Merge branch 'main' into repo_sync_working_branch

Angela Fleischmann
2023-06-05 17:41:31 -06:00
committed by GitHub
74 changed files with 1061 additions and 1283 deletions


@ -5441,8 +5441,8 @@
"redirect_document_id": false
},
{
"source_path": "windows/device-security/bitlocker/bitlocker-overview.md",
"redirect_url": "/windows/security/information-protection/bitlocker/bitlocker-overview",
"source_path": "windows/device-security/bitlocker/index.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/index",
"redirect_document_id": false
},
{
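Review bot: the replaced entry changes `source_path` as well as `redirect_url`, from `windows/device-security/bitlocker/bitlocker-overview.md` to `windows/device-security/bitlocker/index.md`. Only the target needed to move; with the source renamed, the old `bitlocker-overview` path no longer has an entry in this hunk, and it is not clear an `index.md` ever existed at that location. Keep the original `source_path` and update only `redirect_url`.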
@ -9836,8 +9836,8 @@
"redirect_document_id": false
},
{
"source_path": "windows/keep-secure/bitlocker-overview.md",
"redirect_url": "/windows/device-security/bitlocker/bitlocker-overview",
"source_path": "windows/keep-secure/index.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/index",
"redirect_document_id": false
},
{
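Review bot: `"source_path": "windows/keep-secure/index.md"` now sends the landing page of the whole `keep-secure` folder to the BitLocker index, which looks like a find-and-replace of `bitlocker-overview` with `index` that also hit the source side. Restore `windows/keep-secure/bitlocker-overview.md` as the source and, if `windows/keep-secure/index.md` needs a redirect at all, give it its own entry with a non-BitLocker target.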
@ -21504,6 +21504,191 @@
"source_path": "windows/security/apps.md",
"redirect_url": "/windows/security/application-security",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/encrypted-hard-drive.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/encrypted-hard-drive",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bcd-settings-and-bitlocker",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-basic-deployment",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/bitlocker/bitlocker-countermeasures.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-countermeasures",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-deployment-comparison",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-device-encryption-overview-windows-10",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-group-policy-settings",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-enable-network-unlock",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-management-for-enterprises",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-recovery-guide-plan",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/configure-pde-in-intune",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-arso.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-arso",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-hibernation.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-hibernation",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-memory-dumps.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-memory-dumps",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-password-connected-standby.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-password-connected-standby",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-wer.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-wer",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-enable-pde.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-enable-pde",
"redirect_document_id": false
},
{
"source_path": "windows/security/encryption-data-protection.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/index",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/personal-data-encryption/faq-pde.yml",
"redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/faq-pde",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml",
"redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-and-adds-faq",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml",
"redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-deployment-and-administration-faq",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/bitlocker/bitlocker-frequently-asked-question.yml",
"redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-frequently-asked-question",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/bitlocker/bitlocker-key-management-faq.yml",
"redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-key-management-faq",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml",
"redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-network-unlock-faq",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml",
"redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-overview-and-requirements-faq",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/bitlocker/bitlocker-security-faq.yml",
"redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-security-faq",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/bitlocker/bitlocker-to-go-faq.yml",
"redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-to-go-faq",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.yml",
"redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-upgrading-faq",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml",
"redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-using-with-other-programs-faq",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml",
"redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-frequently-asked-questions",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/bitlocker/bitlocker-overview.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/index",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/personal-data-encryption/overview-pde.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/index",
"redirect_document_id": false
}
]
}
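Review bot: two of the added entries differ only by a trailing "s" in `source_path`, `bitlocker-frequently-asked-question.yml` and `bitlocker-frequently-asked-questions.yml`, and each redirects to a different target under the new `data-protection/bitlocker` folder. If only one of those source files ever existed, drop the other entry, and confirm that both target pages are published so neither redirect ends on a missing page.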


@ -2,24 +2,10 @@
## Week of May 29, 2023
| Published On |Topic title | Change |
|------|------------|--------|
| 4/11/2023 | [Configure federated sign-in for Windows devices](/education/windows/federated-sign-in) | modified |
## Week of March 20, 2023
| Published On |Topic title | Change |
|------|------------|--------|
| 3/21/2023 | [Windows 11 SE Overview](/education/windows/windows-11-se-overview) | modified |
| 3/22/2023 | [Configure Stickers for Windows 11 SE](/education/windows/edu-stickers) | modified |
| 3/22/2023 | [Configure Take a Test in kiosk mode](/education/windows/edu-take-a-test-kiosk-mode) | modified |
| 3/22/2023 | [Configure federated sign-in for Windows devices](/education/windows/federated-sign-in) | modified |
| 3/22/2023 | [Reset devices with Autopilot Reset](/education/windows/autopilot-reset) | modified |
| 3/22/2023 | [Deploy Windows 10 in a school district (Windows 10)](/education/windows/deploy-windows-10-in-a-school-district) | modified |
| 3/22/2023 | [Deploy Windows 10 in a school (Windows 10)](/education/windows/deploy-windows-10-in-a-school) | modified |
|------|------------|--------|
| 5/30/2023 | [Windows 11 SE Overview](/education/windows/windows-11-se-overview) | modified |


@ -138,8 +138,8 @@ The following applications can also run on Windows 11 SE, and can be deployed us
| `NextUp Talker` | 1.0.49 | Win32 | `NextUp Technologies` |
| `NonVisual Desktop Access` | 2021.3.1 | Win32 | `NV Access` |
| `NWEA Secure Testing Browser` | 5.4.356.0 | Win32 | `NWEA` |
| `PC Talker NEO` | 2209 | Win32 | `Kochi System Development` |
| `PC Talker NEO Plus` | 2209 | Win32 | `Kochi System Development` |
| `PC Talker Neo` | 2209 | Win32 | `Kochi System Development` |
| `PC Talker Neo Plus` | 2209 | Win32 | `Kochi System Development` |
| `PaperCut` | 22.0.6 | Win32 | `PaperCut Software International Pty Ltd` |
| `Pearson TestNav` | 1.11.3 | `Store` | `Pearson` |
| `Questar Secure Browser` | 5.0.1.456 | Win32 | `Questar, Inc` |


@ -4,7 +4,7 @@ description: Use the Windows PowerShell Get-AppxProvisionedPackage command to ge
author: nicholasswhite
ms.author: nwhite
manager: aaroncz
ms.date: 01/12/2023
ms.date: 06/05/2023
ms.topic: article
ms.prod: windows-client
ms.technology: itpro-apps
@ -47,17 +47,47 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
- Supported versions:
---
| Uninstall through UI? | 22H2| 21H1 | 20H2 |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ✔️ | ✔️ | ✔️ ||
| ✔️ | ✔️ | ✔️ | ✔️️|
---
- [Bing Weather](ms-windows-store://pdp/?PFN=Microsoft.BingWeather_8wekyb3d8bbwe) | Package name: Microsoft.BingWeather
- [Clipchamp](ms-windows-store://pdp/?ProductId=9P1J8S7CCWWT) | Package name: Clipchamp.Clipchamp
- Supported versions:
---
| Uninstall through UI? | 22H2| 21H1 | 20H2 |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ✔️ | ✔️ | ✔️ | ❌️|
---
- [Cortana](ms-windows-store://pdp/?PFN=Microsoft.549981C3f5f10_8wekyb3d8bbwe) | Package name: Microsoft.549981C3f5f10
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️️|
---
- [Microsoft News](ms-windows-store://pdp/?PFN=Microsoft.BingNews_8wekyb3d8bbwe) | Package name: Microsoft.BingNews
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ✔️ | ✔️ | ✔️ | ✔️️|
---
- [MSN Weather](ms-windows-store://pdp/?PFN=Microsoft.BingWeather_8wekyb3d8bbwe) | Package name: Microsoft.BingWeather
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ✔️ | ✔️ | ✔️ | ✔️️|
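Review bot: the new table heading `| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |` puts an update identifier next to two release names without saying which release the update applies to, and the same heading is repeated in every table in this file. Add one sentence above the list explaining what the `KB5026446` column covers, or label the column with the release it belongs to, so a reader can tell the three columns apart.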
@ -67,17 +97,27 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
- Supported versions:
---
| Uninstall through UI? | 22H2| 21H1 | 20H2 |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| Use Settings App | ✔️ | ✔️ | ✔️|
---
- [Xbox App](ms-windows-store://pdp/?PFN=Microsoft.GamingApp_8wekyb3d8bbwe) | Package name: Microsoft.GamingApp
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ✔️ | ✔️ | ✔️ | ✔️️|
---
- [Get Help](ms-windows-store://pdp/?PFN=Microsoft.Gethelp_8wekyb3d8bbwe) | Package name: Microsoft.GetHelp
- Supported versions:
---
| Uninstall through UI? |22H2| 21H1 | 20H2 |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
|---| --- | --- | --- |
| ❌ | ✔️| ✔️| ✔️|
@ -87,7 +127,7 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
- Supported versions:
---
| Uninstall through UI? |22H2| 21H1 | 20H2 |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️| ✔️|
@ -97,7 +137,7 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
- Supported versions:
---
| Uninstall through UI? |22H2| 21H1 | 20H2 |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️| ✔️| ✔️|
@ -107,39 +147,49 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
- Supported versions:
---
| Uninstall through UI? |22H2| 21H1 | 20H2 |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️|||
| ✔️ | ✔️| ✔️| ✔️|
---
>[!NOTE]
>For devices running Windows 11, version 21H2, and any supported version of Windows 10, you need to acquire the [HEVC Video Extensions](ms-windows-store://pdp/?productid=9NMZLZ57R3T7) from the Microsoft Store.
- [Microsoft Edge](ms-windows-store://pdp/?productid=XPFFTQ037JWMHS) | Package name:Microsoft.MicrosoftEdge.Stable
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
---
- [Microsoft Messaging](ms-windows-store://pdp/?PFN=Microsoft.Messaging_8wekyb3d8bbwe) | Package name:Microsoft.Messaging
- Supported versions:
---
| Uninstall through UI? |22H2| 21H1 | 20H2 |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
| ✔️ | ✔️ | ✔️ | ✔️|
---
- [Microsoft 3D Viewer](ms-windows-store://pdp/?PFN=Microsoft.Microsoft3DViewer_8wekyb3d8bbwe) | Package name: Microsoft.Microsoft3DViewer
- [3D Viewer](ms-windows-store://pdp/?PFN=Microsoft.Microsoft3DViewer_8wekyb3d8bbwe) | Package name: Microsoft.Microsoft3DViewer
- Supported versions:
---
| Uninstall through UI? |22H2| 21H1 | 20H2 |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
| ✔️ | ✔️ | ✔️ | ✔️|
---
- [Office](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe) | Package name: Microsoft.MicrosoftOfficeHub
- [Microsoft 365 (Office)](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe) | Package name: Microsoft.MicrosoftOfficeHub
- Supported versions:
---
| Uninstall through UI? | 22H2| 21H1 | 20H2 |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ✔️ | ✔️ | ✔️ | ✔️️|
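Review bot: the added Microsoft Edge bullet reads `Package name:Microsoft.MicrosoftEdge.Stable` with no space after the colon, while the other bullets added in this hunk use `Package name: ` with a space. Add the space here, and fix the neighbouring `Package name:Microsoft.Messaging` line at the same time so the list is uniform.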
@ -149,7 +199,7 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
- Supported versions:
---
| Uninstall through UI? | 22H2| 21H1 | 20H2 |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ✔️ | ✔️ | ✔️ | ✔️️|
@ -159,9 +209,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
- Supported versions:
---
| Uninstall through UI? |22H2| 21H1 | 20H2 |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
| ✔️ | ✔️ | ✔️ | ✔️|
---
@ -169,19 +219,19 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
- Supported versions:
---
| Uninstall through UI? |22H2| 21H1 | 20H2 |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
| ✔️ | ✔️ | ✔️ | ✔️|
---
- [Paint 3D](ms-windows-store://pdp/?PFN=Microsoft.MSPaint_8wekyb3d8bbwe) | Package name: Microsoft.MSPaint
- [MPEG2 Video Extension](ms-windows-store://pdp/?PFN=Microsoft.MPEG2VideoExtension_8wekyb3d8bbwe) | Package name: Microsoft.MPEG2VideoExtension
- Supported versions:
---
| Uninstall through UI? |22H2| 21H1 | 20H2 |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
| ✔️ | ✔️ | ✔️ | ✔️|
---
@ -189,9 +239,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
- Supported versions:
---
| Uninstall through UI? | 22H2| 21H1 | 20H2 |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ✔️ | ✔️ | ✔️ | ✔️️|
| ✔️ | | ✔️ | ✔️️|
---
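Review bot: the replacement row `| ✔️ | | ✔️ | ✔️️|` leaves the second cell, under `KB5026446`, empty, where the row it replaces had a tick in every column. Elsewhere in this file the change fills previously empty cells, so an empty one here reads as an omission. Put an explicit ✔️ or ❌ in that cell.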
@ -201,25 +251,45 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
---
| Uninstall through UI? |22H2| 21H1 | 20H2 |
| --- | --- | --- | --- |
| ✔️ | ✔️ | ✔️ | ✔️|
---
- OneDrive Sync | Package name: Microsoft.OneDriveSync
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
---
- Microsoft.Outlook.DesktopIntegrationServices
- Outlook Desktop Integration | Package name: Microsoft.OutlookDesktopIntegrationServices
- Supported versions:
---
| Uninstall through UI? |22H2| 21H1 | 20H2 |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
| ✔️ | ✔️ | ✔️ | ✔️|
---
- [Microsoft People](ms-windows-store://pdp/?PFN=Microsoft.People_8wekyb3d8bbwe) | Package name: Microsoft.People
- [Paint](ms-windows-store://pdp/?PFN=Microsoft.paint_8wekyb3d8bbwe) | Package name: Microsoft.Paint
- Supported versions:
---
| Uninstall through UI? |22H2| 21H1 | 20H2 |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ✔️ | ✔️ | ✔️ | ✔️|
---
- [People](ms-windows-store://pdp/?PFN=Microsoft.people_8wekyb3d8bbwe) | Package name: Microsoft.People
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
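Review bot: the first table in this hunk still carries the old heading `| Uninstall through UI? |22H2| 21H1 | 20H2 |` with no replacement line, so it is now the odd one out among tables that all use `KB5026446 | 22H2 | 21H2`. Update that heading too. Separately, the Outlook entry changes the package name from `Microsoft.Outlook.DesktopIntegrationServices` to `Microsoft.OutlookDesktopIntegrationServices`; confirm the dotless form against `Get-AppxProvisionedPackage` output, since admins copy these names into removal scripts.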
@ -229,57 +299,78 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
- Supported versions:
---
| Uninstall through UI? |22H2| 21H1 | 20H2 |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ❌ | ✔️ | ✔️|
---
- [Raw Image Extension](ms-windows-store://pdp/?PFN=Microsoft.RawImageExtension_8wekyb3d8bbwe) | Package name: Microsoft.RawImageExtension
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
---
- [Snip & Sketch](ms-windows-store://pdp/?PFN=Microsoft.ScreenSketch_8wekyb3d8bbwe) | Package name: Microsoft.ScreenSketch
- [Snipping Tool](ms-windows-store://pdp/?PFN=Microsoft.ScreenSketch_8wekyb3d8bbwe) | Package name: Microsoft.ScreenSketch
- Supported versions:
---
| Uninstall through UI? |22H2| 21H1 | 20H2 |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ✔️ | ✔️ | ✔️ | ✔️|
---
- Store Purchase App | Package name: Microsoft.StorePurchaseApp
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
---
- [Skype](ms-windows-store://pdp/?PFN=Microsoft.SkypeApp_kzf8qxf38zg5c) | Package name: Microsoft.SkypeApp
- [Microsoft To Do](ms-windows-store://pdp/?PFN=Microsoft.ToDos_8wekyb3d8bbwe) | Package name: Microsoft.ToDos
- Supported versions:
---
| Uninstall through UI? |22H2| 21H1 | 20H2 |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ✔️ | ✔️ | ✔️ | ✔️|
---
- UI.Xaml | Package name: Microsoft.UI.Xaml
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
---
- [Store Purchase App](ms-windows-store://pdp/?PFN=Microsoft.StorePurchaseApp_8wekyb3d8bbwe) | Package name: Microsoft.StorePurchaseApp
- VCLibs | Package name: Microsoft.VCLibs
- Supported versions:
---
| Uninstall through UI? |22H2| 21H1 | 20H2 |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
---
- Microsoft.VP9VideoExtensions
- [VP9 Video Extensions](ms-windows-store://pdp/?PFN=Microsoft.VP9VideoExtensions_8wekyb3d8bbwe) | Microsoft.VP9VideoExtensions
- Supported versions:
---
| Uninstall through UI? |22H2| 21H1 | 20H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
---
- [Microsoft Pay](ms-windows-store://pdp/?PFN=Microsoft.Wallet_8wekyb3d8bbwe) | Package name: Microsoft.Wallet
- Supported versions:
---
| Uninstall through UI? |22H2| 21H1 | 20H2 |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
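Review bot: the new VP9 bullet ends in `| Microsoft.VP9VideoExtensions` without the `Package name:` label that every other entry in this list uses, and the table directly under it keeps the old `|22H2| 21H1 | 20H2 |` heading. Add the label and update that heading so the entry matches the rest of the file.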
@ -289,7 +380,7 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
- Supported versions:
---
| Uninstall through UI? |22H2| 21H1 | 20H2 |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
@ -299,17 +390,27 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
- Supported versions:
---
| Uninstall through UI? |22H2| 21H1 | 20H2 |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
---
- [Whiteboard](ms-windows-store://pdp/?PFN=Microsoft.Whiteboard_8wekyb3d8bbwe) | Package name: Microsoft.Whiteboard
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ✔️ | ✔️ | ✔️| ✔️|
---
- [Microsoft Photos](ms-windows-store://pdp/?PFN=Microsoft.Windows.Photos_8wekyb3d8bbwe) | Package name: Microsoft.Windows.Photos
- Supported versions:
---
| Uninstall through UI? |22H2| 21H1 | 20H2 |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
@ -319,7 +420,7 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
- Supported versions:
---
| Uninstall through UI? |22H2| 21H1 | 20H2 |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
@ -329,9 +430,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
- Supported versions:
---
| Uninstall through UI? |22H2| 21H1 | 20H2 |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
| ✔️ | ✔️ | ✔️ | ✔️|
---
@ -339,7 +440,7 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
- Supported versions:
---
| Uninstall through UI? |22H2| 21H1 | 20H2 |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
@ -349,7 +450,7 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
- Supported versions:
---
| Uninstall through UI? |22H2| 21H1 | 20H2 |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
@ -359,7 +460,7 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
- Supported versions:
---
| Uninstall through UI? |22H2| 21H1 | 20H2 |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
@ -369,19 +470,29 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
- Supported versions:
---
| Uninstall through UI? |22H2| 21H1 | 20H2 |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
| ✔️ | ✔️ | ✔️ | ✔️|
---
- [Windows Voice Recorder](ms-windows-store://pdp/?PFN=Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe) | Package name: Microsoft.WindowsSoundRecorder
- [Windows Notepad](ms-windows-store://pdp/?PFN=Microsoft.WindowsNotepad_8wekyb3d8bbwe) | Package name: Microsoft.Notepad
- Supported versions:
---
| Uninstall through UI? |22H2| 21H1 | 20H2 |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
| ✔️ | ✔️ | ✔️ | ✔️|
---
- [Windows Sound Recorder](ms-windows-store://pdp/?PFN=Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe) | Package name: Microsoft.WindowsSoundRecorder
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ✔️ | ✔️ | ✔️ | ✔️|
---
@ -389,29 +500,17 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
- Supported versions:
---
| Uninstall through UI? |22H2| 21H1 | 20H2 |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
---
- The Store app shouldn't be removed. If you remove the Store app, and want to reinstall it, you must restore your system from a backup, or reset your system. Instead of removing the Store app, use group policies to hide or disable it.
- [Xbox Live in-game experience](ms-windows-store://pdp/?PFN=Microsoft.Xbox.TCUI_8wekyb3d8bbwe) | Package name: Microsoft.Xbox.TCUI
- Supported versions:
---
| Uninstall through UI? |22H2| 21H1 | 20H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
---
- [Xbox Console Companion](ms-windows-store://pdp/?PFN=Microsoft.XboxApp_8wekyb3d8bbwe) | Package name: Microsoft.XboxApp
- Supported versions:
---
| Uninstall through UI? |22H2| 21H1 | 20H2 |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
@ -421,7 +520,7 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
- Supported versions:
---
| Uninstall through UI? |22H2| 21H1 | 20H2 |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
@ -431,7 +530,7 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
- Supported versions:
---
| Uninstall through UI? |22H2| 21H1 | 20H2 |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
@ -441,37 +540,37 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
- Supported versions:
---
| Uninstall through UI? |22H2| 21H1 | 20H2 |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
---
- Microsoft.XboxSpeechToTextOverlay
- Xbox speech to text overlay | Package name: Microsoft.XboxSpeechToTextOverlay
- Supported versions:
---
| Uninstall through UI? |22H2| 21H1 | 20H2 |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
---
- [Your Phone](ms-windows-store://pdp/?PFN=Microsoft.YourPhone_8wekyb3d8bbwe) | Package name: Microsoft.YourPhone
- [Phone Link](ms-windows-store://pdp/?PFN=Microsoft.YourPhone_8wekyb3d8bbwe) | Package name: Microsoft.YourPhone
- Supported versions:
---
| Uninstall through UI? |22H2| 21H1 | 20H2 |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
---
- [Groove Music](ms-windows-store://pdp/?PFN=Microsoft.ZuneMusic_8wekyb3d8bbwe) | Package name: Microsoft.ZuneMusic
- [Windows Media Player](ms-windows-store://pdp/?PFN=Microsoft.ZuneMusic_8wekyb3d8bbwe) | Package name: Microsoft.ZuneMusic
- Supported versions:
---
| Uninstall through UI? |22H2| 21H1 | 20H2 |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
@ -481,8 +580,28 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
- Supported versions:
---
| Uninstall through UI? |22H2| 21H1 | 20H2 |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
---
- [Quick Assist](ms-windows-store://pdp/?PFN=MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe) | Package name: MicrosoftCorporationII.QuickAssist
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ✔️ | ✔️ | ✔️ | ✔️|
---
- Windows Web Experience | Package name: MicrosoftWindows.Client.WebExperience
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ❌|
---


@ -4,7 +4,7 @@ description: Use the Windows PowerShell Get-AppxPackage command to get a list of
author: nicholasswhite
ms.author: nwhite
manager: aaroncz
ms.date: 2/14/2023
ms.date: 6/05/2023
ms.topic: article
ms.prod: windows-client
ms.technology: itpro-apps
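Review bot: the new `ms.date: 6/05/2023` pads the day but not the month, while the provisioned-apps article updated in this same commit uses `ms.date: 06/05/2023`. Use the zero-padded form here as well so the metadata is consistent across the two articles.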
@ -44,314 +44,323 @@ The following information lists the system apps on some Windows Enterprise OS ve
- File Picker | Package name: 1527c705-839a-4832-9118-54d4Bd6a0c89
---
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ❌ | ❌ | ✔️ | ✔️| ✔️ |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- File Explorer | Package name: c5e2524a-ea46-4f67-841f-6a9465d9d515
---
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ❌ | ❌ | ✔️ | ✔️| ✔️ |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- App Resolver UX | Package name: E2A4F912-2574-4A75-9BB0-0D023378592B
---
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ❌ | ❌ | ✔️ | ✔️| ✔️ |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- Add Suggested Folders To Library | Package name: F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE
---
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ❌ | ❌ | ✔️ | ✔️| ✔️ |
---
- InputApp
---
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ❌ | ❌ | | | ✔️ |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- Microsoft.AAD.Broker.Plugin | Package name: Microsoft.AAD.Broker.Plugin
---
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ❌ | ❌ | ✔️ | ✔️| ✔️ |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- Microsoft.AccountsControl | Package name: Microsoft.AccountsControl
---
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ❌ | ❌ | ✔️ | ✔️| ✔️ |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- Microsoft.AsyncTextService | Package name: Microsoft.AsyncTextService
---
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ❌ | ❌ | ✔️ | ✔️| ✔️ |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- Hello setup UI | Package name: Microsoft.BioEnrollment
---
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ❌ | ❌ | ✔️ | ✔️| ✔️ |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- Microsoft.CredDialogHost
---
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ❌ | ❌ | ✔️ | ✔️| ✔️ |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- Microsoft.ECApp
---
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ❌ | ❌ | ✔️ | ✔️| ✔️ |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- Microsoft.LockApp
---
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ❌ | ❌ | ✔️ | ✔️| ✔️ |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- Microsoft Edge | Package name: Microsoft.MicrosoftEdge
---
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ❌ | ❌ | ✔️ | ✔️| ✔️ |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- Microsoft.MicrosoftEdgeDevToolsClient
---
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ❌ | ❌ | ✔️ | ✔️| ✔️ |
---
- Microsoft.PPIProjection
---
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ❌ | ❌ | | | ✔️ |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- Microsoft.Win32WebViewHost
---
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ❌ | ❌ | ✔️ | ✔️| ✔️ |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- Microsoft.Windows.Apprep.ChxApp
---
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ❌ | ❌ | ✔️ | ✔️| ✔️ |
---
- Microsoft.Windows.AssignedAccessLockApp
---
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ❌ | ❌ | ✔️ | ✔️| ✔️ |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- Microsoft.Windows.CapturePicker
---
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ❌ | ❌ | ✔️ | ✔️| ✔️ |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- Microsoft.Windows.CloudExperienceHost
---
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ❌ | ❌ | ✔️ | ✔️| ✔️ |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- Microsoft.Windows.ContentDeliveryManager
---
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ❌ | ❌ | ✔️ | ✔️| ✔️ |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- Cortana | Package name: Microsoft.Windows.Cortana
- Narrator QuckStart | Package name: Microsoft.Windows.NarratorQuickStart
---
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ❌ | ❌ | | | ✔️ |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- Microsoft.Windows.OOBENetworkCaptivePort
---
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ❌ | ❌ | ✔️ | ✔️| ✔️ |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- Microsoft.Windows.OOBENetworkConnectionFlow
---
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ❌ | ❌ | ✔️ | ✔️| ✔️ |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- Microsoft.Windows.ParentalControls
---
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ❌ | ❌ | ✔️ | ✔️| ✔️ |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- People Hub | Package name: Microsoft.Windows.PeopleExperienceHost
---
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ❌ | ❌ | ✔️ | ✔️| ✔️ |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- Microsoft.Windows.PinningConfirmationDialog
---
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ❌ | ❌ | ✔️ | ✔️| ✔️ |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- Microsoft.Windows.SecHealthUI
- Microsoft.Windows.PrintQueueActionCenter
---
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ❌ | ❌ | ✔️ | ✔️| ✔️ |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- Microsoft.Windows.SecureAssessmentBrowser
- Microsoft.Windows.ShellExperienceHost
---
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ❌ | ❌ | ✔️ | ✔️| ✔️ |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- Start | Package name: Microsoft.Windows.ShellExperienceHost
- Start | Microsoft.Windows.StartMenuExperienceHost
---
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ❌ | ❌ | ✔️ | ✔️| ✔️ |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- Microsoft.Windows.XGpuEjectDialog
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- Microsoft.XboxGameCallableUI
---
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ❌ | ❌ | ✔️ | ✔️| ✔️ |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- MicrosoftWindows.Client.CBS
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- MicrosoftWindows.Client.Core
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- MicrosoftWindows.UndockedDevKit
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- NcsiUwpApp
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- Windows.CBSPreview
---
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ❌ | ❌ | ✔️ | ✔️| ✔️ |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- Settings | Package name: Windows.immersivecontrolpanel
---
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ❌ | ❌ | ✔️ | ✔️| ✔️ |
---
- Print 3D | Package name: Windows.Print3D
---
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ✔️ | ✔️ | | | ✔️ |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- Print UI | Package name: Windows.PrintDialog
---
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ❌ | ❌ | ✔️ | ✔️| ✔️ |
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
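Review bot: The list item `- Narrator QuckStart | Package name: Microsoft.Windows.NarratorQuickStart` misspells the display name; it should read "Narrator QuickStart" to match the package name. In the same hunk, `- Start | Microsoft.Windows.StartMenuExperienceHost` omits the `Package name:` label that the other labelled entries carry. Every system-app row also leaves the "Uninstall through UI?" cell empty, so the table never answers the question its first column asks.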

View File

@ -65,7 +65,7 @@
href: mcc-isp-support.md
- name: MCC for ISPs (early preview)
href: mcc-isp.md
- name: Content endpoints for Delivery Optimization and Microsoft Connected Cache
- name: Endpoints for Microsoft Connected Cache content and services
href: delivery-optimization-endpoints.md
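Review bot: The renamed TOC entry "Endpoints for Microsoft Connected Cache content and services" no longer mentions Delivery Optimization, while its `href` is still `delivery-optimization-endpoints.md`. Check that the target article's title and scope were changed to match. Otherwise readers looking for the Delivery Optimization endpoint list lose the only navigation entry that named it.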

View File

@ -34,7 +34,7 @@ If a user is signed in, the system uses the Internet Explorer proxy.
If no user is signed in, even if both the Internet Explorer proxy and netsh configuration are set, the netsh configuration will take precedence over the Internet Explorer proxy. This can result in download failures. For example, you might receive HTTP_E_STATUS_PROXY_AUTH_REQ or HTTP_E_STATUS_DENIED errors.
You can still use netsh to import the proxy setting from Internet Explorer (`netsh winhttp import proxy source=ie `) if your proxy configuration is a static *proxyServerName:Port*. However, the same limitations mentioned previously apply.
You can still use netsh to import the proxy setting from Internet Explorer (`netsh winhttp import proxy source=ie`) if your proxy configuration is a static *proxyServerName:Port*. However, the same limitations mentioned previously apply.
### Summary of settings behavior

View File

@ -90,7 +90,7 @@ The following set of instructions will be used for each machine:
|--------|-------------------------------|
| :::image type="content" source="images/test-scenarios/win10/m1-basic-complete.png" alt-text="Windows 10 21H2 - Machine 1 - Basic Test." lightbox="images/test-scenarios/win10/m1-basic-complete.png"::: | :::image type="content" source="images/test-scenarios/win11/m1-basic-complete.png" alt-text="Windows 11 21H2 - Machine 1 - Basic Test." lightbox="images/test-scenarios/win11/m1-basic-complete.png"::: |
| **Observations** | |
| * No peers were found on the first machine downloading the content.<br>* 'TotalBytesDownloaded' is equal to the file size.<br>* Status is set to 'Caching' the content so future peers can use it.<br>* Download was happening in the foreground.<br>* DownloadMode is set to 'Group' and no peers were found.<br>* No distinct observations seen between Window 10 and Windows 11 devices. |
| *No peers were found on the first machine downloading the content.<br>* 'TotalBytesDownloaded' is equal to the file size.<br>*Status is set to 'Caching' the content so future peers can use it.<br>* Download was happening in the foreground.<br>*DownloadMode is set to 'Group' and no peers were found.<br>* No distinct observations seen between Window 10 and Windows 11 devices. |
*Wait 5 minutes*.
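Review bot: In the Observations row, the bullets now alternate between `*No peers` (no space after the asterisk) and `* 'TotalBytesDownloaded'`, so Markdown can pair the asterisks as emphasis and italicize alternate items instead of showing six bullets. Keep the space after each `*`, as in the previous text, and fix "Window 10" to "Windows 10" in the last item while the line is being touched.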
@ -102,7 +102,7 @@ The following set of instructions will be used for each machine:
|--------|--------------------------------|
| :::image type="content" source="images/test-scenarios/win10/m2-basic-complete.png" alt-text="Windows 10 21H2 - Machine 2 - Basic Test." lightbox="images/test-scenarios/win10/m2-basic-complete.png"::: | :::image type="content" source="images/test-scenarios/win11/m2-basic-complete.png" alt-text="Windows 11 21H2 - Machine 2 - Basic Test." lightbox="images/test-scenarios/win11/m2-basic-complete.png":::|
| **Observations** | **Observations**|
| * A peer was found for the content and 87% of total bytes came from the peer. <br> * One peer was found for the piece of content, which is expected as there are only two devices in the peering group. <br> * Download mode was set to 'Group', but since group mode includes both LAN and Group devices, Delivery Optimization prioritizes LAN peers, if found. Therefore, 'BytesFromLanPeers' shows bytes where 'BytesFromGroupPeers' doesn't. <br> * 'DownloadDuration' is roughly the same between machines.|* A peer was found for the content and 90% of total bytes came from the peer. <br> * All other points are the same as Windows 10 results. |
| *A peer was found for the content and 87% of total bytes came from the peer. <br>* One peer was found for the piece of content, which is expected as there are only two devices in the peering group. <br> *Download mode was set to 'Group', but since group mode includes both LAN and Group devices, Delivery Optimization prioritizes LAN peers, if found. Therefore, 'BytesFromLanPeers' shows bytes where 'BytesFromGroupPeers' doesn't. <br>* 'DownloadDuration' is roughly the same between machines.|*A peer was found for the content and 90% of total bytes came from the peer. <br>* All other points are the same as Windows 10 results. |
### Scenario 2: Advance Setup
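Review bot: Both Observations cells in this row lose the space after some bullet asterisks, for example `| *A peer was found` and `<br> *Download mode was set`, which turns those asterisks into emphasis delimiters that can pair up across items. Restore `* ` with a trailing space on every item in both the Windows 10 and Windows 11 cells.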

View File

@ -23,13 +23,13 @@ sections:
- name: Ignored
questions:
- question: Does Delivery Optimization work with WSUS?
answer: Yes. Devices will obtain the update payloads from the WSUS server, but must also have an internet connection as they communicate with the Delivery Optimization cloud service for coordination.
answer: Yes. Devices obtain the update payloads from the WSUS server, but must also have an internet connection as they communicate with the Delivery Optimization cloud service for coordination.
- question: Which ports does Delivery Optimization use?
answer: |
Delivery Optimization listens on port 7680 for requests from other peers by using TCP/IP. The service will register and open this port on the device. The port must be set to accept inbound traffic through your firewall. If you don't allow inbound traffic over port 7680, you can't use the peer-to-peer functionality of Delivery Optimization. However, devices can still successfully download by using HTTP or HTTPS traffic over port 80 (such as for default Windows Update data).
Delivery Optimization listens on port 7680 for requests from other peers by using TCP/IP. The service registers and opens this port on the device. The port must be set to accept inbound traffic through your firewall. If you don't allow inbound traffic over port 7680, you can't use the peer-to-peer functionality of Delivery Optimization. However, devices can still successfully download by using HTTP or HTTPS traffic over port 80 (such as for default Windows Update data).
Delivery Optimization will use Teredo to create peer groups, which include devices across NATs (or any form of internal subnet that uses gateways or firewalls between subnets). To enable this scenario, you must allow inbound TCP/IP traffic over port 3544. Look for a "NAT traversal" setting in your firewall to set this up.
Delivery Optimization uses Teredo to create peer groups, which include devices across NATs (or any form of internal subnet that uses gateways or firewalls between subnets). To enable this scenario, you must allow inbound TCP/IP traffic over port 3544. Look for a "NAT traversal" setting in your firewall to set this up.
Delivery Optimization also communicates with its cloud service by using HTTP/HTTPS over port 80.
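Review bot: The Teredo paragraph reworded here still tells readers to allow "inbound TCP/IP traffic over port 3544", but Teredo is carried over UDP, so a firewall rule written from this sentence as TCP 3544 would not permit the NAT-traversal traffic. Name the protocol explicitly (UDP 3544). In the same answer, reconsider "HTTP or HTTPS traffic over port 80", since HTTPS normally uses port 443 and an administrator building egress rules from this text would open only port 80.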
@ -40,12 +40,11 @@ sections:
answer: |
**For communication between clients and the Delivery Optimization cloud service**:
- `*.do.dsp.mp.microsoft.com`
- `*.prod.do.dsp.mp.microsoft.com`
**For Delivery Optimization metadata**:
- `*.dl.delivery.mp.microsoft.com`
- `*.emdl.ws.microsoft.com`
**For the payloads (optional)**:
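Review bot: The cloud-service list names `*.prod.do.dsp.mp.microsoft.com`, which is a subset of the `*.do.dsp.mp.microsoft.com` pattern shown beside it, and the answer does not say whether the broader wildcard is still required. Administrators who built allow-list rules from the earlier text need to know whether they can tighten the rule or must keep both, so state that in the answer. Apply the same clarification to `*.emdl.ws.microsoft.com` in the metadata list.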
@ -66,11 +65,11 @@ sections:
- question: How does Delivery Optimization handle VPNs?
answer: |
Delivery Optimization attempts to identify VPNs by checking the network adapter type and details. A connection will be treated as a VPN if the adapter description contains certain keywords, such as "VPN" or "secure."
Delivery Optimization attempts to identify VPNs by checking the network adapter type and details. A connection is treated as a VPN if the adapter description contains certain keywords, such as "VPN" or "secure."
If the connection is identified as a VPN, Delivery Optimization will suspend uploads to other peers. However, you can allow uploads over a VPN by using the [Enable Peer Caching while the device connects via VPN](../do/waas-delivery-optimization-reference.md#enable-peer-caching-while-the-device-connects-via-vpn) policy.
If the connection is identified as a VPN, Delivery Optimization suspends uploads to other peers. However, you can allow uploads over a VPN by using the [Enable Peer Caching while the device connects via VPN](../do/waas-delivery-optimization-reference.md#enable-peer-caching-while-the-device-connects-via-vpn) policy.
If you have defined a boundary group in Configuration Manager for VPN IP ranges, you can set the [DownloadMode](../do/waas-delivery-optimization-reference.md#download-mode) policy to 0 for that boundary group, to ensure that there will be no peer-to-peer activity over the VPN. When the device isn't connected using a VPN, it can still use peer-to-peer with the default of LAN.
If you have defined a boundary group in Configuration Manager for VPN IP ranges, you can set the [DownloadMode](../do/waas-delivery-optimization-reference.md#download-mode) policy to 0 for that boundary group, to ensure that there's no peer-to-peer activity over the VPN. When the device isn't connected using a VPN, it can still use peer-to-peer with the default of LAN.
With split tunneling, make sure to allow direct access to these endpoints:
@ -80,7 +79,6 @@ sections:
Delivery Optimization metadata:
- `http://emdl.ws.microsoft.com`
- `http://download.windowsupdate.com`
- `http://*.dl.delivery.mp.microsoft.com`
@ -108,3 +106,27 @@ sections:
answer: |
Delivery Optimization uses the cache content on the device to determine what's available for peering. For the upload source device, there's a limited number (4) of slots for cached content that's available for peering at a given time. Delivery Optimization contains logic that rotates the cached content in those slots.
- question: What is the recommended configuration for Delivery Optimization used with cloud proxies (for example, Zscaler)?
answer: |
The recommended configuration for Delivery Optimization Peer-to-Peer to work most efficiently along with cloud proxy solutions (for example, Zscaler) is to allow traffic to the Delivery Optimization services to go directly to the internet and not through the cloud proxy.
At a minimum, the following FQDN that is used for communication between clients and the Delivery Optimization service should be allowed with direct Internet access and bypass the cloud proxy service:
- *.prod.do.dsp.mp.microsoft.com
If allowing direct Internet access isn't an option, try using Group Download Mode '2' to define the peering group. [Learn more](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) about using Group Download mode.
- question: How do I turn off Delivery Optimization?
answer: |
Delivery Optimization is an HTTP downloader used by most content providers from Microsoft. When a device is configured to use Delivery Optimization peering (on by default), it does so with the HTTP downloader capabilities to optimize bandwidth usage.
If you'd like to disable peer-to-peer capabilities of Delivery Optimization, change the Delivery Optimization [Download mode](waas-delivery-optimization-reference.md#download-mode) setting to '0', which will disable peer-to-peer and provide hash checks. [Download mode](waas-delivery-optimization-reference.md#download-mode) set to '99' should only be used when the device is offline and doesn't have internet access.
> [!NOTE]
> Disabling Delivery Optimization won't prevent content from downloading to your devices. If you're looking to pause updates, you need to set policies for the relevant components such as Windows Update, Windows Store or Edge browser. If you're looking to reduce the load on your network, look into using Delivery Optimization Peer-to-Peer, Microsoft Connected Cache or apply the [network throttling policies](waas-delivery-optimization-reference.md#maximum-download-bandwidth) available for Delivery Optimization.
- question: Delivery Optimization is using device resources and I can't tell why?
answer: |
Delivery Optimization is used by most content providers from Microsoft. A complete list can be found [here](waas-delivery-optimization.md#types-of-download-content-supported-by-delivery-optimization). Oftentimes customers may not realize the vast application of Delivery Optimization and how it's used across different apps. Content providers have the option to run downloads in the foreground or background. It's good to check any apps running in the background to see what is running. Also note that depending on the app, closing the app may not necessarily stop the download.
- question: What Delivery Optimization settings are available?
answer: |
There are many different Delivery Optimization [settings](waas-delivery-optimization-reference.md) available. These settings allow you to effectively manage how Delivery Optimization is used within your environment with control s on bandwidth, time of day, etc.
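Review bot: In the cloud-proxy answer, the bypass hostname is a bare list item, `- *.prod.do.dsp.mp.microsoft.com`, without the backticks used for hostnames in the firewall answer earlier in this file, so the leading asterisk can be read as Markdown emphasis and the wildcard may not render literally in a value that administrators copy into proxy bypass rules. Wrap it in backticks. The new links use `waas-delivery-optimization-reference.md`, while the VPN answer in the same file uses `../do/waas-delivery-optimization-reference.md`; one of the two relative paths is likely wrong. Also fix "control s on bandwidth" in the last answer and replace the "[here]" link text with the name of the target article.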

View File

@ -26,15 +26,15 @@ ms.collection: tier3
You can use Group Policy or an MDM solution like Intune to configure Delivery Optimization.
You'll find the Delivery Optimization settings in Group Policy under **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization**.
You find the Delivery Optimization settings in Group Policy under **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization**.
Starting with Microsoft Intune version 1902, you can set many Delivery Optimization policies as a profile, which you can then apply to groups of devices. For more information, see [Delivery Optimization settings in Microsoft Intune](/mem/intune/configuration/delivery-optimization-windows).
**Starting with Windows 10, version 1903**, you can use the Azure Active Directory (Azure AD) Tenant ID as a means to define groups. To do this set the value for [DOGroupIDSource](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) to its new maximum value of 5.
**Starting with Windows 10, version 1903**, you can use the Azure Active Directory (Azure AD) Tenant ID as a means to define groups. To set the value for [DOGroupIDSource](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) to its new maximum value of 5.
## Allow service endpoints
When using a firewall, it's important that the Delivery Optimization Service endpoints are allowed and associated ports are open. For more information, see [Delivery Optimization FAQ](waas-delivery-optimization-faq.yml#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization) for more information.
When using a firewall, it's important that the Delivery Optimization Service endpoints are allowed and associated ports are open. For more information, see [Delivery Optimization FAQ](waas-delivery-optimization-faq.yml#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization).
## Allow content endpoints
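Review bot: The reworded sentence that begins "To set the value for" and ends "to its new maximum value of 5." is now a fragment with no main clause; dropping "do this" removed the instruction itself. Something like "To use it, set the value for DOGroupIDSource to its new maximum value of 5." restores it. "You find the Delivery Optimization settings in Group Policy under" also reads awkwardly; "The Delivery Optimization settings are in Group Policy under" is clearer.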
@ -42,9 +42,9 @@ When using a firewall, it's important that the content endpoints are allowed and
## Recommended Delivery Optimization settings
Delivery Optimization offers a great many settings to fine-tune its behavior (see [Delivery Optimization reference](waas-delivery-optimization-reference.md) for a comprehensive list), but for the most efficient performance, there are just a few key parameters that will have the greatest impact if particular situations exist in your deployment. If you just need an overview of Delivery Optimization, see [Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md).
Delivery Optimization offers a great many settings to fine-tune its behavior see [Delivery Optimization reference](waas-delivery-optimization-reference.md) for a comprehensive list, but for the most efficient performance, there are just a few key parameters that have the greatest impact if particular situations exist in your deployment. If you just need an overview of Delivery Optimization, see [Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md).
- Does your topology include multiple breakouts to the internet (i.e., a "hybrid WAN") or are there only a few connections to the internet, so that all requests appear to come from a single external IP address (a "hub and spoke" topology)?
- Does your topology include multiple breakouts to the internet that is, a "hybrid WAN" or are there only a few connections to the internet, so that all requests appear to come from a single external IP address a "hub and spoke" topology?
- If you use boundary groups in your topology, how many devices are present in a given group?
- What percentage of your devices are mobile?
- Do your devices have a lot of free space on their drives?
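Review bot: Removing the parentheses in the first paragraph leaves a run-on at "fine-tune its behavior see [Delivery Optimization reference]". The first bullet now reads "multiple breakouts to the internet that is, a "hybrid WAN" or are there only", which no longer parses. Keep the parenthetical punctuation, for example "multiple breakouts to the internet (that is, a "hybrid WAN")" and "a single external IP address (a "hub and spoke" topology)".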
@ -69,17 +69,17 @@ Quick-reference table:
For this scenario, grouping devices by domain allows devices to be included in peer downloads and uploads across VLANs. **Set Download Mode to 2 - Group**. The default group, when the GroupID or GroupIDSource policies aren't set, is the AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. If your domain-based group is too wide, or your Active Directory sites aren't aligned with your site network topology, then you should consider other options for dynamically creating groups, for example by using the [DOGroupIDSource](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) policy.
To do this in Group Policy go to **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Download mode** to **2**.
In Group Policy go to **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Download mode** to **2**.
To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set [DODownloadMode](/windows/client-management/mdm/policy-csp-deliveryoptimization#dodownloadmode) to 1 or 2.
Using with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set [DODownloadMode](/windows/client-management/mdm/policy-csp-deliveryoptimization#dodownloadmode) to 1 or 2.
### Hub and spoke topology with boundary groups
The default download mode setting is **1**; this means all devices breaking out to the internet using the same public IP will be considered as a single peer group. To prevent peer-to-peer activity across your WAN, you should set the download mode to **2**. If you have already defined Active Directory sites per hub or branch office, then you don't need to do anything else since those will be used by default as the source for creation of Group IDs. If you're not using Active Directory sites, you should set a different source for Groups by using the [DOGroupIDSource](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) options or the [DORestrictPeerSelectionBy](waas-delivery-optimization-reference.md#select-a-method-to-restrict-peer-selection) policy to restrict the activity to the subnet.
The default download mode setting is **1**; this means all devices breaking out to the internet using the same public IP is considered as a single peer group. To prevent peer-to-peer activity across your WAN, you should set the download mode to **2**. If you have already defined Active Directory sites per hub or branch office, then you don't need to do anything else since the Active Directory sites are used by default as the source for creation of Group IDs. If you're not using Active Directory sites, you should set a different source for Groups by using the [DOGroupIDSource](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) options or the [DORestrictPeerSelectionBy](waas-delivery-optimization-reference.md#select-a-method-to-restrict-peer-selection) policy to restrict the activity to the subnet.
To do this in Group Policy go to **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Download mode** to **2**.
With Group Policy go to **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Download mode** to **2**.
To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set [DODownloadMode](/windows/client-management/mdm/policy-csp-deliveryoptimization#dodownloadmode) to **2**.
Using MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set [DODownloadMode](/windows/client-management/mdm/policy-csp-deliveryoptimization#dodownloadmode) to **2**.
> [!NOTE]
> For more information about using Delivery Optimization with Configuration Manager boundary groups, see [Delivery Optimization for Configuration Manager](/mem/configmgr/core/plan-design/hierarchy/fundamental-concepts-for-content-management#delivery-optimization).
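Review bot: The MDM step in the first section now begins "Using with MDM, go to", which is garbled, and it tells readers to set DODownloadMode "to 1 or 2" while the paragraph above it and the Group Policy step both say to set Download Mode to 2. Make the MDM value match, or explain when 1 is acceptable. In the hub and spoke paragraph, "all devices breaking out to the internet using the same public IP is considered" should read "are considered". The step lead-ins also vary between "In Group Policy", "With Group Policy" and "Using MDM"; pick one form for each tool.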
@ -88,25 +88,25 @@ To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimiza
If you have a mobile workforce with a great many mobile devices, set Delivery Optimization to allow uploads on battery power, while limiting the use to prevent battery drain. A setting for **DOMinBatteryPercentageAllowedToUpload** of 60% is a good starting point, though you might want to adjust it later.
To do this in Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Allow uploads while the device is on battery while under set Battery level** to 60.
With Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Allow uploads while the device is on battery while under set Battery level** to 60.
To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set [DOMinBatteryPercentageAllowedToUpload](/windows/client-management/mdm/policy-csp-deliveryoptimization#dominbatterypercentageallowedtoupload) to 60.
Using MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set [DOMinBatteryPercentageAllowedToUpload](/windows/client-management/mdm/policy-csp-deliveryoptimization#dominbatterypercentageallowedtoupload) to 60.
### Plentiful free space and large numbers of devices
Many devices now come with large internal drives. You can set Delivery Optimization to take better advantage of this space (especially if you have large numbers of devices) by changing the minimum file size to cache. If you've more than 30 devices in your local network or group, change it from the default 50 MB to 10 MB. If you've more than 100 devices (and are running Windows 10, version 1803 or later), set this value to 1 MB.
Many devices now come with large internal drives. You can set Delivery Optimization to take better advantage of this space (especially if you have large numbers of devices) by changing the minimum file size to cache. If you have more than 30 devices in your local network or group, change it from the default 50 MB to 10 MB. If you have more than 100 devices (and are running Windows 10, version 1803 or later), set this value to 1 MB.
To do this in Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Minimum Peer Caching Content File Size** to 10 (if you've more than 30 devices) or 1 (if you've more than 100 devices).
With Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Minimum Peer Caching Content File Size** to 10 (if you have more than 30 devices) or 1 (if you have more than 100 devices).
To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set [DOMinFileSizeToCache](/windows/client-management/mdm/policy-csp-deliveryoptimization#dominfilesizetocache) to 100 (if you've more than 30 devices) or 1 (if you've more than 100 devices).
Using MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set [DOMinFileSizeToCache](/windows/client-management/mdm/policy-csp-deliveryoptimization#dominfilesizetocache) to 100 (if you have more than 30 devices) or 1 (if you have more than 100 devices).
### Lab scenario
In a lab situation, you typically have a large number of devices that are plugged in and have a lot of free disk space. By increasing the content expiration interval, you can take advantage of these devices, using them as excellent upload sources in order to upload much more content over a longer period.
In a lab situation, you typically have a large number of devices that are plugged in and have a lot of free disk space. By increasing the content expiration interval, you can take advantage of these devices, using them as excellent upload sources in order to upload more content over a longer period.
To do this in Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Max Cache Age** to **604800** (7 days) or more (up to 30 days).
With Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Max Cache Age** to **604800** (7 days) or more (up to 30 days).
To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set [DOMaxCacheAge](/windows/client-management/mdm/policy-csp-deliveryoptimization#domaxcacheage) to 7 or more (up to 30 days).
Using MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set [DOMaxCacheAge](/windows/client-management/mdm/policy-csp-deliveryoptimization#domaxcacheage) to 7 or more (up to 30 days).
[Learn more](delivery-optimization-test.md) about Delivery Optimization testing scenarios.
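Review bot: in the "Plentiful free space and large numbers of devices" section, the reworded MDM line still tells readers to set DOMinFileSizeToCache to 100 for more than 30 devices, while the paragraph above it and the Group Policy line both say 10. Since the line is being rewritten anyway, change it to 10. The lab-scenario lines have a similar mismatch: Group Policy sets **Max Cache Age** to 604800 (7 days), but the MDM line sets DOMaxCacheAge to 7. State the unit in both lines or use the same value.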
@ -140,7 +140,7 @@ Try these steps:
1. Start a download of an app that is larger than 50 MB from the Store (for example "Candy Crush Saga").
2. Run `Get-DeliveryOptimizationStatus` from an elevated PowerShell window and observe the [DODownloadMode](waas-delivery-optimization-reference.md#download-mode) setting. For peering to work, download mode should be 1, 2, or 3.
3. If the download mode is 99, it could indicate your device is unable to reach the Delivery Optimization cloud services. Ensure that the Delivery Optimization host names are allowed access: most importantly **\*.do.dsp.mp.microsoft.com**.
3. If the download mode is 99, it could indicate your device is unable to reach the Delivery Optimization cloud services. Ensure that the Delivery Optimization host names are allowed access: most importantly **\*.prod.do.dsp.mp.microsoft.com**.
### The cloud service doesn't see other peers on the network
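Review bot: step 3 narrows the allow-list pattern from `*.do.dsp.mp.microsoft.com` to `*.prod.do.dsp.mp.microsoft.com` but still refers to "host names" in the plural without listing or linking them. Link the full endpoint list from this step, so that readers who build proxy or firewall rules from it don't allow only this one pattern.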
@ -148,8 +148,8 @@ Try these steps:
1. Download the same app on two different devices on the same network, waiting 10 15 minutes between downloads.
2. Run `Get-DeliveryOptimizationStatus` from an elevated PowerShell window and ensure that **[DODownloadMode](waas-delivery-optimization-reference.md#download-mode)** is 1 or 2 on both devices.
3. Run `Get-DeliveryOptimizationPerfSnap` from an elevated PowerShell window on the second device. The **NumberOfPeers** field should be non-zero.
4. If the number of peers is zero and **[DODownloadMode](waas-delivery-optimization-reference.md#download-mode)** is 1, ensure that both devices are using the same public IP address to reach the internet (you can easily do this by opening a browser window and do a search for “what is my IP”). In the case where devices aren't reporting the same public IP address, configure **[DODownloadMode](waas-delivery-optimization-reference.md#download-mode)** to 2 (Group) and use a custom **[DOGroupID (Guid)](waas-delivery-optimization-reference.md#group-id)**, to fix this.
3. Run `Get-DeliveryOptimizationPerfSnap` from an elevated PowerShell window on the second device. The **NumberOfPeers** field should be nonzero.
4. If the number of peers is zero and **[DODownloadMode](waas-delivery-optimization-reference.md#download-mode)** is 1, ensure that both devices are using the same public IP address to reach the internet (you can easily do this by opening a browser window and do a search for “what is my IP”). In the case where devices aren't reporting the same public IP address, configure **[DODownloadMode](waas-delivery-optimization-reference.md#download-mode)** to 2 (Group) and use a custom **[DOGroupID (Guid)](waas-delivery-optimization-reference.md#group-id)**.
> [!NOTE]
> Starting in Windows 10, version 2004, `Get-DeliveryOptimizationStatus` has a new option `-PeerInfo` which returns a real-time list of potential peers per file, including which peers are successfully connected and the total bytes sent or received from each peer.
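Review bot: the rewritten step 4 drops ", to fix this" but keeps the broken parallelism in "by opening a browser window and do a search for"; change it to "and searching for" while the line is open. Step 4 also only covers the case where DODownloadMode is 1, although step 2 accepts 1 or 2, so say what to check when the peer count is zero in Group mode.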

View File

@ -23,9 +23,9 @@ ms.date: 12/31/2017
> **Looking for Group Policy objects?** See [Delivery Optimization reference](waas-delivery-optimization-reference.md) or the master spreadsheet available at the Download Center [for Windows 11](https://www.microsoft.com/en-us/download/details.aspx?id=104594) or [for Windows 10](https://www.microsoft.com/en-us/download/details.aspx?id=104678).
Windows updates, upgrades, and applications can contain packages with large files. Downloading and distributing updates can consume quite a bit of network resources on the devices receiving them. Delivery Optimization is a reliable HTTP downloader with a cloud-managed solution that allows Windows devices to download those packages from alternate sources if desired (such as other devices on the network and/or a dedicated cache server) in addition to the traditional internet-based servers (referred to as 'HTTP sources' throughout Delivery Optimization documents). You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages among multiple devices in your deployment however, the use of peer-to-peer is completely optional.
Windows updates, upgrades, and applications can contain packages with large files. Downloading and distributing updates can consume quite a bit of network resources on the devices receiving them. Delivery Optimization is a reliable HTTP downloader with a cloud-managed solution that allows Windows devices to download those packages from alternate sources if desired (such as other devices on the network and/or a dedicated cache server) in addition to the traditional internet-based servers (referred to as 'HTTP sources' throughout Delivery Optimization documents). You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages among multiple devices in your deployment however, the use of peer-to-peer is optional.
To use either the peer-to-peer functionality or the Microsoft Connected Cache features, devices must have access to the Internet and Delivery Optimization cloud services. When Delivery Optimization is configured to use peers and Microsoft Connected Cache (MCC), to achieve the best possible content delivery experience, the client will connect to MCC and peers in parallel. If the desired content can't be obtained from MCC or peers, Delivery Optimization will seamlessly fall back to the HTTP source to get the requested content.
To use either the peer-to-peer functionality or the Microsoft Connected Cache features, devices must have access to the Internet and Delivery Optimization cloud services. When Delivery Optimization is configured to use peers and Microsoft Connected Cache (MCC), to achieve the best possible content delivery experience, the client connects to MCC and peers in parallel. If the desired content can't be obtained from MCC or peers, Delivery Optimization seamlessly falls back to the HTTP source to get the requested content.
You can use Delivery Optimization with Windows Update, Windows Server Update Services (WSUS), Microsoft Intune/Windows Update for Business, or Microsoft Configuration Manager (when installation of Express Updates is enabled).
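Review bot: the edited overview sentence is still a run-on at "among multiple devices in your deployment however, the use of peer-to-peer is optional". Put a semicolon or a full stop before "however", since this edit already changes the end of that sentence.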
@ -50,9 +50,9 @@ The following table lists the minimum Windows 10 version that supports Delivery
| Windows Client | Minimum Windows version | HTTP Downloader | Peer to Peer | Microsoft Connected Cache (MCC)
|------------------|---------------|----------------|----------|----------------|
| Windows Update (feature updates quality updates, language packs, drivers) | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Windows 10 Store files | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Windows 10 Store for Business files | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Windows Update ([feature updates quality updates, language packs, drivers](../update/get-started-updates-channels-tools.md#types-of-updates)) | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Windows 10 Store apps | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Windows 10 Store for Business apps | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Windows Defender definition updates | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Intune Win32 apps| Windows 10 1709, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Microsoft 365 Apps and updates | Windows 10 1709, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
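Review bot: the new Windows Update row wraps the list in a link but keeps the missing comma in "feature updates quality updates", so the link text reads as one item; it should be "feature updates, quality updates, language packs, drivers". The header row above it has no closing pipe, unlike every data row, and is worth fixing in the same pass.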

View File

@ -23,8 +23,9 @@ ms.collection: tier3
> Microsoft Connected Cache is currently a preview feature. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
Microsoft Connected Cache is a software-only caching solution that delivers Microsoft content. Microsoft Connected Cache has two main offerings:
- Microsoft Connected Cache for Internet Service Providers
- Microsoft Connected Cache for Enterprise and Education (early preview).
- Microsoft Connected Cache for Enterprise and Education (early preview)
Both products are created and managed in the cloud portal.

View File

@ -25,14 +25,19 @@ Microsoft Connected Cache (MCC) is a software-only caching solution that deliver
For more information about MCC, see [Microsoft Connected Cache overview](waas-microsoft-connected-cache.md).
## New in Delivery Optimization for Windows 10, version 20H2 and Windows 11
There are two different versions:
- New peer selection options: Currently the available options include: 0 = None, 1 = Subnet mask, and 2 = Local Peer Discovery. The subnet mask option applies to both Download Modes LAN (1) and Group (2). If Group mode is set, Delivery Optimization will connect to locally discovered peers that are also part of the same Group (have the same Group ID)."
- Local Peer Discovery: a new option for **[Restrict Peer Selection By](waas-delivery-optimization-reference.md#select-a-method-to-restrict-peer-selection)** (in Group Policy) or **DORestrictPeerSelectionBy** (in MDM). This option restricts the discovery of local peers using the DNS-SD protocol. When you set Option 2, Delivery Optimization will restrict peer selection to peers that are locally discovered (using DNS-SD). If Group mode is enabled, Delivery Optimization will connect to locally discovered peers that are also part of the same group, for those devices with the same Group ID).
- [Microsoft Connected Cache for Enterprise and Education](mcc-ent-edu-overview.md)
- [Microsoft Connected Cache for ISPs](mcc-isp-overview.md).
## New in Delivery Optimization for Windows
- Delivery Optimization introduced support for receiver side ledbat (rLedbat) in Windows 11 22H2.
- New peer selection options: Currently the available options include: 0 = None, 1 = Subnet mask, and 2 = Local Peer Discovery. The subnet mask option applies to both Download Modes LAN (1) and Group (2). If Group mode is set, Delivery Optimization connects to locally discovered peers that are also part of the same Group (have the same Group ID)."
- Local Peer Discovery: a new option for **[Restrict Peer Selection By](waas-delivery-optimization-reference.md#select-a-method-to-restrict-peer-selection)** (in Group Policy) or **DORestrictPeerSelectionBy** (in MDM). This option restricts the discovery of local peers using the DNS-SD protocol. When you set Option 2, Delivery Optimization restricts peer selection to peers that are locally discovered (using DNS-SD). If Group mode is enabled, Delivery Optimization connects to locally discovered peers that are also part of the same group, for those devices with the same Group ID).
> [!NOTE]
> The Local Peer Discovery (DNS-SD, [RFC 6763](https://datatracker.ietf.org/doc/html/rfc6763)) option can only be set via MDM delivered policies on Windows 11 builds. This feature can be enabled in supported Windows 10 builds by setting the `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization\DORestrictPeerSelectionBy` value to **2**. For more information, see [Delivery Optimization reference](waas-delivery-optimization-reference.md).
- Starting with Windows 11, the Bypass option of [Download Mode](waas-delivery-optimization-reference.md#download-mode) is no longer used.
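Review bot: both rewritten bullets carry over unbalanced punctuation: the "New peer selection options" bullet ends with a stray double quote after "(have the same Group ID).", and the "Local Peer Discovery" bullet ends with a closing parenthesis that has no opener ("with the same Group ID)."). The heading also changes from "Windows 10, version 20H2 and Windows 11" to just "Windows", so the two peer-selection bullets no longer say which release introduced them. Add the version to each bullet, as the rLedbat bullet does, and expand "rLedbat" on first use.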

View File

@ -11,12 +11,14 @@ ms.technology: itpro-updates
---
# Delivery Optimization data in Windows Update for Business reports
<!--7715481-->
***(Applies to: Windows 11 & Windows 10)***
[Delivery Optimization](../do/waas-delivery-optimization.md) (DO) is a Windows feature that can be used to reduce bandwidth consumption by sharing the work of downloading updates among multiple devices in your environment. You can use DO with many other deployment methods, but it's a cloud-managed solution, and access to the DO cloud services is a requirement.
Windows Update for Business reports provides Delivery Optimization information in the following places:
- The Windows Update for Business reports [workbook](wufb-reports-workbook.md)
- [UCDOAggregatedStatus](wufb-reports-schema-ucdoaggregatedstatus.md)
- [UCDOStatus](wufb-reports-schema-ucdostatus.md)
@ -32,20 +34,21 @@ Windows Update for Business reports uses the following Delivery Optimization ter
- LAN (1)
- Group (2)
- Internet (3)
- **Peering 'OFF'**: Devices where DO peer-to-peer is disabled, set to one of the following modes:
- HTTP Only (0)
- Simple Mode (99)
- Bypass (100), deprecated in Windows 11
- **Bandwidth savings**: The percentage of bandwidth that was downloaded from alternate sources (Peers or Microsoft Connected Cache (MCC) out of the total amount of data downloaded.
- If bandwidth savings are <= 60%, a *Warning* icon is displayed
- When bandwidth savings are <10%, an *Error* icon is displayed.
- If bandwidth savings are <= 60%, a *Warning* icon is displayed
- When bandwidth savings are <10%, an *Error* icon is displayed.
- **Configurations**: Based on the DownloadMode configuration set via MDM, Group Policy, or end-user via the user interface.
- **P2P Device Count**: The device count is the number of devices configured to use peering.
- **Microsoft Connected Cache (MCC)**: Microsoft Connected Cache is a software-only caching solution that delivers Microsoft content. For more information, see [Microsoft Connected Cache overview](../do/waas-microsoft-connected-cache.md).
- **MCC Device Count**: The device count is the number of devices that have received bytes from the cache server, for supported content types.
- **Total # of Devices**: The total number of devices with activity in last 28 days.
- **LAN Bytes**: Bytes delivered from LAN peers.
- **Group Bytes**: Bytes from Group peers. If a device is using Group DownloadMode, Delivery Optimization will first look for peers on the LAN and then in the Group. Therefore, if bytes are delivered from LAN peers, they'll be calculated in 'LAN Bytes'.
- **Group Bytes**: Bytes from Group peers. If a device is using Group DownloadMode, Delivery Optimization first looks for peers on the LAN and then in the Group. Therefore, if bytes are delivered from LAN peers, they are calculated in 'LAN Bytes'.
- **CDN Bytes**: Bytes delivered from Content Delivery Network (CDN).
- **City**: City is determined based on the location of the device where the maximum amount of data is downloaded.
- **Country**: Country is determined based on the location of the device where the maximum amount of data is downloaded.
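Review bot: the **Bandwidth savings** definition, directly above the re-indented sub-bullets, has an unclosed parenthesis in "(Peers or Microsoft Connected Cache (MCC) out of the total". Close it after "(MCC)". The two thresholds also overlap as written: a value under 10% satisfies both "<= 60%" and "<10%", so state the Warning range as between 10% and 60%. Make the spacing and the trailing period consistent across the two sub-bullets.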
@ -53,7 +56,7 @@ Windows Update for Business reports uses the following Delivery Optimization ter
## Calculations for Delivery Optimization
There are several calculated values that appear on the Delivery Optimization report. Listed below each calculation is the table that's used for it:
Each calculated values used in the Delivery Optimization report are listed below.
**Efficiency (%) Calculations**:
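Review bot: the replacement intro sentence is ungrammatical: "Each calculated values used in the Delivery Optimization report are listed below." Use "Each calculated value ... is listed below" or "The calculated values ... are listed below". The new wording also drops the statement that the source table is listed under each calculation; keep that clause if the tables are still shown.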
@ -92,7 +95,7 @@ There are several calculated values that appear on the Delivery Optimization rep
In the **Efficiency By Group** subsection, the **GroupID** is displayed as an encoded SHA256 hash. You can create a mapping of original to encoded GroupIDs using the following PowerShell example:
```powershell
$text = "<myEncodedGroupID>`0"; (the null-terminator (`0) must be included in the string hash)
$text = "<myOriginalGroupID>" ;
$hashObj = [System.Security.Cryptography.HashAlgorithm]::Create('sha256') ; $dig = $hashObj.ComputeHash([System.Text.Encoding]::Unicode.GetBytes($text)) ; $digB64 = [System.Convert]::ToBase64String($dig) ; Write-Host "$text ==> $digB64"
```
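Review bot: the new `$text` line drops the trailing `` `0 `` along with the comment saying the null terminator must be included in the hashed string. If the service still hashes the terminated string, this example now produces a digest that won't match the encoded GroupID in the report. Confirm which input the hash expects and say so in the text above the block. The placeholder rename to `<myOriginalGroupID>` is correct, since the input is the original value and not the encoded one.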
@ -106,8 +109,8 @@ Get-DeliveryOptimizationLog -Flush | Set-Content C:\dosvc.log
The below two lines are together in verbose logs:
```text
2023-02-15T12:33:11.3811337Z 1514 1F4 {CGlobalConfigManager::GetGroupId} Using groupID = **<myEncodedGroupId>**
2023-02-15T12:33:11.3811432Z 1514 1F4 {CGlobalConfigManager::GetGroupId} Hashed groupID = **<myDecodedGroupId>**
2023-02-15T12:33:11.3811337Z 1514 1F4 {CGlobalConfigManager::GetGroupId} Using groupID = **<myOriginalGroupId>**
2023-02-15T12:33:11.3811432Z 1514 1F4 {CGlobalConfigManager::GetGroupId} Hashed groupID = **<myEncodedGroupId>**
```
## Sample queries
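Review bot: the corrected log lines keep the `**...**` emphasis markers inside a `text` code fence, where they render as literal asterisks and look like part of the log output. Drop the asterisks. The placeholder casing also differs from the PowerShell example above (`<myOriginalGroupID>` there, `<myOriginalGroupId>` here); use one spelling so readers can match the two.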
@ -142,6 +145,19 @@ DeviceCount = count_distinct(GlobalDeviceId) by GroupID | top 10 by DeviceCount
| project GroupID , P2PPercentage , MCCPercentage , VolumeBytesFromPeers , VolumeBytesFromMCC ,VolumeByCDN , DeviceCount
```
### Delivery Optimization Supported Content Types
There are many Microsoft [content types](waas-delivery-optimization.md#types-of-download-content-supported-by-delivery-optimization) that are supported by Delivery Optimization. All of these content types show up in the 'Content Distribution' section in the Delivery Optimization report. See the [complete table](waas-delivery-optimization.md#windows-client) for P2P/MCC support types.
| Content Category | Content Types Included |
| --- | --- |
| Apps | Windows 10 Store apps, Windows 10 Store for Business apps, Windows 11 UWP Store apps |
| Driver Updates | Windows Update [Driver updates](get-started-updates-channels-tools.md#types-of-updates) |
| Feature Updates | Windows Update [Feature updates](get-started-updates-channels-tools.md#types-of-updates) |
| Office | Microsoft 365 Apps and updates |
| Other | Windows Language Packs, Windows Defender definition updates, Intune Win32 apps, Edge Browser updates, Configuration Manager Express updates, Dynamic updates, MDM Agent, Xbox Game Pass (PC), Windows Package Manager, MSIX Installer (includes Windows 11 Store Win32 apps, Windows 11 Teams updates) |
| Quality Updates | Windows Updates [Quality updates](get-started-updates-channels-tools.md#types-of-updates)) |
## Frequency Asked Questions
- **What time period does the Delivery Optimization data include?**
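Review bot: the new "Delivery Optimization Supported Content Types" section links to `waas-delivery-optimization.md#...` as a sibling file, but the introduction of this same article links to `../do/waas-delivery-optimization.md`, so these two links likely resolve to a nonexistent path. In the table, the Quality Updates row ends with an extra closing parenthesis after the link, and it says "Windows Updates" where the other rows say "Windows Update". The heading is added at level 3 under "Sample queries" although it isn't a query; level 2 fits better.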
@ -166,4 +182,10 @@ A row in UCDOStatus represents data downloaded by a combination of a single devi
A row in UCDOAggregatedStatus represents data summarized at the tenant level (AzureADTenantID) for each content type (ContentType).
- **How are BytesFromCache calculated when there's a Connected Cache server used by my ISP?**
If there's a Connected Cache server at the ISP level, BytesFromCache will filter out any bytes coming the ISP's Connected Cache.
If there's a Connected Cache server at the ISP level, BytesFromCache filters out any bytes coming the ISP's Connected Cache.
- **How do the results from the Delivery Optimization PowerShell cmdlets compare to the results in the report?**
[Delivery Optimization PowerShell cmdlets](waas-delivery-optimization-setup.md#monitor-delivery-optimization) can be a powerful tool used to monitor Delivery Optimization data on the device. These cmdlets use the cache on the device. The data calculated in the report is taken from the Delivery Optimization telemetry events.
- **The report represents the last 28 days of data, why do some queries include >= seven days?**
The data in the report does represent the last 28 days of data. The query for last seven days is just to get the data for the latest snapshot from past seven days. It's possible that data is delayed for sometime and not available for current day, so we look for past 7 day snapshot in log analytics and show the latest snapshot.
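Review bot: the rewritten BytesFromCache answer is still missing a word in "filters out any bytes coming the ISP's Connected Cache"; it should read "coming from". In the new answers, the cmdlet link `waas-delivery-optimization-setup.md#monitor-delivery-optimization` lacks the `../do/` prefix this article uses for Delivery Optimization pages. The last answer mixes "seven days" with "7 day snapshot" and uses "sometime" where "some time" is meant.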

View File

@ -76,15 +76,26 @@
"application-security/application-control/user-account-control/*.md": "paolomatarazzo",
"application-security/application-isolation/windows-sandbox/**/*.md": "vinaypamnani-msft",
"identity-protection/**/*.md": "paolomatarazzo",
"identity-protection/**/*.yml": "paolomatarazzo",
"operating-system-security/data-protection/**/*.md": "paolomatarazzo",
"operating-system-security/data-protection/**/*.yml": "paolomatarazzo",
"operating-system-security/network-security/**/*.md": "paolomatarazzo",
"operating-system-security/network-security/windows-firewall/**/*.md": "ngangulyms"
"operating-system-security/network-security/**/*.yml": "paolomatarazzo",
"operating-system-security/network-security/windows-firewall/**/*.md": "ngangulyms",
"operating-system-security/network-security/windows-firewall/**/*.yml": "ngangulyms"
},
"ms.author":{
"application-security/application-control/user-account-control/*.md": "paoloma",
"application-security/application-control/user-account-control/*.yml": "paoloma",
"application-security/application-isolation/windows-sandbox/**/*.md": "vinpa",
"identity-protection/**/*.md": "paoloma",
"identity-protection/**/*.yml": "paoloma",
"operating-system-security/data-protection/**/*.md": "paoloma",
"operating-system-security/data-protection/**/*.yml": "paoloma",
"operating-system-security/network-security/**/*.md": "paoloma",
"operating-system-security/network-security/windows-firewall/*.md": "nganguly"
"operating-system-security/network-security/**/*.yml": "paoloma",
"operating-system-security/network-security/windows-firewall/*.md": "nganguly",
"operating-system-security/network-security/windows-firewall/*.yml": "nganguly"
},
"appliesto": {
"application-security/application-isolation/windows-sandbox/**/*.md": [
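Review bot: the `.yml` globs are not added symmetrically between the two blocks. `ms.author` gains `application-security/application-control/user-account-control/*.yml`, but the author block above has no matching `.yml` entry for that folder, so YAML files there would get an `ms.author` without an `author`. The windows-firewall patterns also differ in depth (`windows-firewall/**/*.md` and `**/*.yml` under author, `windows-firewall/*.md` and `*.yml` under `ms.author`). Align them unless the difference is intentional.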
@ -123,6 +134,26 @@
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2019</a>",
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2016</a>"
],
"operating-system-security/data-protection/**/*.md": [
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>",
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 10</a>",
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2022</a>",
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2019</a>",
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2016</a>"
],
"operating-system-security/data-protection/**/*.yml": [
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>",
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 10</a>",
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2022</a>",
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2019</a>",
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2016</a>"
],
"operating-system-security/data-protection/personal-data-encryption/*.md": [
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>"
],
"operating-system-security/data-protection/personal-data-encryption/*.yml": [
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>"
],
"operating-system-security/network-security/windows-firewall/**/*.md": [
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>",
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 10</a>",
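Review bot: the new `appliesto` entries overlap. Files under `personal-data-encryption/` match both `operating-system-security/data-protection/**/*.md` (Windows 11, Windows 10, and three Windows Server versions) and the narrower `personal-data-encryption/*.md` (Windows 11 only). Confirm that the build applies the more specific glob, otherwise those articles will claim Windows 10 and Server support. The narrower pattern is also single-level (`*.md`), so any file in a subfolder of `personal-data-encryption/` falls back to the broad list; use `**/*.md` to match the other entries.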
@ -136,16 +167,17 @@
"identity-protection/credential-guard/*.md": "zwhittington",
"identity-protection/access-control/*.md": "sulahiri",
"operating-system-security/network-security/windows-firewall/*.md": "paoloma",
"operating-system-security/network-security/vpn/*.md": "pesmith"
"operating-system-security/network-security/vpn/*.md": "pesmith",
"operating-system-security/data-protection/personal-data-encryption/*.md":"rhonnegowda"
},
"ms.collection": {
"identity-protection/hello-for-business/*.md": "tier1",
"information-protection/bitlocker/*.md": "tier1",
"information-protection/personal-data-encryption/*.md": "tier1",
"information-protection/pluton/*.md": "tier1",
"information-protection/tpm/*.md": "tier1",
"threat-protection/auditing/*.md": "tier3",
"threat-protection/windows-defender-application-control/*.md": "tier3",
"operating-system-security/data-protection/bitlocker/*.md": "tier1",
"operating-system-security/data-protection/personal-data-encryption/*.md": "tier1",
"operating-system-security/network-security/windows-firewall/*.md": "tier3"
}
},
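Review bot: the new `ms.collection` entries for `operating-system-security/data-protection/bitlocker/*.md` and `personal-data-encryption/*.md` cover only Markdown files, while this commit adds `.yml` globs to the author, `ms.author`, and `appliesto` blocks. Add matching `.yml` patterns here if the FAQ YAML files in those folders should stay in `tier1`. The added `personal-data-encryption/*.md":"rhonnegowda"` line is also missing the space after the colon that every other entry has.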

View File

@ -23,3 +23,4 @@ These new threats call for computing hardware that is secure down to the very co
| Enable virtualization-based protection of code integrity | Hypervisor-protected Code Integrity (HVCI) is a virtualization based security (VBS) feature available in Windows. In the Windows Device Security settings, HVCI is referred to as Memory Integrity. <br> HVCI and VBS improve the threat model of Windows and provide stronger protections against malware trying to exploit the Windows Kernel. VBS uses the Windows Hypervisor to create an isolated virtual environment that becomes the root of trust of the OS that assumes the kernel can be compromised. HVCI is a critical component that protects and hardens this virtual environment by running kernel mode code integrity within it and restricting kernel memory allocations that could be used to compromise the system. <br><br/> Learn more: [Enable virtualization-based protection of code integrity](threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md).
| Kernel Direct Memory Access (DMA) Protection | PCIe hot plug devices such as Thunderbolt, USB4, and CFexpress allow users to attach new classes of external peripherals, including graphics cards or other PCI devices, to their PCs with an experience identical to USB. Because PCI hot plug ports are external and easily accessible, PCs are susceptible to drive-by Direct Memory Access (DMA) attacks. Memory access protection (also known as Kernel DMA Protection) protects PCs against drive-by DMA attacks that use PCIe hot plug devices by limiting these external peripherals from being able to directly copy memory when the user has locked their PC. <br><br/> Learn more about [Kernel DMA Protection](information-protection/kernel-dma-protection-for-thunderbolt.md). |
| Secured-core PCs | Microsoft is working closely with OEM partners and silicon vendors to build Secured-core PCs that feature deeply integrated hardware, firmware, and software to ensure enhanced security for devices, identities, and data. <br><br/> Secured-core PCs provide protections that are useful against sophisticated attacks and can provide increased assurance when handling mission-critical data in some of the most data-sensitive industries, such as healthcare workers that handle medical records and other personally identifiable information (PII), commercial roles that handle high business impact and highly sensitive data, such as a financial controller with earnings data. <br><br/> Learn more about [Secured-core PCs](/windows-hardware/design/device-experiences/oem-highly-secure).|

View File

@ -63,7 +63,7 @@ landingContent:
- text: System security
url: trusted-boot.md
- text: Encryption and data protection
url: encryption-data-protection.md
url: operating-system-security/data-protection/index.md
- text: Windows security baselines
url: threat-protection/windows-security-configuration-framework/windows-security-baselines.md
- text: Virtual private network guide

View File

@ -1,16 +1,8 @@
---
title: BCD settings and BitLocker
description: This article for IT professionals describes the BCD settings that are used by BitLocker.
ms.reviewer:
ms.prod: windows-client
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
manager: aaroncz
ms.topic: conceptual
ms.date: 11/08/2022
ms.custom: bitlocker
ms.technology: itpro-security
---
# Boot Configuration Data settings and BitLocker

View File

@ -1,26 +1,14 @@
### YamlMime:FAQ
metadata:
title: BitLocker and Active Directory Domain Services (AD DS) FAQ (Windows 10)
title: BitLocker and Active Directory Domain Services (AD DS) FAQ
description: Learn more about how BitLocker and Active Directory Domain Services (AD DS) can work together to keep devices secure.
ms.prod: windows-client
ms.technology: itpro-security
author: frankroj
ms.author: frankroj
manager: aaroncz
audience: ITPro
ms.collection:
- highpri
- tier1
ms.topic: faq
ms.date: 11/08/2022
ms.custom: bitlocker
title: BitLocker and Active Directory Domain Services (AD DS) FAQ
summary: |
**Applies to:**
- Windows 10 and later
- Windows Server 2016 and later
sections:
- name: Ignored

View File

@ -1,26 +1,12 @@
---
title: BitLocker basic deployment
description: This article for the IT professional explains how BitLocker features can be used to protect your data through drive encryption.
ms.reviewer:
ms.prod: windows-client
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
manager: aaroncz
ms.topic: conceptual
ms.date: 11/08/2022
ms.custom: bitlocker
ms.technology: itpro-security
---
# BitLocker basic deployment
**Applies to:**
- Windows 10
- Windows 11
- Windows Server 2016 and above
This article for the IT professional explains how BitLocker features can be used to protect data through drive encryption.
## Using BitLocker to encrypt volumes
@ -466,4 +452,4 @@ Disable-BitLocker -MountPoint E:,F:,G:
- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
- [BitLocker recovery guide](bitlocker-recovery-guide-plan.md)
- [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)
- [BitLocker overview](bitlocker-overview.md)
- [BitLocker overview](index.md)

View File

@ -1,26 +1,12 @@
---
title: BitLocker Countermeasures
description: Windows uses technologies including TPM, Secure Boot, Trusted Boot, and Early Launch Anti-malware (ELAM) to protect against attacks on the BitLocker encryption key.
ms.reviewer:
ms.prod: windows-client
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
manager: aaroncz
ms.topic: conceptual
ms.date: 11/08/2022
ms.custom: bitlocker
ms.technology: itpro-security
---
# BitLocker Countermeasures
**Applies to:**
- Windows 10
- Windows 11
- Windows Server 2016 and above
Windows uses technologies including trusted platform module (TPM), secure boot, and measured boot to help protect BitLocker encryption keys against attacks. BitLocker is part of a strategic approach to securing data against offline attacks through encryption technology. Data on a lost or stolen computer is vulnerable. For example, there could be unauthorized access, either by running a software attack tool against the computer or by transferring the computer's hard disk to a different computer.
BitLocker helps mitigate unauthorized data access on lost or stolen computers before the authorized operating system is started. This mitigation is done by:
@ -45,7 +31,7 @@ A trusted platform module (TPM) is a microchip designed to provide basic securit
Unified Extensible Firmware Interface (UEFI) is a programmable boot environment that initializes devices and starts the operating system's bootloader.
The UEFI specification defines a firmware execution authentication process called [Secure Boot](../secure-the-windows-10-boot-process.md). Secure Boot blocks untrusted firmware and bootloaders (signed or unsigned) from being able to start on the system.
The UEFI specification defines a firmware execution authentication process called [Secure Boot](../../../information-protection/secure-the-windows-10-boot-process.md). Secure Boot blocks untrusted firmware and bootloaders (signed or unsigned) from being able to start on the system.
By default, BitLocker provides integrity protection for Secure Boot by utilizing the TPM PCR[7] measurement. An unauthorized EFI firmware, EFI boot application, or bootloader can't run and acquire the BitLocker key.
@ -62,7 +48,7 @@ The next sections cover pre-boot authentication and DMA policies that can provid
### Pre-boot authentication
Pre-boot authentication with BitLocker is a policy setting that requires the use of either user input, such as a PIN, a startup key, or both to authenticate prior to making the contents of the system drive accessible. The Group Policy setting is [Require additional authentication at startup](./bitlocker-group-policy-settings.md) and the corresponding setting in the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp) is SystemDrivesRequireStartupAuthentication.
Pre-boot authentication with BitLocker is a policy setting that requires the use of either user input, such as a PIN, a startup key, or both to authenticate prior to making the contents of the system drive accessible. The Group Policy setting is [Require additional authentication at startup](bitlocker-group-policy-settings.md) and the corresponding setting in the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp) is SystemDrivesRequireStartupAuthentication.
BitLocker accesses and stores the encryption keys in memory only after pre-boot authentication is completed. If Windows can't access the encryption keys, the device can't read or edit the files on the system drive. The only option for bypassing pre-boot authentication is entering the recovery key.

View File

@ -1,22 +1,11 @@
### YamlMime:FAQ
metadata:
title: BitLocker deployment and administration FAQ (Windows 10)
title: BitLocker deployment and administration FAQ
description: Browse frequently asked questions about BitLocker deployment and administration, such as, "Can BitLocker deployment be automated in an enterprise environment?"
ms.prod: windows-client
ms.technology: itpro-security
author: frankroj
ms.author: frankroj
manager: aaroncz
ms.topic: faq
ms.date: 11/08/2022
ms.custom: bitlocker
title: BitLocker frequently asked questions (FAQ)
summary: |
**Applies to:**
- Windows 10 and later
- Windows Server 2016 and later
sections:
- name: Ignored
questions:

View File

@ -1,25 +1,12 @@
---
title: BitLocker deployment comparison
description: This article shows the BitLocker deployment comparison chart.
ms.prod: windows-client
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
manager: aaroncz
ms.topic: conceptual
ms.date: 11/08/2022
ms.custom: bitlocker
ms.technology: itpro-security
---
# BitLocker deployment comparison
**Applies to:**
- Windows 10
- Windows 11
- Windows Server 2016 and above
This article depicts the BitLocker deployment comparison chart.
## BitLocker deployment comparison chart

View File

@ -1,29 +1,16 @@
---
title: Overview of BitLocker Device Encryption in Windows
description: This article provides an overview of how BitLocker Device Encryption can help protect data on devices running Windows.
ms.prod: windows-client
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
manager: aaroncz
ms.collection:
- highpri
- tier1
ms.topic: conceptual
ms.date: 11/08/2022
ms.custom: bitlocker
ms.technology: itpro-security
---
# Overview of BitLocker Device Encryption in Windows
# Overview of BitLocker device encryption
**Applies to:**
- Windows 10
- Windows 11
- Windows Server 2016 and above
This article explains how BitLocker Device Encryption can help protect data on devices running Windows. See [BitLocker](bitlocker-overview.md) for a general overview and list of articles.
This article explains how BitLocker Device Encryption can help protect data on devices running Windows. See [BitLocker](index.md) for a general overview and list of articles.
When users travel, their organization's confidential data goes with them. Wherever confidential data is stored, it must be protected against unauthorized access. Windows has a long history of providing at-rest data-protection solutions that guard against nefarious attackers, beginning with the Encrypting File System in the Windows 2000 operating system. More recently, BitLocker has provided encryption for full drives and portable drives. Windows consistently improves data protection by improving existing options and providing new strategies.
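Review bot: the H1 is renamed to "Overview of BitLocker device encryption", but the front matter `title:` still reads "Overview of BitLocker Device Encryption in Windows" and the first paragraph keeps the capitalized "BitLocker Device Encryption". Pick one form and apply it to the title, the heading and the intro sentence, so the page title and the on-page heading do not disagree.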
@ -31,7 +18,6 @@ When users travel, their organization's confidential data goes with them. Wherev
The below table lists specific data-protection concerns and how they're addressed in Windows 11, Windows 10, and Windows 7.
| Windows 7 | Windows 11 and Windows 10 |
|---|---|
| When BitLocker is used with a PIN to protect startup, PCs such as kiosks can't be restarted remotely. | Modern Windows devices are increasingly protected with BitLocker Device Encryption out of the box and support SSO to seamlessly protect the BitLocker encryption keys from cold boot attacks.<br><br>Network Unlock allows PCs to start automatically when connected to the internal network. |

View File

@ -2,25 +2,13 @@
metadata:
title: BitLocker FAQ (Windows 10)
description: Find the answers you need by exploring this brief hub page listing FAQ pages for various aspects of BitLocker.
ms.prod: windows-client
ms.technology: itpro-security
author: frankroj
ms.author: frankroj
manager: aaroncz
audience: ITPro
ms.collection:
- highpri
- tier1
ms.topic: faq
ms.date: 11/08/2022
ms.custom: bitlocker
title: BitLocker frequently asked questions (FAQ) resources
summary: |
**Applies to:**
- Windows 10 and later
- Windows Server 2016 and later
This article links to frequently asked questions about BitLocker. BitLocker is a data protection feature that encrypts drives on computers to help prevent data theft or exposure. BitLocker-protected computers can also delete data more securely when they're decommissioned because it's much more difficult to recover deleted data from an encrypted drive than from a non-encrypted drive.
summary: This article links to frequently asked questions about BitLocker. BitLocker is a data protection feature that encrypts drives on computers to help prevent data theft or exposure. BitLocker-protected computers can also delete data more securely when they're decommissioned because it's much more difficult to recover deleted data from an encrypted drive than from a non-encrypted drive.
- [Overview and requirements](bitlocker-overview-and-requirements-faq.yml)
- [Upgrading](bitlocker-upgrading-faq.yml)
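Review bot: `summary:` changes from a `summary: |` block scalar to a single-line plain scalar, but the link list that follows (`- [Overview and requirements](bitlocker-overview-and-requirements-faq.yml)` and the entries after it) is still part of the summary. A literal block keeps each list item on its own line. A plain scalar folds continuation lines into the preceding text, so the bullets can collapse into the paragraph or stop parsing as part of `summary` at all. Keep the `|` form and only drop the "Applies to" lines, then confirm the hub page still renders the links as a list.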

View File

@ -1,35 +1,21 @@
---
title: BitLocker Group Policy settings
description: This article for IT professionals describes the function, location, and effect of each Group Policy setting that is used to manage BitLocker Drive Encryption.
ms.reviewer:
ms.prod: windows-client
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
manager: aaroncz
ms.collection:
- highpri
- tier1
ms.topic: conceptual
ms.date: 11/08/2022
ms.custom: bitlocker
ms.technology: itpro-security
---
# BitLocker group policy settings
**Applies to:**
- Windows 10
- Windows 11
- Windows Server 2016 and above
This article for IT professionals describes the function, location, and effect of each Group Policy setting that is used to manage BitLocker Drive Encryption.
Group Policy administrative templates or local computer policy settings can be used to control what BitLocker drive encryption tasks and configurations can be performed by users, for example through the **BitLocker Drive Encryption** control panel. Which of these policies are configured and how they're configured depends on how BitLocker is implemented and what level of interaction is desired for end users.
> [!NOTE]
> A separate set of Group Policy settings supports the use of the Trusted Platform Module (TPM). For details about those settings, see [Trusted Platform Module Group Policy settings](../tpm/trusted-platform-module-services-group-policy-settings.md).
> A separate set of Group Policy settings supports the use of the Trusted Platform Module (TPM). For details about those settings, see [TPM Group Policy settings](../../../information-protection/tpm/trusted-platform-module-services-group-policy-settings.md).
BitLocker Group Policy settings can be accessed using the Local Group Policy Editor and the Group Policy Management Console (GPMC) under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption**.
@ -233,7 +219,7 @@ This policy setting is applied when BitLocker is turned on. The startup PIN must
Originally, BitLocker allowed a length from 4 to 20 characters for a PIN. Windows Hello has its own PIN for sign-in, length of which can be 4 to 127 characters. Both BitLocker and Windows Hello use the TPM to prevent PIN brute-force attacks.
The TPM can be configured to use Dictionary Attack Prevention parameters ([lockout threshold and lockout duration](../tpm/trusted-platform-module-services-group-policy-settings.md)) to control how many failed authorizations attempts are allowed before the TPM is locked out, and how much time must elapse before another attempt can be made.
The TPM can be configured to use Dictionary Attack Prevention parameters ([lockout threshold and lockout duration](../../../information-protection/tpm/trusted-platform-module-services-group-policy-settings.md) to control how many failed authorizations attempts are allowed before the TPM is locked out, and how much time must elapse before another attempt can be made.
The Dictionary Attack Prevention Parameters provide a way to balance security needs with usability. For example, when BitLocker is used with a TPM + PIN configuration, the number of PIN guesses is limited over time. A TPM 2.0 in this example could be configured to allow only 32 PIN guesses immediately, and then only one more guess every two hours. This number of attempts totals to a maximum of about 4415 guesses per year. If the PIN is four digits, all 9999 possible PIN combinations could be attempted in a little over two years.
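Review bot: the rewritten link line drops a closing parenthesis. The old line closed the aside with `...group-policy-settings.md)) to control`, the new one has `...group-policy-settings.md) to control`, so the `(` opened before `[lockout threshold and lockout duration]` is never closed and the sentence renders with an unbalanced parenthesis. Restore the second `)` after the link. While the line is open, "failed authorizations attempts" should read "failed authorization attempts".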
@ -452,7 +438,7 @@ When set to **Do not allow complexity**, no password complexity validation is do
> [!NOTE]
> Passwords can't be used if FIPS compliance is enabled. The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting in **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** > **Security Options** specifies whether FIPS compliance is enabled.
For information about this setting, see [System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing](../../threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md).
For information about this setting, see [System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing](../../../threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md).
### Validate smart card certificate usage rule compliance
@ -1306,7 +1292,7 @@ The optional recovery key can be saved to a USB drive. Because recovery password
The FIPS setting can be edited by using the Security Policy Editor (`Secpol.msc`) or by editing the Windows registry. Only administrators can perform these procedures.
For more information about setting this policy, see [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](../../threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md).
For more information about setting this policy, see [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](../../../threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md).
## Power management group policy settings: Sleep and Hibernate
@ -1338,5 +1324,5 @@ PCR 7 measurements are a mandatory logo requirement for systems that support Mod
- [Trusted Platform Module](/windows/device-security/tpm/trusted-platform-module-overview)
- [TPM Group Policy settings](/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings)
- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml)
- [BitLocker overview](bitlocker-overview.md)
- [BitLocker overview](index.md)
- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
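Review bot: only the BitLocker overview entry in this related-articles list is retargeted. The two TPM entries above it still use the legacy absolute paths `/windows/device-security/tpm/trusted-platform-module-overview` and `/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings`, which resolve only through redirects. Earlier in this same file the TPM Group Policy settings link was changed to the relative `../../../information-protection/tpm/...` path. Point these two entries at the same location so the page does not mix direct and redirected links to one article.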

View File

@ -1,57 +1,32 @@
---
title: BitLocker How to deploy on Windows Server 2012 and later
description: This article for the IT professional explains how to deploy BitLocker and Windows Server 2012 and later
ms.reviewer:
ms.prod: windows-client
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
manager: aaroncz
title: BitLocker How to deploy on Windows Server
description: This article for the IT professional explains how to deploy BitLocker and Windows Server
ms.topic: conceptual
ms.date: 11/08/2022
ms.custom: bitlocker
ms.technology: itpro-security
---
# BitLocker: How to deploy on Windows Server 2012 and later
# BitLocker: How to deploy on Windows Server
**Applies to:**
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016 and above
This article explains how to deploy BitLocker on Windows Server 2012 and later versions. For all Windows Server editions, BitLocker can be installed using Server Manager or Windows PowerShell cmdlets. BitLocker requires administrator privileges on the server on which it's to be installed.
This article explains how to deploy BitLocker on Windows Server. For all Windows Server editions, BitLocker can be installed using Server Manager or Windows PowerShell cmdlets. BitLocker requires administrator privileges on the server on which it's to be installed.
## Installing BitLocker
### To install BitLocker using server manager
1. Open server manager by selecting the server manager icon or running servermanager.exe.
2. Select **Manage** from the **Server Manager Navigation** bar and select **Add Roles and Features** to start the **Add Roles and Features Wizard.**
3. With the **Add Roles and Features** wizard open, select **Next** at the **Before you begin** pane (if shown).
4. Select **Role-based or feature-based installation** on the **Installation type** pane of the **Add Roles and Features** wizard and select **Next** to continue.
5. Select the **Select a server from the server pool** option in the **Server Selection** pane and confirm the server on which the BitLocker feature is to be installed.
6. Select **Next** on the **Server Roles** pane of the **Add Roles and Features** wizard to proceed to the **Features** pane.
1. Open server manager by selecting the server manager icon or running `servermanager.exe`.
1. Select **Manage** from the **Server Manager Navigation** bar and select **Add Roles and Features** to start the **Add Roles and Features Wizard.**
1. With the **Add Roles and Features** wizard open, select **Next** at the **Before you begin** pane (if shown).
1. Select **Role-based or feature-based installation** on the **Installation type** pane of the **Add Roles and Features** wizard and select **Next** to continue.
1. Select the **Select a server from the server pool** option in the **Server Selection** pane and confirm the server on which the BitLocker feature is to be installed.
1. Select **Next** on the **Server Roles** pane of the **Add Roles and Features** wizard to proceed to the **Features** pane.
> [!NOTE]
> Server roles and features are installed by using the same wizard in Server Manager.
7. Select the check box next to **BitLocker Drive Encryption** within the **Features** pane of the **Add Roles and Features** wizard. The wizard shows the extra management features available for BitLocker. If the extra management features are not needed and/or don't need to be installed, deselect the **Include management tools**.
1. Select the check box next to **BitLocker Drive Encryption** within the **Features** pane of the **Add Roles and Features** wizard. The wizard shows the extra management features available for BitLocker. If the extra management features aren't needed and/or don't need to be installed, deselect the **Include management tools**.
> [!NOTE]
> The **Enhanced Storage** feature is a required feature for enabling BitLocker. This feature enables support for encrypted hard drives on capable systems.
8. Select **Add Features**. Once optional features selection is complete, select **Next** to proceed in the wizard.
9. Select **Install** on the **Confirmation** pane of the **Add Roles and Features** wizard to begin BitLocker feature installation. The BitLocker feature requires a restart for its installation to be complete. Selecting the **Restart the destination server automatically if required** option in the **Confirmation** pane forces a restart of the computer after installation is complete.
10. If the **Restart the destination server automatically if required** check box isn't selected, the **Results** pane of the **Add Roles and Features** wizard displays the success or failure of the BitLocker feature installation. If necessary, a notification of other action necessary to complete the feature installation, such as the restart of the computer, will be displayed in the results text.
1. Select **Add Features**. Once optional features selection is complete, select **Next** to proceed in the wizard.
1. Select **Install** on the **Confirmation** pane of the **Add Roles and Features** wizard to begin BitLocker feature installation. The BitLocker feature requires a restart for its installation to be complete. Selecting the **Restart the destination server automatically if required** option in the **Confirmation** pane forces a restart of the computer after installation is complete.
1. If the **Restart the destination server automatically if required** check box isn't selected, the **Results** pane of the **Add Roles and Features** wizard displays the success or failure of the BitLocker feature installation. If necessary, a notification of other action necessary to complete the feature installation, such as the restart of the computer, will be displayed in the results text.
### To install BitLocker using Windows PowerShell
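Review bot: renumbering every step to `1.` makes the list depend on Markdown auto-numbering, and two `> [!NOTE]` blocks sit between steps (after the **Server Roles** step and after the **BitLocker Drive Encryption** step). If those notes are not indented under their list item, the list ends at the note and the next step restarts at 1. The old explicit `7.` and `8.` kept the sequence in that case. Check the rendered page numbers the steps 1 through 10, and indent the notes if it does not. Separately, the new `description:` still says "how to deploy BitLocker and Windows Server"; the title says "on Windows Server", and the description should match.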
@ -64,7 +39,7 @@ Windows PowerShell offers administrators another option for BitLocker feature in
The `servermanager` Windows PowerShell module can use either the `Install-WindowsFeature` or `Add-WindowsFeature` to install the BitLocker feature. The `Add-WindowsFeature` cmdlet is merely a stub to the `Install-WindowsFeature`. This example uses the `Install-WindowsFeature` cmdlet. The feature name for BitLocker in the `servermanager` module is `BitLocker`.
By default, installation of features in Windows PowerShell doesn't include optional sub-features or management tools as part of the installation process. What is installed as part of the installation process can be seen using the `-WhatIf` option in Windows PowerShell.
By default, installation of features in Windows PowerShell doesn't include optional subfeatures or management tools as part of the installation process. What is installed as part of the installation process can be seen using the `-WhatIf` option in Windows PowerShell.
```powershell
Install-WindowsFeature BitLocker -WhatIf
@ -72,7 +47,7 @@ Install-WindowsFeature BitLocker -WhatIf
The results of this command show that only the BitLocker Drive Encryption feature is installed using this command.
To see what would be installed with the BitLocker feature, including all available management tools and sub-features, use the following command:
To see what would be installed with the BitLocker feature, including all available management tools and subfeatures, use the following command:
```powershell
Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -WhatIf | fl
@ -88,7 +63,7 @@ The result of this command displays the following list of all the administration
- AD DS Tools
- AD DS and AD LDS Tools
The command to complete a full installation of the BitLocker feature with all available sub-features and then to reboot the server at completion is:
The command to complete a full installation of the BitLocker feature with all available subfeatures and then to reboot the server at completion is:
```powershell
Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart
@ -99,13 +74,13 @@ Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -
### Using the dism module to install BitLocker
The `dism.exe` Windows PowerShell module uses the `Enable-WindowsOptionalFeature` cmdlet to install features. The BitLocker feature name for BitLocker is `BitLocker`. The `dism.exe` module doesn't support wildcards when searching for feature names. To list feature names for the `dism.exe` module, use the `Get-WindowsOptionalFeatures` cmdlet. The following command will list all of the optional features in an online (running) operating system.
The `dism.exe` Windows PowerShell module uses the `Enable-WindowsOptionalFeature` cmdlet to install features. The BitLocker feature name for BitLocker is `BitLocker`. The `dism.exe` module doesn't support wildcards when searching for feature names. To list feature names for the `dism.exe` module, use the `Get-WindowsOptionalFeatures` cmdlet. The following command lists all of the optional features in an online (running) operating system.
```powershell
Get-WindowsOptionalFeature -Online | ft
```
From this output, it can be seen that there are three BitLocker-related optional feature names: **BitLocker**, **BitLocker-Utilities** and **BitLocker-NetworkUnlock**. To install the BitLocker feature, the **BitLocker** and **BitLocker-Utilities** features are the only required items.
From this output, there are three BitLocker-related optional feature names: **BitLocker**, **BitLocker-Utilities** and **BitLocker-NetworkUnlock**. To install the BitLocker feature, the **BitLocker** and **BitLocker-Utilities** features are the only required items.
To install BitLocker using the `dism.exe` module, use the following command:
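Review bot: the reworded dism paragraph still names the cmdlet `Get-WindowsOptionalFeatures`, while the command in the code block directly below it is `Get-WindowsOptionalFeature -Online | ft` (singular). A reader who copies the name from the prose gets a command-not-found error. Fix the name in the sentence since the line is being edited anyway. The same line also reads "The BitLocker feature name for BitLocker is `BitLocker`", which can be shortened to "The feature name for BitLocker is `BitLocker`".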
@ -121,7 +96,7 @@ Enable-WindowsOptionalFeature -Online -FeatureName BitLocker, BitLocker-Utilitie
## Related articles
- [BitLocker overview](bitlocker-overview.md)
- [BitLocker overview](index.md)
- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml)
- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
- [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)

View File

@ -1,26 +1,12 @@
---
title: BitLocker - How to enable Network Unlock
description: This article for the IT professional describes how BitLocker Network Unlock works and how to configure it.
ms.reviewer:
ms.prod: windows-client
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
manager: aaroncz
ms.topic: conceptual
ms.date: 11/08/2022
ms.custom: bitlocker
ms.technology: itpro-security
---
# BitLocker: How to enable Network Unlock
**Applies to:**
- Windows 10
- Windows 11
- Windows Server 2016 and above
This article describes how BitLocker Network Unlock works and how to configure it.
Network Unlock is a BitLocker protector option for operating system volumes. Network Unlock enables easier management for BitLocker-enabled desktops and servers in a domain environment by providing automatic unlock of operating system volumes at system reboot when connected to a wired corporate network. This feature requires the client hardware to have a DHCP driver implemented in its UEFI firmware. Without Network Unlock, operating system volumes protected by TPM+PIN protectors require a PIN to be entered when a computer reboots or resumes from hibernation (for example, by Wake on LAN). Requiring a PIN after a reboot can make it difficult to enterprises to roll out software patches to unattended desktops and remotely administered servers.
@ -462,6 +448,6 @@ Follow these steps to configure Network Unlock on these older systems.
## Related articles
- [BitLocker overview](bitlocker-overview.md)
- [BitLocker overview](index.md)
- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml)
- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)

View File

@ -2,21 +2,10 @@
metadata:
title: BitLocker Key Management FAQ (Windows 10)
description: Browse frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.
ms.prod: windows-client
ms.technology: itpro-security
author: frankroj
ms.author: frankroj
manager: aaroncz
audience: ITPro
ms.topic: faq
ms.date: 11/08/2022
ms.custom: bitlocker
title: BitLocker Key Management FAQ
summary: |
**Applies to:**
- Windows 10 and later
- Windows Server 2016 and later
sections:
- name: Ignored
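Review bot: the `metadata` title in this file is left as "BitLocker Key Management FAQ (Windows 10)" even though the "Applies to" block is removed and the top-level `title:` has no version suffix. The AD DS FAQ and the deployment and administration FAQ in this same commit replace their "(Windows 10)" metadata titles with unsuffixed ones. Do the same here, and in the BitLocker FAQ hub, Network Unlock FAQ and overview and requirements FAQ files, which keep the same suffix, so search results and browser tabs do not show a Windows 10 label on pages that no longer scope themselves to it.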

View File

@ -1,24 +1,17 @@
---
title: BitLocker management
description: Refer to relevant documentation, products, and services to learn about managing BitLocker and see recommendations for different computers.
ms.prod: windows-client
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
manager: aaroncz
ms.topic: conceptual
ms.date: 11/08/2022
ms.custom: bitlocker
ms.technology: itpro-security
---
# BitLocker management
The ideal solution for BitLocker management is to eliminate the need for IT administrators to set management policies using tools or other mechanisms by having Windows perform tasks that are more practical to automate. This vision leverages modern hardware developments. The growth of TPM 2.0, secure boot, and other hardware improvements, for example, have helped to alleviate the support burden on help desks and a decrease in support-call volumes, yielding improved user satisfaction. Windows continues to be the focus for new features and improvements for built-in encryption management, such as automatically enabling encryption on devices that support Modern Standby beginning with Windows 8.1.
Though much Windows [BitLocker documentation](bitlocker-overview.md) has been published, customers frequently ask for recommendations and pointers to specific, task-oriented documentation that is both easy to digest and focused on how to deploy and manage BitLocker. This article links to relevant documentation, products, and services to help answer this and other related frequently asked questions, and also provides BitLocker recommendations for different types of computers.
Though much Windows [BitLocker documentation](index.md) has been published, customers frequently ask for recommendations and pointers to specific, task-oriented documentation that is both easy to digest and focused on how to deploy and manage BitLocker. This article links to relevant documentation, products, and services to help answer this and other related frequently asked questions, and also provides BitLocker recommendations for different types of computers.
[!INCLUDE [bitlocker](../../../../includes/licensing/bitlocker-management.md)]
[!INCLUDE [bitlocker](../../../../../includes/licensing/bitlocker-management.md)]
## Managing domain-joined computers and moving to cloud

View File

@ -2,22 +2,10 @@
metadata:
title: BitLocker Network Unlock FAQ (Windows 10)
description: Familiarize yourself with BitLocker Network Unlock. Learn how it can make desktop and server management easier within domain environments.
ms.prod: windows-client
ms.technology: itpro-security
author: frankroj
ms.author: frankroj
manager: aaroncz
audience: ITPro
ms.topic: faq
ms.date: 11/08/2022
ms.reviewer:
ms.custom: bitlocker
title: BitLocker Network Unlock FAQ
summary: |
**Applies to:**
- Windows 10
- Windows 11
- Windows Server 2016 and above
sections:
- name: Ignored

View File

@ -2,24 +2,13 @@
metadata:
title: BitLocker overview and requirements FAQ (Windows 10)
description: This article for IT professionals answers frequently asked questions concerning the requirements to use BitLocker.
ms.prod: windows-client
ms.technology: itpro-security
author: frankroj
ms.author: frankroj
manager: aaroncz
audience: ITPro
ms.collection:
- highpri
- tier1
ms.topic: faq
ms.date: 11/08/2022
ms.custom: bitlocker
title: BitLocker Overview and Requirements FAQ
summary: |
**Applies to:**
- Windows 10 and later
- Windows Server 2016 and later
sections:
- name: Ignored
@ -39,7 +28,7 @@ sections:
- question: What are the BitLocker hardware and software requirements?
answer: |
For requirements, see [System requirements](bitlocker-overview.md#system-requirements).
For requirements, see [System requirements](index.md#system-requirements).
> [!NOTE]
> Dynamic disks aren't supported by BitLocker. Dynamic data volumes won't be displayed in the Control Panel. Although the operating system volume will always be displayed in the Control Panel, regardless of whether it's a Dynamic disk, if it's a dynamic disk it can't be protected by BitLocker.

View File

@ -1,29 +1,15 @@
---
title: BitLocker recovery guide
description: This article for IT professionals describes how to recover BitLocker keys from Active Directory Domain Services (AD DS).
ms.prod: windows-client
ms.technology: itpro-security
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
ms.reviewer: rafals
manager: aaroncz
ms.collection:
- highpri
- tier1
ms.topic: conceptual
ms.date: 11/08/2022
ms.custom: bitlocker
---
# BitLocker recovery guide
**Applies to:**
- Windows 10
- Windows 11
- Windows Server 2016 and above
This article describes how to recover BitLocker keys from AD DS.
Organizations can use BitLocker recovery information saved in Active Directory Domain Services (AD DS) to access BitLocker-protected data. It's recommended to create a recovery model for BitLocker while planning for BitLocker deployment.
@ -990,4 +976,4 @@ End Function
## Related articles
- [BitLocker overview](bitlocker-overview.md)
- [BitLocker overview](index.md)

View File

@ -2,23 +2,10 @@
metadata:
title: BitLocker Security FAQ
description: Learn more about how BitLocker security works. Browse frequently asked questions, such as, "What form of encryption does BitLocker use?"
ms.prod: windows-client
ms.technology: itpro-security
author: frankroj
ms.author: frankroj
manager: aaroncz
audience: ITPro
ms.topic: faq
ms.date: 11/08/2022
ms.custom: bitlocker
title: BitLocker Security FAQ
summary: |
**Applies to:**
- Windows 10 and later
- Windows Server 2016 and later
sections:
- name: Ignored
questions:

View File

@ -2,20 +2,10 @@
metadata:
title: BitLocker To Go FAQ
description: "Learn more about BitLocker To Go"
ms.prod: windows-client
ms.technology: itpro-security
ms.author: frankroj
author: frankroj
manager: aaroncz
audience: ITPro
ms.topic: faq
ms.date: 11/08/2022
ms.custom: bitlocker
title: BitLocker To Go FAQ
summary: |
**Applies to:**
- Windows 10
sections:
- name: Ignored

View File

@ -2,21 +2,10 @@
metadata:
title: BitLocker Upgrading FAQ
description: Learn more about upgrading systems that have BitLocker enabled. Find frequently asked questions, such as, "Can I upgrade to Windows 10 with BitLocker enabled?"
ms.prod: windows-client
ms.technology: itpro-security
author: frankroj
ms.author: frankroj
manager: aaroncz
ms.topic: faq
ms.date: 11/08/2022
ms.reviewer:
ms.custom: bitlocker
title: BitLocker Upgrading FAQ
summary: |
**Applies to:**
- Windows 10 and later
- Windows Server 2016 and later
sections:
- name: Ignored

View File

@ -1,29 +1,15 @@
---
title: BitLocker Use BitLocker Drive Encryption Tools to manage BitLocker
description: This article for the IT professional describes how to use tools to manage BitLocker.
ms.reviewer:
ms.prod: windows-client
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
manager: aaroncz
ms.collection:
- highpri
- tier1
ms.topic: conceptual
ms.date: 11/08/2022
ms.custom: bitlocker
ms.technology: itpro-security
---
# BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker
**Applies to:**
- Windows 10
- Windows 11
- Windows Server 2016 and above
This article for the IT professional describes how to use tools to manage BitLocker.
BitLocker Drive Encryption Tools include the command-line tools manage-bde and repair-bde and the BitLocker cmdlets for Windows PowerShell.
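Review bot: the front-matter `title` here reads "BitLocker Use BitLocker Drive Encryption Tools to manage BitLocker", which is the H1 with its colon lost. Either quote the value so the colon survives (`title: "BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker"`) or use the shorter form the new TOC uses, "Use BitLocker Drive Encryption Tools to manage BitLocker". The Recovery Password Viewer file in this commit has the same problem.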
@ -246,7 +232,7 @@ Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup S-1-5-
## Related articles
- [BitLocker overview](bitlocker-overview.md)
- [BitLocker overview](index.md)
- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml)
- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
- [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)

View File

@ -1,19 +1,11 @@
---
title: BitLocker Use BitLocker Recovery Password Viewer
description: This article for the IT professional describes how to use the BitLocker Recovery Password Viewer.
ms.reviewer:
ms.prod: windows-client
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
manager: aaroncz
ms.collection:
- highpri
- tier1
ms.topic: conceptual
ms.date: 11/08/2022
ms.custom: bitlocker
ms.technology: itpro-security
---
# BitLocker: Use BitLocker Recovery Password Viewer
@ -66,7 +58,7 @@ By completing the procedures in this scenario, the recovery passwords for a comp
## Related articles
- [BitLocker Overview](bitlocker-overview.md)
- [BitLocker Overview](index.md)
- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml)
- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
- [BitLocker: How to deploy on Windows Server 2012](bitlocker-how-to-deploy-on-windows-server.md)

View File

@ -2,19 +2,10 @@
metadata:
title: Using BitLocker with other programs FAQ
description: Learn how to integrate BitLocker with other software on a device.
ms.prod: windows-client
ms.technology: itpro-security
author: frankroj
ms.author: frankroj
manager: aaroncz
ms.topic: faq
ms.date: 11/08/2022
title: Using BitLocker with other programs FAQ
summary: |
**Applies to:**
- Windows 10 and later
- Windows Server 2016 and later
sections:
- name: Ignored

View File

@ -1,32 +1,17 @@
---
title: BitLocker
title: BitLocker overview
description: This article provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features.
ms.author: frankroj
ms.prod: windows-client
ms.localizationpriority: medium
author: frankroj
manager: aaroncz
ms.collection:
- highpri
- tier1
ms.topic: conceptual
ms.date: 11/08/2022
ms.custom: bitlocker
ms.technology: itpro-security
---
# BitLocker
**Applies to:**
- Windows 10
- Windows 11
- Windows Server 2016 and above
# BitLocker overview
This article provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features.
## BitLocker overview
BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.
BitLocker provides the maximum protection when used with a Trusted Platform Module (TPM) version 1.2 or later versions. The TPM is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer hasn't been tampered with while the system was offline.
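Review bot: after the rename, the H1 `# BitLocker overview` is followed two lines later by the unchanged H2 `## BitLocker overview`, so the page has two identical headings and two `#bitlocker-overview` anchors. Rename or remove the H2, since the paragraph under it is a plain introduction and can sit directly beneath the intro sentence.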
@ -48,7 +33,7 @@ There are two additional tools in the Remote Server Administration Tools that ca
- **BitLocker Drive Encryption Tools**. BitLocker Drive Encryption Tools include the command-line tools, manage-bde and repair-bde, and the BitLocker cmdlets for Windows PowerShell. Both manage-bde and the BitLocker cmdlets can be used to perform any task that can be accomplished through the
BitLocker control panel, and they're appropriate to be used for automated deployments and other scripting scenarios. Repair-bde is provided for disaster recovery scenarios in which a BitLocker-protected drive can't be unlocked normally or by using the recovery console.
[!INCLUDE [bitlocker](../../../../includes/licensing/bitlocker-enablement.md)]
[!INCLUDE [bitlocker](../../../../../includes/licensing/bitlocker-enablement.md)]
## System requirements

View File

@ -1,26 +1,12 @@
---
title: Prepare the organization for BitLocker Planning and policies
description: This article for the IT professional explains how can to plan for a BitLocker deployment.
ms.reviewer:
ms.prod: windows-client
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
manager: aaroncz
ms.topic: conceptual
ms.date: 11/08/2022
ms.custom: bitlocker
ms.technology: itpro-security
---
# Prepare an organization for BitLocker: Planning and policies
**Applies to:**
- Windows 10
- Windows 11
- Windows Server 2016 and above
This article for the IT professional explains how to plan BitLocker deployment.
When BitLocker deployment strategy is defined, define the appropriate policies and configuration requirements based on the business requirements of the organization. The following sections will help with collecting information. Use this information to help with the decision-making process about deploying and managing BitLocker systems.
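Review bot: the `description` in this front matter says "explains how can to plan for a BitLocker deployment"; fix it to "explains how to plan for a BitLocker deployment" while the block is being edited. The `title` ("Prepare the organization for BitLocker Planning and policies"), the H1 ("Prepare an organization for BitLocker: Planning and policies") and the new TOC entry ("Prepare your organization for BitLocker: Planning and policies") also disagree on the article; pick one wording.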
@ -199,9 +185,7 @@ On Windows Server 2012 R2 and Windows 8.1 and older, recovery passwords generate
## Related articles
- [Trusted Platform Module](../tpm/trusted-platform-module-top-node.md)
- [TPM Group Policy settings](../tpm/trusted-platform-module-services-group-policy-settings.md)
- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml)
- [BitLocker](bitlocker-overview.md)
- [BitLocker](index.md)
- [BitLocker Group Policy settings](bitlocker-group-policy-settings.md)
- [BitLocker basic deployment](bitlocker-basic-deployment.md)
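Review bot: the two `../tpm/...` entries in this Related articles list are relative to the old folder, and the header shrinks the list from 9 to 7 lines, so they appear to be dropped rather than re-pointed. If that is intended, say so in the commit message; otherwise update the paths for the new `operating-system-security/data-protection/bitlocker` location so the planning article still links to the TPM documentation it depends on.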

View File

@ -1,16 +1,8 @@
---
title: Protecting cluster shared volumes and storage area networks with BitLocker
description: This article for IT pros describes how to protect CSVs and SANs with BitLocker.
ms.reviewer:
ms.prod: windows-client
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
manager: aaroncz
ms.topic: conceptual
ms.date: 11/08/2022
ms.custom: bitlocker
ms.technology: itpro-security
---
# Protecting cluster shared volumes and storage area networks with BitLocker

View File

@ -0,0 +1,74 @@
items:
- name: Overview
href: index.md
- name: BitLocker device encryption
href: bitlocker-device-encryption-overview-windows-10.md
- name: BitLocker frequently asked questions (FAQ)
href: bitlocker-frequently-asked-questions.yml
items:
- name: Overview and requirements
href: bitlocker-overview-and-requirements-faq.yml
- name: Upgrading
href: bitlocker-upgrading-faq.yml
- name: Deployment and administration
href: bitlocker-deployment-and-administration-faq.yml
- name: Key management
href: bitlocker-key-management-faq.yml
- name: BitLocker To Go
href: bitlocker-to-go-faq.yml
- name: Active Directory Domain Services
href: bitlocker-and-adds-faq.yml
- name: Security
href: bitlocker-security-faq.yml
- name: BitLocker Network Unlock
href: bitlocker-network-unlock-faq.yml
- name: General
href: bitlocker-using-with-other-programs-faq.yml
- name: "Prepare your organization for BitLocker: Planning and policies"
href: prepare-your-organization-for-bitlocker-planning-and-policies.md
- name: BitLocker deployment comparison
href: bitlocker-deployment-comparison.md
- name: BitLocker basic deployment
href: bitlocker-basic-deployment.md
- name: Deploy BitLocker on Windows Server 2012 and later
href: bitlocker-how-to-deploy-on-windows-server.md
- name: BitLocker management
href: bitlocker-management-for-enterprises.md
- name: Enable Network Unlock with BitLocker
href: bitlocker-how-to-enable-network-unlock.md
- name: Use BitLocker Drive Encryption Tools to manage BitLocker
href: bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
- name: Use BitLocker Recovery Password Viewer
href: bitlocker-use-bitlocker-recovery-password-viewer.md
- name: BitLocker Group Policy settings
href: bitlocker-group-policy-settings.md
- name: BCD settings and BitLocker
href: bcd-settings-and-bitlocker.md
- name: BitLocker Recovery Guide
href: bitlocker-recovery-guide-plan.md
- name: BitLocker Countermeasures
href: bitlocker-countermeasures.md
- name: Protecting cluster shared volumes and storage area networks with BitLocker
href: protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
- name: Troubleshoot BitLocker
items:
- name: Troubleshoot BitLocker 🔗
href: /troubleshoot/windows-client/windows-security/bitlocker-issues-troubleshooting
- name: "BitLocker cannot encrypt a drive: known issues 🔗"
href: /troubleshoot/windows-client/windows-security/bitlocker-cannot-encrypt-a-drive-known-issues
- name: "Enforcing BitLocker policies by using Intune: known issues 🔗"
href: /troubleshoot/windows-client/windows-security/enforcing-bitlocker-policies-by-using-intune-known-issues
- name: "BitLocker Network Unlock: known issues 🔗"
href: /troubleshoot/windows-client/windows-security/bitlocker-network-unlock-known-issues
- name: "BitLocker recovery: known issues 🔗"
href: /troubleshoot/windows-client/windows-security/bitlocker-recovery-known-issues
- name: "BitLocker configuration: known issues 🔗"
href: /troubleshoot/windows-client/windows-security/bitlocker-configuration-known-issues
- name: Troubleshoot BitLocker and TPM issues
items:
- name: "BitLocker cannot encrypt a drive: known TPM issues 🔗"
href: /troubleshoot/windows-client/windows-security/bitlocker-cannot-encrypt-a-drive-known-tpm-issues
- name: "BitLocker and TPM: other known issues 🔗"
href: /troubleshoot/windows-client/windows-security/bitlocker-and-tpm-other-known-issues
- name: Decode Measured Boot logs to track PCR changes 🔗
href: /troubleshoot/windows-client/windows-security/decode-measured-boot-logs-to-track-pcr-changes
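Review bot: in the FAQ group, the entry named `General` points to `bitlocker-using-with-other-programs-faq.yml`, whose own title in this commit is "Using BitLocker with other programs FAQ". Name the node "Using BitLocker with other programs" so the TOC label matches the page a reader lands on. Casing is also mixed across siblings ("BitLocker Recovery Guide", "BitLocker Countermeasures" against "BitLocker basic deployment"); sentence case throughout would match the rest of the file.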

View File

@ -3,8 +3,6 @@ title: Configure S/MIME for Windows
description: S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients with a digital ID, also known as a certificate, can read them. Learn how to configure S/MIME for Windows.
ms.topic: how-to
ms.date: 05/31/2023
author: paolomatarazzo
ms.author: paoloma
---
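Review bot: the header drops two lines from this front matter and the candidates are `author: paolomatarazzo` and `ms.author: paoloma`, which are not the `frankroj` values stripped from the other files in this commit. Nothing in the hunk shows where this page's owner is set instead, so either keep the two lines or reference the file or folder metadata that now supplies them.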

View File

@ -1,27 +1,12 @@
---
title: Encrypted Hard Drive
description: Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management.
ms.reviewer:
manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
author: frankroj
ms.date: 11/08/2022
ms.technology: itpro-security
ms.topic: conceptual
---
# Encrypted Hard Drive
*Applies to:*
- Windows 10
- Windows 11
- Windows Server 2022
- Windows Server 2019
- Windows Server 2016
- Azure Stack HCI
Encrypted hard drive uses the rapid encryption that is provided by BitLocker drive encryption to enhance data security and management.
By offloading the cryptographic operations to hardware, Encrypted hard drives increase BitLocker performance and reduce CPU usage and power consumption. Because Encrypted hard drives encrypt data quickly, enterprise devices can expand BitLocker deployment with minimal impact on productivity.
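Review bot: the *Applies to:* list in this hunk is the only visible place that names Windows Server 2022, Windows Server 2019 and Azure Stack HCI for Encrypted Hard Drive, and the header takes the block from 27 lines to 12. If the list is among the removed lines, restate the supported platforms under `## System Requirements` so that information is not lost with the front-matter cleanup.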
@ -48,7 +33,7 @@ Encrypted hard drives are supported natively in the operating system through the
If you're a storage device vendor who is looking for more info on how to implement Encrypted Hard Drive, see the [Encrypted Hard Drive Device Guide](/previous-versions/windows/hardware/design/dn653989(v=vs.85)).
[!INCLUDE [encrypted-hard-drive](../../../includes/licensing/encrypted-hard-drive.md)]
[!INCLUDE [encrypted-hard-drive](../../../../includes/licensing/encrypted-hard-drive.md)]
## System Requirements

View File

@ -1,13 +1,8 @@
---
title: Encryption and data protection in Windows
description: Get an overview encryption and data protection in Windows 11 and Windows 10
author: frankroj
ms.author: frankroj
manager: aaroncz
ms.topic: overview
ms.date: 09/22/2022
ms.prod: windows-client
ms.technology: itpro-security
ms.reviewer: rafals
---
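Review bot: the `description` reads "Get an overview encryption and data protection in Windows 11 and Windows 10"; it is missing "of". Fix it to "Get an overview of encryption and data protection ..." in the same change, since this string is what search results show.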
@ -45,10 +40,10 @@ Windows consistently improves data protection by improving existing options and
<!-- Max 5963468 OS 32516487 -->
(*Applies to: Windows 11, version 22H2 and later*)
[!INCLUDE [Personal Data Encryption (PDE) description](information-protection/personal-data-encryption/includes/pde-description.md)]
[!INCLUDE [Personal Data Encryption (PDE) description](personal-data-encryption/includes/pde-description.md)]
## See also
- [Encrypted Hard Drive](information-protection/encrypted-hard-drive.md)
- [BitLocker](information-protection/bitlocker/bitlocker-overview.md)
- [Personal Data Encryption (PDE)](information-protection/personal-data-encryption/overview-pde.md)
- [Encrypted Hard Drive](encrypted-hard-drive.md)
- [BitLocker](bitlocker/index.md)
- [Personal Data Encryption (PDE)](personal-data-encryption/index.md)
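Review bot: the context line `<!-- Max 5963468 OS 32516487 -->` above the PDE include is left as is, while the same tracking comment is rewritten to `<!-- Max 6946251 -->` in the PDE description include and the PDE overview in this commit. Update it here too, or remove the comment, so the three files do not carry different work-item references.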

View File

@ -1,14 +1,7 @@
---
title: Configure Personal Data Encryption (PDE) in Intune
description: Configuring and enabling Personal Data Encryption (PDE) required and recommended policies in Intune
author: frankroj
ms.author: frankroj
ms.reviewer: rhonnegowda
manager: aaroncz
ms.topic: how-to
ms.prod: windows-client
ms.technology: itpro-security
ms.localizationpriority: medium
ms.date: 03/13/2023
---
@ -21,21 +14,17 @@ The various required and recommended policies needed for Personal Data Encryptio
## Required prerequisites
1. [Enable Personal Data Encryption (PDE)](pde-in-intune/intune-enable-pde.md)
1. [Disable Winlogon automatic restart sign-on (ARSO)](pde-in-intune/intune-disable-arso.md)
1. [Enable Personal Data Encryption (PDE)](intune-enable-pde.md)
1. [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md)
## Security hardening recommendations
1. [Disable kernel-mode crash dumps and live dumps](pde-in-intune/intune-disable-memory-dumps.md)
1. [Disable Windows Error Reporting (WER)/user-mode crash dumps](pde-in-intune/intune-disable-wer.md)
1. [Disable hibernation](pde-in-intune/intune-disable-hibernation.md)
1. [Disable allowing users to select when a password is required when resuming from connected standby](pde-in-intune/intune-disable-password-connected-standby.md)
1. [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md)
1. [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md)
1. [Disable hibernation](intune-disable-hibernation.md)
1. [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md)
## See also
- [Personal Data Encryption (PDE)](overview-pde.md)
- [Personal Data Encryption (PDE)](index.md)
- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)

View File

@ -3,19 +3,9 @@
metadata:
title: Frequently asked questions for Personal Data Encryption (PDE)
description: Answers to common questions regarding Personal Data Encryption (PDE).
author: frankroj
ms.author: frankroj
ms.reviewer: rhonnegowda
manager: aaroncz
ms.topic: faq
ms.prod: windows-client
ms.technology: itpro-security
ms.localizationpriority: medium
ms.date: 03/13/2023
# Max 5963468 OS 32516487
# Max 6946251
title: Frequently asked questions for Personal Data Encryption (PDE)
summary: |
Here are some answers to common questions regarding Personal Data Encryption (PDE)
@ -65,7 +55,7 @@ sections:
- question: Can users manually encrypt and decrypt files with PDE?
answer: |
Currently users can decrypt files manually but they can't encrypt files manually. For information on how a user can manually decrypt a file, see the section **Disable PDE and decrypt files** in [Personal Data Encryption (PDE)](overview-pde.md).
Currently users can decrypt files manually but they can't encrypt files manually. For information on how a user can manually decrypt a file, see the section **Disable PDE and decrypt files** in [Personal Data Encryption (PDE)](index.md).
- question: If a user signs into Windows with a password instead of Windows Hello for Business, will they be able to access their PDE protected content?
answer: |
@ -77,6 +67,6 @@ sections:
additionalContent: |
## See also
- [Personal Data Encryption (PDE)](overview-pde.md)
- [Personal Data Encryption (PDE)](index.md)
- [Configure Personal Data Encryption (PDE) polices in Intune](configure-pde-in-intune.md)
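Review bot: the last line of this hunk has the link text "Configure Personal Data Encryption (PDE) polices in Intune"; "polices" should be "policies". It is a context line, but the See also block is already being edited, so fix it here.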

View File

@ -1,22 +1,14 @@
---
title: Personal Data Encryption (PDE) description
description: Personal Data Encryption (PDE) description include file
author: frankroj
ms.author: frankroj
ms.reviewer: rhonnegowda
manager: aaroncz
ms.topic: include
ms.prod: windows-client
ms.technology: itpro-security
ms.localizationpriority: medium
ms.date: 03/13/2023
---
<!-- Max 5963468 OS 32516487 -->
<!-- Max 6946251 -->
Personal data encryption (PDE) is a security feature introduced in Windows 11, version 22H2 that provides additional encryption features to Windows. PDE differs from BitLocker in that it encrypts individual files and content instead of whole volumes and disks. PDE occurs in addition to other encryption methods such as BitLocker.
Starting in Windows 11, version 22H2, Personal Data Encryption (PDE) is a security feature that provides more encryption capabilities to Windows.
PDE differs from BitLocker in that it encrypts individual files and content instead of whole volumes and disks. PDE occurs in addition to other encryption methods such as BitLocker.
PDE utilizes Windows Hello for Business to link data encryption keys with user credentials. This feature can minimize the number of credentials the user has to remember to gain access to content. For example, when using BitLocker with PIN, a user would need to authenticate twice - once with the BitLocker PIN and a second time with Windows credentials. This requirement requires users to remember two different credentials. With PDE, users only need to enter one set of credentials via Windows Hello for Business.
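Review bot: the new opening sentence, "Starting in Windows 11, version 22H2, Personal Data Encryption (PDE) is a security feature that provides more encryption capabilities to Windows", reads as though PDE existed in some other form before 22H2. Suggest "Personal Data Encryption (PDE) is a security feature, available starting in Windows 11, version 22H2, that provides more encryption capabilities to Windows." In the unchanged last paragraph, "This requirement requires users to remember" could become "This means users have to remember" while the include is open.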

View File

@ -1,44 +1,30 @@
---
title: Personal Data Encryption (PDE)
description: Personal Data Encryption unlocks user encrypted files at user sign-in instead of at boot.
author: frankroj
ms.author: frankroj
ms.reviewer: rhonnegowda
manager: aaroncz
ms.topic: how-to
ms.prod: windows-client
ms.technology: itpro-security
ms.localizationpriority: medium
ms.date: 03/13/2023
---
<!-- Max 5963468 OS 32516487 -->
<!-- Max 6946251 -->
# Personal Data Encryption (PDE)
**Applies to:**
- Windows 11, version 22H2 and later Enterprise and Education editions
[!INCLUDE [Personal Data Encryption (PDE) description](includes/pde-description.md)]
[!INCLUDE [personal-data-encryption-pde](../../../../includes/licensing/personal-data-encryption-pde.md)]
[!INCLUDE [personal-data-encryption-pde](../../../../../includes/licensing/personal-data-encryption-pde.md)]
## Prerequisites
### Required
- [Azure AD joined device](/azure/active-directory/devices/concept-azure-ad-join)
- [Windows Hello for Business](../../identity-protection/hello-for-business/hello-overview.md)
- [Windows Hello for Business Overview](../../../identity-protection/hello-for-business/hello-overview.md)
- Windows 11, version 22H2 and later Enterprise and Education editions
### Not supported with PDE
- [FIDO/security key authentication](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)
- [Winlogon automatic restart sign-on (ARSO)](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-)
- For information on disabling ARSO via Intune, see [Disable Winlogon automatic restart sign-on (ARSO)](pde-in-intune/intune-disable-arso.md).
- [Windows Information Protection (WIP)](../windows-information-protection/protect-enterprise-data-using-wip.md)
- For information on disabling ARSO via Intune, see [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md).
- [Protect your enterprise data using Windows Information Protection (WIP)](../../../information-protection/windows-information-protection/protect-enterprise-data-using-wip.md)
- [Hybrid Azure AD joined devices](/azure/active-directory/devices/concept-azure-ad-join-hybrid)
- Remote Desktop connections
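Review bot: under `### Not supported with PDE`, the new link text "Protect your enterprise data using Windows Information Protection (WIP)" reads like an instruction inside a list of unsupported features. Keep the short label and change only the path: `[Windows Information Protection (WIP)](../../../information-protection/windows-information-protection/protect-enterprise-data-using-wip.md)`. The same applies to "Windows Hello for Business Overview" under `### Required`, where the item is the feature, not the article.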
@ -46,15 +32,15 @@ ms.date: 03/13/2023
- [Kernel-mode crash dumps and live dumps disabled](/windows/client-management/mdm/policy-csp-memorydump#memorydump-policies)
Kernel-mode crash dumps and live dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps. For information on disabling crash dumps and live dumps via Intune, see [Disable kernel-mode crash dumps and live dumps](pde-in-intune/intune-disable-memory-dumps.md).
Kernel-mode crash dumps and live dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps. For information on disabling crash dumps and live dumps via Intune, see [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md).
- [Windows Error Reporting (WER) disabled/User-mode crash dumps disabled](/windows/client-management/mdm/policy-csp-errorreporting#errorreporting-disablewindowserrorreporting)
Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps. For more information on disabling crash dumps via Intune, see [Disable Windows Error Reporting (WER)/user-mode crash dumps](pde-in-intune/intune-disable-wer.md).
Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps. For more information on disabling crash dumps via Intune, see [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md).
- [Hibernation disabled](/windows/client-management/mdm/policy-csp-power#power-allowhibernate)
Hibernation files can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable hibernation. For more information on disabling crash dumps via Intune, see [Disable hibernation](pde-in-intune/intune-disable-hibernation.md).
Hibernation files can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable hibernation. For more information on disabling crash dumps via Intune, see [Disable hibernation](intune-disable-hibernation.md).
- [Allowing users to select when a password is required when resuming from connected standby disabled](/windows/client-management/mdm/policy-csp-admx-credentialproviders#admx-credentialproviders-allowdomaindelaylock)
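Review bot: the hibernation paragraph is rewritten for the new link path but keeps the copy-paste error "For more information on disabling crash dumps via Intune, see [Disable hibernation]". It should read "For more information on disabling hibernation via Intune, see [Disable hibernation](intune-disable-hibernation.md)."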
@ -76,11 +62,11 @@ ms.date: 03/13/2023
Because of this undesired outcome, it's recommended to explicitly disable this policy on Azure AD joined devices instead of leaving it at the default of **Not configured**.
For information on disabling this policy via Intune, see [Disable allowing users to select when a password is required when resuming from connected standby](pde-in-intune/intune-disable-password-connected-standby.md).
For information on disabling this policy via Intune, see [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md).
### Highly recommended
- [BitLocker Drive Encryption](../bitlocker/bitlocker-overview.md) enabled
- [BitLocker Drive Encryption](../bitlocker/index.md) enabled
Although PDE will work without BitLocker, it's recommended to also enable BitLocker. PDE is meant to work alongside BitLocker for increased security. PDE isn't a replacement for BitLocker.
@ -88,7 +74,7 @@ ms.date: 03/13/2023
In certain scenarios such as TPM resets or destructive PIN resets, the keys used by PDE to protect content will be lost. In such scenarios, any content protected with PDE will no longer be accessible. The only way to recover such content would be from backup.
- [Windows Hello for Business PIN reset service](../../identity-protection/hello-for-business/hello-feature-pin-reset.md)
- [Windows Hello for Business PIN reset service](../../../identity-protection/hello-for-business/hello-feature-pin-reset.md)
Destructive PIN resets will cause keys used by PDE to protect content to be lost. A destructive PIN reset will make any content protected with PDE no longer accessible after the destructive PIN reset has occurred. Content protected with PDE will need to be recovered from a backup after a destructive PIN reset. For this reason Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets.
@ -137,7 +123,7 @@ There's also a [PDE CSP](/windows/client-management/mdm/personaldataencryption-c
> [!NOTE]
> Enabling the PDE policy on devices only enables the PDE feature. It does not protect any content. To protect content via PDE, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). The PDE APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the PDE APIs can't be used to protect content until the PDE policy has been enabled.
For information on enabling PDE via Intune, see [Enable Personal Data Encryption (PDE)](pde-in-intune/intune-enable-pde.md).
For information on enabling PDE via Intune, see [Enable Personal Data Encryption (PDE)](intune-enable-pde.md).
## Differences between PDE and BitLocker

View File

@ -1,15 +1,8 @@
---
title: Disable Winlogon automatic restart sign-on (ARSO) for PDE in Intune
description: Disable Winlogon automatic restart sign-on (ARSO) for PDE in Intune
author: frankroj
ms.author: frankroj
ms.reviewer: rhonnegowda
manager: aaroncz
ms.topic: how-to
ms.prod: windows-client
ms.technology: itpro-security
ms.localizationpriority: medium
ms.date: 03/13/2023
ms.date: 06/01/2023
---
# Disable Winlogon automatic restart sign-on (ARSO) for PDE
@ -20,81 +13,51 @@ Winlogon automatic restart sign-on (ARSO) isn't supported for use with Personal
To disable ARSO using Intune, follow the below steps:
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. In the **Home** screen, select **Devices** in the left pane.
1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**.
1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**.
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
1. In the **Home** screen, select **Devices** in the left pane
1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**
1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**
1. In the **Create profile** window that opens:
1. Under **Platform**, select **Windows 10 and later**.
1. Under **Profile type**, select **Templates**.
1. When the templates appear, under **Template name**, select **Administrative templates**.
1. Under **Platform**, select **Windows 10 and later**
1. Under **Profile type**, select **Templates**
1. When the templates appear, under **Template name**, select **Administrative templates**
1. Select **Create** to close the **Create profile** window.
1. The **Create profile** screen will open. In the **Basics** page:
1. Next to **Name**, enter **Disable ARSO**.
1. Next to **Description**, enter a description.
1. Select **Next**.
1. Next to **Name**, enter **Disable ARSO**
1. Next to **Description**, enter a description
1. Select **Next**
1. In the **Configuration settings** page:
1. On the left pane of the page, make sure **Computer Configuration** is selected.
1. Under **Setting name**, scroll down and select **Windows Components**.
1. Under **Setting name**, scroll down and select **Windows Logon Options**. You may need to navigate between pages on the bottom right corner before finding the **Windows Logon Options** option.
1. Under **Setting name** of the **Windows Logon Options** pane, select **Sign-in and lock last interactive user automatically after a restart**.
1. In the **Sign-in and lock last interactive user automatically after a restart** window that opens, select **Disabled**, and then select **OK**.
1. Select **Next**.
1. In the **Scope tags** page, configure if necessary and then select **Next**.
1. On the left pane of the page, make sure **Computer Configuration** is selected
1. Under **Setting name**, scroll down and select **Windows Components**
1. Under **Setting name**, scroll down and select **Windows Logon Options**. You may need to navigate between pages on the bottom right corner before finding the **Windows Logon Options** option
1. Under **Setting name** of the **Windows Logon Options** pane, select **Sign-in and lock last interactive user automatically after a restart**
1. In the **Sign-in and lock last interactive user automatically after a restart** window that opens, select **Disabled**, and then select **OK**
1. Select **Next**
1. In the **Scope tags** page, configure if necessary and then select **Next**
1. In the **Assignments** page:
1. Under **Included groups**, select **Add groups**.
1. Under **Included groups**, select **Add groups**
> [!NOTE]
>
> Make sure to select **Add groups** under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile.
1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window.
1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**.
1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**.
1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window
1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**
1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**
## Additional PDE configurations in Intune
The following PDE configurations can also be configured using Intune:
### Required prerequisites
### Prerequisites
- [Enable Personal Data Encryption (PDE)](../pde-in-intune/intune-enable-pde.md)
- [Enable Personal Data Encryption (PDE)](intune-enable-pde.md)
### Security hardening recommendations
- [Disable kernel-mode crash dumps and live dumps](../pde-in-intune/intune-disable-memory-dumps.md)
- [Disable Windows Error Reporting (WER)/user-mode crash dumps](../pde-in-intune/intune-disable-wer.md)
- [Disable hibernation](../pde-in-intune/intune-disable-hibernation.md)
- [Disable allowing users to select when a password is required when resuming from connected standby](../pde-in-intune/intune-disable-password-connected-standby.md)
- [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md)
- [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md)
- [Disable hibernation](intune-disable-hibernation.md)
- [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md)
## More information
- [Personal Data Encryption (PDE)](../overview-pde.md)
- [Personal Data Encryption (PDE) FAQ](../faq-pde.yml)
- [Personal Data Encryption (PDE)](index.md)
- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)
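Review bot: dropping the trailing period leaves the **Windows Logon Options** step in the Configuration settings list half-punctuated. It is two sentences, so the first still ends in a period ("...select **Windows Logon Options**.") while the second now ends without one ("...before finding the **Windows Logon Options** option"). Either keep the terminal period on multi-sentence steps or move the paging hint into a note under the step.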

View File

@ -1,14 +1,7 @@
---
title: Disable hibernation for PDE in Intune
description: Disable hibernation for PDE in Intune
author: frankroj
ms.author: frankroj
ms.reviewer: rhonnegowda
manager: aaroncz
ms.topic: how-to
ms.prod: windows-client
ms.technology: itpro-security
ms.localizationpriority: medium
ms.date: 03/13/2023
---
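Review bot: the hunk header takes the front matter from 14 lines to 7, so several of author, ms.author, ms.reviewer, manager, ms.prod, ms.technology and ms.localizationpriority are being dropped. Please confirm each removed key is supplied by folder-level metadata at the new location, otherwise the page loses its owner and product tagging. Also check whether ms.date should stay at 03/13/2023 when the body is edited in the next hunk. The same question applies to the identical front matter change in the other PDE how-to files in this commit.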
@ -20,79 +13,50 @@ Hibernation files can potentially cause the keys used by Personal Data Encryptio
To disable hibernation using Intune, follow the below steps:
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. In the **Home** screen, select **Devices** in the left pane.
1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**.
1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**.
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
1. In the **Home** screen, select **Devices** in the left pane
1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**
1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**
1. In the **Create profile** window that opens:
1. Under **Platform**, select **Windows 10 and later**.
1. Under **Profile type**, select **Settings catalog**.
1. Select **Create** to close the **Create profile** window.
1. Under **Platform**, select **Windows 10 and later**
1. Under **Profile type**, select **Settings catalog**
1. Select **Create** to close the **Create profile** window
1. The **Create profile** screen will open. In the **Basics** page:
1. Next to **Name**, enter **Disable Hibernation**.
1. Next to **Description**, enter a description.
1. Select **Next**.
1. Next to **Name**, enter **Disable Hibernation**
1. Next to **Description**, enter a description
1. Select **Next**
1. In the **Configuration settings** page:
1. select **Add settings**.
1. select **Add settings**
1. In the **Settings picker** window that opens:
1. Under **Browse by category**, scroll down and select **Power**.
1. When the settings for the **Power** category appear under **Setting name** in the lower pane, select **Allow Hibernate**, and then select the **X** in the top right corner of the **Settings picker** window to close the window.
1. Change **Allow Hibernate** from **Allow** to **Block** by selecting the slider next to the option.
1. Select **Next**.
1. In the **Scope tags** page, configure if necessary and then select **Next**.
1. Under **Browse by category**, scroll down and select **Power**
1. When the settings for the **Power** category appear under **Setting name** in the lower pane, select **Allow Hibernate**, and then select the **X** in the top right corner of the **Settings picker** window to close the window
1. Change **Allow Hibernate** from **Allow** to **Block** by selecting the slider next to the option
1. Select **Next**
1. In the **Scope tags** page, configure if necessary and then select **Next**
1. In the **Assignments** page:
1. Under **Included groups**, select **Add groups**.
1. Under **Included groups**, select **Add groups**
> [!NOTE]
>
> Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile.
1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window.
1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**.
1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**.
1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window
1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**
1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**
## Additional PDE configurations in Intune
The following PDE configurations can also be configured using Intune:
### Required prerequisites
### Prerequisites
- [Enable Personal Data Encryption (PDE)](../pde-in-intune/intune-enable-pde.md)
- [Disable Winlogon automatic restart sign-on (ARSO)](../pde-in-intune/intune-disable-arso.md)
- [Enable Personal Data Encryption (PDE)](intune-enable-pde.md)
- [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md)
### Security hardening recommendations
- [Disable kernel-mode crash dumps and live dumps](../pde-in-intune/intune-disable-memory-dumps.md)
- [Disable Windows Error Reporting (WER)/user-mode crash dumps](../pde-in-intune/intune-disable-wer.md)
- [Disable allowing users to select when a password is required when resuming from connected standby](../pde-in-intune/intune-disable-password-connected-standby.md)
- [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md)
- [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md)
- [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md)
## More information
- [Personal Data Encryption (PDE)](../overview-pde.md)
- [Personal Data Encryption (PDE) FAQ](../faq-pde.yml)
- [Personal Data Encryption (PDE)](index.md)
- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)
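Review bot: in the Configuration settings step, the rewritten line still reads "select **Add settings**" with a lowercase "select", while every other step in this list starts with a capital. Since the line is already being touched to drop the period, capitalize it in the same change.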

View File

@ -1,14 +1,7 @@
---
title: Disable kernel-mode crash dumps and live dumps for PDE in Intune
description: Disable kernel-mode crash dumps and live dumps for PDE in Intune
author: frankroj
ms.author: frankroj
ms.reviewer: rhonnegowda
manager: aaroncz
ms.topic: how-to
ms.prod: windows-client
ms.technology: itpro-security
ms.localizationpriority: medium
ms.date: 03/13/2023
---
@ -20,77 +13,49 @@ Kernel-mode crash dumps and live dumps can potentially cause the keys used by Pe
To disable kernel-mode crash dumps and live dumps using Intune, follow the below steps:
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. In the **Home** screen, select **Devices** in the left pane.
1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**.
1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**.
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
1. In the **Home** screen, select **Devices** in the left pane
1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**
1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**
1. In the **Create profile** window that opens:
1. Under **Platform**, select **Windows 10 and later**.
1. Under **Profile type**, select **Settings catalog**.
1. Select **Create** to close the **Create profile** window.
1. Under **Platform**, select **Windows 10 and later**
1. Under **Profile type**, select **Settings catalog**
1. Select **Create** to close the **Create profile** window
1. The **Create profile** screen will open. In the **Basics** page:
1. Next to **Name**, enter **Disable Kernel-Mode Crash Dumps**.
1. Next to **Name**, enter **Disable Kernel-Mode Crash Dumps**
1. Next to **Description**, enter a description.
1. Select **Next**.
1. Select **Next**
1. In the **Configuration settings** page:
1. Select **Add settings**.
1. Select **Add settings**
1. In the **Settings picker** window that opens:
1. Under **Browse by category**, scroll down and select **Memory Dump**.
1. When the settings for the **Memory Dump** category appear under **Setting name** in the lower pane, select both **Allow Crash Dump** and **Allow Live Dump**, and then select the **X** in the top right corner of the **Settings picker** window to close the window.
1. Change both **Allow Live Dump** and **Allow Crash Dump** from **Allow** to **Block** by selecting the slider next to each option, and then select **Next**.
1. In the **Scope tags** page, configure if necessary and then select **Next**.
1. Under **Browse by category**, scroll down and select **Memory Dump**
1. When the settings for the **Memory Dump** category appear under **Setting name** in the lower pane, select both **Allow Crash Dump** and **Allow Live Dump**, and then select the **X** in the top right corner of the **Settings picker** window to close the window
1. Change both **Allow Live Dump** and **Allow Crash Dump** from **Allow** to **Block** by selecting the slider next to each option, and then select **Next**
1. In the **Scope tags** page, configure if necessary and then select **Next**
1. In the **Assignments** page:
1. Under **Included groups**, select **Add groups**.
1. Under **Included groups**, select **Add groups**
> [!NOTE]
>
> Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile.
1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window.
1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**.
1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**.
1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window
1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**
1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**
## Additional PDE configurations in Intune
The following PDE configurations can also be configured using Intune:
### Required prerequisites
### Prerequisites
- [Enable Personal Data Encryption (PDE)](../pde-in-intune/intune-enable-pde.md)
- [Disable Winlogon automatic restart sign-on (ARSO)](../pde-in-intune/intune-disable-arso.md)
- [Enable Personal Data Encryption (PDE)](intune-enable-pde.md)
- [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md)
### Security hardening recommendations
- [Disable Windows Error Reporting (WER)/user-mode crash dumps](../pde-in-intune/intune-disable-wer.md)
- [Disable hibernation](../pde-in-intune/intune-disable-hibernation.md)
- [Disable allowing users to select when a password is required when resuming from connected standby](../pde-in-intune/intune-disable-password-connected-standby.md)
- [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md)
- [Disable hibernation](intune-disable-hibernation.md)
- [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md)
## More information
- [Personal Data Encryption (PDE)](../overview-pde.md)
- [Personal Data Encryption (PDE) FAQ](../faq-pde.yml)
- [Personal Data Encryption (PDE)](index.md)
- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)
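Review bot: in the Basics page steps, "Next to **Description**, enter a description." is left unchanged and keeps its trailing period, while the **Name** and **Select Next** steps on either side lose theirs. Drop the period there too so the list is consistent. Separately, renaming "### Required prerequisites" to "### Prerequisites" changes the heading anchor, so check for inbound links that target the old anchor.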

View File

@ -1,14 +1,7 @@
---
title: Disable allowing users to select when a password is required when resuming from connected standby for PDE in Intune
description: Disable allowing users to select when a password is required when resuming from connected standby for PDE in Intune
author: frankroj
ms.author: frankroj
ms.reviewer: rhonnegowda
manager: aaroncz
ms.topic: how-to
ms.prod: windows-client
ms.technology: itpro-security
ms.localizationpriority: medium
ms.date: 03/13/2023
---
@ -17,18 +10,12 @@ ms.date: 03/13/2023
When the **Disable allowing users to select when a password is required when resuming from connected standby** policy isn't configured, the outcome between on-premises Active Directory joined devices and workgroup devices, including Azure Active Directory joined devices, is different:
- On-premises Active Directory joined devices:
- A user can't change the amount of time after the device´s screen turns off before a password is required when waking the device.
- A password is required immediately after the screen turns off.
The above is the desired outcome, but PDE isn't supported with on-premises Active Directory joined devices.
- A user can't change the amount of time after the device's screen turns off before a password is required when waking the device
- A password is required immediately after the screen turns off
The above is the desired outcome, but PDE isn't supported with on-premises Active Directory joined devices
- Workgroup devices, including Azure AD joined devices:
- A user on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device.
- During the time when the screen turns off but a password isn't required, the keys used by PDE to protect content could potentially be exposed. This outcome isn't a desired outcome.
- A user on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device
- During the time when the screen turns off but a password isn't required, the keys used by PDE to protect content could potentially be exposed. This outcome isn't a desired outcome
Because of this undesired outcome, it's recommended to explicitly disable this policy on Azure AD joined devices instead of leaving it at the default of **Not configured**.
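Review bot: the acute accent in "device´s" is corrected to an apostrophe in the on-premises Active Directory bullet, but the rewritten workgroup bullet ("A user on a Connected Standby device can change the amount of time after the device´s screen turns off...") still carries it. Fix that occurrence as well. The line "The above is the desired outcome, but PDE isn't supported with on-premises Active Directory joined devices" also loses its period although it reads as a full sentence rather than a list fragment.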
@ -36,83 +23,54 @@ Because of this undesired outcome, it's recommended to explicitly disable this p
To disable the policy **Disable allowing users to select when a password is required when resuming from connected standby** using Intune, follow the below steps:
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. In the **Home** screen, select **Devices** in the left pane.
1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**.
1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**.
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
1. In the **Home** screen, select **Devices** in the left pane
1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**
1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**
1. In the **Create profile** window that opens:
1. Under **Platform**, select **Windows 10 and later**.
1. Under **Profile type**, select **Settings catalog**.
1. Select **Create** to close the **Create profile** window.
1. Under **Platform**, select **Windows 10 and later**
1. Under **Profile type**, select **Settings catalog**
1. Select **Create** to close the **Create profile** window
1. The **Create profile** screen will open. In the **Basics** page:
1. Next to **Name**, enter **Disable allowing users to select when a password is required when resuming from connected standby**.
1. Next to **Description**, enter a description.
1. Next to **Name**, enter **Disable allowing users to select when a password is required when resuming from connected standby**
1. Next to **Description**, enter a description
1. Select **Next**.
1. In the **Configuration settings** page:
1. Select **Add settings**.
1. Select **Add settings**
1. In the **Settings picker** window that opens:
1. Under **Browse by category**, expand **Administrative Templates**
1. Under **Administrative Templates**, scroll down and expand **System**
1. Under **System**, scroll down and select **Logon**
1. When the settings for the **Logon** subcategory appear under **Setting name** in the lower pane, select **Allow users to select when a password is required when resuming from connected standby**, and then select the **X** in the top right corner of the **Settings picker** window to close the window
1. Leave the slider for **Allow users to select when a password is required when resuming from connected standby** at the default of **Disabled**
1. select **Next**
1. Under **Browse by category**, expand **Administrative Templates**.
1. Under **Administrative Templates**, scroll down and expand **System**.
1. Under **System**, scroll down and select **Logon**.
1. When the settings for the **Logon** subcategory appear under **Setting name** in the lower pane, select **Allow users to select when a password is required when resuming from connected standby**, and then select the **X** in the top right corner of the **Settings picker** window to close the window.
1. Leave the slider for **Allow users to select when a password is required when resuming from connected standby** at the default of **Disabled**.
1. select **Next**.
1. In the **Scope tags** page, configure if necessary and then select **Next**.
1. In the **Scope tags** page, configure if necessary and then select **Next**
1. In the **Assignments** page:
1. Under **Included groups**, select **Add groups**.
1. Under **Included groups**, select **Add groups**
> [!NOTE]
>
> Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile.
1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window.
1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**.
1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**.
1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window
1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**
1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**
## Additional PDE configurations in Intune
The following PDE configurations can also be configured using Intune:
### Required prerequisites
### Prerequisites
- [Enable Personal Data Encryption (PDE)](../pde-in-intune/intune-enable-pde.md)
- [Disable Winlogon automatic restart sign-on (ARSO)](../pde-in-intune/intune-disable-arso.md)
- [Enable Personal Data Encryption (PDE)](intune-enable-pde.md)
- [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md)
### Security hardening recommendations
- [Disable kernel-mode crash dumps and live dumps](../pde-in-intune/intune-disable-memory-dumps.md)
- [Disable Windows Error Reporting (WER)/user-mode crash dumps](../pde-in-intune/intune-disable-wer.md)
- [Disable hibernation](../pde-in-intune/intune-disable-hibernation.md)
- [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md)
- [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md)
- [Disable hibernation](intune-disable-hibernation.md)
## More information
- [Personal Data Encryption (PDE)](../overview-pde.md)
- [Personal Data Encryption (PDE) FAQ](../faq-pde.yml)
- [Personal Data Encryption (PDE)](index.md)
- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)
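Review bot: two steps end up inconsistent with the rest of the list after this change. "Select **Next**." in the Basics page is an untouched line and keeps its period, and the rewritten "select **Next**" after the slider step keeps its lowercase "select". Align both with the surrounding steps.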

View File

@ -1,14 +1,7 @@
---
title: Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE in Intune
description: Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE in Intune
author: frankroj
ms.author: frankroj
ms.reviewer: rhonnegowda
manager: aaroncz
ms.topic: how-to
ms.prod: windows-client
ms.technology: itpro-security
ms.localizationpriority: medium
ms.date: 03/13/2023
---
@ -20,83 +13,52 @@ Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode cras
To disable Windows Error Reporting (WER) and user-mode crash dumps using Intune, follow the below steps:
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. In the **Home** screen, select **Devices** in the left pane.
1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**.
1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**.
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
1. In the **Home** screen, select **Devices** in the left pane
1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**
1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**
1. In the **Create profile** window that opens:
1. Under **Platform**, select **Windows 10 and later**.
1. Under **Profile type**, select **Settings catalog**.
1. Select **Create** to close the **Create profile** window.
1. Under **Platform**, select **Windows 10 and later**
1. Under **Profile type**, select **Settings catalog**
1. Select **Create** to close the **Create profile** window
1. The **Create profile** screen will open. In the **Basics** page:
1. Next to **Name**, enter **Disable Windows Error Reporting (WER)**.
1. Next to **Description**, enter a description.
1. Select **Next**.
1. Next to **Name**, enter **Disable Windows Error Reporting (WER)**
1. Next to **Description**, enter a description
1. Select **Next**
1. In the **Configuration settings** page:
1. Select **Add settings**.
1. Select **Add settings**
1. In the **Settings picker** window that opens:
1. Under **Browse by category**, expand **Administrative Templates**.
1. Under **Administrative Templates**, scroll down and expand **Windows Components**.
1. Under **Windows Components**, scroll down and select **Windows Error Reporting**. Make sure to only select **Windows Error Reporting** and not to expand it.
1. When the settings for the **Windows Error Reporting** subcategory appear under **Setting name** in the lower pane, select **Disable Windows Error Reporting**, and then select the **X** in the top right corner of the **Settings picker** window to close the window.
1. Change **Disable Windows Error Reporting** from **Disabled** to **Enabled** by selecting the slider next to the option.
1. Select **Next**.
1. In the **Scope tags** page, configure if necessary and then select **Next**.
1. Under **Browse by category**, expand **Administrative Templates**
1. Under **Administrative Templates**, scroll down and expand **Windows Components**
1. Under **Windows Components**, scroll down and select **Windows Error Reporting**. Make sure to only select **Windows Error Reporting** and not to expand it
1. When the settings for the **Windows Error Reporting** subcategory appear under **Setting name** in the lower pane, select **Disable Windows Error Reporting**, and then select the **X** in the top right corner of the **Settings picker** window to close the window
1. Change **Disable Windows Error Reporting** from **Disabled** to **Enabled** by selecting the slider next to the option
1. Select **Next**
1. In the **Scope tags** page, configure if necessary and then select **Next**
1. In the **Assignments** page:
1. Under **Included groups**, select **Add groups**.
1. Under **Included groups**, select **Add groups**
> [!NOTE]
>
> Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile.
1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window.
1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**.
1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**.
1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window
1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**
1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**
## Additional PDE configurations in Intune
The following PDE configurations can also be configured using Intune:
### Required prerequisites
### Prerequisites
- [Enable Personal Data Encryption (PDE)](../pde-in-intune/intune-enable-pde.md)
- [Disable Winlogon automatic restart sign-on (ARSO)](../pde-in-intune/intune-disable-arso.md)
- [Enable Personal Data Encryption (PDE)](intune-enable-pde.md)
- [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md)
### Security hardening recommendations
- [Disable kernel-mode crash dumps and live dumps](../pde-in-intune/intune-disable-memory-dumps.md)
- [Disable hibernation](../pde-in-intune/intune-disable-hibernation.md)
- [Disable allowing users to select when a password is required when resuming from connected standby](../pde-in-intune/intune-disable-password-connected-standby.md)
- [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md)
- [Disable hibernation](intune-disable-hibernation.md)
- [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md)
## More information
- [Personal Data Encryption (PDE)](../overview-pde.md)
- [Personal Data Encryption (PDE) FAQ](../faq-pde.yml)
- [Personal Data Encryption (PDE)](index.md)
- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)
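Review bot: the relative links in the Prerequisites, Security hardening recommendations and More information sections now assume a flat folder (`intune-disable-arso.md` instead of `../pde-in-intune/intune-disable-arso.md`) and an overview renamed to `index.md`. Confirm that the old `pde-in-intune/` paths and `overview-pde.md` each have an entry in the redirection file, and that `faq-pde.yml` sits in the same folder as this page, so existing inbound links keep resolving.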

View File

@ -1,14 +1,7 @@
---
title: Enable Personal Data Encryption (PDE) in Intune
description: Enable Personal Data Encryption (PDE) in Intune
author: frankroj
ms.author: frankroj
ms.reviewer: rhonnegowda
manager: aaroncz
ms.topic: how-to
ms.prod: windows-client
ms.technology: itpro-security
ms.localizationpriority: medium
ms.date: 03/13/2023
---
@ -24,89 +17,54 @@ By default, Personal Data Encryption (PDE) is not enabled on devices. Before PDE
To enable Personal Data Encryption (PDE) using Intune, follow the below steps:
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. In the **Home** screen, select **Devices** in the left pane.
1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**.
1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**.
1. In the **Home** screen, select **Devices** in the left pane
1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**
1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**
1. In the **Create profile** window that opens:
1. Under **Platform**, select **Windows 10 and later**.
1. Under **Profile type**, select **Templates**.
1. When the templates appears, under **Template name**, select **Custom**.
1. Select **Create** to close the **Create profile** window.
1. Under **Platform**, select **Windows 10 and later**
1. Under **Profile type**, select **Templates**
1. When the templates appears, under **Template name**, select **Custom**
1. Select **Create** to close the **Create profile** window
1. The **Custom** screen will open. In the **Basics** page:
1. Next to **Name**, enter **Personal Data Encryption**.
1. Next to **Description**, enter a description.
1. Select **Next**.
1. Next to **Name**, enter **Personal Data Encryption**
1. Next to **Description**, enter a description
1. Select **Next**
1. In **Configuration settings** page:
1. Next to **OMA-URI Settings**, select **Add**.
1. Next to **OMA-URI Settings**, select **Add**
1. In the **Add Row** window that opens:
1. Next to **Name**, enter **Personal Data Encryption**.
1. Next to **Description**, enter a description.
1. Next to **Name**, enter **Personal Data Encryption**
1. Next to **Description**, enter a description
1. Next to **OMA-URI**, enter in:
**`./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption`**
1. Next to **Data type**, select **Integer**.
1. Next to **Value**, enter in **1**.
1. Select **Save** to close the **Add Row** window.
1. Select **Next**.
1. Next to **Data type**, select **Integer**
1. Next to **Value**, enter in **1**
1. Select **Save** to close the **Add Row** window
1. Select **Next**
1. In the **Assignments** page:
1. Under **Included groups**, select **Add groups**.
1. Under **Included groups**, select **Add groups**
> [!NOTE]
>
> Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile.
1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window.
1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**.
1. In **Applicability Rules**, configure if necessary and then select **Next**.
1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**.
1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window
1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**
1. In **Applicability Rules**, configure if necessary and then select **Next**
1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**
## Additional PDE configurations in Intune
The following PDE configurations can also be configured using Intune:
### Required prerequisites
### Prerequisites
- [Disable Winlogon automatic restart sign-on (ARSO)](../pde-in-intune/intune-disable-arso.md)
- [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md)
### Security hardening recommendations
- [Disable kernel-mode crash dumps and live dumps](../pde-in-intune/intune-disable-memory-dumps.md)
- [Disable Windows Error Reporting (WER)/user-mode crash dumps](../pde-in-intune/intune-disable-wer.md)
- [Disable hibernation](../pde-in-intune/intune-disable-hibernation.md)
- [Disable allowing users to select when a password is required when resuming from connected standby](../pde-in-intune/intune-disable-password-connected-standby.md)
- [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md)
- [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md)
- [Disable hibernation](intune-disable-hibernation.md)
- [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md)
## More information
- [Personal Data Encryption (PDE)](../overview-pde.md)
- [Personal Data Encryption (PDE) FAQ](../faq-pde.yml)
- [Personal Data Encryption (PDE)](index.md)
- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)
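Review bot: The rewritten template step still reads "When the templates appears", so the subject-verb disagreement carries over from the old line into the new one. Every step in this list is already being touched to drop its trailing period, so fix it in the same pass ("When the templates appear"), and consider "enter" instead of "enter in" on the OMA-URI and Value steps. Separately, the links move from `../pde-in-intune/` paths to same-directory paths and from `../overview-pde.md` to `index.md`; verify that each target exists at its new location, since the ARSO page was listed under "Required prerequisites" before the heading was shortened to "Prerequisites" and a dead link there would hide a step that must be done before enabling `./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption`.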

View File

@ -0,0 +1,19 @@
items:
- name: Overview
href: index.md
- name: Configure PDE with Intune
href: configure-pde-in-intune.md
- name: Enable Personal Data Encryption (PDE)
href: intune-enable-pde.md
- name: Disable Winlogon automatic restart sign-on (ARSO) for PDE
href: intune-disable-arso.md
- name: Disable kernel-mode crash dumps and live dumps for PDE
href: intune-disable-memory-dumps.md
- name: Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE
href: intune-disable-wer.md
- name: Disable hibernation for PDE
href: intune-disable-hibernation.md
- name: Disable allowing users to select when a password is required when resuming from connected standby for PDE
href: intune-disable-password-connected-standby.md
- name: PDE frequently asked questions (FAQ)
href: faq-pde.yml
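Review bot: The entry names in this new TOC are inconsistent and longer than they need to be: "Configure PDE with Intune" abbreviates, "Enable Personal Data Encryption (PDE)" spells the name out, and five entries carry a "for PDE" suffix even though the file only contains PDE pages. Suggest using the abbreviation throughout and dropping the suffix, which also shortens "Disable allowing users to select when a password is required when resuming from connected standby for PDE" to something that fits a navigation pane.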

View File

@ -1,104 +1,12 @@
items:
- name: Overview
href: ../../encryption-data-protection.md
href: index.md
- name: BitLocker
href: ../../information-protection/bitlocker/bitlocker-overview.md
items:
- name: Overview of BitLocker Device Encryption in Windows
href: ../../information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
- name: BitLocker frequently asked questions (FAQ)
href: ../../information-protection/bitlocker/bitlocker-frequently-asked-questions.yml
items:
- name: Overview and requirements
href: ../../information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml
- name: Upgrading
href: ../../information-protection/bitlocker/bitlocker-upgrading-faq.yml
- name: Deployment and administration
href: ../../information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml
- name: Key management
href: ../../information-protection/bitlocker/bitlocker-key-management-faq.yml
- name: BitLocker To Go
href: ../../information-protection/bitlocker/bitlocker-to-go-faq.yml
- name: Active Directory Domain Services
href: ../../information-protection/bitlocker/bitlocker-and-adds-faq.yml
- name: Security
href: ../../information-protection/bitlocker/bitlocker-security-faq.yml
- name: BitLocker Network Unlock
href: ../../information-protection/bitlocker/bitlocker-network-unlock-faq.yml
- name: General
href: ../../information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml
- name: "Prepare your organization for BitLocker: Planning and policies"
href: ../../information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
- name: BitLocker deployment comparison
href: ../../information-protection/bitlocker/bitlocker-deployment-comparison.md
- name: BitLocker basic deployment
href: ../../information-protection/bitlocker/bitlocker-basic-deployment.md
- name: Deploy BitLocker on Windows Server 2012 and later
href: ../../information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md
- name: BitLocker management
href: ../../information-protection/bitlocker/bitlocker-management-for-enterprises.md
- name: Enable Network Unlock with BitLocker
href: ../../information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
- name: Use BitLocker Drive Encryption Tools to manage BitLocker
href: ../../information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
- name: Use BitLocker Recovery Password Viewer
href: ../../information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md
- name: BitLocker Group Policy settings
href: ../../information-protection/bitlocker/bitlocker-group-policy-settings.md
- name: BCD settings and BitLocker
href: ../../information-protection/bitlocker/bcd-settings-and-bitlocker.md
- name: BitLocker Recovery Guide
href: ../../information-protection/bitlocker/bitlocker-recovery-guide-plan.md
- name: BitLocker Countermeasures
href: ../../information-protection/bitlocker/bitlocker-countermeasures.md
- name: Protecting cluster shared volumes and storage area networks with BitLocker
href: ../../information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
- name: Troubleshoot BitLocker
items:
- name: Troubleshoot BitLocker
href: /troubleshoot/windows-client/windows-security/bitlocker-issues-troubleshooting
- name: "BitLocker cannot encrypt a drive: known issues"
href: /troubleshoot/windows-client/windows-security/bitlocker-cannot-encrypt-a-drive-known-issues
- name: "Enforcing BitLocker policies by using Intune: known issues"
href: /troubleshoot/windows-client/windows-security/enforcing-bitlocker-policies-by-using-intune-known-issues
- name: "BitLocker Network Unlock: known issues"
href: /troubleshoot/windows-client/windows-security/bitlocker-network-unlock-known-issues
- name: "BitLocker recovery: known issues"
href: /troubleshoot/windows-client/windows-security/bitlocker-recovery-known-issues
- name: "BitLocker configuration: known issues"
href: /troubleshoot/windows-client/windows-security/bitlocker-configuration-known-issues
- name: Troubleshoot BitLocker and TPM issues
items:
- name: "BitLocker cannot encrypt a drive: known TPM issues"
href: /troubleshoot/windows-client/windows-security/bitlocker-cannot-encrypt-a-drive-known-tpm-issues
- name: "BitLocker and TPM: other known issues"
href: /troubleshoot/windows-client/windows-security/bitlocker-and-tpm-other-known-issues
- name: Decode Measured Boot logs to track PCR changes
href: /troubleshoot/windows-client/windows-security/decode-measured-boot-logs-to-track-pcr-changes
href: bitlocker/toc.yml
- name: Encrypted Hard Drive
href: ../../information-protection/encrypted-hard-drive.md
href: encrypted-hard-drive.md
- name: Personal Data Encryption (PDE)
items:
- name: Personal Data Encryption (PDE) overview
href: ../../information-protection/personal-data-encryption/overview-pde.md
- name: Personal Data Encryption (PDE) frequently asked questions (FAQ)
href: ../../information-protection/personal-data-encryption/faq-pde.yml
- name: Configure Personal Data Encryption (PDE) in Intune
items:
- name: Configure Personal Data Encryption (PDE) in Intune
href: ../../information-protection/personal-data-encryption/configure-pde-in-intune.md
- name: Enable Personal Data Encryption (PDE)
href: ../../information-protection/personal-data-encryption/pde-in-intune/intune-enable-pde.md
- name: Disable Winlogon automatic restart sign-on (ARSO) for PDE
href: ../../information-protection/personal-data-encryption/pde-in-intune/intune-disable-arso.md
- name: Disable kernel-mode crash dumps and live dumps for PDE
href: ../../information-protection/personal-data-encryption/pde-in-intune/intune-disable-memory-dumps.md
- name: Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE
href: ../../information-protection/personal-data-encryption/pde-in-intune/intune-disable-wer.md
- name: Disable hibernation for PDE
href: ../../information-protection/personal-data-encryption/pde-in-intune/intune-disable-hibernation.md
- name: Disable allowing users to select when a password is required when resuming from connected standby for PDE
href: ../../information-protection/personal-data-encryption/pde-in-intune/intune-disable-password-connected-standby.md
href: personal-data-encryption/toc.yml
- name: Configure S/MIME for Windows
href: configure-s-mime.md
- name: Windows Information Protection (WIP)
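Review bot: Collapsing the inline BitLocker tree into `href: bitlocker/toc.yml` removes the "Troubleshoot BitLocker" group from this file, including the absolute `/troubleshoot/windows-client/windows-security/...` links for known issues, TPM issues and "Decode Measured Boot logs to track PCR changes". Those entries are not relative to this repository path, so they will not follow the file move on their own; confirm that `bitlocker/toc.yml` reproduces them, otherwise the troubleshooting pages drop out of the navigation. The same check applies to the nine FAQ sub-entries and to `personal-data-encryption/toc.yml`, which replaces the inline PDE items.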

View File

@ -25,7 +25,7 @@ Use the links in the following table to learn more about the operating system se
Cryptography and certificate management|Cryptography uses code to convert data so that only a specific recipient can read it by using a key. Cryptography enforces privacy to prevent anyone except the intended recipient from reading data, integrity to ensure data is free of tampering, and authentication that verifies identity to ensure that communication is secure. <br><br/> Learn more about [Cryptography and certificate management](cryptography-certificate-mgmt.md). <br/><br/>|
Windows Security app | The Windows built-in security application found in settings provides an at-a-glance view of the security status and health of your device. These insights help you identify issues and take action to make sure you're protected. You can quickly see the status of your virus and threat protection, firewall and network security, device security controls, and more. <br><br/> Learn more about the [Windows Security app](threat-protection/windows-defender-security-center/windows-defender-security-center.md).|
| Encryption and data protection | Wherever confidential data is stored, it must be protected against unauthorized access, whether through physical device theft or from malicious applications. Windows provides strong at-rest data-protection solutions that guard against nefarious attackers. <br/><br/> Learn more about [Encryption](encryption-data-protection.md).
| BitLocker | BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later. <br/> <br/> Learn more about [BitLocker](information-protection/bitlocker/bitlocker-overview.md). |
| BitLocker | BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later. <br/> <br/> Learn more about [BitLocker ](operating-system-security/data-protection/bitlocker/index.md). |
| Encrypted Hard Drive | Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management. <br> By offloading the cryptographic operations to hardware, Encrypted Hard Drives increase BitLocker performance and reduce CPU usage and power consumption. Because Encrypted Hard Drives encrypt data quickly, enterprise devices can expand BitLocker deployment with minimal impact on productivity. <br/><br/> Learn more about [Encrypted Hard Drives](information-protection/encrypted-hard-drive.md).|
| S/MIME | S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with. <br/><br/> Learn more about [S/MIME for Windows](operating-system-security/data-protection/configure-s-mime.md).|
| Security baselines | A security baseline is a group of Microsoft-recommended configuration settings that explains their security impact. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers. <br/><br/>Security baselines are included in the [Security Compliance Toolkit](threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md) that you can download from the Microsoft Download Center.<br/><br/>Learn more about [security baselines](threat-protection/windows-security-configuration-framework/windows-security-baselines.md). |
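Review bot: The new BitLocker row has a stray space inside the link text, `[BitLocker ](operating-system-security/data-protection/bitlocker/index.md)`, which renders as an underlined trailing space; it should be `[BitLocker]`. In the same table, the Encrypted Hard Drive row still links to `information-protection/encrypted-hard-drive.md`, while the data-protection TOC changed in this commit now points at `encrypted-hard-drive.md` in its own directory; update that link here as well so the table does not depend on a redirect.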

View File

@ -48,7 +48,7 @@ The Security Compliance Toolkit consists of:
- Microsoft 365 Apps for Enterprise Version 2206
- Microsoft Edge security baseline
- Edge version 107
- Edge version 114
- Tools
- Policy Analyzer