10/07/2022 adobe-target: true appliesto: - ✅ Windows 11, version 22H2 +ms.topic: conceptual --- # Enhanced Phishing Protection in Microsoft Defender SmartScreen diff --git a/windows/security/threat-protection/msft-security-dev-lifecycle.md b/windows/security/threat-protection/msft-security-dev-lifecycle.md index c15e7110b2..9c275ac6ba 100644 --- a/windows/security/threat-protection/msft-security-dev-lifecycle.md +++ b/windows/security/threat-protection/msft-security-dev-lifecycle.md @@ -1,15 +1,15 @@ --- title: Microsoft Security Development Lifecycle description: Download the Microsoft Security Development Lifecycle white paper that covers a security assurance process focused on software development. -ms.prod: m365-security +ms.prod: windows-client author: dansimp ms.author: dansimp manager: aaroncz -ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.reviewer: -ms.technology: windows-sec +ms.technology: itpro-security +ms.date: 12/31/2017 --- # Microsoft Security Development Lifecycle diff --git a/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md b/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md index 83dcf3036f..f2ff6373f9 100644 --- a/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md +++ b/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md @@ -3,10 +3,12 @@ manager: aaroncz ms.author: dansimp title: Override Process Mitigation Options (Windows 10) description: How to use Group Policy to override individual Process Mitigation Options settings and to help enforce specific app-related security policies. -ms.prod: m365-security +ms.prod: windows-client author: dulcemontemayor ms.localizationpriority: medium -ms.technology: windows-sec +ms.technology: itpro-security +ms.date: 12/31/2017 +ms.topic: article --- diff --git a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md index 551bdb2981..29058967b4 100644 --- a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md +++ b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md @@ -1,13 +1,15 @@ --- title: Mitigate threats by using Windows 10 security features (Windows 10) description: An overview of software and firmware threats faced in the current security landscape, and the mitigations that Windows 10 offers in response to these threats. -ms.prod: m365-security +ms.prod: windows-client ms.localizationpriority: medium author: dansimp ms.reviewer: manager: aaroncz ms.author: dansimp -ms.technology: windows-sec +ms.technology: itpro-security +ms.date: 12/31/2017 +ms.topic: article --- # Mitigate threats by using Windows 10 security features diff --git a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md index c038120c89..fa79c1116f 100644 --- a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md +++ b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md @@ -1,14 +1,15 @@ --- title: Control the health of Windows 10-based devices (Windows 10) description: This article details an end-to-end solution that helps you protect high-value assets by enforcing, controlling, and reporting the health of Windows 10-based devices. -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: dansimp -ms.prod: m365-security +ms.prod: windows-client author: dulcemontemayor ms.date: 10/13/2017 ms.localizationpriority: medium -ms.technology: windows-sec +ms.technology: itpro-security +ms.topic: conceptual --- # Control the health of Windows 10-based devices diff --git a/windows/security/threat-protection/security-policy-settings/access-credential-manager-as-a-trusted-caller.md b/windows/security/threat-protection/security-policy-settings/access-credential-manager-as-a-trusted-caller.md index 4948ce0dd3..1c67b647de 100644 --- a/windows/security/threat-protection/security-policy-settings/access-credential-manager-as-a-trusted-caller.md +++ b/windows/security/threat-protection/security-policy-settings/access-credential-manager-as-a-trusted-caller.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md b/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md index 58a7ccea5f..ea4406b6f7 100644 --- a/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md +++ b/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 06/11/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md b/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md index 559a82704b..e6f9bec119 100644 --- a/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md +++ b/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md @@ -13,7 +13,6 @@ author: vinaypamnani-msft manager: aaroncz audience: ITPro ms.collection: - - M365-security-compliance - highpri ms.topic: conceptual ms.date: 08/16/2021 @@ -23,6 +22,7 @@ ms.technology: itpro-security # Account lockout duration **Applies to** +- Windows 11 - Windows 10 Describes the best practices, location, values, and security considerations for the **Account lockout duration** security policy setting. diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md b/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md index a53b0258c1..03d4f6bba0 100644 --- a/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md +++ b/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 10/11/2018 ms.technology: itpro-security @@ -21,6 +20,7 @@ ms.technology: itpro-security # Account Lockout Policy **Applies to** +- Windows 11 - Windows 10 Describes the Account Lockout Policy settings and links to information about each policy setting. diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md b/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md index 0b41931636..7436c55ccd 100644 --- a/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md +++ b/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md @@ -13,7 +13,6 @@ author: vinaypamnani-msft manager: aaroncz audience: ITPro ms.collection: - - M365-security-compliance - highpri ms.topic: conceptual ms.date: 11/02/2018 @@ -23,6 +22,7 @@ ms.technology: itpro-security # Account lockout threshold **Applies to** +- Windows 11 - Windows 10 Describes the best practices, location, values, and security considerations for the **Account lockout threshold** security policy setting. diff --git a/windows/security/threat-protection/security-policy-settings/account-policies.md b/windows/security/threat-protection/security-policy-settings/account-policies.md index ba2d477909..b3031beef7 100644 --- a/windows/security/threat-protection/security-policy-settings/account-policies.md +++ b/windows/security/threat-protection/security-policy-settings/account-policies.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security @@ -21,6 +20,7 @@ ms.technology: itpro-security # Account Policies **Applies to** +- Windows 11 - Windows 10 An overview of account policies in Windows and provides links to policy descriptions. diff --git a/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md b/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md index 90bc33cfae..e247a80951 100644 --- a/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md +++ b/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/01/2017 ms.technology: itpro-security @@ -21,6 +20,7 @@ ms.technology: itpro-security # Accounts: Administrator account status **Applies to** +- Windows 11 - Windows 10 Describes the best practices, location, values, and security considerations for the **Accounts: Administrator account status** security policy setting. diff --git a/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md b/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md index 9e7978d6dc..bd80ebe594 100644 --- a/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md +++ b/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/10/2017 ms.technology: itpro-security @@ -21,6 +20,7 @@ ms.technology: itpro-security # Accounts: Block Microsoft accounts **Applies to** +- Windows 11 - Windows 10 Describes the best practices, location, values, management, and security considerations for the **Accounts: Block Microsoft accounts** security policy setting. diff --git a/windows/security/threat-protection/security-policy-settings/accounts-guest-account-status.md b/windows/security/threat-protection/security-policy-settings/accounts-guest-account-status.md index 3640a3d432..f23fc8dd7e 100644 --- a/windows/security/threat-protection/security-policy-settings/accounts-guest-account-status.md +++ b/windows/security/threat-protection/security-policy-settings/accounts-guest-account-status.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security @@ -21,6 +20,7 @@ ms.technology: itpro-security # Accounts: Guest account status - security policy setting **Applies to** +- Windows 11 - Windows 10 Describes the best practices, location, values, and security considerations for the **Accounts: Guest account status** security policy setting. diff --git a/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md b/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md index 0d915059c8..6b3f24d9e6 100644 --- a/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md +++ b/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security @@ -21,6 +20,7 @@ ms.technology: itpro-security # Accounts: Limit local account use of blank passwords to console logon only **Applies to** +- Windows 11 - Windows 10 Describes the best practices, location, values, and security considerations for the **Accounts: Limit local account use of blank passwords to console logon only** security policy setting. diff --git a/windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account.md b/windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account.md index 46c725eb8d..bd8090dfe7 100644 --- a/windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account.md +++ b/windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security @@ -21,6 +20,7 @@ ms.technology: itpro-security # Accounts: Rename administrator account **Applies to** +- Windows 11 - Windows 10 This security policy reference topic for the IT professional describes the best practices, location, values, and security considerations for this policy setting. diff --git a/windows/security/threat-protection/security-policy-settings/accounts-rename-guest-account.md b/windows/security/threat-protection/security-policy-settings/accounts-rename-guest-account.md index 987c19d4b7..6bfcf412ae 100644 --- a/windows/security/threat-protection/security-policy-settings/accounts-rename-guest-account.md +++ b/windows/security/threat-protection/security-policy-settings/accounts-rename-guest-account.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security @@ -21,6 +20,7 @@ ms.technology: itpro-security # Accounts: Rename guest account - security policy setting **Applies to** +- Windows 11 - Windows 10 Describes the best practices, location, values, and security considerations for the **Accounts: Rename guest account** security policy setting. diff --git a/windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system.md b/windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system.md index 87c7ed20ea..c36f75e923 100644 --- a/windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system.md +++ b/windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/add-workstations-to-domain.md b/windows/security/threat-protection/security-policy-settings/add-workstations-to-domain.md index 562f3219cb..6c558c83f7 100644 --- a/windows/security/threat-protection/security-policy-settings/add-workstations-to-domain.md +++ b/windows/security/threat-protection/security-policy-settings/add-workstations-to-domain.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/adjust-memory-quotas-for-a-process.md b/windows/security/threat-protection/security-policy-settings/adjust-memory-quotas-for-a-process.md index a56b7a05ba..622ad26f5c 100644 --- a/windows/security/threat-protection/security-policy-settings/adjust-memory-quotas-for-a-process.md +++ b/windows/security/threat-protection/security-policy-settings/adjust-memory-quotas-for-a-process.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md index 8d8e4c26cd..9994324c08 100644 --- a/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md +++ b/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security @@ -22,7 +21,8 @@ ms.technology: itpro-security **Applies to** -- Windows 10 +- Windows 11 +- Windows 10 This article discusses different methods to administer security policy settings on a local device or throughout a small- or medium-sized organization. @@ -94,7 +94,7 @@ The Security Compliance Manager is a downloadable tool that helps you plan, depl **To administer security policies by using the Security Compliance Manager** -1. Download the most recent version. You can find out more info on the [Microsoft Security Guidance](/archive/blogs/secguide/) blog. +1. Download the most recent version. You can find more info on the [Microsoft Security Baselines](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bg-p/Microsoft-Security-Baselines) blog. 1. Read the relevant security baseline documentation that is included in this tool. 1. Download and import the relevant security baselines. The installation process steps you through baseline selection. 1. Open the Help and follow instructions how to customize, compare, or merge your security baselines before deploying those baselines. @@ -313,4 +313,4 @@ Secedit.exe is useful when you have multiple devices on which security must be a ## Working with Group Policy tools -Group Policy is an infrastructure that allows you to specify managed configurations for users and computers through Group Policy settings and Group Policy Preferences. For Group Policy settings that affect only a local device or user, you can use the Local Group Policy Editor. You can manage Group Policy settings and Group Policy Preferences in an Active Directory Domain Services (AD DS) environment through the Group Policy Management Console (GPMC). Group Policy management tools also are included in the Remote Server Administration Tools pack to provide a way for you to administer Group Policy settings from your desktop. \ No newline at end of file +Group Policy is an infrastructure that allows you to specify managed configurations for users and computers through Group Policy settings and Group Policy Preferences. For Group Policy settings that affect only a local device or user, you can use the Local Group Policy Editor. You can manage Group Policy settings and Group Policy Preferences in an Active Directory Domain Services (AD DS) environment through the Group Policy Management Console (GPMC). Group Policy management tools also are included in the Remote Server Administration Tools pack to provide a way for you to administer Group Policy settings from your desktop. diff --git a/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md b/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md index 925f18e265..6e252f1e14 100644 --- a/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md +++ b/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md b/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md index f08466a3fe..6b074f6cb3 100644 --- a/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md +++ b/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md b/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md index f7bee2d141..d5f0c9641a 100644 --- a/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md +++ b/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md b/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md index 7eb7e6736f..7d38765755 100644 --- a/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md +++ b/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/01/2019 ms.technology: itpro-security @@ -21,6 +20,7 @@ ms.technology: itpro-security # Audit: Audit the use of Backup and Restore privilege **Applies to** +- Windows 11 - Windows 10 Describes the best practices, location, values, and security considerations for the **Audit: Audit the use of Backup and Restore privilege** security policy setting. diff --git a/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md b/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md index 19fbeba785..42e645eb95 100644 --- a/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md +++ b/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security @@ -21,6 +20,7 @@ ms.technology: itpro-security # Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings **Applies to** +- Windows 11 - Windows 10 Describes the best practices, location, values, and security considerations for the **Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings** security policy setting. diff --git a/windows/security/threat-protection/security-policy-settings/audit-policy.md b/windows/security/threat-protection/security-policy-settings/audit-policy.md index 9f1e6cd0c6..5130a2112d 100644 --- a/windows/security/threat-protection/security-policy-settings/audit-policy.md +++ b/windows/security/threat-protection/security-policy-settings/audit-policy.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security @@ -21,6 +20,7 @@ ms.technology: itpro-security # Audit Policy **Applies to** +- Windows 11 - Windows 10 Provides information about basic audit policies that are available in Windows and links to information about each setting. diff --git a/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md b/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md index 7a76b59383..614fbe0d12 100644 --- a/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md +++ b/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security @@ -21,6 +20,7 @@ ms.technology: itpro-security # Audit: Shut down system immediately if unable to log security audits **Applies to** +- Windows 11 - Windows 10 Describes the best practices, location, values, management practices, and security considerations for the **Audit: Shut down system immediately if unable to log security audits** security policy setting. diff --git a/windows/security/threat-protection/security-policy-settings/back-up-files-and-directories.md b/windows/security/threat-protection/security-policy-settings/back-up-files-and-directories.md index f73a8fcbfb..40d62fb154 100644 --- a/windows/security/threat-protection/security-policy-settings/back-up-files-and-directories.md +++ b/windows/security/threat-protection/security-policy-settings/back-up-files-and-directories.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md b/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md index e85a3de000..bd274babde 100644 --- a/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md +++ b/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/change-the-system-time.md b/windows/security/threat-protection/security-policy-settings/change-the-system-time.md index 3f4fea070d..3958ae9bed 100644 --- a/windows/security/threat-protection/security-policy-settings/change-the-system-time.md +++ b/windows/security/threat-protection/security-policy-settings/change-the-system-time.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/change-the-time-zone.md b/windows/security/threat-protection/security-policy-settings/change-the-time-zone.md index be8cee418e..0f18fbe6a0 100644 --- a/windows/security/threat-protection/security-policy-settings/change-the-time-zone.md +++ b/windows/security/threat-protection/security-policy-settings/change-the-time-zone.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md b/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md index d4eff325c4..68753e633a 100644 --- a/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md +++ b/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/create-a-token-object.md b/windows/security/threat-protection/security-policy-settings/create-a-token-object.md index 42880a98ce..397456fc85 100644 --- a/windows/security/threat-protection/security-policy-settings/create-a-token-object.md +++ b/windows/security/threat-protection/security-policy-settings/create-a-token-object.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/create-global-objects.md b/windows/security/threat-protection/security-policy-settings/create-global-objects.md index cbbe65e98f..bd8b943798 100644 --- a/windows/security/threat-protection/security-policy-settings/create-global-objects.md +++ b/windows/security/threat-protection/security-policy-settings/create-global-objects.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/create-permanent-shared-objects.md b/windows/security/threat-protection/security-policy-settings/create-permanent-shared-objects.md index 702b33b967..dd58539e88 100644 --- a/windows/security/threat-protection/security-policy-settings/create-permanent-shared-objects.md +++ b/windows/security/threat-protection/security-policy-settings/create-permanent-shared-objects.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md b/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md index a1cb062b9e..5ea5c36a0c 100644 --- a/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md +++ b/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md b/windows/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md index c0da6c3c6d..b2b90cdc1f 100644 --- a/windows/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md +++ b/windows/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md b/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md index c5a0177457..e549425217 100644 --- a/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md +++ b/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security @@ -21,6 +20,7 @@ ms.technology: itpro-security # DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax **Applies to** +- Windows 11 - Windows 10 Describes the best practices, location, values, and security considerations for the **DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax** security policy setting. diff --git a/windows/security/threat-protection/security-policy-settings/debug-programs.md b/windows/security/threat-protection/security-policy-settings/debug-programs.md index 75073bd6ad..c97a34004a 100644 --- a/windows/security/threat-protection/security-policy-settings/debug-programs.md +++ b/windows/security/threat-protection/security-policy-settings/debug-programs.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md b/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md index 1e218d4db5..9d51332226 100644 --- a/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md +++ b/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 05/19/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md index 388793a1c5..26257d7869 100644 --- a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md +++ b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md index 04490f4249..943ab1c47e 100644 --- a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md +++ b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/deny-log-on-locally.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-locally.md index 7ccc3a1197..66c2308100 100644 --- a/windows/security/threat-protection/security-policy-settings/deny-log-on-locally.md +++ b/windows/security/threat-protection/security-policy-settings/deny-log-on-locally.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services.md index 5d840786b2..ad977d3239 100644 --- a/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services.md +++ b/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md b/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md index 3f7ea8fc06..42bcd1198e 100644 --- a/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md +++ b/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security @@ -21,6 +20,7 @@ ms.technology: itpro-security # Devices: Allow undock without having to log on **Applies to** +- Windows 11 - Windows 10 Describes the best practices, location, values, and security considerations for the **Devices: Allow undock without having to log on** security policy setting. diff --git a/windows/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md b/windows/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md index 6702bc1ca9..f27b736149 100644 --- a/windows/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md +++ b/windows/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security @@ -21,6 +20,7 @@ ms.technology: itpro-security # Devices: Allowed to format and eject removable media **Applies to** +- Windows 11 - Windows 10 Describes the best practices, location, values, and security considerations for the **Devices: Allowed to format and eject removable media** security policy setting. diff --git a/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md b/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md index fcd1e4ceda..48ec7ee37d 100644 --- a/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md +++ b/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 01/05/2022 ms.technology: itpro-security @@ -21,6 +20,7 @@ ms.technology: itpro-security # Devices: Prevent users from installing printer drivers **Applies to** +- Windows 11 - Windows 10 Describes the best practices, location, values, and security considerations for the **Devices: Prevent users from installing printer drivers** security policy setting. diff --git a/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md b/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md index 7a3f1c4576..606f90388d 100644 --- a/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md +++ b/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security @@ -21,6 +20,7 @@ ms.technology: itpro-security # Devices: Restrict CD-ROM access to locally logged-on user only **Applies to** +- Windows 11 - Windows 10 Describes the best practices, location, values, and security considerations for the **Devices: Restrict CD-ROM access to locally logged-on user only** security policy setting. diff --git a/windows/security/threat-protection/security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md b/windows/security/threat-protection/security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md index cae68cce6a..f678d28b4a 100644 --- a/windows/security/threat-protection/security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md +++ b/windows/security/threat-protection/security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security @@ -21,6 +20,7 @@ ms.technology: itpro-security # Devices: Restrict floppy access to locally logged-on user only **Applies to** +- Windows 11 - Windows 10 Describes the best practices, location, values, and security considerations for the **Devices: Restrict floppy access to locally logged-on user only** security policy setting. diff --git a/windows/security/threat-protection/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md b/windows/security/threat-protection/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md index 53ae7eca11..67c1a1fd26 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md +++ b/windows/security/threat-protection/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md b/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md index c231fd191b..cc42ccd096 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md +++ b/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md b/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md index 73ec982c16..df6db377b5 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md +++ b/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md @@ -12,9 +12,9 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.technology: itpro-security +ms.date: 12/31/2017 --- # Domain controller: Refuse machine account password changes diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md index f442a4ccd6..497ae0dcf3 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md +++ b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security @@ -21,6 +20,7 @@ ms.technology: itpro-security # Domain member: Digitally encrypt or sign secure channel data (always) **Applies to** +- Windows 11 - Windows 10 Describes the best practices, location, values, and security considerations for the **Domain member: Digitally encrypt or sign secure channel data (always)** security policy setting. diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md index deb101306c..ee6200237d 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md +++ b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security @@ -21,6 +20,7 @@ ms.technology: itpro-security # Domain member: Digitally encrypt secure channel data (when possible) **Applies to** +- Windows 11 - Windows 10 Describes the best practices, location, values, and security considerations for the **Domain member: Digitally encrypt secure channel data (when possible)** security policy setting. diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md index b19d3da882..fa4519f654 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md +++ b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security @@ -21,6 +20,7 @@ ms.technology: itpro-security # Domain member: Digitally sign secure channel data (when possible) **Applies to** +- Windows 11 - Windows 10 Describes the best practices, location, values, and security considerations for the **Domain member: Digitally sign secure channel data (when possible)** security policy setting. diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md b/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md index ca4549a9cc..29cc577b0b 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md +++ b/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 06/27/2019 ms.technology: itpro-security @@ -21,6 +20,7 @@ ms.technology: itpro-security # Domain member: Disable machine account password changes **Applies to** +- Windows 11 - Windows 10 Describes the best practices, location, values, and security considerations for the **Domain member: Disable machine account password changes** security policy setting. diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md b/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md index e5e1ed0e87..ac46532629 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md +++ b/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 05/29/2020 ms.technology: itpro-security @@ -21,6 +20,7 @@ ms.technology: itpro-security # Domain member: Maximum machine account password age **Applies to** +- Windows 11 - Windows 10 Describes the best practices, location, values, and security considerations for the **Domain member: Maximum machine account password age** security policy setting. diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md b/windows/security/threat-protection/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md index 402b5c1833..ba84a03cc1 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md +++ b/windows/security/threat-protection/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security @@ -21,7 +20,8 @@ ms.technology: itpro-security # Domain member: Require strong (Windows 2000 or later) session key **Applies to** -- Windows 10 +- Windows 11 +- Windows 10 Describes the best practices, location, values, and security considerations for the **Domain member: Require strong (Windows 2000 or later) session key** security policy setting. diff --git a/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md b/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md index ea2e02efb2..e1bc8ef4b9 100644 --- a/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md +++ b/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/enforce-password-history.md b/windows/security/threat-protection/security-policy-settings/enforce-password-history.md index 4bb6c855cc..5c1bb1ef3b 100644 --- a/windows/security/threat-protection/security-policy-settings/enforce-password-history.md +++ b/windows/security/threat-protection/security-policy-settings/enforce-password-history.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security @@ -21,6 +20,7 @@ ms.technology: itpro-security # Enforce password history **Applies to** +- Windows 11 - Windows 10 Describes the best practices, location, values, policy management, and security considerations for the **Enforce password history** security policy setting. diff --git a/windows/security/threat-protection/security-policy-settings/enforce-user-logon-restrictions.md b/windows/security/threat-protection/security-policy-settings/enforce-user-logon-restrictions.md index 9f7ae5a5e6..0b360cffa1 100644 --- a/windows/security/threat-protection/security-policy-settings/enforce-user-logon-restrictions.md +++ b/windows/security/threat-protection/security-policy-settings/enforce-user-logon-restrictions.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/force-shutdown-from-a-remote-system.md b/windows/security/threat-protection/security-policy-settings/force-shutdown-from-a-remote-system.md index 346ef2f329..47d87b0cef 100644 --- a/windows/security/threat-protection/security-policy-settings/force-shutdown-from-a-remote-system.md +++ b/windows/security/threat-protection/security-policy-settings/force-shutdown-from-a-remote-system.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/generate-security-audits.md b/windows/security/threat-protection/security-policy-settings/generate-security-audits.md index fddbf6586e..be5d5caebf 100644 --- a/windows/security/threat-protection/security-policy-settings/generate-security-audits.md +++ b/windows/security/threat-protection/security-policy-settings/generate-security-audits.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md index 4d69ec3195..8cdc5e7f53 100644 --- a/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md +++ b/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md @@ -13,7 +13,6 @@ author: vinaypamnani-msft manager: aaroncz audience: ITPro ms.collection: - - M365-security-compliance - highpri ms.topic: conceptual ms.date: 04/19/2017 @@ -22,7 +21,8 @@ ms.technology: itpro-security # Configure security policy settings **Applies to** -- Windows 10 +- Windows 11 +- Windows 10 Describes steps to configure a security policy setting on the local device, on a domain-joined device, and on a domain controller. diff --git a/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md b/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md index 7bb2552b61..c4a613a542 100644 --- a/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md +++ b/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/increase-a-process-working-set.md b/windows/security/threat-protection/security-policy-settings/increase-a-process-working-set.md index 300c643543..3c54eb33ec 100644 --- a/windows/security/threat-protection/security-policy-settings/increase-a-process-working-set.md +++ b/windows/security/threat-protection/security-policy-settings/increase-a-process-working-set.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md b/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md index 75721584d2..2c2e0bb890 100644 --- a/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md +++ b/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 2/6/2020 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md index a7a97b3252..d76c4110fc 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security @@ -21,6 +20,7 @@ ms.technology: itpro-security # Interactive logon: Display user information when the session is locked **Applies to** +- Windows 11 - Windows 10 Describes the best practices, location, values, and security considerations for the **Interactive logon: Display user information when the session is locked** security policy setting. diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name.md index 66fff5d9b2..6cddf9952d 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name.md @@ -9,7 +9,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.reviewer: @@ -20,7 +19,8 @@ ms.technology: itpro-security # Interactive logon: Don't display last signed-in **Applies to** -- Windows 10 +- Windows 11 +- Windows 10 Describes the best practices, location, values, and security considerations for the **Interactive logon: Don't display last signed-in** security policy setting. Before Windows 10 version 1703, this policy setting was named **Interactive logon:Do not display last user name.** diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md index bc9c2d4afb..f33b15222c 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security @@ -20,6 +19,7 @@ ms.technology: itpro-security # Interactive logon: Do not require CTRL+ALT+DEL **Applies to** +- Windows 11 - Windows 10 Describes the best practices, location, values, and security considerations for the **Interactive logon: Do not require CTRL+ALT+DEL** security policy setting. diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md index ea25ab2fbb..e283a1f14d 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security @@ -21,7 +20,9 @@ ms.technology: itpro-security # Interactive logon: Don't display username at sign-in **Applies to** -- Windows 10, Windows Server 2019 +- Windows 11 +- Windows 10 +- Windows Server 2019 Describes the best practices, location, values, and security considerations for the **Interactive logon: Don't display username at sign-in** security policy setting. diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold.md index c7aad467f2..c08ad29828 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security @@ -21,6 +20,7 @@ ms.technology: itpro-security # Interactive logon: Machine account lockout threshold **Applies to** +- Windows 11 - Windows 10 Describes the best practices, location, values, management, and security considerations for the **Interactive logon: Machine account lockout threshold** security policy setting. diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md index ff6e5b9bac..b65e3da751 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md @@ -13,7 +13,6 @@ author: vinaypamnani-msft manager: aaroncz audience: ITPro ms.collection: - - M365-security-compliance - highpri ms.topic: conceptual ms.date: 09/18/2018 @@ -23,6 +22,7 @@ ms.technology: itpro-security # Interactive logon: Machine inactivity limit **Applies to** +- Windows 11 - Windows 10 Describes the best practices, location, values, management, and security considerations for the **Interactive logon: Machine inactivity limit** security policy setting. diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md index 3dca94d8de..0b5af8fa19 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security @@ -22,6 +21,7 @@ ms.technology: itpro-security **Applies to:** +- Windows 11 - Windows 10 Describes the best practices, location, values, management, and security considerations for the **Interactive logon: Message text for users attempting to log on** security policy setting. diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md index cf278a7681..c20c76d1c8 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security @@ -22,6 +21,7 @@ ms.technology: itpro-security **Applies to** +- Windows 11 - Windows 10 Describes the best practices, location, values, policy management and security considerations for the **Interactive logon: Message title for users attempting to log on** security policy setting. diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md index b82c0ed014..91919d8ae3 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/27/2018 ms.technology: itpro-security @@ -21,6 +20,7 @@ ms.technology: itpro-security # Interactive logon: Number of previous logons to cache (in case domain controller is not available) **Applies to** +- Windows 11 - Windows 10 Describes the best practices, location, values, policy management, and security considerations for the **Interactive logon: Number of previous logons to cache (in case domain controller is not available)** security policy setting. diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md index 23c3afa966..5508696327 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security @@ -21,6 +20,7 @@ ms.technology: itpro-security # Interactive log on: Prompt the user to change passwords before expiration **Applies to** +- Windows 11 - Windows 10 This article describes the best practices, location, values, policy management, and security considerations for the **Interactive logon: Prompt user to change password before expiration** security policy setting. diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md index 66491dbbc4..dea0b48963 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security @@ -21,6 +20,7 @@ ms.technology: itpro-security # Interactive logon: Require Domain Controller authentication to unlock workstation **Applies to** +- Windows 11 - Windows 10 Describes the best practices, location, values, policy management, and security considerations for the **Interactive logon: Require Domain Controller authentication to unlock workstation** security policy setting. diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md index 164c2cc81a..32b2a60b44 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md index 7388a8053f..804de2d6cb 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security @@ -21,6 +20,7 @@ ms.technology: itpro-security # Interactive logon: Smart card removal behavior **Applies to** +- Windows 11 - Windows 10 Describes the recommended practices, location, values, policy management, and security considerations for the **Interactive logon: Smart card removal behavior** security policy setting. diff --git a/windows/security/threat-protection/security-policy-settings/kerberos-policy.md b/windows/security/threat-protection/security-policy-settings/kerberos-policy.md index 7fb1cb1710..c6fc22a8de 100644 --- a/windows/security/threat-protection/security-policy-settings/kerberos-policy.md +++ b/windows/security/threat-protection/security-policy-settings/kerberos-policy.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/load-and-unload-device-drivers.md b/windows/security/threat-protection/security-policy-settings/load-and-unload-device-drivers.md index 7c6871a87f..10425d576a 100644 --- a/windows/security/threat-protection/security-policy-settings/load-and-unload-device-drivers.md +++ b/windows/security/threat-protection/security-policy-settings/load-and-unload-device-drivers.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/lock-pages-in-memory.md b/windows/security/threat-protection/security-policy-settings/lock-pages-in-memory.md index b981d5e8cc..ab91674f23 100644 --- a/windows/security/threat-protection/security-policy-settings/lock-pages-in-memory.md +++ b/windows/security/threat-protection/security-policy-settings/lock-pages-in-memory.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md b/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md index a55b2121f7..c982a7ca78 100644 --- a/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md +++ b/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md @@ -13,7 +13,6 @@ author: vinaypamnani-msft manager: aaroncz audience: ITPro ms.collection: - - M365-security-compliance - highpri ms.topic: conceptual ms.date: 04/19/2017 diff --git a/windows/security/threat-protection/security-policy-settings/log-on-as-a-service.md b/windows/security/threat-protection/security-policy-settings/log-on-as-a-service.md index f43b7635b5..833a0d2eea 100644 --- a/windows/security/threat-protection/security-policy-settings/log-on-as-a-service.md +++ b/windows/security/threat-protection/security-policy-settings/log-on-as-a-service.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/manage-auditing-and-security-log.md b/windows/security/threat-protection/security-policy-settings/manage-auditing-and-security-log.md index 37c0b4951f..f19e322da5 100644 --- a/windows/security/threat-protection/security-policy-settings/manage-auditing-and-security-log.md +++ b/windows/security/threat-protection/security-policy-settings/manage-auditing-and-security-log.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-service-ticket.md b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-service-ticket.md index 8efd0f5d89..e60f5b8019 100644 --- a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-service-ticket.md +++ b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-service-ticket.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md index 10456a7833..d048ad2d5b 100644 --- a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md +++ b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket.md b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket.md index 15fec062f5..7117941bbe 100644 --- a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket.md +++ b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/maximum-password-age.md b/windows/security/threat-protection/security-policy-settings/maximum-password-age.md index c0b7aae124..7c99d562b8 100644 --- a/windows/security/threat-protection/security-policy-settings/maximum-password-age.md +++ b/windows/security/threat-protection/security-policy-settings/maximum-password-age.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security @@ -21,6 +20,7 @@ ms.technology: itpro-security # Maximum password age **Applies to** +- Windows 11 - Windows 10 Describes the best practices, location, values, policy management, and security considerations for the **Maximum password age** security policy setting. diff --git a/windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md b/windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md index 9934945176..e6976b9407 100644 --- a/windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md +++ b/windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md index bde8daf5f1..e446db45a1 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md @@ -13,11 +13,13 @@ ms.localizationpriority: medium author: vinaypamnani-msft ms.date: 06/28/2018 ms.technology: itpro-security +ms.topic: conceptual --- # Microsoft network client: Digitally sign communications (always) **Applies to** +- Windows 11 - Windows 10 - Windows Server diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md index c3c7ced2ca..1162197765 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md index 4c6c5ddd2d..b5f65848a6 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security @@ -33,9 +32,9 @@ The **Microsoft network server: Amount of idle time required before suspending s ### Possible values -- A user-defined number of minutes from 0 through 99,999 +- A user-defined number of minutes from 0 through 99,999. - For this policy setting, a value of 0 means to disconnect an idle session as quickly as is reasonably possible. The maximum value is 99999, which is 208 days. In effect, this value disables the policy. + For this policy setting, a value of 0 means to disconnect an idle session as quickly as is reasonably possible. The maximum value is 99999 (8 business hours per day), which is 208 days. In effect, this value disables the policy. - Not defined diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md index 75a1455561..12c009ce89 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md index a3f70b7900..3ef631a76e 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 06/21/2018 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md index 8c064588f8..9af04189fa 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md index bd1d8be1f3..e157b27f1e 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/minimum-password-age.md b/windows/security/threat-protection/security-policy-settings/minimum-password-age.md index f6ce6b41e1..02c1a25fd5 100644 --- a/windows/security/threat-protection/security-policy-settings/minimum-password-age.md +++ b/windows/security/threat-protection/security-policy-settings/minimum-password-age.md @@ -13,11 +13,13 @@ ms.localizationpriority: medium author: vinaypamnani-msft ms.date: 11/13/2018 ms.technology: itpro-security +ms.topic: conceptual --- # Minimum password age **Applies to** +- Windows 11 - Windows 10 Describes the best practices, location, values, policy management, and security considerations for the **Minimum password age** security policy setting. @@ -89,4 +91,4 @@ If you set a password for a user but want that user to change the password when ## Related topics -- [Password Policy](password-policy.md) \ No newline at end of file +- [Password Policy](password-policy.md) diff --git a/windows/security/threat-protection/security-policy-settings/minimum-password-length.md b/windows/security/threat-protection/security-policy-settings/minimum-password-length.md index 14a19ec3af..cde1a5df8b 100644 --- a/windows/security/threat-protection/security-policy-settings/minimum-password-length.md +++ b/windows/security/threat-protection/security-policy-settings/minimum-password-length.md @@ -13,7 +13,6 @@ author: vinaypamnani-msft manager: aaroncz audience: ITPro ms.collection: - - M365-security-compliance - highpri ms.topic: conceptual ms.date: 03/30/2022 @@ -23,6 +22,7 @@ ms.technology: itpro-security # Minimum password length **Applies to** +- Windows 11 - Windows 10 This article describes the recommended practices, location, values, policy management, and security considerations for the **Minimum password length** security policy setting. diff --git a/windows/security/threat-protection/security-policy-settings/modify-an-object-label.md b/windows/security/threat-protection/security-policy-settings/modify-an-object-label.md index fbfb32b045..784db5fe09 100644 --- a/windows/security/threat-protection/security-policy-settings/modify-an-object-label.md +++ b/windows/security/threat-protection/security-policy-settings/modify-an-object-label.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/modify-firmware-environment-values.md b/windows/security/threat-protection/security-policy-settings/modify-firmware-environment-values.md index d084e365ba..3f104ff095 100644 --- a/windows/security/threat-protection/security-policy-settings/modify-firmware-environment-values.md +++ b/windows/security/threat-protection/security-policy-settings/modify-firmware-environment-values.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation.md b/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation.md index aafe4619c1..c3103f7be5 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md index 4317675d65..547733a694 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md index 0b57d3a933..36749adf40 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md index 8726b950f2..cd953a6928 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 07/01/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md b/windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md index a71af792e0..d4297e81d7 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md b/windows/security/threat-protection/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md index 22436ac3ef..beb39359bb 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md b/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md index d9c616fb82..cf9c3cea63 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths.md b/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths.md index 38b0c07c3c..cf59a0d22f 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md b/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md index 4842d0dfe2..92f62c7e6b 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security @@ -21,7 +20,13 @@ ms.technology: itpro-security # Network access: Restrict anonymous access to Named Pipes and Shares **Applies to** +- Windows 11 - Windows 10 +- Windows 8.1 +- Windows Server 2022 +- Windows Server 2019 +- Windows Server 2016 +- Windows Server 2012 R2 Describes the best practices, location, values, policy management and security considerations for the **Network access: Restrict anonymous access to Named Pipes and Shares** security policy setting. diff --git a/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md b/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md index 48d6693d11..67f28accd4 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md @@ -11,6 +11,7 @@ ms.reviewer: manager: aaroncz ms.collection: - highpri +ms.topic: conceptual --- # Network access: Restrict clients allowed to make remote calls to SAM diff --git a/windows/security/threat-protection/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md b/windows/security/threat-protection/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md index c6b831e405..6f1e91f1b2 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md b/windows/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md index 2d159d7ee9..3feed8fa4d 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/network-list-manager-policies.md b/windows/security/threat-protection/security-policy-settings/network-list-manager-policies.md index f558cd0804..6b67b4947f 100644 --- a/windows/security/threat-protection/security-policy-settings/network-list-manager-policies.md +++ b/windows/security/threat-protection/security-policy-settings/network-list-manager-policies.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security @@ -21,7 +20,8 @@ ms.technology: itpro-security # Network List Manager policies **Applies to** -- Windows 10 +- Windows 11 +- Windows 10 Network List Manager policies are security settings that you can use to configure different aspects of how networks are listed and displayed on one device or on many devices. diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md index 68e3fb1776..531f18f014 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 10/04/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-localsystem-null-session-fallback.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-localsystem-null-session-fallback.md index e74d40a8ae..4d47667005 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-allow-localsystem-null-session-fallback.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-localsystem-null-session-fallback.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md index 1b8d66ce92..08db95e10e 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 01/03/2022 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md index c5143b9f49..b0da8cc808 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md @@ -13,7 +13,6 @@ author: vinaypamnani-msft manager: aaroncz audience: ITPro ms.collection: - - M365-security-compliance - highpri ms.topic: conceptual ms.date: 04/19/2017 diff --git a/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md b/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md index 6fb0bc171f..463b054ea4 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md b/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md index dc9aebbb8c..3e5f9a03b9 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md b/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md index b3ebd353c1..aba0587774 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md @@ -13,7 +13,6 @@ author: vinaypamnani-msft manager: aaroncz audience: ITPro ms.collection: - - M365-security-compliance - highpri ms.topic: conceptual ms.date: 04/19/2017 diff --git a/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md b/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md index 4dcdc81aa0..3c0032faf1 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md index 9c3d1d2f2a..d0a7524fb4 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 07/27/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md index 469bd9cf39..022d167542 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md index 4ce6039624..09f6ccc2c7 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md index 61a85682bd..99e8c7a39f 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md index b390537f8b..4c15706058 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md index b7024f8999..7bf8d5f15b 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md index 21e4daa313..2f02467243 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md index 02de52f636..33ff80fb70 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md @@ -12,9 +12,9 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.technology: itpro-security +ms.date: 12/31/2017 --- # Network security: Restrict NTLM: NTLM authentication in this domain diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md index 4158c8dff7..9037b9728c 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 06/15/2022 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md index 3781352906..c7b9c6ad9d 100644 --- a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md +++ b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md @@ -13,15 +13,16 @@ author: vinaypamnani-msft manager: aaroncz audience: ITPro ms.collection: - - M365-security-compliance - highpri ms.topic: conceptual ms.technology: itpro-security +ms.date: 12/31/2017 --- # Password must meet complexity requirements **Applies to** +- Windows 11 - Windows 10 Describes the best practices, location, values, and security considerations for the **Password must meet complexity requirements** security policy setting. @@ -30,7 +31,7 @@ Describes the best practices, location, values, and security considerations for The **Passwords must meet complexity requirements** policy setting determines whether passwords must meet a series of strong-password guidelines. When enabled, this setting requires passwords to meet the following requirements: -1. Passwords may not contain the user's samAccountName (Account Name) value or entire displayName (Full Name value). Both checks aren't case-sensitive. +1. Passwords may not contain the user's samAccountName (Account Name) value or entire displayName (Full Name value). Neither of these checks is case-sensitive. The samAccountName is checked in its entirety only to determine whether it's part of the password. If the samAccountName is fewer than three characters long, this check is skipped. The displayName is parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the displayName is split and all parsed sections (tokens) are confirmed not to be included in the password. Tokens that are shorter than three characters are ignored, and substrings of the tokens aren't checked. For example, the name "Erin M. Hagens" is split into three tokens: "Erin", "M", and "Hagens". Because the second token is only one character long, it's ignored. So, this user couldn't have a password that included either "erin" or "hagens" as a substring anywhere in the password. diff --git a/windows/security/threat-protection/security-policy-settings/password-policy.md b/windows/security/threat-protection/security-policy-settings/password-policy.md index 7ecb04ce32..b4163b8525 100644 --- a/windows/security/threat-protection/security-policy-settings/password-policy.md +++ b/windows/security/threat-protection/security-policy-settings/password-policy.md @@ -13,7 +13,6 @@ author: vinaypamnani-msft manager: aaroncz audience: ITPro ms.collection: - - M365-security-compliance - highpri ms.topic: conceptual ms.date: 04/19/2017 @@ -23,6 +22,7 @@ ms.technology: itpro-security # Password Policy **Applies to** +- Windows 11 - Windows 10 An overview of password policies for Windows and links to information for each policy setting. diff --git a/windows/security/threat-protection/security-policy-settings/perform-volume-maintenance-tasks.md b/windows/security/threat-protection/security-policy-settings/perform-volume-maintenance-tasks.md index 310b057751..7b30d8f59c 100644 --- a/windows/security/threat-protection/security-policy-settings/perform-volume-maintenance-tasks.md +++ b/windows/security/threat-protection/security-policy-settings/perform-volume-maintenance-tasks.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/profile-single-process.md b/windows/security/threat-protection/security-policy-settings/profile-single-process.md index a98135713c..cde1362185 100644 --- a/windows/security/threat-protection/security-policy-settings/profile-single-process.md +++ b/windows/security/threat-protection/security-policy-settings/profile-single-process.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/profile-system-performance.md b/windows/security/threat-protection/security-policy-settings/profile-system-performance.md index 9f76b3d698..ecb01bb455 100644 --- a/windows/security/threat-protection/security-policy-settings/profile-system-performance.md +++ b/windows/security/threat-protection/security-policy-settings/profile-system-performance.md @@ -4,7 +4,7 @@ description: Best practices, location, values, policy management, and security c ms.assetid: ffabc3c5-9206-4105-94ea-84f597a54b2e ms.reviewer: ms.author: vinpa -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,10 +12,9 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 -ms.technology: windows-sec +ms.technology: itpro-security --- # Profile system performance diff --git a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md index a1e2ab6949..0980bf4469 100644 --- a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md +++ b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md @@ -4,7 +4,7 @@ description: Best practices, location, values, policy management, and security c ms.assetid: be2498fc-48f4-43f3-ad09-74664e45e596 ms.reviewer: ms.author: vinpa -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,10 +12,9 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 -ms.technology: windows-sec +ms.technology: itpro-security --- # Recovery console: Allow automatic administrative logon diff --git a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md index 8e34bd2995..d7906353f2 100644 --- a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md +++ b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md @@ -4,7 +4,7 @@ description: Best practices, security considerations, and more for the policy se ms.assetid: a5b4ac0c-f33d-42b5-a866-72afa7cbd0bd ms.reviewer: ms.author: vinpa -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,10 +12,9 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 -ms.technology: windows-sec +ms.technology: itpro-security --- # Recovery console: Allow floppy copy and access to all drives and folders diff --git a/windows/security/threat-protection/security-policy-settings/remove-computer-from-docking-station.md b/windows/security/threat-protection/security-policy-settings/remove-computer-from-docking-station.md index dafe4d5d59..57181925d6 100644 --- a/windows/security/threat-protection/security-policy-settings/remove-computer-from-docking-station.md +++ b/windows/security/threat-protection/security-policy-settings/remove-computer-from-docking-station.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 229a385a-a862-4973-899a-413b1b5b6c30 ms.reviewer: ms.author: vinpa -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,10 +12,9 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 -ms.technology: windows-sec +ms.technology: itpro-security --- # Remove computer from docking station - security policy setting diff --git a/windows/security/threat-protection/security-policy-settings/replace-a-process-level-token.md b/windows/security/threat-protection/security-policy-settings/replace-a-process-level-token.md index c40121b387..5e9ee1c0f3 100644 --- a/windows/security/threat-protection/security-policy-settings/replace-a-process-level-token.md +++ b/windows/security/threat-protection/security-policy-settings/replace-a-process-level-token.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 5add02db-6339-489e-ba21-ccc3ccbe8745 ms.reviewer: ms.author: vinpa -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,10 +12,9 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 -ms.technology: windows-sec +ms.technology: itpro-security --- # Replace a process level token diff --git a/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md b/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md index e2f943cd55..1891e3b322 100644 --- a/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md +++ b/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, and security consid ms.assetid: d5ccf6dd-5ba7-44a9-8e0b-c478d8b1442c ms.reviewer: ms.author: vinpa -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,15 +12,15 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 11/02/2018 -ms.technology: windows-sec +ms.technology: itpro-security --- # Reset account lockout counter after **Applies to** +- Windows 11 - Windows 10 Describes the best practices, location, values, and security considerations for the **Reset account lockout counter after** security policy setting. @@ -77,4 +77,4 @@ If you don't configure this policy setting or if the value is configured to an i ## Related topics -- [Account Lockout Policy](account-lockout-policy.md) \ No newline at end of file +- [Account Lockout Policy](account-lockout-policy.md) diff --git a/windows/security/threat-protection/security-policy-settings/restore-files-and-directories.md b/windows/security/threat-protection/security-policy-settings/restore-files-and-directories.md index 5e3f6b9386..d534fcedaa 100644 --- a/windows/security/threat-protection/security-policy-settings/restore-files-and-directories.md +++ b/windows/security/threat-protection/security-policy-settings/restore-files-and-directories.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: c673c0fa-6f49-4edd-8c1f-c5e8513f701d ms.reviewer: ms.author: vinpa -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,10 +12,9 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 -ms.technology: windows-sec +ms.technology: itpro-security --- # Restore files and directories - security policy setting diff --git a/windows/security/threat-protection/security-policy-settings/secpol-advanced-security-audit-policy-settings.md b/windows/security/threat-protection/security-policy-settings/secpol-advanced-security-audit-policy-settings.md index 7dc532fd31..15e8e865fb 100644 --- a/windows/security/threat-protection/security-policy-settings/secpol-advanced-security-audit-policy-settings.md +++ b/windows/security/threat-protection/security-policy-settings/secpol-advanced-security-audit-policy-settings.md @@ -4,7 +4,7 @@ description: Provides information about the advanced security audit policy setti ms.assetid: 6BF9A642-DBC3-4101-94A3-B2316C553CE3 ms.reviewer: ms.author: vinpa -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,15 +12,15 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 -ms.technology: windows-sec +ms.technology: itpro-security --- # Advanced security audit policy settings for Windows 10 **Applies to** +- Windows 11 - Windows 10 Provides information about the advanced security audit policy settings that are available in Windows and the audit events that they generate. diff --git a/windows/security/threat-protection/security-policy-settings/security-options.md b/windows/security/threat-protection/security-policy-settings/security-options.md index 00441e06c4..b7b56bf6a8 100644 --- a/windows/security/threat-protection/security-policy-settings/security-options.md +++ b/windows/security/threat-protection/security-policy-settings/security-options.md @@ -5,19 +5,21 @@ ms.assetid: 405ea253-8116-4e57-b08e-14a8dcdca92b ms.reviewer: manager: aaroncz ms.author: vinpa -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: vinaypamnani-msft ms.date: 06/28/2018 -ms.technology: windows-sec +ms.technology: itpro-security +ms.topic: conceptual --- # Security Options **Applies to** +- Windows 11 - Windows 10 Provides an introduction to the **Security Options** settings for local security policies and links to more information. diff --git a/windows/security/threat-protection/security-policy-settings/security-policy-settings-reference.md b/windows/security/threat-protection/security-policy-settings/security-policy-settings-reference.md index bfca76513d..5aecd1228b 100644 --- a/windows/security/threat-protection/security-policy-settings/security-policy-settings-reference.md +++ b/windows/security/threat-protection/security-policy-settings/security-policy-settings-reference.md @@ -4,7 +4,7 @@ description: This reference of security settings provides information about how ms.assetid: ef5a4579-15a8-4507-9a43-b7ccddcb0ed1 ms.reviewer: ms.author: vinpa -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,16 +12,16 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 -ms.technology: windows-sec +ms.technology: itpro-security --- # Security policy settings reference **Applies to** -- Windows 10 +- Windows 11 +- Windows 10 This reference of security settings provides information about how to implement and manage security policies, including setting options and security considerations. diff --git a/windows/security/threat-protection/security-policy-settings/security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md index 5e771b19bd..79136b00da 100644 --- a/windows/security/threat-protection/security-policy-settings/security-policy-settings.md +++ b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md @@ -4,7 +4,7 @@ description: This reference topic describes the common scenarios, architecture, ms.assetid: e7ac5204-7f6c-4708-a9f6-6af712ca43b9 ms.reviewer: ms.author: vinpa -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,11 +13,10 @@ author: vinaypamnani-msft manager: aaroncz audience: ITPro ms.collection: - - M365-security-compliance - highpri ms.topic: conceptual ms.date: 04/19/2017 -ms.technology: windows-sec +ms.technology: itpro-security --- # Security policy settings diff --git a/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md b/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md index 465e04c8e5..b2bd961eea 100644 --- a/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md +++ b/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: c8e8f890-153a-401e-a957-ba6a130304bf ms.reviewer: ms.author: vinpa -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,10 +12,9 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 -ms.technology: windows-sec +ms.technology: itpro-security --- # Shut down the system - security policy setting diff --git a/windows/security/threat-protection/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md b/windows/security/threat-protection/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md index 06fb947134..6fe3056930 100644 --- a/windows/security/threat-protection/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md +++ b/windows/security/threat-protection/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md @@ -4,7 +4,7 @@ description: Best practices, security considerations, and more for the security ms.assetid: f3964767-5377-4416-8eb3-e14d553a7315 ms.reviewer: ms.author: vinpa -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,10 +12,9 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 -ms.technology: windows-sec +ms.technology: itpro-security --- # Shutdown: Allow system to be shut down without having to log on diff --git a/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md b/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md index 188c435f4f..4b773d0043 100644 --- a/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md +++ b/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management a ms.assetid: 31400078-6c56-4891-a6df-6dfb403c4bc9 ms.reviewer: ms.author: vinpa -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,10 +12,9 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/01/2017 -ms.technology: windows-sec +ms.technology: itpro-security --- # Shutdown: Clear virtual memory pagefile diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md index 460941fd81..99e2eca53e 100644 --- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md +++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md @@ -4,7 +4,7 @@ description: Learn about best practices, security considerations and more for th ms.assetid: 4b7b0298-b130-40f8-960d-60418ba85f76 ms.reviewer: ms.author: vinpa -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,10 +12,9 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 01/04/2019 -ms.technology: windows-sec +ms.technology: itpro-security --- # SMBv1 Microsoft network client: Digitally sign communications (always) diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md index 6125397053..b4ac13d05a 100644 --- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md +++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md @@ -4,7 +4,7 @@ description: Best practices, location, values, and security considerations for t ms.assetid: e553f700-aae5-425c-8650-f251c90ba5dd ms.reviewer: ms.author: vinpa -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,10 +12,9 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 01/04/2019 -ms.technology: windows-sec +ms.technology: itpro-security --- # SMBv1 Microsoft network client: Digitally sign communications (if server agrees) diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md index b261da96b1..45b7731eb7 100644 --- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md +++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md @@ -4,7 +4,7 @@ description: Best practices, security considerations, and more for the security ms.assetid: 2007b622-7bc2-44e8-9cf1-d34b62117ea8 ms.reviewer: ms.author: vinpa -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,10 +12,9 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 01/04/2019 -ms.technology: windows-sec +ms.technology: itpro-security --- # SMB v1 Microsoft network server: Digitally sign communications (always) diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md index d10e1c5531..cf2feb9753 100644 --- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md +++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md @@ -4,7 +4,7 @@ description: Best practices, security considerations and more for the security p ms.assetid: c92b2e3d-1dbf-4337-a145-b17a585f4fc1 ms.reviewer: ms.author: vinpa -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,10 +12,9 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 01/04/2019 -ms.technology: windows-sec +ms.technology: itpro-security --- # SMBv1 Microsoft network server: Digitally sign communications (if client agrees) diff --git a/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md b/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md index 207e07ea6f..93c6889650 100644 --- a/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md +++ b/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, and security consid ms.assetid: 57f958c2-f1e9-48bf-871b-0a9b3299e238 ms.reviewer: ms.author: vinpa -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,15 +12,15 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 -ms.technology: windows-sec +ms.technology: itpro-security --- # Store passwords using reversible encryption **Applies to** +- Windows 11 - Windows 10 Describes the best practices, location, values, and security considerations for the **Store passwords using reversible encryption** security policy setting. diff --git a/windows/security/threat-protection/security-policy-settings/synchronize-directory-service-data.md b/windows/security/threat-protection/security-policy-settings/synchronize-directory-service-data.md index 75c07aa23f..f165400681 100644 --- a/windows/security/threat-protection/security-policy-settings/synchronize-directory-service-data.md +++ b/windows/security/threat-protection/security-policy-settings/synchronize-directory-service-data.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 97b0aaa4-674f-40f4-8974-b4bfb12c232c ms.reviewer: ms.author: vinpa -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,10 +12,9 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 -ms.technology: windows-sec +ms.technology: itpro-security --- # Synchronize directory service data diff --git a/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md b/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md index 8e7bbc95a5..8e1ac04319 100644 --- a/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md +++ b/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md @@ -4,7 +4,7 @@ description: Best practices, security considerations, and more for the policy se ms.assetid: 8cbff267-881e-4bf6-920d-b583a5ff7de0 ms.reviewer: ms.author: vinpa -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,10 +12,9 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 -ms.technology: windows-sec +ms.technology: itpro-security --- # System cryptography: Force strong key protection for user keys stored on the computer diff --git a/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md b/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md index 384b7464ec..86ed35f4ec 100644 --- a/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md +++ b/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md @@ -4,7 +4,7 @@ description: Best practices, security considerations, and more for the policy se ms.assetid: 83988865-dc0f-45eb-90d1-ee33495eb045 ms.reviewer: ms.author: vinpa -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,10 +12,9 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 11/16/2018 -ms.technology: windows-sec +ms.technology: itpro-security --- # System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing diff --git a/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md b/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md index 9c4cd9c338..fb283fcb9b 100644 --- a/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md +++ b/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md @@ -4,7 +4,7 @@ description: Best practices, security considerations and more for the security p ms.assetid: 340d6769-8f33-4067-8470-1458978d1522 ms.reviewer: ms.author: vinpa -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,10 +12,9 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 -ms.technology: windows-sec +ms.technology: itpro-security --- # System objects: Require case insensitivity for non-Windows subsystems diff --git a/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md b/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md index bba4ab0d9b..c4cc3fd368 100644 --- a/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md +++ b/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md @@ -4,7 +4,7 @@ description: Best practices and more for the security policy setting, System obj ms.assetid: 3a592097-9cf5-4fd0-a504-7cbfab050bb6 ms.reviewer: ms.author: vinpa -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,10 +12,9 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 -ms.technology: windows-sec +ms.technology: itpro-security --- # System objects: Strengthen default permissions of internal system objects (for example, Symbolic Links) diff --git a/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md b/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md index a36f304e17..d287cf1d46 100644 --- a/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md +++ b/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 5cb6519a-4f84-4b45-8072-e2aa8a72fb78 ms.reviewer: ms.author: vinpa -ms.prod: m365-security +ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,10 +12,9 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 -ms.technology: windows-sec +ms.technology: itpro-security --- # System settings: Optional subsystems diff --git a/windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md b/windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md index f8db801710..4d194b9586 100644 --- a/windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md +++ b/windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects.md b/windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects.md index 563b7b38aa..279eeced74 100644 --- a/windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects.md +++ b/windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md b/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md index 32ff199d90..73b7ad213e 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md b/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md index bb6ff605e9..541ed662b6 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md index 867ff0c857..b573193466 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md index c80cd46fc4..cc56752bf0 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 10/11/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md b/windows/security/threat-protection/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md index 157dbcb839..9a76eb60a7 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md index 94940efabd..5b94f9db23 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md index 59e27064f3..c181b31d00 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md b/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md index b246a0c52c..28bcf3d293 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md b/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md index bff51aac66..3e92e84352 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md b/windows/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md index 2d7c126bdf..fe36fcdd30 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md b/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md index 79919780f0..0439fc8ee1 100644 --- a/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md +++ b/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md @@ -13,7 +13,6 @@ author: vinaypamnani-msft manager: aaroncz audience: ITPro ms.collection: - - M365-security-compliance - highpri ms.topic: conceptual ms.date: 12/16/2021 diff --git a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md index f4ddfe874d..1fac194013 100644 --- a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md +++ b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md @@ -4,11 +4,12 @@ description: Learn about an approach to collect events from devices in your orga ms.reviewer: manager: aaroncz ms.author: dansimp -ms.prod: m365-security +ms.prod: windows-client author: dulcemontemayor ms.date: 02/28/2019 ms.localizationpriority: medium -ms.technology: windows-sec +ms.technology: itpro-security +ms.topic: how-to --- # Use Windows Event Forwarding to help with intrusion detection @@ -397,6 +398,17 @@ The following GPO snippet performs the following tasks: ![configure event channels.](images/capi-gpo.png) +The following table also contains the six actions to configure in the GPO: + +| Program/Script | Arguments | +|------------------------------------|----------------------------------------------------------------------------------------------------------| +| %SystemRoot%\System32\wevtutil.exe | sl Microsoft-Windows-CAPI2/Operational /e:true | +| %SystemRoot%\System32\wevtutil.exe | sl Microsoft-Windows-CAPI2/Operational /ms:102432768 | +| %SystemRoot%\System32\wevtutil.exe | sl "Microsoft-Windows-AppLocker/EXE and DLL" /ms:102432768 | +| %SystemRoot%\System32\wevtutil.exe | sl Microsoft-Windows-CAPI2/Operational /ca:"O:BAG:SYD:(A;;0x7;;;BA)(A;;0x2;;;AU)(A;;0x1;;;S-1-5-32-573)" | +| %SystemRoot%\System32\wevtutil.exe | sl "Microsoft-Windows-DriverFrameworks-UserMode/Operational" /e:true | +| %SystemRoot%\System32\wevtutil.exe | sl "Microsoft-Windows-DriverFrameworks-UserMode/Operational" /ms:52432896 | + ## Appendix D - Minimum GPO for WEF Client configuration Here are the minimum steps for WEF to operate: @@ -655,4 +667,4 @@ You can get more info with the following links: - [Event Queries and Event XML](/previous-versions/bb399427(v=vs.90)) - [Event Query Schema](/windows/win32/wes/queryschema-schema) - [Windows Event Collector](/windows/win32/wec/windows-event-collector) -- [4625(F): An account failed to log on](./auditing/event-4625.md) \ No newline at end of file +- [4625(F): An account failed to log on](./auditing/event-4625.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/debugging-operational-guide-appid-tagging-policies.md b/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/debugging-operational-guide-appid-tagging-policies.md index 707538f309..ab8014b9a5 100644 --- a/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/debugging-operational-guide-appid-tagging-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/debugging-operational-guide-appid-tagging-policies.md @@ -9,13 +9,13 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium audience: ITPro -ms.collection: M365-security-compliance author: jgeurten ms.reviewer: jsuther1974 ms.author: vinpa manager: aaroncz ms.date: 04/29/2022 ms.technology: itpro-security +ms.topic: article --- # Testing and Debugging AppId Tagging Policies diff --git a/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md b/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md index 6b822bc07e..bf48be5b8d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md @@ -3,13 +3,13 @@ title: Deploying Windows Defender Application Control AppId tagging policies description: How to deploy your WDAC AppId tagging policies locally and globally within your managed environment. ms.prod: windows-client ms.localizationpriority: medium -ms.collection: M365-security-compliance author: jgeurten ms.reviewer: jsuther1974 ms.author: vinpa manager: aaroncz ms.date: 04/29/2022 ms.technology: itpro-security +ms.topic: article --- # Deploying Windows Defender Application Control AppId tagging policies diff --git a/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/design-create-appid-tagging-policies.md b/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/design-create-appid-tagging-policies.md index cea2b2e0d7..9bce0c01fd 100644 --- a/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/design-create-appid-tagging-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/design-create-appid-tagging-policies.md @@ -9,13 +9,13 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium audience: ITPro -ms.collection: M365-security-compliance author: jgeurten ms.reviewer: jsuther1974 ms.author: vinpa manager: aaroncz ms.date: 04/29/2022 ms.technology: itpro-security +ms.topic: article --- # Creating your WDAC AppId Tagging Policies diff --git a/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/windows-defender-application-control-appid-tagging-guide.md b/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/windows-defender-application-control-appid-tagging-guide.md index a2d2da6611..ffde0b7c8e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/windows-defender-application-control-appid-tagging-guide.md +++ b/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/windows-defender-application-control-appid-tagging-guide.md @@ -9,13 +9,13 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium audience: ITPro -ms.collection: M365-security-compliance author: jgeurten ms.reviewer: jsuther1974 ms.author: vinpa manager: aaroncz ms.date: 04/27/2022 ms.technology: itpro-security +ms.topic: article --- # WDAC Application ID (AppId) Tagging guide diff --git a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md index 7a948159c8..0b5ca8e152 100644 --- a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md +++ b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md @@ -9,13 +9,13 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium audience: ITPro -ms.collection: M365-security-compliance author: jsuther1974 ms.reviewer: isbrahm ms.author: vinpa manager: aaroncz ms.date: 10/30/2019 ms.technology: itpro-security +ms.topic: article --- # Allow Line-of-Business Win32 Apps on Intune-Managed S Mode Devices diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.yml b/windows/security/threat-protection/windows-defender-application-control/TOC.yml index 2c063bad24..f9355db522 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.yml +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.yml @@ -87,19 +87,17 @@ href: merge-windows-defender-application-control-policies.md - name: Enforce WDAC policies href: enforce-windows-defender-application-control-policies.md - - name: Managing WDAC Policies with CI Tool - href: citool-commands.md - - name: Use code signing to simplify application control for classic Windows applications + - name: Use code signing for added control and protection with WDAC href: use-code-signing-to-simplify-application-control-for-classic-windows-applications.md items: - - name: "Optional: Use the WDAC Signing Portal in the Microsoft Store for Business" + - name: Deploy catalog files to support WDAC + href: deploy-catalog-files-to-support-windows-defender-application-control.md + - name: Use signed policies to protect Windows Defender Application Control against tampering + href: use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md + - name: "Optional: Use the Device Guard Signing Service v2" href: use-device-guard-signing-portal-in-microsoft-store-for-business.md - name: "Optional: Create a code signing cert for WDAC" href: create-code-signing-cert-for-windows-defender-application-control.md - - name: Deploy catalog files to support WDAC - href: deploy-catalog-files-to-support-windows-defender-application-control.md - - name: Use signed policies to protect Windows Defender Application Control against tampering - href: use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md - name: Disable WDAC policies href: disable-windows-defender-application-control-policies.md - name: LOB Win32 Apps on S Mode @@ -117,6 +115,8 @@ href: operations/known-issues.md - name: Managed installer and ISG technical reference and troubleshooting guide href: configure-wdac-managed-installer.md + - name: CITool.exe technical reference + href: operations/citool-commands.md - name: WDAC AppId Tagging guide href: AppIdTagging/windows-defender-application-control-appid-tagging-guide.md items: diff --git a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md index af08583111..b3e65b47bf 100644 --- a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md @@ -9,12 +9,13 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium audience: ITPro -ms.collection: M365-security-compliance author: vinaypamnani-msft ms.reviewer: isbrahm ms.author: vinpa manager: aaroncz ms.technology: itpro-security +ms.date: 12/31/2017 +ms.topic: article --- # Allow COM object registration in a Windows Defender Application Control policy @@ -69,6 +70,10 @@ One attribute: - The setting needs to be placed in the order of ASCII values (first by Provider, then Key, then ValueName) +### Multiple policy considerations + +Similar to executable files, COM objects must pass each policy on the system to be allowed by WDAC. For example, if the COM object under evaluation passes most but not all of your WDAC policies, the COM object will not be allowed. If you are using a combination of base and supplemental policies, the COM object just needs to be allowlisted in either the base policy or one of the supplemental policies. + ### Examples Example 1: Allows registration of all COM object GUIDs in any provider diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md b/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md index 999e12d065..c41d4b9e24 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md index 15f67c37ac..0b93872957 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 02/28/2019 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md index d7fe255d6d..4ffbf7a507 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md index 1e52c126e4..ab19a6f3c0 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md index 2e6095c98a..c2987aea45 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md @@ -13,7 +13,6 @@ author: vinaypamnani-msft manager: aaroncz audience: ITPro ms.collection: - - M365-security-compliance - highpri ms.topic: conceptual ms.date: 10/16/2017 diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md index 3e68795be1..ff9dab0871 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md index fa42cc82dd..ae89b01ff7 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md index 1d908e2f8e..bd9c843bda 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md index e70885a1a5..354f073ff9 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md index a0c355bef9..43fe8a1ef2 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md index 73fea32c43..f9b9a77466 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md index 149ca60ce9..ba4c5228a2 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 06/08/2018 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md index e151e8190f..32d94d0af1 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md index 212cde1127..66826b4b00 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md index 45720da1ec..f2263ece50 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md index 62e3f5bbe7..5f081ad311 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 07/01/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md index ba45e341f1..ff60b9add8 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md index 3b7d3855c4..894151f16f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md index 11d5a05373..6399a404d9 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md index 72e43ee33a..89b0d672cf 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md index 5efaa6ef5c..33534d6a32 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md index d99ffe4b82..6c8c9389cb 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md index e32ce48432..68d616c899 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md index 6de23bb531..56981ee10e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md b/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md index 66f6c0a203..ca59bdbda8 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 11/09/2020 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md b/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md index 5268d11b52..3e30ca5a13 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md b/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md index 4fd68a84b7..40c44e6764 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md index d650a66317..ccc988d5ff 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md index 3b7faa4248..975a812d0d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md index 04f8f5ea63..ed337dd53d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md b/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md index 7a8f7e4cb7..8b93a5a341 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md index 78b0bc09bc..4ef55c919d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md b/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md index dea2bf1d1d..2ef4d45309 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md @@ -11,7 +11,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.pagetype: security ms.date: 09/21/2017 diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md index ff4be0a01c..46c2d4bd75 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md index 6ea771b3b1..51b3644c43 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md index 68e95db030..3486c2c96a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-applocker-rules.md index 866659b54e..d73311a429 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-applocker-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-applocker-rules.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md b/windows/security/threat-protection/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md index ae11ea5a92..53383e51c3 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/enforce-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/enforce-applocker-rules.md index e614c2ebfd..269b7e0c0a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/enforce-applocker-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/enforce-applocker-rules.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md index bad5f25658..1be63d7bd3 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md b/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md index 6c98a90cfb..103730016d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md b/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md index a5aef1b467..136220fec8 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/how-applocker-works-techref.md b/windows/security/threat-protection/windows-defender-application-control/applocker/how-applocker-works-techref.md index ca2337fc34..a684de3cd7 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/how-applocker-works-techref.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/how-applocker-works-techref.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md index 1fd9ead2c1..c25ac7d908 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md @@ -12,9 +12,9 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.technology: itpro-security +ms.date: 12/31/2017 --- # Import an AppLocker policy from another computer diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md index 13d9a01b2a..9683aef8f7 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md index 2b4cef69e3..41c1a9a0e4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md @@ -12,9 +12,9 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.technology: itpro-security +ms.date: 12/31/2017 --- # Maintain AppLocker policies diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md index 4c2f33327f..814136c5f1 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md index 56dcf21cac..63bcac7d18 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md index fdb57686ce..4b8c2836f8 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md index b38259298d..9df3828e59 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/optimize-applocker-performance.md b/windows/security/threat-protection/windows-defender-application-control/applocker/optimize-applocker-performance.md index 182265d2e4..b588a17ed6 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/optimize-applocker-performance.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/optimize-applocker-performance.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md index f771463944..74a9350ddd 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 10/13/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md b/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md index c60158c407..b45b475826 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md index 4b3bb3f464..5deca1e65f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md index e2d6dd1988..3b4cf38cad 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md index b92733030c..642b8ea960 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md b/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md index d1c53d1412..150729a9d8 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md index 772023138c..baee48ce11 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 06/15/2022 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md index 70b10a3c46..ac8ec9e988 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md index a9a7edb8f8..2e5f803568 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md index 8580a543c2..7fb6397c08 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md index 35e67a8b9a..bbb9138590 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md index 11c1b53405..2d9b935f73 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md index 6f70f979bd..47499212fa 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md index 92d977ca6a..f7ca9620ab 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 10/13/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md index 80ca82b196..d763f4b0e4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md index 3ea8eca627..d151bd9066 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md index 8991037f4d..d400c84233 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md index 359939ee32..b788a6f151 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md index 303e8de3de..2d992cfb44 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md index 0b4db784ac..19e74d5246 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md index ae9f22bb2a..06884a0057 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md index 0920f34c34..2696d75f86 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md index 29453e1b5c..a89e0a624e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md index 1760a6c905..7dbac718ff 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md index 68e7b5b770..351eeb599a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md index 77c83a4efb..2a927654c2 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md @@ -11,7 +11,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.reviewer: diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md b/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md index 6b7bda08f8..e78953a494 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 11/07/2022 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md b/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md index aca8d806d7..e73b867fa3 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md index 886cd66d27..4c9e95f7c1 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md @@ -12,9 +12,9 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.technology: itpro-security +ms.date: 12/31/2017 --- # Using Event Viewer with AppLocker diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md index c407320e8f..0ec75fc106 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md index ecbdc3515e..3f53833251 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md index f6718a2f98..252b66b015 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md index b2045a212e..85bfc0c2f0 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md index e5b9ec21cc..e746c84f0f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md @@ -14,6 +14,7 @@ ms.localizationpriority: medium msauthor: v-anbic ms.date: 08/27/2018 ms.technology: itpro-security +ms.topic: conceptual --- # Working with AppLocker rules diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md index 1aa3c8a019..acdfc6b79b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md @@ -9,13 +9,13 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium audience: ITPro -ms.collection: M365-security-compliance author: jsuther1974 ms.reviewer: jogeurte ms.author: vinpa manager: aaroncz ms.date: 05/03/2021 ms.technology: itpro-security +ms.topic: article --- # Use audit events to create WDAC policy rules and Convert **base** policy from audits to enforced diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md index 2dc654001c..ca6fa6c251 100644 --- a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md @@ -9,13 +9,13 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium audience: ITPro -ms.collection: M365-security-compliance author: jsuther1974 ms.reviewer: jogeurte ms.author: vinpa manager: aaroncz ms.date: 05/03/2018 ms.technology: itpro-security +ms.topic: article --- # Use audit events to create WDAC policy rules diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md index f078f7a073..c15b97399b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md +++ b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md @@ -9,13 +9,13 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium audience: ITPro -ms.collection: M365-security-compliance author: jsuther1974 ms.reviewer: jogeurte ms.author: vinpa manager: aaroncz ms.date: 08/26/2022 ms.technology: itpro-security +ms.topic: article --- # Automatically allow apps deployed by a managed installer with Windows Defender Application Control diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md index 9eb2d45bf5..d1947bc8fe 100644 --- a/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md +++ b/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md @@ -9,13 +9,13 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium audience: ITPro -ms.collection: M365-security-compliance author: jsuther1974 -ms.reviewer: isbrahm +ms.reviewer: jogeurte ms.author: vinpa manager: aaroncz -ms.date: 08/14/2020 +ms.date: 11/11/2022 ms.technology: itpro-security +ms.topic: article --- # Managed installer and ISG technical reference and troubleshooting guide @@ -29,21 +29,25 @@ ms.technology: itpro-security >[!NOTE] >Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Application Control feature availability](feature-availability.md). -## Using fsutil to query SmartLocker EA +## Enabling managed installer and Intelligent Security Graph (ISG) logging events -Customers using Windows Defender Application Control (WDAC) with Managed Installer (MI) or Intelligent Security Graph (ISG) enabled can use fsutil to determine whether a file was allowed to run by one of these features. This verification can be done by querying the Extended Attributes (EAs) on a file using fsutil and looking for the KERNEL.SMARTLOCKER.ORIGINCLAIM EA. The presence of this EA indicates that either MI or ISG allowed the file to run. This EA's presence can be used in conjunction with enabling the MI and ISG logging events. +Refer to [Understanding Application Control Events](event-id-explanations.md#diagnostic-events-for-intelligent-security-graph-isg-and-managed-installer-mi) for information on enabling optional managed installer diagnostic events. + +## Using fsutil to query extended attributes for Managed Installer (MI) + +Customers using Windows Defender Application Control (WDAC) with Managed Installer (MI) enabled can use fsutil.exe to determine whether a file was created by a managed installer process. This verification is done by querying the Extended Attributes (EAs) on a file using fsutil.exe and looking for the KERNEL.SMARTLOCKER.ORIGINCLAIM EA. Then, you can use the data from the first row of output to identify if the file was created by a managed installer. For example, let's look at the fsutil.exe output for a file called application.exe: **Example:** ```powershell -fsutil file queryEA C:\Users\Temp\Downloads\application.exe +fsutil.exe file queryEA C:\Users\Temp\Downloads\application.exe Extended Attributes (EA) information for file C:\Users\Temp\Downloads\application.exe: Ea Buffer Offset: 410 Ea Name: $KERNEL.SMARTLOCKER.ORIGINCLAIM Ea Value Length: 7e -0000: 01 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 ................ +0000: 01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 ................ 0010: b2 ff 10 66 bc a8 47 c7 00 d9 56 9d 3d d4 20 2a ...f..G...V.=. * 0020: 63 a3 80 e2 d8 33 8e 77 e9 5c 8d b0 d5 a7 a3 11 c....3.w.\...... 0030: 83 00 00 00 00 00 00 00 5c 00 00 00 43 00 3a 00 ........\...C.:. @@ -53,40 +57,63 @@ Ea Value Length: 7e 0070: 44 00 6f 00 77 00 6e 00 6c 00 6f 00 61 00 64 i.c.a.t.i.o.n..e.x.e ``` -## Enabling managed installer logging events +From the output shown above, find the first row of data labeled "0000:", which is then followed by 16 two-character sets. Every four sets form a group known as a ULONG. The two-character set at the front of the first ULONG will always be "01" as shown here: -Refer to [Understanding Application Control Events](event-id-explanations.md#diagnostic-events-for-intelligent-security-graph-isg-and-managed-installer-mi) for information on enabling optional managed installer diagnostic events. +0000: **`01` 00 00 00** 00 00 00 00 00 00 00 00 01 00 00 00 -## Deploying the Managed Installer rule collection +If there is "00" in the fifth position of the output (the start of the second ULONG), that indicates the EA is related to managed installer: -Once you've completed configuring your chosen Managed Installer, by specifying which option to use in the AppLocker policy, enabling the service enforcement of it, and by enabling the Managed Installer option in a WDAC policy, you'll need to deploy it. +0000: 01 00 00 00 **`00` 00 00 00** 00 00 00 00 01 00 00 00 -1. Use the following command to deploy the policy. +Finally, the two-character set in the ninth position of the output (the start of the third ULONG) indicates whether the file was created by a process running as managed installer. A value of "00" means the file was directly written by a managed installer process and will run if your WDAC policy trusts managed installers. - ```powershell - $policyFile= - @" - Raw_AppLocker_Policy_XML - "@ - Set-AppLockerPolicy -XmlPolicy $policyFile -Merge -ErrorAction SilentlyContinue +0000: 01 00 00 00 00 00 00 00 **`00` 00 00 00** 01 00 00 00 + +If instead the starting value for the third ULONG is "02", then that indicates a "child of child". "Child of child" is set on any files created by something that was installed by a managed installer. But, the file was created **after** the managed installer completed its work. So this file **wouldn't** be allowed to run unless there's some other rule in your policy to allow it. + +In rarer cases, you may see other values in this position, but that will also run if your policy trusts managed installer. + +## Using fsutil to query extended attributes for Intelligent Security Graph (ISG) + +When an installer runs that has good reputation according to the ISG, the files that the installer writes to disk will inherit the reputation from the installer. These files with ISG inherited trust will also have the KERNEL.SMARTLOCKER.ORIGINCLAIM EA set as described above for managed installers. You can identify that the EA was created by the ISG by looking for the value "01" in the fifth position of the output (the start of the second ULONG) from fsutil: + +0000: 01 00 00 00 **`01` 00 00 00** 00 00 00 00 01 00 00 00 + +## More troubleshooting steps for Managed Installer and ISG + +Both managed installer and the ISG depend on AppLocker to provide some functionality. Use the following steps to confirm that AppLocker is configured and running correctly. + +1. Check that AppLocker services are running. From an elevated PowerShell window, run the following and confirm the STATE shows as RUNNING for both appidsvc and AppLockerFltr: + + ```powershell + sc.exe query appidsvc + SERVICE_NAME: appidsvc + TYPE : 30 WIN32 + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 + sc.exe query AppLockerFltr + SERVICE_NAME: applockerfltr + TYPE : 1 KERNEL_DRIVER + STATE : 4 RUNNING + (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) + WIN32_EXIT_CODE : 0 (0x0) + SERVICE_EXIT_CODE : 0 (0x0) + CHECKPOINT : 0x0 + WAIT_HINT : 0x0 ``` -2. Verify Deployment of the ruleset was successful + If not, run *appidtel start* from the elevated PowerShell window and check again. + +2. For managed installer, check for AppCache.dat and other *.AppLocker files created under %windir%\System32\AppLocker. There should minimally be a ".AppLocker" file created for each of EXE, DLL, and MANAGEDINSTALLER rule collections. If you don't see these files created, proceed to the next step to confirm the AppLocker policy has been correctly applied. + +3. For managed installer troubleshooting, check that the AppLocker effective policy is correct. From an elevated PowerShell window: ```powershell - Get-AppLockerPolicy -Local - - Version RuleCollections RuleCollectionTypes - ------- --------------- ------------------- - 1 {0, 0, 0, 0...} {Appx, Dll, Exe, ManagedInstaller...} + Get-AppLockerPolicy -Effective -XML > $env:USERPROFILE\Desktop\AppLocker.xml ``` - Verify the output shows the ManagedInstaller rule set. - -3. Get the policy XML (optional) using PowerShell: - - ```powershell - Get-AppLockerPolicy -Effective -Xml -ErrorVariable ev -ErrorAction SilentlyContinue - ``` - - This command will show the raw XML to verify the individual rules that were set. + Then open the XML file created and confirm it contains the rules you expect. In particular, the policy should include at least one rule for each of the EXE, DLL, and MANAGEDINSTALLER RuleCollections. The RuleCollections can either be set to AuditOnly or Enabled. Additionally, the EXE and DLL RuleCollections must include the RuleCollectionExtensions configuration as shown in [Automatically allow apps deployed by a managed installer with Windows Defender Application Control](/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer#create-and-deploy-an-applocker-policy-that-defines-your-managed-installer-rules-and-enables-services-enforcement-for-executables-and-dlls). diff --git a/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md index 6f065d01c8..982c07dd6a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md @@ -9,12 +9,12 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium audience: ITPro -ms.collection: M365-security-compliance +ms.topic: conceptual author: jsuther1974 -ms.reviewer: isbrahm +ms.reviewer: jogeurte ms.author: vinpa manager: aaroncz -ms.date: 02/28/2018 +ms.date: 12/01/2022 ms.technology: itpro-security --- @@ -29,18 +29,17 @@ ms.technology: itpro-security >[!NOTE] >Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). -As you deploy Windows Defender Application Control (WDAC), you might need to sign catalog files or WDAC policies internally. To do this signature, you'll either need a publicly issued code signing certificate or an internal CA. If you've purchased a code-signing certificate, you can skip this article and instead follow other articles listed in the [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md). +As you deploy Windows Defender Application Control (WDAC), you might need to sign catalog files or WDAC policies internally. To do this signing, you'll either need a publicly issued code signing certificate or an internal CA. If you've purchased a code-signing certificate, you can skip this article, and instead follow other articles listed in the [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md). If you have an internal CA, complete these steps to create a code signing certificate. > [!WARNING] -> Boot failure (blue screen) may occur if your signing certificate does not follow these rules: +> When creating signing certificates for WDAC policy signing, Boot failure (blue screen) may occur if your signing certificate does not follow these rules: > > - All policies, including base and supplemental, must be signed according to the [PKCS 7 Standard](https://datatracker.ietf.org/doc/html/rfc5652). -> - Use RSA SHA-256 only. ECDSA isn't supported. +> - Use RSA keys with 2K, 3K, or 4K key size only. ECDSA isn't supported. +> - You can use SHA-256, SHA-384, or SHA-512 as the digest algorithm on Windows 11, as well as Windows 10 and Windows Server 2019 and above after applying the November 2022 cumulative security update. All other devices only support SHA-256. > - Don't use UTF-8 encoding for certificate fields, like 'subject common name' and 'issuer common name'. These strings must be encoded as PRINTABLE_STRING, IA5STRING or BMPSTRING. -> - Keys must be less than or equal to 4K key size -> 1. Open the Certification Authority Microsoft Management Console (MMC) snap-in, and then select your issuing CA. @@ -86,7 +85,7 @@ When this certificate template has been created, you must publish it to the CA p 2. Select the WDAC Catalog signing certificate, and then select **OK**. -Now that the template is available to be issued, you must request one from the computer running Windows 10 and Windows 11 on which you create and sign catalog files. To begin, open the MMC, and then complete the following steps: +Now that the template is available to be issued, you must request one from the computer running Windows 10 or Windows 11 on which you create and sign catalog files. To begin, open the MMC, and then complete the following steps: 1. In MMC, from the **File** menu, select **Add/Remove Snap-in**. Double-click **Certificates**, and then select **My user account**. @@ -100,7 +99,7 @@ Now that the template is available to be issued, you must request one from the c Figure 4. Get more information for your code signing certificate -5. In the **Certificate Properties** dialog box, for **Type**, select **Common name**. For **Value**, select **ContosoDGSigningCert**, and then select **Add**. When added, select **OK.** +5. In the **Certificate Properties** dialog box, for **Type**, select **Common name**. For **Value**, specify a meaningful name for your certificate (in this example, we select **$ContosoSigningCert**), and then select **Add**. When added, select **OK.** 6. Enroll and finish. @@ -118,9 +117,3 @@ This certificate must be installed in the user's personal store on the computer 4. Set a password, select an export path, and then select **WDACCatSigningCert.pfx** as the file name. When the certificate has been exported, import it into the personal store for the user who will be signing the catalog files or code integrity policies on the specific computer that will be signing them. - -## Related topics - -- [Windows Defender Application Control](windows-defender-application-control.md) - -- [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md index a7ea499e26..453207654b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md @@ -9,13 +9,13 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium audience: ITPro -ms.collection: M365-security-compliance author: jsuther1974 ms.reviewer: jogeurte ms.author: vinpa manager: aaroncz ms.date: 08/08/2022 ms.technology: itpro-security +ms.topic: article --- # Create a WDAC policy using a reference computer diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md index 4e2096d5c5..935140572c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md @@ -9,12 +9,13 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium audience: ITPro -ms.collection: M365-security-compliance author: jgeurten ms.reviewer: jsuther1974 ms.author: vinpa manager: aaroncz ms.technology: itpro-security +ms.date: 12/31/2017 +ms.topic: article --- # Guidance on Creating WDAC Deny Policies diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md index 0fdfc798f0..a100094dc2 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md @@ -10,7 +10,6 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium audience: ITPro -ms.collection: M365-security-compliance author: jsuther1974 ms.reviewer: jogeurte ms.author: vinpa diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md index 7878df99b7..aa3f0aa5f6 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md @@ -10,7 +10,6 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium audience: ITPro -ms.collection: M365-security-compliance author: jsuther1974 ms.reviewer: jogeurte ms.author: vinpa diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md index ee084e1311..73d75a96d8 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md @@ -9,12 +9,12 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium audience: ITPro -ms.collection: M365-security-compliance +ms.topic: conceptual author: jsuther1974 ms.reviewer: jgeurten ms.author: vinpa manager: aaroncz -ms.date: 02/28/2018 +ms.date: 11/30/2022 ms.technology: itpro-security --- @@ -22,62 +22,62 @@ ms.technology: itpro-security **Applies to:** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above +- Windows 10 +- Windows 11 +- Windows Server 2016 and above >[!NOTE] >Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). -Catalog files can be important in your deployment of Windows Defender Application Control (WDAC) if you have unsigned line-of-business (LOB) applications for which the process of signing is difficult. To prepare to create WDAC policies that allow these trusted applications but block unsigned code (most malware is unsigned), you create a *catalog file* that contains information about the trusted applications. After you sign and distribute the catalog, your trusted applications can be handled by WDAC in the same way as any other signed application. With this foundation, you can more easily block all unsigned applications, allowing only signed applications to run. +*Catalog files* can be important in your deployment of Windows Defender Application Control (WDAC) if you have unsigned line-of-business (LOB) applications for which the process of signing is difficult. You can also use catalog files to add your own signature to apps you get from independent software vendors (ISV) when you don't want to trust all code signed by that ISV. In this way, catalog files provide a convenient way for you to "bless" apps for use in your WDAC-managed environment. And, you can create catalog files for existing apps without requiring access to the original source code or needing any expensive repackaging. -## Create catalog files +You'll need to [obtain a code signing certificate for your own use](/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications#obtain-code-signing-certificates-for-your-own-use) and use it to sign the catalog file. Then, distribute the signed catalog file using your preferred content deployment mechanism. -The creation of a catalog file simplifies the steps to run unsigned applications in the presence of a Windows Defender Application Control policy. +Finally, add a signer rule to your WDAC policy for your signing certificate. Then, any apps covered by your signed catalog files will be able to run, even if the apps were previously unsigned. With this foundation, you can more easily build a WDAC policy that blocks all unsigned code (most malware is unsigned). -To create a catalog file, you use a tool called **Package Inspector**. You must also have a WDAC policy deployed in audit mode on the computer on which you run Package Inspector, so that Package Inspector can include any temporary installation files that are added and then removed from the computer during the installation process. +## Create catalog files using Package Inspector -> [!NOTE] -> When you establish a naming convention it makes it easier to detect deployed catalog files in the future. In this guide, *\*-Contoso.cat* is used as the example naming convention. +To create a catalog file for an existing app, you can use a tool called **Package Inspector** that comes with Windows. -1. Be sure that a Windows Defender Application Control policy is currently deployed in audit mode on the computer on which you'll run Package Inspector. - - Package Inspector doesn't always detect temporary installation files that are added and then removed from the computer during the installation process. To ensure that these binaries are also included in your catalog file, deploy a WDAC policy in audit mode. +1. Apply a WDAC policy in **audit mode** to the computer where you'll run Package Inspector. Package Inspector will use audit events to include hashes in the catalog file for any temporary installation files that are added and then removed from the computer during the installation process. The audit mode policy should **not** allow the app's binaries or you may miss some critical files that are needed in the catalog file. > [!NOTE] - > This process should **not** be performed on a system with an enforced Windows Defender Application Control policy, only with a policy in audit mode. If a policy is currently being enforced, you will not be able to install and run the application unless the policy already allows it. + > You won't be able to complete this process if it's done on a system with an enforced WDAC policy, unless the enforced policy already allows the app to run. -2. Start Package Inspector, and then start scanning a local drive, for example, drive C: + You can use this PowerShell sample to make a copy of the DefaultWindows_Audit.xml template: + + ```powershell + Copy-Item -Path $env:windir\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Audit.xml -Destination $env:USERPROFILE\Desktop\ + $PolicyId = Set-CIPolicyIdInfo -FilePath $env:USERPROFILE\Desktop\DefaultWindows_Audit.xml -PolicyName "Package Inspector Audit Policy" -ResetPolicyID + $PolicyBinary = $env:USERPROFILE+"\Desktop\"+$PolicyId.substring(11)+".cip" + ``` + + Then apply the policy as described in [Deploy WDAC policies with script](/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script). + +2. Start Package Inspector to monitor file creation on a **local drive** where you'll install the app, for example, drive C: ```powershell PackageInspector.exe Start C: ``` - > [!NOTE] - > Package inspector can monitor installations on any local drive. Specify the appropriate drive on the local computer. - -3. Copy the installation media to the local drive (typically drive C). - - By copying the installation media to the local drive, you ensure that Package Inspector detects and catalogs the actual installer. If you skip this step, the future WDAC policy may allow the application to run but not to be installed. - -4. Install the application. Install it to the same drive that the application installer is located on (the drive you're scanning). Also, while Package Inspector is running, don't run any installations or updates that you don't want to capture in the catalog. - > [!IMPORTANT] - > Every binary that is run while Package Inspector is running will be captured in the catalog. Ensure that only trusted applications are run during this time. + > Every file that is written to the drive you are watching with Package Inspector will be included in the catalog that is created. Be aware of any other processes that may be running and creating files on the drive. -5. Start the application. +3. Copy the installation media to the drive you're watching with Package Inspector, so that the actual installer is included in the final catalog file. If you skip this step, you may allow the *app* to run, but not actually be able to install it. -6. Ensure that product updates are installed, and downloadable content associated with the application is downloaded. +4. Install the app. -7. Close and reopen the application. +5. Start the app to ensure that files created on initial launch are included in your catalog file. - This step is necessary to ensure that the scan has captured all binaries. - -8. As appropriate, with Package Inspector still running, repeat the process for another application that you want in the catalog. Copy the installation media to the local drive, install the application, ensure it's updated, and then close and reopen the application. +6. Use the app as you would normally, so that files created during normal use are included in your catalog file. For example, some apps may download more files on first use of a feature within the app. Be sure to also check for app updates if the app has that capability. -9. When you've confirmed that the previous steps are complete, use the following commands to generate the catalog and definition files on your computer's desktop. The filenames used in these example commands are **LOBApp-Contoso.cat** (catalog file) and **LOBApp.cdf** (definition file)—substitute different filenames as appropriate. +7. Close and reopen the application to ensure that the scan has captured all binaries. - For the last command, which stops Package Inspector, be sure to type the drive letter of the drive you have been scanning, for example, C:. +8. As appropriate, with Package Inspector still running, repeat the steps above for any other apps that you want to include in the catalog. + +9. When you've confirmed that the previous steps are complete, use the following commands to stop Package Inspector. A catalog file and catalog definition file will be created in the specified location. Use a naming convention for your catalog files to make it easier to manage your deployed catalog files over time. The filenames used in this example are **LOBApp-Contoso.cat** (catalog file) and **LOBApp.cdf** (definition file). + + For the last command, which stops Package Inspector, be sure to specify the same local drive you've been watching with Package Inspector, for example, C:. ```powershell $ExamplePath=$env:userprofile+"\Desktop" @@ -87,42 +87,33 @@ To create a catalog file, you use a tool called **Package Inspector**. You must ``` >[!NOTE] ->Package Inspector catalogs the hash values for each discovered binary file. If the applications that were scanned are updated, complete this process again to trust the new binaries' hash values. +>Package Inspector catalogs the hash values for each discovered file. If the applications that were scanned are updated, complete this process again to trust the new binaries' hash values. -When finished, the files will be saved to your desktop. You can double-click the \*.cat file to see its contents, and you can view the \*.cdf file with a text editor. +When finished, the files will be saved to your desktop. You can view the \*.cdf file with a text editor and see what files were included by Package Inspector. You can also double-click the \*.cat file to see its contents and check for a specific file hash. -To trust the contents of the catalog file within a WDAC policy, the catalog must first be signed. Then, the signing certificate can be added to the WDAC policy, and the catalog file can be distributed to the individual client computers. +## Sign your Catalog file -### Resolving package failures +Now that you've created a catalog file for your app, you're ready to sign it. -Packages can fail for the following reasons: +### Catalog signing with Device Guard Signing Service v2 (DGSS) -- Package is too large for default USN Journal or Event Log sizes - - To diagnose whether USN journal size is the issue, after running through Package Inspector, click Start > install app > PackageInspector stop - - Get the value of the reg key at HKEY\_CURRENT\_USER/PackageInspectorRegistryKey/c: (this USN was the most recent one when you ran PackageInspector start) - - `fsutil usn readjournal C: startusn=RegKeyValue > inspectedusn.txt` - - ReadJournal command should throw an error if the older USNs don't exist anymore due to overflow - - For USN Journal, log size can be expanded using: `fsutil usn createjournal` command with a new size and alloc delta. `Fsutil usn queryjournal` will give the current size and allocation delta, so using a multiple of that may help - - To diagnose whether Eventlog size is the issue, look at the Microsoft/Windows/CodeIntegrity/Operational log under Applications and Services logs in Event Viewer and ensure that there are entries present from when you began Package Inspector (You can use write time as a justification; if you started the install 2 hours ago and there are only entries from 30 minutes prior, the log is definitely too small) - - To increase Eventlog size, in Event Viewer you can right click the operational log, click properties, and then set new values (some multiple of what it was previously) -- Package files that change hash each time the package is installed - - Package Inspector is incompatible if files in the package (temporary or otherwise) change hash each time the package is installed. You can diagnose this hash-change by looking at the hash field in the 3077 block events when the package is failing in enforcement. If each time you attempt to run the package you get a new block event with a different hash, the package won't work with Package Inspector -- Files with an invalid signature blob or otherwise "unhashable" files - - This issue arises when a file that has been signed is modified post signing in a way that invalidates the PE header and renders the file unable to be hashed by the Authenticode Spec. - - Windows Defender Application Control uses Authenticode Hashes to validate files when they're running. If the file is unhashable via the authenticode SIP, there's no way to identify the file to allow it, regardless of if you attempt to add the file to the policy directly, or re-sign the file with a Package Inspector catalog (the signature is invalidated due to file being edited, file can't be allowed by hash due to authenticode hashing algorithm rejecting it) - - Recent versions of InstallShield packages that use custom actions can hit this condition. If the DLL input to the custom action was signed before being put through InstallShield, InstallShield adds tracking markers to the file (editing it post signature) which leaves the file in this "unhashable" state and renders the file unable to be allowed by Windows Defender (regardless of if you try to allow directly by policy or resign with Package Inspector) +If you have an existing Microsoft Store for Business and Education account, you can use the DGSS to sign your catalog files. See [Submit-SigningJob](/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business#submit-signingjob). -## Catalog signing with SignTool.exe +### Catalog signing with SignTool.exe -To sign a catalog file you generated by using PackageInspector.exe, you need: +If you purchased a code signing certificate or issued one from your own public key infrastructure (PKI), you can use SignTool.exe to sign your catalog files. -- SignTool.exe, found in the Windows software development kit (SDK—Windows 7 or later) +
                              +

                              + Expand this section for detailed instructions on signing catalog files with signtool.exe. -- The catalog file that you generated previously +You need: -- An internal certification authority (CA) code signing certificate or purchased code signing certificate +- SignTool.exe, found in the [Windows software development kit (SDK)](https://developer.microsoft.com/windows/downloads/windows-sdk/) +- The catalog file that you created earlier +- A code signing certificate issued from an internal certificate authority (CA) or a purchased code signing certificate -To sign the existing catalog file, copy each of the following commands into an elevated Windows PowerShell session. +Import the code signing certificate that will be used to sign the catalog file into the signing user's personal store. Then, sign the existing catalog file by copying each of the following commands into an elevated Windows PowerShell session. 1. Initialize the variables that will be used. Replace the *$ExamplePath* and *$CatFileName* variables as needed: @@ -131,74 +122,59 @@ To sign the existing catalog file, copy each of the following commands into an e $CatFileName=$ExamplePath+"\LOBApp-Contoso.cat" ``` -2. Import the code signing certificate that will be used to sign the catalog file. Import it to the signing user's personal store. - -3. Sign the catalog file with Signtool.exe: +2. Sign the catalog file with Signtool.exe: ```powershell - sign /n "ContosoDGSigningCert" /fd sha256 /v $CatFileName + sign /n "ContosoSigningCert" /fd sha256 /v $CatFileName ``` >[!NOTE] - >The *<Path to signtool.exe>* variable should be the full path to the Signtool.exe utility. *ContosoDGSigningCert* represents the subject name of the certificate that you will use to sign the catalog file. This certificate should be imported to your personal certificate store on the computer on which you are attempting to sign the catalog file. - > + >The *<Path to signtool.exe>* variable should be the full path to the Signtool.exe utility. *ContosoSigningCert* represents the subject name of the certificate that you will use to sign the catalog file. This certificate should be imported to your personal certificate store on the computer on which you are attempting to sign the catalog file. + > >For additional information about Signtool.exe and all additional switches, visit the [Sign Tool page](/dotnet/framework/tools/signtool-exe). - -4. Verify the catalog file digital signature. Right-click the catalog file, and then click **Properties**. On the **Digital Signatures** tab, verify that your signing certificate exists with a **sha256** algorithm, as shown in Figure 1. + +3. Verify the catalog file's digital signature. Right-click the catalog file, and then select **Properties**. On the **Digital Signatures** tab, verify that your signing certificate exists with a **sha256** algorithm, as shown in Figure 1. ![Digital Signature list in file Properties.](images/dg-fig12-verifysigning.png) Figure 1. Verify that the signing certificate exists -5. Copy the catalog file to C:\\Windows\\System32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}. +
                              - For testing purposes, you can manually copy signed catalog files to their intended folder. For large-scale implementations, to copy the appropriate catalog files to all desired computers, we recommend that you use Group Policy File Preferences or an enterprise systems management product such as Microsoft Configuration Manager, which also simplifies the management of catalog versions. +## Deploy the catalog file to your managed endpoints -## Add a catalog signing certificate to a Windows Defender Application Control policy +Catalog files in Windows are stored under ***%windir%\\System32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}***. -After the catalog file is signed, add the signing certificate to a WDAC policy, as described in the following steps. +For testing purposes, you can manually copy signed catalog files to the folder above. For large-scale deployment of signed catalog files, we recommend that you use Group Policy File Preferences or an enterprise systems management product such as Microsoft Configuration Manager. -1. If you haven't already verified the catalog file digital signature, right-click the catalog file, and then click **Properties**. On the **Digital Signatures** tab, verify that your signing certificate exists with the algorithm you expect. +### Deploy catalog files with Group Policy -2. If you already have an XML policy file that you want to add the signing certificate to, skip to the next step. Otherwise, use [New-CIPolicy](/powershell/module/configci/new-cipolicy) to create a Windows Defender Application Control policy that you will later merge into another policy (not deploy as-is). This example creates a policy called **CatalogSignatureOnly.xml** in the location **C:\\PolicyFolder** by scanning the system and allowlisting by signer and original filename: +To simplify the management of catalog files, you can use Group Policy preferences to deploy catalog files to the appropriate computers in your organization. - ```powershell - New-CIPolicy -Level FilePublisher -FilePath C:\PolicyFolder\CatalogSignatureOnly.xml –UserPEs -MultiplePolicyFormat -Fallback SignedVersion,Publisher,Hash - ``` +
                              +
                              +Expand this section for detailed instructions on deploying catalog files using Group Policy. - > [!NOTE] - > Include the **-UserPEs** parameter to ensure that the policy includes user mode code integrity. - -3. Use [Add-SignerRule](/powershell/module/configci/add-signerrule) to add the signing certificate to the WDAC policy, filling in the correct path and filenames for `` and ``: - - ```powershell - Add-SignerRule -FilePath -CertificatePath -User - ``` - -If you used step 2 to create a new WDAC policy, and want information about merging policies together, see [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md). - -## Deploy catalog files with Group Policy - -To simplify the management of catalog files, you can use Group Policy preferences to deploy catalog files to the appropriate computers in your organization. The following process walks you through the deployment of a signed catalog file called **LOBApp-Contoso.cat** to a test OU called DG Enabled PCs with a GPO called **Contoso DG Catalog File GPO Test**. +The following process walks you through the deployment of a signed catalog file called **LOBApp-Contoso.cat** to a test OU called WDAC Enabled PCs with a GPO called **Contoso Catalog File GPO Test**. **To deploy a catalog file with Group Policy:** 1. From either a domain controller or a client computer that has Remote Server Administration Tools (RSAT) installed, open the Group Policy Management Console (GPMC) by running **GPMC.MSC** or by searching for Group Policy Management. -2. Create a new GPO: right-click an OU, for example, the **DG Enabled PCs OU**, and then click **Create a GPO in this domain, and Link it here**, as shown in Figure 2. +2. Create a new GPO: right-click an OU, for example, the **WDAC Enabled PCs OU**, and then select **Create a GPO in this domain, and Link it here**, as shown in Figure 2. > [!NOTE] - > You can use any OU name. Also, security group filtering is an option when you consider different ways of combining WDAC policies (or keeping them separate). + > You can use any OU name. Also, security group filtering is an option when you consider different ways of combining WDAC policies. ![Group Policy Management, create a GPO.](images/dg-fig13-createnewgpo.png) Figure 2. Create a new GPO -3. Give the new GPO a name, for example, **Contoso DG Catalog File GPO Test**, or any name you prefer. +3. Give the new GPO a name, for example, **Contoso Catalog File GPO Test**, or any name you prefer. -4. Open the Group Policy Management Editor: right-click the new GPO, and then click **Edit**. +4. Open the Group Policy Management Editor: right-click the new GPO, and then select **Edit**. -5. Within the selected GPO, navigate to Computer Configuration\\Preferences\\Windows Settings\\Files. Right-click **Files**, point to **New**, and then click **File**, as shown in Figure 3. +5. Within the selected GPO, navigate to Computer Configuration\\Preferences\\Windows Settings\\Files. Right-click **Files**, point to **New**, and then select **File**, as shown in Figure 3. ![Group Policy Management Editor, New File.](images/dg-fig14-createnewfile.png) @@ -224,144 +200,200 @@ To simplify the management of catalog files, you can use Group Policy preference 10. On the **Common** tab of the **New File Properties** dialog box, select the **Remove this item when it is no longer applied** option. Enabling this option ensures that the catalog file is removed from every system, in case you ever need to stop trusting this application. -11. Click **OK** to complete file creation. +11. Select **OK** to complete file creation. -12. Close the Group Policy Management Editor, and then update the policy on the test computer running Windows 10, by running GPUpdate.exe. When the policy has been updated, verify that the catalog file exists in C:\\Windows\\System32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} on the computer running Windows 10. +12. Close the Group Policy Management Editor, and then update the policy on the test computer running Windows 10 or Windows 11, by running GPUpdate.exe. When the policy has been updated, verify that the catalog file exists in C:\\Windows\\System32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} on the computer running Windows 10. -Before you begin testing the deployed catalog file, make sure that the catalog signing certificate has been added to an appropriate WDAC policy. +
                              -## Deploy catalog files with Microsoft Configuration Manager +### Deploy catalog files with Microsoft Configuration Manager -As an alternative to Group Policy, you can use Configuration Manager to deploy catalog files to the managed computers in your environment. This approach can simplify the deployment and management of multiple catalog files and provide reporting around which catalog each client or collection has deployed. In addition to the deployment of these files, Configuration Manager can also be used to inventory the currently deployed catalog files for reporting and compliance purposes. Complete the following steps to create a new deployment package for catalog files: +As an alternative to Group Policy, you can use Configuration Manager to deploy catalog files to the managed computers in your environment. This approach can simplify the deployment and management of multiple catalog files and provide reporting around which catalog each client or collection has deployed. In addition to the deployment of these files, Configuration Manager can also be used to inventory the currently deployed catalog files for reporting and compliance purposes. + +
                              +
                              +Expand this section for detailed instructions on deploying catalog files using Configuration Manager. + +Complete the following steps to create a new deployment package for catalog files: >[!NOTE] ->The following example uses a network share named \\\\Shares\\CatalogShare as a source for the catalog files. If you have collection specific catalog files, or prefer to deploy them individually, use whichever folder structure works best for your organization. +>The following example uses a network share named \\\\Shares\\CatalogShare as a source for the catalog files. If you have collection-specific catalog files, or prefer to deploy them individually, use whichever folder structure works best for your organization. -1. Open the Configuration Manager console, and select the Software Library workspace. +1. Open the Configuration Manager console, and select the Software Library workspace. -2. Navigate to Overview\\Application Management, right-click **Packages**, and then click **Create Package**. +2. Navigate to Overview\\Application Management, right-click **Packages**, and then select **Create Package**. -3. Name the package, set your organization as the manufacturer, and select an appropriate version number. +3. Name the package, set your organization as the manufacturer, and select an appropriate version number. ![Create Package and Program Wizard.](images/dg-fig16-specifyinfo.png) Figure 5. Specify information about the new package -4. Click **Next**, and then select **Standard program** as the program type. +4. Select **Next**, and then select **Standard program** as the program type. -5. On the **Standard Program** page, select a name, and then set the **Command Line** property to **XCopy \\\\Shares\\CatalogShare C:\\Windows\\System32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} /H /K /E /Y**. +5. On the **Standard Program** page, select a name, and then set the **Command Line** property to **XCopy \\\\Shares\\CatalogShare C:\\Windows\\System32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} /H /K /E /Y**. -6. On the **Standard Program** page, select the following options (Figure 6): +6. On the **Standard Program** page, select the following options (Figure 6): - - In **Name**, type a name such as **Contoso Catalog File Copy Program**. - - - In **Command line**, browse to the program location. - - - In **Startup folder**, type **C:\\Windows\\System32**. - - - From the **Run** list, select **Hidden**. - - - From the **Program can run** list, select **Whether or not a user is logged on**. - - - From the **Drive mode** list, select **Runs with UNC name**. + - In **Name**, type a name such as **Contoso Catalog File Copy Program**. + - In **Command line**, browse to the program location. + - In **Startup folder**, type **C:\\Windows\\System32**. + - From the **Run** list, select **Hidden**. + - From the **Program can run** list, select **Whether or not a user is logged on**. + - From the **Drive mode** list, select **Runs with UNC name**. ![Standard Program page of wizard.](images/dg-fig17-specifyinfo.png) Figure 6. Specify information about the standard program -7. Accept the defaults for the rest of the wizard, and then close the wizard. +7. Accept the defaults for the rest of the wizard, and then close the wizard. After you create the deployment package, deploy it to a collection so that the clients will receive the catalog files. In this example, you deploy the package you created to a test collection: -1. In the Software Library workspace, navigate to Overview\\Application Management\\Packages, right-click the catalog file package, and then click **Deploy**. +1. In the Software Library workspace, navigate to Overview\\Application Management\\Packages, right-click the catalog file package, and then select **Deploy**. -2. On the **General** page, select the test collection to which the catalog files will be deployed, and then click **Next**. +2. On the **General** page, select the test collection to which the catalog files will be deployed, and then select **Next**. -3. On the **Content** page, click **Add** to select the distribution point that will serve content to the selected collection, and then click **Next**. +3. On the **Content** page, select **Add** to select the distribution point that will serve content to the selected collection, and then select **Next**. -4. On the **Deployment Settings** page, select **Required** in the **Purpose** box. +4. On the **Deployment Settings** page, select **Required** in the **Purpose** box. -5. On the **Scheduling** page, click **New**. +5. On the **Scheduling** page, select **New**. -6. In the **Assignment Schedule** dialog box, select **Assign immediately after this event**, set the value to **As soon as possible**, and then click **OK**. +6. In the **Assignment Schedule** dialog box, select **Assign immediately after this event**, set the value to **As soon as possible**, and then select **OK**. -7. On the **Scheduling** page, click **Next**. +7. On the **Scheduling** page, select **Next**. -8. On the **User Experience** page (Figure 7), set the following options, and then click **Next**: +8. On the **User Experience** page (Figure 7), set the following options, and then select **Next**: - - Select the **Software installation** check box. + - Select the **Software installation** check box. - - Select the **Commit changes at deadline or during a maintenance window (requires restarts)** check box. + - Select the **Commit changes at deadline or during a maintenance window (requires restarts)** check box. ![Deploy Software Wizard, User Experience page.](images/dg-fig18-specifyux.png) Figure 7. Specify the user experience -9. On the **Distribution Points** page, in the **Deployment options** box, select **Run program from distribution point**, and then click **Next**. +9. On the **Distribution Points** page, in the **Deployment options** box, select **Run program from distribution point**, and then select **Next**. -10. On the **Summary** page, review the selections, and then click **Next**. +10. On the **Summary** page, review the selections, and then select **Next**. 11. Close the wizard. -Before you begin testing the deployed catalog file, make sure that the catalog signing certificate has been added to an appropriate WDAC policy,. +
                              -## Inventory catalog files with Microsoft Configuration Manager +#### Inventory catalog files with Microsoft Configuration Manager -When catalog files have been deployed to the computers within your environment, whether by using Group Policy or Configuration Manager, you can inventory them with the software inventory feature of Configuration Manager. The following process walks you through the enablement of software inventory to discover catalog files on your managed systems through the creation and deployment of a new client settings policy. +When catalog files have been deployed to the computers within your environment, whether by using Group Policy or Configuration Manager, you can inventory them with the software inventory feature of Configuration Manager. + +
                              +
                              +Expand this section for detailed instructions on inventorying catalog files using Configuration Manager. + +You can configure software inventory to find catalog files on your managed systems by creating and deploying a new client settings policy. >[!NOTE] >A standard naming convention for your catalog files will significantly simplify the catalog file software inventory process. In this example, *-Contoso* has been added to all catalog file names. -1. Open the Configuration Manager console, and select the Administration workspace. +1. Open the Configuration Manager console, and select the Administration workspace. -2. Navigate to **Overview\\Client Settings**, right-click **Client Settings**, and then click **Create Custom Client Device Settings**. +2. Navigate to **Overview\\Client Settings**, right-click **Client Settings**, and then select **Create Custom Client Device Settings**. -3. Name the new policy, and under **Select and then configure the custom settings for client devices**, select the **Software Inventory** check box, as shown in Figure 8. +3. Name the new policy, and under **Select and then configure the custom settings for client devices**, select the **Software Inventory** check box, as shown in Figure 8. ![Create Custom Client Device Settings.](images/dg-fig19-customsettings.png) Figure 8. Select custom settings -4. In the navigation pane, click **Software Inventory**, and then click **Set Types**, as shown in Figure 9. +4. In the navigation pane, select **Software Inventory**, and then select **Set Types**, as shown in Figure 9. ![Software Inventory settings for devices.](images/dg-fig20-setsoftwareinv.png) Figure 9. Set the software inventory -5. In the **Configure Client Setting** dialog box, click the **Start** button to open the **Inventories File Properties** dialog box. +5. In the **Configure Client Setting** dialog box, select the **Start** button to open the **Inventories File Properties** dialog box. -6. In the **Name** box, type a name such as **\*Contoso.cat**, and then click **Set**. +6. In the **Name** box, type a name such as **\*Contoso.cat**, and then select **Set**. >[!NOTE] >When typing the name, follow your naming convention for catalog files. -7. In the **Path Properties** dialog box, select **Variable or path name**, and then type **C:\\Windows\\System32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}** in the box, as shown in Figure 10. +7. In the **Path Properties** dialog box, select **Variable or path name**, and then type **C:\\Windows\\System32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}** in the box, as shown in Figure 10. ![Path Properties, specifying a path.](images/dg-fig21-pathproperties.png) Figure 10. Set the path properties -8. Click **OK**. +8. Select **OK**. -9. Now that you've created the client settings policy, right-click the new policy, click **Deploy**, and then choose the collection on which you would like to inventory the catalog files. +9. Now that you've created the client settings policy, right-click the new policy, select **Deploy**, and then choose the collection on which you would like to inventory the catalog files. At the time of the next software inventory cycle, when the targeted clients receive the new client settings policy, you'll be able to view the inventoried files in the built-in Configuration Manager reports or Resource Explorer. To view the inventoried files on a client within Resource Explorer, complete the following steps: -1. Open the Configuration Manager console, and select the Assets and Compliance workspace. +1. Open the Configuration Manager console, and select the Assets and Compliance workspace. -2. Navigate to Overview\\Devices, and search for the device on which you want to view the inventoried files. +2. Navigate to Overview\\Devices, and search for the device on which you want to view the inventoried files. -3. Right-click the computer, point to **Start**, and then click **Resource Explorer**. +3. Right-click the computer, point to **Start**, and then select **Resource Explorer**. -4. In Resource Explorer, navigate to Software\\File Details to view the inventoried catalog files. +4. In Resource Explorer, navigate to Software\\File Details to view the inventoried catalog files. >[!NOTE] >If nothing is displayed in this view, navigate to Software\\Last Software Scan in Resource Explorer to verify that the client has recently completed a software inventory scan. -## Related topics +
                              -- [Windows Defender Application Control](windows-defender-application-control.md) +## Allow apps signed by your catalog signing certificate in your WDAC policy -- [Windows Defender Application Control Design Guide](windows-defender-application-control-design-guide.md) +Now that you have your signed catalog file, you can add a signer rule to your WDAC policy that will allow anything signed with that certificate. If you haven't yet created a WDAC policy, see [WDAC Design Guide](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide). -- [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md) \ No newline at end of file +
                              +
                              +Expand this section for detailed instructions on creating a signer rule for your catalog signer. + +On a computer where the signed catalog file has been deployed, you can use [New-CiPolicyRule](/powershell/module/configci/new-cipolicyrule) to create a signer rule from any file included in that catalog. Then use [Merge-CiPolicy](/powershell/module/configci/merge-cipolicy) to add the rule to your policy XML. Be sure to replace the path values in the sample below. + + ```powershell + $Rules = New-CIPolicyRule -DriverFilePath -Level Publisher + Merge-CIPolicy -OutputFilePath -PolicyPaths -Rules $Rules + ``` + +Alternatively, you can use [Add-SignerRule](/powershell/module/configci/add-signerrule) to add a signer rule to your WDAC policy from the certificate file (.cer). You can easily save the .cer file from your signed catalog file. + +1. Right-click the catalog file, and then select **Properties**. +2. On the **Digital Signatures** tab, select the signature from the list and then select **Details**. +3. Select **View Certificate** to view the properties of the leaf certificate. +4. Select the **Details** tab and select **Copy to File** which will run the Certificate Export Wizard. +5. Complete the wizard using the default option for **Export File Format** and specifying a location and file name to save the .cer file. + +> [!NOTE] +> The steps listed above will select the lowest level of the certificate chain (the "leaf" certificate). Instead, you can choose to use the certificate's intermediate or root issuer certificate. To use a different certificate in the chain, switch to the **Certification Path** tab after step 3 above, then select the certificate level you want to use and select **View Certificate**. Then complete the remaining steps. + +The following example uses the .cer file to add a signer rule to both the user and kernel mode signing scenarios. Be sure to replace the path values in the sample below. + + ```powershell + Add-SignerRule -FilePath -CertificatePath -User -Kernel + ``` + +
                              + +## Known issues using Package Inspector + +Some of the known issues using Package Inspector to build a catalog file are: + +- **USN journal size is too small to track all files created by the installer** + - To diagnose whether USN journal size is the issue, after running through Package Inspector: + - Get the value of the reg key at HKEY\_CURRENT\_USER/PackageInspectorRegistryKey/c: (this USN was the most recent one when you ran PackageInspector start). Then use fsutil.exe to read that starting location. Replace "RegKeyValue" in the following command with the value from the reg key:
                              + `fsutil usn readjournal C: startusn=RegKeyValue > inspectedusn.txt` + - The above command should return an error if the older USNs don't exist anymore due to overflow + - You can expand the USN Journal size using: `fsutil usn createjournal` with a new size and allocation delta. `Fsutil usn queryjournal` will show the current size and allocation delta, so using a multiple of that may help +- **CodeIntegrity - Operational event log is too small to track all files created by the installer** + - To diagnose whether Eventlog size is the issue, after running through Package Inspector: + - Open Event Viewer and expand the **Application and Services//Microsoft//Windows//CodeIntegrity//Operational**. Check for a 3076 audit block event for the initial installer launch. + - To increase the Event log size, in Event Viewer right-click the operational log, select Properties, and then set new values +- **Installer or app files that change hash each time the app is installed or run** + - Some apps generate files at run time whose hash value is different every time. You can diagnose this issue by reviewing the hash values in the 3076 audit block events (or 3077 enforcement events) that are generated. If each time you attempt to run the file you observe a new block event with a different hash, the package won't work with Package Inspector. +- **Files with an invalid signature blob or otherwise "unhashable" files** + - This issue arises when a signed file was modified in a way that invalidates the file's PE header. A file modified in this way is unable to be hashed according to the Authenticode spec. + - Although these "unhashable" files can't be included in the catalog file created by PackageInspector, you should be able to allow them by adding a hash ALLOW rule to your WDAC policy that uses the file's flat file hash. + - This issue affects some versions of InstallShield packages that use signed DLL files in custom actions. InstallShield adds tracking markers to the file (editing it post signature) which leaves the file in this "unhashable" state. diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md index 1d07caffe7..36a2141386 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md @@ -9,13 +9,13 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium audience: ITPro -ms.collection: M365-security-compliance author: jsuther1974 ms.reviewer: jogeurte ms.author: vinpa manager: aaroncz ms.date: 07/19/2021 ms.technology: itpro-security +ms.topic: article --- # Use multiple Windows Defender Application Control Policies diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md index d66bca3105..72b2f4c5a2 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md @@ -3,7 +3,6 @@ title: Deploy Windows Defender Application Control policies with Configuration M description: You can use Microsoft Configuration Manager to configure Windows Defender Application Control (WDAC). Learn how with this step-by-step guide. ms.prod: windows-client ms.technology: itpro-security -ms.collection: M365-security-compliance author: jgeurten ms.reviewer: aaroncz ms.author: jogeurte diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md index 9beafe889b..da03a2f08c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md @@ -4,13 +4,12 @@ description: Use scripts to deploy Windows Defender Application Control (WDAC) p keywords: security, malware ms.prod: windows-client audience: ITPro -ms.collection: M365-security-compliance author: jsuther1974 ms.reviewer: aaroncz ms.author: jogeurte ms.manager: jsuther manager: aaroncz -ms.date: 10/06/2022 +ms.date: 12/03/2022 ms.technology: itpro-security ms.topic: article ms.localizationpriority: medium @@ -29,13 +28,22 @@ ms.localizationpriority: medium This article describes how to deploy Windows Defender Application Control (WDAC) policies using script. The instructions below use PowerShell but can work with any scripting host. -> [!NOTE] -> To use this procedure, download and distribute the [WDAC policy refresh tool](https://aka.ms/refreshpolicy) to all managed endpoints. Ensure your WDAC policies allow the WDAC policy refresh tool or use a managed installer to distribute the tool. - -## Deploying policies for Windows 10 version 1903 and above - You should now have one or more WDAC policies converted into binary form. If not, follow the steps described in [Deploying Windows Defender Application Control (WDAC) policies](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide). +## Deploying policies for Windows 11 22H2 and above + +You can use [citool.exe](/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands) to apply policies on Windows 11 22H2 with the following commands. Be sure to replace **<Path to policy binary file to deploy>** in the example below with the actual path to your WDAC policy binary file. + +```powershell +# Policy binary files should be named as {GUID}.cip for multiple policy format files (where {GUID} = from the Policy XML) +$PolicyBinary = "" +citool.exe --update-policy $PolicyBinary --json +``` + +## Deploying policies for Windows 11, Windows 10 version 1903 and above, and Windows Server 2022 and above + +To use this procedure, download and distribute the [WDAC policy refresh tool](https://aka.ms/refreshpolicy) to all managed endpoints. Ensure your WDAC policies allow the WDAC policy refresh tool or use a managed installer to distribute the tool. + 1. Initialize the variables to be used by the script. ```powershell @@ -58,7 +66,9 @@ You should now have one or more WDAC policies converted into binary form. If not & $RefreshPolicyTool ``` -## Deploying policies for Windows 10 versions earlier than 1903 +## Deploying policies for all other versions of Windows and Windows Server + +Use WMI to apply policies on all other versions of Windows and Windows Server. 1. Initialize the variables to be used by the script. diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-group-policy.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-group-policy.md index 3ff41f6ec0..f0c1ff7b47 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-group-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-group-policy.md @@ -9,13 +9,13 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium audience: ITPro -ms.collection: M365-security-compliance author: jsuther1974 ms.reviewer: jogeurte ms.author: vinpa manager: aaroncz ms.date: 10/06/2022 ms.technology: itpro-security +ms.topic: article --- # Deploy Windows Defender Application Control policies by using Group Policy diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md index 6f8d77a67f..14716db117 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md @@ -4,7 +4,6 @@ description: You can use an MDM like Microsoft Intune to configure Windows Defen ms.prod: windows-client ms.technology: itpro-security ms.localizationpriority: medium -ms.collection: M365-security-compliance author: jsuther1974 ms.reviewer: jogeurte ms.author: vinpa @@ -61,7 +60,7 @@ The steps to use Intune's custom OMA-URI functionality are: 2. Specify a **Name** and **Description** and use the following values for the remaining custom OMA-URI settings: - **OMA-URI**: `./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy` - **Data type**: Base64 (file) - - **Certificate file**: upload your binary format policy file. You don't need to upload a Base64 file, as Intune will convert the uploaded .bin file to Base64 on your behalf. + - **Certificate file**: Upload your binary format policy file. To do this, change your {GUID}.cip file to {GUID}.bin. You don't need to upload a Base64 file, as Intune will convert the uploaded .bin file to Base64 on your behalf. > [!div class="mx-imgBorder"] > ![Configure custom WDAC.](../images/wdac-intune-custom-oma-uri.png) diff --git a/windows/security/threat-protection/windows-defender-application-control/design/script-enforcement.md b/windows/security/threat-protection/windows-defender-application-control/design/script-enforcement.md index 5a4f9be3f6..2414d5dd4e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/design/script-enforcement.md +++ b/windows/security/threat-protection/windows-defender-application-control/design/script-enforcement.md @@ -4,7 +4,6 @@ description: WDAC script enforcement keywords: security, malware ms.prod: windows-client audience: ITPro -ms.collection: M365-security-compliance author: jsuther1974 ms.reviewer: jogeurte ms.author: jogeurte diff --git a/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md index 526551ec0e..644f65163a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md @@ -9,13 +9,13 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium audience: ITPro -ms.collection: M365-security-compliance author: jsuther1974 ms.reviewer: jogeurte ms.author: vinpa manager: aaroncz ms.date: 11/04/2022 ms.technology: itpro-security +ms.topic: article --- # Remove Windows Defender Application Control (WDAC) policies diff --git a/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md index b7c381d70d..0bf9b9d1f5 100644 --- a/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md @@ -4,7 +4,6 @@ description: Learn how to switch a WDAC policy from audit to enforced mode. keywords: security, malware ms.prod: windows-client audience: ITPro -ms.collection: M365-security-compliance author: jsuther1974 ms.reviewer: jogeurte ms.author: jogeurte diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index abe6093543..4b9c9e64bd 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md @@ -4,7 +4,6 @@ description: Learn what different Windows Defender Application Control event IDs ms.prod: windows-client ms.technology: itpro-security ms.localizationpriority: medium -ms.collection: M365-security-compliance author: jsuther1974 ms.reviewer: jogeurte ms.author: vinpa @@ -189,3 +188,4 @@ A list of other relevant event IDs and their corresponding description. | 3110 | Windows mode change event was unsuccessful. | | 3111 | The file under validation didn't meet the hypervisor-protected code integrity (HVCI) policy. | | 3112 | The file under validation is signed by a certificate that has been explicitly revoked by Windows. | +| 3114 | Dynamic Code Security opted the .NET app or DLL into Application Control policy validation. The file under validation didn't pass your policy and was blocked. | diff --git a/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md index ee37a71bca..f358465735 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md @@ -9,13 +9,13 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium audience: ITPro -ms.collection: M365-security-compliance author: jsuther1974 ms.reviewer: isbrahm ms.author: vinpa manager: aaroncz ms.date: 07/13/2021 ms.technology: itpro-security +ms.topic: article --- # Understanding Application Control event tags diff --git a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md index 2c666bad22..0286b18ad3 100644 --- a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md @@ -10,7 +10,6 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium audience: ITPro -ms.collection: M365-security-compliance author: jsuther1974 ms.reviewer: jogeurte ms.author: vinpa diff --git a/windows/security/threat-protection/windows-defender-application-control/feature-availability.md b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md index 4da8421cfe..23e85b02c4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/feature-availability.md +++ b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md @@ -4,7 +4,6 @@ description: Compare Windows Defender Application Control (WDAC) and AppLocker f ms.prod: windows-client ms.technology: itpro-security ms.localizationpriority: medium -ms.collection: M365-security-compliance author: jgeurten ms.reviewer: aaroncz ms.author: jogeurte diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig31-getmoreinfo.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig31-getmoreinfo.png index 7661cb4eb9..732001bdf8 100644 Binary files a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig31-getmoreinfo.png and b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig31-getmoreinfo.png differ diff --git a/windows/security/threat-protection/windows-defender-application-control/index.yml b/windows/security/threat-protection/windows-defender-application-control/index.yml index 5dd1e3fd49..6602ab9a3c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/index.yml +++ b/windows/security/threat-protection/windows-defender-application-control/index.yml @@ -4,14 +4,11 @@ title: Application Control for Windows metadata: title: Application Control for Windows description: Landing page for Windows Defender Application Control -# services: service -# ms.service: microsoft-WDAC-AppLocker -# ms.subservice: Application-Control -# ms.topic: landing-page -# author: Kim Klein -# ms.author: Jordan Geurten -# manager: Jeffrey Sutherland -# ms.update: 04/30/2021 + ms.topic: landing-page + author: vinaypamnani-msft + ms.author: vinpa + manager: aaroncz + ms.date: 12/07/2022 # linkListType: overview | how-to-guide | tutorial | video landingContent: # Cards and links should be based on top customer tasks or top subjects diff --git a/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md index 77933f3967..5ccc7f5f17 100644 --- a/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md @@ -9,13 +9,13 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium audience: ITPro -ms.collection: M365-security-compliance author: jsuther1974 ms.reviewer: isbrahm ms.author: vinpa manager: aaroncz ms.date: 05/29/2020 ms.technology: itpro-security +ms.topic: article --- # Manage Packaged Apps with Windows Defender Application Control diff --git a/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md index 19737f5a29..80865556cc 100644 --- a/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md @@ -4,7 +4,6 @@ description: Learn how to merge WDAC policies as part of your policy lifecycle m keywords: security, malware ms.prod: windows-client audience: ITPro -ms.collection: M365-security-compliance author: jsuther1974 ms.reviewer: jogeurte ms.author: jogeurte diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md index 407e490e72..68be5afd9a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md @@ -4,7 +4,6 @@ description: View a list of recommended block rules, based on knowledge shared b ms.prod: windows-client ms.technology: itpro-security ms.localizationpriority: medium -ms.collection: M365-security-compliance author: jsuther1974 ms.reviewer: jgeurten ms.author: vinpa diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md index f37306192a..fc266be640 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md @@ -10,13 +10,14 @@ ms.pagetype: security ms.localizationpriority: medium audience: ITPro ms.collection: - - M365-security-compliance - highpri author: jgeurten ms.reviewer: jsuther ms.author: vinpa manager: aaroncz ms.date: 11/01/2022 +ms.technology: itpro-security +ms.topic: article --- # Microsoft recommended driver block rules diff --git a/windows/security/threat-protection/windows-defender-application-control/citool-commands.md b/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands.md similarity index 92% rename from windows/security/threat-protection/windows-defender-application-control/citool-commands.md rename to windows/security/threat-protection/windows-defender-application-control/operations/citool-commands.md index 5a2d7b7e72..e9f786a561 100644 --- a/windows/security/threat-protection/windows-defender-application-control/citool-commands.md +++ b/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands.md @@ -3,14 +3,15 @@ title: Managing CI Policies and Tokens with CiTool description: Learn how to use Policy Commands, Token Commands, and Miscellaneous Commands in CiTool author: valemieux ms.author: jogeurte -ms.service: security -ms.reviewer: jogeurte +ms.reviewer: jsuther1974 ms.topic: how-to -ms.date: 08/07/2022 +ms.date: 12/03/2022 ms.custom: template-how-to +ms.prod: windows-client +ms.technology: itpro-security --- -# Manage Windows Defender Application Control (WDAC) Policies with CI Tool +# CITool.exe technical reference CI Tool makes Windows Defender Application Control (WDAC) policy management easier for IT admins. CI Tool can be used to manage Windows Defender Application Control policies and CI Tokens. This article describes how to use CI Tool to update and manage policies. CI Tool is currently included in Windows 11, version 22H2. @@ -20,7 +21,7 @@ CI Tool makes Windows Defender Application Control (WDAC) policy management easi |--------|---------|---------| | --update-policy `` | Add or update a policy on the current system | -up | | --remove-policy `` | Remove a policy indicated by PolicyGUID from the system | -rp | -| --list-policies | Dump information about all policies on the system, whether they are active or not | -lp | +| --list-policies | Dump information about all policies on the system, whether they're active or not | -lp | ## Token Commands @@ -31,7 +32,7 @@ CI Tool makes Windows Defender Application Control (WDAC) policy management easi | --list-tokens | Dump information about all tokens on the system | -lt | > [!NOTE] -> Regarding --add-token, if `` is specified, a pre-existing token with `` should not exist. +> Regarding `--add-token`, if `` is specified, a pre-existing token with `` should not exist. ## Miscellaneous Commands diff --git a/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md b/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md index 675fba1e03..9a7322339f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md +++ b/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md @@ -4,7 +4,6 @@ description: WDAC Known Issues keywords: security, malware ms.prod: windows-client audience: ITPro -ms.collection: M365-security-compliance author: jsuther1974 ms.reviewer: jogeurte ms.author: jogeurte diff --git a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md index 08f23bb4ca..3650147424 100644 --- a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md +++ b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md @@ -9,13 +9,13 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium audience: ITPro -ms.collection: M365-security-compliance author: jsuther1974 ms.reviewer: jogeurte ms.author: vinpa manager: aaroncz ms.date: 11/02/2022 ms.technology: itpro-security +ms.topic: article --- # Plan for Windows Defender Application Control lifecycle policy management diff --git a/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md b/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md index e9cef369c8..edebf6678f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md +++ b/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md @@ -9,13 +9,13 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium audience: ITPro -ms.collection: M365-security-compliance author: jsuther1974 ms.reviewer: isbrahm ms.author: vinpa manager: aaroncz ms.date: 03/01/2022 ms.technology: itpro-security +ms.topic: article --- # Querying Application Control events centrally using Advanced hunting diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 836db5154a..d14c84c13f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -9,13 +9,13 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium audience: ITPro -ms.collection: M365-security-compliance author: jgeurten ms.reviewer: jsuther1974 ms.author: vinpa manager: aaroncz ms.date: 08/29/2022 ms.technology: itpro-security +ms.topic: article --- # Understand Windows Defender Application Control (WDAC) policy rules and file rules diff --git a/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md b/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md index 7122339287..75657fc814 100644 --- a/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md @@ -9,13 +9,13 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium audience: ITPro -ms.collection: M365-security-compliance author: jsuther1974 ms.reviewer: isbrahm ms.author: vinpa manager: aaroncz ms.date: 03/01/2018 ms.technology: itpro-security +ms.topic: article --- # Windows Defender Application Control deployment in different scenarios: types of devices diff --git a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md index 6627e9c50a..0e68f7beb2 100644 --- a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md +++ b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md @@ -10,12 +10,12 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium audience: ITPro -ms.collection: M365-security-compliance author: jsuther1974 ms.reviewer: isbrahm ms.author: vinpa ms.date: 02/08/2018 ms.technology: itpro-security +ms.topic: article --- # Understand Windows Defender Application Control policy design decisions diff --git a/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md b/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md index 2f9f3c81b4..0a270415dc 100644 --- a/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md +++ b/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md @@ -3,13 +3,13 @@ title: Understanding Windows Defender Application Control (WDAC) secure settings description: Learn about secure settings in Windows Defender Application Control. ms.prod: windows-client ms.localizationpriority: medium -ms.collection: M365-security-compliance author: jgeurten ms.reviewer: vinpa ms.author: jogeurte manager: aaroncz ms.date: 10/11/2021 ms.technology: itpro-security +ms.topic: article --- # Understanding WDAC Policy Settings diff --git a/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md b/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md index 953d9ae95e..e73d92001f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md @@ -1,6 +1,6 @@ --- -title: Use code signing to simplify application control for classic Windows applications (Windows) -description: With embedded signing, your WDAC policies typically don't have to be updated when an app is updated. To set up this embedded signing, you can choose from various methods. +title: Use code signing for added control and protection with WDAC +description: Code signing can be used to better control win32 app authorization and add protection for your WDAC policies. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.prod: windows-client @@ -9,16 +9,16 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium audience: ITPro -ms.collection: M365-security-compliance +ms.topic: conceptual author: jsuther1974 -ms.reviewer: isbrahm +ms.reviewer: jogeurte ms.author: vinpa manager: aaroncz -ms.date: 05/03/2018 +ms.date: 11/29/2022 ms.technology: itpro-security --- -# Use code signing to simplify application control for classic Windows applications +# Use code signing for added control and protection with WDAC **Applies to:** @@ -29,45 +29,34 @@ ms.technology: itpro-security > [!NOTE] > Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). -This topic covers guidelines for using code signing control classic Windows apps. +## What is code signing and why is it important? -## Reviewing your applications: application signing and catalog files +Code signing provides some important benefits to application security features like Windows Defender Application Control (WDAC). First, it allows the system to cryptographically verify that a file hasn't been tampered with since it was signed and before any code is allowed to run. Second, it associates the file with a real-world identity, such as a company or an individual developer. This identity can make your WDAC policy trust decisions easier and allows for real-world consequences when code signing is abused or used maliciously. Although Windows doesn't require software developers to digitally sign their code, most major independent software vendors (ISV) do use code signing for much of their code. And metadata that a developer includes in a file's resource header (.RSRC), such as OriginalFileName or ProductName, can be combined with the file's signing certificate to limit the scope of trust decisions. For example, instead of allowing everything signed by Microsoft, you can choose to allow only files signed by Microsoft where ProductName is "Microsoft Teams". Then use other rules to authorize any other files that need to run. -Typically, Windows Defender Application Control (WDAC) policies are configured to use the application's signing certificate as part or all of what identifies the application as trusted. This purpose means that applications must either use embedded signing—where the signature is part of the binary—or catalog signing, where you generate a "catalog file" from the applications, sign it, and through the signed catalog file, configure the WDAC policy to recognize the applications as signed. +Wherever possible, you should require all app binaries and scripts are code signed as part of your app acceptance criteria. And, you should ensure that internal line-of-business (LOB) app developers have access to code signing certificates controlled by your organization. -Catalog files can be useful for unsigned LOB applications that can't easily be given an embedded signature. However, catalogs need to be updated each time an application is updated. In contrast, with embedded signing, your Windows Defender Application Control policies typically don't have to be updated when an application is updated. For this reason, if code-signing is or can be included in your in-house application development process, it can simplify the management of WDAC (compared to using catalog signing). +## Catalog signing -To obtain signed applications or embed signatures in your in-house applications, you can choose from various methods: +App binaries and scripts are typically either embed-signed or catalog-signed. Embedded signatures become part of the file itself and are carried with the file wherever it's copied or moved. Catalog signatures, on the other hand, are detached from the individual file(s). Instead, a separate "catalog file" is created that contains hash values for one or more files to be signed. This catalog file is then digitally signed and applied to any computer where you want the signature to exist. Any file whose hash value is included in the signed catalog inherits the signature from the catalog file. A file may have multiple signatures, including a mix of embedded and catalog signatures. -- Using the Microsoft Store publishing process. All apps that come out of the Microsoft Store are automatically signed with special signatures that can roll up to our certificate authority (CA) or to your own. - -- Using your own digital certificate or public key infrastructure (PKI). ISV's and enterprises can sign their own Classic Windows applications themselves, adding themselves to the trusted list of signers. - -- Using a non-Microsoft signing authority. ISV's and enterprises can use a trusted non-Microsoft signing authority to sign all of their own Classic Windows applications. - -To use catalog signing, you can choose from the following options: - -- Use the Windows Defender signing portal available in the Microsoft Store for Business and Education. The portal is a Microsoft web service that you can use to sign your Classic Windows applications. - -- Create your own catalog files, which are described in the next section. - -### Catalog files - -Catalog files (which you can create in Windows 10 and Windows 11 with a tool called Package Inspector) contain information about all deployed and executed binary files associated with your trusted but unsigned applications. When you create catalog files, you can also include signed applications for which you don't want to trust the signer but rather the specific application. After creating a catalog, you must sign the catalog file itself by using enterprise public key infrastructure (PKI), or a purchased code signing certificate. Then you can distribute the catalog, so that your trusted applications can be handled by Windows Defender Application Control in the same way as any other signed application. - -Catalog files are Secure Hash Algorithm 2 (SHA2) hash lists of discovered binaries. These binaries' hash values are updated each time an application is updated, which requires the catalog file to be updated also. - -After you've created and signed your catalog files, you can configure your WDAC policies to trust the signer or signing certificate of those files. +You can use catalog files to easily add a signature to an existing application without needing access to the original source files and without any expensive repackaging. You can even use catalog files to add your own signature to an ISV app when you don't want to trust everything the ISV signs directly, themselves. Then you just deploy the signed catalog along with the app to all your managed endpoints. > [!NOTE] -> Package Inspector only works on operating systems that support Windows Defender, such as Windows 10 and Windows 11 Enterprise, Windows 10 and Windows 11 Education, Windows 2016 Server, or Windows Enterprise IoT. +> Since catalogs identify the files they sign by hash, any change to the file may invalidate its signature. You will need to deploy updated catalog signatures any time the application is updated. Integrating code signing with your app development or app deployment processes is generally the best approach. Be aware of self-updating apps, as their app binaries may change without your knowledge. -For procedures for working with catalog files, see [Deploy catalog files to support Windows Defender Application Control](deploy-catalog-files-to-support-windows-defender-application-control.md). +To learn how to create and manage catalog files for existing apps, see [Deploy catalog files to support Windows Defender Application Control](deploy-catalog-files-to-support-windows-defender-application-control.md). -## Windows Defender Application Control policy formats and signing +## Signed WDAC policies -When you generate a Windows Defender Application Control policy, you're generating a binary-encoded XML document that includes configuration settings for both the User and Kernel-modes of Windows 10 and Windows 11 Enterprise, along with restrictions on Windows 10 and Windows 11 script hosts. You can view your original XML document in a text editor, for example if you want to check the rule options that are present in the **<Rules>** section of the file. +While a WDAC policy begins as an XML document, it's then converted into a binary-encoded file before deployment. This binary version of your WDAC policy can be code signed like any other application binary, offering many of the same benefits as described above for signed code. Additionally, signed policies are treated specially by WDAC and help protect against tampering or removal of a WDAC policy even by an admin user. -We recommend that you keep the original XML file for use when you need to merge the WDAC policy with another policy or update its rule options. For deployment purposes, the file is converted to a binary format, which can be done using a simple Windows PowerShell command. +For more information on using signed WDAC policies, see [Use signed policies to protect WDAC against tampering](/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering) -When the Windows Defender Application Control policy is deployed, it restricts the software that can run on a device. The XML document can be signed, helping to add more protection against administrative users changing or removing the policy. +## Obtain code signing certificates for your own use + +Some ways to obtain code signing certificates for your own use, include: + +- Purchase a code signing certificate from one of the [Microsoft Trusted Root Program participants](/security/trusted-root/participants-list). +- To use your own digital certificate or public key infrastructure (PKI) to issue code signing certificates, see [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md). +- Customers with existing Microsoft Store for Business and Education accounts can continue to use the ["Device Guard signing service v2"](/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business). +- Use Microsoft's [Azure Code Signing (ACS) service](https://aka.ms/AzureCodeSigning). diff --git a/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md b/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md index d23bee6811..6e3ec4c7fb 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md @@ -1,6 +1,6 @@ --- -title: Use the Device Guard Signing Portal in the Microsoft Store for Business (Windows) -description: You can sign code integrity policies with the Device Guard signing portal to prevent them from being tampered with after they're deployed. +title: Use the Device Guard Signing Service v2 (Windows) +description: You can sign catalog files and WDAC policies with the Device Guard signing service. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.author: vinpa @@ -10,15 +10,15 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium audience: ITPro -ms.collection: M365-security-compliance +ms.topic: conceptual author: jsuther1974 -ms.reviewer: isbrahm +ms.reviewer: jogeurte manager: aaroncz -ms.date: 02/19/2019 +ms.date: 11/30/2022 ms.technology: itpro-security --- -# Optional: Use the Device Guard Signing Portal in the Microsoft Store for Business +# Optional: Use the Device Guard Signing Service v2 **Applies to:** @@ -27,27 +27,162 @@ ms.technology: itpro-security - Windows Server 2016 and above > [!IMPORTANT] -> The existing web-based mechanism for the Device Guard Signing Service v1 will be retired on June 9, 2021. Please transition to the PowerShell based version of the service [(DGSS v2)](/microsoft-store/device-guard-signing-portal). For more details, see [Sign an MSIX package with Device Guard signing](/windows/msix/package/signing-package-device-guard-signing) and [Device Guard signing](/microsoft-store/device-guard-signing-portal). +> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). +> +> You can continue to use the current Device Guard Signing Service v2 (DGSS) capabilities until that time. DGSS will be replaced by the [Azure Code Signing service (ACS)](https://aka.ms/AzureCodeSigning) and will support your Windows Defender Application Control (WDAC) policy and catalog file signing needs. + +The Device Guard Signing Service v2 (DGSS) is a code signing service that comes with your existing Microsoft Store for Business and Education tenant account. You can use the DGSS to sign catalog files and Windows Defender Application Control (WDAC) policies. + +## Set up permissions for DGSS signing in the Microsoft Store for Business and Education + +To use DGSS, you need to assign yourself a role with the right permissions. The least privileged role with DGSS signing privilege is the **Device Guard signer** role. **Global Administrator** and **Billing account owner** can also sign with the DGSS. + +## Install the DGSS client NuGet package + +Download and install the [DGSS client utilities and PowerShell cmdlets NuGet package](https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/). + +1. Download the [latest recommended version of nuget.exe](https://dist.nuget.org/win-x86-commandline/latest/nuget.exe). +2. From an elevated PowerShell or command window, run the following command: + + ```powershell + nuget.exe install Microsoft.Acs.Dgss.Client + ``` + +3. Import the DGSS PowerShell module from the location where the Microsoft.Acs.Dgss.Client was installed in the previous step. + + ```powershell + # Update the path to the Microsoft.Acs.Dgss.Client.dll if needed + Import-Module $env:USERPROFILE\Downloads\Microsoft.Acs.Dgss.Client.1.0.11\PowerShell\Microsoft.Acs.Dgss.Client.dll + ``` + +## DGSS PowerShell Commands > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). +> <DGSSCommonParameters> are parameters common across all commands and are documented below the command definitions. -You can sign code integrity policies with the Device Guard signing portal to prevent them from being tampered with after they're deployed. +### Get-DefaultPolicy -## Sign your code integrity policy -Before you get started, be sure to review these best practices: +Gets the default .xml policy file associated with the current tenant. -**Best practices** +**Usage:** -- Test your code integrity policies on a pilot group of devices before deploying them to production. -- Use rule options 9 and 10 during testing. For more information, see the section Code integrity policy rules in the [Deploy Windows Defender Application Control policy rules and file rules](./select-types-of-rules-to-create.md). + ```powershell + Get-DefaultPolicy -OutFile filename [-PassThru] [] + ``` -**To sign a code integrity policy** +**Parameters:** -1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com). -2. Click **Manage**, click **Store settings**, and then click **Device Guard**. -3. Click **Upload** to upload your code integrity policy. -4. After the files are uploaded, click **Sign** to sign the code integrity policy. -5. Click **Download** to download the signed code integrity policy. +- **OutFile** - string, mandatory - The filename where the default policy file should be persisted to disk. The file name should be an .xml file. If the file already exists, it will be overwritten. NOTE: The destination folder must already exist. +- **PassThru** - switch, optional - If present, returns an XmlDocument object returning the default policy file. - When you sign a code integrity policy with the Device Guard signing portal, the signing certificate is added to the policy. This means you can't modify this policy. If you need to make changes, make them to an unsigned version of the policy, and then sign the policy again. +**Command running time:** The average running time is under 20 seconds but may be up to 3 minutes. + +### Get-RootCertificate + +Gets the root certificate for the current tenant. All Authenticode and policy signing certificates will eventually chain up to this root certificate. + +**Usage:** + + ```powershell + Get-RootCertificate -OutFile filename [-PassThru] [] + ``` + +**Parameters:** + +- **OutFile** - string, mandatory - The filename where the root certificate file should be persisted to disk. The file name should be a .cer file. If the file already exists, it will be overwritten. NOTE: The destination folder must already exist. +- **PassThru** - switch, optional - If present, returns an X509Certificate2 object returning the default policy file. + +**Command running time:** The average running time is under 20 seconds but may be up to 3 minutes. + +### Get-SigningHistory + +Gets information for the latest 100 files signed by the current tenant. Results are returned as a collection with elements in reverse chronological order (most recent to least recent). + +**Usage:** + + ```powershell + Get-SigningHistory -OutFile filename [-PassThru] [] + ``` + +**Parameters:** + +- **OutFile** - string, mandatory - The filename where the signing history file should be persisted to disk. The file name should be an .xml file. If the file already exists, it will be overwritten. NOTE: The destination folder must already exist. +- **PassThru** - switch, optional - If present, returns XML objects returning the XML file. + +**Command running time:** The average running time is under 10 seconds. + +### Submit-SigningJob + +Submits a file to the service for signing and timestamping. The module supports valid file type for Authenticode signing is Catalog file (.cat). Valid file type for policy signing is binary policy files with the extension (.bin) that have been created via the ConvertFrom-CiPolicy cmdlet. Otherwise, binary policy file may not be deployed properly. + +**Usage:** + + ```powershell + Submit-SigningJob -InFile filename -OutFile filename [-NoTimestamp][- TimeStamperUrl "timestamper url"] [-JobDescription "description"] [] + ``` + +**Parameters:** + +- **InFile** - string, mandatory - The file to be signed, which must be a valid catalog file (.cat) or WDAC policy file with binary extension (.bin). +- **OutFile** - string, mandatory - The output file that should be generated by the signing process. If this file already exists, it will be overwritten. NOTE: The destination folder must already exist. +- **NoTimestamp** - switch, optional - If present, the signing operation will skip timestamping the output file, and it will be signed only. If not present (default) and TimeStamperUrl is present, the output file will be both signed and timestamped. If both NoTimestamp and TimeStamperUrl aren't present, the signing operation will skip timestamping the output file, and it will be signed only. +- **TimeStamperUrl** - string, optional - If this value is an invalid URL (and NoTimestamp not present), the module will throw an exception. To understand more about timestamping, see [Timestamping](/windows/msix/package/signing-package-overview#timestamping). +- **JobDescription** - string, optional - A short (< 100 chars), human-readable description of this submission. If the script is being called as part of an automated build process, you may want the process to pass a version number or changeset number for this field. This information will be provided as part of the results of the Get-SigningHistory command. + +### Submit-SigningV1MigrationPolicy + +Submits a file to the service for signing and timestamping. The only valid file type for policy signing is binary policy files with the extension (.bin) that have been created via the [ConvertFromCiPolicy](/powershell/module/configci/convertfrom-cipolicy) cmdlet. Otherwise, binary policy file may not be deployed properly. Note: Only use for DGSS V1 migration. + +**Usage:** + + ```powershell + Submit-SigningV1MigrationPolicy -InFile filename -OutFile filename [-NoTimestamp][-TimeStamperUrl "timestamper url"] [-JobDescription "description"] [] + ``` + +**Parameters:** + +- **InFile** - string, mandatory - The file to be signed, which must be a WDAC policy file with binary extension (.bin). +- **OutFile** - string, mandatory - The output file that should be generated by the signing process. If this file already exists, it will be overwritten. NOTE: The destination folder must already exist. +- **NoTimestamp** - switch, optional - If present, the signing operation will skip timestamping the output file, and it will be signed only. If not present (default) and TimeStamperUrl is present, the output file will be both signed and timestamped. If both NoTimestamp and TimeStamperUrl aren't present, the signing operation will skip timestamping the output file, and it will be signed only. +- **TimeStamperUrl** - string, optional - If this value is an invalid URL (and NoTimestamp not present), the module will throw exception. To understand more about timestamping, see [Timestamping](/windows/msix/package/signing-package-overview#timestamping). +- **JobDescription** - string, optional - A short (< 100 chars), human-readable description of this submission. If the script is being called as part of an automated build process, you may want the process to pass a version number or changeset number for this field. This information will be provided as part of the results of the Get-SigningHistory command. + +**Command running time:** The average running time is under 20 seconds but may be up to 3 minutes. + +### Common parameters <DGSSCommonParameters> + +In addition to cmdlet-specific parameters, each cmdlet understands the following common parameters. + +**Usage:** + + ```powershell + ... [-NoPrompt] [-Credential $creds] [-AppId AppId] [-Verbose] + ``` + +**Parameters:** + +- **NoPrompt** - switch, optional - If present, indicates that the script is running in a headless environment and that all UI should be suppressed. If UI must be displayed (for example, for authentication) when the switch is set, the operation will instead fail. +- **Credential + AppId** - PSCredential - A sign-in credential (username and password) and AppId. + +## File and size limits + +When you're uploading files for DGSS signing, there are a few limits for files and file size: + +| Description | Limit | +|-------------------------------------------------------|----------| +| Maximum size for a policy or catalog file | 3.5 MB | +| Maximum size for multiple files (uploaded in a group) | 4 MB | +| Maximum number of files per upload | 15 files | + +## File types + +Catalog and policy files submitted to DGSS for signing must use specific file extensions: + +| File | Required file extension | +|---------------|--------------------| +| catalog files | .cat | +| policy files | .bin | + +## DGSS signing certificates + +All certificates generated by the DGSS are unique per customer and are independent of the Microsoft production code signing certificate authorities. All Certification Authority (CA) keys are stored within the cryptographic boundary of Federal Information Processing Standards (FIPS) publication 140-2 compliant hardware security modules. After initial generation, root certificate keys and top level CA keys are removed from the online signing service, encrypted, and stored offline. diff --git a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md index ca5b20ff1f..60174cc444 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md @@ -8,8 +8,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium +ms.topic: conceptual audience: ITPro -ms.collection: M365-security-compliance author: jsuther1974 ms.reviewer: jogeurte ms.author: vinpa @@ -29,89 +29,117 @@ ms.technology: itpro-security > [!NOTE] > Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). -Signed Windows Defender Application Control (WDAC) policies give organizations the highest level of malware protection available in Windows—must be signed with [PKCS #7](https://datatracker.ietf.org/doc/html/rfc5652). In addition to their enforced policy rules, signed policies can't be modified or deleted by a user or administrator on the computer. These policies are designed to prevent administrative tampering and kernel mode exploit access. With this idea of the policies in mind, it's much more difficult to remove signed WDAC policies. SecureBoot must be enabled in order to restrict users from updating or removing signed WDAC policies. +Signed Windows Defender Application Control (WDAC) policies give organizations the highest level of protection available in Windows. These policies are designed to detect administrative tampering of the policy, such as by malware running as admin, and will result in a boot failure (blue screen). With this goal in mind, it's much more difficult to remove signed WDAC policies. SecureBoot must be enabled in order to provide this protection for signed WDAC policies. + +If you don't currently have a code signing certificate you can use to sign your WDAC policies, see [Obtain code signing certificates for your own use](/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications#obtain-code-signing-certificates-for-your-own-use). > [!WARNING] -> Boot failure (blue screen) may occur if your signing certificate does not follow these rules: +> Boot failure (blue screen) may occur if your signing certificate doesn't follow these rules: > > - All policies, including base and supplemental, must be signed according to the [PKCS 7 Standard](https://datatracker.ietf.org/doc/html/rfc5652). -> - Use RSA SHA-256 only. ECDSA isn't supported. +> - Use RSA keys with 2K, 3K, or 4K key size only. ECDSA isn't supported. +> - You can use SHA-256, SHA-384, or SHA-512 as the digest algorithm on Windows 11, as well as Windows 10 and Windows Server 2019 and above after applying the November 2022 cumulative security update. All other devices only support SHA-256. > - Don't use UTF-8 encoding for certificate fields, like 'subject common name' and 'issuer common name'. These strings must be encoded as PRINTABLE_STRING, IA5STRING or BMPSTRING. -> - Keys must be less than or equal to 4K key size -> -Before you sign with PKCS #7 and deploy a signed WDAC policy, we recommend that you [audit the policy](audit-windows-defender-application-control-policies.md) to discover any blocked applications that should be allowed to run. - -Signing WDAC policies by using an on-premises CA-generated certificate or a purchased code signing certificate is straightforward. -If you don't currently have a code signing certificate exported in .pfx format (containing private keys, extensions, and root certificates), see [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md) to create one with your on-premises CA. - -Before PKCS #7-signing WDAC policies for the first time, ensure you enable rule options **Enabled:Advanced Boot Options Menu** and **10 Enabled:Boot Audit on Failure** to leave troubleshooting options available to administrators. To ensure that a rule option is enabled, you can run a command such as `Set-RuleOption -FilePath -Option 9`, even if you're not sure whether the option is already enabled. If so, the command has no effect. When validated and ready for enterprise deployment, you can remove these options. For more information about rule options, see [Windows Defender Application Control policy rules](select-types-of-rules-to-create.md). - -To sign a Windows Defender Application Control policy with SignTool.exe, you need the following components: - -- SignTool.exe, found in the [Windows SDK](https://developer.microsoft.com/windows/downloads/windows-10-sdk/) (Windows 7 or later) - -- The binary format of the WDAC policy that you generated in [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md) or another WDAC policy that you've created - -- An internal CA code signing certificate or a purchased code signing certificate - -If you don't have a code signing certificate, see [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md) for instructions on how to create one. If you use an alternate certificate or Windows Defender Application Control (WDAC) policy, ensure you update the following steps with the appropriate variables and certificate so that the commands will function properly. To sign the existing WDAC policy, copy each of the following commands into an elevated Windows PowerShell session: - -1. Initialize the variables that will be used: - - ```powershell - $CIPolicyPath=$env:userprofile+"\Desktop\" - $InitialCIPolicy=$CIPolicyPath+"InitialScan.xml" - ``` - - > [!NOTE] - > This example uses the WDAC policy that you created in the [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md) section. If you are signing another policy, be sure to update the **$CIPolicyPath** variable with the correct information. - -2. Import the .pfx code signing certificate. Import the code signing certificate that you'll use to sign the WDAC policy into the user’s personal store on the computer where the signing happens. In this example, you use the certificate that was created in [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md). - -3. Export the .cer code signing certificate. After the code signing certificate has been imported, export the .cer version to your desktop. This version will be added to the policy so that it can be updated later. - -4. Navigate to your desktop as the working directory: - - ```powershell - cd $env:USERPROFILE\Desktop - ``` - -5. Use [Add-SignerRule](/powershell/module/configci/add-signerrule) to add an update signer certificate to the WDAC policy: - - ```powershell - Add-SignerRule -FilePath $InitialCIPolicy -CertificatePath -Kernel -User –Update - ``` - - > [!NOTE] - > *<Path to exported .cer certificate>* should be the full path to the certificate that you exported in step 3. - Also, adding update signers is crucial to being able to modify or disable this policy in the future. For more information about how to disable signed WDAC policies, see [Remove WDAC policies](disable-windows-defender-application-control-policies.md). - -6. Use [Set-RuleOption](/powershell/module/configci/set-ruleoption) to remove the unsigned policy rule option: - - ```powershell - Set-RuleOption -FilePath $InitialCIPolicy -Option 6 -Delete - ``` - -7. Reset the policy ID and use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the policy to binary format: - - ```powershell - $PolicyID= Set-CIPolicyIdInfo -FilePath $InitialCIPolicy -ResetPolicyID - $PolicyID = $PolicyID.Substring(11) - $CIPolicyBin = $env:userprofile + "\Desktop\" + $PolicyID + ".cip" - ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin - ``` - -8. Sign ([PKCS #7](https://datatracker.ietf.org/doc/html/rfc5652)) the WDAC policy by using SignTool.exe: - - ```powershell - sign -v /n "ContosoDGSigningCert" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $CIPolicyBin - ``` - - > [!NOTE] - > The *<Path to signtool.exe>* variable should be the full path to the SignTool.exe utility. **ContosoDGSigningCert** is the subject name of the certificate that will be used to sign the WDAC policy. You should import this certificate to your personal certificate store on the computer you use to sign the policy. - -9. Validate the signed file. When complete, the commands should output a signed policy file called {PolicyID}.cip to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy WDAC policies, see [Deploy and manage Windows Defender Application Control with Group Policy](deployment/deploy-windows-defender-application-control-policies-using-group-policy.md). +Before you attempt to deploy signed WDAC policy, you should first deploy an unsigned version of the policy to uncover any issues with the policy rules. We also recommend you enable rule options **9 - Enabled:Advanced Boot Options Menu** and **10 - Enabled:Boot Audit on Failure** to leave troubleshooting options available to administrators. To ensure that a rule option is enabled, you can run a command such as `Set-RuleOption -FilePath -Option 9`, even if you're not sure whether the option is already enabled. If so, the command has no effect. When validated and ready for enterprise deployment, you can remove these options. For more information about rule options, see [Windows Defender Application Control policy rules](select-types-of-rules-to-create.md). > [!NOTE] -> The device with the signed policy must be rebooted one time with Secure Boot enabled for the UEFI lock to be set. +> When signing a Base policy that has existing Supplemental policies, you must also switch to signed policy for all of the Supplementals. Authorize the signed supplemental policies by adding a **<SupplementalPolicySigner>** rule to the Base policy. + +## Prepare your WDAC policy for signing + +
                              +
                              + Expand this section for detailed instructions on preparing your WDAC policy files for signing. + +1. Open an elevated Windows PowerShell session and initialize the variables that will be used: + + ```powershell + $PolicyPath=$env:userprofile+"\Desktop\" + $PolicyName="FixedWorkloadPolicy_Enforced" + $LamnaServerPolicy=$PolicyPath+$PolicyName+".xml" + ``` + + > [!NOTE] + > This example uses an enforced version of the WDAC policy that you created in [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md) article. If you are signing another policy, be sure to update the **$PolicyPath** and **$PolicyName** variables with the correct information. + +2. Navigate to your desktop as the working directory: + + ```powershell + cd $PolicyPath + ``` + +3. If your WDAC policy doesn't already include an **<UpdatePolicySigner>** rule for your policy signing certificate, you must add it. At least one **<UpdatePolicySigner>** rule must exist to convert your WDAC policy XML with [ConvertFrom-CiPolicy](/powershell/module/configci/convertfrom-cipolicy). If you're using the Device Guard Signing Service v2 (DGSS) to sign your policy, you can find the policy signer rule in your tenant's default policy, which you can download from [Get-DefaultPolicy](/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business#get-defaultpolicy). + + Otherwise, use [Add-SignerRule](/powershell/module/configci/add-signerrule) and create an **<UpdatePolicySigner>** rule from your certificate file (.cer). DGSS users can download the root certificate file from [Get-RootCertificate](/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business#get-rootcertificate). If you purchased a code signing certificate or issued one from your own public key infrastructure (PKI), you can export the certificate file. + + NOTE: If your policy doesn't allow Supplemental policies, you should omit the **-Supplemental** switch from the following command: + + ```powershell + Add-SignerRule -FilePath $LamnaServerPolicy -CertificatePath –Update -Supplemental + ``` + + > [!IMPORTANT] + > Failing to perform this step will leave you unable to modify or disable this policy and will lead to boot failure. For more information about how to disable signed WDAC policies causing boot failure, see [Remove WDAC policies causing boot stop failures](/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies#remove-wdac-policies-causing-boot-stop-failures). + +4. Use [Set-RuleOption](/powershell/module/configci/set-ruleoption) to remove the unsigned policy rule option: + + ```powershell + Set-RuleOption -FilePath $LamnaServerPolicy -Option 6 -Delete + ``` + +5. (Optional) Use [Set-CIPolicyIdInfo](/powershell/module/configci/set-cipolicyidinfo) to reset the policy ID and change the policy name. + +6. (Optional) Use [Set-CIPolicyVersion](/powershell/module/configci/set-cipolicyversion) to change the policy VersionEx. + + > [!IMPORTANT] + > When updating a signed policy, the VersionEx of the updated policy must be greater than or equal to the current policy. Replacing a signed policy with a lower version will lead to boot failure. + +7. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the policy to binary format: + + ```powershell + $PolicyID= Set-CIPolicyIdInfo -FilePath $LamnaServerPolicy -ResetPolicyID + $PolicyID = $PolicyID.Substring(11) + $CIPolicyBin = $env:userprofile + "\Desktop\" + $PolicyID + ".cip" + ConvertFrom-CIPolicy $LamnaServerPolicy $CIPolicyBin + ``` + +
                              + +## Sign your WDAC policy + +### Policy signing with Device Guard Signing Service v2 (DGSS) + +If you have an existing Microsoft Store for Business and Education account, you can use the DGSS to sign your WDAC policy. For more information, see [Submit-SigningJob](/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business#submit-signingjob). + +### Policy signing with signtool.exe + +If you purchased a code signing certificate or issued one from your own PKI, you can use [SignTool.exe](/windows/win32/seccrypto/signtool) to sign your WDAC policy files: + +1. Import the .pfx code signing certificate into the user’s personal store on the computer where the signing will happen. In this example, you use the certificate that was created in [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md). + +2. Sign the WDAC policy by using SignTool.exe: + + ```powershell + sign -v -n "ContosoSigningCert" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $CIPolicyBin + ``` + + > [!NOTE] + > The *<Path to signtool.exe>* variable should be the full path to the SignTool.exe utility. **ContosoSigningCert** is the subject name of the certificate that will be used to sign the WDAC policy. You should import this certificate to your personal certificate store on the computer you use to sign the policy. + +When complete, the commands should output a signed policy file with a .p7 extension. You must rename the file to *{GUID}*.cip where "{GUID}" is the <PolicyId> from your original WDAC policy XML. + +## Verify and deploy the signed policy + +You can use certutil.exe to verify the signed file. Review the output to confirm the signature algorithm and encoding for certificate fields, like 'subject common name' and 'issuer common name' as described in the Warning at the top of this article. + +```powershell +certutil.exe -asn +``` + +Thoroughly test the signed policy on a representative set of computers before proceeding with deployment. Be sure to reboot the test computers at least twice after applying the signed WDAC policy to ensure you don't encounter a boot failure. + +Once you've verified the signed policy, deploy it using your preferred deployment method. For information about deploying WDAC policies, see [Deploying WDAC policies](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide). + +> [!NOTE] +> Anti-tampering protection for signed WDAC policies takes effect after the first reboot once the signed WDAC policy is applied to a computer. This protection only applies to computers with UEFI Secure Boot enabled. diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md index 6830e5bbcd..3d284b33dd 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md @@ -11,11 +11,11 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium audience: ITPro -ms.collection: M365-security-compliance author: jsuther1974 ms.reviewer: jogeurte ms.date: 11/02/2022 ms.technology: itpro-security +ms.topic: article --- # Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md index 9e5568c30d..d00682891d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md @@ -9,13 +9,13 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium audience: ITPro -ms.collection: M365-security-compliance author: jsuther1974 ms.reviewer: jogeurte ms.author: vinpa manager: aaroncz ms.date: 08/10/2022 ms.technology: itpro-security +ms.topic: article --- # Windows Defender Application Control (WDAC) and .NET diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md index a5d9f79a3f..8f03c660cd 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md @@ -9,12 +9,13 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium audience: ITPro -ms.collection: M365-security-compliance author: jsuther1974 ms.reviewer: isbrahm ms.author: vinpa manager: aaroncz ms.technology: itpro-security +ms.date: 12/31/2017 +ms.topic: article --- # Authorize reputable apps with the Intelligent Security Graph (ISG) diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md index 4eda9d1fff..1cac513952 100644 --- a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md @@ -9,7 +9,6 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium audience: ITPro -ms.collection: M365-security-compliance author: vinaypamnani-msft ms.reviewer: isbrahm ms.author: vinpa @@ -17,6 +16,7 @@ manager: aaroncz ms.date: 09/30/2020 ms.custom: asr ms.technology: itpro-security +ms.topic: article --- # Windows Defender Application Control and AppLocker Overview diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md index 1676591088..b4c9fd2969 100644 --- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md @@ -9,7 +9,6 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium audience: ITPro -ms.collection: M365-security-compliance author: jgeurten ms.reviewer: isbrahm ms.author: vinpa diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md index 05d77d395a..53a8d5c954 100644 --- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md @@ -9,7 +9,6 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium audience: ITPro -ms.collection: M365-security-compliance author: jgeurten ms.reviewer: isbrahm ms.author: vinpa diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-editing-policy.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-editing-policy.md index 04dc388298..89d6fab2aa 100644 --- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-editing-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-editing-policy.md @@ -9,7 +9,6 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium audience: ITPro -ms.collection: M365-security-compliance author: jgeurten ms.reviewer: isbrahm ms.author: vinpa diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-merging-policies.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-merging-policies.md index 1546604828..be4fce9d9b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-merging-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-merging-policies.md @@ -9,7 +9,6 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium audience: ITPro -ms.collection: M365-security-compliance author: jgeurten ms.reviewer: isbrahm ms.author: vinpa diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard.md index f584befef7..cc3fb987e1 100644 --- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard.md +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard.md @@ -4,7 +4,6 @@ description: The Windows Defender Application Control policy wizard tool allows ms.prod: windows-client ms.technology: itpro-security ms.localizationpriority: medium -ms.collection: M365-security-compliance author: jgeurten ms.reviewer: isbrahm ms.author: vinpa diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md index c8a1476cff..938e4370ae 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md @@ -4,7 +4,6 @@ description: Learn how to plan and implement a WDAC deployment. ms.prod: windows-client ms.technology: itpro-security ms.localizationpriority: medium -ms.collection: M365-security-compliance author: jgeurten ms.reviewer: aaroncz ms.author: jogeurte @@ -32,7 +31,7 @@ Before you deploy your WDAC policies, you must first convert the XML to its bina ```powershell ## Update the path to your WDAC policy XML - $WDACPolicyXMLFile = $env:USERPROFILE"\Desktop\MyWDACPolicy.xml" + $WDACPolicyXMLFile = $env:USERPROFILE + "\Desktop\MyWDACPolicy.xml" [xml]$WDACPolicy = Get-Content -Path $WDACPolicyXMLFile if (($WDACPolicy.SiPolicy.PolicyID) -ne $null) ## Multiple policy format (For Windows builds 1903+ only, including Server 2022) { diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md index 6a441bfedb..4b3cdb445f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md @@ -9,7 +9,6 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium audience: ITPro -ms.collection: M365-security-compliance author: jsuther1974 ms.reviewer: isbrahm ms.author: vinpa diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md index 5dd2b71791..4a03e5ee20 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md @@ -9,13 +9,13 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium audience: ITPro -ms.collection: M365-security-compliance author: jsuther1974 ms.reviewer: isbrahm ms.author: vinpa manager: aaroncz ms.date: 03/16/2020 ms.technology: itpro-security +ms.topic: article --- # Windows Defender Application Control operational guide diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md index b0da802f2e..6ac671b28d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md @@ -10,7 +10,6 @@ ms.pagetype: security ms.localizationpriority: medium audience: ITPro ms.collection: - - M365-security-compliance - highpri author: vinaypamnani-msft ms.reviewer: isbrahm @@ -19,6 +18,7 @@ manager: aaroncz ms.date: 05/26/2020 ms.custom: asr ms.technology: itpro-security +ms.topic: article --- # Application Control for Windows diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md index 211e327035..b85fb0dfe8 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md @@ -1,19 +1,12 @@ --- title: Account protection in the Windows Security app description: Use the Account protection section to manage security for your account and sign in to Microsoft. -keywords: account protection, wdav, smartscreen, antivirus, wdsc, exploit, protection, hide, Windows Defender SmartScreen, SmartScreen Filter, Windows SmartScreen -search.product: eADQiWindows 10XVcnh ms.prod: windows-client -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium author: vinaypamnani-msft ms.author: vinpa -ms.date: -ms.reviewer: -manager: aaroncz +ms.date: 12/31/2018 ms.technology: itpro-security +ms.topic: article --- @@ -21,8 +14,7 @@ ms.technology: itpro-security **Applies to** -- Windows 10 -- Windows 11 +- Windows 10 and later The **Account protection** section contains information and settings for account protection and sign-in. You can get more information about these capabilities from the following list: @@ -32,7 +24,6 @@ The **Account protection** section contains information and settings for account You can also choose to hide the section from users of the device. This is useful if you don't want your employees to access or view user-configured options for these features. - ## Hide the Account protection section You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app. diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md index 8744e633e8..817ff1949e 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md @@ -1,28 +1,20 @@ --- title: App & browser control in the Windows Security app description: Use the App & browser control section to see and configure Windows Defender SmartScreen and Exploit protection settings. -keywords: wdav, smartscreen, antivirus, wdsc, exploit, protection, hide -search.product: eADQiWindows 10XVcnh ms.prod: windows-client -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -audience: ITPro author: vinaypamnani-msft ms.author: vinpa -ms.date: -ms.reviewer: +ms.date: 12/31/2018 manager: aaroncz ms.technology: itpro-security +ms.topic: article --- # App and browser control **Applies to** -- Windows 10 -- Windows 11 +- Windows 10 and later The **App and browser control** section contains information and settings for Windows Defender SmartScreen. IT administrators and IT pros can get configuration guidance from the [Windows Defender SmartScreen documentation library](/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview). diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md index a4d1b860ad..1aed92dc61 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md @@ -1,27 +1,19 @@ --- title: Customize Windows Security contact information description: Provide information to your employees on how to contact your IT department when a security issue occurs -keywords: wdsc, security center, defender, notification, customize, contact, it department, help desk, call, help site -search.product: eADQiWindows 10XVcnh ms.prod: windows-client -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium author: vinaypamnani-msft ms.author: vinpa -ms.date: -ms.reviewer: -manager: aaroncz +ms.date: 12/31/2018 ms.technology: itpro-security +ms.topic: article --- # Customize the Windows Security app for your organization **Applies to** -- Windows 10 -- Windows 11 +- Windows 10 and later You can add information about your organization in a contact card to the Windows Security app. You can include a link to a support site, a phone number for a help desk, and an email address for email-based support. @@ -43,8 +35,6 @@ You must have Windows 10, version 1709 or later. The ADMX/ADML template files fo There are two stages to using the contact card and customized notifications. First, you have to enable the contact card or custom notifications (or both), and then you must specify at least a name for your organization and one piece of contact information. -This can only be done in Group Policy. - 1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**. 2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. @@ -55,6 +45,9 @@ This can only be done in Group Policy. 1. To enable the contact card, open the **Configure customized contact information** setting and set it to **Enabled**. Click **OK**. + > [!NOTE] + > This can only be done in Group Policy. + 2. To enable the customized notifications, open the **Configure customized notifications** setting and set it to **Enabled**. Click **OK**. 5. After you've enabled the contact card or the customized notifications (or both), you must configure the **Specify contact company name** to **Enabled**. Enter your company or organization's name in the field in the **Options** section. Click **OK**. @@ -66,5 +59,7 @@ This can only be done in Group Policy. 7. Select **OK** after you configure each setting to save your changes. ->[!IMPORTANT] ->You must specify the contact company name and at least one contact method - email, phone number, or website URL. If you do not specify the contact name and a contact method the customization will not apply, the contact card will not show, and notifications will not be customized. +To enable the customized notifications and add the contact information in Intune, see [Manage device security with endpoint security policies in Microsoft Intune](/mem/intune/protect/endpoint-security-policy) and [Settings for the Windows Security experience profile in Microsoft Intune](/mem/intune/protect/antivirus-security-experience-windows-settings). + +> [!IMPORTANT] +> You must specify the contact company name and at least one contact method - email, phone number, or website URL. If you do not specify the contact name and a contact method the customization will not apply, the contact card will not show, and notifications will not be customized. diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md index ab88f6b52c..bfc66838f7 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md @@ -1,19 +1,12 @@ --- title: Device & performance health in the Windows Security app description: Use the Device & performance health section to see the status of the machine and note any storage, update, battery, driver, or hardware configuration issues -keywords: wdsc, windows update, storage, driver, device, installation, battery, health, status -search.product: eADQiWindows 10XVcnh +ms.date: 12/31/2018 ms.prod: windows-client -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium author: vinaypamnani-msft ms.author: vinpa -ms.date: -ms.reviewer: -manager: aaroncz ms.technology: itpro-security +ms.topic: article --- diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md index ef5178a8fb..d56e6ecd4f 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md @@ -1,27 +1,20 @@ --- title: Device security in the Windows Security app description: Use the Device security section to manage security built into your device, including virtualization-based security. -keywords: device security, device guard, wdav, smartscreen, antivirus, wdsc, exploit, protection, hide -search.product: eADQiWindows 10XVcnh ms.prod: windows-client -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium author: vinaypamnani-msft ms.author: vinpa -ms.date: -ms.reviewer: +ms.date: 12/31/2018 manager: aaroncz ms.technology: itpro-security +ms.topic: article --- # Device security **Applies to** -- Windows 10 -- Windows 11 +- Windows 10 and later The **Device security** section contains information and settings for built-in device security. diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md index 5b3d707b6d..f4a6bb11c6 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md @@ -1,19 +1,12 @@ --- title: Family options in the Windows Security app description: Learn how to hide the Family options section of Windows Security for enterprise environments. Family options aren't intended for business environments. -keywords: wdsc, family options, hide, suppress, remove, disable, uninstall, kids, parents, safety, parental, child, screen time -search.product: eADQiWindows 10XVcnh ms.prod: windows-client -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium author: vinaypamnani-msft ms.author: vinpa -ms.date: -ms.reviewer: -manager: aaroncz +ms.date: 12/31/2018 ms.technology: itpro-security +ms.topic: article --- @@ -21,8 +14,7 @@ ms.technology: itpro-security **Applies to** -- Windows 10 -- Windows 11 +- Windows 10 and later The **Family options** section contains links to settings and further information for parents of a Windows 10 PC. It isn't intended for enterprise or business environments. diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md index 9c3ba56cc6..1d0d162d10 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md @@ -1,18 +1,11 @@ --- title: Firewall and network protection in the Windows Security app description: Use the Firewall & network protection section to see the status of and make changes to firewalls and network connections for the machine. -keywords: wdsc, firewall, windows defender firewall, network, connections, domain, private network, publish network, allow firewall, firewall rule, block firewall -search.product: eADQiWindows 10XVcnh -ms.prod: windows-client -ms.mktglfcycl: manage -ms.sitesec: library -ms.localizationpriority: medium author: vinaypamnani-msft ms.author: vinpa -ms.date: -ms.reviewer: -manager: aaroncz +ms.date: 12/31/2018 ms.technology: itpro-security +ms.topic: article --- diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md index 958d4c9085..8ca7f8d1c1 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md @@ -1,27 +1,19 @@ --- title: Hide notifications from the Windows Security app description: Prevent Windows Security app notifications from appearing on user endpoints -keywords: defender, security center, app, notifications, av, alerts -search.product: eADQiWindows 10XVcnh ms.prod: windows-client -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium author: vinaypamnani-msft ms.author: vinpa -ms.date: -ms.reviewer: -manager: aaroncz +ms.date: 12/31/2018 ms.technology: itpro-security +ms.topic: article --- # Hide Windows Security app notifications **Applies to** -- Windows 10 -- Windows 11 +- Windows 10 and later The Windows Security app is used by many Windows security features to provide notifications about the health and security of the machine. These include notifications about firewalls, antivirus products, Windows Defender SmartScreen, and others. @@ -40,7 +32,7 @@ You can only use Group Policy to change these settings. ## Use Group Policy to hide non-critical notifications -You can hide notifications that describe regular events related to the health and security of the machine. These notifications are the ones that don't require an action from the machine's user. It can be useful to hide these notifications if you find they're too numerous or you have other status reporting on a larger scale (such as Update Compliance or Microsoft Configuration Manager reporting). +You can hide notifications that describe regular events related to the health and security of the machine. These notifications are the ones that don't require an action from the machine's user. It can be useful to hide these notifications if you find they're too numerous or you have other status reporting on a larger scale (such as Windows Update for Business reports or Microsoft Configuration Manager reporting). These notifications can be hidden only by using Group Policy. diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md index 21ebc8e722..cfb558208e 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md @@ -13,6 +13,8 @@ ms.author: vinpa ms.reviewer: manager: aaroncz ms.technology: itpro-security +ms.date: 12/31/2017 +ms.topic: article --- # Virus and threat protection diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md index 4777c6863d..a3773ffe67 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md @@ -14,6 +14,7 @@ ms.date: 04/30/2018 ms.reviewer: manager: aaroncz ms.technology: itpro-security +ms.topic: how-to --- # Manage Windows Security in Windows 10 in S mode diff --git a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md index d34c5fc2b0..3f25837b24 100644 --- a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md +++ b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md @@ -11,6 +11,8 @@ manager: aaroncz ms.technology: itpro-security ms.collection: - highpri +ms.date: 12/31/2017 +ms.topic: article --- # The Windows Security app diff --git a/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md b/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md index a5a4b985e6..1404209dea 100644 --- a/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md +++ b/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md @@ -14,6 +14,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft ms.date: 03/01/2019 ms.technology: itpro-security +ms.topic: conceptual --- # Windows Defender System Guard: How a hardware-based root of trust helps protect Windows 10 diff --git a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md index e4715791d7..929c7d815b 100644 --- a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md +++ b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md @@ -13,6 +13,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: conceptual --- # System Guard Secure Launch and SMM protection diff --git a/windows/security/threat-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md b/windows/security/threat-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md index 599f606eb6..272fed2a81 100644 --- a/windows/security/threat-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md +++ b/windows/security/threat-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md b/windows/security/threat-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md index 36d687c819..12a0d5018e 100644 --- a/windows/security/threat-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md +++ b/windows/security/threat-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md b/windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md index 29758cdb89..5bb2312dbe 100644 --- a/windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md +++ b/windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md b/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md index 5dbd0f57e6..4aeb22b1f0 100644 --- a/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md +++ b/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md @@ -13,7 +13,6 @@ author: paolomatarazzo manager: aaroncz audience: ITPro ms.collection: - - M365-security-compliance - highpri ms.topic: conceptual ms.date: 09/07/2021 diff --git a/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md b/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md index 73e20f347d..11fb40c04f 100644 --- a/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.technology: itpro-security appliesto: @@ -21,6 +20,7 @@ appliesto: - ✅ Windows Server 2016 - ✅ Windows Server 2019 - ✅ Windows Server 2022 +ms.date: 12/31/2017 --- # Basic Firewall Policy Design @@ -53,7 +53,7 @@ By default, in new installations, Windows Defender Firewall with Advanced Securi If you turn off the Windows Defender Firewall service you lose other benefits provided by the service, such as the ability to use IPsec connection security rules, Windows Service Hardening, and network protection from forms of attacks that use network fingerprinting. -Compatible third-party firewall software can programmatically disable only the parts of Windows Defender Firewall that might need to be disabled for compatibility. This approach is the recommended one for third-party firewalls to coexist with the Windows Defender Firewall; third-party party firewalls that comply with this recommendation have the certified logo from Microsoft.  +Compatible third-party firewall software can programmatically disable only the parts of Windows Defender Firewall that might need to be disabled for compatibility. This approach is the recommended one for third-party firewalls to coexist with the Windows Defender Firewall; third-party firewalls that comply with this recommendation have the certified logo from Microsoft. An organization typically uses this design as a first step toward a more comprehensive Windows Defender Firewall design that adds server isolation and domain isolation. diff --git a/windows/security/threat-protection/windows-firewall/best-practices-configuring.md b/windows/security/threat-protection/windows-firewall/best-practices-configuring.md index 7ed3e77df2..c3caab02c2 100644 --- a/windows/security/threat-protection/windows-firewall/best-practices-configuring.md +++ b/windows/security/threat-protection/windows-firewall/best-practices-configuring.md @@ -3,6 +3,7 @@ title: Best practices for configuring Windows Defender Firewall description: Learn about best practices for configuring Windows Defender Firewall keywords: firewall, best practices, security, network security, network, rules, filters, ms.prod: windows-client +ms.date: 11/09/2022 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,27 +13,16 @@ ms.localizationpriority: medium manager: aaroncz audience: ITPro ms.collection: - - M365-security-compliance - highpri ms.topic: article ms.technology: itpro-security appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 - - ✅ Windows Server 2019 - - ✅ Windows Server 2022 + - ✅ Windows 10 and later + - ✅ Windows Server 2016 and later --- # Best practices for configuring Windows Defender Firewall -**Applies to** - -- Windows 10 -- Windows 11 -- Windows Server 2016 and above - - Windows Defender Firewall with Advanced Security provides host-based, two-way network traffic filtering and blocks unauthorized network traffic flowing into or out of the local device. Configuring your Windows Firewall based on the @@ -40,8 +30,8 @@ following best practices can help you optimize protection for devices in your network. These recommendations cover a wide range of deployments including home networks and enterprise desktop/server systems. -To open Windows Firewall, go to the **Start** menu, select **Run**, -type **WF.msc**, and then select **OK**. See also [Open Windows Firewall](./open-windows-firewall-with-advanced-security.md). +To open Windows Firewall, go to the **Start** menu, select **Run**, +type **WF.msc**, and then select **OK**. See also [Open Windows Firewall](./open-windows-firewall-with-advanced-security.md). ## Keep default settings @@ -51,18 +41,14 @@ When you open the Windows Defender Firewall for the first time, you can see the *Figure 1: Windows Defender Firewall* -1. **Domain profile**: Used for networks where there's a system of account authentication against a domain controller (DC), such as an Azure Active Directory DC - -2. **Private profile**: Designed for and best used - in private networks such as a home network - -3. **Public profile**: Designed with higher security in mind - for public networks like Wi-Fi hotspots, coffee shops, airports, hotels, or stores +1. **Domain profile**: Used for networks where there's a system of account authentication against an Active Directory domain controller +1. **Private profile**: Designed for and best used in private networks such as a home network +1. **Public profile**: Designed with higher security in mind for public networks, like Wi-Fi hotspots, coffee shops, airports, hotels, or stores View detailed settings for each profile by right-clicking the top-level **Windows Defender Firewall with Advanced Security** node in the left pane and then selecting **Properties**. Maintain the default settings in Windows Defender -Firewall whenever possible. These settings have been designed to secure your device for use in most network scenarios. One key example is the default Block behavior for Inbound connections. +Firewall whenever possible. These settings have been designed to secure your device for use in most network scenarios. One key example is the default Block behavior for Inbound connections. ![A screenshot of a cell phone Description automatically generated.](images/fw03-defaults.png) @@ -84,27 +70,20 @@ This rule-adding task can be accomplished by right-clicking either **Inbound Rul *Figure 3: Rule Creation Wizard* > [!NOTE] ->This article does not cover step-by-step rule -configuration. See the [Windows Firewall with Advanced Security Deployment -Guide](./windows-firewall-with-advanced-security-deployment-guide.md) -for general guidance on policy creation. +>This article does not cover step-by-step rule configuration. See the [Windows Firewall with Advanced Security Deployment Guide](./windows-firewall-with-advanced-security-deployment-guide.md) for general guidance on policy creation. -In many cases, allowing specific types of inbound traffic will be required for -applications to function in the network. Administrators should keep the following rule precedence behaviors in mind when -allowing these inbound exceptions. +In many cases, allowing specific types of inbound traffic will be required for applications to function in the network. Administrators should keep the following rule precedence behaviors in mind when allowing these inbound exceptions. -1. Explicitly defined allow rules will take precedence over the default block setting. - -2. Explicit block rules will take precedence over any conflicting allow rules. - -3. More specific rules will take precedence over less specific rules, except if there are explicit block rules as mentioned in 2. (For example, if the parameters of rule 1 include an IP address range, while the parameters of rule 2 include a single IP host address, rule 2 will take precedence.) +1. Explicitly defined allow rules will take precedence over the default block setting. +1. Explicit block rules will take precedence over any conflicting allow rules. +1. More specific rules will take precedence over less specific rules, except if there are explicit block rules as mentioned in 2. (For example, if the parameters of rule 1 include an IP address range, while the parameters of rule 2 include a single IP host address, rule 2 will take precedence.) Because of 1 and 2, it's important that, when designing a set of policies, you make sure that there are no other explicit block rules in place that could inadvertently overlap, thus preventing the traffic flow you wish to allow. A general security best practice when creating inbound rules is to be as specific as possible. However, when new rules must be made that use ports or IP addresses, consider using consecutive ranges or subnets instead of individual addresses or ports where possible. This approach avoids creation of multiple filters under the hood, reduces complexity, and helps to avoid performance degradation. -> [!NOTE] -> Windows Defender Firewall does not support traditional weighted, administrator-assigned rule ordering. An effective policy set with expected behaviors can be created by keeping in mind the few, consistent, and logical rule behaviors described above. +> [!NOTE] +> Windows Defender Firewall does not support traditional weighted, administrator-assigned rule ordering. An effective policy set with expected behaviors can be created by keeping in mind the few, consistent, and logical rule behaviors described above. ## Create rules for new applications before first launch @@ -123,7 +102,6 @@ In either of the scenarios above, once these rules are added they must be delete > [!NOTE] > The firewall's default settings are designed for security. Allowing all inbound connections by default introduces the network to various threats. Therefore, creating exceptions for inbound connections from third-party software should be determined by trusted app developers, the user, or the admin on behalf of the user. - ### Known issues with automatic rule creation When designing a set of firewall policies for your network, it's a best practice to configure allow rules for any networked applications deployed on the host. Having these rules in place before the user first launches the application will help ensure a seamless experience. @@ -132,11 +110,9 @@ The absence of these staged rules doesn't necessarily mean that in the end an ap To determine why some applications are blocked from communicating in the network, check for the following instances: -1. A user with sufficient privileges receives a query notification advising them that the application needs to make a change to the firewall policy. Not fully understanding the prompt, the user cancels or dismisses the prompt. - -2. A user lacks sufficient privileges and is therefore not prompted to allow the application to make the appropriate policy changes. - -3. Local Policy Merge is disabled, preventing the application or network service from creating local rules. +1. A user with sufficient privileges receives a query notification advising them that the application needs to make a change to the firewall policy. Not fully understanding the prompt, the user cancels or dismisses the prompt. +1. A user lacks sufficient privileges and is therefore not prompted to allow the application to make the appropriate policy changes. +1. Local Policy Merge is disabled, preventing the application or network service from creating local rules. Creation of application rules at runtime can also be prohibited by administrators using the Settings app or Group Policy. @@ -150,9 +126,9 @@ See also [Checklist: Creating Inbound Firewall Rules](./checklist-creating-inbou Firewall rules can be deployed: -1. Locally using the Firewall snap-in (**WF.msc**) -2. Locally using PowerShell -3. Remotely using Group Policy if the device is a member of an Active Directory Name, System Center Configuration Manager, or Intune (using workplace join) +1. Locally using the Firewall snap-in (**WF.msc**) +1. Locally using PowerShell +1. Remotely using Group Policy if the device is a member of an Active Directory Name, System Center Configuration Manager, or Intune (using workplace join) Rule merging settings control how rules from different policy sources can be combined. Administrators can configure different merge behaviors for Domain, Private, and Public profiles. @@ -163,8 +139,7 @@ The rule-merging settings either allow or prevent local administrators from crea *Figure 5: Rule merging setting* > [!TIP] -> In the firewall [configuration service provider](/windows/client-management/mdm/firewall-csp), the -equivalent setting is *AllowLocalPolicyMerge*. This setting can be found under each respective profile node, *DomainProfile*, *PrivateProfile*, and *PublicProfile*. +> In the firewall [configuration service provider](/windows/client-management/mdm/firewall-csp), the equivalent setting is *AllowLocalPolicyMerge*. This setting can be found under each respective profile node, *DomainProfile*, *PrivateProfile*, and *PublicProfile*. If merging of local policies is disabled, centralized deployment of rules is required for any app that needs inbound connectivity. @@ -173,15 +148,12 @@ Management (MDM), or both (for hybrid or co-management environments). [Firewall CSP](/windows/client-management/mdm/firewall-csp) and [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider) also have settings that can affect rule merging. -As a best practice, it's important to list and log such apps, including the network ports used for communications. Typically, you can find what ports must be open for a given service on the app's website. For more complex or customer application deployments, a more thorough analysis may be needed using network packet capture tools. +As a best practice, it's important to list and log such apps, including the network ports used for communications. Typically, you can find what ports must be open for a given service on the app's website. For more complex or customer application deployments, a more thorough analysis may be needed using network packet capture tools. In general, to maintain maximum security, admins should only push firewall exceptions for apps and services determined to serve legitimate purposes. - - > [!NOTE] -> The use of wildcard patterns, such as *C:\*\\teams.exe* is not -supported in application rules. We currently only support rules created using the full path to the application(s). +> The use of wildcard patterns, such as *C:\*\\teams.exe* is not supported in application rules. We currently only support rules created using the full path to the application(s). ## Know how to use "shields up" mode for active attacks @@ -208,15 +180,12 @@ Once the emergency is over, uncheck the setting to restore regular network traff What follows are a few general guidelines for configuring outbound rules. -- The default configuration of Blocked for Outbound rules can be - considered for certain highly secure environments. However, the Inbound rule configuration should never be changed in a way that Allows traffic by default. - -- It's recommended to Allow Outbound by default for most deployments for the sake of simplification around app deployments, unless the enterprise prefers tight security controls over ease-of-use. - -- In high security environments, an inventory of all enterprise-spanning apps must be taken and logged by the administrator or administrators. Records must include whether an app used requires network connectivity. Administrators will need to create new rules specific to each app that needs network connectivity and push those rules centrally, via group policy (GP), Mobile Device Management (MDM), or both (for hybrid or co-management environments). +- The default configuration of Blocked for Outbound rules can be considered for certain highly secure environments. However, the Inbound rule configuration should never be changed in a way that Allows traffic by default +- It's recommended to Allow Outbound by default for most deployments for the sake of simplification around app deployments, unless the enterprise prefers tight security controls over ease-of-use +- In high security environments, an inventory of all enterprise-spanning apps must be taken and logged by the administrator or administrators. Records must include whether an app used requires network connectivity. Administrators will need to create new rules specific to each app that needs network connectivity and push those rules centrally, via group policy (GP), Mobile Device Management (MDM), or both (for hybrid or co-management environments) For tasks related to creating outbound rules, see [Checklist: Creating Outbound Firewall Rules](./checklist-creating-outbound-firewall-rules.md). ## Document your changes -When creating an inbound or outbound rule, you should specify details about the app itself, the port range used, and important notes like creation date. Rules must be well-documented for ease of review both by you and other admins. We highly encourage taking the time to make the work of reviewing your firewall rules at a later date easier. And *never* create unnecessary holes in your firewall. +When creating an inbound or outbound rule, you should specify details about the app itself, the port range used, and important notes like creation date. Rules must be well-documented for ease of review both by you and other admins. We highly encourage taking the time to make the work of reviewing your firewall rules at a later date easier. And *never* create unnecessary holes in your firewall. diff --git a/windows/security/threat-protection/windows-firewall/boundary-zone-gpos.md b/windows/security/threat-protection/windows-firewall/boundary-zone-gpos.md index 5f387ab500..35518f5c27 100644 --- a/windows/security/threat-protection/windows-firewall/boundary-zone-gpos.md +++ b/windows/security/threat-protection/windows-firewall/boundary-zone-gpos.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/boundary-zone.md b/windows/security/threat-protection/windows-firewall/boundary-zone.md index ddf9562c69..fc8ce50228 100644 --- a/windows/security/threat-protection/windows-firewall/boundary-zone.md +++ b/windows/security/threat-protection/windows-firewall/boundary-zone.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md index 69e583f17a..7684a782be 100644 --- a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md +++ b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md index 147120e57c..ae9e0d2610 100644 --- a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md b/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md index cba7590b63..98faaf9390 100644 --- a/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md +++ b/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md index 6cabec1bf7..6e55af017d 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md +++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md index f07cb38e30..42dedfb5a6 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md +++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md index 3b68925db4..7a27fdafd9 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md +++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md index 41a43f9038..e13496eb9d 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md +++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md index 389b23caf6..1a33764cd6 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md +++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md index aea70dd3ea..146c7be617 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md +++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/checklist-creating-group-policy-objects.md b/windows/security/threat-protection/windows-firewall/checklist-creating-group-policy-objects.md index b7921828f2..2437571f7b 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-creating-group-policy-objects.md +++ b/windows/security/threat-protection/windows-firewall/checklist-creating-group-policy-objects.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md b/windows/security/threat-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md index de58dbc7eb..a334a5eedd 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md +++ b/windows/security/threat-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md b/windows/security/threat-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md index 54b97c48ac..556a01f1c5 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md +++ b/windows/security/threat-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md b/windows/security/threat-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md index c13d088e5d..7a3a496e98 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md +++ b/windows/security/threat-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md index 53258f6a73..70b910425b 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md index 11b301d872..f5cc9a2ba8 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md index eb3067f9be..ce9abfe303 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md index f3889b86b2..db49df08e9 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md b/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md index 0b796f7211..60e8551837 100644 --- a/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md +++ b/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/configure-data-protection-quick-mode-settings.md b/windows/security/threat-protection/windows-firewall/configure-data-protection-quick-mode-settings.md index 767fc1f408..089e73a9ab 100644 --- a/windows/security/threat-protection/windows-firewall/configure-data-protection-quick-mode-settings.md +++ b/windows/security/threat-protection/windows-firewall/configure-data-protection-quick-mode-settings.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md b/windows/security/threat-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md index 100761b6b1..2526c140bf 100644 --- a/windows/security/threat-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md +++ b/windows/security/threat-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md b/windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md index a2f9b0187f..dc610001a5 100644 --- a/windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md +++ b/windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md b/windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md index d20d03f5d7..35828e953a 100644 --- a/windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md +++ b/windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md b/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md index bc9c1a9e12..c025101f58 100644 --- a/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md +++ b/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md b/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md index df6d6a8219..3e77330596 100644 --- a/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md +++ b/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md @@ -19,6 +19,7 @@ appliesto: - ✅ Windows Server 2016 - ✅ Windows Server 2019 - ✅ Windows Server 2022 +ms.topic: conceptual --- # Configure the Workstation Authentication Certificate Template diff --git a/windows/security/threat-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md b/windows/security/threat-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md index 8ec39eb754..26b8f6be29 100644 --- a/windows/security/threat-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md +++ b/windows/security/threat-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md b/windows/security/threat-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md index 503e1a1509..5c43673b29 100644 --- a/windows/security/threat-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md +++ b/windows/security/threat-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md b/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md index 89e08b0200..ed4354a524 100644 --- a/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md +++ b/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: itpro-security @@ -43,6 +42,8 @@ To complete this procedure, you must be a member of the Domain Administrators gr 4. In the navigation pane, right-click **Group Policy Objects** again, and then click **Paste**. + :::image type="content" alt-text="Screenshot that shows Copy Paste GPO." source="images/grouppolicy-paste.png"::: + 5. In the **Copy GPO** dialog box, click **Preserve the existing permissions**, and then click **OK**. Selecting this option preserves any exception groups to which you denied Read and Apply GPO permissions, making the change simpler. 6. After the copy is complete, click **OK**. The new GPO is named **Copy of** *original GPO name*. diff --git a/windows/security/threat-protection/windows-firewall/create-a-group-account-in-active-directory.md b/windows/security/threat-protection/windows-firewall/create-a-group-account-in-active-directory.md index b2add7fde0..1987320e47 100644 --- a/windows/security/threat-protection/windows-firewall/create-a-group-account-in-active-directory.md +++ b/windows/security/threat-protection/windows-firewall/create-a-group-account-in-active-directory.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md b/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md index c714c14def..f8f7c3977f 100644 --- a/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md +++ b/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md @@ -13,7 +13,6 @@ author: paolomatarazzo manager: aaroncz audience: ITPro ms.collection: - - M365-security-compliance - highpri ms.topic: conceptual ms.date: 09/07/2021 diff --git a/windows/security/threat-protection/windows-firewall/create-an-authentication-exemption-list-rule.md b/windows/security/threat-protection/windows-firewall/create-an-authentication-exemption-list-rule.md index fb37c6b565..7a0d8b8743 100644 --- a/windows/security/threat-protection/windows-firewall/create-an-authentication-exemption-list-rule.md +++ b/windows/security/threat-protection/windows-firewall/create-an-authentication-exemption-list-rule.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md b/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md index e1b9c05bb2..1c1d6c0e60 100644 --- a/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md +++ b/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule.md b/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule.md index f89624ab3a..8045d1975d 100644 --- a/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule.md +++ b/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md b/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md index 3a2283e1cd..ea3861bad7 100644 --- a/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md +++ b/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md @@ -13,7 +13,6 @@ author: paolomatarazzo manager: aaroncz audience: ITPro ms.collection: - - M365-security-compliance - highpri ms.topic: conceptual ms.date: 09/07/2021 diff --git a/windows/security/threat-protection/windows-firewall/create-an-inbound-program-or-service-rule.md b/windows/security/threat-protection/windows-firewall/create-an-inbound-program-or-service-rule.md index 23682f8f12..5c79645f58 100644 --- a/windows/security/threat-protection/windows-firewall/create-an-inbound-program-or-service-rule.md +++ b/windows/security/threat-protection/windows-firewall/create-an-inbound-program-or-service-rule.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule.md b/windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule.md index 83e8906a26..9ce8ea91f2 100644 --- a/windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule.md +++ b/windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz audience: ITPro -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md b/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md index b9cfe0dd86..02116e5f9f 100644 --- a/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md +++ b/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md @@ -7,7 +7,6 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md b/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md index f9e1408e99..4ecf74444b 100644 --- a/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md +++ b/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md @@ -7,7 +7,6 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md index a3d1293e65..4782bb53e2 100644 --- a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md +++ b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md @@ -7,7 +7,6 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.technology: itpro-security appliesto: @@ -16,6 +15,7 @@ appliesto: - ✅ Windows Server 2016 - ✅ Windows Server 2019 - ✅ Windows Server 2022 +ms.date: 12/31/2017 --- # Create Windows Firewall rules in Intune diff --git a/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md b/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md index 591aa2000d..77ea069a39 100644 --- a/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md +++ b/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md @@ -8,7 +8,6 @@ ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz ms.collection: - - M365-security-compliance - highpri ms.topic: conceptual ms.date: 09/07/2021 diff --git a/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md b/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md index 7cdf313e6c..5d7dc149f9 100644 --- a/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md +++ b/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md @@ -7,7 +7,6 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md b/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md index e4f4c426db..68a9b98493 100644 --- a/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md +++ b/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md @@ -7,7 +7,6 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/documenting-the-zones.md b/windows/security/threat-protection/windows-firewall/documenting-the-zones.md index ecd84a43b9..8694e3c9fc 100644 --- a/windows/security/threat-protection/windows-firewall/documenting-the-zones.md +++ b/windows/security/threat-protection/windows-firewall/documenting-the-zones.md @@ -7,7 +7,6 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md index 9e3463ee29..60932b1a3d 100644 --- a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md +++ b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md @@ -7,7 +7,6 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md index 1e198851ed..d906a7fa27 100644 --- a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md @@ -7,7 +7,6 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/enable-predefined-inbound-rules.md b/windows/security/threat-protection/windows-firewall/enable-predefined-inbound-rules.md index 0f5acc57e9..8e5cbc491c 100644 --- a/windows/security/threat-protection/windows-firewall/enable-predefined-inbound-rules.md +++ b/windows/security/threat-protection/windows-firewall/enable-predefined-inbound-rules.md @@ -7,7 +7,6 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md b/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md index c77a74cf72..818f3191e4 100644 --- a/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md +++ b/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md @@ -7,7 +7,6 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md b/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md index ae7e6858d2..ec8427d677 100644 --- a/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md +++ b/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md @@ -7,7 +7,6 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/encryption-zone.md b/windows/security/threat-protection/windows-firewall/encryption-zone.md index bd4e7b1f25..0cf4b23338 100644 --- a/windows/security/threat-protection/windows-firewall/encryption-zone.md +++ b/windows/security/threat-protection/windows-firewall/encryption-zone.md @@ -7,7 +7,6 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md b/windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md index 731c0ad6fe..759c9f4ce3 100644 --- a/windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md +++ b/windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md @@ -7,7 +7,6 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md b/windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md index d14ee96cbf..a37aa1bb81 100644 --- a/windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md +++ b/windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md @@ -7,7 +7,6 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/exemption-list.md b/windows/security/threat-protection/windows-firewall/exemption-list.md index 1fffa210de..e90686a631 100644 --- a/windows/security/threat-protection/windows-firewall/exemption-list.md +++ b/windows/security/threat-protection/windows-firewall/exemption-list.md @@ -7,7 +7,6 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md b/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md index 1b297a4a99..9f9f8dbc43 100644 --- a/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md +++ b/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md @@ -7,9 +7,6 @@ ms.prod: windows-client ms.localizationpriority: normal author: paolomatarazzo manager: aaroncz -ms.collection: - - m365-security-compliance - - m365-initiative-windows-security ms.topic: troubleshooting ms.technology: itpro-security appliesto: @@ -18,6 +15,7 @@ appliesto: - ✅ Windows Server 2016 - ✅ Windows Server 2019 - ✅ Windows Server 2022 +ms.date: 12/31/2017 --- # Filter origin audit log improvements diff --git a/windows/security/threat-protection/windows-firewall/firewall-gpos.md b/windows/security/threat-protection/windows-firewall/firewall-gpos.md index 0092797805..08a86364ba 100644 --- a/windows/security/threat-protection/windows-firewall/firewall-gpos.md +++ b/windows/security/threat-protection/windows-firewall/firewall-gpos.md @@ -7,7 +7,6 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md b/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md index 5b30251565..948e5e1bab 100644 --- a/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md +++ b/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md @@ -7,7 +7,6 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/firewall-settings-lost-on-upgrade.md b/windows/security/threat-protection/windows-firewall/firewall-settings-lost-on-upgrade.md index c18f9f8d11..ae7a47f809 100644 --- a/windows/security/threat-protection/windows-firewall/firewall-settings-lost-on-upgrade.md +++ b/windows/security/threat-protection/windows-firewall/firewall-settings-lost-on-upgrade.md @@ -7,9 +7,6 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz -ms.collection: - - m365-security-compliance - - m365-initiative-windows-security ms.topic: troubleshooting ms.technology: itpro-security appliesto: @@ -18,6 +15,7 @@ appliesto: - ✅ Windows Server 2016 - ✅ Windows Server 2019 - ✅ Windows Server 2022 +ms.date: 12/31/2017 --- # Troubleshooting Windows Firewall settings after a Windows upgrade diff --git a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md index ba94e03160..7e8e014d6c 100644 --- a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md +++ b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md @@ -7,7 +7,6 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md index 62a1db3b76..5a815ce133 100644 --- a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md +++ b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md @@ -7,7 +7,6 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md index 6eba9eaa00..c004735816 100644 --- a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md +++ b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md @@ -7,7 +7,6 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md b/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md index fbbc390730..8655113adc 100644 --- a/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md +++ b/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md @@ -7,7 +7,6 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md b/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md index 4d8b90e2f1..27014f95a8 100644 --- a/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md +++ b/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md @@ -7,7 +7,6 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md index 2e0dfd5e6b..e01a4c33c8 100644 --- a/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md +++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md @@ -7,7 +7,6 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md index c16453f08a..abf7fcbadf 100644 --- a/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md +++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md @@ -5,7 +5,6 @@ ms.reviewer: jekrynit ms.author: paoloma author: paolomatarazzo manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.prod: windows-client ms.localizationpriority: medium diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md index 1588f6d060..19d5d2f4fe 100644 --- a/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md +++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md @@ -7,7 +7,6 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md index 82ef3d2e1d..8147d76ef7 100644 --- a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md +++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md @@ -7,7 +7,6 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md index 82b84d2890..fadc52139d 100644 --- a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md +++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md @@ -7,7 +7,6 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md b/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md index ff2b90f628..877c262554 100644 --- a/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md +++ b/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md @@ -7,7 +7,6 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/images/grouppolicy-paste.png b/windows/security/threat-protection/windows-firewall/images/grouppolicy-paste.png new file mode 100644 index 0000000000..ba2de148f1 Binary files /dev/null and b/windows/security/threat-protection/windows-firewall/images/grouppolicy-paste.png differ diff --git a/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md b/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md index b2b6b365fc..c745825369 100644 --- a/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md +++ b/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md @@ -7,7 +7,6 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md b/windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md index e0ce74ae93..2cede95e14 100644 --- a/windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md +++ b/windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md @@ -7,7 +7,6 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/isolated-domain.md b/windows/security/threat-protection/windows-firewall/isolated-domain.md index 062814252f..2f854ff73f 100644 --- a/windows/security/threat-protection/windows-firewall/isolated-domain.md +++ b/windows/security/threat-protection/windows-firewall/isolated-domain.md @@ -7,7 +7,6 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md b/windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md index 561d3ab30f..5724da80ea 100644 --- a/windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md +++ b/windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md @@ -5,7 +5,6 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.reviewer: jekrynit diff --git a/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md b/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md index 9d5d01e830..f3eb72f2e3 100644 --- a/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md +++ b/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md @@ -7,7 +7,6 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md b/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md index 9290de13c5..b0597ddac5 100644 --- a/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md +++ b/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md @@ -7,7 +7,6 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md b/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md index 969256d600..2db48a89d3 100644 --- a/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md +++ b/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md @@ -7,7 +7,6 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md index b028f16bd9..e55dca92b4 100644 --- a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md +++ b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md @@ -7,7 +7,6 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md index c71a87bdc4..0dead272e0 100644 --- a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md +++ b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md @@ -8,7 +8,6 @@ ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz ms.collection: - - M365-security-compliance - highpri ms.topic: conceptual ms.date: 09/08/2021 diff --git a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md index 7f35f2c4e3..f51325daf5 100644 --- a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md +++ b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md @@ -7,7 +7,6 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md index a3d6128d8e..85c5fb4099 100644 --- a/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md +++ b/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md @@ -7,7 +7,6 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md b/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md index 5d059e7bc3..b0b4bc000c 100644 --- a/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md +++ b/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md @@ -7,7 +7,6 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md b/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md index ea204961e8..a29847e44c 100644 --- a/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md +++ b/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md @@ -7,7 +7,6 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md b/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md index 6931536f0f..7e46a275c4 100644 --- a/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md +++ b/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md @@ -7,7 +7,6 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md b/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md index 04a0e7ccdd..02e00fb3c5 100644 --- a/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md +++ b/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md @@ -7,7 +7,6 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md b/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md index b5d583e0e9..4eefdea9e1 100644 --- a/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md +++ b/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md @@ -7,7 +7,6 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md b/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md index d91b63d005..4515218f2b 100644 --- a/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md +++ b/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md @@ -7,7 +7,6 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md b/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md index 9175be95f8..c96545cf8b 100644 --- a/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md +++ b/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md @@ -7,7 +7,6 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md b/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md index 1f59adb3cf..027506a427 100644 --- a/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md +++ b/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md @@ -7,7 +7,6 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/planning-the-gpos.md b/windows/security/threat-protection/windows-firewall/planning-the-gpos.md index 8e5f1ac2f9..572fa33116 100644 --- a/windows/security/threat-protection/windows-firewall/planning-the-gpos.md +++ b/windows/security/threat-protection/windows-firewall/planning-the-gpos.md @@ -7,7 +7,6 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md index c0aa22cdbb..e9691ceada 100644 --- a/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md +++ b/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md @@ -7,7 +7,6 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md b/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md index b43ec8cc93..22b46bd189 100644 --- a/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md +++ b/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md @@ -7,7 +7,6 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md b/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md index a91f2973da..430a461918 100644 --- a/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md +++ b/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md @@ -7,7 +7,6 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md b/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md index 45506318ea..3cb9728be9 100644 --- a/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md +++ b/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md @@ -7,7 +7,6 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 01/18/2022 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/quarantine.md b/windows/security/threat-protection/windows-firewall/quarantine.md index 8cae981937..55de70d2af 100644 --- a/windows/security/threat-protection/windows-firewall/quarantine.md +++ b/windows/security/threat-protection/windows-firewall/quarantine.md @@ -7,7 +7,6 @@ manager: aaroncz ms.reviewer: jekrynit ms.prod: windows-client ms.localizationpriority: normal -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md b/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md index 49ce9f4442..d478752b6a 100644 --- a/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md +++ b/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md @@ -7,7 +7,6 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md index 5085bc1098..efc90aca28 100644 --- a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md +++ b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md @@ -7,7 +7,6 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md index b22bd127a3..7dca23dc7e 100644 --- a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md +++ b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md @@ -7,7 +7,6 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md b/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md index b729ccfeb1..091d80f05a 100644 --- a/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md +++ b/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md @@ -7,7 +7,6 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md b/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md index f30c95e52c..03f3651091 100644 --- a/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md +++ b/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md @@ -5,7 +5,6 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.reviewer: jekrynit diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md b/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md index 5a4635e28f..f4d1fc60c6 100644 --- a/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md +++ b/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md @@ -7,7 +7,6 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md index 00c2d9cd9a..97ae77f6c1 100644 --- a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md +++ b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md @@ -7,7 +7,6 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md index cab997937a..1b500c186c 100644 --- a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md @@ -7,7 +7,6 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md b/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md index 1d10511499..08eda94fb7 100644 --- a/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md +++ b/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md @@ -7,9 +7,6 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz -ms.collection: - - m365-security-compliance - - m365-initiative-windows-security ms.topic: troubleshooting ms.technology: itpro-security appliesto: @@ -18,6 +15,7 @@ appliesto: - ✅ Windows Server 2016 - ✅ Windows Server 2019 - ✅ Windows Server 2022 +ms.date: 12/31/2017 --- # Troubleshooting UWP App Connectivity Issues diff --git a/windows/security/threat-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md b/windows/security/threat-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md index 464d0a2e3d..5e70140b77 100644 --- a/windows/security/threat-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md +++ b/windows/security/threat-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md @@ -7,7 +7,6 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md b/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md index 40d884c100..cbf01ad656 100644 --- a/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md +++ b/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md @@ -5,7 +5,6 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.reviewer: jekrynit diff --git a/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md b/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md index 56fcc17fbc..f260e9c06d 100644 --- a/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md +++ b/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md @@ -7,7 +7,6 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md index 62117c90aa..cf9152516d 100644 --- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md +++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md @@ -5,7 +5,6 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.reviewer: jekrynit diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md index a7027ab879..6a6d733678 100644 --- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md +++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md @@ -7,7 +7,6 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md index 3579f01b70..e095007a7d 100644 --- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md +++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md @@ -7,7 +7,6 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: itpro-security diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md index 26eefe0a15..56c5f70707 100644 --- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md +++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md @@ -7,7 +7,6 @@ author: paolomatarazzo ms.author: paoloma manager: aaroncz ms.collection: - - M365-security-compliance - highpri ms.topic: conceptual ms.date: 09/08/2021 diff --git a/windows/security/threat-protection/windows-platform-common-criteria.md b/windows/security/threat-protection/windows-platform-common-criteria.md index 4578d9eb6c..5d976ff196 100644 --- a/windows/security/threat-protection/windows-platform-common-criteria.md +++ b/windows/security/threat-protection/windows-platform-common-criteria.md @@ -1,16 +1,15 @@ --- title: Common Criteria Certifications description: This topic details how Microsoft supports the Common Criteria certification program. -ms.prod: m365-security +ms.prod: windows-client ms.author: paoloma author: paolomatarazzo manager: aaroncz -ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.date: 11/4/2022 ms.reviewer: -ms.technology: windows-sec +ms.technology: itpro-security --- # Common Criteria certifications diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-architecture.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-architecture.md index 82a8b404e8..0dfbc42f89 100644 --- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-architecture.md +++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-architecture.md @@ -5,17 +5,14 @@ ms.prod: windows-client author: vinaypamnani-msft ms.author: vinpa manager: aaroncz -ms.collection: ms.topic: article -ms.localizationpriority: -ms.date: -ms.reviewer: +ms.date: 6/30/2022 ms.technology: itpro-security --- # Windows Sandbox architecture -Windows Sandbox benefits from new container technology in Windows to achieve a combination of security, density, and performance that isn't available in traditional VMs. +Windows Sandbox benefits from new container technology in Windows to achieve a combination of security, density, and performance that isn't available in traditional VMs. ## Dynamically generated image diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md index 7f5b3c7832..2b518a0153 100644 --- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md +++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md @@ -8,9 +8,7 @@ manager: aaroncz ms.collection: - highpri ms.topic: article -ms.localizationpriority: medium -ms.date: -ms.reviewer: +ms.date: 6/30/2022 ms.technology: itpro-security --- @@ -229,12 +227,14 @@ With the Visual Studio Code installer script already mapped into the sandbox, th ### VSCodeInstall.cmd +Download vscode to `downloads` folder and run from `downloads` folder + ```batch REM Download Visual Studio Code -curl -L "https://update.code.visualstudio.com/latest/win32-x64-user/stable" --output C:\users\WDAGUtilityAccount\Desktop\vscode.exe +curl -L "https://update.code.visualstudio.com/latest/win32-x64-user/stable" --output C:\users\WDAGUtilityAccount\Downloads\vscode.exe REM Install and run Visual Studio Code -C:\users\WDAGUtilityAccount\Desktop\vscode.exe /verysilent /suppressmsgboxes +C:\users\WDAGUtilityAccount\Downloads\vscode.exe /verysilent /suppressmsgboxes ``` ### VSCode.wsb @@ -244,15 +244,17 @@ C:\users\WDAGUtilityAccount\Desktop\vscode.exe /verysilent /suppressmsgboxes C:\SandboxScripts + C:\Users\WDAGUtilityAccount\Downloads\sandbox true C:\CodingProjects + C:\Users\WDAGUtilityAccount\Documents\Projects false - C:\Users\WDAGUtilityAccount\Desktop\SandboxScripts\VSCodeInstall.cmd + C:\Users\WDAGUtilityAccount\Downloads\sandbox\VSCodeInstall.cmd ``` diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md index 60ccff4e09..3987f694a9 100644 --- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md +++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md @@ -8,13 +8,11 @@ manager: aaroncz ms.collection: - highpri ms.topic: article -ms.localizationpriority: -ms.date: -ms.reviewer: +ms.date: 6/30/2022 ms.technology: itpro-security --- -# Windows Sandbox +# Windows Sandbox Windows Sandbox provides a lightweight desktop environment to safely run applications in isolation. Software installed inside the Windows Sandbox environment remains "sandboxed" and runs separately from the host machine. @@ -51,7 +49,7 @@ Windows Sandbox has the following properties: - If you're using a virtual machine, run the following PowerShell command to enable nested virtualization: ```powershell - Set-VMProcessor -VMName \ -ExposeVirtualizationExtensions $true + Set-VMProcessor -VMName -ExposeVirtualizationExtensions $true ``` 3. Use the search bar on the task bar and type **Turn Windows Features on or off** to access the Windows Optional Features tool. Select **Windows Sandbox** and then **OK**. Restart the computer if you're prompted. @@ -59,7 +57,11 @@ Windows Sandbox has the following properties: If the **Windows Sandbox** option is unavailable, your computer doesn't meet the requirements to run Windows Sandbox. If you think this analysis is incorrect, review the prerequisite list and steps 1 and 2. > [!NOTE] - > To enable Sandbox using PowerShell, open PowerShell as Administrator and run **Enable-WindowsOptionalFeature -FeatureName "Containers-DisposableClientVM" -All -Online**. + > To enable Sandbox using PowerShell, open PowerShell as Administrator and run the following command: + > + > ```powershell + > Enable-WindowsOptionalFeature -FeatureName "Containers-DisposableClientVM" -All -Online + > ``` 4. Locate and select **Windows Sandbox** on the Start menu to run it for the first time. diff --git a/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md b/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md index 1f712dc9f7..65d2045cbc 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md @@ -6,7 +6,6 @@ ms.localizationpriority: medium ms.author: vinpa author: vinaypamnani-msft manager: aaroncz -ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 10/19/2022 ms.reviewer: jmunck @@ -55,7 +54,7 @@ No. SCM supported only SCAP 1.0, which wasn't updated as SCAP evolved. The new t | Name | Build | Baseline Release Date | Security Tools | | ---- | ----- | --------------------- | -------------- | | Windows 11 | [22H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-11-version-22h2-security-baseline/ba-p/3632520)
                              | September 2022
                              |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) | -| Windows 10 | [22H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-10-version-22h2-security-baseline/ba-p/3655724)
                              [21H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-windows-10-version-21h2/ba-p/3042703)
                              [21H1](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-version-21h1/ba-p/2362353)
                              [20H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-and-windows-server/ba-p/1999393)
                              [1809](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-v1809-and-windows-server/ba-p/701082)
                              [1607](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016)
                              [1507](/archive/blogs/secguide/security-baseline-for-windows-10-v1507-build-10240-th1-ltsb-update)| October 2022
                              December 2021
                              May 2021
                              December 2020
                              October 2018
                              October 2016
                              January 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) | +| Windows 10 | [22H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-10-version-22h2-security-baseline/ba-p/3655724)
                              [21H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-windows-10-version-21h2/ba-p/3042703)
                              [20H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-and-windows-server/ba-p/1999393)
                              [1809](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-v1809-and-windows-server/ba-p/701082)
                              [1607](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016)
                              [1507](/archive/blogs/secguide/security-baseline-for-windows-10-v1507-build-10240-th1-ltsb-update)| October 2022
                              December 2021
                              December 2020
                              October 2018
                              October 2016
                              January 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) | Windows 8.1 |[9600 (April Update)](/archive/blogs/secguide/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final)| October 2013| [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) |
                              @@ -77,7 +76,7 @@ Windows 8.1 |[9600 (April Update)](/archive/blogs/secguide/security-baselines-fo | Name | Details | Security Tools | |---------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------| | Microsoft 365 Apps for enterprise, version 2206 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-microsoft-365-apps-for-enterprise-v2206/ba-p/3502714) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) | -| Microsoft Edge, version 98 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-v98/ba-p/3165443) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) | +| Microsoft Edge, version 107 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-v98/ba-p/3165443) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
                              diff --git a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md index a3d0a27f9d..b08b62f673 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md @@ -7,7 +7,6 @@ ms.author: vinpa author: vinaypamnani-msft manager: aaroncz ms.collection: - - M365-security-compliance - highpri ms.topic: conceptual ms.date: 02/14/2022 @@ -32,7 +31,6 @@ The Security Compliance Toolkit consists of: - Windows 10 security baselines - Windows 10, version 22H2 - Windows 10, version 21H2 - - Windows 10, version 21H1 - Windows 10, version 20H2 - Windows 10, version 1809 - Windows 10, version 1607 @@ -49,7 +47,7 @@ The Security Compliance Toolkit consists of: - Microsoft 365 Apps for Enterprise Version 2206 - Microsoft Edge security baseline - - Edge version 98 + - Edge version 107 - Tools - Policy Analyzer diff --git a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md index 5bedbaf17a..0c513379b1 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md @@ -7,7 +7,6 @@ ms.author: vinpa author: vinaypamnani-msft manager: aaroncz ms.collection: - - M365-security-compliance - highpri ms.topic: conceptual ms.date: 01/26/2022 @@ -66,7 +65,7 @@ There are several ways to get and use security baselines: 2. [Mobile device management (MDM) security baselines](/windows/client-management/mdm/#mdm-security-baseline) function like the Microsoft group policy-based security baselines and can easily integrate these baselines into an existing MDM management tool. -3. MDM security baselines can easily be configures in Microsoft Intune on devices that run Windows 10 and Windows 11. For more information, see [List of the settings in the Windows 10/11 MDM security baseline in Intune](/mem/intune/protect/security-baseline-settings-mdm-all). +3. MDM security baselines can easily be configured in Microsoft Intune on devices that run Windows 10 and Windows 11. For more information, see [List of the settings in the Windows 10/11 MDM security baseline in Intune](/mem/intune/protect/security-baseline-settings-mdm-all). ## Community diff --git a/windows/security/trusted-boot.md b/windows/security/trusted-boot.md index 37a654e8fd..64689039a1 100644 --- a/windows/security/trusted-boot.md +++ b/windows/security/trusted-boot.md @@ -1,18 +1,18 @@ --- title: Secure Boot and Trusted Boot description: Trusted Boot prevents corrupted components from loading during the boot-up process in Windows 11 -search.appverid: MET150 +search.appverid: MET150 author: vinaypamnani-msft ms.author: vinpa -manager: aaroncz +manager: aaroncz ms.topic: conceptual ms.date: 09/21/2021 -ms.prod: m365-security -ms.technology: windows-sec +ms.prod: windows-client +ms.technology: itpro-security ms.localizationpriority: medium ms.collection: ms.custom: -ms.reviewer: jsuther +ms.reviewer: jsuther --- # Secure Boot and Trusted Boot diff --git a/windows/security/zero-trust-windows-device-health.md b/windows/security/zero-trust-windows-device-health.md index 49dbfdd3d3..d6159d39a6 100644 --- a/windows/security/zero-trust-windows-device-health.md +++ b/windows/security/zero-trust-windows-device-health.md @@ -1,19 +1,19 @@ --- -title: Zero Trust and Windows device health +title: Zero Trust and Windows device health description: Describes the process of Windows device health attestation ms.reviewer: ms.topic: article manager: aaroncz ms.author: paoloma author: paolomatarazzo -ms.collection: M365-security-compliance ms.custom: intro-overview -ms.prod: m365-security -ms.technology: windows-sec +ms.prod: windows-client +ms.technology: itpro-security +ms.date: 12/31/2017 --- # Zero Trust and Windows device health -Organizations need a security model that more effectively adapts to the complexity of the modern work environment. IT admins need to embrace the hybrid workplace, while protecting people, devices, apps, and data wherever they’re located. Implementing a Zero Trust model for security helps addresses today's complex environments. +Organizations need a security model that more effectively adapts to the complexity of the modern work environment. IT admins need to embrace the hybrid workplace, while protecting people, devices, apps, and data wherever they’re located. Implementing a Zero Trust model for security helps address today's complex environments. The [Zero Trust](https://www.microsoft.com/security/business/zero-trust) principles are: diff --git a/windows/whats-new/TOC.yml b/windows/whats-new/TOC.yml index 6a59ce9b38..d432c8a8ff 100644 --- a/windows/whats-new/TOC.yml +++ b/windows/whats-new/TOC.yml @@ -12,13 +12,24 @@ - name: Prepare for Windows 11 href: windows-11-prepare.md - name: What's new in Windows 11, version 22H2 - href: whats-new-windows-11-version-22h2.md + href: whats-new-windows-11-version-22h2.md - name: Windows 10 expanded: true items: + - name: What's new in Windows 10, version 22H2 + href: whats-new-windows-10-version-22H2.md - name: What's new in Windows 10, version 21H2 href: whats-new-windows-10-version-21H2.md - name: What's new in Windows 10, version 21H1 href: whats-new-windows-10-version-21H1.md - name: What's new in Windows 10, version 20H2 href: whats-new-windows-10-version-20H2.md +- name: Deprecated and removed Windows features + expanded: false + items: + - name: Windows client features lifecycle + href: feature-lifecycle.md + - name: Deprecated Windows features + href: deprecated-features.md + - name: Removed Windows features + href: removed-features.md \ No newline at end of file diff --git a/windows/deployment/planning/windows-10-deprecated-features.md b/windows/whats-new/deprecated-features.md similarity index 89% rename from windows/deployment/planning/windows-10-deprecated-features.md rename to windows/whats-new/deprecated-features.md index e2d52b176a..3c58ebfc65 100644 --- a/windows/deployment/planning/windows-10-deprecated-features.md +++ b/windows/whats-new/deprecated-features.md @@ -1,12 +1,12 @@ --- -title: Deprecated features in Windows client +title: Deprecated features in the Windows client description: Review the list of features that Microsoft is no longer developing in Windows 10 and Windows 11. -ms.date: 10/28/2022 +ms.date: 12/05/2022 ms.prod: windows-client ms.technology: itpro-fundamentals ms.localizationpriority: medium -author: frankroj -ms.author: frankroj +author: mestew +ms.author: mstewart manager: aaroncz ms.reviewer: ms.topic: article @@ -19,14 +19,16 @@ ms.topic: article - Windows 10 - Windows 11 -Each version of Windows client adds new features and functionality. Occasionally, new versions also remove features and functionality, often because they've added a newer option. This article provides details about the features and functionalities that are no longer being developed in Windows client. For more information about features that have been removed, see [Windows features removed](windows-10-removed-features.md). +Each version of Windows client adds new features and functionality. Occasionally, new versions also remove features and functionality, often because they've added a newer option. This article provides details about the features and functionalities that are no longer being developed in Windows client. For more information about features that have been removed, see [Windows features removed](removed-features.md). For more information about features in Windows 11, see [Feature deprecations and removals](https://www.microsoft.com/windows/windows-11-specifications#table3). -To understand the distinction between _deprecation_ and _removal_, see [Windows client features lifecycle](features-lifecycle.md). +To understand the distinction between *deprecation* and *removal*, see [Windows client features lifecycle](feature-lifecycle.md). The features in this article are no longer being actively developed, and might be removed in a future update. Some features have been replaced with other features or functionality and some are now available from other sources. +## Deprecated features + **The following list is subject to change and might not include every affected feature or functionality.** > [!NOTE] @@ -34,6 +36,8 @@ The features in this article are no longer being actively developed, and might b |Feature | Details and mitigation | Deprecation announced | | ----------- | --------------------- | ---- | +| Universal Windows Platform (UWP) Applications for 32-bit Arm | This change is applicable only to devices with an Arm processor, for example Snapdragon processors from Qualcomm. If you have a PC built with a processor from Intel or AMD, this content is not applicable. If you are not sure which type of processor you have, check **Settings** > **System** > **About**.

                              Support for 32-bit Arm versions of applications will be removed in a future release of Windows 11. After this change, for the small number of applications affected, app features might be different and you might notice a difference in performance. For more technical details about this change, see [Update app architecture from Arm32 to Arm64](/windows/arm/arm32-to-arm64). | January 2023 | +| Update Compliance | [Update Compliance](/windows/deployment/update/update-compliance-monitor), a cloud-based service for the Windows client, is no longer being developed. This service has been replaced with [Windows Update for Business reports](/windows/deployment/update/wufb-reports-overview), which provides reporting on client compliance with Microsoft updates from the Azure portal. | November 2022| | Windows Information Protection | [Windows Information Protection](/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip) will no longer be developed in future versions of Windows. For more information, see [Announcing sunset of Windows Information Protection (WIP)](https://go.microsoft.com/fwlink/?linkid=2202124).

                              For your data protection needs, Microsoft recommends that you use [Microsoft Purview Information Protection](/microsoft-365/compliance/information-protection) and [Microsoft Purview Data Loss Prevention](/microsoft-365/compliance/dlp-learn-about-dlp). | July 2022 | | BitLocker To Go Reader | **Note: BitLocker to Go as a feature is still supported.**
                              Reading of BitLocker-protected removable drives ([BitLocker To Go](/windows/security/information-protection/bitlocker/bitlocker-to-go-faq)) from Windows XP or Windows Vista in later operating systems is deprecated and might be removed in a future release of Windows client.
                              The following items might not be available in a future release of Windows client:
                              - ADMX policy: **Allow access to BitLocker-protected removable data drives from earlier versions of Windows**
                              - Command line parameter: [`manage-bde -DiscoveryVolumeType`](/windows-server/administration/windows-commands/manage-bde-on) (-dv)
                              - Catalog file: **c:\windows\BitLockerDiscoveryVolumeContents**
                              - BitLocker 2 Go Reader app: **bitlockertogo.exe** and associated files | 21H1 | | Personalization roaming | Roaming of Personalization settings (including wallpaper, slideshow, accent colors, and lock screen images) is no longer being developed and might be removed in a future release. | 21H1 | @@ -75,7 +79,7 @@ The features in this article are no longer being actively developed, and might b |Windows Hello for Business deployment that uses Microsoft Configuration Manager |Windows Server 2016 Active Directory Federation Services - Registration Authority (ADFS RA) deployment is simpler and provides a better user experience and a more deterministic certificate enrollment experience. | 1709 | |Windows PowerShell 2.0 | Applications and components should be migrated to PowerShell 5.0+. | 1709 | |Apndatabase.xml | Apndatabase.xml is being replaced by the COSA database. Therefore, some constructs will no longer function. This replacement includes Hardware ID, incoming SMS messaging rules in mobile apps, a list of privileged apps in mobile apps, autoconnect order, APN parser, and CDMAProvider ID. | 1703 | -|Tile Data Layer | The [Tile Data Layer](/windows/configuration/start-layout-troubleshoot#symptom-start-menu-issues-with-tile-data-layer-corruption) database stopped development in Windows 10, version 1703. | 1703 | +|Tile Data Layer | The [Tile Data Layer](/troubleshoot/windows-client/shell-experience/troubleshoot-start-menu-errors#symptom-start-menu-issues-with-tile-data-layer-corruption) database stopped development in Windows 10, version 1703. | 1703 | |TLS DHE_DSS ciphers DisabledByDefault| [TLS RC4 Ciphers](/windows-server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server) will be disabled by default in this release. | 1703 | |TCPChimney | TCP Chimney Offload is no longer being developed. See [Performance Tuning Network Adapters](/windows-server/networking/technologies/network-subsystem/net-sub-performance-tuning-nics). | 1703 | |IPsec Task Offload| [IPsec Task Offload](/windows-hardware/drivers/network/task-offload) versions 1 and 2 are no longer being developed and shouldn't be used. | 1703 | diff --git a/windows/deployment/planning/features-lifecycle.md b/windows/whats-new/feature-lifecycle.md similarity index 80% rename from windows/deployment/planning/features-lifecycle.md rename to windows/whats-new/feature-lifecycle.md index 18da27cab7..11eaa12e7e 100644 --- a/windows/deployment/planning/features-lifecycle.md +++ b/windows/whats-new/feature-lifecycle.md @@ -1,11 +1,11 @@ --- title: Windows client features lifecycle -description: Learn about the lifecycle of Windows 10 features, as well as features that are no longer developed, removed features, and terminology assigned to a feature. +description: Learn about the lifecycle of Windows features, as well as features that are no longer developed, removed features, and terminology assigned to a feature. ms.prod: windows-client ms.localizationpriority: medium -author: frankroj +author: mestew manager: aaroncz -ms.author: frankroj +ms.author: mstewart ms.topic: article ms.custom: seo-marvel-apr2020 ms.technology: itpro-fundamentals @@ -27,17 +27,17 @@ For information about features that are impacted when you upgrade from Windows 1 The following topic lists features that are no longer being developed. These features might be removed in a future release. -[Windows 10 features we're no longer developing](windows-10-deprecated-features.md) +[Deprecated Windows features](deprecated-features.md) ## Features removed The following topics have details about features that have been removed from Windows 10 or Windows 11. This includes features that are present in Windows 10, but are removed in Windows 11. -[Windows 10 features we removed](windows-10-removed-features.md) +[Removed Windows features](removed-features.md) ## Terminology -The following terms can be used to describe the status that might be assigned to a feature during its lifecycle. +The following terms can be used to describe the status that might be assigned to a feature during its lifecycle: - **Deprecation**: The stage of the product lifecycle when a feature or functionality is no longer in active development and may be removed in future releases of a product or online service. - **End of support**: The stage of the product lifecycle when support and servicing are no longer available for a product. @@ -47,4 +47,4 @@ The following terms can be used to describe the status that might be assigned to ## Also see -[Windows 10 release information](/windows/release-health/release-information) +[Windows release information](/windows/release-health/release-information) diff --git a/windows/whats-new/images/ICD.png b/windows/whats-new/images/ICD.png deleted file mode 100644 index 9cfcb845df..0000000000 Binary files a/windows/whats-new/images/ICD.png and /dev/null differ diff --git a/windows/whats-new/images/block-suspicious-behaviors.png b/windows/whats-new/images/block-suspicious-behaviors.png deleted file mode 100644 index 31a2cf5727..0000000000 Binary files a/windows/whats-new/images/block-suspicious-behaviors.png and /dev/null differ diff --git a/windows/whats-new/images/compare-changes.png b/windows/whats-new/images/compare-changes.png deleted file mode 100644 index 0d86db70f5..0000000000 Binary files a/windows/whats-new/images/compare-changes.png and /dev/null differ diff --git a/windows/whats-new/images/contribute-link.png b/windows/whats-new/images/contribute-link.png deleted file mode 100644 index 4cf685e54e..0000000000 Binary files a/windows/whats-new/images/contribute-link.png and /dev/null differ diff --git a/windows/whats-new/images/funfacts.png b/windows/whats-new/images/funfacts.png deleted file mode 100644 index 71355ec370..0000000000 Binary files a/windows/whats-new/images/funfacts.png and /dev/null differ diff --git a/windows/whats-new/images/ldstore.PNG b/windows/whats-new/images/ldstore.PNG deleted file mode 100644 index 63f0eedee7..0000000000 Binary files a/windows/whats-new/images/ldstore.PNG and /dev/null differ diff --git a/windows/whats-new/images/lockscreen.png b/windows/whats-new/images/lockscreen.png deleted file mode 100644 index 68c64e15ec..0000000000 Binary files a/windows/whats-new/images/lockscreen.png and /dev/null differ diff --git a/windows/whats-new/images/lockscreenpolicy.png b/windows/whats-new/images/lockscreenpolicy.png deleted file mode 100644 index 30b6a7ae9d..0000000000 Binary files a/windows/whats-new/images/lockscreenpolicy.png and /dev/null differ diff --git a/windows/whats-new/images/pencil-icon.png b/windows/whats-new/images/pencil-icon.png deleted file mode 100644 index 82fe7852dd..0000000000 Binary files a/windows/whats-new/images/pencil-icon.png and /dev/null differ diff --git a/windows/whats-new/images/preview-changes.png b/windows/whats-new/images/preview-changes.png deleted file mode 100644 index cb4ecab594..0000000000 Binary files a/windows/whats-new/images/preview-changes.png and /dev/null differ diff --git a/windows/whats-new/images/propose-file-change.png b/windows/whats-new/images/propose-file-change.png deleted file mode 100644 index aedbc07b16..0000000000 Binary files a/windows/whats-new/images/propose-file-change.png and /dev/null differ diff --git a/windows/whats-new/images/spotlight.png b/windows/whats-new/images/spotlight.png deleted file mode 100644 index 515269740b..0000000000 Binary files a/windows/whats-new/images/spotlight.png and /dev/null differ diff --git a/windows/whats-new/images/video-1709.jpg b/windows/whats-new/images/video-1709.jpg deleted file mode 100644 index b54fe67cf6..0000000000 Binary files a/windows/whats-new/images/video-1709.jpg and /dev/null differ diff --git a/windows/whats-new/images/video-1709s.jpg b/windows/whats-new/images/video-1709s.jpg deleted file mode 100644 index 7abc313dd8..0000000000 Binary files a/windows/whats-new/images/video-1709s.jpg and /dev/null differ diff --git a/windows/whats-new/images/windows-11-whats-new/windows-11-taskbar.png b/windows/whats-new/images/windows-11-whats-new/windows-11-taskbar.png deleted file mode 100644 index 1f997e62f9..0000000000 Binary files a/windows/whats-new/images/windows-11-whats-new/windows-11-taskbar.png and /dev/null differ diff --git a/windows/whats-new/images/windows-defender-atp.png b/windows/whats-new/images/windows-defender-atp.png deleted file mode 100644 index 938ac2c72d..0000000000 Binary files a/windows/whats-new/images/windows-defender-atp.png and /dev/null differ diff --git a/windows/whats-new/index.yml b/windows/whats-new/index.yml index 3d11bd96e3..d1f1ec51df 100644 --- a/windows/whats-new/index.yml +++ b/windows/whats-new/index.yml @@ -1,22 +1,20 @@ ### YamlMime:Landing title: What's new in Windows -summary: Find out about new features and capabilities in the latest release of Windows 10 and Windows 11. +summary: Find out about new features and capabilities in the latest release of Windows client for IT professionals. metadata: title: What's new in Windows - description: Find out about new features and capabilities in the latest release of Windows 10 and Windows 11. - services: windows-10 - ms.service: windows-10 - ms.subservice: subservice + description: Find out about new features and capabilities in the latest release of Windows client for IT professionals. + ms.prod: windows-client + ms.technology: itpro-fundamentals ms.topic: landing-page ms.collection: - - windows-10 - highpri author: aczechowski ms.author: aaroncz manager: dougeby - ms.date: 06/03/2022 + ms.date: 11/14/2022 localization_priority: medium landingContent: @@ -38,12 +36,12 @@ landingContent: linkLists: - linkListType: overview links: + - text: What's new in Windows 10, version 22H2 + url: whats-new-windows-10-version-22h2.md - text: What's new in Windows 10, version 21H2 url: whats-new-windows-10-version-21h2.md - text: What's new in Windows 10, version 21H1 url: whats-new-windows-10-version-21h1.md - - text: What's new in Windows 10, version 20H2 - url: whats-new-windows-10-version-20h2.md - title: Learn more linkLists: @@ -54,14 +52,14 @@ landingContent: - text: Windows release health dashboard url: /windows/release-health/ - text: Windows 11 update history - url: https://support.microsoft.com/topic/windows-11-update-history-a19cd327-b57f-44b9-84e0-26ced7109ba9 + url: https://support.microsoft.com/topic/windows-11-version-22h2-update-history-ec4229c3-9c5f-4e75-9d6d-9025ab70fcce - text: Windows 10 update history url: https://support.microsoft.com/topic/windows-10-update-history-857b8ccb-71e4-49e5-b3f6-7073197d98fb - - text: Windows 10 features we're no longer developing - url: /windows/deployment/planning/windows-10-deprecated-features - - text: Features and functionality removed in Windows 10 - url: /windows/deployment/planning/windows-10-removed-features - - text: Compare Windows 10 Editions - url: https://www.microsoft.com/windowsforbusiness/compare + - text: Windows features we're no longer developing + url: deprecated-features.md + - text: Features and functionality removed in Windows + url: removed-features.md + - text: Compare Windows 11 Editions + url: https://www.microsoft.com/windows/business/compare-windows-11 - text: Windows 10 Enterprise LTSC url: ltsc/index.md diff --git a/windows/whats-new/ltsc/index.md b/windows/whats-new/ltsc/index.md index faa61e8726..66e69fb814 100644 --- a/windows/whats-new/ltsc/index.md +++ b/windows/whats-new/ltsc/index.md @@ -8,6 +8,8 @@ manager: dougeby ms.localizationpriority: low ms.topic: article ms.collection: highpri +ms.technology: itpro-fundamentals +ms.date: 12/31/2017 --- # Windows 10 Enterprise LTSC diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2015.md b/windows/whats-new/ltsc/whats-new-windows-10-2015.md index 9619a71f7d..60f00167d7 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2015.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2015.md @@ -8,6 +8,8 @@ ms.prod: windows-client author: aczechowski ms.localizationpriority: medium ms.topic: article +ms.technology: itpro-fundamentals +ms.date: 12/31/2017 --- # What's new in Windows 10 Enterprise LTSC 2015 diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2016.md b/windows/whats-new/ltsc/whats-new-windows-10-2016.md index 2f55f78bd5..43da9f13c3 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2016.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2016.md @@ -8,6 +8,8 @@ ms.prod: windows-client author: aczechowski ms.localizationpriority: low ms.topic: article +ms.technology: itpro-fundamentals +ms.date: 12/31/2017 --- # What's new in Windows 10 Enterprise LTSC 2016 diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md index 1e2217e1d0..ac0e6ef2cc 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md @@ -10,6 +10,8 @@ ms.localizationpriority: medium ms.topic: article ms.collection: - highpri +ms.technology: itpro-fundamentals +ms.date: 12/31/2017 --- # What's new in Windows 10 Enterprise LTSC 2019 diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md index c04c33fd31..ac2853f72a 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2021.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md @@ -10,6 +10,8 @@ ms.localizationpriority: low ms.topic: article ms.collection: - highpri +ms.technology: itpro-fundamentals +ms.date: 12/31/2017 --- # What's new in Windows 10 Enterprise LTSC 2021 diff --git a/windows/deployment/planning/windows-10-removed-features.md b/windows/whats-new/removed-features.md similarity index 95% rename from windows/deployment/planning/windows-10-removed-features.md rename to windows/whats-new/removed-features.md index 3b686d66a9..bdaca31c06 100644 --- a/windows/deployment/planning/windows-10-removed-features.md +++ b/windows/whats-new/removed-features.md @@ -3,13 +3,13 @@ title: Features and functionality removed in Windows client description: In this article, learn about the features and functionality that have been removed or replaced in Windows client. ms.prod: windows-client ms.localizationpriority: medium -author: frankroj -ms.author: frankroj +author: mestew +ms.author: mstewart manager: aaroncz ms.topic: article ms.custom: seo-marvel-apr2020 ms.technology: itpro-fundamentals -ms.date: 10/28/2022 +ms.date: 01/05/2023 --- # Features and functionality removed in Windows client @@ -21,14 +21,16 @@ ms.date: 10/28/2022 Each version of Windows client adds new features and functionality. Occasionally, new versions also remove features and functionality, often because they've added a newer option. This article provides details about the features and functionality that have been removed in Windows client. -For more information about features that might be removed in a future release, see [Deprecated features for Windows client](windows-10-deprecated-features.md). +For more information about features that might be removed in a future release, see [Deprecated features for Windows client](deprecated-features.md). > [!NOTE] > To get early access to new Windows builds and test these changes yourself, join the [Windows Insider program](https://insider.windows.com). For more information about features in Windows 11, see [Feature deprecations and removals](https://www.microsoft.com/windows/windows-11-specifications#table3). -To understand the distinction between _deprecation_ and _removal_, see [Windows client features lifecycle](features-lifecycle.md). +To understand the distinction between _deprecation_ and _removal_, see [Windows client features lifecycle](feature-lifecycle.md). + +## Removed features and functionality The following features and functionalities have been removed from the installed product image for Windows client. Applications or code that depend on these features won't function in the release when it was removed, or in later releases. @@ -36,6 +38,7 @@ The following features and functionalities have been removed from the installed |Feature | Details and mitigation | Support removed | | ----------- | --------------------- | ------ | +| Store uploader tool | Support has been removed for the store uploader tool. This tool is included in the Windows SDK only. The endpoint for the tool has been removed from service and the files will be removed from the SDK in the next release. | November, 2022 | | Internet Explorer 11 | The Internet Explorer 11 desktop application is [retired and out of support](https://aka.ms/IEJune15Blog) as of June 15, 2022 for certain versions of Windows 10. You can still access older, legacy sites that require Internet Explorer with Internet Explorer mode in Microsoft Edge. [Learn how](https://aka.ms/IEmodewebsite). The Internet Explorer 11 desktop application will progressively redirect to the faster, more secure Microsoft Edge browser, and will ultimately be disabled via Windows Update. [Disable IE today](/deployedge/edge-ie-disable-ie11). | June 15, 2022 | | XDDM-based remote display driver | Support for Windows 2000 Display Driver Model (XDDM) based remote display drivers is removed in this release. Independent Software Vendors that use an XDDM-based remote display driver should plan a migration to the WDDM driver model. For more information on implementing remote display indirect display driver, see [Updates for IddCx versions 1.4 and later](/windows-hardware/drivers/display/iddcx1.4-updates). | 21H1 | |Microsoft Edge|The legacy version of Microsoft Edge is no longer supported after March 9, 2021. For more information, see [End of support reminder for Microsoft Edge Legacy](/lifecycle/announcements/edge-legacy-eos-details). | 21H1 | @@ -76,4 +79,4 @@ The following features and functionalities have been removed from the installed |Microsoft Paint | This application won't be available for languages that aren't on the [full localization list](https://www.microsoft.com/windows/windows-10-specifications#Windows-10-localization). | 1703 | |NPN support in TLS | This feature is superseded by Application-Layer Protocol Negotiation (ALPN). | 1703 | |Windows Information Protection "AllowUserDecryption" policy | Starting in Windows 10, version 1703, AllowUserDecryption is no longer supported. | 1703 | -|WSUS for Windows Mobile | Updates are being transitioned to the new Unified Update Platform (UUP) | 1703 | \ No newline at end of file +|WSUS for Windows Mobile | Updates are being transitioned to the new Unified Update Platform (UUP) | 1703 | diff --git a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md index 24a9eacec5..8c1413f87f 100644 --- a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md +++ b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md @@ -9,6 +9,8 @@ ms.author: aaroncz ms.localizationpriority: medium ms.topic: article ROBOTS: NOINDEX +ms.technology: itpro-fundamentals +ms.date: 12/31/2017 --- # What's new in Windows 10, versions 1507 and 1511 for IT Pros diff --git a/windows/whats-new/whats-new-windows-10-version-1607.md b/windows/whats-new/whats-new-windows-10-version-1607.md index 61009f9d89..b37fc54c61 100644 --- a/windows/whats-new/whats-new-windows-10-version-1607.md +++ b/windows/whats-new/whats-new-windows-10-version-1607.md @@ -9,6 +9,8 @@ manager: dougeby ms.author: aaroncz ms.topic: article ROBOTS: NOINDEX +ms.technology: itpro-fundamentals +ms.date: 12/31/2017 --- # What's new in Windows 10, version 1607 for IT Pros diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md index 83a34f13b1..0b0ebd0b2a 100644 --- a/windows/whats-new/whats-new-windows-10-version-1703.md +++ b/windows/whats-new/whats-new-windows-10-version-1703.md @@ -9,6 +9,8 @@ manager: dougeby ms.author: aaroncz ms.topic: article ROBOTS: NOINDEX +ms.technology: itpro-fundamentals +ms.date: 12/31/2017 --- # What's new in Windows 10, version 1703 for IT Pros @@ -18,7 +20,7 @@ Below is a list of some of what's new in Information Technology (IT) pro feature For more general info about Windows 10 features, see [Features available only on Windows 10](https://www.microsoft.com/windows/features). For info about previous versions of Windows 10, see [What's New in Windows 10](./index.yml). Also see this blog post: [What’s new for IT pros in the Windows 10 Creators Update}(https://blogs.technet.microsoft.com/windowsitpro/2017/04/05/whats-new-for-it-pros-in-the-windows-10-creators-update/). >[!NOTE] ->Windows 10, version 1703 contains all fixes included in previous cumulative updates to Windows 10, version 1607. For info about each version, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info). For a list of removed features, see [Features that are removed or deprecated in Windows 10 Creators Update](/windows/deployment/planning/windows-10-removed-features). +>Windows 10, version 1703 contains all fixes included in previous cumulative updates to Windows 10, version 1607. For info about each version, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info). For a list of removed features, see [Features that are removed in Windows 10 Creators Update](removed-features.md). ## Configuration diff --git a/windows/whats-new/whats-new-windows-10-version-1709.md b/windows/whats-new/whats-new-windows-10-version-1709.md index ee7222900f..24468089e9 100644 --- a/windows/whats-new/whats-new-windows-10-version-1709.md +++ b/windows/whats-new/whats-new-windows-10-version-1709.md @@ -9,6 +9,8 @@ ms.author: aaroncz ms.localizationpriority: medium ms.topic: article ROBOTS: NOINDEX +ms.technology: itpro-fundamentals +ms.date: 12/31/2017 --- # What's new in Windows 10, version 1709 for IT Pros diff --git a/windows/whats-new/whats-new-windows-10-version-1803.md b/windows/whats-new/whats-new-windows-10-version-1803.md index 97e8587b75..4bfc545809 100644 --- a/windows/whats-new/whats-new-windows-10-version-1803.md +++ b/windows/whats-new/whats-new-windows-10-version-1803.md @@ -9,6 +9,8 @@ ms.author: aaroncz ms.localizationpriority: medium ms.topic: article ROBOTS: NOINDEX +ms.technology: itpro-fundamentals +ms.date: 12/31/2017 --- # What's new in Windows 10, version 1803 for IT Pros diff --git a/windows/whats-new/whats-new-windows-10-version-1809.md b/windows/whats-new/whats-new-windows-10-version-1809.md index 7f151bdfcf..776e3fd5fe 100644 --- a/windows/whats-new/whats-new-windows-10-version-1809.md +++ b/windows/whats-new/whats-new-windows-10-version-1809.md @@ -9,6 +9,8 @@ ms.author: aaroncz ms.localizationpriority: medium ms.topic: article ROBOTS: NOINDEX +ms.technology: itpro-fundamentals +ms.date: 12/31/2017 --- # What's new in Windows 10, version 1809 for IT Pros @@ -284,9 +286,12 @@ One of the things we’ve heard from you is that it’s hard to know when you’ ## Remote Desktop with Biometrics -Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session. +Windows Hello for Business supports using a certificate deployed to a Windows Hello for Business container as a supplied credential to establish a remote desktop connection to a server or another device. This feature takes advantage of the redirected smart card capabilities of the remote desktop protocol. +Users using earlier versions of Windows 10 could authenticate to a remote desktop using Windows Hello for Business but were limited to using their PIN as their authentication gesture. Windows 10, version 1809 introduces the ability for users to authenticate to a remote desktop session using their Windows Hello for Business biometric gesture. -To get started, sign into your device using Windows Hello for Business. Bring up **Remote Desktop Connection** (mstsc.exe), type the name of the computer you want to connect to, and click **Connect**. Windows remembers that you signed using Windows Hello for Business, and automatically selects Windows Hello for Business to authenticate you to your RDP session. You can also click **More choices** to choose alternate credentials. Windows uses facial recognition to authenticate the RDP session to the Windows Server 2016 Hyper-V server. You can continue to use Windows Hello for Business in the remote session, but you must use your PIN. +Azure Active Directory and Active Directory users using Windows Hello for Business in a certificate trust model, can use biometrics to authenticate to a remote desktop session. + +To get started, sign into your device using Windows Hello for Business. Bring up **Remote Desktop Connection** (mstsc.exe), type the name of the device you want to connect to, and select **Connect**. Windows remembers that you signed using Windows Hello for Business, and automatically selects Windows Hello for Business to authenticate you to your RDP session. You can also select **More choices** to choose alternate credentials. Windows uses biometrics to authenticate the RDP session to the Windows device. You can continue to use Windows Hello for Business in the remote session, but in the remote session you must use the PIN. See the following example: diff --git a/windows/whats-new/whats-new-windows-10-version-1903.md b/windows/whats-new/whats-new-windows-10-version-1903.md index 49112ccb86..703e8af27b 100644 --- a/windows/whats-new/whats-new-windows-10-version-1903.md +++ b/windows/whats-new/whats-new-windows-10-version-1903.md @@ -8,6 +8,8 @@ manager: dougeby ms.localizationpriority: medium ms.topic: article ROBOTS: NOINDEX +ms.technology: itpro-fundamentals +ms.date: 12/31/2017 --- # What's new in Windows 10, version 1903 for IT Pros diff --git a/windows/whats-new/whats-new-windows-10-version-1909.md b/windows/whats-new/whats-new-windows-10-version-1909.md index b3350031c0..9b27125a3b 100644 --- a/windows/whats-new/whats-new-windows-10-version-1909.md +++ b/windows/whats-new/whats-new-windows-10-version-1909.md @@ -8,12 +8,14 @@ manager: dougeby ms.localizationpriority: medium ms.topic: article ROBOTS: NOINDEX +ms.technology: itpro-fundamentals +ms.date: 12/31/2017 --- # What's new in Windows 10, version 1909 for IT Pros **Applies to** -- Windows 10, version 1909 +- Windows 10, version 1909 This article lists new and updated features and content that are of interest to IT Pros for Windows 10, version 1909, also known as the Windows 10 November 2019 Update. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 1903. @@ -65,7 +67,7 @@ An experimental implementation of TLS 1.3 is included in Windows 10, version 190 [Windows Virtual Desktop](/azure/virtual-desktop/overview) (WVD) is now generally available globally! -Windows Virtual Desktop is a comprehensive desktop and app virtualization service running in the cloud. It’s the only virtual desktop infrastructure (VDI) that delivers simplified management, multi-session Windows 10, optimizations for Microsoft 365 Apps for enterprise, and support for Remote Desktop Services (RDS) environments. Deploy and scale your Windows desktops and apps on Azure in minutes, and get built-in security and compliance features. Windows Virtual Desktop requires a Microsoft E3 or E5 license, or a Microsoft 365 E3 or E5 license, and an Azure tenant. +Windows Virtual Desktop is a comprehensive desktop and app virtualization service running in the cloud. It's the only virtual desktop infrastructure (VDI) that delivers simplified management, multi-session Windows 10, optimizations for Microsoft 365 Apps for enterprise, and support for Remote Desktop Services (RDS) environments. Deploy and scale your Windows desktops and apps on Azure in minutes, and get built-in security and compliance features. Windows Virtual Desktop requires a Microsoft E3 or E5 license, or a Microsoft 365 E3 or E5 license, and an Azure tenant. ## Deployment @@ -93,7 +95,7 @@ A new [Windows ADK](/windows-hardware/get-started/adk-install) will **not be rel ## Microsoft Connected Cache -Together with Delivery Optimization, [Microsoft Connected Cache](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Introducing-Microsoft-Connected-Cache-Microsoft-s-cloud-managed/ba-p/963898) installed on Windows Server or Linux can seamlessly offload your traffic to local sources, caching content efficiently at the byte range level. Connected Cache is configured as a “configure once and forget it” solution that transparently caches content that your devices on your network need. +Together with Delivery Optimization, [Microsoft Connected Cache](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Introducing-Microsoft-Connected-Cache-Microsoft-s-cloud-managed/ba-p/963898) installed on Windows Server or Linux can seamlessly offload your traffic to local sources, caching content efficiently at the byte range level. Connected Cache is configured as a "configure once and forget it" solution that transparently caches content that your devices on your network need. ## Accessibility @@ -125,10 +127,10 @@ General battery life and power efficiency improvements for PCs with certain proc [What's New in Windows Server](/windows-server/get-started/whats-new-in-windows-server): New and updated features in Windows Server.
                              [Windows 10 Features](https://www.microsoft.com/windows/features): General information about Windows 10 features.
                              -[What's New in Windows 10](./index.yml): See what’s new in other versions of Windows 10.
                              +[What's New in Windows 10](./index.yml): See what's new in other versions of Windows 10.
                              [What Windows 10, version 1909 Means for Developers](https://blogs.windows.com/windowsdeveloper/2019/10/16/what-windows-10-version-1909-means-for-developers/): New and updated features in Windows 10 that are of interest to developers.
                              -[Features and functionality removed in Windows 10](/windows/deployment/planning/windows-10-removed-features): Removed features.
                              -[Windows 10 features we’re no longer developing](/windows/deployment/planning/windows-10-deprecated-features): Features that aren't being developed.
                              +[Features and functionality removed in Windows 10](removed-features.md): Removed features.
                              +[Windows 10 features we're no longer developing](deprecated-features.md): Features that aren't being developed.
                              [How to get the Windows 10 November 2019 Update](https://aka.ms/how-to-get-1909): John Cable blog.
                              [How to get Windows 10, Version 1909: Enablement Mechanics](https://aka.ms/1909mechanics): Mechanics blog.
                              -[What’s new for IT pros in Windows 10, version 1909](https://aka.ms/whats-new-in-1909): Windows IT Pro blog.
                              +[What's new for IT pros in Windows 10, version 1909](https://aka.ms/whats-new-in-1909): Windows IT Pro blog.
                              diff --git a/windows/whats-new/whats-new-windows-10-version-2004.md b/windows/whats-new/whats-new-windows-10-version-2004.md index 9baa6d915f..d61e9c57ec 100644 --- a/windows/whats-new/whats-new-windows-10-version-2004.md +++ b/windows/whats-new/whats-new-windows-10-version-2004.md @@ -8,6 +8,8 @@ manager: dougeby ms.localizationpriority: medium ms.topic: article ROBOTS: NOINDEX +ms.technology: itpro-fundamentals +ms.date: 12/31/2017 --- # What's new in Windows 10, version 2004 for IT Pros @@ -261,5 +263,5 @@ For information about Desktop Analytics and this release of Windows 10, see [Wha - [Start developing on Windows 10, version 2004 today](https://blogs.windows.com/windowsdeveloper/2020/05/12/start-developing-on-windows-10-version-2004-today/): New and updated features in Windows 10 that are of interest to developers. - [What's new for business in Windows 10 Insider Preview Builds](/windows-insider/Active-Dev-Branch): A preview of new features for businesses. - [What's new in Windows 10, version 2004 - Windows Insiders](/windows-insider/archive/new-in-20h1): This list also includes consumer focused new features. -- [Features and functionality removed in Windows 10](/windows/deployment/planning/windows-10-removed-features): Removed features. -- [Windows 10 features we're no longer developing](/windows/deployment/planning/windows-10-deprecated-features): Features that aren't being developed. +- [Features and functionality removed in Windows 10](removed-features.md): Removed features. +- [Windows 10 features we're no longer developing](deprecated-features.md): Features that aren't being developed. diff --git a/windows/whats-new/whats-new-windows-10-version-20H2.md b/windows/whats-new/whats-new-windows-10-version-20H2.md index 431769b672..118d9441cc 100644 --- a/windows/whats-new/whats-new-windows-10-version-20H2.md +++ b/windows/whats-new/whats-new-windows-10-version-20H2.md @@ -8,6 +8,8 @@ manager: dougeby ms.localizationpriority: high ms.topic: article ms.collection: highpri +ms.technology: itpro-fundamentals +ms.date: 12/31/2017 --- # What's new in Windows 10, version 20H2 for IT Pros @@ -145,5 +147,5 @@ For information about Desktop Analytics and this release of Windows 10, see [Wha [Windows 10 Features](https://www.microsoft.com/windows/features): General information about Windows 10 features.
                              [What's New in Windows 10](./index.yml): See what’s new in other versions of Windows 10.
                              [Announcing more ways we’re making app development easier on Windows](https://blogs.windows.com/windowsdeveloper/2020/09/22/kevin-gallo-microsoft-ignite-2020/): Simplifying app development in Windows.
                              -[Features and functionality removed in Windows 10](/windows/deployment/planning/windows-10-removed-features): Removed features.
                              -[Windows 10 features we’re no longer developing](/windows/deployment/planning/windows-10-deprecated-features): Features that aren't being developed.
                              +[Features and functionality removed in Windows 10](removed-features.md): Removed features.
                              +[Windows 10 features we're no longer developing](deprecated-features.md): Features that aren't being developed.
                              diff --git a/windows/whats-new/whats-new-windows-10-version-21H1.md b/windows/whats-new/whats-new-windows-10-version-21H1.md index 1edaf57d80..cdf34929de 100644 --- a/windows/whats-new/whats-new-windows-10-version-21H1.md +++ b/windows/whats-new/whats-new-windows-10-version-21H1.md @@ -8,6 +8,8 @@ manager: dougeby ms.localizationpriority: high ms.topic: article ms.collection: highpri +ms.technology: itpro-fundamentals +ms.date: 12/31/2017 --- # What's new in Windows 10, version 21H1 for IT Pros @@ -93,10 +95,10 @@ This release includes the following enhancements and issues fixed: - Windows Management Instrumentation (WMI) service caused a heap leak each time security settings are applied to WMI namespace permissions. - screen rendering after opening games with certain hardware configurations. - startup times for applications that have roaming settings when User Experience Virtualization (UE-V) is turned on. -- a principal in a trusted MIT realm fails to obtain a Kerberos service ticket from Active Directory domain controllers (DC). This occurs on devices that installed Windows Updates that contain CVE-2020-17049 protections and configured PerfromTicketSignature to 1 or higher. These updates were released between November 10, 2020 and December 8, 2020. Ticket acquisition also fails with the error, “KRB_GENERIC_ERROR”, if callers submit a PAC-less Ticket Granting Ticket (TGT) as an evidence ticket without providing the USER_NO_AUTH_DATA_REQUIRED flag. +- a principal in a trusted MIT realm fails to obtain a Kerberos service ticket from Active Directory domain controllers (DC). This occurs on devices that installed Windows Updates that contain CVE-2020-17049 protections and configured PerfromTicketSignature to 1 or higher. These updates were released between November 10, 2020 and December 8, 2020. Ticket acquisition also fails with the error, "KRB_GENERIC_ERROR", if callers submit a PAC-less Ticket Granting Ticket (TGT) as an evidence ticket without providing the USER_NO_AUTH_DATA_REQUIRED flag. - high memory and CPU utilization in Microsoft Defender for Endpoint. - We enhanced data loss prevention and insider risk management solution functionalities in Microsoft 365 endpoints. -- an error when you attempt to open an untrusted webpage using Microsoft Edge or open an untrusted Microsoft Office document. The error is, “WDAG Report – Container: Error: 0x80070003, Ext error: 0x00000001”. This issue occurs after installing the .NET update KB4565627. +- an error when you attempt to open an untrusted webpage using Microsoft Edge or open an untrusted Microsoft Office document. The error is, "WDAG Report - Container: Error: 0x80070003, Ext error: 0x00000001". This issue occurs after installing the .NET update KB4565627. - an issue that prevents wevtutil from parsing an XML file. - failure to report an error when the Elliptic Curve Digital Signature Algorithm (ECDSA) generates invalid keys of 163 bytes instead of 165 bytes. - We added support for using the new Chromium-based Microsoft Edge as the assigned access single kiosk app. Now, you can also customize a breakout key sequence for single app kiosks. For more information, see Configure Microsoft Edge kiosk mode. @@ -130,7 +132,7 @@ This release includes the following enhancements and issues fixed: [Introducing the next feature update to Windows 10, version 21H1](https://blogs.windows.com/windowsexperience/2021/02/17/introducing-the-next-feature-update-to-windows-10-version-21h1/): Windows Experience Blog.
                              [What's New in Windows Server](/windows-server/get-started/whats-new-in-windows-server): New and updated features in Windows Server.
                              [Windows 10 Features](https://www.microsoft.com/windows/features): General information about Windows 10 features.
                              -[What's New in Windows 10](./index.yml): See what’s new in other versions of Windows 10.
                              -[Announcing more ways we’re making app development easier on Windows](https://blogs.windows.com/windowsdeveloper/2020/09/22/kevin-gallo-microsoft-ignite-2020/): Simplifying app development in Windows.
                              -[Features and functionality removed in Windows 10](/windows/deployment/planning/windows-10-removed-features): Removed features.
                              -[Windows 10 features we’re no longer developing](/windows/deployment/planning/windows-10-deprecated-features): Features that aren't being developed.
                              +[What's New in Windows 10](./index.yml): See what's new in other versions of Windows 10.
                              +[Announcing more ways we're making app development easier on Windows](https://blogs.windows.com/windowsdeveloper/2020/09/22/kevin-gallo-microsoft-ignite-2020/): Simplifying app development in Windows.
                              +[Features and functionality removed in Windows 10](removed-features.md): Removed features.
                              +[Windows 10 features we're no longer developing](deprecated-features.md): Features that aren't being developed.
                              diff --git a/windows/whats-new/whats-new-windows-10-version-21H2.md b/windows/whats-new/whats-new-windows-10-version-21H2.md index 64749cbbee..0b5aea83f8 100644 --- a/windows/whats-new/whats-new-windows-10-version-21H2.md +++ b/windows/whats-new/whats-new-windows-10-version-21H2.md @@ -9,6 +9,8 @@ ms.localizationpriority: medium ms.topic: article ms.collection: highpri ms.custom: intro-overview +ms.technology: itpro-fundamentals +ms.date: 12/31/2017 --- # What's new in Windows 10, version 21H2 diff --git a/windows/whats-new/whats-new-windows-10-version-22H2.md b/windows/whats-new/whats-new-windows-10-version-22H2.md new file mode 100644 index 0000000000..19a2bb9c46 --- /dev/null +++ b/windows/whats-new/whats-new-windows-10-version-22H2.md @@ -0,0 +1,38 @@ +--- +title: What's new in Windows 10, version 22H2 for IT pros +description: Learn more about what's new in Windows 10, version 22H2, including how to get it. +ms.prod: windows-client +ms.technology: itpro-fundamentals +ms.author: mstewart +author: mestew +manager: dougeby +ms.localizationpriority: medium +ms.topic: overview +ms.date: 10/18/2022 +--- + +# What's new in Windows 10, version 22H2 + + + +Windows 10, version 22H2 is a feature update for Windows 10. It's a scoped release focused on quality improvements to the overall Windows experience in existing feature areas. It includes all previous cumulative updates to Windows 10, version 21H2. This article is for IT professionals, it lists information about this release that you should know. + +Windows 10, version 22H2 is an [H2-targeted release](/lifecycle/faq/windows#what-is-the-servicing-timeline-for-a-version--feature-update--of-windows-10-), and has the following servicing schedule: + +- **Windows 10 Professional**: Serviced for 18 months from the release date. +- **Windows 10 Enterprise**: Serviced for 30 months from the release date. + +Windows 10, version 22H2 is available through Windows Server Update Services including Configuration Manager, Windows Update for Business, and the Volume Licensing Service Center (VLSC). For more information, see [How to get the Windows 10 2022 Update](https://blogs.windows.com/windowsexperience/2022/10/18/how-to-get-the-windows-10-2022-update/). + +Devices running earlier supported versions of Windows 10 can update to version 22H2 using an enablement package. For more information, see [Feature update to Windows 10, version 22H2 by using an enablement package](https://support.microsoft.com/topic/kb5015684-featured-update-to-windows-10-version-22h2-by-using-an-enablement-package-09d43632-f438-47b5-985e-d6fd704eee61). + +To learn more about the status of the Windows 10, version 22H2 rollout, known issues, and build information, see [Windows 10 release information](/windows/release-health/release-information). + +For more information about updated tools to support this release, see [IT tools to support Windows 10, version 22H2](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/it-tools-to-support-windows-10-version-22h2/ba-p/3655750). + +The Windows 10, version 22H2 feature update is installed as part of the general availability channel. Quality updates are still installed monthly on patch Tuesday. + +For more information, see: + +- [Feature and quality update definitions](/windows/deployment/update/waas-quick-start#definitions) +- [Windows servicing channels](/windows/deployment/update/waas-overview#servicing-channels) diff --git a/windows/whats-new/whats-new-windows-11-version-22H2.md b/windows/whats-new/whats-new-windows-11-version-22H2.md index ba75d6dbc6..df8b5092e6 100644 --- a/windows/whats-new/whats-new-windows-11-version-22H2.md +++ b/windows/whats-new/whats-new-windows-11-version-22H2.md @@ -9,6 +9,8 @@ ms.localizationpriority: medium ms.topic: article ms.collection: highpri ms.custom: intro-overview +ms.technology: itpro-fundamentals +ms.date: 12/31/2017 --- # What's new in Windows 11, version 22H2 diff --git a/windows/whats-new/windows-10-insider-preview.md b/windows/whats-new/windows-10-insider-preview.md index 9f9114f7ef..bdfa205f5c 100644 --- a/windows/whats-new/windows-10-insider-preview.md +++ b/windows/whats-new/windows-10-insider-preview.md @@ -8,6 +8,7 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.topic: article +ms.technology: itpro-fundamentals --- # Documentation for Windows 10 Insider Preview diff --git a/windows/whats-new/windows-11-plan.md b/windows/whats-new/windows-11-plan.md index b0af27c9a3..38dd1a3030 100644 --- a/windows/whats-new/windows-11-plan.md +++ b/windows/whats-new/windows-11-plan.md @@ -8,6 +8,8 @@ manager: dougeby ms.localizationpriority: high ms.topic: article ms.collection: highpri +ms.technology: itpro-fundamentals +ms.date: 12/31/2017 --- # Plan for Windows 11 diff --git a/windows/whats-new/windows-11-prepare.md b/windows/whats-new/windows-11-prepare.md index 3bdc8c1a18..6f5f8d35ad 100644 --- a/windows/whats-new/windows-11-prepare.md +++ b/windows/whats-new/windows-11-prepare.md @@ -8,6 +8,8 @@ manager: dougeby ms.localizationpriority: high ms.topic: article ms.collection: highpri +ms.technology: itpro-fundamentals +ms.date: 12/31/2017 --- # Prepare for Windows 11 diff --git a/windows/whats-new/windows-11-requirements.md b/windows/whats-new/windows-11-requirements.md index f7a02bf116..4a63cc1f7c 100644 --- a/windows/whats-new/windows-11-requirements.md +++ b/windows/whats-new/windows-11-requirements.md @@ -9,6 +9,8 @@ ms.localizationpriority: medium ms.topic: article ms.custom: seo-marvel-apr2020 ms.collection: highpri +ms.technology: itpro-fundamentals +ms.date: 12/31/2017 --- # Windows 11 requirements @@ -83,7 +85,7 @@ The following configuration requirements apply to VMs running Windows 11. - Generation: 2 \* - Storage: 64 GB or greater - Security: - - Azure: [Trusted launch](/azure/virtual-machines/trusted-launch) with vTPM and secure boot enabled + - Azure: [Trusted launch](/azure/virtual-machines/trusted-launch) with vTPM enabled - Hyper-V: [Secure boot and TPM enabled](/windows-server/virtualization/hyper-v/learn-more/Generation-2-virtual-machine-security-settings-for-Hyper-V#secure-boot-setting-in-hyper-v-manager) - General settings: Secure boot capable, virtual TPM enabled - Memory: 4 GB or greater @@ -104,5 +106,5 @@ The VM host CPU must also meet Windows 11 [processor requirements](/windows-hard ## See also [Windows minimum hardware requirements](/windows-hardware/design/minimum/minimum-hardware-requirements-overview)
                              -[What's new in Windows 11 overview](windows-11-whats-new.md) +[What's new in Windows 11 overview](/windows/whats-new/windows-11-overview)