deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'main' into systemapps22h2

Browse Source
This commit is contained in:
Nicholas S. White 2023-02-13 12:13:32 -05:00 committed by GitHub
commit 17473a8efa
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
77 changed files with 2621 additions and 1586 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
.openpublishing.redirection.json
View File

@ -20514,6 +20514,11 @@
"source_path": "windows/deployment/windows-autopatch/references/windows-autopatch-wqu-unsupported-policies.md",
"redirect_url": "/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies",
"redirect_document_id": true
},
{
"source_path": "windows/client-management/mdm/policy-ddf-file.md",
"redirect_url": "/windows/client-management/mdm/configuration-service-provider-ddf",
"redirect_document_id": true
}
]
}

3
browsers/edge/docfx.json
View File

@ -28,6 +28,9 @@
],
"globalMetadata": {
"recommendations": true,
"ms.collection": [
"tier3"
],
"breadcrumb_path": "/microsoft-edge/breadcrumbs/toc.json",
"ROBOTS": "INDEX, FOLLOW",
"ms.technology": "microsoft-edge",

3
browsers/internet-explorer/docfx.json
View File

@ -24,6 +24,9 @@
],
"globalMetadata": {
"recommendations": true,
"ms.collection": [
"tier3"
],
"breadcrumb_path": "/internet-explorer/breadcrumb/toc.json",
"ROBOTS": "INDEX, FOLLOW",
"ms.topic": "article",

5
education/docfx.json
View File

@ -29,7 +29,10 @@
"globalMetadata": {
"recommendations": true,
"ms.topic": "article",
"ms.collection": "education",
"ms.collection": [
"education",
"tier2"
],
"ms.prod": "windows-client",
"ms.technology": "itpro-edu",
"author": "paolomatarazzo",

2
education/index.yml
View File

@ -45,7 +45,7 @@ productDirectory:
text: Azure information protection deployment acceleration guide
- url: /defender-cloud-apps/get-started
text: Microsoft Defender for Cloud Apps
- url: /microsoft-365/compliance/create-test-tune-dlp-policy
- url: /microsoft-365/compliance/information-protection#prevent-data-loss
text: Data loss prevention
- url: /microsoft-365/compliance/
text: Microsoft Purview compliance

1
education/windows/autopilot-reset.md
View File

@ -7,6 +7,7 @@ appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
ms.collection:
- highpri
- tier2
- education
---

3
education/windows/change-home-to-edu.md
View File

@ -7,6 +7,9 @@ author: scottbreenmsft
ms.author: scbree
ms.reviewer: paoloma
manager: jeffbu
ms.collection:
- tier3
- education
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
---

3
education/windows/change-to-pro-education.md
View File

@ -7,6 +7,7 @@ appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
ms.collection:
- highpri
- tier2
- education
---
@ -147,7 +148,7 @@ Existing Azure AD domain joined devices will be changed to Windows 10 Pro Educat
### For new devices that are not Azure AD joined
Now that you've turned on the setting to automatically change to Windows 10 Pro Education, the users are ready to change their devices running Windows 10 Pro, version 1607 or higher, version 1703 to Windows 10 Pro Education edition.
#### Step 1: Join users devices to Azure AD
#### Step 1: Join users' devices to Azure AD
Users can join a device to Azure AD the first time they start the device (during setup), or they can join a device that they already use running Windows 10 Pro, version 1607 or higher, version 1703.

4
education/windows/configure-aad-google-trust.md
View File

@ -1,7 +1,7 @@
---
title: Configure federation between Google Workspace and Azure AD
description: Configuration of a federated trust between Google Workspace and Azure AD, with Google Workspace acting as an identity provider (IdP) for Azure AD.
ms.date: 01/17/2023
ms.date: 02/10/2023
ms.topic: how-to
---
@ -42,7 +42,7 @@ To test federation, the following prerequisites must be met:
1. On the *Service provider details* page
- Select the option **Signed response**
- Verify that the Name ID format is set to **PERSISTENT**
- Depending on how the Azure AD users have been provisioned in Azure AD, you may need to adjust the **Name ID** mapping. For more information, see (article to write).\
- Depending on how the Azure AD users have been provisioned in Azure AD, you may need to adjust the **Name ID** mapping.\
If using Google auto-provisioning, select **Basic Information > Primary email**
- Select **Continue**
1. On the *Attribute mapping* page, map the Google attributes to the Azure AD attributes

1
education/windows/edu-stickers.md
View File

@ -8,6 +8,7 @@ appliesto:
ms.collection:
- highpri
- education
- tier2
---
# Configure Stickers for Windows 11 SE

4
education/windows/federated-sign-in.md
View File

@ -5,6 +5,10 @@ ms.date: 01/12/2023
ms.topic: how-to
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE</a>
ms.collection:
- highpri
- tier1
- education
---
<!-- MAXADO-6286399 -->

1
education/windows/get-minecraft-for-education.md
View File

@ -8,6 +8,7 @@ appliesto:
ms.collection:
- highpri
- education
- tier2
---
# Get Minecraft: Education Edition

7
education/windows/school-get-minecraft.md
View File

@ -8,6 +8,7 @@ appliesto:
ms.collection:
- highpri
- education
- tier2
---
# For IT administrators - get Minecraft: Education Edition
@ -34,7 +35,7 @@ If you turn off this setting after students have been using Minecraft: Education
Users in a Microsoft verified academic institution account will have access to the free trial limited logins for Minecraft: Education Edition. This grants faculty accounts 25 free logins and student accounts 10 free logins. To purchase direct licenses, see [Minecraft: Education Edition - direct purchase](#individual-copies).
If youve been approved and are part of the Enrollment for Education Solutions volume license program, you can purchase a volume license for Minecraft: Education Edition. For more information, see [Minecraft: Education Edition - volume license](#volume-license).
If you've been approved and are part of the Enrollment for Education Solutions volume license program, you can purchase a volume license for Minecraft: Education Edition. For more information, see [Minecraft: Education Edition - volume license](#volume-license).
### <a href="" id="individual-copies"></a>Minecraft: Education Edition - direct purchase
@ -48,7 +49,7 @@ If youve been approved and are part of the Enrollment for Education Solutions
5. Select the quantity of licenses you would like to purchase and select **Place Order**.
6. After youve purchased licenses, youll need to [assign them to users in the Admin Center](/microsoft-365/admin/manage/assign-licenses-to-users).
6. After you've purchased licenses, you'll need to [assign them to users in the Admin Center](/microsoft-365/admin/manage/assign-licenses-to-users).
If you need additional licenses for **Minecraft: Education Edition**, see [Buy or remove subscription licenses](/microsoft-365/commerce/licenses/buy-licenses).
@ -57,7 +58,7 @@ If you need additional licenses for **Minecraft: Education Edition**, see [Buy o
Qualified education institutions can purchase Minecraft: Education Edition licenses through their Microsoft channel partner. Schools need to be part of the Enrollment for Education Solutions (EES) volume licensing program. Educational institutions should work with their channel partner to determine which Minecraft: Education Edition licensing offer is best for their institution. The process looks like this:
- Your channel partner will submit and process your volume license order, your licenses will be shown on [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx), and the licenses will be available in your [Microsoft Store for Education](https://www.microsoft.com/business-store) inventory.
- Youll receive an email with a link to Microsoft Store for Education.
- You'll receive an email with a link to Microsoft Store for Education.
- Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com) to distribute and manage the Minecraft: Education Edition licenses. For more information on distribution options, see [Distribute Minecraft](#distribute-minecraft)
## Minecraft: Education Edition payment options

1
education/windows/teacher-get-minecraft.md
View File

@ -8,6 +8,7 @@ appliesto:
ms.collection:
- highpri
- education
- tier2
---
# For teachers - get Minecraft: Education Edition

1
education/windows/test-windows10s-for-edu.md
View File

@ -8,6 +8,7 @@ appliesto:
ms.collection:
- highpri
- education
- tier2
---
# Test Windows 10 in S mode on existing Windows 10 education devices

8
education/windows/windows-11-se-overview.md
View File

@ -8,6 +8,7 @@ appliesto:
ms.collection:
- highpri
- education
- tier1
---
# Windows 11 SE Overview
@ -93,6 +94,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us
| `Class Policy` | 114.0.0 | Win32 | `Class Policy` |
| `Classroom.cloud` | 1.40.0004 | Win32 | `NetSupport` |
| `CoGat Secure Browser` | 11.0.0.19 | Win32 | `Riverside Insights` |
| `ContentKeeper Cloud` | 9.01.45 | Win32 | `ContentKeeper Technologies` |
| `Dragon Professional Individual` | 15.00.100 | Win32 | `Nuance Communications` |
| `DRC INSIGHT Online Assessments` | 12.0.0.0 | `Store` | `Data recognition Corporation` |
| `Duo from Cisco` | 3.0.0 | Win32 | `Cisco` |
@ -104,7 +106,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us
| `Free NaturalReader` | 16.1.2 | Win32 | `Natural Soft` |
| `Ghotit Real Writer & Reader` | 10.14.2.3 | Win32 | `Ghotit Ltd` |
| `GoGuardian` | 1.4.4 | Win32 | `GoGuardian` |
| `Google Chrome` | 102.0.5005.115 | Win32 | `Google` |
| `Google Chrome` | 109.0.5414.75 | Win32 | `Google` |
| `Illuminate Lockdown Browser` | 2.0.5 | Win32 | `Illuminate Education` |
| `Immunet` | 7.5.8.21178 | Win32 | `Immunet` |
| `Impero Backdrop Client` | 4.4.86 | Win32 | `Impero Software` |
@ -137,10 +139,10 @@ The following applications can also run on Windows 11 SE, and can be deployed us
| `Respondus Lockdown Browser` | 2.0.9.03 | Win32 | `Respondus` |
| `Safe Exam Browser` | 3.4.1.505 | Win32 | `Safe Exam Browser` |
| `Senso.Cloud` | 2021.11.15.0 | Win32 | `Senso.Cloud` |
| `Smoothwall Monitor` | 2.8.0 | Win32 | `Smoothwall Ltd` |
| `Smoothwall Monitor` | 2.9.2 | Win32 | `Smoothwall Ltd` |
| `SuperNova Magnifier & Screen Reader` | 21.02 | Win32 | `Dolphin Computer Access` |
| `SuperNova Magnifier & Speech` | 21.02 | Win32 | `Dolphin Computer Access` |
|`TX Secure Browser` | 15.0.0 | Win32 | `Cambium Development`
|`TX Secure Browser` | 15.0.0 | Win32 | `Cambium Development` |
| `VitalSourceBookShelf` | 10.2.26.0 | Win32 | `VitalSource Technologies Inc` |
| `Winbird` | 19 | Win32 | `Winbird Co., Ltd.` |
| `WordQ` | 5.4.23 | Win32 | `Mathetmots` |

3
education/windows/windows-11-se-settings-list.md
View File

@ -5,6 +5,9 @@ ms.topic: article
ms.date: 09/12/2022
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE</a>
ms.collection:
- education
- tier1
---
# Windows 11 SE for Education settings list

3
store-for-business/docfx.json
View File

@ -32,6 +32,9 @@
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"ms.collection": [
"tier2"
],
"breadcrumb_path": "/microsoft-store/breadcrumb/toc.json",
"ms.author": "trudyha",
"audience": "ITPro",

3
windows/application-management/docfx.json
View File

@ -35,6 +35,9 @@
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
"ms.collection": [
"tier2"
],
"uhfHeaderId": "MSDocsHeader-M365-IT",
"ms.technology": "itpro-apps",
"ms.topic": "article",

8
windows/client-management/change-history-for-mdm-documentation.md
View File

@ -185,7 +185,7 @@ As of November 2020 This page will no longer be updated. This article lists new
|[RemoteWipe CSP](mdm/remotewipe-csp.md)|Added new settings in Windows 10, version 1809.|
|[TenantLockdown CSP](mdm/tenantlockdown-csp.md)|Added new CSP in Windows 10, version 1809.|
|[WindowsDefenderApplicationGuard CSP](mdm/windowsdefenderapplicationguard-csp.md)|Added new settings in Windows 10, version 1809.|
|[Policy DDF file](mdm/policy-ddf-file.md)|Posted an updated version of the Policy DDF for Windows 10, version 1809.|
|[Policy DDF file](mdm/configuration-service-provider-ddf.md)|Posted an updated version of the Policy DDF for Windows 10, version 1809.|
|[Policy CSP](mdm/policy-configuration-service-provider.md)|Added the following new policies in Windows 10, version 1809:<li>Browser/AllowFullScreenMode<li>Browser/AllowPrelaunch<li>Browser/AllowPrinting<li>Browser/AllowSavingHistory<li>Browser/AllowSideloadingOfExtensions<li>Browser/AllowTabPreloading<li>Browser/AllowWebContentOnNewTabPage<li>Browser/ConfigureFavoritesBar<li>Browser/ConfigureHomeButton<li>Browser/ConfigureKioskMode<li>Browser/ConfigureKioskResetAfterIdleTimeout<li>Browser/ConfigureOpenMicrosoftEdgeWith<li>Browser/ConfigureTelemetryForMicrosoft365Analytics<li>Browser/PreventCertErrorOverrides<li>Browser/SetHomeButtonURL<li>Browser/SetNewTabPageURL<li>Browser/UnlockHomeButton<li>Experience/DoNotSyncBrowserSettings<li>Experience/PreventUsersFromTurningOnBrowserSyncing<li>Kerberos/UPNNameHints<li>Privacy/AllowCrossDeviceClipboard<li>Privacy<li>DisablePrivacyExperience<li>Privacy/UploadUserActivities<li>System/AllowDeviceNameInDiagnosticData<li>System/ConfigureMicrosoft365UploadEndpoint<li>System/DisableDeviceDelete<li>System/DisableDiagnosticDataViewer<li>Storage/RemovableDiskDenyWriteAccess<li>Update/UpdateNotificationLevel<br/><br/>Start/DisableContextMenus - added in Windows 10, version 1803.<br/><br/>RestrictedGroups/ConfigureGroupMembership - added new schema to apply and retrieve the policy.|
## July 2018
@ -217,7 +217,7 @@ As of November 2020 This page will no longer be updated. This article lists new
|New or updated article|Description|
|--- |--- |
|[Policy DDF file](mdm/policy-ddf-file.md)|Updated the DDF files in the Windows 10 version 1703 and 1709.<li>[Download the Policy DDF file for Windows 10, version 1709](https://download.microsoft.com/download/8/C/4/8C43C116-62CB-470B-9B69-76A3E2BC32A8/PolicyDDF_all.xml)<li>[Download the Policy DDF file for Windows 10, version 1703](https://download.microsoft.com/download/7/2/C/72C36C37-20F9-41BF-8E23-721F6FFC253E/PolicyDDF_all.xml)|
|[Policy DDF file](mdm/configuration-service-provider-ddf.md)|Updated the DDF files in the Windows 10 version 1703 and 1709.<li>[Download the Policy DDF file for Windows 10, version 1709](https://download.microsoft.com/download/8/C/4/8C43C116-62CB-470B-9B69-76A3E2BC32A8/PolicyDDF_all.xml)<li>[Download the Policy DDF file for Windows 10, version 1703](https://download.microsoft.com/download/7/2/C/72C36C37-20F9-41BF-8E23-721F6FFC253E/PolicyDDF_all.xml)|
## April 2018
@ -281,7 +281,7 @@ As of November 2020 This page will no longer be updated. This article lists new
| New or updated article | Description |
| --- | --- |
| [Policy DDF file](mdm/policy-ddf-file.md) | Updated the DDF content for Windows 10 version 1709. Added a link to the download of Policy DDF for Windows 10, version 1709. |
| [Policy DDF file](mdm/configuration-service-provider-ddf.md) | Updated the DDF content for Windows 10 version 1709. Added a link to the download of Policy DDF for Windows 10, version 1709. |
| [Policy CSP](mdm/policy-configuration-service-provider.md) | Updated the following policies:<br/><br/>- Defender/ControlledFolderAccessAllowedApplications - string separator is `|` <br/>- Defender/ControlledFolderAccessProtectedFolders - string separator is `|` |
| [eUICCs CSP](mdm/euiccs-csp.md) | Added new CSP in Windows 10, version 1709. |
| [AssignedAccess CSP](mdm/assignedaccess-csp.md) | Added SyncML examples for the new Configuration node. |
@ -313,5 +313,5 @@ As of November 2020 This page will no longer be updated. This article lists new
|[Office CSP](mdm/office-csp.md)|Added the following setting in Windows 10, version 1709:<li>Installation/CurrentStatus|
|[BitLocker CSP](mdm/bitlocker-csp.md)|Added information to the ADMX-backed policies. Changed the minimum personal identification number (PIN) length to four digits in SystemDrivesRequireStartupAuthentication and SystemDrivesMinimumPINLength in Windows 10, version 1709.|
|[Firewall CSP](mdm/firewall-csp.md)|Updated the CSP and DDF topics. Here are the changes:<li>Removed the two settings - FirewallRules/FirewallRuleName/FriendlyName and FirewallRules/FirewallRuleName/IcmpTypesAndCodes.<li>Changed some data types from integer to bool.<li>Updated the list of supported operations for some settings.<li>Added default values.|
|[Policy DDF file](mdm/policy-ddf-file.md)|Added another Policy DDF file [download](https://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607_8C.xml) for the 8C release of Windows 10, version 1607, which added the following policies:<li>Browser/AllowMicrosoftCompatibilityList<li>Update/DisableDualScan<li>Update/FillEmptyContentUrls|
|[Policy DDF file](mdm/configuration-service-provider-ddf.md)|Added another Policy DDF file [download](https://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607_8C.xml) for the 8C release of Windows 10, version 1607, which added the following policies:<li>Browser/AllowMicrosoftCompatibilityList<li>Update/DisableDualScan<li>Update/FillEmptyContentUrls|
|[Policy CSP](mdm/policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1709:<li>Browser/ProvisionFavorites<li>Browser/LockdownFavorites<li>ExploitGuard/ExploitProtectionSettings<li>Games/AllowAdvancedGamingServices<li>LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts<li>LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly<li>LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount<li>LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount<li>LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked<li>LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayLastSignedIn<li>LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayUsernameAtSignIn<li>LocalPoliciesSecurityOptions/Interactivelogon_DoNotRequireCTRLALTDEL<li>LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit<li>LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn<li>LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn<li>LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests<li>LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn<li>LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation<li>LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators<li>LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers<li>LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated<li>LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations<li>LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode<li>LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation<li>LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations<li>Privacy/EnableActivityFeed<li>Privacy/PublishUserActivities<li>Update/DisableDualScan<li>Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork<br/><br/>Changed the name of new policy to CredentialProviders/DisableAutomaticReDeploymentCredentials from CredentialProviders/EnableWindowsAutopilotResetCredentials.<br/><br/>Changed the names of the following policies:<li>Defender/GuardedFoldersAllowedApplications to Defender/ControlledFolderAccessAllowedApplications<li>Defender/GuardedFoldersList to Defender/ControlledFolderAccessProtectedFolders<li>Defender/EnableGuardMyFolders to Defender/EnableControlledFolderAccess<br/><br/>Added links to the extra [ADMX-backed BitLocker policies](mdm/policy-csp-bitlocker.md).<br/><br/>There were issues reported with the previous release of the following policies. These issues were fixed in Windows 10, version 1709:<li>Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts<li>Start/HideAppList|

3
windows/client-management/docfx.json
View File

@ -34,6 +34,9 @@
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"ms.collection": [
"tier2"
],
"breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",
"ms.technology": "itpro-manage",

579
windows/client-management/mdm/configuration-service-provider-ddf.md
View File

@ -14,9 +14,571 @@ ms.collection: highpri
# Configuration service provider DDF files
This topic shows the OMA DM device description framework (DDF) for various configuration service providers. DDF files are used only with OMA DM provisioning XML.
This article lists the OMA DM device description framework (DDF) files for various configuration service providers. DDF files are used only with OMA DM provisioning XML.
You can download the DDF files for various CSPs from the links below:
As of December 2022, DDF XML schema was updated to include additional information such as OS build applicability. DDF v2 XML files for Windows 10 and Windows 11 are combined, and provided in a single download:
- [DDF v2 Files, December 2022](https://download.microsoft.com/download/7/4/c/74c6daca-983e-4f16-964a-eef65b553a37/DDFv2December2022.zip)
## DDF v2 schema
DDF v2 XML schema definition is listed below along with the schema definition for the referenced `MSFT` namespace.
- Schema definition for DDF v2:
```xml
<?xml version="1.0" encoding="Windows-1252"?>
<xs:schema xmlns="http://tempuri.org/DM_DDF-V1_2" elementFormDefault="qualified" targetNamespace="http://tempuri.org/DM_DDF-V1_2"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<xs:import schemaLocation="DDFv2Msft.xsd" namespace="http://schemas.microsoft.com/MobileDevice/DM" />
<xs:element name="MgmtTree">
<xs:annotation>
<xs:documentation>Starting point for DDF</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:sequence>
<xs:element ref="VerDTD" />
<xs:element minOccurs="1" ref="MSFT:Diagnostics" />
<xs:element minOccurs="1" maxOccurs="unbounded" ref="Node" />
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="VerDTD" type="xs:string" />
<xs:element name="Node">
<xs:annotation>
<xs:documentation>Main Recurring XML tag describing nodes of the CSP</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:sequence>
<xs:element ref="NodeName" />
<xs:element minOccurs="0" maxOccurs="1" ref="Path" />
<xs:element minOccurs="1" maxOccurs="1" ref="DFProperties" />
<xs:choice>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="Node" />
</xs:choice>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="NodeName" type="xs:anyURI" />
<xs:element name="Path" type="xs:anyURI" />
<xs:element name="MIME" type="xs:string" />
<xs:element name="DDFName" type="xs:string" />
<xs:element name="DFProperties">
<xs:complexType>
<xs:sequence>
<xs:element ref="AccessType" />
<xs:element minOccurs="0" maxOccurs="1" ref="DefaultValue" />
<xs:element minOccurs="0" maxOccurs="1" ref="Description" />
<xs:element ref="DFFormat" />
<xs:element minOccurs="0" maxOccurs="1" ref="Occurrence" />
<xs:element minOccurs="0" maxOccurs="1" ref="Scope" />
<xs:element minOccurs="0" maxOccurs="1" ref="DFTitle" />
<xs:element ref="DFType" />
<xs:element minOccurs="0" maxOccurs="1" ref="CaseSense" />
<xs:element minOccurs="0" maxOccurs="1" ref="MSFT:Applicability" />
<xs:element minOccurs="0" maxOccurs="1" ref="MSFT:DynamicNodeNaming" />
<xs:element minOccurs="0" maxOccurs="1" ref="MSFT:AllowedValues" />
<xs:element minOccurs="0" maxOccurs="1" ref="MSFT:ReplaceBehavior" />
<xs:element minOccurs="0" maxOccurs="1" ref="MSFT:RebootBehavior" />
<xs:element minOccurs="0" maxOccurs="1" ref="MSFT:GpMapping" />
<xs:element minOccurs="0" maxOccurs="1" ref="MSFT:CommonErrorResults" />
<xs:element minOccurs="0" maxOccurs="1" ref="MSFT:Deprecated" />
<xs:element minOccurs="0" maxOccurs="1" ref="MSFT:DependencyBehavior" />
<xs:element minOccurs="0" maxOccurs="1" ref="MSFT:ConflictResolution" />
<xs:element minOccurs="0" maxOccurs="1" ref="MSFT:AtomicRequired" />
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="AccessType">
<xs:complexType>
<xs:sequence>
<xs:element minOccurs="0" maxOccurs="1" name="Add" />
<xs:element minOccurs="0" maxOccurs="1" name="Copy" />
<xs:element minOccurs="0" maxOccurs="1" name="Delete" />
<xs:element minOccurs="0" maxOccurs="1" name="Exec" />
<xs:element minOccurs="0" maxOccurs="1" name="Get" />
<xs:element minOccurs="0" maxOccurs="1" name="Replace" />
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="DefaultValue" type="xs:string" />
<xs:element name="Description" type="xs:string" />
<xs:element name="DFFormat">
<xs:complexType>
<xs:choice>
<xs:element name="b64" />
<xs:element name="bin" />
<xs:element name="bool" />
<xs:element name="chr" />
<xs:element name="int" />
<xs:element name="node" />
<xs:element name="null" />
<xs:element name="xml" />
<xs:element name="date" />
<xs:element name="time" />
<xs:element name="float" />
</xs:choice>
</xs:complexType>
</xs:element>
<xs:element name="Occurrence">
<xs:complexType>
<xs:choice>
<xs:element name="One" />
<xs:element name="ZeroOrOne" />
<xs:element name="ZeroOrMore" />
<xs:element name="OneOrMore" />
<xs:element name="ZeroOrN" type="xs:integer" />
<xs:element name="OneOrN" type="xs:integer" />
</xs:choice>
</xs:complexType>
</xs:element>
<xs:element name="Scope">
<xs:complexType>
<xs:choice>
<xs:element name="Permanent" />
<xs:element name="Dynamic" />
</xs:choice>
</xs:complexType>
</xs:element>
<xs:element name="DFTitle" type="xs:string" />
<xs:element name="DFType">
<xs:complexType>
<xs:choice>
<xs:element minOccurs="1" maxOccurs="unbounded" ref="MIME" />
<xs:element ref="DDFName" />
</xs:choice>
</xs:complexType>
</xs:element>
<xs:element name="CaseSense">
<xs:complexType>
<xs:choice>
<xs:element name="CS" />
<xs:element name="CIS" />
</xs:choice>
</xs:complexType>
</xs:element>
</xs:schema>
```
- Schema definition for the `MSFT` namespace:
```xml
<?xml version="1.0" encoding="utf-8"?>
<xs:schema elementFormDefault="qualified" xmlns="http://schemas.microsoft.com/MobileDevice/DM" targetNamespace="http://schemas.microsoft.com/MobileDevice/DM" xmlns:xs="http://www.w3.org/2001/XMLSchema">
<xs:element name="Diagnostics" type="xs:string">
<xs:annotation>
<xs:documentation>This node contains an XML blob that can be used as an argument to the DiagnosticsLogCSP to pull diagnostics for a feature.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Deprecated">
<xs:annotation>
<xs:documentation>This node marks that a feature is deprecated. If included, OsBuildDeprecated gives the OS Build version that the node is no longer recommended to be set.</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:attribute name="OsBuildDeprecated" type="xs:string" />
</xs:complexType>
</xs:element>
<xs:element name="DynamicNodeNaming">
<xs:annotation>
<xs:documentation>This node contains information on how to dynamically name the node such that the name is valid.</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:choice>
<xs:element name="ServerGeneratedUniqueIdentifier">
<xs:annotation>
<xs:documentation>This indicates that the server should generate a unique identifier for the node.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="ClientInventory">
<xs:annotation>
<xs:documentation>This indicates that the client will generate the name of the node based on the device state (such as inventorying apps).</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="UniqueName" type="xs:string">
<xs:annotation>
<xs:documentation>This indicates that the server should name the node, and the value listed gives a regex to define what is allowed.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:choice>
</xs:complexType>
</xs:element>
<xs:element name="ConflictResolution" default="NoMerge">
<xs:simpleType>
<xs:annotation>
<xs:documentation>The type of the conflict resolution.</xs:documentation>
</xs:annotation>
<xs:restriction base="xs:string">
<xs:enumeration value="NoMerge">
<xs:annotation>
<xs:documentation>No policy merge.</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="LowestValueMostSecure">
<xs:annotation>
<xs:documentation>The lowest value is the most secure policy value.</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="HighestValueMostSecure">
<xs:annotation>
<xs:documentation>The highest value is the most secure policy value.</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="LastWrite">
<xs:annotation>
<xs:documentation>The last written value is current value</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="LowestValueMostSecureZeroHasNoLimits">
<xs:annotation>
<xs:documentation>The lowest value is the most secure policy value unless the value is zero.</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="HighestValueMostSecureZeroHasNoLimits">
<xs:annotation>
<xs:documentation>The highest value is the most secure policy value unless the value is zero.</xs:documentation>
</xs:annotation>
</xs:enumeration>
</xs:restriction>
</xs:simpleType>
</xs:element>
<xs:element name="Applicability">
<xs:annotation>
<xs:documentation>These tags indicate what are required on the device for the node to be applicable to configured. These tags can be inherited by children nodes.</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:sequence>
<xs:element minOccurs="0" maxOccurs="1" name="OsBuildVersion" type="xs:string">
<xs:annotation>
<xs:documentation>This tag describes the first build that a feature is released to. If the feature was backported, multiple OS versions will be listed, such that the OS build version without a minor number is the first "major release."</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element minOccurs="0" maxOccurs="1" name="CspVersion" type="xs:decimal">
<xs:annotation>
<xs:documentation>This tag describes the lowest CSP Version that the node was released to.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element minOccurs="0" maxOccurs="1" name="EditionAllowList" type="xs:string">
<xs:annotation>
<xs:documentation>This tag describes the list of Edition IDs that the features is allowed on. 0x88* refers to Windows Holographic for Business.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element minOccurs="0" maxOccurs="1" name="RequiresAzureAd">
<xs:annotation>
<xs:documentation>This tag indicates that the node requires the device to be Azure Active Directory Joined to be applicable.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="AllowedValues">
<xs:annotation>
<xs:documentation>These tags describe what values are allowed to be set for this particular node.</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:group ref="AllowedValuesGroup" />
<xs:attributeGroup ref="AllowedValuesAttributeGroup" />
</xs:complexType>
</xs:element>
<xs:attributeGroup name="AllowedValuesAttributeGroup">
<xs:attribute name="ValueType" use="required">
<xs:annotation>
<xs:documentation>This attribute describes what kind of Allowed Values tag this is.</xs:documentation>
</xs:annotation>
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:enumeration value="XSD">
<xs:annotation>
<xs:documentation>This attribute indicates that the Value tag contains an XSD for the node.</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="RegEx">
<xs:annotation>
<xs:documentation>This attribute indicates that the Value tag contains a RegEx for the node.</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="ADMX">
<xs:annotation>
<xs:documentation>This attribute indicates that the node can be described by an external ADMX file.</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="JSON">
<xs:annotation>
<xs:documentation>This attribute indicates that the node can be described by a JSON schema.</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="ENUM">
<xs:annotation>
<xs:documentation>This attribute indicates that the allowed values are an enumeration.</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="Flag">
<xs:annotation>
<xs:documentation>This attribute indicates that the allowed values can be combined into a bitwise flag.</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="Range">
<xs:annotation>
<xs:documentation>This attribute indicates that the allowed values are a numerical range.</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="SDDL">
<xs:annotation>
<xs:documentation>This attribute indicates that the allowed values are a string in the SDDL format.</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="None">
<xs:annotation>
<xs:documentation>This attribute indicates there is no data-driven way to define the allowed values of the node. This potentially means that all string values are valid values.</xs:documentation>
</xs:annotation>
</xs:enumeration>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
</xs:attributeGroup>
<xs:group name="AllowedValuesGroup">
<xs:sequence>
<xs:group minOccurs="0" maxOccurs="1" ref="AllowedValueGroupedNodes" />
<xs:element minOccurs="0" maxOccurs="1" name="List">
<xs:annotation>
<xs:documentation>This tag indicates that the node input can contain multiple, delimited values.</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:attribute name="Delimiter" type="xs:string" use="required">
<xs:annotation>
<xs:documentation>This attribute details the delimeter used for the list of values.</xs:documentation>
</xs:annotation>
</xs:attribute>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:group>
<xs:group name="ValueAndDescriptionGroup">
<xs:sequence>
<xs:element name="Value" type="xs:string">
<xs:annotation>
<xs:documentation>This tag indicates an allowed value.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element minOccurs="0" maxOccurs="1" name="ValueDescription" type="xs:string">
<xs:annotation>
<xs:documentation>This tag gives further description to an allowed value, such as for an enumeration.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:group>
<xs:group name="AllowedValueGroupedNodes">
<xs:choice>
<xs:element ref="Enum" maxOccurs="unbounded" />
<xs:group ref="ValueAndDescriptionGroup" />
<xs:element ref="AdmxBacked" />
</xs:choice>
</xs:group>
<xs:element name="Enum">
<xs:annotation>
<xs:documentation>This tag gives details for one particular enumeration of the allowed values.</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:sequence>
<xs:group ref="ValueAndDescriptionGroup" />
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="AdmxBacked">
<xs:annotation>
<xs:documentation>This tag indicates the relevent details for the corresponding ADMX policy for this node.</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:attribute name="Area" type="xs:string" use="required">
<xs:annotation>
<xs:documentation>This attribute gives the area path of the ADMX policy.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="Name" type="xs:string" use="required">
<xs:annotation>
<xs:documentation>This attribute gives the name of the ADMX policy.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="File" type="xs:string" use="required">
<xs:annotation>
<xs:documentation>This attribute gives the filename for the ADMX policy.</xs:documentation>
</xs:annotation>
</xs:attribute>
</xs:complexType>
</xs:element>
<xs:element name="ReplaceBehavior" default="Replace">
<xs:annotation>
<xs:documentation>This tag details the replace behavior of the node.</xs:documentation>
</xs:annotation>
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:enumeration value="Append">
<xs:annotation>
<xs:documentation>When performing a replace operation on this node, the value is appending to the existing node data.</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="Replace">
<xs:annotation>
<xs:documentation>When performing a replace operation on this node, the existing node data is removed before new data is added.</xs:documentation>
</xs:annotation>
</xs:enumeration>
</xs:restriction>
</xs:simpleType>
</xs:element>
<xs:element name="RebootBehavior" default="None">
<xs:annotation>
<xs:documentation>This tag describes the reboot behavior of the node.</xs:documentation>
</xs:annotation>
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:enumeration value="None">
<xs:annotation>
<xs:documentation>No reboot is required for this node.</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="Automatic">
<xs:annotation>
<xs:documentation>This node will automatically perform a reboot to take effect.</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="ServerInitiated">
<xs:annotation>
<xs:documentation>This node needs a reboot initiated from an external source to take effect.</xs:documentation>
</xs:annotation>
</xs:enumeration>
</xs:restriction>
</xs:simpleType>
</xs:element>
<xs:element name="GpMapping">
<xs:annotation>
<xs:documentation>This tag details the information necessary to map this node to an existing group policy.</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:attribute name="GpEnglishName" type="xs:string" use="required">
<xs:annotation>
<xs:documentation>This attribute details the English name of the GP.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="GpAreaPath" type="xs:string" use="required">
<xs:annotation>
<xs:documentation>This attribute details the area path of the GP.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="GpElement" type="xs:string">
<xs:annotation>
<xs:documentation>This attribute details a particular element of a GP that the CSP node maps to.</xs:documentation>
</xs:annotation>
</xs:attribute>
</xs:complexType>
</xs:element>
<xs:element name="CommonErrorResults">
<xs:annotation>
<xs:documentation>This tag lists out common error HRESULTS reported by the CSP and English text to associate with them.</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:sequence>
<xs:element name="CommonErrorOne" type="xs:string" />
<xs:element name="CommonErrorTwo" type="xs:string" />
<xs:element name="CommonErrorThree" type="xs:string" />
<xs:element name="CommonErrorFour" type="xs:string" />
<xs:element name="CommonErrorFive" type="xs:string" />
<xs:element name="CommonErrorSix" type="xs:string" />
<xs:element name="CommonErrorSeven" type="xs:string" />
<xs:element name="CommonErrorEight" type="xs:string" />
<xs:element name="CommonErrorNine" type="xs:string" />
<xs:element name="CommonErrorTen" type="xs:string" />
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="AtomicRequired">
<xs:annotation>
<xs:documentation>This tag indicates that this node and all children nodes should be enclosed by an Atomic tag when being sent to the client.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="DependencyBehavior">
<xs:annotation>
<xs:documentation>These tags detail potential dependencies that the current CSP node has on other nodes in the same CSP.</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:sequence>
<xs:element ref="DependencyGroup" maxOccurs="unbounded" />
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="Dependency">
<xs:annotation>
<xs:documentation>This tag describes a dependency that the current CSP node has on another nodes in the same CSP.</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:sequence>
<xs:element name="DependencyUri" type="xs:anyURI">
<xs:annotation>
<xs:documentation>The URI that the current CSP node has a dependency on.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element ref="DependencyAllowedValue" />
</xs:sequence>
<xs:attribute name="Type" use="required">
<xs:annotation>
<xs:documentation>This tag details the kind of dependency.</xs:documentation>
</xs:annotation>
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:enumeration value="DependsOn">
<xs:annotation>
<xs:documentation>The current node depends on the dependency holding a certain value.</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="Not">
<xs:annotation>
<xs:documentation>The current node depends on the dependency not holding a certain value.</xs:documentation>
</xs:annotation>
</xs:enumeration>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
</xs:complexType>
</xs:element>
<xs:element name="DependencyGroup">
<xs:annotation>
<xs:documentation>This tag details one specific dependency. A node might have multiple different dependencies.</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:sequence>
<xs:element minOccurs="0" maxOccurs="1" ref="DependencyChangedAllowedValues" />
<xs:element ref="Dependency" maxOccurs="unbounded" />
</xs:sequence>
<xs:attribute name="FriendlyId" type="xs:string" use="required">
<xs:annotation>
<xs:documentation>This attribute gives a friendly ID to the dependency, to differentiate it from other dependencies.</xs:documentation>
</xs:annotation>
</xs:attribute>
</xs:complexType>
</xs:element>
<xs:element name="DependencyAllowedValue">
<xs:annotation>
<xs:documentation>This tag details the values that the dependency must be set to for the dependency to be satisfied.</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:group ref="AllowedValuesGroup" />
<xs:attributeGroup ref="AllowedValuesAttributeGroup" />
</xs:complexType>
</xs:element>
<xs:element name="DependencyChangedAllowedValues">
<xs:annotation>
<xs:documentation>This tag details a change to the current node's allowed values if the dependency is satisfied.</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:group ref="AllowedValuesGroup" />
<xs:attributeGroup ref="AllowedValuesAttributeGroup" />
</xs:complexType>
</xs:element>
</xs:schema>
```
## Older DDF files
You can download the older DDF files for various CSPs from the links below:
- [Download all the DDF files for Windows 10, version 2004](https://download.microsoft.com/download/4/0/f/40f9ec45-3bea-442c-8afd-21edc1e057d8/Windows10_2004_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1903](https://download.microsoft.com/download/6/F/0/6F019079-6EB0-41B5-88E8-D1CE77DBA27B/Windows10_1903_DDF_download.zip)
@ -26,4 +588,15 @@ You can download the DDF files for various CSPs from the links below:
- [Download all the DDF files for Windows 10, version 1703](https://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1607](https://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
You can download DDF file for Policy CSP from [Policy DDF file](policy-ddf-file.md).
You can download the older Policy area DDF files by clicking the following links:
- [View the Policy DDF file for Windows 10, version 20H2](https://download.microsoft.com/download/4/0/f/40f9ec45-3bea-442c-8afd-21edc1e057d8/PolicyDDF_all_20H2.xml)
- [View the Policy DDF file for Windows 10, version 2004](https://download.microsoft.com/download/4/0/f/40f9ec45-3bea-442c-8afd-21edc1e057d8/PolicyDDF_all_2004.xml)
- [View the Policy DDF file for Windows 10, version 1903](https://download.microsoft.com/download/0/C/D/0CD61812-8B9C-4846-AC4A-1545BFD201EE/PolicyDDF_all_1903.xml)
- [View the Policy DDF file for Windows 10, version 1809](https://download.microsoft.com/download/7/3/5/735B8537-82F4-4CD1-B059-93984F9FAAC5/Policy_DDF_all_1809.xml)
- [View the Policy DDF file for Windows 10, version 1803](https://download.microsoft.com/download/4/9/6/496534EE-8F0C-4F12-B084-A8502DA22430/PolicyDDF_all.xml)
- [View the Policy DDF file for Windows 10, version 1803 release C](https://download.microsoft.com/download/4/9/6/496534EE-8F0C-4F12-B084-A8502DA22430/PolicyDDF_all_1809C_release.xml)
- [View the Policy DDF file for Windows 10, version 1709](https://download.microsoft.com/download/8/C/4/8C43C116-62CB-470B-9B69-76A3E2BC32A8/PolicyDDF_all.xml)
- [View the Policy DDF file for Windows 10, version 1703](https://download.microsoft.com/download/7/2/C/72C36C37-20F9-41BF-8E23-721F6FFC253E/PolicyDDF_all.xml)
- [View the Policy DDF file for Windows 10, version 1607](https://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607.xml)
- [View the Policy DDF file for Windows 10, version 1607 release 8C](https://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607_8C.xml)

2
windows/client-management/mdm/index.yml
View File

@ -47,7 +47,7 @@ landingContent:
- text: Policy CSP
url: policy-configuration-service-provider.md
- text: Policy DDF file
url: policy-ddf-file.md
url: configuration-service-provider-ddf.md
- text: Policy CSP - Start
url: policy-csp-start.md
- text: Policy CSP - Update

3
windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md
View File

@ -4,7 +4,7 @@ description: Learn about the policies in Policy CSP supported by Group Policy.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/30/2023
ms.date: 02/03/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -814,6 +814,7 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [SetPolicyDrivenUpdateSourceForOtherUpdates](policy-csp-update.md)
- [SetEDURestart](policy-csp-update.md)
- [AllowAutoWindowsUpdateDownloadOverMeteredNetwork](policy-csp-update.md)
- [AllowTemporaryEnterpriseFeatureControl](policy-csp-update.md)
- [SetDisableUXWUAccess](policy-csp-update.md)
- [SetDisablePauseUXAccess](policy-csp-update.md)
- [UpdateNotificationLevel](policy-csp-update.md)

4
windows/client-management/mdm/policy-csp-admx-windowsexplorer.md
View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_WindowsExplorer Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/09/2023
ms.date: 02/10/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -4538,7 +4538,7 @@ The first several links will also be pinned to the Start menu. A total of four l
<!-- TryHarderPinnedOpenSearch-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to add Internet or intranet sites to the "Search again" links located at the bottom of search results in File Explorer and the Start menu links. The "Search again" links at the bottom of the Search Results view allow the user to reconduct a search but in a different location. The Internet search site will be searched with the text in the search box. To add an Internet search site, specify the URL of the search site in OpenSearch format with {searchTerms} for the query string (for example, <https://www.example.com/results.aspx?q=>{searchTerms}).
This policy setting allows you to add Internet or intranet sites to the "Search again" links located at the bottom of search results in File Explorer and the Start menu links. The "Search again" links at the bottom of the Search Results view allow the user to reconduct a search but in a different location. The Internet search site will be searched with the text in the search box. To add an Internet search site, specify the URL of the search site in OpenSearch format with {searchTerms} for the query string (for example, `https://www.example.com/results.aspx?q={searchTerms}`).
You can add up to five additional links to the "Search again" links at the bottom of results returned in File Explorer after a search is executed. These links will be shared between Internet search sites and Search Connectors/Libraries. Search Connector/Library links take precedence over Internet search links.

34
windows/client-management/mdm/policy-csp-audit.md
View File

@ -4,7 +4,7 @@ description: Learn more about the Audit Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/09/2023
ms.date: 02/10/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -343,7 +343,7 @@ Volume: Low.
<!-- AccountLogonLogoff_AuditGroupMembership-Description-Begin -->
<!-- Description-Source-DDF -->
This policy allows you to audit the group memberhsip information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the Audit Logon setting under Advanced Audit Policy Configuration\System Audit Policies\Logon/Logoff. Multiple events are generated if the group memberhsip information cannot fit in a single security audit event.
This policy allows you to audit the group membership information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the Audit Logon setting under Advanced Audit Policy Configuration\System Audit Policies\Logon/Logoff. Multiple events are generated if the group membership information cannot fit in a single security audit event.
<!-- AccountLogonLogoff_AuditGroupMembership-Description-End -->
<!-- AccountLogonLogoff_AuditGroupMembership-Editable-Begin -->
@ -836,7 +836,7 @@ Volume: Low.
<!-- AccountLogonLogoff_AuditSpecialLogon-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting allows you to audit events generated by special logons such as the following : The use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. A logon by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during logon and the subcategory is enabled, an event is logged. For more information about this feature, see article 947223 in the Microsoft Knowledge Base (<https://go.microsoft.com/fwlink/?LinkId=121697)>.
This policy setting allows you to audit events generated by special logons such as the following : The use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. A logon by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during logon and the subcategory is enabled, an event is logged. For more information about this feature, see [article 947223 in the Microsoft Knowledge Base](<https://go.microsoft.com/fwlink/?LinkId=121697>).
<!-- AccountLogonLogoff_AuditSpecialLogon-Description-End -->
<!-- AccountLogonLogoff_AuditSpecialLogon-Editable-Begin -->
@ -1083,7 +1083,7 @@ Volume: Low.
<!-- AccountManagement_AuditDistributionGroupManagement-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting allows you to audit events generated by changes to distribution groups such as the following Distribution group is created, changed, or deleted. Member is added or removed from a distribution group. Distribution group type is changed. If you configure this policy setting, an audit event is generated when an attempt to change a distribution group is made. Success audits record successful attempts and Failure audits record unsuccessful attempts.
- If you do not configure this policy setting, no audit event is generated when a distribution group changes
- If you do not configure this policy setting, no audit event is generated when a distribution group changes.
> [!NOTE]
> Events in this subcategory are logged only on domain controllers.
@ -1120,7 +1120,7 @@ Volume: Low.
| Name | Value |
|:--|:--|
| Name | Audit Distributio Group Management |
| Name | Audit Distribution Group Management |
| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Account Management |
<!-- AccountManagement_AuditDistributionGroupManagement-GpMapping-End -->
@ -1332,7 +1332,7 @@ Volume: Low.
<!-- DetailedTracking_AuditDPAPIActivity-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting allows you to audit events generated when encryption or decryption requests are made to the Data Protection application interface (DPAPI). DPAPI is used to protect secret information such as stored password and key information. For more information about DPAPI, see <https://go.microsoft.com/fwlink/?LinkId=121720>. If you configure this policy setting, an audit event is generated when an encryption or decryption request is made to DPAPI. Success audits record successful requests and Failure audits record unsuccessful requests.
This policy setting allows you to audit events generated when encryption or decryption requests are made to the Data Protection application interface (DPAPI). DPAPI is used to protect secret information such as stored password and key information. For more information about DPAPI, see [How to Use Data Protection](/dotnet/standard/security/how-to-use-data-protection). If you configure this policy setting, an audit event is generated when an encryption or decryption request is made to DPAPI. Success audits record successful requests and Failure audits record unsuccessful requests.
- If you do not configure this policy setting, no audit event is generated when an encryption or decryption request is made to DPAPI.
<!-- DetailedTracking_AuditDPAPIActivity-Description-End -->
@ -1825,7 +1825,7 @@ Volume: High on domain controllers. None on client computers.
<!-- DSAccess_AuditDirectoryServiceChanges-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting allows you to audit events generated by changes to objects in Active Directory Domain Services (AD DS). Events are logged when an object is created, deleted, modified, moved, or undeleted. When possible, events logged in this subcategory indicate the old and new values of the object's properties. Events in this subcategory are logged only on domain controllers, and only objects in AD DS with a matching system access control list (SACL) are logged
This policy setting allows you to audit events generated by changes to objects in Active Directory Domain Services (AD DS). Events are logged when an object is created, deleted, modified, moved, or undeleted. When possible, events logged in this subcategory indicate the old and new values of the object's properties. Events in this subcategory are logged only on domain controllers, and only objects in AD DS with a matching system access control list (SACL) are logged.
> [!NOTE]
> Actions on some objects and properties do not cause audit events to be generated due to settings on the object class in the schema. If you configure this policy setting, an audit event is generated when an attempt to change an object in AD DS is made. Success audits record successful attempts, however unsuccessful attempts are NOT recorded.
@ -2135,7 +2135,7 @@ Volume: Medium or Low on computers running Active Directory Certificate Services
<!-- ObjectAccess_AuditDetailedFileShare-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting allows you to audit attempts to access files and folders on a shared folder. The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any connection established between a client and file share. Detailed File Share audit events include detailed information about the permissions or other criteria used to grant or deny access. If you configure this policy setting, an audit event is generated when an attempt is made to access a file or folder on a share. The administrator can specify whether to audit only successes, only failures, or both successes and failures
This policy setting allows you to audit attempts to access files and folders on a shared folder. The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any connection established between a client and file share. Detailed File Share audit events include detailed information about the permissions or other criteria used to grant or deny access. If you configure this policy setting, an audit event is generated when an attempt is made to access a file or folder on a share. The administrator can specify whether to audit only successes, only failures, or both successes and failures.
> [!NOTE]
> There are no system access control lists (SACLs) for shared folders.
@ -2201,7 +2201,7 @@ Volume: High on a file server or domain controller because of SYSVOL network acc
<!-- ObjectAccess_AuditFileShare-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting allows you to audit attempts to access a shared folder. If you configure this policy setting, an audit event is generated when an attempt is made to access a shared folder.
- If this policy setting is defined, the administrator can specify whether to audit only successes, only failures, or both successes and failures
- If this policy setting is defined, the administrator can specify whether to audit only successes, only failures, or both successes and failures.
> [!NOTE]
> There are no system access control lists (SACLs) for shared folders.
@ -2267,7 +2267,7 @@ Volume: High on a file server or domain controller because of SYSVOL network acc
<!-- ObjectAccess_AuditFileSystem-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting allows you to audit user attempts to access file system objects. A security audit event is generated only for objects that have system access control lists (SACL) specified, and only if the type of access requested, such as Write, Read, or Modify and the account making the request match the settings in the SACL. For more information about enabling object access auditing, see <https//go.microsoft.com/fwlink/?LinkId=122083>. If you configure this policy setting, an audit event is generated each time an account accesses a file system object with a matching SACL. Success audits record successful attempts and Failure audits record unsuccessful attempts.
- If you do not configure this policy setting, no audit event is generated when an account accesses a file system object with a matching SACL
- If you do not configure this policy setting, no audit event is generated when an account accesses a file system object with a matching SACL.
> [!NOTE]
> You can set a SACL on a file system object using the Security tab in that object's Properties dialog box.
@ -2455,7 +2455,7 @@ Volume: High.
<!-- ObjectAccess_AuditHandleManipulation-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting allows you to audit events generated when a handle to an object is opened or closed. Only objects with a matching system access control list (SACL) generate security audit events. If you configure this policy setting, an audit event is generated when a handle is manipulated. Success audits record successful attempts and Failure audits record unsuccessful attempts.
- If you do not configure this policy setting, no audit event is generated when a handle is manipulated
- If you do not configure this policy setting, no audit event is generated when a handle is manipulated.
> [!NOTE]
> Events in this subcategory generate events only for object types where the corresponding Object Access subcategory is enabled. For example, if File system object access is enabled, handle manipulation security audit events are generated. If Registry object access is not enabled, handle manipulation security audit events will not be generated.
@ -2519,7 +2519,7 @@ Volume: Depends on how SACLs are configured.
<!-- ObjectAccess_AuditKernelObject-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting allows you to audit attempts to access the kernel, which include mutexes and semaphores. Only kernel objects with a matching system access control list (SACL) generate security audit events
This policy setting allows you to audit attempts to access the kernel, which include mutexes and semaphores. Only kernel objects with a matching system access control list (SACL) generate security audit events.
> [!NOTE]
> The Audit Audit the access of global system objects policy setting controls the default SACL of kernel objects.
@ -2645,7 +2645,7 @@ Volume: Low.
<!-- ObjectAccess_AuditRegistry-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting allows you to audit attempts to access registry objects. A security audit event is generated only for objects that have system access control lists (SACLs) specified, and only if the type of access requested, such as Read, Write, or Modify, and the account making the request match the settings in the SACL. If you configure this policy setting, an audit event is generated each time an account accesses a registry object with a matching SACL. Success audits record successful attempts and Failure audits record unsuccessful attempts.
- If you do not configure this policy setting, no audit event is generated when an account accesses a registry object with a matching SACL
- If you do not configure this policy setting, no audit event is generated when an account accesses a registry object with a matching SACL.
> [!NOTE]
> You can set a SACL on a registry object using the Permissions dialog box.
@ -2771,10 +2771,10 @@ This policy setting allows you to audit user attempts to access file system obje
<!-- ObjectAccess_AuditSAM-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting allows you to audit events generated by attempts to access to Security Accounts Manager (SAM) objects. SAM objects include the following SAM_ALIAS -- A local group. SAM_GROUP -- A group that is not a local group. SAM_USER - A user account. SAM_DOMAIN - A domain. SAM_SERVER - A computer account. If you configure this policy setting, an audit event is generated when an attempt to access a kernel object is made. Success audits record successful attempts and Failure audits record unsuccessful attempts.
- If you do not configure this policy setting, no audit event is generated when an attempt to access a kernel object is made
- If you do not configure this policy setting, no audit event is generated when an attempt to access a kernel object is made.
> [!NOTE]
> Only the System Access Control List (SACL) for SAM_SERVER can be modified. Volume High on domain controllers. For information about reducing the amount of events generated in this subcategory, see article 841001 in the Microsoft Knowledge Base (<https//go.microsoft.com/fwlink/?LinkId=121698)>.
> Only the System Access Control List (SACL) for SAM_SERVER can be modified. Volume High on domain controllers. For information about reducing the amount of events generated in this subcategory, see [article 841001 in the Microsoft Knowledge Base](https//go.microsoft.com/fwlink/?LinkId=121698).
<!-- ObjectAccess_AuditSAM-Description-End -->
<!-- ObjectAccess_AuditSAM-Editable-Begin -->
@ -2836,7 +2836,7 @@ Volume: High on domain controllers. For more information about reducing the numb
<!-- PolicyChange_AuditAuthenticationPolicyChange-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting allows you to audit events generated by changes to the authentication policy such as the following Creation of forest and domain trusts. Modification of forest and domain trusts. Removal of forest and domain trusts. Changes to Kerberos policy under Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy. Granting of any of the following user rights to a user or group Access This Computer From the Network. Allow Logon Locally. Allow Logon Through Terminal Services. Logon as a Batch Job. Logon a Service. Namespace collision. For example, when a new trust has the same name as an existing namespace name. If you configure this policy setting, an audit event is generated when an attempt to change the authentication policy is made. Success audits record successful attempts and Failure audits record unsuccessful attempts.
- If you do not configure this policy setting, no audit event is generated when the authentication policy is changed
- If you do not configure this policy setting, no audit event is generated when the authentication policy is changed.
> [!NOTE]
> The security audit event is logged when the group policy is applied. It does not occur at the time when the settings are modified.
@ -3147,7 +3147,7 @@ Volume: Low.
<!-- PolicyChange_AuditPolicyChange-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting allows you to audit changes in the security audit policy settings such as the following Settings permissions and audit settings on the Audit Policy object. Changes to the system audit policy. Registration of security event sources. De-registration of security event sources. Changes to the per-user audit settings. Changes to the value of CrashOnAuditFail. Changes to the system access control list on a file system or registry object. Changes to the Special Groups list
This policy setting allows you to audit changes in the security audit policy settings such as the following Settings permissions and audit settings on the Audit Policy object. Changes to the system audit policy. Registration of security event sources. De-registration of security event sources. Changes to the per-user audit settings. Changes to the value of CrashOnAuditFail. Changes to the system access control list on a file system or registry object. Changes to the Special Groups list.
> [!NOTE]
> System access control list (SACL) change auditing is done when a SACL for an object changes and the policy change category is enabled. Discretionary access control list (DACL) and ownership changes are audited when object access auditing is enabled and the object's SACL is configured for auditing of DACL/Owner change.

2
windows/client-management/mdm/policy-csp-browser.md
View File

@ -3248,7 +3248,7 @@ Related Documents:
- [Find a package family name (PFN) for per-app VPN](/mem/configmgr/protect/deploy-use/find-a-pfn-for-per-app-vpn)
- [How to manage volume purchased apps from the Microsoft Store for Business with Microsoft Intune](/mem/intune/apps/windows-store-for-business)
- [Assign apps to groups with Microsoft Intune](/mem/intune/apps-deploy)
- [Assign apps to groups with Microsoft Intune](/mem/intune/apps/apps-deploy)
- [Manage apps from the Microsoft Store for Business and Education with Configuration Manager](/mem/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business)
- [Add a Windows line-of-business app to Microsoft Intune](/mem/intune/apps/lob-apps-windows)
<!-- PreventTurningOffRequiredExtensions-Editable-End -->

2
windows/client-management/mdm/policy-csp-controlpolicyconflict.md
View File

@ -58,7 +58,7 @@ This ensures that:
- The current Policy Manager policies are refreshed from what MDM has set
- Any values set by scripts/user outside of GP that conflict with MDM are removed
The [Policy DDF](policy-ddf-file.md) contains the following tags to identify the policies with equivalent GP:
The [Policy DDF](configuration-service-provider-ddf.md) contains the following tags to identify the policies with equivalent GP:
- \<MSFT:ADMXBacked\>
- \<MSFT:ADMXMapped\>

8
windows/client-management/mdm/policy-csp-defender.md
View File

@ -4,7 +4,7 @@ description: Learn more about the Defender Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/09/2023
ms.date: 02/10/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -1164,7 +1164,7 @@ This setting applies to scheduled scans, but it has no effect on scans initiated
<!-- CloudBlockLevel-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting determines how aggressive Windows Defender Antivirus will be in blocking and scanning suspicious files. Value type is integer. If this setting is on, Windows Defender Antivirus will be more aggressive when identifying suspicious files to block and scan; otherwise, it will be less aggressive and therefore block and scan with less frequency. For more information about specific values that are supported, see the Windows Defender Antivirus documentation site
This policy setting determines how aggressive Windows Defender Antivirus will be in blocking and scanning suspicious files. Value type is integer. If this setting is on, Windows Defender Antivirus will be more aggressive when identifying suspicious files to block and scan; otherwise, it will be less aggressive and therefore block and scan with less frequency. For more information about specific values that are supported, see [Specify the cloud protection level](/microsoft-365/security/defender-endpoint/specify-cloud-protection-level-microsoft-defender-antivirus).
> [!NOTE]
> This feature requires the Join Microsoft MAPS setting enabled in order to function.
@ -1232,7 +1232,7 @@ This policy setting determines how aggressive Windows Defender Antivirus will be
<!-- CloudExtendedTimeout-Description-Begin -->
<!-- Description-Source-DDF -->
This feature allows Windows Defender Antivirus to block a suspicious file for up to 60 seconds, and scan it in the cloud to make sure it's safe. Value type is integer, range is 0 - 50. The typical cloud check timeout is 10 seconds. To enable the extended cloud check feature, specify the extended time in seconds, up to an additional 50 seconds. For example, if the desired timeout is 60 seconds, specify 50 seconds in this setting, which will enable the extended cloud check feature, and will raise the total time to 60 seconds
This feature allows Windows Defender Antivirus to block a suspicious file for up to 60 seconds, and scan it in the cloud to make sure it's safe. Value type is integer, range is 0 - 50. The typical cloud check timeout is 10 seconds. To enable the extended cloud check feature, specify the extended time in seconds, up to an additional 50 seconds. For example, if the desired timeout is 60 seconds, specify 50 seconds in this setting, which will enable the extended cloud check feature, and will raise the total time to 60 seconds.
> [!NOTE]
> This feature depends on three other MAPS settings the must all be enabled- Configure the 'Block at First Sight' feature; Join Microsoft MAPS; Send file samples when further analysis is required.
@ -1980,7 +1980,7 @@ Allows an administrator to specify a list of directory paths to ignore during a
<!-- ExcludedProcesses-Description-Begin -->
<!-- Description-Source-DDF -->
Allows an administrator to specify a list of files opened by processes to ignore during a scan
Allows an administrator to specify a list of files opened by processes to ignore during a scan.
> [!IMPORTANT]
> The process itself is not excluded from the scan, but can be by using the Defender/ExcludedPaths policy to exclude its path. Each file type must be separated by a |. For example, C\Example. exe|C\Example1.exe.

2
windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
View File

@ -19,7 +19,7 @@ ms.topic: reference
<!-- LocalPoliciesSecurityOptions-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!NOTE]
> To find data formats (and other policy-related details), see [Policy DDF file](./policy-ddf-file.md).
> To find data formats (and other policy-related details), see [Policy DDF file](./configuration-service-provider-ddf.md).
<!-- LocalPoliciesSecurityOptions-Editable-End -->
<!-- Accounts_BlockMicrosoftAccounts-Begin -->

83
windows/client-management/mdm/policy-csp-update.md
View File

@ -4,7 +4,7 @@ description: Learn more about the Update Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/18/2023
ms.date: 02/03/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -16,6 +16,9 @@ ms.topic: reference
<!-- Update-Begin -->
# Policy CSP - Update
> [!IMPORTANT]
> This CSP contains preview policies that are under development and only applicable for [Windows Insider Preview builds](/windows-insider/). These policies are subject to change and may have dependencies on other features or services in preview.
<!-- Update-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Update-Editable-End -->
@ -23,6 +26,7 @@ ms.topic: reference
Update CSP policies are listed below based on the group policy area:
- [Windows Insider Preview](#windows-insider-preview)
- [AllowTemporaryEnterpriseFeatureControl](#allowtemporaryenterprisefeaturecontrol)
- [ConfigureDeadlineNoAutoRebootForFeatureUpdates](#configuredeadlinenoautorebootforfeatureupdates)
- [ConfigureDeadlineNoAutoRebootForQualityUpdates](#configuredeadlinenoautorebootforqualityupdates)
- [Manage updates offered from Windows Update](#manage-updates-offered-from-windows-update)
@ -103,6 +107,75 @@ Update CSP policies are listed below based on the group policy area:
## Windows Insider Preview
<!-- AllowTemporaryEnterpriseFeatureControl-Begin -->
### AllowTemporaryEnterpriseFeatureControl
<!-- AllowTemporaryEnterpriseFeatureControl-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview |
<!-- AllowTemporaryEnterpriseFeatureControl-Applicability-End -->
<!-- AllowTemporaryEnterpriseFeatureControl-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Update/AllowTemporaryEnterpriseFeatureControl
```
<!-- AllowTemporaryEnterpriseFeatureControl-OmaUri-End -->
<!-- AllowTemporaryEnterpriseFeatureControl-Description-Begin -->
<!-- Description-Source-ADMX -->
Features introduced via servicing (outside of the annual feature update) are off by default for devices that have their Windows updates managed*.
- If this policy is configured to "Enabled", then all features available in the latest monthly quality update installed will be on.
- If this policy is set to "Not Configured" or "Disabled" then features that are shipped via a monthly quality update (servicing) will remain off until the feature update that includes these features is installed.
*Windows update managed devices are those that have their Windows updates managed via policy; whether via the cloud using Windows Update for Business or on-premises with Windows Server Update Services (WSUS).
<!-- AllowTemporaryEnterpriseFeatureControl-Description-End -->
<!-- AllowTemporaryEnterpriseFeatureControl-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- AllowTemporaryEnterpriseFeatureControl-Editable-End -->
<!-- AllowTemporaryEnterpriseFeatureControl-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- AllowTemporaryEnterpriseFeatureControl-DFProperties-End -->
<!-- AllowTemporaryEnterpriseFeatureControl-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Not allowed. |
| 1 | Allowed. |
<!-- AllowTemporaryEnterpriseFeatureControl-AllowedValues-End -->
<!-- AllowTemporaryEnterpriseFeatureControl-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | AllowTemporaryEnterpriseFeatureControl |
| Friendly Name | Enable features introduced via servicing that are off by default |
| Location | Computer Configuration |
| Path | Windows Components > Windows Update > Manage end user experience |
| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate |
| Registry Value Name | AllowTemporaryEnterpriseFeatureControl |
| ADMX File Name | WindowsUpdate.admx |
<!-- AllowTemporaryEnterpriseFeatureControl-GpMapping-End -->
<!-- AllowTemporaryEnterpriseFeatureControl-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- AllowTemporaryEnterpriseFeatureControl-Examples-End -->
<!-- AllowTemporaryEnterpriseFeatureControl-End -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Begin -->
### ConfigureDeadlineNoAutoRebootForFeatureUpdates
@ -2589,7 +2662,7 @@ If you select "Apply only during active hours" in conjunction with Option 1 or 2
<!-- ScheduledInstallDay-Description-Begin -->
<!-- Description-Source-DDF -->
Enables the IT admin to schedule the day of the update installation. The data type is a integer.
Enables the IT admin to schedule the day of the update installation. The data type is an integer.
<!-- ScheduledInstallDay-Description-End -->
<!-- ScheduledInstallDay-Editable-Begin -->
@ -2660,7 +2733,7 @@ Enables the IT admin to schedule the day of the update installation. The data ty
<!-- ScheduledInstallEveryWeek-Description-Begin -->
<!-- Description-Source-DDF -->
Enables the IT admin to schedule the update installation on the every week. Value type is integer.
Enables the IT admin to schedule the update installation every week. Value type is integer.
<!-- ScheduledInstallEveryWeek-Description-End -->
<!-- ScheduledInstallEveryWeek-Editable-Begin -->
@ -2985,7 +3058,7 @@ Enables the IT admin to schedule the update installation on the third week of th
<!-- ScheduledInstallTime-Description-Begin -->
<!-- Description-Source-DDF -->
the IT admin to schedule the time of the update installation. The data type is a integer. Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM. The default value is 3.
the IT admin to schedule the time of the update installation. The data type is an integer. Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM. The default value is 3.
<!-- ScheduledInstallTime-Description-End -->
<!-- ScheduledInstallTime-Editable-Begin -->
@ -3044,7 +3117,7 @@ Enables the IT admin to schedule the update installation on the third week of th
<!-- SetDisablePauseUXAccess-Description-Begin -->
<!-- Description-Source-ADMX -->
This setting allows to remove access to "Pause updates" feature.
This setting allows removing access to "Pause updates" feature.
Once enabled user access to pause updates is removed.
<!-- SetDisablePauseUXAccess-Description-End -->

32
windows/client-management/mdm/policy-ddf-file.md
View File

@ -1,32 +0,0 @@
---
title: Policy DDF file
description: Learn about the OMA DM device description framework (DDF) for the Policy configuration service provider.
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 10/28/2020
---
# Policy DDF file
This topic shows the OMA DM device description framework (DDF) for the **Policy** configuration service provider. DDF files are used only with OMA DM provisioning XML.
You can view various Policy DDF files by clicking the following links:
- [View the Policy DDF file for Windows 10, version 20H2](https://download.microsoft.com/download/4/0/f/40f9ec45-3bea-442c-8afd-21edc1e057d8/PolicyDDF_all_20H2.xml)
- [View the Policy DDF file for Windows 10, version 2004](https://download.microsoft.com/download/4/0/f/40f9ec45-3bea-442c-8afd-21edc1e057d8/PolicyDDF_all_2004.xml)
- [View the Policy DDF file for Windows 10, version 1903](https://download.microsoft.com/download/0/C/D/0CD61812-8B9C-4846-AC4A-1545BFD201EE/PolicyDDF_all_1903.xml)
- [View the Policy DDF file for Windows 10, version 1809](https://download.microsoft.com/download/7/3/5/735B8537-82F4-4CD1-B059-93984F9FAAC5/Policy_DDF_all_1809.xml)
- [View the Policy DDF file for Windows 10, version 1803](https://download.microsoft.com/download/4/9/6/496534EE-8F0C-4F12-B084-A8502DA22430/PolicyDDF_all.xml)
- [View the Policy DDF file for Windows 10, version 1803 release C](https://download.microsoft.com/download/4/9/6/496534EE-8F0C-4F12-B084-A8502DA22430/PolicyDDF_all_1809C_release.xml)
- [View the Policy DDF file for Windows 10, version 1709](https://download.microsoft.com/download/8/C/4/8C43C116-62CB-470B-9B69-76A3E2BC32A8/PolicyDDF_all.xml)
- [View the Policy DDF file for Windows 10, version 1703](https://download.microsoft.com/download/7/2/C/72C36C37-20F9-41BF-8E23-721F6FFC253E/PolicyDDF_all.xml)
- [View the Policy DDF file for Windows 10, version 1607](https://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607.xml)
- [View the Policy DDF file for Windows 10, version 1607 release 8C](https://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607_8C.xml)
You can download DDF files for various CSPs from [CSP DDF files download](configuration-service-provider-ddf.md).

2
windows/client-management/mdm/toc.yml
View File

@ -34,7 +34,7 @@ items:
href: policy-configuration-service-provider.md
items:
- name: Policy CSP DDF file
href: policy-ddf-file.md
href: configuration-service-provider-ddf.md
- name: Policy CSP support scenarios
items:
- name: ADMX policies in Policy CSP

2
windows/client-management/mdm/uefi-csp.md
View File

@ -31,7 +31,7 @@ The UEFI Configuration Service Provider (CSP) interfaces to UEFI's Device Firmwa
> The UEFI CSP version published in Windows 10, version 1803 is replaced with this one (version 1809).
> [!NOTE]
> The production UEFI CSP is present in 1809, but it depends upon the [Device Firmware Configuration Interface (DFCI) and UEFI firmware](https://microsoft.github.io/mu/dyn/mu_plus/DfciPkg/Docs/Dfci_Feature/) to comply with this interface.
> The production UEFI CSP is present in 1809, but it depends upon the [Device Firmware Configuration Interface (DFCI) and UEFI firmware](https://microsoft.github.io/mu/dyn/mu_feature_dfci/DfciPkg/Docs/Dfci_Feature/) to comply with this interface.
The following shows the UEFI CSP in tree format.
```

3
windows/configuration/docfx.json
View File

@ -34,6 +34,9 @@
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"ms.collection": [
"tier2"
],
"breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",
"ms.technology": "itpro-configure",

2
windows/deployment/do/TOC.yml
View File

@ -55,7 +55,7 @@
items:
- name: Frequently Asked Questions
href: mcc-isp-faq.yml
- name: Enhancing VM performance
- name: Enhancing cache performance
href: mcc-isp-vm-performance.md
- name: Support and troubleshooting
href: mcc-isp-support.md

BIN
windows/deployment/do/images/mcc-isp-create-resource-fields.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 306 KiB

BIN
windows/deployment/do/images/mcc-isp-create-resource-validated.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 171 KiB

26
windows/deployment/do/mcc-enterprise-appendix.md
View File

@ -12,7 +12,7 @@ ms.technology: itpro-updates
# Appendix
## Steps to obtain an Azure Subscription ID
## Steps to obtain an Azure subscription ID
<!--Using include file, get-azure-subscription.md, do/mcc-isp.md for shared content-->
[!INCLUDE [Get Azure subscription](includes/get-azure-subscription.md)]
@ -23,12 +23,20 @@ If you're not able to sign up for a Microsoft Azure subscription with the **Acco
- [Can't sign up for a Microsoft Azure subscription](/troubleshoot/azure/general/cannot-sign-up-subscription).
- [Troubleshoot issues when you sign up for a new account in the Azure portal](/azure/cost-management-billing/manage/troubleshoot-azure-sign-up).
## Installing on VMWare
## Hardware specifications
We've seen that Microsoft Connected Cache for Enterprise and Education can be successfully installed on VMWare. To do so, there are a couple of additional configurations to be made:
Most customers choose to install their cache node on a Windows Server with a nested Hyper-V VM. If this isn't supported in your network, some customers have also opted to install their cache node using VMware. At this time, a Linux-only solution isn't available and Azure VMs don't support the standalone Microsoft Connected Cache.
### Installing on VMware
We've seen that Microsoft Connected Cache for Enterprise and Education can be successfully installed on VMware. To do so, there are a couple of additional configurations to be made:
1. Ensure that you're using ESX. In the VM settings, turn on the option **Expose hardware assisted virtualization to the guest OS**.
1. Using the HyperV Manager, create an external switch. For the external switch to have internet connection, ensure **"Allow promiscuous mode"**, **"Allow forged transmits"**, and **"Allow MAC changes"** are all switched to **Yes**.
1. Using the Hyper-V Manager, create an external switch. For the external switch to have internet connection, ensure **"Allow promiscuous mode"**, **"Allow forged transmits"**, and **"Allow MAC changes"** are all switched to **Yes**.
### Installing on Hyper-V
To learn more about how to configure Intel and AMD processors to support nested virtualization, see [Run Hyper-V in a Virtual Machine with Nested Virtualization](/virtualization/hyper-v-on-windows/user-guide/nested-virtualization).
## Diagnostics Script
@ -65,17 +73,17 @@ communication operations. The runtime performs several functions:
For more information on Azure IoT Edge, see the [Azure IoT Edge documentation](/azure/iot-edge/about-iot-edge).
## Routing local Windows Clients to an MCC
## Routing local Windows clients to an MCC
### Get the IP address of your MCC using ifconfig
There are multiple methods that can be used to apply a policy to PCs that should participate in downloading from the MCC.
#### Registry Key
#### Registry key
You can either set your MCC IP address or FQDN using:
1. Registry Key (version 1709 and later):
1. Registry key (version 1709 and later):
`HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization`
</br>
"DOCacheHost"=" "
@ -86,7 +94,7 @@ You can either set your MCC IP address or FQDN using:
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization" /v DOCacheHost /t REG_SZ /d "10.137.187.38" /f
```
1. MDM Path (version 1809 and later):
1. MDM path (version 1809 and later):
`.Vendor/MSFT/Policy/Config/DeliveryOptimization/DOCacheHost`
@ -95,7 +103,7 @@ You can either set your MCC IP address or FQDN using:
:::image type="content" source="./images/ent-mcc-group-policy-hostname.png" alt-text="Screenshot of the Group Policy editor showing the Cache Server Hostname Group Policy setting." lightbox="./images/ent-mcc-group-policy-hostname.png":::
**Verify Content using the DO Client**
## Verify content using the DO client
To verify that the Delivery Optimization client can download content using MCC, you can use the following steps:

19
windows/deployment/do/mcc-enterprise-deploy.md
View File

@ -31,18 +31,18 @@ To deploy MCC to your server:
For questions regarding these instructions contact [msconnectedcache@microsoft.com](mailto:msconnectedcache@microsoft.com)
### Provide Microsoft with the Azure Subscription ID
### Provide Microsoft with the Azure subscription ID
As part of the MCC preview onboarding process an Azure subscription ID must be provided to Microsoft.
> [!IMPORTANT]
> [Take this survey](https://aka.ms/MSConnectedCacheSignup) and provide your Azure subscription ID and contact information to be added to the allowlist for this preview. You will not be able to proceed if you skip this step.
For information about creating or locating your subscription ID, see [Steps to obtain an Azure Subscription ID](mcc-enterprise-appendix.md#steps-to-obtain-an-azure-subscription-id).
For information about creating or locating your subscription ID, see [Steps to obtain an Azure subscription ID](mcc-enterprise-appendix.md#steps-to-obtain-an-azure-subscription-id).
### Create the MCC resource in Azure
The MCC Azure management portal is used to create and manage MCC nodes. An Azure Subscription ID is used to grant access to the preview and to create the MCC resource in Azure and Cache nodes.
The MCC Azure management portal is used to create and manage MCC nodes. An Azure subscription ID is used to grant access to the preview and to create the MCC resource in Azure and Cache nodes.
Once you take the survey above and the MCC team adds your subscription ID to the allowlist, you'll be given a link to the Azure portal where you can create the resource described below.
@ -221,7 +221,7 @@ Installing MCC on your Windows device is a simple process. A PowerShell script p
1. If this is your first MCC deployment, select **n** so that a new IoT Hub can be created. If you have already configured MCC before, choose **y** so that your MCCs are grouped in the same IoT Hub.
1. You'll be shown a list of existing IoT Hubs in your Azure Subscription. Enter the number corresponding to the IoT Hub to select it. **You'll likely have only 1 IoT Hub in your subscription, in which case you want to enter "1"**
1. You'll be shown a list of existing IoT Hubs in your Azure subscription. Enter the number corresponding to the IoT Hub to select it. **You'll likely have only 1 IoT Hub in your subscription, in which case you want to enter "1"**
:::image type="content" source="./images/ent-mcc-script-select-hub.png" alt-text="Screenshot of the installer script running in PowerShell prompting you to select which IoT Hub to use." lightbox="./images/ent-mcc-script-select-hub.png":::
:::image type="content" source="./images/ent-mcc-script-complete.png" alt-text="Screenshot of the installer script displaying the completion summary in PowerShell." lightbox="./images/ent-mcc-script-complete.png":::
@ -235,7 +235,7 @@ Installing MCC on your Windows device is a simple process. A PowerShell script p
## Verify proper functioning MCC server
#### Verify Client Side
#### Verify client side
Connect to the EFLOW VM and check if MCC is properly running:
@ -305,21 +305,16 @@ sudo iotedge list
:::image type="content" source="./images/ent-mcc-iotedge-list.png" alt-text="Screenshot of the iotedge list command." lightbox="./images/ent-mcc-iotedge-list.png":::
If edgeAgent and edgeHub containers are listed, but not "MCC", you may view the status of the IoT Edge security manager using the command:
If edgeAgent and edgeHub containers are listed, but not "MCC", you may view the status of the IoT Edge security manager by using the command:
```bash
sudo journalctl -u iotedge -f
```
For example, this command will provide the current status of the starting, stopping of a container, or the container pull and start.
This command will provide the current status of the starting, stopping of a container, or the container pull and start.
:::image type="content" source="./images/ent-mcc-journalctl.png" alt-text="Screenshot of the output from journalctl -u iotedge -f." lightbox="./images/ent-mcc-journalctl.png":::
Use this command to check the IoT Edge Journal
```bash
sudo journalctl -u iotedge -f
```
> [!NOTE]
> You should consult the IoT Edge troubleshooting guide ([Common issues and resolutions for Azure IoT Edge](/azure/iot-edge/troubleshoot)) for any issues you may encounter configuring IoT Edge, but we've listed a few issues that we encountered during our internal validation.

6
windows/deployment/do/mcc-enterprise-prerequisites.md
View File

@ -24,13 +24,12 @@ ms.technology: itpro-updates
Your Azure subscription ID is first used to provision MCC services, and enable access to the preview. The MCC server requirement for an Azure subscription will cost you nothing. If you don't have an Azure subscription already, you can create an Azure [Pay-As-You-Go](https://azure.microsoft.com/offers/ms-azr-0003p/) account, which requires a credit card for verification purposes. For more information, see the [Azure Free Account FAQ](https://azure.microsoft.com/free/free-account-faq/).
The resources used for the preview and in the future when this product is ready for production will be free to you, like other caching solutions.
2. **Hardware to host MCC**: The recommended configuration will serve approximately 35000 managed devices, downloading a 2 GB payload in 24-hour timeframe at a sustained rate of 6.5 Gbps.
1. **Hardware to host MCC**: The recommended configuration will serve approximately 35000 managed devices, downloading a 2 GB payload in 24-hour timeframe at a sustained rate of 6.5 Gbps.
> [!NOTE]
> Azure VMs are not currently supported. If you'd like to install your cache node on VMWare, see the [Appendix](mcc-enterprise-appendix.md) for a few additional configurations.
**EFLOW Requires Hyper-V support**
**EFLOW requires Hyper-V support**
- On Windows client, enable the Hyper-V feature
- On Windows Server, install the Hyper-V role and create a default network switch
@ -44,6 +43,7 @@ ms.technology: itpro-updates
VM networking:
- An external virtual switch to support outbound and inbound network communication (created during the installation process)
1. **Content endpoints**: If you're using a proxy or firewall, certain endpoints must be allowed through in order for your MCC to cache and serve content. See [Delivery Optimization and Microsoft Connected Cache content type endpoints](delivery-optimization-endpoints.md) for the list of required endpoints.
## Sizing recommendations

16
windows/deployment/do/mcc-isp-create-provision-deploy.md
View File

@ -10,7 +10,7 @@ ms.date: 12/31/2017
ms.technology: itpro-updates
---
# Create, Configure, provision, and deploy the cache node in Azure portal
# Create, configure, provision, and deploy the cache node in Azure portal
**Applies to**
@ -58,8 +58,8 @@ BGP (Border Gateway Protocol) routing is another method offered for client routi
1. Enter the max allowable egress that your hardware can support.
1. Under **Cache storage**, specify the location of the cache drives to store content along with the size of the cache drives in Gigabytes.
**Note:** Up to nine cache drives are supported.
1. Under **Cache storage**, specify the location of the cache drive folder to store content along with the size of the cache drives in Gigabytes.
**Note:** This is a **required** field. Up to nine cache drive folders are supported.
1. Under **Routing information**, select the routing method you would like to use. For more information, see [Client routing](#client-routing).
@ -110,10 +110,10 @@ There are five IDs that the device provisioning script takes as input in order t
1. Copy and paste the script command line shown in the Azure portal.
1. Run the script in your server terminal for your cache node by . The script may take a few minutes to run. If there were no errors, you have set up your cache node successfully. To verify the server is set up correctly, follow the [verification steps](mcc-isp-verify-cache-node.md).
1. Run the script in your server terminal for your cache node. The script may take a few minutes to run. If there were no errors, you have set up your cache node successfully. To verify the server is set up correctly, follow the [verification steps](mcc-isp-verify-cache-node.md).
> [!NOTE]
> The same script can be used to provision multiple cache nodes, but the command line is unique per cache node. Additionally, if you need to reprovision your server or provision a new server or VM for the cache node, you must copy the command line from the Azure portal again as the "registrationkey" value is unique for each successful execution of the provisioning script.
> The same script can be used to provision multiple cache nodes, but the command line is unique per cache node. Additionally, if you need to re-provision your server or provision a new server or VM for the cache node, you must copy the command line from the Azure portal again as the "registrationkey" value is unique for each successful execution of the provisioning script.
### General configuration fields
@ -127,12 +127,12 @@ There are five IDs that the device provisioning script takes as input in order t
### Storage fields
> [!IMPORTANT]
> All cache drives must have read/write permissions set or the cache node will not function.
> For example, in a terminal you can run: `sudo chmod 777 /path/to/cachedrive`
> All cache drives must have full read/write permissions set or the cache node will not function.
> For example, in a terminal you can run: `sudo chmod 777 /path/to/cachedrivefolder`
| Field Name | Expected Value| Description |
|---|---|---|
| **Cache drive** | File path string | Up to 9 drives can be configured for each cache node to configure cache storage. Enter the file path to each drive. For example: `/dev/folder/` Each cache drive should have read/write permissions configured. |
| **Cache drive folder** | File path string | Up to 9 drive folders accessible by the cache node can be configured for each cache node to configure cache storage. Enter the location of the folder in Ubuntu where the external physical drive is mounted. For example: `/dev/sda3/` Each cache drive should have read/write permissions configured. Ensure your disks are mounted and visit [Attach a data disk to a Linux VM](/azure/virtual-machines/linux/attach-disk-portal#find-the-disk) for more information.|
| **Cache drive size in gigabytes** | Integer in GB | Set the size of each drive configured for the cache node. |
### Client routing fields

10
windows/deployment/do/mcc-isp-faq.yml
View File

@ -69,8 +69,6 @@ sections:
answer: We have already successfully onboarded ISPs in many countries around the world and have received positive feedback! However, you can always start off with a portion of your CIDR blocks to test out the performance of MCC before expanding to more customers.
- question: How does Microsoft Connected Cache populate its content?
answer: Microsoft Connected Cache is a cold cache warmed by client requests. The client requests content and that is what fills up the cache. There's no off-peak cache fill necessary. Microsoft Connected Cache will reach out to different CDN providers just like a client device would. The traffic flow from Microsoft Connected Cache will vary depending on how you currently transit to each of these CDN providers. The content can come from third party CDNs or from AFD.
- question: What do I do if I need more support and have more questions even after reading this FAQ page?
answer: For further support for Microsoft Connected Cache, visit [Troubleshooting Issues for Microsoft Connected Cache for ISP (public preview)](mcc-isp-support.md).
- question: What CDNs will Microsoft Connected Cache pull content from?
answer: |
Microsoft relies on a dynamic mix of 1st and 3rd party CDN providers to ensure enough capacity, redundancy, and performance for the delivery of Microsoft served content. Though we don't provide lists of the CDN vendors we utilize as they can change without notice, our endpoints are public knowledge. If someone were to perform a series of DNS lookups against our endpoints (tlu.dl.delivery.mp.microsoft.com for example), they would be able to determine which CDN or CDNs were in rotation at a given point in time:
@ -82,3 +80,11 @@ sections:
$ whois 13.107.4.50|grep "Organization:"
Organization: Microsoft Corporation (MSFT)
- question: I'm a network service provider and have downstream transit customers. If one of my downstream transit customers onboards to Microsoft Connected Cache, how will it affect my traffic?
answer: If a downstream customer deploys a Microsoft Connected Cache node, the cache controller will prefer the downstream ASN when handling that ASN's traffic.
- question: I signed up for Microsoft Connected Cache, but I'm not receiving the verification email. What should I do?
answer: First, check that the email under the NOC role is correct in your PeeringDB page. If the email associated with NOC role is correct, search for an email from the sender "microsoft-noreply@microsoft.com" with the email subject - "Here's your Microsoft Connected Cache verification code" in your Spam folders. Still can't find it? Ensure that your email admin rules allow emails from the sender "microsoft-noreply@microsoft.com".
- question: I have an active MCC, but I'm noticing I hit the message limit for my IoT Hub each day. Does this affect my MCC performance and should I be concerned?
answer: Even when the quota of 8k messages is hit, the MCC functionality won't be affected. Your client devices will continue to download content as normal. You'll also not be charged above the 8k message limit, so you don't need to worry at all about getting a paid plan. MCC will always be a free service. So if functionality isn't impacted, what is? Instead, messages about the configuration or edge deployment would be impacted. This means that if there was a request to update your MCC and the daily quota was reached, your MCC might not update. In that case, you would just need to wait for the next day to update. This is only a limitation of the private preview and isn't an issue during public preview.
- question: What do I do if I need more support and have more questions even after reading this FAQ page?
answer: For further support for Microsoft Connected Cache, visit [Troubleshooting Issues for Microsoft Connected Cache for ISP (public preview)](mcc-isp-support.md).

67
windows/deployment/do/mcc-isp-signup.md
View File

@ -24,21 +24,37 @@ This article details the process of signing up for Microsoft Connected Cache for
## Prerequisites
Before you begin sign up, ensure you have the following components:
- **Azure Pay-As-You-Go subscription**: Microsoft Connected Cache is a completely free-of-charge service hosted in Azure. You will need to have a Pay-As-You-Go subscription in order to onboard to our service. To create a subscription, [visit this page](https://azure.microsoft.com/offers/ms-azr-0003p/).
- **Access to Azure portal**: Ensure you have the credentials needed to access your organization's Azure portal.
- **Peering DB**: Ensure your organization's [Peering DB](https://www.peeringdb.com/) page is up-to-date and active. Check that the NOC email listed is accurate, and that you have access to this email.
- **Server**: Ensure the server you wish to install Microsoft Connected Cache on is ready, and that the server is installed Ubuntu 20.04 LTS.
1. **Azure Pay-As-You-Go subscription**: Microsoft Connected Cache is a completely free-of-charge service hosted in Azure. You'll need to have a Pay-As-You-Go subscription in order to onboard to our service. To create a subscription, go to the [Pay-As-You-Go subscription page](https://azure.microsoft.com/offers/ms-azr-0003p/).
1. **Access to Azure portal**: Ensure you have the credentials needed to access your organization's Azure portal.
1. **Peering DB**: Ensure your organization's [Peering DB](https://www.peeringdb.com/) page is up-to-date and active. Check that the NOC email listed is accurate, and that you have access to this email.
1. **Server**: Ensure the server you wish to install Microsoft Connected Cache on is ready, and that the server is installed on Ubuntu 20.04 LTS.
1. **Configure cache drive**: Make sure that you have a data drive configured with full permissions on your server. You'll need to specify the location for this cache drive during the cache node configuration process. The minimum size for the data drive is 100 GB. For instructions to mount a disk on a Linux VM, see [Attach a data disk to a Linux VM](/azure/virtual-machines/linux/attach-disk-portal#find-the-disk).
## Resource creation and sign up process
1. Navigate to the [Azure portal](https://www.portal.azure.com). Select **Create a Resource**. Then, search for **Microsoft Connected Cache**.
:::image type="content" source="./images/mcc-isp-search.png" alt-text="Screenshot of the Azure portal that shows the Microsoft Connected Cache resource in Azure marketplace.":::
:::image type="content" source="./images/mcc-isp-search.png" alt-text="Screenshot of the Azure portal that shows the Microsoft Connected Cache resource in Azure marketplace." lightbox="./images/mcc-isp-search.png":::
1. Select **Create** to create a **Microsoft Connected Cache**. When prompted, enter a name for your cache resource.
1. Select **Create** to create a **Microsoft Connected Cache**. When prompted, choose the subscription, resource group, and location of your cache node. Also, enter a name for your cache node.
:::image type="content" source="./images/mcc-isp-create-resource-fields.png" alt-text="Screenshot of the Azure portal that shows the Microsoft Connected Cache resource creation step." lightbox="./images/mcc-isp-create-resource-fields.png":::
> [!IMPORTANT]
> After your resource has been created, we need some information to verify your network operator status and approve you to host Microsoft Connected Cache nodes. Please ensure that your [Peering DB](https://www.peeringdb.com/) organization information is up to date as this information will be used for verification. The NOC contact email will be used to send verification information.
After a few moments, you'll see a "Validation successful" message, indicating you can move onto the next step and select **Create**.
:::image type="content" source="./images/mcc-isp-create-resource-validated.png" alt-text="Screenshot of the Azure portal that shows a green validation successful message for the creation of the Microsoft Connected Cache resource." lightbox="./images/mcc-isp-create-resource-validated.png":::
1. The creation of the cache node may take a few minutes. After a successful creation, you'll see a **Deployment complete** page as below. Select **Go to resource**.
:::image type="content" source="./images/mcc-isp-deployment-complete.png" alt-text="Screenshot of the Azure portal that shows a successful deployment for the creation of the Microsoft Connected Cache resource." lightbox="./images/mcc-isp-deployment-complete.png":::
1. Navigate to **Settings** > **Sign up**. Enter your organization ASN. Indicate whether you're a transit provider. If so, additionally, include any ASN(s) for downstream network operators that you may transit traffic for.
:::image type="content" source="./images/mcc-isp-sign-up.png" alt-text="Screenshot of the sign up page in the Microsoft Connected Cache resource page in Azure portal." lightbox="./images/mcc-isp-sign-up.png":::
@ -48,7 +64,10 @@ Before you begin sign up, ensure you have the following components:
> [!NOTE]
> Verification codes expire in 24 hours. You will need to generate a new code if it expires.
:::image type="content" source="images/mcc-isp-operator-verification.png" alt-text="Screenshot of the sign up verification page on Azure portal for Microsoft Connected Cache." lightbox="./images/mcc-isp-operator-verification.png":::
:::image type="content" source="images/mcc-isp-operator-verification.png" alt-text="Screenshot of the sign up verification page on Azure portal for Microsoft Connected Cache." lightbox="./images/mcc-isp-operator-verification.png":::
> [!NOTE]
> **Can't find the verification email in your inbox?** Check that the email under the NOC role is correct in [Peering DB](https://www.peeringdb.com/). Search for an email from the sender **microsoft-noreply@microsoft.com** with the email subject: "Heres your Microsoft Connected Cache verification code" in your Spam folders. Still can't find it? Ensure that your email admin rules allow emails from the sender **microsoft-noreply@microsoft.com**.
1. Once verified, follow the instructions in [Create, provision, and deploy cache node](mcc-isp-create-provision-deploy.md) to create your cache node.
@ -57,37 +76,3 @@ Before you begin sign up, ensure you have the following components:
During the sign-up process, Microsoft will provide you with a traffic estimation based on your ASN(s). We make estimations based on our predictions on historical data about Microsoft content download volume. We'll use these estimations to recommend hardware or VM configurations. You can review these recommendations within the Azure portal.
We make these estimations based on the Microsoft content types that Microsoft Connected Cache serves. To learn more about the types of content that are supported, see [Delivery Optimization and Microsoft Connected Cache content type endpoints](delivery-optimization-endpoints.md). -->
### Cache performance
To make sure you're maximizing the performance of your cache node, review the following information:
#### OS requirements
The Microsoft Connected Cache module is optimized for Ubuntu 20.04 LTS. Install Ubuntu 20.04 LTS on a physical server or VM of your choice.
#### NIC requirements
- Multiple NICs on a single MCC instance are supported using a *link aggregated* configuration.
- 10 Gbps NIC is the minimum speed recommended, but any NIC is supported.
#### Drive performance
The maximum number of disks supported is 9. When configuring your drives, we recommend SSD drives as cache read speed of SSD is superior to HDD. In addition, using multiple disks is recommended to improve cache performance.
RAID disk configurations are discouraged as cache performance will be impacted. If using RAID disk configurations, ensure striping.
### Hardware configuration example
There are many hardware configurations that suit Microsoft Connected Cache. As an example, a customer has deployed the following hardware configuration and is able to achieve a peak egress of about 35 Gbps:
**Dell PowerEdge R330**
- 2 x Intel(R) Xeon(R) CPU E5-2630 v3 @ 2.40 GHz, total 32 core
- 48 GB, Micron Technology 18ASF1G72PDZ-2G1A1, Speed: 2133 MT/s
- 4 - Transcend SSD230s 1 TB SATA Drives
- Intel Corporation Ethernet 10G 2P X520 Adapter (Link Aggregated)
### Virtual machines
Microsoft Connected Cache supports both physical and virtual machines as cache servers. If you're using a virtual machine as your server, refer to [VM performance](mcc-isp-vm-performance.md) for tips on how to improve your VM performance.

30
windows/deployment/do/mcc-isp-verify-cache-node.md
View File

@ -16,6 +16,28 @@ ms.technology: itpro-updates
This article details how to verify that your cache node(s) are functioning properly and serving traffic. This article also details how to monitor your cache nodes.
## Verify cache node installation is complete
Sign in to the Connected Cache server or use SSH. Run the following command from a terminal to see the running modules (containers):
```bash
sudo iotedge list
```
:::image type="content" source="./images/mcc-isp-running-containers.png" alt-text="Screenshot of the terminal output of iotedge list command, showing the running containers." lightbox="./images/mcc-isp-running-containers.png":::
If it lists the **edgeAgent** and **edgeHub** containers, but doesn't include **MCC**, view the status of the IoT Edge security manager using the command:
```bash
sudo iotedge system logs -- -f
```
For example, this command provides the current status of the starting and stopping of a container, or the container pull and start:
:::image type="content" source="./images/mcc-isp-edge-journalctl.png" alt-text="Terminal output of journalctl command for iotedge." lightbox="./images/mcc-isp-edge-journalctl.png":::
You may need to wait up to 30 minutes for the cache node software to complete downloading and begin caching.
## Verify functionality on Azure portal
Sign into the [Azure portal](https://www.portal.azure.com) and navigate to the **Overview** page. Select the **Monitoring** tab to verify the functionality of your server(s) by validating the number of healthy nodes shown. If you see any **Unhealthy nodes**, select the **Diagnose and Solve** link to troubleshoot and resolve the issue.
@ -48,6 +70,14 @@ http://<CacheServerIP>/mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsup
If the test fails, for more information, see the [FAQ](mcc-isp-faq.yml) article.
## Verify BGP routing configuration
To verify your BGP routes are correctly configured for a cache node, navigate to **Settings > Cache nodes**. Select the cache node you wish to verify BGP routes for.
Verify that under **Routing Information**, the state of **BGP routes received** is True. Verify the IP space is correct. Lastly, select **Download JSON** next to **Download BGP Routes** to view the BGP routes that your cache node is currently advertising.
If **BGP routes received** is False, your **IP Space** is 0, or you're experiencing any BGP routing errors, ensure your **ASN** and **IP address** is entered correctly.
## Monitor cache node health and performance
Within Azure portal, there are many charts and graphs that are available to monitor cache node health and performance.

40
windows/deployment/do/mcc-isp-vm-performance.md
View File

@ -1,5 +1,5 @@
---
title: Enhancing VM performance
title: Enhancing cache performance
manager: aaroncz
description: How to enhance performance on a virtual machine used with Microsoft Connected Cache for ISPs
ms.prod: windows-client
@ -10,11 +10,41 @@ ms.technology: itpro-updates
ms.date: 12/31/2017
---
# Enhancing virtual machine performance
# Enhancing cache performance
To make sure you're maximizing the performance of your cache node, review the following information:
#### OS requirements
The Microsoft Connected Cache module is optimized for Ubuntu 20.04 LTS. Install Ubuntu 20.04 LTS on a physical server or VM of your choice.
#### NIC requirements
- Multiple NICs on a single MCC instance are supported using a *link aggregated* configuration.
- 10 Gbps NIC is the minimum speed recommended, but any NIC is supported.
#### Drive performance
The maximum number of disks supported is 9. When configuring your drives, we recommend SSD drives as cache read speed of SSD is superior to HDD. In addition, using multiple disks is recommended to improve cache performance.
RAID disk configurations are discouraged as cache performance will be impacted. If using RAID disk configurations, ensure striping.
### Hardware configuration example
There are many hardware configurations that suit Microsoft Connected Cache. As an example, a customer has deployed the following hardware configuration and is able to achieve a peak egress of about 35 Gbps:
**Dell PowerEdge R330**
- 2 x Intel(R) Xeon(R) CPU E5-2630 v3 @ 2.40 GHz, total 32 core
- 48 GB, Micron Technology 18ASF1G72PDZ-2G1A1, Speed: 2133 MT/s
- 4 - Transcend SSD230s 1 TB SATA Drives
- Intel Corporation Ethernet 10G 2P X520 Adapter (Link Aggregated)
## Enhancing virtual machine performance
In virtual environments, the cache server egress peaks at around 1.1 Gbps. If you want to maximize the egress in virtual environments, it's critical to change two settings.
## Virtual machine settings
### Virtual machine settings
Change the following settings to maximize the egress in virtual environments:
@ -27,7 +57,3 @@ Change the following settings to maximize the egress in virtual environments:
Microsoft has found these settings to double egress when using a Microsoft Hyper-V deployment.
2. Enable high performance in the BIOS instead of energy savings. Microsoft has found this setting to also nearly double egress in a Microsoft Hyper-V deployment.
## Next steps
[Support and troubleshooting](mcc-isp-support.md)

19
windows/deployment/do/waas-microsoft-connected-cache.md
View File

@ -1,13 +1,12 @@
---
title: Microsoft Connected Cache overview
manager: dougeby
manager: aaroncz
description: This article provides information about Microsoft Connected Cache (MCC), a software-only caching solution.
ms.prod: windows-client
author: carmenf
ms.localizationpriority: medium
ms.author: carmenf
ms.topic: article
ms.custom: seo-marvel-apr2020
ms.technology: itpro-updates
ms.date: 12/31/2017
---
@ -20,13 +19,21 @@ ms.date: 12/31/2017
- Windows 11
> [!IMPORTANT]
> Microsoft Connected Cache is currently a preview feature. To view our early preview documentation, visit [Microsoft Connected Cache for Internet Service Providers (ISPs)](mcc-isp.md). For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
> Microsoft Connected Cache is currently a preview feature. To view our Microsoft Connected Cache for ISPs early preview documentation, visit [Microsoft Connected Cache for Internet Service Providers (ISPs)](mcc-isp.md). For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
Microsoft Connected Cache (MCC) preview is a software-only caching solution that delivers Microsoft content within Enterprise networks. MCC can be deployed to as many bare-metal servers or VMs as needed, and is managed from a cloud portal. Cache nodes are created in the cloud portal and are configured by applying the client policy using management tools such as Intune.
Microsoft Connected Cache is a software-only caching solution that delivers Microsoft content. Microsoft Connected Cache has two main offerings: 1) Microsoft Connected Cache for Internet Service Providers and 2) Microsoft Connected Cache for Enterprise and Education (early preview). Both products are created and managed in the cloud portal.
## Microsoft Connected Cache for ISPs (preview)
Microsoft Connected Cache (MCC) for Internet Service Providers is currently in preview. MCC can be deployed to as many bare-metal servers or VMs as needed and is managed from a cloud portal. When deployed, MCC can help to reduce your network bandwidth usage for Microsoft software content and updates. Cache nodes are created in the cloud portal and are configured to deliver traffic to customers by manual CIDR or BGP routing.
## Microsoft Connected Cache for Enterprise and Education (early preview)
Microsoft Connected Cache (MCC) for Enterprise and Education (early preview) is a software-only caching solution that delivers Microsoft content within Enterprise and Education networks. MCC can be deployed to as many Windows servers, bare-metal servers, or VMs as needed, and is managed from a cloud portal. Cache nodes are created in the cloud portal and are configured by applying the client policy using management tools such as Intune.
MCC is a hybrid (mix of on-premises and cloud resources) SaaS solution built as an Azure IoT Edge module and Docker compatible Linux container deployed to your Windows devices. The Delivery Optimization team chose IoT Edge for Linux on Windows (EFLOW) as a secure, reliable container management infrastructure. EFLOW is a Linux virtual machine, based on Microsoft's first party CBL-Mariner operating system. Its built with the IoT Edge runtime and validated as a tier 1 supported environment for IoT Edge workloads. MCC will be a Linux IoT Edge module running on the Windows Host OS.
Even though your MCC scenario isn't related to IoT, Azure IoT Edge is used as a more generic Linux container deployment and management infrastructure. The Azure IoT Edge runtime sits on your designated MCC device and performs management and communication operations. The runtime performs several functions important to manage MCC on your edge device:
## IoT Edge
Both of Microsoft Connected Cache product offerings use Azure IoT Edge. Even though your MCC scenario isn't related to IoT, Azure IoT Edge is used as a more generic Linux container deployment and management infrastructure. The Azure IoT Edge runtime sits on your designated MCC device and performs management and communication operations. The runtime performs several functions important to manage MCC on your edge device:
1. Installs and updates MCC on your edge device.
1. Maintains Azure IoT Edge security standards on your edge device.
@ -51,8 +58,6 @@ The following diagram displays and overview of how MCC functions:
:::image type="content" source="./images/waas-mcc-diag-overview.png" alt-text="Diagram displaying the components of MCC." lightbox="./images/waas-mcc-diag-overview.png":::
## Next steps
- [Microsoft Connected Cache for Enterprise and Education](mcc-enterprise-prerequisites.md)

3
windows/deployment/docfx.json
View File

@ -34,6 +34,9 @@
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"ms.collection": [
"tier2"
],
"breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",
"feedback_system": "GitHub",

2
windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md
View File

@ -17,8 +17,6 @@ msreviewer: hathind
> [!IMPORTANT]
> Make sure you've [added and verified your admin contacts](../deploy/windows-autopatch-admin-contacts.md). The Windows Autopatch Service Engineering Team will contact these individuals for assistance with remediating issues.
You can submit support tickets to Microsoft using the Windows Autopatch admin center. Email is the recommended approach to interact with the Windows Autopatch Service Engineering Team.
## Submit a new support request
Support requests are triaged and responded to as they're received.

2
windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md
View File

@ -91,7 +91,7 @@ When the assignment is complete, the **Ring assigned by** column changes to **Ad
Windows Autopatch monitors device membership in its deployment rings, except for the **Modern Workplace Devices-Windows Autopatch-Test** ring, to provide automated deployment ring remediation functions to mitigate the risk of not having its managed devices being part of one of its deployment rings. These automated functions help mitigate risk of potentially having devices in a vulnerable state, and exposed to security threats in case they're not receiving update deployments due to either:
- Changes performed by the IT admin on objects created by the Windows Autopatch tenant enrollment process, or
- An issue occurred which prevented devices from getting a deployment rings assigned during the [device registration process](../deploy/windows-autopatch-device-registration-overview.md).
- An issue occurred which prevented devices from getting a deployment ring assigned during the [device registration process](../deploy/windows-autopatch-device-registration-overview.md).
There are two automated deployment ring remediation functions:

15
windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md
View File

@ -1,7 +1,7 @@
---
title: Windows feature updates
description: This article explains how Windows feature updates are managed in Autopatch
ms.date: 02/02/2023
ms.date: 02/07/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
@ -73,6 +73,9 @@ Windows Autopatch provides a permanent pause of a Windows feature update deploym
## Pausing and resuming a release
> [!CAUTION]
> It's only recommended to use Windows Autopatch's end-user experience to pause and resume [Windows quality](../operate/windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release) and [Windows feature updates](#pausing-and-resuming-a-release). If you need assistance with pausing and resuming updates, please [submit a support request](../operate/windows-autopatch-support-request.md).
> [!IMPORTANT]
> Pausing or resuming an update can take up to eight hours to be applied to devices. Windows Autopatch uses Microsoft Intune as its management solution and that's the average frequency devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates.<p>For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).</p>
@ -88,18 +91,18 @@ Windows Autopatch provides a permanent pause of a Windows feature update deploym
8. If you're resuming an update, you can select one or more deployment rings.
9. Select **Okay**.
If you've paused an update, the specified release will have the **Customer Paused** status. The Windows Autopatch service can't overwrite a customer-initiated pause. You must select **Resume** to resume the update.
If you've paused an update, the specified release will have the **Customer Pause** status. The Windows Autopatch service can't overwrite IT admin's pause. You must select **Resume** to resume the update.
> [!NOTE]
> The **Service Paused** status only applies to [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release). Windows Autopatch doesn't pause Windows feature updates on your behalf.
> The **Service Pause** status only applies to [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release). Windows Autopatch doesn't pause Windows feature updates on your behalf.
## Rollback
Windows Autopatch doesnt support the rollback of Windows Feature updates.
Windows Autopatch doesnt support the rollback of Windows feature updates.
> [!CAUTION]
> Its not recommended to use [Microsoft Intunes capabilities](/mem/intune/protect/windows-10-update-rings#manage-your-windows-update-rings) to pause and rollback a Windows feature update. However, if you choose to pause, resume and/or roll back from Intune, Windows Autopatch is **not** responsible for any problems that arise from rolling back the Windows feature update.
> It's only recommended to use Windows Autopatch's end-user experience to pause and resume [Windows quality](../operate/windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release) and [Windows feature updates](#pausing-and-resuming-a-release). If you need assistance with pausing and resuming updates, please [submit a support request](../operate/windows-autopatch-support-request.md).
## Contact support
If youre experiencing issues related to Windows feature updates, you can [submit a support request](../operate/windows-autopatch-support-request.md). Email is the recommended approach to interact with the Windows Autopatch Service Engineering Team.
If youre experiencing issues related to Windows feature updates, you can [submit a support request](../operate/windows-autopatch-support-request.md).

18
windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md
View File

@ -1,7 +1,7 @@
---
title: Windows quality updates
description: This article explains how Windows quality updates are managed in Autopatch
ms.date: 12/15/2022
ms.date: 02/07/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
@ -9,7 +9,7 @@ ms.localizationpriority: medium
author: tiaraquan
ms.author: tiaraquan
manager: dougeby
msreviewer: hathind
msreviewer: andredm7
---
# Windows quality updates
@ -89,7 +89,7 @@ By default, the service expedites quality updates as needed. For those organizat
**To turn off service-driven expedited quality updates:**
1. Go to **[Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431)** > **Devices**.
2. Under **Windows Autopatch** > **Release management**, go to the **Release settings** tab and turn off the **Expedited Quality Updates** setting.
2. Under **Windows Autopatch** > **Release management**, go to the **Release settings** tab and turn off the **Expedited quality updates** setting.
> [!NOTE]
> Windows Autopatch doesn't allow customers to request expedited releases.
@ -108,6 +108,11 @@ Windows Autopatch schedules and deploys required Out of Band (OOB) updates relea
### Pausing and resuming a release
> [!CAUTION]
> It's only recommended to use Windows Autopatch's end-user experience to pause and resume [Windows quality](windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release) and [Windows feature updates](#pausing-and-resuming-a-release). If you need assistance with pausing and resuming updates, please [submit a support request](../operate/windows-autopatch-support-request.md).
The service-level pause of updates is driven by the various software update deployment-related signals Windows Autopatch receives from Windows Update for Business, and several other product groups within Microsoft.
If Windows Autopatch detects a [significant issue with a release](../operate/windows-autopatch-windows-quality-update-signals.md), we may decide to pause that release.
> [!IMPORTANT]
@ -125,12 +130,13 @@ If Windows Autopatch detects a [significant issue with a release](../operate/win
8. If you're resuming an update, you can select one or more deployment rings.
9. Select **Okay**.
There are two statuses associated with paused quality updates, **Service Paused** and **Customer Paused**.
The three following statuses are associated with paused quality updates:
| Status | Description |
| ----- | ------ |
| Service Paused | If the Windows Autopatch service has paused an update, the release will have the **Service Paused** status. You must [submit a support request](windows-autopatch-support-request.md) to resume the update. |
| Customer Paused | If you've paused an update, the release will have the **Customer Paused** status. The Windows Autopatch service can't overwrite a customer-initiated pause. You must select **Resume** to resume the update. |
| Service Pause | If the Windows Autopatch service has paused an update, the release will have the **Service Pause** status. You must [submit a support request](../operate/windows-autopatch-support-request.md) to resume the update. |
| Customer Pause | If you've paused an update, the release will have the **Customer Pause** status. The Windows Autopatch service can't overwrite an IT admin's pause. You must select **Resume** to resume the update. |
| Customer & Service Pause | If you and Windows Autopatch have both paused an update, the release will have the **Customer & Service Pause** status. If you resume the update, and the **Service Pause** status still remains, you must [submit a support request](../operate/windows-autopatch-support-request.md) for Windows Autopatch to resume the update deployment on your behalf. |
## Remediating Ineligible and/or Not up to Date devices

2
windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md
View File

@ -14,7 +14,7 @@ msreviewer: hathind
# Submit a tenant enrollment support request
If you need more assistance with tenant enrollment, you can submit support requests to the Windows Autopatch Service Engineering Team in the Windows Autopatch enrollment tool. Email is the recommended approach to interact with the Windows Autopatch Service Engineering Team.
If you need more assistance with tenant enrollment, you can submit support requests to the Windows Autopatch Service Engineering Team in the Windows Autopatch enrollment tool.
> [!NOTE]
> After you've successfully enrolled your tenant, this feature will no longer be accessible. You must [submit a support request through the Tenant administration menu](../operate/windows-autopatch-support-request.md).

3
windows/hub/docfx.json
View File

@ -34,6 +34,9 @@
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"ms.collection": [
"tier1"
],
"audience": "ITPro",
"breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",

4
windows/security/cryptography-certificate-mgmt.md
View File

@ -1,7 +1,6 @@
---
title: Cryptography and Certificate Management
description: Get an overview of cryptography and certificate management in Windows
search.appverid: MET150
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
@ -9,9 +8,6 @@ ms.topic: conceptual
ms.date: 09/07/2021
ms.prod: windows-client
ms.technology: itpro-security
ms.localizationpriority: medium
ms.collection:
ms.custom:
ms.reviewer: skhadeer, raverma
---

3
windows/security/docfx.json
View File

@ -34,6 +34,9 @@
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"ms.collection": [
"tier2"
],
"breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",
"ms.localizationpriority": "medium",

34
windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md
View File

@ -27,14 +27,12 @@ Windows Hello for Business cloud Kerberos trust uses *Azure AD Kerberos*, which
## Azure AD Kerberos and cloud Kerberos trust authentication
*Key trust* and *certificate trust* use certificate authentication-based Kerberos for requesting kerberos ticket-granting-tickets (TGTs) for on-premises authentication. This type of authentication requires a PKI for DC certificates, and requires end-user certificates for certificate trust.\
For *Azure AD joined devices* to have single sign-on (SSO) to on-premises resources protected by Active Directory, they must trust and validate the DC certificates. For this to happen, a certificate revocation list (CRL) must be published to an endpoint accessible by the Azure AD joined devices.
*Key trust* and *certificate trust* use certificate authentication-based Kerberos for requesting kerberos ticket-granting-tickets (TGTs) for on-premises authentication. This type of authentication requires a PKI for DC certificates, and requires end-user certificates for certificate trust.
*Cloud Kerberos trust* uses *Azure AD Kerberos*, which doesn't require any of the above PKI to request TGTs.
Cloud Kerberos trust uses Azure AD Kerberos, which doesn't require a PKI to request TGTs.\
With Azure AD Kerberos, Azure AD can issue TGTs for one or more AD domains. Windows can request a TGT from Azure AD when authenticating with Windows Hello for Business, and use the returned TGT for logon or to access traditional AD-based resources. Kerberos service tickets and authorization continue to be controlled by the on-premises Domain Controllers.
With *Azure AD Kerberos*, Azure AD can issue TGTs for one or more AD domains. Windows can request a TGT from Azure AD when authenticating with Windows Hello for Business, and use the returned TGT for logon or to access traditional AD-based resources. Kerberos service tickets and authorization continue to be controlled by the on-premises Domain Controllers.
When *Azure AD Kerberos* is enabled in an Active Directory domain, an *Azure AD Kerberos server object* is created in the domain. This object:
When Azure AD Kerberos is enabled in an Active Directory domain, an *Azure AD Kerberos server object* is created in the domain. This object:
- Appears as a Read Only Domain Controller (RODC) object, but isn't associated with any physical servers
- Is only used by Azure AD to generate TGTs for the Active Directory domain. The same rules and restrictions used for RODCs apply to the Azure AD Kerberos Server object
@ -45,7 +43,7 @@ For more information about how Azure AD Kerberos enables access to on-premises r
For more information about how Azure AD Kerberos works with Windows Hello for Business cloud Kerberos trust, see [Windows Hello for Business authentication technical deep dive](hello-how-it-works-authentication.md#hybrid-azure-ad-join-authentication-using-azure-ad-kerberos-cloud-kerberos-trust).
> [!IMPORTANT]
> When implementing the *hybrid cloud Kerberos trust* deployment model, you *must* ensure that you have an adequate number of *read-write domain controllers* in each Active Directory site where users will be authenticating with Windows Hello for Business. For more information, see [Capacity planning for Active Directory][SERV-1].
> When implementing the cloud Kerberos trust deployment model, you *must* ensure that you have an adequate number of *read-write domain controllers* in each Active Directory site where users will be authenticating with Windows Hello for Business. For more information, see [Capacity planning for Active Directory][SERV-1].
## Prerequisites
@ -73,9 +71,9 @@ The following scenarios aren't supported using Windows Hello for Business cloud
## Deployment steps
Deploying *Windows Hello for Business cloud Kerberos trust* consists of two steps:
Deploying Windows Hello for Business cloud Kerberos trust consists of two steps:
1. Set up *Azure AD Kerberos*
1. Set up Azure AD Kerberos
1. Configure a Windows Hello for Business policy and deploy it to the devices
### Deploy Azure AD Kerberos
@ -86,7 +84,7 @@ If you haven't deployed Azure AD Kerberos, follow the instructions in the [Enabl
### Configure Windows Hello for Business policy
After setting up the *Azure AD Kerberos object*, Windows Hello for business cloud Kerberos trust must be enabled on your Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO).
After setting up the Azure AD Kerberos object, Windows Hello for business cloud Kerberos trust must be enabled on your Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO).
#### [:::image type="icon" source="../../images/icons/intune.svg"::: **Intune**](#tab/intune)
@ -116,7 +114,7 @@ Windows Hello for Business settings are also available in the settings catalog.
### Configure cloud Kerberos trust policy
To configure the *cloud Kerberos trust* policy, follow the steps below:
To configure the cloud Kerberos trust policy, follow the steps below:
1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Select **Devices** > **Windows** > **Configuration Profiles** > **Create profile**.
@ -156,7 +154,7 @@ You can also create a Group Policy Central Store and copy them their respective
#### Create the Windows Hello for Business group policy object
You can configure Windows devices to enable *Windows Hello for Business cloud Kerberos trust* using a Group Policy Object (GPO).
You can configure Windows Hello for Business cloud Kerberos trust using a Group Policy Object (GPO).
1. Using the Group Policy Management Console (GPMC), scope a domain-based Group Policy to computer objects in Active Directory
1. Edit the Group Policy object from Step 1
@ -168,7 +166,7 @@ You can configure Windows devices to enable *Windows Hello for Business cloud Ke
---
> [!IMPORTANT]
> If the *Use certificate for on-premises authentication* policy is enabled, *certificate trust* will take precedence over *cloud Kerberos trust*. Ensure that the machines that you want to enable *cloud Kerberos trust* have this policy *not configured* or *disabled*.
> If the *Use certificate for on-premises authentication* policy is enabled, certificate trust will take precedence over cloud Kerberos trust. Ensure that the machines that you want to enable cloud Kerberos trust have this policy *not configured* or *disabled*.
## Provision Windows Hello for Business
@ -196,11 +194,11 @@ This is the process that occurs after a user signs in, to enroll in Windows Hell
### Sign-in
Once a user has set up a PIN with *cloud Kerberos trust*, it can be used **immediately** for sign-in. On a Hybrid Azure AD joined device, the first use of the PIN requires line of sight to a DC. Once the user has signed in or unlocked with the DC, cached sign-in can be used for subsequent unlocks without line of sight or network connectivity.
Once a user has set up a PIN with cloud Kerberos trust, it can be used **immediately** for sign-in. On a Hybrid Azure AD joined device, the first use of the PIN requires line of sight to a DC. Once the user has signed in or unlocked with the DC, cached sign-in can be used for subsequent unlocks without line of sight or network connectivity.
## Migrate from key trust deployment model to cloud Kerberos trust
If you deployed Windows Hello for Business using the *key trust model*, and want to migrate to the *cloud Kerberos trust model*, follow these steps:
If you deployed Windows Hello for Business using the key trust model, and want to migrate to the cloud Kerberos trust model, follow these steps:
1. [Set up Azure AD Kerberos in your hybrid environment](#deploy-azure-ad-kerberos)
1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy)
@ -209,14 +207,14 @@ If you deployed Windows Hello for Business using the *key trust model*, and want
> [!NOTE]
> For hybrid Azure AD joined devices, users must perform the first sign in with new credentials while having line of sight to a DC.
>
> Without line of sight to a DC, even when the client is configured to use *cloud Kerberos trust*, the system will fall back to *key trust* if *cloud Kerberos trust* login fails.
> Without line of sight to a DC, even when the client is configured to use cloud Kerberos trust, the system will fall back to key trust if cloud Kerberos trust login fails.
## Migrate from certificate trust deployment model to cloud Kerberos trust
> [!IMPORTANT]
> There is no *direct* migration path from *certificate trust* deployment to *cloud Kerberos trust* deployment. The Windows Hello container must be deleted before you can migrate to cloud Kerberos trust.
> There is no *direct* migration path from a certificate trust deployment to a cloud Kerberos trust deployment. The Windows Hello container must be deleted before you can migrate to cloud Kerberos trust.
If you deployed Windows Hello for Business using the *certificate trust model*, and want to use the *cloud Kerberos trust model*, you must redeploy Windows Hello for Business by following these steps:
If you deployed Windows Hello for Business using the certificate trust model, and want to use the cloud Kerberos trust model, you must redeploy Windows Hello for Business by following these steps:
1. Disable the certificate trust policy
1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy)

2
windows/security/identity-protection/remote-credential-guard.md
View File

@ -128,7 +128,7 @@ You must enable Restricted Admin or Windows Defender Remote Credential Guard on
- Add a new DWORD value named **DisableRestrictedAdmin**.
- To turn on Restricted Admin and Windows Defender Remote Credential Guard, set the value of this registry setting to 0 to turn on Windows Defender Remote Credential Guard.
- To turn on Restricted Admin and Windows Defender Remote Credential Guard, set the value of this registry setting to 0.
3. Close Registry Editor.

2
windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
View File

@ -36,7 +36,7 @@ Starting with Windows 10 version 1703, the enablement of BitLocker can be trigge
For hardware that is compliant with Modern Standby and HSTI, when using either of these features, [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) is automatically turned on whenever the user joins a device to Azure AD. Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if necessary. For older devices that aren't yet encrypted, beginning with Windows 10 version 1703, admins can use the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp/) to trigger encryption and store the recovery key in Azure AD. This process and feature is applicable to Azure Hybrid AD as well.
> [!NOTE]
> To manage Bitlocker, except to enable and disable it, one of the following licenses must be assigned to your users:
> To manage Bitlocker via CSP (Configuration Service Provider), except to enable and disable it, regardless of your management platform, one of the following licenses must be assigned to your users:
> - Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, and E5).
> - Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 and A5).

6
windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
View File

@ -35,13 +35,13 @@ Some TPM PCRs are used as checksums of log events. The log events are extended i
To bind the use of a TPM based key to a certain state of the PC, the key can be sealed to an expected set of PCR values. For instance, PCRs 0 through 7 have a well-defined value after the boot process when the OS is loaded. When the hardware, firmware, or boot loader of the machine changes, the change can be detected in the PCR values. Windows uses this capability to make certain cryptographic keys only available at certain times during the boot process. For instance, the BitLocker key can be used at a certain point in the boot, but not before or after.
It is important to note that this binding to PCR values also includes the hashing algorithm used for the PCR. For instance, a key can be bound to a specific value of the SHA-1 PCR\[12\], if using SHA-256 PCR banks, even with the same system configuration. Otherwise, the PCR values will not match.
It is important to note that this binding to PCR values also includes the hashing algorithm used for the PCR. For instance, a key can be bound to a specific value of the SHA-1 PCR\[12\], if using the SHA-256 PCR bank, even with the same system configuration. Otherwise, the PCR values will not match.
## What happens when PCR banks are switched?
When the PCR banks are switched, the algorithm used to compute the hashed values stored in the PCRs during extend operations is changed. Each hash algorithm will return a different cryptographic signature for the same inputs.
As a result, if the currently used PCR bank is switched all keys that have been bound to the previous PCR values will no longer work. For example, if you had a key bound to the SHA-1 value of PCR\[12\] and subsequently changed the PCR banks to SHA-256, the banks wouldnt match, and you would be unable to use that key. The BitLocker key is secured using the PCR banks and Windows will not be able to unseal it if the PCR banks are switched while BitLocker is enabled.
As a result, if the currently used PCR bank is switched all keys that have been bound to the previous PCR values will no longer work. For example, if you had a key bound to the SHA-1 value of PCR\[12\] and subsequently changed the PCR bank to SHA-256, the banks wouldnt match, and you would be unable to use that key. The BitLocker key is secured using the PCR banks and Windows will not be able to unseal it if the PCR banks are switched while BitLocker is enabled.
## What can I do to switch PCRs when BitLocker is already active?
@ -49,7 +49,7 @@ Before switching PCR banks you should suspend or disable BitLocker or have y
## How can I identify which PCR bank is being used?
A TPM can be configured to have multiple PCR banks active. When BIOS is performing measurements it will do so into all active PCR banks, depending on its capability to make these measurements. BIOS may chose to deactivate PCR banks that it does not support or "cap" PCR banks that it does not support by extending a separator. The following registry value identifies which PCR banks are active.
A TPM can be configured to have multiple PCR banks active. When BIOS is performing measurements it will do so into all active PCR banks, depending on its capability to make these measurements. BIOS may choose to deactivate PCR banks that it does not support or "cap" PCR banks that it does not support by extending a separator. The following registry value identifies which PCR banks are active.
- Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IntegrityServices<br>
- DWORD: TPMActivePCRBanks<br>

2
windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md
View File

@ -78,7 +78,7 @@ One of the risks that the UAC feature tries to mitigate is that of malicious pro
### Countermeasure
Configure the **User Account Control: Behavior of the elevation prompt for standard users** to **Automatically deny elevation requests**. This setting requires the user to sign in with an administrative account to run programs that require elevation of privilege. As a security best practice, standard users shouldn't have knowledge of administrative passwords. However, if your users have both standard and administrator-level accounts, we recommend setting **Prompt for credentials** so that the users don't choose to always sign in with their administrator accounts, and they shift their behavior to use the standard user account.
Configure the **User Account Control: Behavior of the elevation prompt for standard users** to **Automatically deny elevation requests**. This setting requires the user to sign in with an administrative account to run programs that require elevation of privilege. As a security best practice, standard users shouldn't have knowledge of administrative passwords. However, if your users have both standard and administrator-level accounts, we recommend setting **Prompt for credentials on the secure desktop** so that the users don't choose to always sign in with their administrator accounts, and they shift their behavior to use the standard user account.
### Potential impact

2
windows/security/threat-protection/windows-defender-application-control/TOC.yml
View File

@ -68,6 +68,8 @@
href: wdac-wizard-create-supplemental-policy.md
- name: Editing a WDAC policy with the Wizard
href: wdac-wizard-editing-policy.md
- name: Creating WDAC Policy Rules from WDAC Events
href: wdac-wizard-parsing-event-logs.md
- name: Merging multiple WDAC policies with the Wizard
href: wdac-wizard-merging-policies.md
- name: WDAC deployment guide

BIN
windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-files-expanded.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 75 KiB

BIN
windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-files.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 41 KiB

BIN
windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-mde-ah-export-expanded.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 165 KiB

BIN
windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-mde-ah-export.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 108 KiB

BIN
windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-mde-ah-parsing-expanded.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 77 KiB

BIN
windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-mde-ah-parsing.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 44 KiB

BIN
windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-system-expanded.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 74 KiB

BIN
windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-system.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 40 KiB

BIN
windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-rule-creation-expanded.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 102 KiB

BIN
windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-rule-creation.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 46 KiB

2691
windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
View File

File diff suppressed because it is too large Load Diff

2
windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md
View File

@ -10,7 +10,7 @@ ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
author: jgeurten
ms.reviewer: isbrahm
ms.reviewer: jsuther1974
ms.author: vinpa
manager: aaroncz
ms.topic: conceptual

141
windows/security/threat-protection/windows-defender-application-control/wdac-wizard-parsing-event-logs.md Normal file
View File

@ -0,0 +1,141 @@
---
title: Windows Defender Application Control Wizard WDAC Event Parsing
description: Creating WDAC policy rules from the WDAC event logs and the MDE Advanced Hunting WDAC events.
keywords: WDAC event parsing, allow listing, block listing, security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
author: jgeurten
ms.reviewer: jsuther1974
ms.author: vinpa
manager: aaroncz
ms.topic: conceptual
ms.date: 02/01/2023
ms.technology: itpro-security
---
# Creating WDAC Policy Rules from WDAC Events in the Wizard
**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016 and above
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
As of [version 2.2.0.0](https://webapp-wdac-wizard.azurewebsites.net/archives.html), the WDAC Wizard supports creating WDAC policy rules from the following event log types:
1. [WDAC event log events on the system](#wdac-event-viewer-log-parsing)
2. [Exported WDAC events (EVTX files) from any system](#wdac-event-log-file-parsing)
3. [Exported WDAC events from MDE Advanced Hunting](#mde-advanced-hunting-wdac-event-parsing)
## WDAC Event Viewer Log Parsing
To create rules from the WDAC event logs on the system:
1. Select **Policy Editor** from the WDAC Wizard main page.
2. Select **Convert Event Log to a WDAC Policy**.
3. Select the **Parse Event Logs** button under the **Parse Event Logs from the System Event Viewer to Policy** header.
The Wizard will parse the relevant audit and block events from the CodeIntegrity (WDAC) Operational and AppLocker MSI and Script logs. You'll see a notification when the Wizard successfully finishes reading the events.
> [!div class="mx-imgBorder"]
> [![Parse WDAC and AppLocker event log system events](images/wdac-wizard-event-log-system.png)](images/wdac-wizard-event-log-system-expanded.png)
4. Select the Next button to view the audit and block events and create rules.
5. [Generate rules from the events](#creating-policy-rules-from-the-events).
## WDAC Event Log File Parsing
To create rules from the WDAC `.EVTX` event logs files on the system:
1. Select **Policy Editor** from the WDAC Wizard main page.
2. Select **Convert Event Log to a WDAC Policy**.
3. Select the **Parse Log File(s)** button under the **Parse Event Log evtx Files to Policy** header.
4. Select the WDAC CodeIntegrity Event log EVTX file(s) from the disk to parse.
The Wizard will parse the relevant audit and block events from the selected log files. You'll see a notification when the Wizard successfully finishes reading the events.
> [!div class="mx-imgBorder"]
> [![Parse evtx file WDAC events](images/wdac-wizard-event-log-files.png)](images/wdac-wizard-event-log-files-expanded.png)
5. Select the Next button to view the audit and block events and create rules.
6. [Generate rules from the events](#creating-policy-rules-from-the-events).
## MDE Advanced Hunting WDAC Event Parsing
To create rules from the WDAC events in [MDE Advanced Hunting](querying-application-control-events-centrally-using-advanced-hunting.md):
1. Navigate to the Advanced Hunting section within the MDE console and query the WDAC events. **The Wizard requires the following fields** in the Advanced Hunting csv file export:
```KQL
| project Timestamp, DeviceId, DeviceName, ActionType, FileName, FolderPath, SHA1, SHA256, IssuerName, IssuerTBSHash, PublisherName, PublisherTBSHash, AuthenticodeHash, PolicyId, PolicyName
```
The following Advanced Hunting query is recommended:
```KQL
DeviceEvents
// Take only WDAC events
| where ActionType startswith 'AppControlCodeIntegrity'
// SigningInfo Fields
| extend IssuerName = parsejson(AdditionalFields).IssuerName
| extend IssuerTBSHash = parsejson(AdditionalFields).IssuerTBSHash
| extend PublisherName = parsejson(AdditionalFields).PublisherName
| extend PublisherTBSHash = parsejson(AdditionalFields).PublisherTBSHash
// Audit/Block Fields
| extend AuthenticodeHash = parsejson(AdditionalFields).AuthenticodeHash
| extend PolicyId = parsejson(AdditionalFields).PolicyID
| extend PolicyName = parsejson(AdditionalFields).PolicyName
// Keep only required fields for the WDAC Wizard
| project Timestamp,DeviceId,DeviceName,ActionType,FileName,FolderPath,SHA1,SHA256,IssuerName,IssuerTBSHash,PublisherName,PublisherTBSHash,AuthenticodeHash,PolicyId,PolicyName
```
2. Export the WDAC event results by selecting the **Export** button in the results view.
> [!div class="mx-imgBorder"]
> [![Export the MDE Advanced Hunting results to CSV](images/wdac-wizard-event-log-mde-ah-export.png)](images/wdac-wizard-event-log-mde-ah-export-expanded.png)
3. Select **Policy Editor** from the WDAC Wizard main page.
4. Select **Convert Event Log to a WDAC Policy**.
5. Select the **Parse Log File(s)** button under the "Parse MDE Advanced Hunting Events to Policy" header.
6. Select the WDAC MDE Advanced Hunting export CSV files from the disk to parse.
The Wizard will parse the relevant audit and block events from the selected Advanced Hunting log files. You'll see a notification when the Wizard successfully finishes reading the events.
> [!div class="mx-imgBorder"]
> [![Parse the Advanced Hunting CSV WDAC event files](images/wdac-wizard-event-log-mde-ah-parsing.png)](images/wdac-wizard-event-log-mde-ah-parsing-expanded.png)
7. Select the Next button to view the audit and block events and create rules.
8. [Generate rules from the events](#creating-policy-rules-from-the-events).
## Creating Policy Rules from the Events
On the "Configure Event Log Rules" page, the unique WDAC log events will be shown in the table. Event Ids, filenames, product names, the policy name that audited or blocked the file, and the file publisher are all shown in the table. The table can be sorted alphabetically by clicking on any of the headers.
To create a rule and add it to the WDAC policy:
1. Select an audit or block event in the table by selecting the row of interest.
2. Select a rule type from the dropdown. The Wizard supports creating Publisher, Path, File Attribute, Packaged App and Hash rules.
3. Select the attributes and fields that should be added to the policy rules using the checkboxes provided for the rule type.
4. Select the **Add Allow Rule** button to add the configured rule to the policy generated by the Wizard. The "Added to policy" label will be added to the selected row confirming that the rule will be generated.
> [!div class="mx-imgBorder"]
> [![Adding a publisher rule to the WDAC policy](images/wdac-wizard-event-rule-creation.png)](images/wdac-wizard-event-rule-creation-expanded.png)
5. Select the **Next** button to output the policy. Once generated, the event log policy should be merged with your base or supplemental policies.
> [!WARNING]
> It is not recommended to deploy the event log policy on its own, as it likely lacks rules to authorize Windows and may cause blue screens.
## Up next
- [Merging Windows Defender Application Control (WDAC) policies using the Wizard](wdac-wizard-merging-policies.md)

169
windows/security/threat-protection/windows-platform-common-criteria.md
View File

@ -2,13 +2,13 @@
title: Common Criteria Certifications
description: This topic details how Microsoft supports the Common Criteria certification program.
ms.prod: windows-client
ms.author: paoloma
author: paolomatarazzo
ms.author: sushmanemali
author: s4sush
manager: aaroncz
ms.topic: article
ms.localizationpriority: medium
ms.date: 11/4/2022
ms.reviewer:
ms.reviewer: paoloma
ms.technology: itpro-security
---
@ -24,12 +24,16 @@ The product releases below are currently certified against the cited *Protection
- The *Administrative Guide* provides guidance on configuring the product to match the evaluated configuration
- The *Certification Report or Validation Report* documents the results of the evaluation by the validation team, with the *Assurance Activity Report* providing details on the evaluator's actions
For more details, expand each product section.
### Windows 11, Windows 10 (version 20H2, 21H1, 21H2), Windows Server, Windows Server 2022, Azure Stack HCIv2 version 21H2, Azure Stack Hub and Edge
<br>
Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients and the Module for Virtual Private Network Clients
<details>
<summary><b> Windows 10, version 2004, Windows Server, version 2004, Windows Server Core Datacenter (Azure Fabric Controller), Windows Server Core Datacenter (Azure Stack)</b></summary>
- [Security Target](https://download.microsoft.com/download/c/5/9/c59832ff-414b-4f15-8273-d0c349a0b154/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Security%20Target%20(21H2%20et%20al).pdf)
- [Administrative Guide](https://download.microsoft.com/download/9/1/7/9178ce6a-8117-42e7-be0d-186fc4a89ca6/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Administrative%20Guide%20(21H2%20et%20al).pdf)
- [Assurance Activity Report](https://download.microsoft.com/download/4/1/6/416151fe-63e7-48c0-a485-1d87148c71fe/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Assurance%20Activity%20Report%20(21H2%20et%20al).pdf)
- [Validation Report](https://download.microsoft.com/download/e/3/7/e374af1a-3c5d-42ee-8e19-df47d2c0e3d6/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Validation%20Report%20(21H2%20et%20al).pdf)
### Windows 10, version 2004, Windows Server, version 2004, Windows Server Core Datacenter (Azure Fabric Controller), Windows Server Core Datacenter (Azure Stack)
Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients and the Module for Virtual Private Network Clients
@ -38,10 +42,7 @@ Certified against the Protection Profile for General Purpose Operating Systems,
- [Validation Report](https://download.microsoft.com/download/1/c/b/1cb65e32-f87d-41dd-bc29-88dc943fad9d/Windows%2010%202004%20GP%20OS%20Validation%20Reports.pdf)
- [Assurance Activity Report](https://download.microsoft.com/download/3/2/4/324562b6-0917-4708-8f9d-8d2d12859839/Windows%2010%202004%20GP%20OS%20Assurance%20Activity%20Report-Public%20.pdf)
</details>
<details>
<summary><b> Windows 10, version 1909, Windows Server, version 1909, Windows Server 2019, version 1809 Hyper-V</b></summary>
### Windows 10, version 1909, Windows Server, version 1909, Windows Server 2019, version 1809 Hyper-V
Certified against the Protection Profile for Virtualization, including the Extended Package for Server Virtualization.
@ -50,10 +51,7 @@ Certified against the Protection Profile for Virtualization, including the Exten
- [Validation Report](https://download.microsoft.com/download/4/7/6/476ca991-631d-4943-aa89-b0cd4f448d14/Windows%20+%20Windows%20Server%201909,%20Windows%20Server%202019%20Hyper-V%20Validation%20Report.pdf)
- [Assurance Activities Report](https://download.microsoft.com/download/3/b/4/3b4818d8-62a1-4b8d-8cb4-9b3256564355/Windows%20+%20Windows%20Server%201909,%20Windows%20Server%202019%20Hyper-V%20Assurance%20Activity%20Report.pdf)
</details>
<details>
<summary><b> Windows 10, version 1909, Windows Server, version 1909</b></summary>
### Windows 10, version 1909, Windows Server, version 1909
Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients and the Module for Virtual Private Network Clients.</b></summary>
@ -62,10 +60,7 @@ Certified against the Protection Profile for General Purpose Operating Systems,
- [Certification Report](https://download.microsoft.com/download/9/f/3/9f350b73-1790-4dcb-97f7-a0e65a00b55f/Windows%2010%201909%20GP%20OS%20Certification%20Report.pdf)
- [Assurance Activity Report](https://download.microsoft.com/download/0/0/d/00d26b48-a051-4e9a-8036-850d825f8ef9/Windows%2010%201909%20GP%20OS%20Assurance%20Activity%20Report.pdf)
</details>
<details>
<summary><b> Windows 10, version 1903, Windows Server, version 1903</b></summary>
### Windows 10, version 1903, Windows Server, version 1903
Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients.</b></summary>
@ -74,10 +69,7 @@ Certified against the Protection Profile for General Purpose Operating Systems,
- [Certification Report](https://download.microsoft.com/download/2/1/9/219909ad-2f2a-44cc-8fcb-126f28c74d36/Windows%2010%201903%20GP%20OS%20Certification%20Report.pdf)
- [Assurance Activity Report](https://download.microsoft.com/download/2/a/1/2a103b68-cd12-4476-8945-873746b5f432/Windows%2010%201903%20GP%20OS%20Assurance%20Activity%20Report.pdf)
</details>
<details>
<summary><b> Windows 10, version 1809, Windows Server, version 1809</b></summary>
### Windows 10, version 1809, Windows Server, version 1809
Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients.
@ -86,10 +78,7 @@ Certified against the Protection Profile for General Purpose Operating Systems,
- [Certification Report](https://download.microsoft.com/download/9/4/0/940ac551-7757-486d-9da1-7aa0300ebac0/Windows%2010%20version%201809%20GP%20OS%20Certification%20Report%20-%202018-61-INF-2795.pdf)
- [Assurance Activity Report](https://download.microsoft.com/download/a/6/6/a66bfcf1-f6ef-4991-ab06-5b1c01f91983/Windows%2010%201809%20GP%20OS%20Assurance%20Activity%20Report.pdf)
</details>
<details>
<summary><b> Windows 10, version 1803, Windows Server, version 1803</b></summary>
### Windows 10, version 1803, Windows Server, version 1803
Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients.
@ -98,10 +87,7 @@ Certified against the Protection Profile for General Purpose Operating Systems,
- [Certification Report](https://download.microsoft.com/download/6/7/1/67167BF2-885D-4646-A61E-96A0024B52BB/Windows%2010%201803%20GP%20OS%20Certification%20Report.pdf)
- [Assurance Activity Report](https://download.microsoft.com/download/b/3/d/b3da41b6-6ebc-4a26-a581-2d2ad8d8d1ac/Windows%2010%201803%20GP%20OS%20Assurance%20Activity%20Report.pdf)
</details>
<details>
<summary><b> Windows 10, version 1709, Windows Server, version 1709</b></summary>
### Windows 10, version 1709, Windows Server, version 1709
Certified against the Protection Profile for General Purpose Operating Systems.
@ -110,10 +96,7 @@ Certified against the Protection Profile for General Purpose Operating Systems.
- [Certification Report](https://download.microsoft.com/download/2/C/2/2C20D013-0610-4047-B2FA-516819DFAE0A/Windows%2010%201709%20GP%20OS%20Certification%20Report.pdf)
- [Assurance Activity Report](https://download.microsoft.com/download/e/7/6/e7644e3c-1e59-4754-b071-aec491c71849/Windows%2010%201709%20GP%20OS%20Assurance%20Activity%20Report.pdf)
</details>
<details>
<summary><b> Windows 10, version 1703, Windows Server, version 1703</b></summary>
### Windows 10, version 1703, Windows Server, version 1703
Certified against the Protection Profile for General Purpose Operating Systems.
@ -122,10 +105,7 @@ Certified against the Protection Profile for General Purpose Operating Systems.
- [Certification Report](https://download.microsoft.com/download/3/2/c/32cdf627-dd23-4266-90ff-2f9685fd15c0/2017-49%20inf-2218%20cr.pdf)
- [Assurance Activity Report](https://download.microsoft.com/download/a/e/9/ae9a2235-e1cd-4869-964d-c8260f604367/Windows%2010%201703%20GP%20OS%20Assurance%20Activity%20Report.pdf)
</details>
<details>
<summary><b> Windows 10, version 1607, Windows Server 2016</b></summary>
### Windows 10, version 1607, Windows Server 2016
Certified against the Protection Profile for General Purpose Operating Systems.
@ -134,10 +114,7 @@ Certified against the Protection Profile for General Purpose Operating Systems.
- [Validation Report](https://download.microsoft.com/download/5/4/8/548cc06e-c671-4502-bebf-20d38e49b731/2016-36-inf-1779.pdf)
- [Assurance Activity Report](https://download.microsoft.com/download/a/5/f/a5f08a43-75f9-4433-bd77-aeb14276e587/Windows%2010%201607%20GP%20OS%20Assurance%20Activity%20Report.pdf)
</details>
<details>
<summary><b> Windows 10, version 1507, Windows Server 2012 R2</b></summary>
### Windows 10, version 1507, Windows Server 2012 R2
Certified against the Protection Profile for General Purpose Operating Systems.
@ -146,8 +123,6 @@ Certified against the Protection Profile for General Purpose Operating Systems.
- [Certification Report](https://www.commoncriteriaportal.org/files/epfiles/cr_windows10.pdf)
- [Assurance Activity Report](https://download.microsoft.com/download/7/e/5/7e5575c9-10f9-4f3d-9871-bd7cf7422e3b/Windows%2010%20(1507),%20Windows%20Server%202012%20R2%20GPOS%20Assurance%20Activity%20Report.pdf)
</details>
## Archived certified products
The product releases below were certified against the cited *Protection Profile* and are now archived, as listed on the [Common Criteria Portal](https://www.commoncriteriaportal.org/products/index.cfm?archived=1):
@ -156,12 +131,7 @@ The product releases below were certified against the cited *Protection Profile*
- The *Administrative Guide* provides guidance on configuring the product to match the evaluated configuration
- The *Certification Report or Validation Report* documents the results of the evaluation by the validation team, with the *Assurance Activity Report* providing details on the evaluator's actions
For more details, expand each product section.
<br>
<details>
<summary><b> Windows Server 2016, Windows Server 2012 R2, Windows 10</b></summary>
### Windows Server 2016, Windows Server 2012 R2, Windows 10
Certified against the Protection Profile for Server Virtualization.
@ -170,10 +140,7 @@ Certified against the Protection Profile for Server Virtualization.
- [Validation Report](https://download.microsoft.com/download/a/3/3/a336f881-4ac9-4c79-8202-95289f86bb7a/st_vid10823-vr.pdf)
- [Assurance Activity Report](https://download.microsoft.com/download/3/f/c/3fcc76e1-d471-4b44-9a19-29e69b6ab899/Windows%2010%20Hyper-V,%20Server%202016,%20Server%202012%20R2%20Virtualization%20Assurance%20Activity%20Report.pdf)
</details>
<details>
<summary><b> Windows 10, version 1607, Windows 10 Mobile, version 1607</b></summary>
### Windows 10, version 1607, Windows 10 Mobile, version 1607
Certified against the Protection Profile for Mobile Device Fundamentals.
@ -182,10 +149,7 @@ Certified against the Protection Profile for Mobile Device Fundamentals.
- [Validation Report](https://download.microsoft.com/download/f/2/f/f2f7176e-34f4-4ab0-993c-6606d207bb3c/st_vid10752-vr.pdf)
- [Assurance Activity Report](https://download.microsoft.com/download/9/3/9/939b44a8-5755-4d4c-b020-d5e8b89690ab/Windows%2010%20and%20Windows%2010%20Mobile%201607%20MDF%20Assurance%20Activity%20Report.pdf)
</details>
<details>
<summary><b> Windows 10, version 1607, Windows Server 2016</b></summary>
### Windows 10, version 1607, Windows Server 2016
Certified against the Protection Profile for IPsec Virtual Private Network (VPN) Clients.
@ -194,10 +158,7 @@ Certified against the Protection Profile for IPsec Virtual Private Network (VPN)
- [Validation Report](https://download.microsoft.com/download/2/0/a/20a8e686-3cd9-43c4-a22a-54b552a9788a/st_vid10753-vr.pdf)
- [Assurance Activity Report](https://download.microsoft.com/download/b/8/d/b8ddc36a-408a-4d64-a31c-d41c9c1e9d9e/Windows%2010%201607,%20Windows%20Server%202016%20IPsec%20VPN%20Client%20Assurance%20Activity%20Report.pdf)
</details>
<details>
<summary><b> Windows 10, version 1511</b></summary>
### Windows 10, version 1511
Certified against the Protection Profile for Mobile Device Fundamentals.
@ -206,10 +167,7 @@ Certified against the Protection Profile for Mobile Device Fundamentals.
- [Validation Report](https://download.microsoft.com/download/d/c/b/dcb7097d-1b9f-4786-bb07-3c169fefb579/st_vid10715-vr.pdf)
- [Assurance Activity Report](https://download.microsoft.com/download/1/f/1/1f12ed80-6d73-4a16-806f-d5116814bd7c/Windows%2010%20November%202015%20Update%20(1511)%20MDF%20Assurance%20Activity%20Report.pdf)
</details>
<details>
<summary><b> Windows 10, version 1507, Windows 10 Mobile, version 1507</b></summary>
### Windows 10, version 1507, Windows 10 Mobile, version 1507
Certified against the Protection Profile for Mobile Device Fundamentals.
@ -218,10 +176,7 @@ Certified against the Protection Profile for Mobile Device Fundamentals.
- [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10694-vr.pdf)
- [Assurance Activity Report](https://download.microsoft.com/download/a/1/3/a1365491-0a53-42cd-bd73-ca4067c43d86/Windows%2010,%20Windows%2010%20Mobile%20(1507)%20MDF%20Assurance%20Activity%20Report.pdf)
</details>
<details>
<summary><b> Windows 10, version 1507</b></summary>
### Windows 10, version 1507
Certified against the Protection Profile for IPsec Virtual Private Network (VPN) Clients.
@ -230,10 +185,7 @@ Certified against the Protection Profile for IPsec Virtual Private Network (VPN)
- [Validation Report](https://download.microsoft.com/download/9/b/6/9b633763-6078-48aa-b9ba-960da2172a11/st_vid10746-vr.pdf)
- [Assurance Activity Report](https://download.microsoft.com/download/9/3/6/93630ffb-5c06-4fea-af36-164da3e359c9/Windows%2010%20IPsec%20VPN%20Client%20Assurance%20Activity%20Report.pdf)
</details>
<details>
<summary><b> Windows 8.1 with Surface 3, Windows Phone 8.1 with Lumia 635 and Lumia 830</b></summary>
### Windows 8.1 with Surface 3, Windows Phone 8.1 with Lumia 635 and Lumia 830
Certified against the Protection Profile for Mobile Device Fundamentals.
@ -241,10 +193,7 @@ Certified against the Protection Profile for Mobile Device Fundamentals.
- [Administrative Guide](https://download.microsoft.com/download/b/e/3/be365594-daa5-4af3-a6b5-9533d61eae32/surface%20pro%203%20mobile%20operational%20guidance.docx)
- [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10635-vr.pdf)
</details>
<details>
<summary><b> Surface Pro 3, Windows 8.1</b></summary>
### Surface Pro 3, Windows 8.1
Certified against the Protection Profile for Mobile Device Fundamentals.
@ -252,10 +201,7 @@ Certified against the Protection Profile for Mobile Device Fundamentals.
- [Administrative Guide](https://download.microsoft.com/download/b/e/3/be365594-daa5-4af3-a6b5-9533d61eae32/surface%20pro%203%20mobile%20operational%20guidance.docx)
- [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10632-vr.pdf)
</details>
<details>
<summary><b> Windows 8.1, Windows Phone 8.1</b></summary>
### Windows 8.1, Windows Phone 8.1
Certified against the Protection Profile for Mobile Device Fundamentals.
@ -263,10 +209,7 @@ Certified against the Protection Profile for Mobile Device Fundamentals.
- [Administrative Guide](https://download.microsoft.com/download/b/0/e/b0e30225-5017-4241-ac0a-6c40bc8e6714/mobile%20operational%20guidance.docx)
- [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10592-vr.pdf)
</details>
<details>
<summary><b> Windows 8, Windows Server 2012</b></summary>
### Windows 8, Windows Server 2012
Certified against the Protection Profile for General Purpose Operating Systems.
@ -274,10 +217,7 @@ Certified against the Protection Profile for General Purpose Operating Systems.
- [Administrative Guide](https://download.microsoft.com/download/6/0/b/60b27ded-705a-4751-8e9f-642e635c3cf3/microsoft%20windows%208%20windows%20server%202012%20common%20criteria%20supplemental%20admin%20guidance.docx)
- [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10520-vr.pdf)
</details>
<details>
<summary><b> Windows 8, Windows RT</b></summary>
### Windows 8, Windows RT
Certified against the Protection Profile for General Purpose Operating Systems.
@ -285,10 +225,7 @@ Certified against the Protection Profile for General Purpose Operating Systems.
- [Administrative Guide](https://download.microsoft.com/download/8/6/e/86e8c001-8556-4949-90cf-f5beac918026/microsoft%20windows%208%20microsoft%20windows%20rt%20common%20criteria%20supplemental%20admin.docx)
- [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10620-vr.pdf)
</details>
<details>
<summary><b> Windows 8, Windows Server 2012 BitLocker</b></summary>
### Windows 8, Windows Server 2012 BitLocker
Certified against the Protection Profile for Full Disk Encryption.
@ -296,10 +233,7 @@ Certified against the Protection Profile for Full Disk Encryption.
- [Administrative Guide](https://download.microsoft.com/download/0/8/4/08468080-540b-4326-91bf-f2a33b7e1764/administrative%20guidance%20for%20software%20full%20disk%20encryption%20clients.pdf)
- [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10540-vr.pdf)
</details>
<details>
<summary><b> Windows 8, Windows RT, Windows Server 2012 IPsec VPN Client</b></summary>
### Windows 8, Windows RT, Windows Server 2012 IPsec VPN Client
Certified against the Protection Profile for IPsec Virtual Private Network (VPN) Clients.
@ -307,10 +241,7 @@ Certified against the Protection Profile for IPsec Virtual Private Network (VPN)
- [Administrative Guide](https://download.microsoft.com/download/a/9/f/a9fd7e2d-023b-4925-a62f-58a7f1a6bd47/microsoft%20windows%208%20windows%20server%202012%20supplemental%20admin%20guidance%20ipsec%20vpn%20client.docx)
- [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10529-vr.pdf)
</details>
<details>
<summary><b> Windows 7, Windows Server 2008 R2</b></summary>
### Windows 7, Windows Server 2008 R2
Certified against the Protection Profile for General Purpose Operating Systems.
@ -318,46 +249,31 @@ Certified against the Protection Profile for General Purpose Operating Systems.
- [Administrative Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=ee05b6d0-9939-4765-9217-63083bb94a00)
- [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10390-vr.pdf)
</details>
<details>
<summary><b> Microsoft Windows Server 2008 R2 Hyper-V Role</b></summary>
### Microsoft Windows Server 2008 R2 Hyper-V Role
- [Security Target](https://www.microsoft.com/download/en/details.aspx?id=29305)
- [Administrative Guide](https://www.microsoft.com/download/en/details.aspx?id=29308)
- [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/0570a_pdf.pdf)
</details>
<details>
<summary><b> Windows Vista, Windows Server 2008 at EAL4+</b></summary>
### Windows Vista, Windows Server 2008 at EAL4+
- [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid10291-st.pdf)
- [Administrative Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=06166288-24c4-4c42-9daa-2b2473ddf567)
- [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10291-vr.pdf)
</details>
<details>
<summary><b> Windows Vista, Windows Server 2008 at EAL1</b></summary>
### Windows Vista, Windows Server 2008 at EAL1
- [Security Target](https://www.commoncriteriaportal.org/files/epfiles/efs-t005_msvista_msserver2008_eal1_st_v1.0.pdf)
- [Administrative Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=06166288-24c4-4c42-9daa-2b2473ddf567)
- [Certification Report](https://www.commoncriteriaportal.org/files/epfiles/efs-t005_msvista_msserver2008_eal1_cr_v1.0.pdf)
</details>
<details>
<summary><b> Microsoft Windows Server 2008 Hyper-V Role</b></summary>
### Microsoft Windows Server 2008 Hyper-V Role
- [Security Target](https://www.commoncriteriaportal.org/files/epfiles/0570b_pdf.pdf)
- [Administrative Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=cb19538d-9e13-4ab6-af38-8f48abfdad08)
- [Certification Report](http://www.commoncriteriaportal.org:80/files/epfiles/0570a_pdf.pdf)
</details>
<details>
<summary><b> Windows Server 2003 Certificate Server</b></summary>
### Windows Server 2003 Certificate Server
- [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid9507-st.pdf)
- [Administrator's Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=445093d8-45e2-4cf6-884c-8802c1e6cb2d)
@ -366,12 +282,7 @@ Certified against the Protection Profile for General Purpose Operating Systems.
- [Evaluation Technical Report](https://www.microsoft.com/downloads/details.aspx?familyid=a594e77f-dcbb-4787-9d68-e4689e60a314)
- [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid9507-vr.pdf)
</details>
<details>
<summary><b> Windows Rights Management Services</b></summary>
### Windows Rights Management Services
- [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid10224-st.pdf)
- [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10224-vr.pdf)
</details>

3
windows/whats-new/docfx.json
View File

@ -34,6 +34,9 @@
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"ms.collection": [
"tier2"
],
"breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",
"ms.topic": "article",