From 24120f589e9709b5fbd16ff37fc4d148f7297512 Mon Sep 17 00:00:00 2001 From: v-tappelgate <91994953+v-tappelgate@users.noreply.github.com> Date: Wed, 25 May 2022 12:00:33 -0700 Subject: [PATCH 01/70] v-tappelgate-CI-163997 Metadata fix for [CI 163997](https://dev.azure.com/contentidea/ContentIdea/_workitems/edit/163997) --- .../bitlocker/ts-bitlocker-network-unlock-issues.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md index df10782087..d10158fc36 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md @@ -4,7 +4,7 @@ description: Describes several known issues that you may encounter while using n ms.technology: windows-sec ms.prod: m365-security ms.localizationpriority: medium -author: Teresa-Motiv +author: v-tappelgate ms.author: v-tappelgate manager: kaushika ms.reviewer: kaushika From c51041b06b7d7f0baee15f3c046519363747e5e7 Mon Sep 17 00:00:00 2001 From: themar-msft <33436507+themar-msft@users.noreply.github.com> Date: Wed, 25 May 2022 14:29:25 -0700 Subject: [PATCH 02/70] Update remotewipe-csp.md --- windows/client-management/mdm/remotewipe-csp.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md index 0771489578..b26beb9800 100644 --- a/windows/client-management/mdm/remotewipe-csp.md +++ b/windows/client-management/mdm/remotewipe-csp.md 
@@ -40,7 +40,7 @@ RemoteWipe --------Status ``` **doWipe** -Specifies that a remote wipe of the device should be performed. The return status code indicates whether the device accepted the Exec command. +Specifies that a remote wipe of the device should be performed. A remote wipe is the equivalent of running "Reset this PC > Remove everything" from the Settings app. The return status code indicates whether the device accepted the Exec command. When used with OMA Client Provisioning, a dummy value of "1" should be included for this element. 
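Review bot: the sentence added to the doWipe line in PATCH 02/70 says a remote wipe "is the equivalent of running Reset this PC > Remove everything", but that Settings flow has its own choices (the Clean Data and Delete Files options referenced later in this series) and the equivalence only tells an admin something if it states which of them apply; readers will infer the data-sanitization level from this sentence, so spell the options out. Minor: "is the equivalent of" reads better as "is equivalent to".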
@@ -56,9 +56,9 @@ Supported operation is Exec. The information that was backed up will be restored and applied to the device when it resumes. The return status code shows whether the device accepted the Exec command. **doWipeProtected** -Added in Windows 10, version 1703. Exec on this node performs a remote wipe on the device and fully clean the internal drive. In some device configurations, this command may leave the device unable to boot. The return status code indicates whether the device accepted the Exec command. +Added in Windows 10, version 1703. Exec on this node performs a remote wipe on the device and fully clean the internal drive. Drives that are cleaned with doWipeProtected aren't expected to meet industry or government standards for data cleaning. In some device configurations, this command may leave the device unable to boot. The return status code indicates whether the device accepted the Exec command. -The doWipeProtected is functionally similar to doWipe. But unlike doWipe, which can be easily circumvented by simply power cycling the device, doWipeProtected will keep trying to reset the device until it’s done. +The doWipeProtected is functionally similar to doWipe. But unlike doWipe, which can be easily circumvented by simply power cycling the device, doWipeProtected will keep trying to reset the device until it’s done. Because doWipeProtected will keep trying to reset the device until it's done, use doWipeProtected in lost/stolen device scenarios. Supported operation is Exec. From 6b921fcebdd66d577717d10392f442e5de9abc69 Mon Sep 17 00:00:00 2001 From: themar-msft <33436507+themar-msft@users.noreply.github.com> Date: Tue, 31 May 2022 09:14:40 -0700 Subject: [PATCH 03/70] Update remotewipe-csp.md --- windows/client-management/mdm/remotewipe-csp.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
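Review bot: in the doWipeProtected hunk of PATCH 02/70 the new closing sentence repeats the one before it almost verbatim ("will keep trying to reset the device until it's done" appears twice in a row); fold the recommendation into the preceding sentence, for example "... doWipeProtected will keep trying to reset the device until it's done, which makes it the node to use in lost/stolen device scenarios." The replacement line also carries over the grammar slip "fully clean the internal drive" ("fully cleans"). The new caveat that cleaned drives "aren't expected to meet industry or government standards for data cleaning" is the most important sentence in this hunk and belongs next to the lost/stolen recommendation rather than a paragraph above it, so nobody reads the recommendation as a sanitization guarantee.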
diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md index b26beb9800..9e7ad1053b 100644 --- a/windows/client-management/mdm/remotewipe-csp.md +++ b/windows/client-management/mdm/remotewipe-csp.md @@ -40,14 +40,14 @@ RemoteWipe --------Status ``` **doWipe** -Specifies that a remote wipe of the device should be performed. A remote wipe is the equivalent of running "Reset this PC > Remove everything" from the Settings app. The return status code indicates whether the device accepted the Exec command. +Specifies that a remote reset of the device should be started. A remote reset is equivalent to running "Reset this PC > Remove everything" from the Settings app. The return status code indicates whether the device accepted the Exec command. If a doWipe reset is started and then interrupted, the reset will not automatically be retried. When used with OMA Client Provisioning, a dummy value of "1" should be included for this element. Supported operation is Exec. **doWipePersistProvisionedData** -Specifies that provisioning data should be backed up to a persistent location, and then a remote wipe of the device should be performed. +Specifies that provisioning data should be backed up to a persistent location, and then a remote doWipe reset of the device should be started. When used with OMA Client Provisioning, a dummy value of "1" should be included for this element. 
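Review bot: the doWipe replacement line in PATCH 03/70 states that an interrupted reset "will not automatically be retried" but not what state the device is left in (rolled back, partially reset, unbootable); for a node whose purpose is to make data unrecoverable, that end state is exactly what an admin needs, so state it or say it is undefined. The hunk also switches the body text from "wipe" to "reset" while the CSP and node keep the names RemoteWipe and doWipe; one sentence saying the terms are used interchangeably would stop readers from assuming "reset" is a weaker operation. In the doWipePersistProvisionedData line, "a remote doWipe reset" is awkward; "a doWipe reset" is enough.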
@@ -56,14 +56,14 @@ Supported operation is Exec. The information that was backed up will be restored and applied to the device when it resumes. The return status code shows whether the device accepted the Exec command. **doWipeProtected** -Added in Windows 10, version 1703. Exec on this node performs a remote wipe on the device and fully clean the internal drive. Drives that are cleaned with doWipeProtected aren't expected to meet industry or government standards for data cleaning. In some device configurations, this command may leave the device unable to boot. The return status code indicates whether the device accepted the Exec command. +Added in Windows 10, version 1703. Exec on this node performs a remote reset on the device and also fully cleans the internal drive. Drives that are cleaned with doWipeProtected aren't expected to meet industry or government standards for data cleaning. In some device configurations, this command may leave the device unable to boot. The return status code indicates whether the device accepted the Exec command. The doWipeProtected is functionally similar to doWipe. But unlike doWipe, which can be easily circumvented by simply power cycling the device, doWipeProtected will keep trying to reset the device until it’s done. Because doWipeProtected will keep trying to reset the device until it's done, use doWipeProtected in lost/stolen device scenarios. Supported operation is Exec. **doWipePersistUserData** -Added in Windows 10, version 1709. Exec on this node will perform a remote reset on the device, and persist user accounts and data. The return status code shows whether the device accepted the Exec command. +Added in Windows 10, version 1709. Exec on this node will perform a doWipe remote reset on the device, and persist user accounts and data. The return status code shows whether the device accepted the Exec command. **AutomaticRedeployment** Added in Windows 10, version 1809. Node for the Autopilot Reset operation. 
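Review bot: the doWipePersistUserData line in PATCH 03/70 now says Exec performs "a doWipe remote reset" while also persisting user accounts and data, but doWipe is defined a few lines up as the "Remove everything" reset, so the sentence contradicts itself; describe this node as a remote reset that keeps user data rather than as a doWipe. The doWipeProtected rewrite ("performs a remote reset on the device and also fully cleans the internal drive") fixes the earlier grammar, but keep "reset" versus "wipe" usage consistent across the three nodes touched in this hunk.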
From 65fd817caa8451859fb44fdf8a6e728a6666d5bb Mon Sep 17 00:00:00 2001 From: themar-msft <33436507+themar-msft@users.noreply.github.com> Date: Tue, 31 May 2022 09:18:02 -0700 Subject: [PATCH 04/70] Update remotewipe-csp.md --- windows/client-management/mdm/remotewipe-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md index 9e7ad1053b..b76855bf76 100644 --- a/windows/client-management/mdm/remotewipe-csp.md +++ b/windows/client-management/mdm/remotewipe-csp.md @@ -24,7 +24,7 @@ The table below shows the applicability of Windows: |Enterprise|Yes|Yes| |Education|Yes|Yes| -The RemoteWipe configuration service provider can be used by mobile operators DM server or enterprise management server to remotely wipe a device. The RemoteWipe configuration service provider can make the data stored in memory and hard disks difficult to recover if the device is remotely wiped after being lost or stolen. +The RemoteWipe configuration service provider can be used by mobile operators DM server or enterprise management server to remotely reset a device. The RemoteWipe configuration service provider can make the data stored in memory and hard disks difficult to recover if the device is remotely reset after being lost or stolen. The following example shows the RemoteWipe configuration service provider management object in tree format as used by both OMA DM and OMA Client Provisioning. Enterprise IT Professionals can update these settings by using the Exchange Server. ``` From be82ff62eac57144df9429d6bee8bc43bf5c305b Mon Sep 17 00:00:00 2001 From: themar-msft <33436507+themar-msft@users.noreply.github.com> Date: Mon, 6 Jun 2022 10:32:03 -0700 Subject: [PATCH 05/70] Update remotewipe-csp.md --- .../client-management/mdm/remotewipe-csp.md | 20 +++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) 
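Review bot: the rewritten intro sentence in PATCH 04/70 keeps the missing possessive in "mobile operators DM server" ("a mobile operator's DM server"); since the line is being replaced anyway, fix it here. The second sentence still promises that the CSP "can make the data stored in memory and hard disks difficult to recover" after a remote reset, while the doWipeProtected section of the same file says cleaned drives aren't expected to meet data-cleaning standards; qualify the intro or point it at that section so the overview does not overstate what a reset guarantees.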
diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md index b76855bf76..c00be2ffd3 100644 --- a/windows/client-management/mdm/remotewipe-csp.md +++ b/windows/client-management/mdm/remotewipe-csp.md @@ -34,20 +34,23 @@ RemoteWipe ----doWipePersistProvisionedData ----doWipeProtected ----doWipePersistUserData +----doWipeCloud +----doWipeCloudPersistUserData +----doWipeCloudPersistProvisionedData ----AutomaticRedeployment --------doAutomaticRedeployment --------LastError --------Status ``` **doWipe** -Specifies that a remote reset of the device should be started. A remote reset is equivalent to running "Reset this PC > Remove everything" from the Settings app. The return status code indicates whether the device accepted the Exec command. If a doWipe reset is started and then interrupted, the reset will not automatically be retried. +Specifies that a remote reset of the device should be started. A remote reset is equivalent to running "Reset this PC > Remove everything" from the Settings app, with Clean Data set to No and Delete Files set to Yes. The return status code indicates whether the device accepted the Exec command. If a doWipe reset is started and then interrupted, depending on how far the reset progressed, the PC can roll back to the pre-reset state. When used with OMA Client Provisioning, a dummy value of "1" should be included for this element. Supported operation is Exec. **doWipePersistProvisionedData** -Specifies that provisioning data should be backed up to a persistent location, and then a remote doWipe reset of the device should be started. +Specifies that provisioning packages in ProgramData\Microsoft\Provisioning folder will be retained and applied to the OS after the reset. When used with OMA Client Provisioning, a dummy value of "1" should be included for this element. 
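Review bot: the three tree entries added in PATCH 05/70 are spelled doWipeCloud, doWipeCloudPersistUserData and doWipeCloudPersistProvisionedData, while the headings added for them further down in the same patch use DoWipeCloud with a capital D; use one spelling so an OMA-URI copied from the tree matches the documented node. The doWipe line's new "with Clean Data set to No and Delete Files set to Yes" is the right level of detail, but "depending on how far the reset progressed, the PC can roll back to the pre-reset state" still leaves the other outcome unstated; say what happens when it cannot roll back. The doWipePersistProvisionedData line should show the folder as a rooted code span (`%SystemDrive%\ProgramData\Microsoft\Provisioning`) rather than bare prose, and it now only says packages are retained; make explicit that Exec on this node also starts the reset.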
@@ -58,12 +61,21 @@ The information that was backed up will be restored and applied to the device wh **doWipeProtected** Added in Windows 10, version 1703. Exec on this node performs a remote reset on the device and also fully cleans the internal drive. Drives that are cleaned with doWipeProtected aren't expected to meet industry or government standards for data cleaning. In some device configurations, this command may leave the device unable to boot. The return status code indicates whether the device accepted the Exec command. -The doWipeProtected is functionally similar to doWipe. But unlike doWipe, which can be easily circumvented by simply power cycling the device, doWipeProtected will keep trying to reset the device until it’s done. Because doWipeProtected will keep trying to reset the device until it's done, use doWipeProtected in lost/stolen device scenarios. +The doWipeProtected is functionally similar to doWipe. But unlike doWipe, which can be easily circumvented by simply power cycling the device, if a reset that uses doWipeProtected is interrupted, upon restart it will clean the PC's disk partitions. Because doWipeProtected will clean the partitions in case of failure or interruption, use doWipeProtected in lost/stolen device scenarios. Supported operation is Exec. **doWipePersistUserData** -Added in Windows 10, version 1709. Exec on this node will perform a doWipe remote reset on the device, and persist user accounts and data. The return status code shows whether the device accepted the Exec command. +Added in Windows 10, version 1709. Exec on this node will perform a remote reset on the device, and persist user accounts and data. This setting is equivalent to selecting “Keep my files” when manually starting a reset from the Settings app. The return status code shows whether the device accepted the Exec command. 
+ +**DoWipeCloud** +Performs a DoWipe remote reset, but downloads the OS payload from Windows Update instead of the local Windows recovery environment. + +**DoWipeCloudPersistUserData** +Performs a DoWipe remote reset, but downloads the OS payload from Windows Update instead of the local Windows recovery environment. + +**DoWipeCloudPersistProvisionedData** +Performs a DoWipe remote reset, but downloads the OS payload from Windows Update instead of the local Windows recovery environment. **AutomaticRedeployment** Added in Windows 10, version 1809. Node for the Autopilot Reset operation. From 5a0922f0aaddacf3b0abddbfb7822d9cf644326e Mon Sep 17 00:00:00 2001 From: themar-msft <33436507+themar-msft@users.noreply.github.com> Date: Mon, 6 Jun 2022 10:36:14 -0700 Subject: [PATCH 06/70] Update remotewipe-csp.md --- windows/client-management/mdm/remotewipe-csp.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md index c00be2ffd3..71cbd89d31 100644 --- a/windows/client-management/mdm/remotewipe-csp.md +++ b/windows/client-management/mdm/remotewipe-csp.md 
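Review bot: the three DoWipeCloud* sections added in PATCH 05/70 carry identical descriptions, so nothing tells the reader what DoWipeCloudPersistUserData and DoWipeCloudPersistProvisionedData persist; describe each in terms of its non-cloud counterpart (doWipePersistUserData, doWipePersistProvisionedData) plus the Windows Update payload source, and add the "Added in Windows ..., version ..." and "Supported operation is Exec." lines that every other node on the page has. "DoWipe remote reset" should read "doWipe" to match the node name used elsewhere. The doWipeProtected rewrite ("if a reset that uses doWipeProtected is interrupted, upon restart it will clean the PC's disk partitions") is the useful part of this hunk; it should also say that the return status code does not report whether that cleanup completed.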
@@ -43,14 +43,14 @@ RemoteWipe --------Status ``` **doWipe** -Specifies that a remote reset of the device should be started. A remote reset is equivalent to running "Reset this PC > Remove everything" from the Settings app, with Clean Data set to No and Delete Files set to Yes. The return status code indicates whether the device accepted the Exec command. If a doWipe reset is started and then interrupted, depending on how far the reset progressed, the PC can roll back to the pre-reset state. +Specifies that a remote reset of the device should be started. A remote reset is equivalent to running "Reset this PC > Remove everything" from the Settings app, with **Clean Data** set to No and **Delete Files** set to Yes. The return status code indicates whether the device accepted the Exec command. If a doWipe reset is started and then interrupted, depending on how far the reset progressed, the PC can roll back to the pre-reset state. When used with OMA Client Provisioning, a dummy value of "1" should be included for this element. Supported operation is Exec. **doWipePersistProvisionedData** -Specifies that provisioning packages in ProgramData\Microsoft\Provisioning folder will be retained and applied to the OS after the reset. +Specifies that provisioning packages in the `%SystemDrive%\ProgramData\Microsoft\Provisioning` folder will be retained and then applied to the OS after the reset. When used with OMA Client Provisioning, a dummy value of "1" should be included for this element. 
@@ -66,7 +66,7 @@ The doWipeProtected is functionally similar to doWipe. But unlike doWipe, which Supported operation is Exec. **doWipePersistUserData** -Added in Windows 10, version 1709. Exec on this node will perform a remote reset on the device, and persist user accounts and data. This setting is equivalent to selecting “Keep my files” when manually starting a reset from the Settings app. The return status code shows whether the device accepted the Exec command. +Added in Windows 10, version 1709. Exec on this node will perform a remote reset on the device, and persist user accounts and data. This setting is equivalent to selecting "Reset this PC > Keep my files" when manually starting a reset from the Settings app. The return status code shows whether the device accepted the Exec command. **DoWipeCloud** Performs a DoWipe remote reset, but downloads the OS payload from Windows Update instead of the local Windows recovery environment. From 066609bfd10c47e1cc23c0e9f68e708138f09925 Mon Sep 17 00:00:00 2001 From: themar-msft <33436507+themar-msft@users.noreply.github.com> Date: Wed, 15 Jun 2022 11:30:26 -0700 Subject: [PATCH 07/70] Update remotewipe-csp.md --- windows/client-management/mdm/remotewipe-csp.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md index 71cbd89d31..2888082127 100644 --- a/windows/client-management/mdm/remotewipe-csp.md +++ b/windows/client-management/mdm/remotewipe-csp.md 
@@ -43,14 +43,14 @@ RemoteWipe --------Status ``` **doWipe** -Specifies that a remote reset of the device should be started. A remote reset is equivalent to running "Reset this PC > Remove everything" from the Settings app, with **Clean Data** set to No and **Delete Files** set to Yes. The return status code indicates whether the device accepted the Exec command. If a doWipe reset is started and then interrupted, depending on how far the reset progressed, the PC can roll back to the pre-reset state. +Exec on this node starts a remote reset of the device. A remote reset is equivalent to running "Reset this PC > Remove everything" from the Settings app, with **Clean Data** set to No and **Delete Files** set to Yes. The return status code indicates whether the device accepted the Exec command. If a doWipe reset is started and then interrupted, the PC will attempt to roll-back to a the pre-reset state. If the PC can't be rolled-back, the recovery environment will take no additional actions and the PC could be in an unusable state and Windows will have to be reinstalled. When used with OMA Client Provisioning, a dummy value of "1" should be included for this element. Supported operation is Exec. **doWipePersistProvisionedData** -Specifies that provisioning packages in the `%SystemDrive%\ProgramData\Microsoft\Provisioning` folder will be retained and then applied to the OS after the reset. +Exec on this node specifies that provisioning packages in the `%SystemDrive%\ProgramData\Microsoft\Provisioning` folder will be retained and then applied to the OS after the reset. When used with OMA Client Provisioning, a dummy value of "1" should be included for this element. 
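Review bot: typos in the rewritten doWipe line of PATCH 07/70: "roll-back to a the pre-reset state" should be "roll back to the pre-reset state", and "roll back" / "rolled back" are unhyphenated as verbs. The sentence "the recovery environment will take no additional actions and the PC could be in an unusable state and Windows will have to be reinstalled" is a run-on; split it, for example "If the PC can't be rolled back, the recovery environment takes no further action. The PC may be left unusable and Windows will have to be reinstalled." This paragraph now states that an interrupted doWipe rolls back to the pre-reset state, which is the very reason the doWipeProtected section gives for preferring that node on lost devices; a cross-reference here would make the link explicit.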
@@ -59,7 +59,7 @@ Supported operation is Exec. The information that was backed up will be restored and applied to the device when it resumes. The return status code shows whether the device accepted the Exec command. **doWipeProtected** -Added in Windows 10, version 1703. Exec on this node performs a remote reset on the device and also fully cleans the internal drive. Drives that are cleaned with doWipeProtected aren't expected to meet industry or government standards for data cleaning. In some device configurations, this command may leave the device unable to boot. The return status code indicates whether the device accepted the Exec command. +Added in Windows 10, version 1703. Exec on this node performs a remote reset on the device and also fully cleans the internal drive. Drives that are cleaned with doWipeProtected aren't expected to meet industry or government standards for data cleaning. In some device configurations, this command may leave the device unable to boot. The return status code indicates whether the device accepted the Exec command, but not whether the reset was successful. The doWipeProtected is functionally similar to doWipe. But unlike doWipe, which can be easily circumvented by simply power cycling the device, if a reset that uses doWipeProtected is interrupted, upon restart it will clean the PC's disk partitions. Because doWipeProtected will clean the partitions in case of failure or interruption, use doWipeProtected in lost/stolen device scenarios. 
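Review bot: the clause added to the doWipeProtected line in PATCH 07/70 ("but not whether the reset was successful") is an important caveat, and the paragraph should then say how success is confirmed, because the only Status and LastError nodes in the tree on this page belong to AutomaticRedeployment, not to doWipeProtected; if there is no node to query, say that completion has to be confirmed by other means. The same caveat applies to doWipe and should be stated there as well, not only here.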
@@ -69,13 +69,13 @@ Supported operation is Exec. Added in Windows 10, version 1709. Exec on this node will perform a remote reset on the device, and persist user accounts and data. This setting is equivalent to selecting "Reset this PC > Keep my files" when manually starting a reset from the Settings app. The return status code shows whether the device accepted the Exec command. **DoWipeCloud** -Performs a DoWipe remote reset, but downloads the OS payload from Windows Update instead of the local Windows recovery environment. +Added in Windows 11, version 22H2. Performs a DoWipe remote reset, but downloads the OS payload from Windows update instead of using the local PC’s Windows Component store. The payload downloaded from Microsoft update will be used to reset the PC to the same version of Windows as it was pre-reset. **DoWipeCloudPersistUserData** -Performs a DoWipe remote reset, but downloads the OS payload from Windows Update instead of the local Windows recovery environment. +Added in Windows 11, version 22H2. Performs a DoWipe remote reset, but downloads the OS payload from Windows update instead of using the local PC’s Windows Component store. The payload downloaded from Microsoft update will be used to reset the PC to the same version of Windows as it was pre-reset. **DoWipeCloudPersistProvisionedData** -Performs a DoWipe remote reset, but downloads the OS payload from Windows Update instead of the local Windows recovery environment. +Added in Windows 11, version 22H2. Performs a DoWipe remote reset, but downloads the OS payload from Windows update instead of using the local PC’s Windows Component store. The payload downloaded from Microsoft update will be used to reset the PC to the same version of Windows as it was pre-reset. **AutomaticRedeployment** Added in Windows 10, version 1809. Node for the Autopilot Reset operation. From fb363499e1141883d3695d30d55cc6d95138d517 Mon Sep 17 00:00:00 2001 
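Review bot: the three DoWipeCloud* lines rewritten in PATCH 07/70 name the payload source three different ways ("Windows update", "Microsoft update", and "Windows Update" in the wording being replaced); use "Windows Update" consistently, since it is a product name. The replacement also changes the stated fallback source from "the local Windows recovery environment" to "the local PC's Windows Component store", which is a change of fact worth a word in the commit message. The three descriptions remain word-for-word identical, so the PersistUserData and PersistProvisionedData variants are still undocumented, and "reset the PC to the same version of Windows as it was pre-reset" should say what happens when the download fails (fall back to the local store, or abort?), because an admin choosing a cloud reset for a lost device needs to know whether a blocked network defeats it.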
From: themar-msft <33436507+themar-msft@users.noreply.github.com> Date: Wed, 15 Jun 2022 11:35:26 -0700 Subject: [PATCH 08/70] Update remotewipe-csp.md --- windows/client-management/mdm/remotewipe-csp.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md index 2888082127..0640cf4d61 100644 --- a/windows/client-management/mdm/remotewipe-csp.md +++ b/windows/client-management/mdm/remotewipe-csp.md @@ -69,12 +69,15 @@ Supported operation is Exec. Added in Windows 10, version 1709. Exec on this node will perform a remote reset on the device, and persist user accounts and data. This setting is equivalent to selecting "Reset this PC > Keep my files" when manually starting a reset from the Settings app. The return status code shows whether the device accepted the Exec command. **DoWipeCloud** + Added in Windows 11, version 22H2. Performs a DoWipe remote reset, but downloads the OS payload from Windows update instead of using the local PC’s Windows Component store. The payload downloaded from Microsoft update will be used to reset the PC to the same version of Windows as it was pre-reset. **DoWipeCloudPersistUserData** + Added in Windows 11, version 22H2. Performs a DoWipe remote reset, but downloads the OS payload from Windows update instead of using the local PC’s Windows Component store. The payload downloaded from Microsoft update will be used to reset the PC to the same version of Windows as it was pre-reset. **DoWipeCloudPersistProvisionedData** + Added in Windows 11, version 22H2. Performs a DoWipe remote reset, but downloads the OS payload from Windows update instead of using the local PC’s Windows Component store. The payload downloaded from Microsoft update will be used to reset the PC to the same version of Windows as it was pre-reset. **AutomaticRedeployment** From 56572199ae847849f2b70e054d13a6731e205359 Mon Sep 17 00:00:00 2001 
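Review bot: PATCH 08/70 inserts a blank line after the three DoWipeCloud* headings, but every other node heading in this file (**doWipe**, **doWipeProtected**, **doWipePersistUserData**, **AutomaticRedeployment**) is followed directly by its description; add the blank line to all headings or to none, otherwise the rendered spacing differs between nodes.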
From: themar-msft <33436507+themar-msft@users.noreply.github.com> Date: Wed, 15 Jun 2022 12:14:07 -0700 Subject: [PATCH 09/70] spaces --- windows/client-management/mdm/remotewipe-csp.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md index 0640cf4d61..9b8ae699d8 100644 --- a/windows/client-management/mdm/remotewipe-csp.md +++ b/windows/client-management/mdm/remotewipe-csp.md @@ -27,6 +27,7 @@ The table below shows the applicability of Windows: The RemoteWipe configuration service provider can be used by mobile operators DM server or enterprise management server to remotely reset a device. The RemoteWipe configuration service provider can make the data stored in memory and hard disks difficult to recover if the device is remotely reset after being lost or stolen. The following example shows the RemoteWipe configuration service provider management object in tree format as used by both OMA DM and OMA Client Provisioning. Enterprise IT Professionals can update these settings by using the Exchange Server. + ``` ./Vendor/MSFT RemoteWipe @@ -42,6 +43,7 @@ RemoteWipe --------LastError --------Status ``` + **doWipe** Exec on this node starts a remote reset of the device. A remote reset is equivalent to running "Reset this PC > Remove everything" from the Settings app, with **Clean Data** set to No and **Delete Files** set to Yes. The return status code indicates whether the device accepted the Exec command. If a doWipe reset is started and then interrupted, the PC will attempt to roll-back to a the pre-reset state. If the PC can't be rolled-back, the recovery environment will take no additional actions and the PC could be in an unusable state and Windows will have to be reinstalled. From 474bde92dcfbcb73e1f87e5c2c70dc8be1db16d6 Mon Sep 17 00:00:00 2001 
From: themar-msft <33436507+themar-msft@users.noreply.github.com> Date: Wed, 15 Jun 2022 12:17:18 -0700 Subject: [PATCH 10/70] Update remotewipe-csp.md --- windows/client-management/mdm/remotewipe-csp.md | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md index 9b8ae699d8..88c970beb9 100644 --- a/windows/client-management/mdm/remotewipe-csp.md +++ b/windows/client-management/mdm/remotewipe-csp.md 
@@ -70,18 +70,6 @@ Supported operation is Exec. **doWipePersistUserData** Added in Windows 10, version 1709. Exec on this node will perform a remote reset on the device, and persist user accounts and data. This setting is equivalent to selecting "Reset this PC > Keep my files" when manually starting a reset from the Settings app. The return status code shows whether the device accepted the Exec command. -**DoWipeCloud** - -Added in Windows 11, version 22H2. Performs a DoWipe remote reset, but downloads the OS payload from Windows update instead of using the local PC’s Windows Component store. The payload downloaded from Microsoft update will be used to reset the PC to the same version of Windows as it was pre-reset. - -**DoWipeCloudPersistUserData** - -Added in Windows 11, version 22H2. Performs a DoWipe remote reset, but downloads the OS payload from Windows update instead of using the local PC’s Windows Component store. The payload downloaded from Microsoft update will be used to reset the PC to the same version of Windows as it was pre-reset. - -**DoWipeCloudPersistProvisionedData** - -Added in Windows 11, version 22H2. Performs a DoWipe remote reset, but downloads the OS payload from Windows update instead of using the local PC’s Windows Component store. The payload downloaded from Microsoft update will be used to reset the PC to the same version of Windows as it was pre-reset. - **AutomaticRedeployment** Added in Windows 10, version 1809. Node for the Autopilot Reset operation. From fd097900698f34d59451aea4f3633088cbc32678 Mon Sep 17 00:00:00 2001 From: themar-msft <33436507+themar-msft@users.noreply.github.com> Date: Wed, 15 Jun 2022 14:02:47 -0700 Subject: [PATCH 11/70] Update remotewipe-csp.md --- windows/client-management/mdm/remotewipe-csp.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md index 88c970beb9..4eb9ed7a1d 100644 
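Review bot: PATCH 10/70 deletes the three DoWipeCloud* sections but leaves the doWipeCloud, doWipeCloudPersistUserData and doWipeCloudPersistProvisionedData entries that PATCH 05/70 added to the tree, so at this commit the tree lists three nodes that are described nowhere on the page; the tree removal that follows in PATCH 11/70 should be squashed into this commit, and the commit message ("Update remotewipe-csp.md") should say why the nodes are being withdrawn (not shipped, renamed, documented elsewhere) so the history explains the churn.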
--- a/windows/client-management/mdm/remotewipe-csp.md +++ b/windows/client-management/mdm/remotewipe-csp.md @@ -35,9 +35,6 @@ RemoteWipe ----doWipePersistProvisionedData ----doWipeProtected ----doWipePersistUserData -----doWipeCloud -----doWipeCloudPersistUserData -----doWipeCloudPersistProvisionedData ----AutomaticRedeployment --------doAutomaticRedeployment --------LastError From 169ea53d8cd1f089ba8abcdfc0d30637d1ef47eb Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Fri, 17 Jun 2022 17:28:07 +0300 Subject: [PATCH 12/70] add more info about localization https://github.com/MicrosoftDocs/windows-itpro-docs/issues/10485 --- .../deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md index 0d89ad7be7..eaee452ae3 100644 --- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md +++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md 
@@ -560,6 +560,9 @@ Some properties to use in the MDT Production rules file are as follows: - **USMTMigFiles(\*).** List of USMT templates (controlling what to backup and restore). - **EventService.** Activates logging information to the MDT monitoring web service. +>[!NOTE] +>For more details about localization support, please check the [MDT sample guide](https://docs.microsoft.com/en-us/mem/configmgr/mdt/samples-guide#fully-automated-lti-deployment-for-a-refresh-computer-scenario). You can find a list of Language Codes [here](https://docs.microsoft.com/en-us/openspecs/office_standards/ms-oe376/6c085406-a698-4e12-9d4d-c3b0ee3dbc4a) and a list of Time Zone Index Values [here](https://docs.microsoft.com/en-us/openspecs/office_standards/ms-oe376/6c085406-a698-4e12-9d4d-c3b0ee3dbc4a). + ### Optional deployment share configuration If your organization has a Microsoft Software Assurance agreement, you also can subscribe to the additional Microsoft Desktop Optimization Package (MDOP) license (at an additional cost). Included in MDOP is Microsoft Diagnostics and Recovery Toolkit (DaRT), which contains tools that can help you troubleshoot MDT deployments, as well as troubleshoot Windows itself. From cd92ea62a5d5291ffadbaa6a8666b9c240ecf162 Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Fri, 17 Jun 2022 17:50:41 +0300 Subject: [PATCH 13/70] add note https://github.com/MicrosoftDocs/windows-itpro-docs/issues/10496 --- windows/deployment/update/waas-configure-wufb.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md index 1918ed5246..300c877a7f 100644 --- a/windows/deployment/update/waas-configure-wufb.md +++ b/windows/deployment/update/waas-configure-wufb.md 
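Review bot: in the note added in PATCH 12/70 the "list of Language Codes" link and the "list of Time Zone Index Values" link point to the same URL (openspecs/office_standards/ms-oe376/6c085406-a698-4e12-9d4d-c3b0ee3dbc4a), so at least one of them is wrong; verify both targets. The links also hard-code docs.microsoft.com/en-us, while this repo otherwise uses locale-free root-relative paths (compare /windows/client-management/mdm/policy-configuration-service-provider in the next patch), so drop the host and locale, at minimum for the MDT sample guide link. "please check" reads better as "see".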
@@ -25,6 +25,8 @@ ms.topic: article > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) +> Note that Windows Server Operating System (outside of HCI) **does not** get Feature Updates from Windows Update, so only the quality update policies apply. + You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. The sections in this topic provide the Group Policy and MDM policies for Windows 10, version 1511 and later, including Windows 11. The MDM policies use the OMA-URI setting from the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider). > [!IMPORTANT] From c28edafe56d4c3b4616745b121207b3e91b3a234 Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Fri, 17 Jun 2022 18:27:08 +0300 Subject: [PATCH 14/70] update table https://github.com/MicrosoftDocs/windows-itpro-docs/issues/10499 --- .../upgrade/windows-10-edition-upgrades.md | 22 +++++++++++-------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/windows/deployment/upgrade/windows-10-edition-upgrades.md b/windows/deployment/upgrade/windows-10-edition-upgrades.md index fee71f1399..4ade882a85 100644 --- a/windows/deployment/upgrade/windows-10-edition-upgrades.md +++ b/windows/deployment/upgrade/windows-10-edition-upgrades.md @@ -147,15 +147,19 @@ S = Supported; Not considered a downgrade or an upgrade **Destination Edition: (Starting)** -|Edition|Home|Pro|Pro for Workstations|Pro Education|Education|Enterprise LTSC|Enterprise| -|--- |--- |--- |--- |--- |--- |--- |--- | -|Home|||||||| -|Pro|||||||| -|Pro for Workstations|||||||| -|Pro Education|||||||| -|Education||✔|✔|✔|||S| -|Enterprise LTSC|||||||| -|Enterprise||✔|✔|✔|S||| +![Supported downgrade path.](../images/check_grn.png) (green checkmark) = Supported downgrade path
+![Supported; Not considered a downgrade or an upgrade.](../images/check_blu.png) (blue checkmark) = Not considered a downgrade or an upgrade
+![not supported.](../images/x_blk.png) (X) = not supported or not a downgrade
+ +| **Edition** | **Home** | **Pro** | **Pro for Workstations** | **Pro Education** | **Education** | **Enterprise LTSC** | **Enterprise** | +|-----------------| ------------------------------------ | --------------------------- | ------------------------- | -------------------------------------- | ----------------------------------- | --------------------------------------------- |--------------------------------------------- | +| **Home** | ![Supported; Not considered a downgrade or an upgrade.](../images/check_blu.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | +| **Pro** | ![not supported.](../images/x_blk.png) | ![Supported; Not considered a downgrade or an upgrade.](../images/check_blu.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | +| **Pro for Workstations** | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![Supported; Not considered a downgrade or an upgrade.](../images/check_blu.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | +| **Pro Education** | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![Supported; Not considered a downgrade or an upgrade.](../images/check_blu.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | +| **Education** | ![not supported.](../images/x_blk.png) | ![Supported downgrade path.](../images/check_grn.png) | ![Supported downgrade path.](../images/check_grn.png) 
| ![Supported downgrade path.](../images/check_grn.png) | ![Supported; Not considered a downgrade or an upgrade.](../images/check_blu.png) | ![not supported.](../images/x_blk.png) | ![Supported; Not considered a downgrade or an upgrade.](../images/check_blu.png) | +| **Enterprise LTSC** | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![Supported; Not considered a downgrade or an upgrade.](../images/check_blu.png) | ![not supported.](../images/x_blk.png) | +| **Enterprise** | ![not supported.](../images/x_blk.png) | ![Supported downgrade path.](../images/check_grn.png) | ![Supported downgrade path.](../images/check_grn.png) | ![Supported downgrade path.](../images/check_grn.png) | ![Supported; Not considered a downgrade or an upgrade.](../images/check_blu.png) | ![not supported.](../images/x_blk.png) | ![Supported; Not considered a downgrade or an upgrade.](../images/check_blu.png) | > **Windows N/KN**: Windows "N" and "KN" SKUs follow the same rules shown above. From 550ba579b43cbd2c7b38d660b969d5e6a13a5e54 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Sat, 18 Jun 2022 08:31:13 +0530 Subject: [PATCH 15/70] added latest adobe version this is my own PR , I added the latest version 2200120142 of adobe reader in this article. main article link **https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt** --- .../deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md index 0d89ad7be7..2adf9acbd1 100644 --- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md 
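Review bot: the unchanged context line `S = Supported; Not considered a downgrade or an upgrade` at the top of the hunk is now stale: the new table contains no "S" cells and the three added legend lines redefine that meaning with the blue checkmark image, so that line should be removed in this same change. Two smaller points: the X image's alt text ("not supported.") says less than its legend entry ("not supported or not a downgrade"), so screen-reader users lose that distinction; and the header separator row has wildly different dash counts per column, which renders fine but is worth tidying.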
+++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md @@ -139,8 +139,8 @@ When you configure your MDT Build Lab deployment share, you can also add applica On **MDT01**: -1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (AcroRdrDC2200120117_en_US.exe) to **D:\\setup\\adobe** on MDT01. -2. Extract the .exe file that you downloaded to an .msi (ex: .\AcroRdrDC2200120117_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne). +1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (AcroRdrDC2200120142_en_US.exe) to **D:\\setup\\adobe** on MDT01. +2. Extract the .exe file that you downloaded to an .msi (ex: .\AcroRdrDC2200120142_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne). 3. In the Deployment Workbench, expand the **MDT Production** node and navigate to the **Applications** node. 4. Right-click the **Applications** node, and create a new folder named **Adobe**. From 7be4b3671d0919269331d31a3c1fe7d700fc544f Mon Sep 17 00:00:00 2001 From: "Carlos Mayol (MSFT)" Date: Mon, 20 Jun 2022 18:29:55 -0400 Subject: [PATCH 16/70] Update enable-virtualization-based-protection-of-code-integrity.md Add GMET along with MBEC Using acronym instead of full name to align with other features references in the code --- ...nable-virtualization-based-protection-of-code-integrity.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md index 4a0981cf1f..5d9db2a678 100644 --- a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md 
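Review bot: the pinned file name `AcroRdrDC2200120142_en_US.exe` will be stale again at Adobe's next release, exactly as the value it replaces was; consider wording step 1 so the version is an example rather than a requirement (e.g. "the current Enterprise distribution version ... (for example, AcroRdrDC2200120142_en_US.exe)") or add a note that the file name changes with each release. Since this installer is extracted here and later deployed to every MDT client, step 1 would also benefit from a sentence telling the reader to verify the downloaded file's digital signature before extracting it.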
@@ -223,7 +223,7 @@ Value | Description **4.** | If present, Secure Memory Overwrite is available. **5.** | If present, NX protections are available. **6.** | If present, SMM mitigations are available. -**7.** | If present, Mode Based Execution Control is available. +**7.** | If present, MBEC/GMET is available. **8.** | If present, APIC virtualization is available. #### InstanceIdentifier @@ -243,7 +243,7 @@ Value | Description **4.** | If present, Secure Memory Overwrite is needed. **5.** | If present, NX protections are needed. **6.** | If present, SMM mitigations are needed. -**7.** | If present, Mode Based Execution Control is needed. +**7.** | If present, MBEC/GMET is needed. #### SecurityServicesConfigured From 343e3e03271253e6f4862c60d2a8012164c71577 Mon Sep 17 00:00:00 2001 From: msarcletti <56821677+msarcletti@users.noreply.github.com> Date: Tue, 21 Jun 2022 09:20:55 +0200 Subject: [PATCH 17/70] Update filter-origin-documentation.md Changed the internal Windows code name 'Iron' to publicly known names Windows Server 2022 and Windows 11 (although 11 is Co already) --- .../windows-firewall/filter-origin-documentation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md b/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md index ad4e1359c3..9ecf89d162 100644 --- a/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md +++ b/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md 
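Review bot: `MBEC/GMET` is introduced without expansion in both tables, whereas the other rows use acronyms (NX, SMM, APIC) that readers generally recognise; GMET in particular is not widely known. Keep the full names on first use in the `@@ -223,7` table, e.g. `If present, Mode Based Execution Control (MBEC) / Guest Mode Execute Trap (GMET) is available.`, and use the bare acronyms only in the `@@ -243,7` table, or add a sentence above the tables noting that MBEC is the Intel implementation and GMET the AMD equivalent of the same hypervisor feature.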
@@ -48,7 +48,7 @@ The blocking filters can be categorized under these filter origins: g. Windows Service Hardening (WSH) default -The next section describes the improvements made to audits 5157 and 5152, and how the above filter origins are used in these events. These improvements were added in Iron release. +The next section describes the improvements made to audits 5157 and 5152, and how the above filter origins are used in these events. These improvements were added in the Windows Server 2022 and Windows 11 releases. ## Improved firewall audit From 84a24e22fe5813735ed70afe737ceb54391e1e11 Mon Sep 17 00:00:00 2001 From: Michael Nady Date: Tue, 21 Jun 2022 12:09:09 +0200 Subject: [PATCH 18/70] #10420 #10420 --- ...trict-ntlm-audit-ntlm-authentication-in-this-domain.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md index bdbf0e528d..725d0aaed2 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md 
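Review bot: the replacement says the improvements were added in "the Windows Server 2022 and Windows 11 releases", but the commit message itself notes that Windows 11 is the Co (Cobalt) release, not Iron; if the change shipped in Iron, the accurate statement is Windows Server 2022, with Windows 11 included only if it carries the same audit changes. Please confirm that before naming Windows 11, or phrase it as "Windows Server 2022 and later".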
@@ -47,9 +47,13 @@ When you enable this audit policy, it functions in the same way as the **Network The domain controller will log events for NTLM authentication logon attempts that use domain accounts when NTLM authentication would be denied because the **Network security: Restrict NTLM: NTLM authentication in this domain** policy setting is set to **Deny for domain accounts**. -- Not defined +- **Enable for domain servers** - This is the same as **Disable** and results in no auditing of NTLM traffic. + The domain controller will log events for NTLM authentication requests to all servers in the domain when NTLM authentication would be denied because the **Network security: Restrict NTLM: NTLM authentication in this domain** policy setting is set to **Deny for domain servers**. + +- **Enable all** + + The domain controlleron which this policy is set will log all events for incoming NTLM traffic. ### Best practices From 8015224337f81b26139f27c438ffcaa9f5162e1a Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Wed, 22 Jun 2022 10:40:44 +0500 Subject: [PATCH 19/70] Update hello-hybrid-aadj-sso-cert.md --- .../hello-hybrid-aadj-sso-cert.md | 134 +----------------- 1 file changed, 7 insertions(+), 127 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 807592de85..039b8d9442 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md 
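Review bot: the hunk deletes the **Not defined** option outright instead of keeping it alongside the two options it adds; unless "Not defined" is listed elsewhere in this section, it should stay, since it is the default state of the policy and the only entry that tells the reader auditing is off. Also fix the typo in the **Enable all** description: "The domain controlleron which" should be "The domain controller on which".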
@@ -814,143 +814,23 @@ Sign-in the NDES server with access equivalent to _local administrator_. The Intune Certificate Connector application enables Microsoft Intune to enroll certificates using your on-premises PKI for users on devices managed by Microsoft Intune. -### Download Intune Certificate Connector - -Sign-in a workstation with access equivalent to a _domain user_. - -1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). - -2. Select **Tenant administration** > **Connectors and tokens** > **Certificate connectors** > **Add**. - -3. Click **Download the certificate connector software** under the **Install Certificate Connectors** section. - - ![Intune Certificate Authority.](images/aadjcert/profile01.png) - -4. Save the downloaded file (NDESConnectorSetup.exe) to a location accessible from the NDES server. - -5. Sign-out of the Microsoft Endpoint Manager admin center. - -### Install the Intune Certificate Connector - -Sign-in the NDES server with access equivalent to _domain administrator_. - -1. Copy the Intune Certificate Connector Setup (NDESConnectorSetup.exe) downloaded in the previous task locally to the NDES server. - -2. Run **NDESConnectorSetup.exe** as an administrator. If the setup shows a dialog that reads **Microsoft Intune NDES Connector requires HTTP Activation**, ensure you started the application as an administrator, then check HTTP Activation is enabled on the NDES server. - -3. On the **Microsoft Intune** page, click **Next**. - - ![Intune Connector Install 01.](images/aadjcert/intunecertconnectorinstall-01.png) - -4. Read the **End User License Agreement**. Click **Next** to accept the agreement and to proceed with the installation. - -5. On the **Destination Folder** page, click **Next**. - -6. On the **Installation Options** page, select **SCEP and PFX Profile Distribution** and click **Next**. - - ![Intune Connector Install 03.](images/aadjcert/intunecertconnectorinstall-03.png) - -7. 
On the **Client certificate for Microsoft Intune** page, Click **Select**. Select the certificate previously enrolled for the NDES server. Click **Next**. - - ![Intune Connector Install 05.](images/aadjcert/intunecertconnectorinstall-05.png) - - > [!NOTE] - > The **Client certificate for Microsoft Intune** page does not update after selecting the client authentication certificate. However, the application rembers the selection and shows it in the next page. - -8. On the **Client certificate for the NDES Policy Module** page, verify the certificate information and then click **Next**. - -9. ON the **Ready to install Microsoft Intune Connector** page. Click **Install**. - - ![Intune Connector Install 06.](images/aadjcert/intunecertconnectorinstall-06.png) - - > [!NOTE] - > You can review the results of the install using the **SetupMsi.log** file located in the **C:\\NDESConnectorSetupMsi** folder. - -10. When the installation completes, select **Launch Intune Connector** and click Finish. Proceed to the Configure the Intune Certificate Connector task. - - ![Intune Connector install 07.](images/aadjcert/intunecertconnectorinstall-07.png) - -### Configure the Intune Certificate Connector - -Sign-in the NDES server with access equivalent to _domain administrator_. - -1. The **NDES Connector** user interface should be open from the last task. - - > [!NOTE] - > If the **NDES Connector** user interface is not open, you can start it from **\\NDESConnectorUI\NDESConnectorUI.exe**. - -2. If your organization uses a proxy server and the proxy is needed for the NDES server to access the Internet, select **Use proxy server**, and then enter the proxy server name, port, and credentials to connect. Click **Apply** - - ![Intune Certificate Connector Configuration 01.](images/aadjcert/intunecertconnectorconfig-01.png) - -3. Click **Sign-in**. Type credentials for your Intune administrator, or tenant administrator that has the **Global Administrator** directory role. 
- - ![Intune Certificate Connector Configuration 02.](images/aadjcert/intunecertconnectorconfig-02.png) - - > [!IMPORTANT] - > The user account must have a valid Intune license assigned. If the user account does not have a valid Intune license, the sign-in fails. - -4. Optionally, you can configure the NDES Connector for certificate revocation. If you want to do this, continue to the next task. Otherwise, Click **Close**, restart the **Intune Connector Service** and the **World Wide Web Publishing Service**, and skip the next task. - +To learn how to download, install and configure Intune Certificate Connector, please see [Install the Certificate Connector for Microsoft Intune](/mem/intune/protect/certificate-connector-install) ### Configure the NDES Connector for certificate revocation (**Optional**) -Optionally (not required), you can configure the Intune connector for certificate revocation when a device is wiped, unenrolled, or when the certificate profile falls out of scope for the targeted user (users is removed, deleted, or the profile is deleted). +Optionally (not required), you can configure the Intune connector for certificate revocation when a device is wiped, unenrolled, or when the certificate profile falls out of scope for the targeted user (users is removed, deleted, or the profile is deleted). You need to select **Certificate revocation** option during the connector configuration to enable automatic certificate revocation for certificates issued from a Microsoft Active Directory Certification Authority. Additionally, you need to enable the NDES Service account for revocation. -#### Enabling the NDES Service account for revocation +1. Sign-in the certificate authority used by the NDES Connector with access equivalent to _domain administrator_. -Sign-in the certificate authority used by the NDES Connector with access equivalent to _domain administrator_. +2. Start the **Certification Authority** management console. -1. 
Start the **Certification Authority** management console. +3. In the navigation pane, right-click the name of the certificate authority and select **Properties**. -2. In the navigation pane, right-click the name of the certificate authority and select **Properties**. - -3. Click the **Security** tab. Click **Add**. In **Enter the object names to select** box, type **NDESSvc** (or the name you gave the NDES Service account). Click *Check Names*. Click **OK**. Select the NDES Service account from the **Group or user names** list. Select **Allow** for the **Issue and Manage Certificates** permission. Click **OK**. +4. Click the **Security** tab. Click **Add**. In **Enter the object names to select** box, type **NDESSvc** (or the name you gave the NDES Service account). Click *Check Names*. Click **OK**. Select the NDES Service account from the **Group or user names** list. Select **Allow** for the **Issue and Manage Certificates** permission. Click **OK**. ![Configure Intune certificate revocation 02.](images/aadjcert/intuneconfigcertrevocation-02.png) -4. Close the **Certification Authority** - -#### Enable the NDES Connector for certificate revocation - -Sign-in the NDES server with access equivalent to _domain administrator_. - -1. Open the **NDES Connector** user interface (**\\NDESConnectorUI\NDESConnectorUI.exe**). - -2. Click the **Advanced** tab. Select **Specify a different account username and password**. Type the NDES service account username and password. Click **Apply**. Click **OK** to close the confirmation dialog box. Click **Close**. - - ![Intune Connector cert revocation configuration 04.](images/aadjcert/intunecertconnectorconfig-04.png) - -3. Restart the **Intune Connector Service** and the **World Wide Web Publishing Service**. - -### Test the NDES Connector - -Sign-in the NDES server with access equivalent to _domain admin_. - -1. Open a command prompt. - -2. 
Type the following command to confirm the NDES Connector's last connection time is current. - - ```console - reg query hklm\software\Microsoft\MicrosoftIntune\NDESConnector\ConnectionStatus - ``` - -3. Close the command prompt. - -4. Open **Internet Explorer**. - -5. In the navigation bar, type: - - ```console - https://[fqdnHostName]/certsrv/mscep/mscep.dll - ``` - - where **[fqdnHostName]** is the fully qualified internal DNS host name of the NDES server. - A web page showing a 403 error (similar to the following) should appear in your web browser. If you do not see a similar page, or you get a **503 Service unavailable** message, ensure the NDES Service account has the proper user rights. You can also review the application event log for events with the **NetworkDeviceEnrollmentSerice** source. - - ![NDES web site test after Intune Certificate Connector.](images/aadjcert/ndes-https-website-test-after-intune-connector.png) - -6. Using **Server Manager**, enable **Internet Explorer Enhanced Security Configuration**. +5. Close the **Certification Authority** ## Create and Assign a Simple Certificate Enrollment Protocol (SCEP) Certificate Profile From 8f8cf37bef0b2ca336a43dfbc966bf6558986815 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Wed, 22 Jun 2022 11:49:23 +0500 Subject: [PATCH 20/70] Update windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 039b8d9442..46c270d038 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md 
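Review bot: replacing the download/install/configure sections with a link also removes the **Test the NDES Connector** section, whose final step re-enabled **Internet Explorer Enhanced Security Configuration** from **Server Manager**; if an earlier step of this article disables IE ESC for that test, the hardening is now never switched back on, so either keep the test section or move the re-enable step into the steps that remain. The retained sentence "Additionally, you need to enable the NDES Service account for revocation" also loses the steps it depended on: the **Enable the NDES Connector for certificate revocation** subsection (the **Advanced** tab, **Specify a different account username and password**, and the restart of the **Intune Connector Service** and **World Wide Web Publishing Service**) is deleted, and nothing states that the linked Intune page covers it, so verify that it does or keep those steps. Minor: "Sign-in the certificate authority" should read "Sign in to the certificate authority", and the new link sentence lacks a trailing period.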
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -814,7 +814,7 @@ Sign-in the NDES server with access equivalent to _local administrator_. The Intune Certificate Connector application enables Microsoft Intune to enroll certificates using your on-premises PKI for users on devices managed by Microsoft Intune. -To learn how to download, install and configure Intune Certificate Connector, please see [Install the Certificate Connector for Microsoft Intune](/mem/intune/protect/certificate-connector-install) +To learn how to download, install, and configure the Intune Certificate Connector, see [Install the Certificate Connector for Microsoft Intune](/mem/intune/protect/certificate-connector-install). ### Configure the NDES Connector for certificate revocation (**Optional**) From 1ea5b2501aa5f22490e82f44bd38cda09c54707e Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Wed, 22 Jun 2022 11:49:44 +0500 Subject: [PATCH 21/70] Update windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 46c270d038..669112c0b6 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md 
@@ -818,7 +818,7 @@ To learn how to download, install, and configure the Intune Certificate Connecto ### Configure the NDES Connector for certificate revocation (**Optional**) -Optionally (not required), you can configure the Intune connector for certificate revocation when a device is wiped, unenrolled, or when the certificate profile falls out of scope for the targeted user (users is removed, deleted, or the profile is deleted). You need to select **Certificate revocation** option during the connector configuration to enable automatic certificate revocation for certificates issued from a Microsoft Active Directory Certification Authority. Additionally, you need to enable the NDES Service account for revocation. +Optionally (not required), you can configure the Intune connector for certificate revocation when a device is wiped, unenrolled, or when the certificate profile falls out of scope for the targeted user (users are removed, deleted, or the profile is deleted). You need to select the **Certificate revocation** option during the connector configuration to enable automatic certificate revocation for certificates issued from a Microsoft Active Directory Certification Authority. Additionally, you need to enable the NDES Service account for revocation. 1. Sign-in the certificate authority used by the NDES Connector with access equivalent to _domain administrator_. From 2ff4cee88eb5dc58e01c953dcdcc8e51c7616f69 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Wed, 22 Jun 2022 11:49:52 +0500 Subject: [PATCH 22/70] Update windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 669112c0b6..dd04ba4432 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -820,7 +820,7 @@ To learn how to download, install, and configure the Intune Certificate Connecto Optionally (not required), you can configure the Intune connector for certificate revocation when a device is wiped, unenrolled, or when the certificate profile falls out of scope for the targeted user (users are removed, deleted, or the profile is deleted). You need to select the **Certificate revocation** option during the connector configuration to enable automatic certificate revocation for certificates issued from a Microsoft Active Directory Certification Authority. Additionally, you need to enable the NDES Service account for revocation. -1. Sign-in the certificate authority used by the NDES Connector with access equivalent to _domain administrator_. +1. Sign in the certificate authority used by the NDES Connector with access equivalent to _domain administrator_. 2. Start the **Certification Authority** management console. From 49233a2e2d248cf9d3ee875a6dc750bbad073be2 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Wed, 22 Jun 2022 11:50:03 +0500 Subject: [PATCH 23/70] Update windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
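Review bot: "Sign in the certificate authority" is still missing its preposition after the hyphen fix; it should read "Sign in to the certificate authority used by the NDES Connector".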
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index dd04ba4432..83e3036f24 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -826,7 +826,7 @@ Optionally (not required), you can configure the Intune connector for certificat 3. In the navigation pane, right-click the name of the certificate authority and select **Properties**. -4. Click the **Security** tab. Click **Add**. In **Enter the object names to select** box, type **NDESSvc** (or the name you gave the NDES Service account). Click *Check Names*. Click **OK**. Select the NDES Service account from the **Group or user names** list. Select **Allow** for the **Issue and Manage Certificates** permission. Click **OK**. +4. Select the **Security** tab, then select **Add**. In the **Enter the object names to select** box, enter **NDESSvc** (or the name you gave the NDES Service account). Select *Check Names*, then select **OK**. Select the NDES Service account from the **Group or user names** list. Select **Allow** for the **Issue and Manage Certificates** permission. Select **OK**. ![Configure Intune certificate revocation 02.](images/aadjcert/intuneconfigcertrevocation-02.png) From 57f0b32ca0563192b33bda4ee63702b0ea2319fe Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Wed, 22 Jun 2022 12:35:57 +0500 Subject: [PATCH 24/70] Update windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 83e3036f24..54afa073cc 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -830,7 +830,7 @@ Optionally (not required), you can configure the Intune connector for certificat ![Configure Intune certificate revocation 02.](images/aadjcert/intuneconfigcertrevocation-02.png) -5. Close the **Certification Authority** +5. Close the **Certification Authority**. ## Create and Assign a Simple Certificate Enrollment Protocol (SCEP) Certificate Profile From d01bd7c022fcea77d35cfcad4f4c38bdb5a9944d Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Wed, 22 Jun 2022 12:36:04 +0500 Subject: [PATCH 25/70] Update windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 54afa073cc..cb173a70b7 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md 
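Review bot: adding the period does not fix the incomplete object: "Close the **Certification Authority**." reads as shutting down the CA, whereas step 2 opened the **Certification Authority** management console, so the step should say "Close the **Certification Authority** management console."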
@@ -826,7 +826,7 @@ Optionally (not required), you can configure the Intune connector for certificat 3. In the navigation pane, right-click the name of the certificate authority and select **Properties**. -4. Select the **Security** tab, then select **Add**. In the **Enter the object names to select** box, enter **NDESSvc** (or the name you gave the NDES Service account). Select *Check Names*, then select **OK**. Select the NDES Service account from the **Group or user names** list. Select **Allow** for the **Issue and Manage Certificates** permission. Select **OK**. +4. Select the **Security** tab, then select **Add**. In the **Enter the object names to select** box, enter **NDESSvc** (or the name you gave the NDES Service account). Select *Check Names*, then select **OK**. Select the NDES Service account from the **Group or user names** list. Select **Allow** for the **Issue and Manage Certificates** permission. Select **OK**. ![Configure Intune certificate revocation 02.](images/aadjcert/intuneconfigcertrevocation-02.png) From 1bc0d4e2b39eb288f9c674928782a62197dcb40b Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Thu, 23 Jun 2022 10:03:30 +0300 Subject: [PATCH 26/70] Update windows/deployment/update/waas-configure-wufb.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/deployment/update/waas-configure-wufb.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md index 300c877a7f..88af669727 100644 --- a/windows/deployment/update/waas-configure-wufb.md +++ b/windows/deployment/update/waas-configure-wufb.md 
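Review bot: the `-` and `+` lines of this hunk are identical, so the commit is a whitespace-only change (most likely trailing whitespace); squash it into the preceding commit that edits this line so the history does not carry an edit with no visible content.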
@@ -25,7 +25,8 @@ ms.topic: article > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) -> Note that Windows Server Operating System (outside of HCI) **does not** get Feature Updates from Windows Update, so only the quality update policies apply. +> [!NOTE] +> Windows Server Operating System (outside of HCI) **does not** get Feature Updates from Windows Update, so only the quality update policies apply. You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. The sections in this topic provide the Group Policy and MDM policies for Windows 10, version 1511 and later, including Windows 11. The MDM policies use the OMA-URI setting from the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider). From c779e877828a34a83f990c7a31762d5d19670d6d Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Thu, 23 Jun 2022 10:04:01 +0300 Subject: [PATCH 27/70] Update windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md index eaee452ae3..eaa3a170c1 100644 --- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md +++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md 
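Review bot: the converted callout still uses the unexpanded abbreviation "HCI"; spell it out as Azure Stack HCI on first use, and "Windows Server Operating System (outside of HCI)" reads more naturally as "Windows Server (other than Azure Stack HCI)".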
@@ -560,8 +560,8 @@ Some properties to use in the MDT Production rules file are as follows: - **USMTMigFiles(\*).** List of USMT templates (controlling what to backup and restore). - **EventService.** Activates logging information to the MDT monitoring web service. ->[!NOTE] ->For more details about localization support, please check the [MDT sample guide](https://docs.microsoft.com/en-us/mem/configmgr/mdt/samples-guide#fully-automated-lti-deployment-for-a-refresh-computer-scenario). You can find a list of Language Codes [here](https://docs.microsoft.com/en-us/openspecs/office_standards/ms-oe376/6c085406-a698-4e12-9d4d-c3b0ee3dbc4a) and a list of Time Zone Index Values [here](https://docs.microsoft.com/en-us/openspecs/office_standards/ms-oe376/6c085406-a698-4e12-9d4d-c3b0ee3dbc4a). +> [!NOTE] +> For more details about localization support, see the [MDT sample guide](/mem/configmgr/mdt/samples-guide#fully-automated-lti-deployment-for-a-refresh-computer-scenario). You can find a list of Language Codes [here](/openspecs/office_standards/ms-oe376/6c085406-a698-4e12-9d4d-c3b0ee3dbc4a) and a list of Time Zone Index Values [here](/openspecs/office_standards/ms-oe376/6c085406-a698-4e12-9d4d-c3b0ee3dbc4a). ### Optional deployment share configuration From 792731fa5265825a6dcf1ad7fe99a062fb87c0f0 Mon Sep 17 00:00:00 2001 From: Michael Nady Date: Thu, 23 Jun 2022 13:41:12 +0200 Subject: [PATCH 28/70] #10456 #10456 wants to clarify the level of the logon command account, and assumed it must be an Administrator, so I added this info. --- .../windows-sandbox/windows-sandbox-configure-using-wsb-file.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md index 94adc3d7c8..d7fd288b24 100644 
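Review bot: in the deploy-a-windows-10-image-using-mdt.md hunk, the "Language Codes" link and the "Time Zone Index Values" link both point to the same target (/openspecs/office_standards/ms-oe376/6c085406-a698-4e12-9d4d-c3b0ee3dbc4a); this was already true of the removed lines, so converting to site-relative links carried a copy-paste error forward. One of the two targets is wrong and should be corrected before merge. Also, the two bare "here" link texts should name their destination (for example "list of Language Codes") rather than "here".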
--- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md +++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md @@ -112,7 +112,7 @@ An array of folders, each representing a location on the host machine that will ### Logon command -Specifies a single command that will be invoked automatically after the sandbox logs on. Apps in the sandbox are run under the container user account. +Specifies a single command that will be invoked automatically after the sandbox logs on. Apps in the sandbox are run under the container user account. The container user account should be an Administrator. ```xml From 6038a000bc6cfb60a7988094e9048adc19c637a8 Mon Sep 17 00:00:00 2001 
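Review bot: in the windows-sandbox-configure-using-wsb-file.md hunk, the added sentence "The container user account should be an Administrator." reads as an instruction to the reader, but the container user account is created by Windows Sandbox itself and is not something the author of a .wsb file configures; the commit message also says the administrator level was assumed rather than verified. Confirm the account's actual privilege level inside the sandbox and reword as a statement of fact, for example "The container user account has administrator rights inside the sandbox, so the logon command runs with those rights", so that readers understand the security consequence of what they put in `<LogonCommand>` rather than being told to change something they cannot change.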
From: Jordan Geurten Date: Thu, 23 Jun 2022 15:06:05 -0400 Subject: [PATCH 29/70] Initial commit of MEMCM doc supplement work --- .../deploy-appid-tagging-policies.md | 2 +- .../TOC.yml | 4 +- .../create-wdac-deny-policy.md | 2 +- .../deploy-wdac-policies-with-memcm.md | 51 ++++++++++++++++++ ...ion-control-policies-using-group-policy.md | 0 ...plication-control-policies-using-intune.md | 0 .../feature-availability.md | 2 +- .../images/memcm/memcm-confirm-wdac-rule.jpg | Bin 0 -> 52909 bytes .../memcm/memcm-create-wdac-policy-2.jpg | Bin 0 -> 155649 bytes .../images/memcm/memcm-create-wdac-policy.jpg | Bin 0 -> 152383 bytes .../images/memcm/memcm-create-wdac-rule-2.jpg | Bin 0 -> 276511 bytes .../images/memcm/memcm-create-wdac-rule-3.jpg | Bin 0 -> 121563 bytes .../images/memcm/memcm-create-wdac-rule.jpg | Bin 0 -> 62257 bytes .../images/memcm/memcm-deploy-wdac-2.jpg | Bin 0 -> 43638 bytes .../images/memcm/memcm-deploy-wdac-3.jpg | Bin 0 -> 45121 bytes .../images/memcm/memcm-deploy-wdac-4.jpg | Bin 0 -> 42437 bytes .../images/memcm/memcm-deploy-wdac.jpg | Bin 0 -> 116300 bytes .../index.yml | 4 +- .../pdfs/WDAC-Deploy-WDAC-using-MEMCM.pdf | Bin 0 -> 2629620 bytes ...r-application-control-against-tampering.md | 2 +- ...er-application-control-deployment-guide.md | 4 +- 21 files changed, 61 insertions(+), 10 deletions(-) rename windows/security/threat-protection/windows-defender-application-control/{ => deployment}/deploy-windows-defender-application-control-policies-using-group-policy.md (100%) rename windows/security/threat-protection/windows-defender-application-control/{ => deployment}/deploy-windows-defender-application-control-policies-using-intune.md (100%) create mode 100644 windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-confirm-wdac-rule.jpg create mode 100644 windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-create-wdac-policy-2.jpg create mode 100644 
windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-create-wdac-policy.jpg create mode 100644 windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-create-wdac-rule-2.jpg create mode 100644 windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-create-wdac-rule-3.jpg create mode 100644 windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-create-wdac-rule.jpg create mode 100644 windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-deploy-wdac-2.jpg create mode 100644 windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-deploy-wdac-3.jpg create mode 100644 windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-deploy-wdac-4.jpg create mode 100644 windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-deploy-wdac.jpg create mode 100644 windows/security/threat-protection/windows-defender-application-control/pdfs/WDAC-Deploy-WDAC-using-MEMCM.pdf diff --git a/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md b/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md index a8ac5aafd1..f7cb9dee92 100644 --- a/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md 
@@ -38,7 +38,7 @@ Similar to WDAC Application Control policies, WDAC AppId Tagging policies can be ## Deploy AppId Tagging Policies with MDM -Custom AppId Tagging policies can be deployed to endpoints using [the OMA-URI feature in MDM](../deploy-windows-defender-application-control-policies-using-intune.md#deploy-wdac-policies-with-custom-oma-uri). +Custom AppId Tagging policies can be deployed to endpoints using [the OMA-URI feature in MDM](../deployment/deploy-windows-defender-application-control-policies-using-intune.md#deploy-wdac-policies-with-custom-oma-uri). ## Deploy AppId Tagging Policies with MEMCM diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.yml b/windows/security/threat-protection/windows-defender-application-control/TOC.yml index 2f007e159d..5d7d191d40 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.yml +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.yml @@ -73,13 +73,13 @@ href: windows-defender-application-control-deployment-guide.md items: - name: Deploy WDAC policies with MDM - href: deploy-windows-defender-application-control-policies-using-intune.md + href: deployment/deploy-windows-defender-application-control-policies-using-intune.md - name: Deploy WDAC policies with MEMCM href: deployment/deploy-wdac-policies-with-memcm.md - name: Deploy WDAC policies with script href: deployment/deploy-wdac-policies-with-script.md - name: Deploy WDAC policies with Group Policy - href: deploy-windows-defender-application-control-policies-using-group-policy.md + href: deployment/deploy-windows-defender-application-control-policies-using-group-policy.md - name: Audit WDAC policies href: audit-windows-defender-application-control-policies.md - name: Merge WDAC policies 
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md index 3203610df6..e4b820e7ed 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md @@ -159,4 +159,4 @@ Policies should be thoroughly evaluated and first rolled out in audit mode befor 3. Scripting [Deploy Windows Defender Application Control (WDAC) policies using script (Windows)](deployment/deploy-wdac-policies-with-script.md) -4. Group Policy: [Deploy WDAC policies via Group Policy (Windows)](deploy-windows-defender-application-control-policies-using-group-policy.md) +4. Group Policy: [Deploy WDAC policies via Group Policy (Windows)](deployment/deploy-windows-defender-application-control-policies-using-group-policy.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md index 1ac9e541d2..b9f7dfe7c2 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md 
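Review bot: in the create-wdac-deny-policy.md hunk the relative link is correctly repointed at deployment/, but the two adjacent list items are formatted inconsistently: "3. Scripting [Deploy ...]" has no colon after the label while "4. Group Policy: [...]" does; make the two match while this line is being touched.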
@@ -41,8 +41,59 @@ MEMCM includes native support for WDAC, which allows you to configure Windows 10 Note that MEMCM does not remove policies once deployed. To stop enforcement, you should switch the policy to audit mode, which will produce the same effect. If you want to disable WDAC altogether (including audit mode), you can deploy a script to delete the policy file from disk, and either trigger a reboot or wait for the next reboot. +### Create a WDAC Policy in MEMCM + +1. Select **Asset and Compliance** > **Endpoint Protection** > **Windows Defender Application Control** > **Create Application Control Policy** + +![Create a WDAC policy in MEMCM.](../images/memcm/memcm-create-wdac-policy.jpg) + +2. Enter the name of the policy > **Next** +3. Enable **Enforce a restart of devices so that this policy can be enforced for all processes** +4. Select the mode which you want the policy to run (Enforcement enabled / Audit Only) +5. Click **Next** + +![Create an enforced WDAC policy in MEMCM.](../images/memcm/memcm-create-wdac-policy-2.jpg) + +6. Click **Add** to begin creating rules for trusted software + +![Create a WDAC path rule in MEMCM.](../images/memcm/memcm-create-wdac-rule.jpg) + +7. Select **File** or **Folder** to create a path rule > **Browse** + +![Create a WDAC path rule in MEMCM.](../images/memcm/memcm-create-wdac-rule-2.jpg) + +8. Select the executable or folder for your path rule > **OK** + +![Select the file or folder.](../images/memcm/memcm-create-wdac-rule-3.jpg) + +9. Select **OK** to add the rule to the table of trusted files or folder +10. Select **Next** to navigate to the summary page > **Close** + +![Confirm the WDAC path rule in MEMCM.](../images/memcm/memcm-confirm-wdac-rule.jpg) + +### Deploy the WDAC Policy in MEMCM + +1. Right-click the newly created policy > **Deploy Application Control Policy** + +![Deploy WDAC via MEMCM.](../images/memcm/memcm-deploy-wdac.jpg) + +2. 
Select **Browse** + +![Deploy WDAC via MEMCM.](../images/memcm/memcm-deploy-wdac-2.jpg) + +3. Select the Device Collection you created earlier > **OK** + +![Select the device collection.](../images/memcm/memcm-deploy-wdac-3.jpg) + +4. Change the schedule > **OK** + +![Change the WDAC deployment schedule.](../images/memcm/memcm-deploy-wdac-4.jpg) + + For more information on using MEMCM's native WDAC policies, see [Windows Defender Application Control management with Configuration Manager](/mem/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager). +The entire WDAC in MEMCM Lab Paper is available for download [here](../pdfs/WDAC-Deploy-WDAC-using-MEMCM.pdf). + ## Deploy custom WDAC policies using Packages/Programs or Task Sequences Using MEMCM's built-in policies can be a helpful starting point, but customers may find the circle-of-trust options available in MEMCM too limiting. To define your own circle-of-trust, you can use MEMCM to deploy custom WDAC policies using [script-based deployment](deploy-wdac-policies-with-script.md) via Software Distribution Packages and Programs or Operating System Deployment Task Sequences. diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-group-policy.md similarity index 100% rename from windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md rename to windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-group-policy.md 
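Review bot: step 3 of "Deploy the WDAC Policy in MEMCM" says "Select the Device Collection you created earlier", but nothing earlier in this page creates a collection; add a prerequisite step or link for creating the collection, or reword to "the device collection that should receive the policy". Other issues in the same hunk: the console node is "Assets and Compliance", not "Asset and Compliance"; the numbered steps are interrupted by unindented image lines, which restarts list numbering when rendered, so indent each image under its step; two alt texts are reused verbatim ("Create a WDAC path rule in MEMCM." on memcm-create-wdac-rule.jpg and memcm-create-wdac-rule-2.jpg, "Deploy WDAC via MEMCM." on memcm-deploy-wdac.jpg and memcm-deploy-wdac-2.jpg), so screen readers cannot distinguish them; the only rule type walked through is a **File** or **Folder** path rule, and since a folder rule trusts whatever later lands in that folder, the steps should at least tell readers to choose locations that standard users cannot write to; and the closing "available for download [here]" link needs descriptive link text, while the 2.6 MB PDF it points to (pdfs/WDAC-Deploy-WDAC-using-MEMCM.pdf, added by this patch) is better hosted outside the docs source tree than committed as a binary.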
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md similarity index 100% rename from windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md rename to windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md diff --git a/windows/security/threat-protection/windows-defender-application-control/feature-availability.md b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md index 5b024e8790..081fd263a5 100644 --- a/windows/security/threat-protection/windows-defender-application-control/feature-availability.md +++ b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md @@ -34,7 +34,7 @@ ms.technology: windows-sec |-------------|------|-------------| | Platform support | Available on Windows 10, Windows 11, and Windows Server 2016 or later | Available on Windows 8 or later | | SKU availability | Cmdlets are available on all SKUs on 1909+ builds.
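Review bot: the two rename diffs move deploy-windows-defender-application-control-policies-using-intune.md and deploy-windows-defender-application-control-policies-using-group-policy.md into deployment/, which changes their published URLs; the patch updates the in-repo links (AppIdTagging, TOC.yml, create-wdac-deny-policy.md) but adds no redirection entries for the old paths, so external links and bookmarks to the old locations will break. Add redirects for both files in the repo's redirection configuration as part of this change.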
For pre-1909 builds, cmdlets are only available on Enterprise but policies are effective on all SKUs. | Policies deployed through GP are only effective on Enterprise devices.
Policies deployed through MDM are effective on all SKUs. | -| Management solutions |
  • [Intune](./deploy-windows-defender-application-control-policies-using-intune.md) (limited built-in policies or custom policy deployment via OMA-URI)
  • [Microsoft Endpoint Manager Configuration Manager (MEMCM)](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) (limited built-in policies or custom policy deployment via Software Distribution)
  • [Group Policy](./deploy-windows-defender-application-control-policies-using-group-policy.md)
  • PowerShell
|
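Review bot: the feature-availability.md hunk is cut off after the removed "Management solutions" row, so the replacement row cannot be checked in this view; when completing it, make sure the Intune and Group Policy links use the new deployment/ paths introduced by the renames in this patch. Also, this row links MEMCM as /configmgr/protect/deploy-use/use-device-guard-with-configuration-manager while deploy-wdac-policies-with-memcm.md links the same page as /mem/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager; pick one canonical path and use it in both places.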