deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'main' into pm-20220912-WinSE-documentation

Browse Source
This commit is contained in:
Paolo Matarazzo 2022-09-20 12:12:54 -04:00 committed by GitHub
commit 1f367e573f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
62 changed files with 1873 additions and 1345 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
.openpublishing.redirection.json
View File

@ -19644,6 +19644,11 @@
"source_path": "windows/security/identity-protection/access-control/dynamic-access-control.md", "source_path": "windows/security/identity-protection/access-control/dynamic-access-control.md",
"redirect_url": "/windows-server/identity/solution-guides/dynamic-access-control-overview", "redirect_url": "/windows-server/identity/solution-guides/dynamic-access-control-overview",
"redirect_document_id": false "redirect_document_id": false
},
{
"source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md",
"redirect_url": "windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md",
"redirect_document_id": false
} }
] ]
} }

22
CONTRIBUTING.md
View File

@ -2,7 +2,7 @@
Thank you for your interest in the Windows IT professional documentation! We appreciate your feedback, edits, and additions to our docs. Thank you for your interest in the Windows IT professional documentation! We appreciate your feedback, edits, and additions to our docs.
This page covers the basic steps for editing our technical documentation. This page covers the basic steps for editing our technical documentation.
For a more up-to-date and complete contribution guide, see the main [contributor guide overview](https://docs.microsoft.com/contribute/). For a more up-to-date and complete contribution guide, see the main [contributor guide overview](https://learn.microsoft.com/contribute/).
## Sign a CLA ## Sign a CLA
@ -19,10 +19,10 @@ We've tried to make editing an existing, public file as simple as possible.
### To edit a topic ### To edit a topic
1. Browse to the [Microsoft Docs](https://docs.microsoft.com/) article that you want to update. 1. Browse to the [Microsoft Docs](https://learn.microsoft.com/) article that you want to update.
> **Note**<br> > **Note**<br>
> If you're a Microsoft employee or vendor, before you edit the article, append `review.` to the beginning of the URL. This action lets you use the private repository, **windows-docs-pr**. For more information, see the [internal contributor guide](https://review.docs.microsoft.com/help/get-started/edit-article-in-github?branch=main). > If you're a Microsoft employee or vendor, before you edit the article, append `review.` to the beginning of the URL. This action lets you use the private repository, **windows-docs-pr**. For more information, see the [internal contributor guide](https://review.learn.microsoft.com/help/get-started/edit-article-in-github?branch=main).
1. Then select the **Pencil** icon. 1. Then select the **Pencil** icon.
@ -37,7 +37,7 @@ We've tried to make editing an existing, public file as simple as possible.
![GitHub Web, showing the Pencil icon.](images/pencil-icon.png) ![GitHub Web, showing the Pencil icon.](images/pencil-icon.png)
1. Using Markdown language, make your changes to the file. For info about how to edit content using Markdown, see the [Docs Markdown reference](https://docs.microsoft.com/contribute/markdown-reference) and GitHub's [Mastering Markdown](https://guides.github.com/features/mastering-markdown/) documentation. 1. Using Markdown language, make your changes to the file. For info about how to edit content using Markdown, see the [Docs Markdown reference](https://learn.microsoft.com/contribute/markdown-reference) and GitHub's [Mastering Markdown](https://guides.github.com/features/mastering-markdown/) documentation.
1. Make your suggested change, and then select **Preview changes** to make sure it looks correct. 1. Make your suggested change, and then select **Preview changes** to make sure it looks correct.
@ -57,16 +57,16 @@ We've tried to make editing an existing, public file as simple as possible.
The pull request is sent to the writer of the topic and your edits are reviewed. If your request is accepted, updates are published to their respective article. This repository contains articles on some of the following topics: The pull request is sent to the writer of the topic and your edits are reviewed. If your request is accepted, updates are published to their respective article. This repository contains articles on some of the following topics:
- [Windows client documentation for IT Pros](https://docs.microsoft.com/windows/resources/) - [Windows client documentation for IT Pros](https://learn.microsoft.com/windows/resources/)
- [Microsoft Store](https://docs.microsoft.com/microsoft-store) - [Microsoft Store](https://learn.microsoft.com/microsoft-store)
- [Windows 10 for Education](https://docs.microsoft.com/education/windows) - [Windows 10 for Education](https://learn.microsoft.com/education/windows)
- [Windows 10 for SMB](https://docs.microsoft.com/windows/smb) - [Windows 10 for SMB](https://learn.microsoft.com/windows/smb)
- [Internet Explorer 11](https://docs.microsoft.com/internet-explorer/) - [Internet Explorer 11](https://learn.microsoft.com/internet-explorer/)
## Making more substantial changes ## Making more substantial changes
To make substantial changes to an existing article, add or change images, or contribute a new article, you'll need to create a local clone of the content. To make substantial changes to an existing article, add or change images, or contribute a new article, you'll need to create a local clone of the content.
For info about creating a fork or clone, see [Set up a local Git repository](https://docs.microsoft.com/contribute/get-started-setup-local). The GitHub docs topic, [Fork a Repo](https://docs.github.com/articles/fork-a-repo), is also insightful. For info about creating a fork or clone, see [Set up a local Git repository](https://learn.microsoft.com/contribute/get-started-setup-local). The GitHub docs topic, [Fork a Repo](https://docs.github.com/articles/fork-a-repo), is also insightful.
Fork the official repo into your personal GitHub account, and then clone the fork down to your local device. Work locally, then push your changes back into your fork. Finally, open a pull request back to the main branch of the official repo. Fork the official repo into your personal GitHub account, and then clone the fork down to your local device. Work locally, then push your changes back into your fork. Finally, open a pull request back to the main branch of the official repo.
@ -82,4 +82,4 @@ In the new issue form, enter a brief title. In the body of the form, describe th
- You can use your favorite text editor to edit Markdown files. We recommend [Visual Studio Code](https://code.visualstudio.com/), a free lightweight open source editor from Microsoft. - You can use your favorite text editor to edit Markdown files. We recommend [Visual Studio Code](https://code.visualstudio.com/), a free lightweight open source editor from Microsoft.
- You can learn the basics of Markdown in just a few minutes. To get started, check out [Mastering Markdown](https://guides.github.com/features/mastering-markdown/). - You can learn the basics of Markdown in just a few minutes. To get started, check out [Mastering Markdown](https://guides.github.com/features/mastering-markdown/).
- Microsoft technical documentation uses several custom Markdown extensions. To learn more, see the [Docs Markdown reference](https://docs.microsoft.com/contribute/markdown-reference). - Microsoft technical documentation uses several custom Markdown extensions. To learn more, see the [Docs Markdown reference](https://learn.microsoft.com/contribute/markdown-reference).

56
bcs/docfx.json
View File

@ -1,56 +0,0 @@
{
"build": {
"content": [
{
"files": [
"**/*.md",
"**/*.yml"
],
"exclude": [
"**/obj/**",
"**/includes/**",
"_themes/**",
"_themes.pdf/**",
"README.md",
"LICENSE",
"LICENSE-CODE",
"ThirdPartyNotices"
]
}
],
"resource": [
{
"files": [
"**/*.png",
"**/*.jpg"
],
"exclude": [
"**/obj/**",
"**/includes/**",
"_themes/**",
"_themes.pdf/**"
]
}
],
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/microsoft-365/business/breadcrumb/toc.json",
"extendBreadcrumb": true,
"contributors_to_exclude": [
"rjagiewich",
"traya1",
"rmca14",
"claydetels19",
"jborsecnik",
"tiburd",
"garycentric"
]
},
"fileMetadata": {},
"template": [],
"dest": "bcs-vsts",
"markdownEngineName": "dfm"
}
}

75
devices/hololens/docfx.json
View File

@ -1,75 +0,0 @@
{
"build": {
"content": [
{
"files": [
"**/*.md",
"**/**.yml"
],
"exclude": [
"**/obj/**",
"devices/hololens/**",
"**/includes/**"
]
}
],
"resource": [
{
"files": [
"**/*.png",
"**/*.jpg",
"**/*.gif"
],
"exclude": [
"**/obj/**",
"devices/hololens/**",
"**/includes/**"
]
}
],
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/hololens/breadcrumb/toc.json",
"ms.technology": "windows",
"ms.topic": "article",
"audience": "ITPro",
"manager": "dansimp",
"ms.date": "04/05/2017",
"feedback_system": "GitHub",
"feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
"feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "Win.itpro-hololens",
"folder_relative_path_in_docset": "./"
}
},
"contributors_to_exclude": [
"rjagiewich",
"traya1",
"rmca14",
"claydetels19",
"jborsecnik",
"tiburd",
"garycentric"
]
},
"fileMetadata": {},
"template": [],
"dest": "devices/hololens",
"markdownEngineName": "markdig"
},
"contributors_to_exclude": [
"rjagiewich",
"traya1",
"rmca14",
"claydetels19",
"Kellylorenebaker",
"jborsecnik",
"tiburd",
"garycentric"
]
}

63
devices/surface-hub/docfx.json
View File

@ -1,63 +0,0 @@
{
"build": {
"content": [
{
"files": [
"**/**.md",
"**/**.yml"
],
"exclude": [
"**/obj/**"
]
}
],
"resource": [
{
"files": [
"**/images/**",
"**/*.pptx",
"**/*.pdf"
],
"exclude": [
"**/obj/**"
]
}
],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/surface-hub/breadcrumb/toc.json",
"ROBOTS": "INDEX, FOLLOW",
"ms.technology": "windows",
"audience": "ITPro",
"ms.topic": "article",
"manager": "dansimp",
"ms.mktglfcycl": "manage",
"ms.sitesec": "library",
"ms.date": "05/23/2017",
"feedback_system": "GitHub",
"feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
"feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "Win.surface-hub",
"folder_relative_path_in_docset": "./"
}
},
"contributors_to_exclude": [
"rjagiewich",
"traya1",
"rmca14",
"claydetels19",
"Kellylorenebaker",
"jborsecnik",
"tiburd",
"garycentric"
],
"titleSuffix": "Surface Hub"
},
"externalReference": [],
"template": "op.html",
"dest": "devices/surface-hub",
"markdownEngineName": "markdig"
}
}

59
devices/surface/docfx.json
View File

@ -1,59 +0,0 @@
{
"build": {
"content": [
{
"files": [
"**/**.md",
"**/**.yml"
],
"exclude": [
"**/obj/**"
]
}
],
"resource": [
{
"files": [
"**/images/**"
],
"exclude": [
"**/obj/**"
]
}
],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/surface/breadcrumb/toc.json",
"ROBOTS": "INDEX, FOLLOW",
"ms.technology": "windows",
"audience": "ITPro",
"ms.topic": "article",
"manager": "dansimp",
"ms.date": "05/09/2017",
"feedback_system": "GitHub",
"feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
"feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "Win.surface",
"folder_relative_path_in_docset": "./"
}
},
"contributors_to_exclude": [
"rjagiewich",
"traya1",
"rmca14",
"claydetels19",
"Kellylorenebaker",
"jborsecnik",
"tiburd",
"garycentric"
],
"titleSuffix": "Surface"
},
"externalReference": [],
"template": "op.html",
"dest": "devices/surface",
"markdownEngineName": "markdig"
}
}

49
education/includes/education-content-updates.md
View File

@ -2,6 +2,16 @@
## Week of September 12, 2022
| Published On |Topic title | Change |
|------|------------|--------|
| 9/13/2022 | [Chromebook migration guide (Windows 10)](/education/windows/chromebook-migration-guide) | modified |
| 9/14/2022 | [Windows 11 SE Overview](/education/windows/windows-11-se-overview) | modified |
| 9/14/2022 | [Windows 11 SE settings list](/education/windows/windows-11-se-settings-list) | modified |
## Week of September 05, 2022 ## Week of September 05, 2022
@ -40,42 +50,3 @@
| Published On |Topic title | Change | | Published On |Topic title | Change |
|------|------------|--------| |------|------------|--------|
| 8/17/2022 | [For IT administrators get Minecraft Education Edition](/education/windows/school-get-minecraft) | modified | | 8/17/2022 | [For IT administrators get Minecraft Education Edition](/education/windows/school-get-minecraft) | modified |
## Week of August 08, 2022
| Published On |Topic title | Change |
|------|------------|--------|
| 8/10/2022 | [Reset devices with Autopilot Reset](/education/windows/autopilot-reset) | modified |
| 8/10/2022 | [Change history for Windows 10 for Education (Windows 10)](/education/windows/change-history-edu) | modified |
| 8/10/2022 | [Change to Windows 10 Education from Windows 10 Pro](/education/windows/change-to-pro-education) | modified |
| 8/10/2022 | [Chromebook migration guide (Windows 10)](/education/windows/chromebook-migration-guide) | modified |
| 8/10/2022 | [Windows 10 configuration recommendations for education customers](/education/windows/configure-windows-for-education) | modified |
| 8/10/2022 | [Deploy Windows 10 in a school district (Windows 10)](/education/windows/deploy-windows-10-in-a-school-district) | modified |
| 8/10/2022 | [Deploy Windows 10 in a school (Windows 10)](/education/windows/deploy-windows-10-in-a-school) | modified |
| 8/10/2022 | [Deployment recommendations for school IT administrators](/education/windows/edu-deployment-recommendations) | modified |
| 8/10/2022 | [Education scenarios Microsoft Store for Education](/education/windows/education-scenarios-store-for-business) | modified |
| 8/10/2022 | [Enable S mode on Surface Go devices for Education](/education/windows/enable-s-mode-on-surface-go-devices) | modified |
| 8/10/2022 | [Get Minecraft Education Edition](/education/windows/get-minecraft-for-education) | modified |
| 8/10/2022 | [Windows 10 for Education (Windows 10)](/education/windows/index) | modified |
| 8/10/2022 | [Switch to Windows 10 Pro Education in S mode from Windows 10 Pro in S mode](/education/windows/s-mode-switch-to-edu) | modified |
| 8/10/2022 | [For IT administrators get Minecraft Education Edition](/education/windows/school-get-minecraft) | modified |
| 8/10/2022 | [Azure AD Join with Set up School PCs app](/education/windows/set-up-school-pcs-azure-ad-join) | modified |
| 8/10/2022 | [What's in Set up School PCs provisioning package](/education/windows/set-up-school-pcs-provisioning-package) | modified |
| 8/10/2022 | [Shared PC mode for school devices](/education/windows/set-up-school-pcs-shared-pc-mode) | modified |
| 8/10/2022 | [Set up School PCs app technical reference overview](/education/windows/set-up-school-pcs-technical) | modified |
| 8/10/2022 | [What's new in the Windows Set up School PCs app](/education/windows/set-up-school-pcs-whats-new) | modified |
| 8/10/2022 | [Set up student PCs to join domain](/education/windows/set-up-students-pcs-to-join-domain) | modified |
| 8/10/2022 | [Provision student PCs with apps](/education/windows/set-up-students-pcs-with-apps) | modified |
| 8/10/2022 | [Set up Windows devices for education](/education/windows/set-up-windows-10) | modified |
| 8/10/2022 | [Take a Test app technical reference](/education/windows/take-a-test-app-technical) | modified |
| 8/10/2022 | [Set up Take a Test on multiple PCs](/education/windows/take-a-test-multiple-pcs) | modified |
| 8/10/2022 | [Set up Take a Test on a single PC](/education/windows/take-a-test-single-pc) | modified |
| 8/10/2022 | [Take tests in Windows 10](/education/windows/take-tests-in-windows-10) | modified |
| 8/10/2022 | [For teachers get Minecraft Education Edition](/education/windows/teacher-get-minecraft) | modified |
| 8/10/2022 | [Test Windows 10 in S mode on existing Windows 10 education devices](/education/windows/test-windows10s-for-edu) | modified |
| 8/10/2022 | [Use Set up School PCs app](/education/windows/use-set-up-school-pcs-app) | modified |
| 8/10/2022 | [What is Windows 11 SE](/education/windows/windows-11-se-overview) | modified |
| 8/10/2022 | [Windows 11 SE settings list](/education/windows/windows-11-se-settings-list) | modified |
| 8/10/2022 | [Windows 10 editions for education customers](/education/windows/windows-editions-for-education-customers) | modified |

4
education/index.yml
View File

@ -73,7 +73,7 @@ productDirectory:
text: IT admin help text: IT admin help
- url: https://support.office.com/education - url: https://support.office.com/education
text: Education help center text: Education help center
- url: /learn/educator-center/ - url: /training/educator-center/
text: Teacher training packs text: Teacher training packs
# Card # Card
- title: Check out our education journey - title: Check out our education journey
@ -115,4 +115,4 @@ additionalContent:
# Card # Card
- title: Education Partner community Yammer group - title: Education Partner community Yammer group
summary: Sign in with your Microsoft Partner account and join the Education Partner community private group on Yammer. summary: Sign in with your Microsoft Partner account and join the Education Partner community private group on Yammer.
url: https://www.yammer.com/mepn/ url: https://www.yammer.com/mepn/

3
education/windows/windows-11-se-overview.md
View File

@ -87,7 +87,6 @@ The following applications can also run on Windows 11 SE, and can be deployed us
| Application | Supported version | App Type | Vendor | | Application | Supported version | App Type | Vendor |
|-----------------------------------------|-------------------|----------|------------------------------| |-----------------------------------------|-------------------|----------|------------------------------|
| AirSecure | 8.0.0 | Win32 | AIR | | AirSecure | 8.0.0 | Win32 | AIR |
| Alertus Desktop | 5.4.44.0 | Win32 | Alertus technologies |
| Brave Browser | 1.34.80 | Win32 | Brave | | Brave Browser | 1.34.80 | Win32 | Brave |
| Bulb Digital Portfolio | 0.0.7.0 | Store | Bulb | | Bulb Digital Portfolio | 0.0.7.0 | Store | Bulb |
| Cisco Umbrella | 3.0.110.0 | Win32 | Cisco | | Cisco Umbrella | 3.0.110.0 | Win32 | Cisco |
@ -119,7 +118,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us
| Mozilla Firefox | 99.0.1 | Win32 | Mozilla | | Mozilla Firefox | 99.0.1 | Win32 | Mozilla |
| NAPLAN | 2.5.0 | Win32 | NAP | | NAPLAN | 2.5.0 | Win32 | NAP |
| Netref Student | 22.2.0 | Win32 | NetRef | | Netref Student | 22.2.0 | Win32 | NetRef |
| NetSupport Manager | 12.01.0011 | Win32 | NetSupport | | NetSupport Manager | 12.01.0014 | Win32 | NetSupport |
| NetSupport Notify | 5.10.1.215 | Win32 | NetSupport | | NetSupport Notify | 5.10.1.215 | Win32 | NetSupport |
| NetSupport School | 14.00.0011 | Win32 | NetSupport | | NetSupport School | 14.00.0011 | Win32 | NetSupport |
| NextUp Talker | 1.0.49 | Win32 | NextUp Technologies | | NextUp Talker | 1.0.49 | Win32 | NextUp Technologies |

55
gdpr/docfx.json
View File

@ -1,55 +0,0 @@
{
"build": {
"content": [
{
"files": [
"**/*.md",
"**/*.yml"
],
"exclude": [
"**/obj/**",
"**/includes/**",
"README.md",
"LICENSE",
"LICENSE-CODE",
"ThirdPartyNotices"
]
}
],
"resource": [
{
"files": [
"**/*.png",
"**/*.jpg"
],
"exclude": [
"**/obj/**",
"**/includes/**"
]
}
],
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"author": "eross-msft",
"ms.author": "lizross",
"feedback_system": "GitHub",
"feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
"feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
"contributors_to_exclude": [
"rjagiewich",
"traya1",
"rmca14",
"claydetels19",
"jborsecnik",
"tiburd",
"garycentric"
]
},
"fileMetadata": {},
"template": [],
"dest": "gdpr",
"markdownEngineName": "dfm"
}
}

63
mdop/docfx.json
View File

@ -1,63 +0,0 @@
{
"build": {
"content": [
{
"files": [
"**/**.md",
"**/**.yml"
],
"exclude": [
"**/obj/**"
]
}
],
"resource": [
{
"files": [
"**/images/**"
],
"exclude": [
"**/obj/**"
]
}
],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/microsoft-desktop-optimization-pack/breadcrumb/toc.json",
"ROBOTS": "INDEX, FOLLOW",
"ms.technology": "windows",
"audience": "ITPro",
"manager": "dansimp",
"ms.prod": "w10",
"ms.author": "dansimp",
"author": "dansimp",
"ms.sitesec": "library",
"ms.topic": "article",
"ms.date": "04/05/2017",
"feedback_system": "GitHub",
"feedback_github_repo": "https://github.com/MicrosoftDocs/mdop-docs",
"feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "Win.mdop",
"folder_relative_path_in_docset": "./"
}
},
"contributors_to_exclude": [
"rjagiewich",
"traya1",
"rmca14",
"claydetels19",
"Kellylorenebaker",
"jborsecnik",
"tiburd",
"garycentric"
],
"titleSuffix": "Microsoft Desktop Optimization Pack"
},
"externalReference": [],
"template": "op.html",
"dest": "mdop",
"markdownEngineName": "markdig"
}
}

4
store-for-business/whats-new-microsoft-store-business-education.md
View File

@ -41,7 +41,7 @@ We've been working on bug fixes and performance improvements to provide you a be
| ![Private store performance icon.](images/perf-improvement-icon.png) |**Performance improvements in private store**<br /><br /> We've made it significantly faster for you to update the private store. Many changes to the private store are available immediately after you make them. <br /><br />[Get more info](./manage-private-store-settings.md#private-store-performance)<br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education | | ![Private store performance icon.](images/perf-improvement-icon.png) |**Performance improvements in private store**<br /><br /> We've made it significantly faster for you to update the private store. Many changes to the private store are available immediately after you make them. <br /><br />[Get more info](./manage-private-store-settings.md#private-store-performance)<br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
| <iframe width="288" height="232" src="https://www.youtube-nocookie.com/embed/IpLIZU_j7Z0" frameborder="0" allowfullscreen></iframe>| **Manage Windows device deployment with Windows Autopilot Deployment** <br /><br /> In Microsoft Store for Business, you can manage devices for your organization and apply an Autopilot deployment profile to your devices. When people in your organization run the out-of-box experience on the device, the profile configures Windows, based on the Autopilot deployment profile you applied to the device.<br /><br />[Get more info](add-profile-to-devices.md)<br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education | | <iframe width="288" height="232" src="https://www.youtube-nocookie.com/embed/IpLIZU_j7Z0" frameborder="0" allowfullscreen></iframe>| **Manage Windows device deployment with Windows Autopilot Deployment** <br /><br /> In Microsoft Store for Business, you can manage devices for your organization and apply an Autopilot deployment profile to your devices. When people in your organization run the out-of-box experience on the device, the profile configures Windows, based on the Autopilot deployment profile you applied to the device.<br /><br />[Get more info](add-profile-to-devices.md)<br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
| ![Microsoft Store for Business Settings page, Distribute tab showing app requests setting.](images/msfb-wn-1709-app-request.png) |**Request an app**<br /><br />People in your organization can request additional licenses for apps in your private store, and then Admins or Purchasers can make the purchases. <br /><br />[Get more info](./acquire-apps-microsoft-store-for-business.md#request-apps)<br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education | | ![Microsoft Store for Business Settings page, Distribute tab showing app requests setting.](images/msfb-wn-1709-app-request.png) |**Request an app**<br /><br />People in your organization can request additional licenses for apps in your private store, and then Admins or Purchasers can make the purchases. <br /><br />[Get more info](./acquire-apps-microsoft-store-for-business.md#request-apps)<br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
|| ![Image showing Add a Collection.](images/msfb-add-collection.png) |**Private store collections**<br /><br> You can groups of apps in your private store with **Collections**. This can help you organize apps and help people find apps for their job or classroom. <br /><br />[Get more info](https://review.docs.microsoft.com/microsoft-store/manage-private-store-settings?branch=msfb-14856406#add-a-collection)<br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education | || ![Image showing Add a Collection.](images/msfb-add-collection.png) |**Private store collections**<br /><br> You can groups of apps in your private store with **Collections**. This can help you organize apps and help people find apps for their job or classroom. <br /><br />[Get more info](https://review.learn.microsoft.com/microsoft-store/manage-private-store-settings?branch=msfb-14856406#add-a-collection)<br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
--> -->
## Previous releases and updates ## Previous releases and updates
@ -97,4 +97,4 @@ We've been working on bug fixes and performance improvements to provide you a be
- Manage prepaid Office 365 subscriptions - Manage prepaid Office 365 subscriptions
- Manage Office 365 subscriptions acquired by partners - Manage Office 365 subscriptions acquired by partners
- Edge extensions in Microsoft Store - Edge extensions in Microsoft Store
- Search results in Microsoft Store for Business - Search results in Microsoft Store for Business

12
template.md
View File

@ -28,7 +28,7 @@ When you create a new markdown file article, **Save as** this template to a new
## Metadata ## Metadata
The full metadata block is above the markdown between the `---` lines. For more information, see [Metadata attributes](https://review.docs.microsoft.com/en-us/help/contribute/metadata-attributes?branch=main) in the contributor guide. Some key notes: The full metadata block is above the markdown between the `---` lines. For more information, see [Metadata attributes](https://review.learn.microsoft.com/help/contribute/metadata-attributes?branch=main) in the contributor guide. Some key notes:
- You _must_ have a space between the colon (`:`) and the value for a metadata element. - You _must_ have a space between the colon (`:`) and the value for a metadata element.
@ -65,7 +65,7 @@ The full metadata block is above the markdown between the `---` lines. For more
All basic and Github-flavored markdown (GFM) is supported. For more information, see the following articles: All basic and Github-flavored markdown (GFM) is supported. For more information, see the following articles:
- [Docs Markdown reference in the Contributor Guide](https://review.docs.microsoft.com/help/contribute/markdown-reference?branch=main) - [Docs Markdown reference in the Contributor Guide](https://review.learn.microsoft.com/help/contribute/markdown-reference?branch=main)
- [Baseline markdown syntax](https://daringfireball.net/projects/markdown/syntax) - [Baseline markdown syntax](https://daringfireball.net/projects/markdown/syntax)
- [Github-flavored markdown (GFM) documentation](https://docs.github.com/github/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax) - [Github-flavored markdown (GFM) documentation](https://docs.github.com/github/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax)
@ -79,7 +79,7 @@ Second-level headings (`##`, also known as H2) generate the on-page TOC that app
Limit the length of second-level headings to avoid excessive line wraps. Limit the length of second-level headings to avoid excessive line wraps.
Make sure _all_ headings of any level have a unique name for the article. The build creates an anchor for all headings on the page using kebab formatting. For example, from the [Docs Markdown reference](https://review.docs.microsoft.com/help/contribute/markdown-reference?branch=main) article, the heading **Alerts (Note, Tip, Important, Caution, Warning)** becomes the anchor `#alerts-note-tip-important-caution-warning`. If there are duplicate headings, then the anchors don't behave properly. This behavior also applies when using include files, make sure the headings are unique across the main markdown file, and all include markdown files. Make sure _all_ headings of any level have a unique name for the article. The build creates an anchor for all headings on the page using kebab formatting. For example, from the [Docs Markdown reference](https://review.learn.microsoft.com/help/contribute/markdown-reference?branch=main) article, the heading **Alerts (Note, Tip, Important, Caution, Warning)** becomes the anchor `#alerts-note-tip-important-caution-warning`. If there are duplicate headings, then the anchors don't behave properly. This behavior also applies when using include files, make sure the headings are unique across the main markdown file, and all include markdown files.
Don't skip levels. For example, don't have an H3 (`###`) without a parent H2 (`##`). Don't skip levels. For example, don't have an H3 (`###`) without a parent H2 (`##`).
@ -111,7 +111,7 @@ _Italics_ (a single asterisk (`*`) also works, but the underscore (`_`) helps di
> >
> It supports headings in the current and other files too! (Just not the custom `bkmk` anchors that are sometimes used in this content.) > It supports headings in the current and other files too! (Just not the custom `bkmk` anchors that are sometimes used in this content.)
For more information, see [Add links to articles](https://review.docs.microsoft.com/help/contribute/links-how-to?branch=main) in the contributor guide. For more information, see [Add links to articles](https://review.learn.microsoft.com/help/contribute/links-how-to?branch=main) in the contributor guide.
### Article in the same repo ### Article in the same repo
@ -149,7 +149,7 @@ There's a broken link report that runs once a week in the build system, get the
Don't use URL shorteners like `go.microsoft.com/fwlink` or `aka.ms`. Include the full URL to the target. Don't use URL shorteners like `go.microsoft.com/fwlink` or `aka.ms`. Include the full URL to the target.
For more information, see [Add links to articles](https://review.docs.microsoft.com/help/contribute/links-how-to?branch=main) in the contributor guide. For more information, see [Add links to articles](https://review.learn.microsoft.com/help/contribute/links-how-to?branch=main) in the contributor guide.
## Lists ## Lists
@ -289,4 +289,4 @@ Always include alt text for accessibility, and always end it with a period.
## docs.ms extensions ## docs.ms extensions
> [!div class="nextstepaction"] > [!div class="nextstepaction"]
> [Microsoft Endpoint Configuration Manager documentation](https://docs.microsoft.com/mem/configmgr) > [Microsoft Endpoint Configuration Manager documentation](https://learn.microsoft.com/mem/configmgr)

61
windows/access-protection/docfx.json
View File

@ -1,61 +0,0 @@
{
"build": {
"content": [
{
"files": [
"**/*.md",
"**/*.yml"
],
"exclude": [
"**/obj/**",
"**/includes/**",
"README.md",
"LICENSE",
"LICENSE-CODE",
"ThirdPartyNotices"
]
}
],
"resource": [
{
"files": [
"**/*.png",
"**/*.jpg",
"**/*.gif"
],
"exclude": [
"**/obj/**",
"**/includes/**"
]
}
],
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows",
"audience": "ITPro",
"ms.topic": "article",
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.win-access-protection",
"folder_relative_path_in_docset": "./"
}
},
"contributors_to_exclude": [
"rjagiewich",
"traya1",
"rmca14",
"claydetels19",
"jborsecnik",
"tiburd",
"garycentric"
]
},
"fileMetadata": {},
"template": [],
"dest": "win-access-protection",
"markdownEngineName": "markdig"
}
}

3
windows/client-management/manage-corporate-devices.md
View File

@ -44,6 +44,3 @@ You can use the same management tools to manage all device types running Windows
[Microsoft Intune End User Enrollment Guide](/samples/browse/?redirectedfrom=TechNet-Gallery) [Microsoft Intune End User Enrollment Guide](/samples/browse/?redirectedfrom=TechNet-Gallery)
[Windows 10 (and Windows 11) and Azure Active Directory: Embracing the Cloud](https://go.microsoft.com/fwlink/p/?LinkId=615768) [Windows 10 (and Windows 11) and Azure Active Directory: Embracing the Cloud](https://go.microsoft.com/fwlink/p/?LinkId=615768)
Microsoft Virtual Academy course: [Configuration Manager & Windows Intune](/learn/)
 

12
windows/client-management/mdm/configuration-service-provider-reference.md
View File

@ -531,6 +531,18 @@ Additional lists:
<!--EndSKU--> <!--EndSKU-->
<!--EndCSP--> <!--EndCSP-->
<!--StartCSP-->
[Local Administrator Password Solution CSP](laps-csp.md)
<!--StartSKU-->
|Home|Pro|Business|Enterprise|Education|
|--- |--- |--- |--- |--- |
|Yes|Yes|Yes|Yes|Yes|
<!--EndSKU-->
<!--EndCSP-->
<!--StartCSP--> <!--StartCSP-->
[MultiSIM CSP](multisim-csp.md) [MultiSIM CSP](multisim-csp.md)

4
windows/client-management/mdm/diagnosticlog-csp.md
View File

@ -565,7 +565,7 @@ The data type is string.
Default string is as follows: Default string is as follows:
`https://docs.microsoft.com/windows/'desktop/WES/eventmanifestschema-channeltype-complextype` `https://learn.microsoft.com/windows/'desktop/WES/eventmanifestschema-channeltype-complextype`
Add **SDDL** Add **SDDL**
@ -1677,4 +1677,4 @@ To read a log file:
## Related topics ## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md) [Configuration service provider reference](configuration-service-provider-reference.md)

8
windows/client-management/mdm/diagnosticlog-ddf.md
View File

@ -2028,7 +2028,7 @@ The content below are the latest versions of the DDF files:
<Delete /> <Delete />
<Replace /> <Replace />
</AccessType> </AccessType>
<Description>SDDL String controlling access to the channel. Default: https://docs.microsoft.com/windows/desktop/WES/eventmanifestschema-channeltype-complextype</Description> <Description>SDDL String controlling access to the channel. Default: https://learn.microsoft.com/windows/desktop/WES/eventmanifestschema-channeltype-complextype</Description>
<DFFormat> <DFFormat>
<chr /> <chr />
</DFFormat> </DFFormat>
@ -2178,9 +2178,3 @@ The content below are the latest versions of the DDF files:
   
   

2
windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
View File

@ -219,7 +219,7 @@ Requirements:
4. Rename the extracted Policy Definitions folder to `PolicyDefinitions`. 4. Rename the extracted Policy Definitions folder to `PolicyDefinitions`.
5. Copy the PolicyDefinitions folder to `\\SYSVOL\contoso.com\policies\PolicyDefinitions`. 5. Copy the PolicyDefinitions folder to `\\contoso.com\SYSVOL\contoso.com\policies\PolicyDefinitions`.
If this folder doesn't exist, then you'll be switching to a [central policy store](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) for your entire domain. If this folder doesn't exist, then you'll be switching to a [central policy store](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) for your entire domain.

8
windows/client-management/mdm/healthattestation-ddf.md
View File

@ -92,7 +92,7 @@ The XML below is the current version for this CSP.
<AccessType> <AccessType>
<Get /> <Get />
</AccessType> </AccessType>
<Description>Provides the current status of the device health request. For the complete list of status see https://docs.microsoft.com/en-us/windows/client-management/mdm/healthattestation-csp#device-healthattestation-csp-status-and-error-codes</Description> <Description>Provides the current status of the device health request. For the complete list of status see https://learn.microsoft.com/windows/client-management/mdm/healthattestation-csp#device-healthattestation-csp-status-and-error-codes</Description>
<DFFormat> <DFFormat>
<int /> <int />
</DFFormat> </DFFormat>
@ -456,9 +456,3 @@ The XML below is the current version for this CSP.
   
   

760
windows/client-management/mdm/laps-csp.md Normal file
View File

@ -0,0 +1,760 @@
---
title: Local Administrator Password Solution CSP
description: Learn how the Local Administrator Password Solution configuration service provider (CSP) is used by the enterprise to manage backup of local administrator account passwords.
ms.author: jsimmons
ms.topic: article
ms.prod: w11
ms.technology: windows
author: jsimmons
ms.localizationpriority: medium
ms.date: 07/04/2022
ms.reviewer: jsimmons
manager: jsimmons
---
# Local Administrator Password Solution CSP
The Local Administrator Password Solution (LAPS) configuration service provider (CSP) is used by the enterprise to manage back up of local administrator account passwords. This CSP was added in Windows 11 as of version 25145.
> [!IMPORTANT]
> Windows LAPS is currently only available in Windows Insider builds as of 25145 and later. Support for the Windows LAPS Azure AD scenario is currently limited to a small group of Windows Insiders.
The following example shows the LAPS CSP in tree format.
```xml
./Device/Vendor/MSFT
LAPS
----Policies
--------BackupDirectory
--------PasswordAgeDays
--------PasswordLength
--------PasswordComplexity
--------PasswordExpirationProtectionEnabled
--------AdministratorAccountName
--------ADPasswordEncryptionEnabled
--------ADPasswordEncryptionPrincipal
--------ADEncryptedPasswordHistorySize
--------PostAuthenticationResetDelay
--------PostAuthenticationActions
----Actions
--------ResetPassword
--------ResetPasswordStatus
```
The LAPS CSP can be used to manage devices that are either joined to Azure AD or joined to both Azure AD and Active Directory (hybrid-joined). The LAPS CSP manages a mix of AAD-only and AD-only settings. The AD-only settings are only applicable for hybrid-joined devices, and then only when BackupDirectory is set to 2.
|Setting name|Azure-joined|Hybrid-joined|
|---|---|---|
|BackupDirectory|Yes|Yes
|PasswordAgeDays|Yes|Yes
|PasswordLength|Yes|Yes|
|PasswordComplexity|Yes|Yes|
|PasswordExpirationProtectionEnabled|No|Yes|
|AdministratorAccountName|Yes|Yes|
|ADPasswordEncryptionEnabled|No|Yes|
|ADPasswordEncryptionPrincipal|No|Yes|
|ADEncryptedPasswordHistorySize|No|Yes|
|PostAuthenticationResetDelay|Yes|Yes|
|PostAuthenticationActions|Yes|Yes|
|ResetPassword|Yes|Yes|
|ResetPasswordStatus|Yes|Yes|
> [!IMPORTANT]
> Windows supports a LAPS Group Policy Object that is entirely separate from the LAPS CSP. Many of the various settings are common across both the LAPS GPO and CSP (GPO does not support any of the Action-related settings). As long as at least one LAPS setting is configured via CSP, any GPO-configured settings will be ignored. Also see the TBD reference on LAPS policy configuration.
## ./Device/Vendor/MSFT/LAPS
Defines the root node for the LAPS CSP.
<!--Policy-->
### Policies
Defines the interior parent node for all configuration-related settings in the LAPS CSP.
<!--/Policy-->
<!--Policy-->
### BackupDirectory
<!--Description-->
Allows the administrator to configure which directory the local administrator account password is backed up to.
<!--/Description-->
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|Yes|
|Pro|No|Yes|
|Business|No|Yes|
|Enterprise|No|Yes|
|Education|No|Yes|
<!--/SupportedSKUs-->
Data type is integer. Supported operations are Add, Get, Replace, and Delete.
<!--SupportedValues-->
The allowable settings are:
|Value|Description of setting|
|--- |--- |
|0|Disabled (password won't be backed up)|
|1|Back up the password to Azure AD only|
|2|Back up the password to Active Directory only|
If not specified, this setting will default to 0 (disabled).
<!--/SupportedValues-->
<!--/Policy-->
<!--Policy-->
### PasswordAgeDays
<!--Description-->
Use this policy to configure the maximum password age of the managed local administrator account.
<!--/Description-->
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|Yes|
|Pro|No|Yes|
|Business|No|Yes|
|Enterprise|No|Yes|
|Education|No|Yes|
<!--/SupportedSKUs-->
<!--SupportedValues-->
If not specified, this setting will default to 30 days
This setting has a minimum allowed value of 1 day when backing the password to on-premises Active Directory, and 7 days when backing the password Azure AD.
This setting has a maximum allowed value of 365 days.
<!--/SupportedValues-->
Data type is integer.
Supported operations are Add, Get, Replace, and Delete.
<!--/Policy-->
<!--Policy-->
### PasswordComplexity
<!--Description-->
Use this setting to configure password complexity of the managed local administrator account.
<!--/Description-->
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|Yes|
|Pro|No|Yes|
|Business|No|Yes|
|Enterprise|No|Yes|
|Education|No|Yes|
<!--/SupportedSKUs-->
<!--SupportedValues-->
The allowable settings are:
|Value|Description of setting|
|--- |--- |
|1|Large letters|
|2|Large letters + small letters|
|3|Large letters + small letters + numbers|
|4|Large letters + small letters + numbers + special characters|
If not specified, this setting will default to 4.
> [!IMPORTANT]
> Windows supports the lower password complexity settings (1, 2, and 3) only for backwards compatibility with older versions of LAPS. Microsoft recommends that this setting always be configured to 4.
<!--/SupportedValues-->
Data type is integer.
Supported operations are Add, Get, Replace, and Delete.
<!--/Policy-->
<!--Policy-->
### PasswordLength
<!--Description-->
Use this setting to configure the length of the password of the managed local administrator account.
<!--/Description-->
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|Yes|
|Pro|No|Yes|
|Business|No|Yes|
|Enterprise|No|Yes|
|Education|No|Yes|
<!--/SupportedSKUs-->
<!--SupportedValues-->
If not specified, this setting will default to 14 characters.
This setting has a minimum allowed value of 8 characters.
This setting has a maximum allowed value of 64 characters.
<!--/SupportedValues-->
Data type is integer.
Supported operations are Add, Get, Replace, and Delete.
<!--/Policy-->
<!--Policy-->
### AdministratorAccountName
<!--Description-->
Use this setting to configure the name of the managed local administrator account.
<!--/Description-->
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|Yes|
|Pro|No|Yes|
|Business|No|Yes|
|Enterprise|No|Yes|
|Education|No|Yes|
<!--/SupportedSKUs-->
<!--SupportedValues-->
If not specified, the default built-in local administrator account will be located by well-known SID (even if renamed).
If specified, the specified account's password will be managed.
> [!IMPORTANT]
> If a custom account name is specified in this setting, the specified account must be created via other means. Specifying a name in this setting will not cause the account to be created.
<!--/SupportedValues-->
Data type is string.
Supported operations are Add, Get, Replace, and Delete.
<!--/Policy-->
<!--Policy-->
### PasswordExpirationProtectionEnabled
<!--Description-->
Use this setting to configure additional enforcement of maximum password age for the managed local administrator account.
<!--/Description-->
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|Yes|
|Pro|No|Yes|
|Business|No|Yes|
|Enterprise|No|Yes|
|Education|No|Yes|
<!--/SupportedSKUs-->
<!--SupportedValues-->
When this setting is set to True, planned password expiration that would result in a password age greater than what is specified by the "PasswordAgeDays" policy is NOT allowed. When such expiration is detected, the password is changed immediately, and the new password expiration date is set according to policy.
If not specified, this setting defaults to True.
> [!IMPORTANT]
> This setting is ignored unless BackupDirectory is configured to back up the password to Active Directory.
<!--/SupportedValues-->
Data type is boolean.
Supported operations are Add, Get, Replace, and Delete.
<!--/Policy-->
<!--Policy-->
### ADPasswordEncryptionEnabled
<!--Description-->
Use this setting to configure whether the password is encrypted before being stored in Active Directory.
<!--/Description-->
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|Yes|
|Pro|No|Yes|
|Business|No|Yes|
|Enterprise|No|Yes|
|Education|No|Yes|
<!--/SupportedSKUs-->
<!--SupportedValues-->
This setting is ignored if the password is currently being stored in Azure.
If this setting is set to True, and the Active Directory domain meets the 2016 DFL prerequisite, the password is encrypted before being stored in Active Directory.
If this setting is missing or set to False, or the Active Directory domain doesn't meet the DFL prerequisite, the password is stored as clear-text in Active Directory.
If not specified, this setting defaults to False.
> [!IMPORTANT]
> This setting is ignored unless BackupDirectory is configured to back up the password to Active Directory, AND the the Active Directory domain is at Windows Server 2016 Domain Functional Level or higher.
<!--/SupportedValues-->
Data type is boolean.
Supported operations are Add, Get, Replace, and Delete.
<!--/Policy-->
<!--Policy-->
### ADPasswordEncryptionPrincipal
<!--Description-->
Use this setting to configure the name or SID of a user or group that can decrypt the password stored in Active Directory.
<!--/Description-->
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|Yes|
|Pro|No|Yes|
|Business|No|Yes|
|Enterprise|No|Yes|
|Education|No|Yes|
<!--/SupportedSKUs-->
<!--SupportedValues-->
This setting is ignored if the password is currently being stored in Azure.
If not specified, the password can only be decrypted by the Domain Admins group in the device's domain.
If specified, the specified user or group will be able to decrypt the password stored in Active Directory.
If the specified user or group account is invalid the device will fall back to using the Domain Admins group in the device's domain.
> [!IMPORTANT]
> The string stored in this setting must be either a SID in string form or the fully qualified name of a user or group. Valid examples include:
>
> "S-1-5-21-2127521184-1604012920-1887927527-35197"
>
> "contoso\LAPSAdmins"
>
> "lapsadmins@contoso.com"
>
> The principal identified (either by SID or user\group name) must exist and be resolvable by the device.
> [!IMPORTANT]
> This setting is ignored unless ADPasswordEncryptionEnabled is configured to True and all other prerequisites are met.
<!--/SupportedValues-->
Data type is string.
Supported operations are Add, Get, Replace, and Delete.
<!--/Policy-->
<!--Policy-->
### ADEncryptedPasswordHistorySize
<!--Description-->
Use this setting to configure how many previous encrypted passwords will be remembered in Active Directory.
<!--/Description-->
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|Yes|
|Pro|No|Yes|
|Business|No|Yes|
|Enterprise|No|Yes|
|Education|No|Yes|
<!--/SupportedSKUs-->
<!--SupportedValues-->
If not specified, this setting will default to 0 passwords (disabled).
This setting has a minimum allowed value of 0 passwords.
This setting has a maximum allowed value of 12 passwords.
> [!IMPORTANT]
> This setting is ignored unless ADPasswordEncryptionEnabled is configured to True and all other prerequisites are met.
<!--/SupportedValues-->
Data type is integer.
Supported operations are Add, Get, Replace, and Delete.
<!--/Policy-->
<!--Policy-->
### PostAuthenticationResetDelay
<!--Description-->
Use this setting to specify the amount of time (in hours) to wait after an authentication before executing the specified post-authentication actions (see the PostAuthenticationActions setting below).
<!--/Description-->
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|Yes|
|Pro|No|Yes|
|Business|No|Yes|
|Enterprise|No|Yes|
|Education|No|Yes|
<!--/SupportedSKUs-->
<!--SupportedValues-->
If not specified, this setting will default to 24 hours.
This setting has a minimum allowed value of 0 hours (this disables all post-authentication actions).
This setting has a maximum allowed value of 24 hours.
<!--/SupportedValues-->
Data type is integer.
Supported operations are Add, Get, Replace, and Delete.
<!--/Policy-->
<!--Policy-->
### PostAuthenticationActions
<!--Description-->
Use this setting to specify the actions to take upon expiration of the configured grace period (see the PostAuthenticationResetDelay setting above).
<!--/Description-->
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|Yes|
|Pro|No|Yes|
|Business|No|Yes|
|Enterprise|No|Yes|
|Education|No|Yes|
<!--/SupportedSKUs-->
<!--SupportedValues-->
This setting can have ONE of the following values:
|Value|Name|Action(s) taken upon expiry of the grace period|
|--- |--- |--- |
|1|Reset password|The managed account password will be reset|
|3|Reset password and log off|The managed account password will be reset and any interactive logon sessions using the managed account will be terminated|
|5|Reset password and reboot|The managed account password will be reset and the managed device will be immediately rebooted.|
If not specified, this setting will default to 3.
> [!IMPORTANT]
> The allowed post-authentication actions are intended to help limit the amount of time that a LAPS password may be used before being reset. Logging off the managed account - or rebooting the device - are options to help ensure this. Abrupt termination of logon sessions, or rebooting the device, may result in data loss.
> [!IMPORTANT]
> From a security perspective, a malicious user who acquires administrative privileges on a device using a valid LAPS password does have the ultimate ability to prevent or circumvent these mechanisms.
<!--/SupportedValues-->
Data type is integer.
Supported operations are Add, Get, Replace, and Delete.
<!--/Policy-->
<!--Policy-->
## Actions
Defines the parent interior node for all action-related settings in the LAPS CSP.
<!--/Policy-->
<!--Policy-->
### ResetPassword
<!--Description-->
Use this Execute action to request an immediate reset of the local administrator account password, ignoring the normal constraints such as PasswordLengthDays, etc.
<!--/Description-->
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|Yes|
|Pro|No|Yes|
|Business|No|Yes|
|Enterprise|No|Yes|
|Education|No|Yes|
<!--/SupportedSKUs-->
<!--SupportedValues-->
<!--/SupportedValues-->
Data type is integer.
Supported operations are Execute.
<!--/Policy-->
<!--Policy-->
### ResetPasswordStatus
<!--Description-->
Use this setting to query the status of the last submitted ResetPassword action.
<!--/Description-->
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|Yes|
|Pro|No|Yes|
|Business|No|Yes|
|Enterprise|No|Yes|
|Education|No|Yes|
<!--/SupportedSKUs-->
<!--SupportedValues-->
The value returned is an HRESULT code.
S_OK (0x0) - the last submitted ResetPassword action succeeded.
E_PENDING (0x8000000) - the last submitted ResetPassword action is still executing.
other - the last submitted ResetPassword action encountered the returned error.
<!--/SupportedValues-->
Data type is integer.
Supported operations are Get.
<!--/Policy-->
### SyncML examples
The following examples are provided to show proper format and shouldn't be taken as a recommendation.
#### Azure-joined device backing password up to Azure AD
This example is configuring an Azure-joined device to back up its password to Azure Active Directory:
```xml
<SyncMl xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Add>
<CmdId>1</CmdId>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/LAPS/Policies/BackupDirectory</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
<Type>text/plain</Type>
</Meta>
<Data>1</Data>
</Item>
</Add>
<Add>
<CmdId>2</CmdId>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/LAPS/Policies/PasswordAgeDays</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
<Type>text/plain</Type>
</Meta>
<Data>7</Data>
</Item>
</Add>
<Add>
<CmdId>3</CmdId>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/LAPS/Policies/PasswordComplexity</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
<Type>text/plain</Type>
</Meta>
<Data>4</Data>
</Item>
</Add>
<Add>
<CmdId>4</CmdId>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/LAPS/Policies/PasswordLength</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
<Type>text/plain</Type>
</Meta>
<Data>32</Data>
</Item>
</Add>
<Add>
<CmdId>5</CmdId>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/LAPS/Policies/AdministratorAccountName</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
<Type>text/plain</Type>
</Meta>
<Data>ContosoLocalLapsAdmin</Data>
</Item>
</Add>
<Add>
<CmdId>6</CmdId>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/LAPS/Policies/PostAuthenticationResetDelay</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
<Type>text/plain</Type>
</Meta>
<Data>8</Data>
</Item>
</Add>
<Add>
<CmdId>7</CmdId>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/LAPS/Policies/PostAuthenticationActions</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
<Type>text/plain</Type>
</Meta>
<Data>3</Data>
</Item>
</Add>&lt;Final/&gt;</SyncBody>
</SyncMl>
```
#### Hybrid-joined device backing password up to Active Directory
This example is configuring a hybrid device to back up its password to Active Directory with password encryption enabled:
```xml
<SyncMl xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Add>
<CmdId>1</CmdId>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/LAPS/Policies/BackupDirectory</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
<Type>text/plain</Type>
</Meta>
<Data>2</Data>
</Item>
</Add>
<Add>
<CmdId>2</CmdId>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/LAPS/Policies/PasswordAgeDays</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
<Type>text/plain</Type>
</Meta>
<Data>20</Data>
</Item>
</Add>
<Add>
<CmdId>3</CmdId>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/LAPS/Policies/PasswordComplexity</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
<Type>text/plain</Type>
</Meta>
<Data>3</Data>
</Item>
</Add>
<Add>
<CmdId>4</CmdId>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/LAPS/Policies/PasswordLength</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
<Type>text/plain</Type>
</Meta>
<Data>14</Data>
</Item>
</Add>
<Add>
<CmdId>5</CmdId>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/LAPS/Policies/AdministratorAccountName</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
<Type>text/plain</Type>
</Meta>
<Data>ContosoLocalLapsAdmin</Data>
</Item>
</Add>
<Add>
<CmdId>6</CmdId>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/LAPS/Policies/PasswordExpirationProtectionEnabled</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">bool</Format>
<Type>text/plain</Type>
</Meta>
<Data>True</Data>
</Item>
</Add>
<Add>
<CmdId>7</CmdId>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/LAPS/Policies/ADPasswordEncryptionEnabled</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">bool</Format>
<Type>text/plain</Type>
</Meta>
<Data>True</Data>
</Item>
</Add>
<Add>
<CmdId>8</CmdId>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/LAPS/Policies/ADPasswordEncryptionPrincipal</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
<Type>text/plain</Type>
</Meta>
<Data>LAPSAdmins@contoso.com</Data>
</Item>
</Add>
<Add>
<CmdId>9</CmdId>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/LAPS/Policies/ADEncryptedPasswordHistorySize</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
<Type>text/plain</Type>
</Meta>
<Data>6</Data>
</Item>
</Add>
<Add>
<CmdId>10</CmdId>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/LAPS/Policies/PostAuthenticationResetDelay</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
<Type>text/plain</Type>
</Meta>
<Data>4</Data>
</Item>
</Add>
<Add>
<CmdId>11</CmdId>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/LAPS/Policies/PostAuthenticationActions</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
<Type>text/plain</Type>
</Meta>
<Data>5</Data>
</Item>
</Add>&lt;Final/&gt;</SyncBody>
</SyncMl>
```
## Related articles
[Configuration service provider reference](configuration-service-provider-reference.md)

654
windows/client-management/mdm/laps-ddf-file.md Normal file
View File

@ -0,0 +1,654 @@
---
title: LAPS DDF file
description: Learn about the OMA DM device description framework (DDF) for the Local Administrator Password Solution configuration service provider.
ms.author: jsimmons
ms.topic: article
ms.prod: w11
ms.technology: windows
author: jsimmons
ms.localizationpriority: medium
ms.date: 07/04/2022
ms.reviewer: jsimmons
manager: jsimmons
---
# Local Administrator Password Solution DDF file
This article shows the OMA DM device description framework (DDF) for the Local Administrator Password Solution (LAPS) configuration service provider.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
The XML below is the current version for this CSP.
```xml
<?xml version='1.0' encoding='utf-8' standalone='yes'?>
<identity
xmlns="urn:Microsoft.CompPlat/ManifestSchema.v1.00"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
owner="Microsoft"
namespace="Windows-DeviceManagement-CspDefinition"
name="LAPS">
<cspDefinition>
<MgmtTree>
<VerDTD>1.2</VerDTD>
<BinaryPath>"%windir%\system32\LapsCSP.dll</BinaryPath>
<Diagnostics></Diagnostics>
<ComClsid>{298a6f17-03e7-4bd4-971c-544f359527b7}</ComClsid>
<Node>
<NodeName>LAPS</NodeName>
<Path>./Device/Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>The root node for the LAPS configuration service provider.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
<Applicability>
<OsBuildVersion>99.9.99999</OsBuildVersion>
<CspVersion>1.0</CspVersion>
</Applicability>
<ExposedTo>
<Mdm />
</ExposedTo>
</DFProperties>
<Node>
<NodeName>Policies</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Root node for LAPS policies.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFTitle>Policies</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
<AtomicRequired />
</DFProperties>
<Node>
<NodeName>BackupDirectory</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>Use this setting to configure which directory the local admin account password is backed up to.
The allowable settings are:
0=Disabled (password will not be backed up)
1=Backup the password to Azure AD only
2=Backup the password to Active Directory only
If not specified, this setting will default to 0.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<AllowedValues ValueType="ENUM">
<Enum>
<Value>0</Value>
<ValueDescription>Disabled (password will not be backed up)</ValueDescription>
</Enum>
<Enum>
<Value>1</Value>
<ValueDescription>Backup the password to Azure AD only</ValueDescription>
</Enum>
<Enum>
<Value>2</Value>
<ValueDescription>Backup the password to Active Directory only</ValueDescription>
</Enum>
</AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>PasswordAgeDays</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>30</DefaultValue>
<Description>Use this policy to configure the maximum password age of the managed local administrator account.
If not specified, this setting will default to 30 days
This setting has a minimum allowed value of 1 day when backing the password to onpremises Active Directory, and 7 days when backing the password to Azure AD.
This setting has a maximum allowed value of 365 days.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<AllowedValues ValueType="Range">
<Value>[1-365]</Value>
</AllowedValues>
<DependencyBehavior>
<DependencyGroup FriendlyId="BackupDirectory">
<DependencyChangedAllowedValues ValueType="Range">
<Value>[7-365]</Value>
</DependencyChangedAllowedValues>
<Dependency Type="DependsOn">
<DependencyUri>Vendor/MSFT/LAPS/Policies/BackupDirectory</DependencyUri>
<DependencyAllowedValue ValueType="ENUM">
<Enum>
<Value>1</Value>
<ValueDescription>BackupDirectory configured to Azure AD</ValueDescription>
</Enum>
</DependencyAllowedValue>
</Dependency>
</DependencyGroup>
</DependencyBehavior>
</DFProperties>
</Node>
<Node>
<NodeName>PasswordComplexity</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>4</DefaultValue>
<Description>Use this setting to configure password complexity of the managed local administrator account.
The allowable settings are:
1=Large letters
2=Large letters + small letters
3=Large letters + small letters + numbers
4=Large letters + small letters + numbers + special characters
If not specified, this setting will default to 4.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<AllowedValues ValueType="ENUM">
<Enum>
<Value>1</Value>
<ValueDescription>Large letters</ValueDescription>
</Enum>
<Enum>
<Value>2</Value>
<ValueDescription>Large letters + small letters</ValueDescription>
</Enum>
<Enum>
<Value>3</Value>
<ValueDescription>Large letters + small letters + numbers</ValueDescription>
</Enum>
<Enum>
<Value>4</Value>
<ValueDescription>Large letters + small letters + numbers + special characters</ValueDescription>
</Enum>
</AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>PasswordLength</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>14</DefaultValue>
<Description>Use this setting to configure the length of the password of the managed local administrator account.
If not specified, this setting will default to 14 characters.
This setting has a minimum allowed value of 8 characters.
This setting has a maximum allowed value of 64 characters.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<AllowedValues ValueType="Range">
<Value>[8-64]</Value>
</AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>AdministratorAccountName</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Use this setting to configure the name of the managed local administrator account.
If not specified, the default built-in local administrator account will be located by well-known SID (even if renamed).
If specified, the specified account's password will be managed.
Note: if a custom managed local administrator account name is specified in this setting, that account must be created via other means. Specifying a name in this setting will not cause the account to be created.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>PasswordExpirationProtectionEnabled</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>True</DefaultValue>
<Description>Use this setting to configure additional enforcement of maximum password age for the managed local administrator account.
When this setting is enabled, planned password expiration that would result in a password age greater than that dictated by "PasswordAgeDays" policy is NOT allowed. When such expiration is detected, the password is changed immediately and the new password expiration date is set according to policy.
If not specified, this setting defaults to True.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<AllowedValues ValueType="ENUM">
<Enum>
<Value>false</Value>
<ValueDescription>Allow configured password expiriration timestamp to exceed maximum password age</ValueDescription>
</Enum>
<Enum>
<Value>true</Value>
<ValueDescription>Do not allow configured password expiriration timestamp to exceed maximum password age</ValueDescription>
</Enum>
</AllowedValues>
<DependencyBehavior>
<DependencyGroup FriendlyId="BackupDirectory">
<Dependency Type="DependsOn">
<DependencyUri>Vendor/MSFT/LAPS/Policies/BackupDirectory</DependencyUri>
<DependencyAllowedValue ValueType="ENUM">
<Enum>
<Value>2</Value>
<ValueDescription>BackupDirectory configured to Active Directory</ValueDescription>
</Enum>
</DependencyAllowedValue>
</Dependency>
</DependencyGroup>
</DependencyBehavior>
</DFProperties>
</Node>
<Node>
<NodeName>ADPasswordEncryptionEnabled</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>False</DefaultValue>
<Description>Use this setting to configure whether the password is encrypted before being stored in Active Directory.
This setting is ignored if the password is currently being stored in Azure.
This setting is only honored when the Active Directory domain is at Windows Server 2016 Domain Functional Level or higher.
If this setting is enabled, and the Active Directory domain meets the DFL prerequisite, the password will be encrypted before before being stored in Active Directory.
If this setting is disabled, or the Active Directory domain does not meet the DFL prerequisite, the password will be stored as clear-text in Active Directory.
If not specified, this setting defaults to False.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<AllowedValues ValueType="ENUM">
<Enum>
<Value>false</Value>
<ValueDescription>Store the password in clear-text form in Active Directory</ValueDescription>
</Enum>
<Enum>
<Value>true</Value>
<ValueDescription>Store the password in encrypted form in Active Directory</ValueDescription>
</Enum>
</AllowedValues>
<DependencyBehavior>
<DependencyGroup FriendlyId="BackupDirectory">
<Dependency Type="DependsOn">
<DependencyUri>Vendor/MSFT/LAPS/Policies/BackupDirectory</DependencyUri>
<DependencyAllowedValue ValueType="ENUM">
<Enum>
<Value>2</Value>
<ValueDescription>BackupDirectory configured to Active Directory</ValueDescription>
</Enum>
</DependencyAllowedValue>
</Dependency>
</DependencyGroup>
</DependencyBehavior>
</DFProperties>
</Node>
<Node>
<NodeName>ADPasswordEncryptionPrincipal</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Use this setting to configure the name or SID of a user or group that can decrypt the password stored in Active Directory.
This setting is ignored if the password is currently being stored in Azure.
If not specified, the password will be decryptable by the Domain Admins group in the device's domain.
If specified, the specified user or group will be able to decrypt the password stored in Active Directory.
If the specified user or group account is invalid the device will fallback to using the Domain Admins group in the device's domain.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<DependencyBehavior>
<DependencyGroup FriendlyId="BackupDirectory">
<Dependency Type="DependsOn">
<DependencyUri>Vendor/MSFT/LAPS/Policies/BackupDirectory</DependencyUri>
<DependencyAllowedValue ValueType="ENUM">
<Enum>
<Value>2</Value>
<ValueDescription>BackupDirectory configured to Active Directory</ValueDescription>
</Enum>
</DependencyAllowedValue>
</Dependency>
</DependencyGroup>
</DependencyBehavior>
</DFProperties>
</Node>
<Node>
<NodeName>ADEncryptedPasswordHistorySize</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>Use this setting to configure how many previous encrypted passwords will be remembered in Active Directory.
If not specified, this setting will default to 0 passwords (disabled).
This setting has a minimum allowed value of 0 passwords.
This setting has a maximum allowed value of 12 passwords.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<AllowedValues ValueType="Range">
<Value>[0-12]</Value>
</AllowedValues>
<DependencyBehavior>
<DependencyGroup FriendlyId="BackupDirectory">
<Dependency Type="DependsOn">
<DependencyUri>Vendor/MSFT/LAPS/Policies/BackupDirectory</DependencyUri>
<DependencyAllowedValue ValueType="ENUM">
<Enum>
<Value>2</Value>
<ValueDescription>BackupDirectory configured to Active Directory</ValueDescription>
</Enum>
</DependencyAllowedValue>
</Dependency>
</DependencyGroup>
</DependencyBehavior>
</DFProperties>
</Node>
<Node>
<NodeName>PostAuthenticationResetDelay</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>24</DefaultValue>
<Description>Use this setting to specify the amount of time (in hours) to wait after an authentication before executing the specified post-authentication actions.
If not specified, this setting will default to 24 hours.
This setting has a minimum allowed value of 0 hours (this disables all post-authentication actions).
This setting has a maximum allowed value of 24 hours.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<AllowedValues ValueType="Range">
<Value>[0-24]</Value>
</AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>PostAuthenticationActions</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>3</DefaultValue>
<Description>Use this setting to specify the actions to take upon expiration of the configured grace period.
If not specified, this setting will default to 3 (Reset the password and logoff the managed account).
</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<AllowedValues ValueType="ENUM">
<Enum>
<Value>1</Value>
<ValueDescription>Reset password: upon expiry of the grace period, the managed account password will be reset.</ValueDescription>
</Enum>
<Enum>
<Value>3</Value>
<ValueDescription>Reset the password and logoff the managed account: upon expiry of the grace period, the managed account password will be reset and any interactive logon sessions using the managed account will terminated.</ValueDescription>
</Enum>
<Enum>
<Value>5</Value>
<ValueDescription>Reset the password and reboot: upon expiry of the grace period, the managed account password will be reset and the managed device will be immediately rebooted.</ValueDescription>
</Enum>
</AllowedValues>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>Actions</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFTitle>Actions</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>ResetPassword</NodeName>
<DFProperties>
<AccessType>
<Exec />
</AccessType>
<Description>Use this setting to tell the CSP to immediately generate and store a new password for the managed local administrator account.</Description>
<DFFormat>
<null />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<AsynchronousTracking ResourceSuccessURI="ResetPasswordStatus" ResourceSuccessValues="0" ResourceInProgressValues="10" ResourceFailureValues="20"/>
</DFProperties>
</Node>
<Node>
<NodeName>ResetPasswordStatus</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>Use this setting to query the status of the last submitted ResetPassword execute action.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>ResetPasswordStatus</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</MgmtTree>
</cspDefinition>
</identity>
```
## Related articles
[LAPS configuration service provider](laps-csp.md)

229
windows/client-management/mdm/policy-csp-kerberos.md
View File

@ -31,6 +31,18 @@ manager: aaroncz
</dd> </dd>
<dd> <dd>
<a href="#kerberos-pkinithashalgorithmconfiguration">Kerberos/PKInitHashAlgorithmConfiguration</a> <a href="#kerberos-pkinithashalgorithmconfiguration">Kerberos/PKInitHashAlgorithmConfiguration</a>
</dd>
<dd>
<a href="#kerberos-pkinithashalgorithmsha1">Kerberos/PKInitHashAlgorithmSHA1</a>
</dd>
<dd>
<a href="#kerberos-pkinithashalgorithmsha256">Kerberos/PKInitHashAlgorithmSHA256</a>
</dd>
<dd>
<a href="#kerberos-pkinithashalgorithmsha384">Kerberos/PKInitHashAlgorithmSHA384</a>
</dd>
<dd>
<a href="#kerberos-pkinithashalgorithmsha512">Kerberos/PKInitHashAlgorithmSHA512</a>
</dd> </dd>
<dd> <dd>
<a href="#kerberos-requirekerberosarmoring">Kerberos/RequireKerberosArmoring</a> <a href="#kerberos-requirekerberosarmoring">Kerberos/RequireKerberosArmoring</a>
@ -231,22 +243,20 @@ ADMX Info:
This policy setting controls hash or checksum algorithms used by the Kerberos client when performing certificate authentication. This policy setting controls hash or checksum algorithms used by the Kerberos client when performing certificate authentication.
If you enable this policy, you'll be able to configure one of four states for each algorithm: If you enable this policy, you'll be able to configure one of four states for each hash algorithm (SHA1, SHA256, SHA384, and SHA512) using their respective policies.
* **Default**: This state sets the algorithm to the recommended state.
* **Supported**: This state enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security.
* **Audited**: This state enables usage of the algorithm and reports an event (ID 205) every time it's used. This state is intended to verify that the algorithm isn't being used and can be safely disabled.
* **Not Supported**: This state disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure.
If you disable or don't configure this policy, each algorithm will assume the **Default** state. If you disable or don't configure this policy, each algorithm will assume the **Default** state.
* 0 - **Disabled**
* 1 - **Enabled**
More information about the hash and checksum algorithms supported by the Windows Kerberos client and their default states can be found https://go.microsoft.com/fwlink/?linkid=2169037. More information about the hash and checksum algorithms supported by the Windows Kerberos client and their default states can be found https://go.microsoft.com/fwlink/?linkid=2169037.
<!--/Description--> <!--/Description-->
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP Friendly name: *Introducing agility to PKINIT in Kerberos protocol* - GP Friendly name: *Configure Hash algorithms for certificate logon*
- GP name: *PKInitHashAlgorithmConfiguration* - GP name: *PKInitHashAlgorithmConfiguration*
- GP path: *System/Kerberos* - GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx* - GP ADMX file name: *Kerberos.admx*
@ -256,6 +266,209 @@ ADMX Info:
<hr/> <hr/>
<!--Policy-->
<a href="" id="kerberos-pkinithashalgorithmsha1"></a>**Kerberos/PKInitHashAlgorithmSHA1**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting controls the configuration of the SHA1 algorithm used by the Kerberos client when performing certificate authentication. This policy is only enforced if Kerberos/PKInitHashAlgorithmConfiguration is enabled. You can configure one of four states for this algorithm:
* 0 - **Not Supported**: This state disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure.
* 1 - **Default**: This state sets the algorithm to the recommended state.
* 2 - **Audited**: This state enables usage of the algorithm and reports an event (ID 206) every time it's used. This state is intended to verify that the algorithm isn't being used and can be safely disabled.
* 3 - **Supported**: This state enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security.
If you don't configure this policy, the SHA1 algorithm will assume the **Default** state.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Configure Hash algorithms for certificate logon*
- GP name: *PKInitHashAlgorithmConfiguration*
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="kerberos-pkinithashalgorithmsha256"></a>**Kerberos/PKInitHashAlgorithmSHA256**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting controls the configuration of the SHA256 algorithm used by the Kerberos client when performing certificate authentication. This policy is only enforced if Kerberos/PKInitHashAlgorithmConfiguration is enabled. You can configure one of four states for this algorithm:
* 0 - **Not Supported**: This state disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure.
* 1 - **Default**: This state sets the algorithm to the recommended state.
* 2 - **Audited**: This state enables usage of the algorithm and reports an event (ID 206) every time it's used. This state is intended to verify that the algorithm isn't being used and can be safely disabled.
* 3 - **Supported**: This state enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security.
If you don't configure this policy, the SHA256 algorithm will assume the **Default** state.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Configure Hash algorithms for certificate logon*
- GP name: *PKInitHashAlgorithmConfiguration*
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="kerberos-pkinithashalgorithmsha384"></a>**Kerberos/PKInitHashAlgorithmSHA384**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting controls the configuration of the SHA384 algorithm used by the Kerberos client when performing certificate authentication. This policy is only enforced if Kerberos/PKInitHashAlgorithmConfiguration is enabled. You can configure one of four states for this algorithm:
* 0 - **Not Supported**: This state disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure.
* 1 - **Default**: This state sets the algorithm to the recommended state.
* 2 - **Audited**: This state enables usage of the algorithm and reports an event (ID 206) every time it's used. This state is intended to verify that the algorithm isn't being used and can be safely disabled.
* 3 - **Supported**: This state enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security.
If you don't configure this policy, the SHA384 algorithm will assume the **Default** state.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Configure Hash algorithms for certificate logon*
- GP name: *PKInitHashAlgorithmConfiguration*
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="kerberos-pkinithashalgorithmsha512"></a>**Kerberos/PKInitHashAlgorithmSHA512**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting controls the configuration of the SHA512 algorithm used by the Kerberos client when performing certificate authentication. This policy is only enforced if Kerberos/PKInitHashAlgorithmConfiguration is enabled. You can configure one of four states for this algorithm:
* 0 - **Not Supported**: This state disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure.
* 1 - **Default**: This state sets the algorithm to the recommended state.
* 2 - **Audited**: This state enables usage of the algorithm and reports an event (ID 206) every time it's used. This state is intended to verify that the algorithm isn't being used and can be safely disabled.
* 3 - **Supported**: This state enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security.
If you don't configure this policy, the SHA512 algorithm will assume the **Default** state.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Configure Hash algorithms for certificate logon*
- GP name: *PKInitHashAlgorithmConfiguration*
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy--> <!--Policy-->
<a href="" id="kerberos-requirekerberosarmoring"></a>**Kerberos/RequireKerberosArmoring** <a href="" id="kerberos-requirekerberosarmoring"></a>**Kerberos/RequireKerberosArmoring**
@ -456,4 +669,4 @@ Devices joined to Azure Active Directory in a hybrid environment need to interac
## Related topics ## Related topics
[Policy configuration service provider](policy-configuration-service-provider.md) [Policy configuration service provider](policy-configuration-service-provider.md)

5
windows/client-management/mdm/toc.yml
View File

@ -299,6 +299,11 @@ items:
items: items:
- name: HealthAttestation DDF - name: HealthAttestation DDF
href: healthattestation-ddf.md href: healthattestation-ddf.md
- name: Local Administrator Password Solution CSP
href: laps-csp.md
items:
- name: Local Administrator Password Solution DDF
href: laps-ddf-file.md
- name: MultiSIM CSP - name: MultiSIM CSP
href: multisim-csp.md href: multisim-csp.md
items: items:

2
windows/configuration/customize-taskbar-windows-11.md
View File

@ -157,7 +157,7 @@ Use the following steps to add your XML file to a group policy, and apply the po
4. When you apply the policy, the taskbar includes your changes. The next time users sign in, they'll see the changes. 4. When you apply the policy, the taskbar includes your changes. The next time users sign in, they'll see the changes.
For more information on using group policies, see [Implement Group Policy Objects](/learn/modules/implement-group-policy-objects/). For more information on using group policies, see [Implement Group Policy Objects](/training/modules/implement-group-policy-objects/).
### Create a Microsoft Endpoint Manager policy to deploy your XML file ### Create a Microsoft Endpoint Manager policy to deploy your XML file

8
windows/configuration/kiosk-xml.md
View File

@ -59,7 +59,7 @@ ms.topic: article
<!-- A link file is required for desktop applications to show on start layout, the link file can be placed under <!-- A link file is required for desktop applications to show on start layout, the link file can be placed under
"%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs" if the link file is shared for all users or "%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs" if the link file is shared for all users or
"%AppData%\Microsoft\Windows\Start Menu\Programs" if the link file is for the specific user only "%AppData%\Microsoft\Windows\Start Menu\Programs" if the link file is for the specific user only
see document https://docs.microsoft.com/windows/configuration/start-layout-xml-desktop see document https://learn.microsoft.com/windows/configuration/start-layout-xml-desktop
--> -->
<!-- for inbox desktop applications, a link file might already exist and can be used directly --> <!-- for inbox desktop applications, a link file might already exist and can be used directly -->
<start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Accessories\paint.lnk" /> <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Accessories\paint.lnk" />
@ -192,7 +192,7 @@ This sample demonstrates that both UWP and Win32 apps can be configured to autom
<!-- A link file is required for desktop applications to show on start layout, the link file can be placed under <!-- A link file is required for desktop applications to show on start layout, the link file can be placed under
"%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs" if the link file is shared for all users or "%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs" if the link file is shared for all users or
"%AppData%\Microsoft\Windows\Start Menu\Programs" if the link file is for the specific user only "%AppData%\Microsoft\Windows\Start Menu\Programs" if the link file is for the specific user only
see document https://docs.microsoft.com/windows/configuration/start-layout-xml-desktop see document https://learn.microsoft.com/windows/configuration/start-layout-xml-desktop
--> -->
<!-- for inbox desktop applications, a link file might already exist and can be used directly --> <!-- for inbox desktop applications, a link file might already exist and can be used directly -->
<start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Accessories\paint.lnk" /> <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Accessories\paint.lnk" />
@ -313,7 +313,7 @@ This sample demonstrates that only a global profile is used, with no active user
<!-- A link file is required for desktop applications to show on start layout, the link file can be placed under <!-- A link file is required for desktop applications to show on start layout, the link file can be placed under
"%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs" if the link file is shared for all users or "%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs" if the link file is shared for all users or
"%AppData%\Microsoft\Windows\Start Menu\Programs" if the link file is for the specific user only "%AppData%\Microsoft\Windows\Start Menu\Programs" if the link file is for the specific user only
see document https://docs.microsoft.com/windows/configuration/start-layout-xml-desktop see document https://learn.microsoft.com/windows/configuration/start-layout-xml-desktop
--> -->
<!-- for inbox desktop applications, a link file might already exist and can be used directly --> <!-- for inbox desktop applications, a link file might already exist and can be used directly -->
<start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Accessories\paint.lnk" /> <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Accessories\paint.lnk" />
@ -365,7 +365,7 @@ Below sample shows dedicated profile and global profile mixed usage, a user woul
<!-- A link file is required for desktop applications to show on start layout, the link file can be placed under <!-- A link file is required for desktop applications to show on start layout, the link file can be placed under
"%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs" if the link file is shared for all users or "%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs" if the link file is shared for all users or
"%AppData%\Microsoft\Windows\Start Menu\Programs" if the link file is for the specific user only "%AppData%\Microsoft\Windows\Start Menu\Programs" if the link file is for the specific user only
see document https://docs.microsoft.com/windows/configuration/start-layout-xml-desktop see document https://learn.microsoft.com/windows/configuration/start-layout-xml-desktop
--> -->
<!-- for inbox desktop applications, a link file might already exist and can be used directly --> <!-- for inbox desktop applications, a link file might already exist and can be used directly -->
<start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Accessories\paint.lnk" /> <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Accessories\paint.lnk" />

2
windows/configuration/lock-down-windows-10-to-specific-apps.md
View File

@ -458,7 +458,7 @@ Usage is demonstrated below, by using the new XML namespace and specifying `Glob
<!-- A link file is required for desktop applications to show on start layout, the link file can be placed under <!-- A link file is required for desktop applications to show on start layout, the link file can be placed under
"%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs" if the link file is shared for all users or "%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs" if the link file is shared for all users or
"%AppData%\Microsoft\Windows\Start Menu\Programs" if the link file is for the specific user only "%AppData%\Microsoft\Windows\Start Menu\Programs" if the link file is for the specific user only
see document https://docs.microsoft.com/windows/configuration/start-layout-xml-desktop see document https://learn.microsoft.com/windows/configuration/start-layout-xml-desktop
--> -->
<!-- for inbox desktop applications, a link file might already exist and can be used directly --> <!-- for inbox desktop applications, a link file might already exist and can be used directly -->
<start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Accessories\paint.lnk" /> <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Accessories\paint.lnk" />

2
windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md
View File

@ -179,6 +179,6 @@ Here is a list of CSPs supported on Windows 10 Enterprise:
- [Update CSP](/windows/client-management/mdm/update-csp) - [Update CSP](/windows/client-management/mdm/update-csp)
- [VPN CSP](/windows/client-management/mdm/vpn-csp) - [VPN CSP](/windows/client-management/mdm/vpn-csp)
- [VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp) - [VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp)
- [Wi-Fi CSP](/documentation/) - [Wi-Fi CSP](/windows/client-management/mdm/wifi-csp)
- [WindowsLicensing CSP](/windows/client-management/mdm/windowslicensing-csp) - [WindowsLicensing CSP](/windows/client-management/mdm/windowslicensing-csp)
- [WindowsSecurityAuditing CSP](/windows/client-management/mdm/windowssecurityauditing-csp) - [WindowsSecurityAuditing CSP](/windows/client-management/mdm/windowssecurityauditing-csp)

57
windows/configure/docfx.json
View File

@ -1,57 +0,0 @@
{
"build": {
"content": [
{
"files": [
"**/*.md",
"**/*.yml"
],
"exclude": [
"**/obj/**",
"**/includes/**",
"README.md",
"LICENSE",
"LICENSE-CODE",
"ThirdPartyNotices"
]
}
],
"resource": [
{
"files": [
"**/*.png",
"**/*.jpg"
],
"exclude": [
"**/obj/**",
"**/includes/**"
]
}
],
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"feedback_system": "None",
"hideEdit": true,
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.windows-configure"
}
},
"contributors_to_exclude": [
"rjagiewich",
"traya1",
"rmca14",
"claydetels19",
"jborsecnik",
"tiburd",
"garycentric"
]
},
"fileMetadata": {},
"template": [],
"dest": "windows-configure",
"markdownEngineName": "markdig"
}
}

56
windows/deploy/docfx.json
View File

@ -1,56 +0,0 @@
{
"build": {
"content": [
{
"files": [
"**/*.md",
"**/*.yml"
],
"exclude": [
"**/obj/**",
"**/includes/**",
"README.md",
"LICENSE",
"LICENSE-CODE",
"ThirdPartyNotices"
]
}
],
"resource": [
{
"files": [
"**/*.png",
"**/*.jpg"
],
"exclude": [
"**/obj/**",
"**/includes/**"
]
}
],
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.windows-deploy",
"folder_relative_path_in_docset": "./"
}
},
"contributors_to_exclude": [
"rjagiewich",
"traya1",
"rmca14",
"claydetels19",
"jborsecnik",
"tiburd",
"garycentric"
]
},
"fileMetadata": {},
"template": [],
"dest": "windows-deploy",
"markdownEngineName": "markdig"
}
}

6
windows/deployment/index.yml
View File

@ -100,8 +100,8 @@ landingContent:
- linkListType: learn - linkListType: learn
links: links:
- text: Plan to deploy updates for Windows 10 and Microsoft 365 Apps - text: Plan to deploy updates for Windows 10 and Microsoft 365 Apps
url: /learn/modules/windows-plan url: /training/modules/windows-plan
- text: Prepare to deploy updates for Windows 10 and Microsoft 365 Apps - text: Prepare to deploy updates for Windows 10 and Microsoft 365 Apps
url: /learn/modules/windows-prepare/ url: /training/modules/windows-prepare/
- text: Deploy updates for Windows 10 and Microsoft 365 Apps - text: Deploy updates for Windows 10 and Microsoft 365 Apps
url: /learn/modules/windows-deploy url: /training/modules/windows-deploy

75
windows/deployment/update/check-release-health.md
View File

@ -1,11 +1,14 @@
--- ---
title: "How to check Windows release health" title: How to check Windows release health
description: Check the release health status of Microsoft 365 services before you call support to see if there's an active service interruption.
ms.date: 08/16/2022
ms.author: v-nishmi ms.author: v-nishmi
author: DocsPreview author: DocsPreview
manager: jren manager: jren
ms.topic: article ms.reviewer: mstewart
ms.topic: how-to
ms.prod: w10 ms.prod: w10
localization_priority: Normal localization_priority: medium
ms.custom: ms.custom:
- Adm_O365 - Adm_O365
- 'O365P_ServiceHealthModern' - 'O365P_ServiceHealthModern'
@ -21,36 +24,35 @@ search.appverid:
- MOE150 - MOE150
- BCS160 - BCS160
- IWA160 - IWA160
description: "Check the release health status of Microsoft 365 services before you call support to see if there is an active service interruption."
--- ---
# How to check Windows release health # How to check Windows release health
The Windows release health page in the Microsoft 365 admin center enables you to view the latest information on known issues for Windows monthly and feature updates. A known issue is an issue that has been identified in a Windows monthly update or feature update that impacts Windows devices. The Windows release health page is designed to inform you about known issues so you can troubleshoot issues your users may be experiencing and/or to determine when, and at what scale, to deploy an update in your organization. The Windows release health page in the Microsoft 365 admin center enables you to view the latest information on known issues for Windows monthly and feature updates. A known issue is an issue that has been identified in a Windows monthly update or feature update that impacts Windows devices. The Windows release health page is designed to inform you about known issues. You can use this information to troubleshoot issues your users may be experiencing. You can also determine when, and at what scale, to deploy an update in your organization.
If you are unable to sign in to the Microsoft 365 admin portal, check the [Microsoft 365 service health](https://status.office365.com) status page to check for known issues preventing you from logging into your tenant. If you're unable to sign in to the Microsoft 365 admin portal, check the [Microsoft 365 service health](https://status.office365.com) status page to check for known issues preventing you from signing into your tenant.
To be informed about the latest updates and releases, follow us on Twitter [@WindowsUpdate](https://twitter.com/windowsupdate). To be informed about the latest updates and releases, follow [@WindowsUpdate](https://twitter.com/windowsupdate) on Twitter.
## How to review Windows release health information ## How to review Windows release health information
1. Go to the Microsoft 365 admin center at [https://admin.microsoft.com](https://go.microsoft.com/fwlink/p/?linkid=2024339), and sign in with an administrator account. 1. Go to the [Microsoft 365 admin center](https://admin.microsoft.com), and sign in with an administrator account.
> [!NOTE] > [!NOTE]
> By default, the Windows release health page is available to individuals who have been assigned the global admin or service administrator role for their tenant. To allow Exchange, SharePoint, and Skype for Business admins to view the Windows release health page, you must first assign them to a Service admin role. For more information about roles that can view service health, see [About admin roles](/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide&preserve-view=true#roles-available-in-the-microsoft-365-admin-center). > By default, the Windows release health page is available to individuals who have been assigned the global admin or service administrator role for their tenant. To allow Exchange, SharePoint, and Skype for Business admins to view the Windows release health page, you must first assign them to a Service admin role. For more information about roles that can view service health, see [About admin roles](/microsoft-365/admin/add-users/about-admin-roles#commonly-used-microsoft-365-admin-center-roles).
2. To view Windows release health in the Microsoft 365 Admin Center, go to **Health > Windows release health**. 2. To view Windows release health in the Microsoft 365 Admin Center, go to **Health > Windows release health**.
3. On the **Windows release health** page, you will have access to known issue information for all supported versions of the Windows operating system. 3. On the **Windows release health** page, you'll have access to known issue information for all supported versions of the Windows operating system.
The **All versions** tab (the default view) shows all Windows products with access to their posted known issues. The **All versions** tab (the default view) shows all Windows products with access to their posted known issues.
![View of current issues in release health.](images/WRH-menu.png) ![View of current issues in release health.](images/WRH-menu.png)
A known issue is an issue that has been identified in a Windows monthly update or feature update that impacts Windows devices. The **Active and recently resolved** column provides a link to the **Known issues** tab filtered to the version selected. Selecting the **Known issues** tab will show known issues that are active or resolved within the last 30 days. A known issue is an issue that has been identified in a Windows monthly update or feature update that impacts Windows devices. The **Active and recently resolved** column provides a link to the **Known issues** tab filtered to the version selected. Selecting the **Known issues** tab will show known issues that are active or resolved within the last 30 days.
![View of known issues in release health.](images/WRH-known-issues-20H2.png) ![View of known issues in release health.](images/WRH-known-issues-20H2.png)
The **History** tab shows the history of known issues that have been resolved for up to 6 months. The **History** tab shows the history of known issues that have been resolved for up to 6 months.
![View of history issues in release health.](images/WRH-history-20H2.png) ![View of history issues in release health.](images/WRH-history-20H2.png)
@ -63,24 +65,23 @@ To be informed about the latest updates and releases, follow us on Twitter [@Win
- **Originating KB** - The KB number where the issue was first identified. - **Originating KB** - The KB number where the issue was first identified.
- **Originating build** - The build number for the KB. - **Originating build** - The build number for the KB.
Select the **Issue title** to access more information, including a link to the history of all status updates posted while we work on a solution. Here is an example: Select the **Issue title** to access more information, including a link to the history of all status updates posted while we work on a solution. For example:
![A screenshot showing issue details.](images/WRH-known-issue-detail.png) ![A screenshot showing issue details.](images/WRH-known-issue-detail.png)
## Status definitions ## Status definitions
In the **Windows release health** experience, every known issue is assigned as status. Those statuses are defined as follows: In the **Windows release health** experience, every known issue is assigned as status. Those statuses are defined as follows:
| Status | Definition | | Status | Definition |
|:-----|:-----| |:-----|:-----|
|**Reported** | An issue has been brought to the attention of the Windows teams. At this stage, there is no confirmation that users are affected. | |**Reported** | An issue has been brought to the attention of the Windows teams. At this stage, there's no confirmation that users are affected. |
|**Investigating** | The issue is believed to affect users and efforts are underway to gather more information about the issues scope of impact, mitigation steps, and root cause. | |**Investigating** | The issue is believed to affect users and efforts are underway to gather more information about the issue's scope, mitigation steps, and root cause. |
|**Confirmed** | After close review, Microsoft teams have determined the issue is affecting Windows users, and progress is being made on mitigation steps and root cause. | |**Confirmed** | After close review, Microsoft has determined the issue is affecting Windows users, and progress is being made on mitigation steps and root cause. |
|**Mitigated** | A workaround is available and communicated to Windows customers for a known issue. A known issue will stay in this state until a KB article is released by Microsoft to resolve the known issue. | |**Mitigated** | A workaround is available and communicated to Windows customers for a known issue. A known issue will stay in this state until a KB article is released by Microsoft to resolve the known issue. |
|**Mitigated: External** | A workaround is available and communicated to Windows customers for a known issue that was caused by a software or driver from a third-party software or device manufacturer. A known issue will stay in this state until the issue is resolved by Microsoft or the third-party. | |**Mitigated: External** | A workaround is available and communicated to Windows customers for a known issue that was caused by a software or driver from a third-party software or device manufacturer. A known issue will stay in this state until the issue is resolved by Microsoft or the third-party. |
|**Resolved** | A solution has been released by Microsoft and has been documented in a KB article that will resolve the known issue once its deployed in the customers environment. | |**Resolved** | A solution has been released by Microsoft and has been documented in a KB article that will resolve the known issue once it's deployed in the customer's environment. |
|**Resolved: External** | A solution has been released by a Microsoft or a third-party that will resolve the known issue once its deployed in the customers environment. | |**Resolved: External** | A solution has been released by a Microsoft or a third-party that will resolve the known issue once it's deployed in the customer's environment. |
## Known issue history ## Known issue history
@ -96,29 +97,29 @@ A list of all status updates posted in the selected timeframe will be displayed,
### Windows release health coverage ### Windows release health coverage
- **What is Windows release health?** - **What is Windows release health?**
Windows release health is a Microsoft informational service created to keep licensed Windows customers aware of identified known issues and important announcements. Windows release health is a Microsoft informational service created to keep licensed Windows customers aware of identified known issues and important announcements.
- **Microsoft 365 service health content is specific to my tenants and services. Is the content in Windows release health specific to my Windows environment?** - **Microsoft 365 service health content is specific to my tenants and services. Is the content in Windows release health specific to my Windows environment?**
Windows release health does not monitor user environments or collect customer environment information. In Windows release health, all known issue content across all supported Windows versions is published to all subscribed customers. Future iterations of the solution may target content based on customer location, industry, or Windows version. Windows release health doesn't monitor user environments or collect customer environment information. In Windows release health, all known issue content across all supported Windows versions is published to all subscribed customers. Future iterations of the solution may target content based on customer location, industry, or Windows version.
- **Where do I find Windows release health?** - **Where do I find Windows release health?**
After logging into Microsoft 365 admin center, expand the left-hand menu using **…Show All**, click **Health** and youll see **Windows release health**. After logging into Microsoft 365 admin center, expand the left-hand menu using **…Show All**, select **Health** and you'll see **Windows release health**.
- **Is the Windows release health content published to Microsoft 365 admin center the same as the content on Windows release health on Docs.microsoft.com?** - **Is the Windows release health content published to Microsoft 365 admin center the same as the content on Windows release health on Docs.microsoft.com?**
No. While the content is similar, you may see more issues and more technical details published to Windows release health on Microsoft 365 admin center to better support the IT admin. For example, youll find details to help you diagnose issues in your environment, steps to mitigate issues, and root cause analysis. No. While the content is similar, you may see more issues and technical details published to Windows release health on Microsoft 365 admin center to better support the IT admin. For example, you'll find details to help you diagnose issues in your environment, steps to mitigate issues, and root cause analysis.
- **How often will content be updated?** - **How often will content be updated?**
In an effort to ensure Windows customers have important information as soon as possible, all major known issues will be shared with Windows customers on both Docs.microsoft.com and the Microsoft 365 admin center. We may also update the details available for Windows release health in the Microsoft 365 admin center when we have additional details on workarounds, root cause, or other information to help you plan for updates and handle issues in your environment. To ensure Windows customers have important information as soon as possible, all major known issues will be shared with Windows customers on both Docs.microsoft.com and the Microsoft 365 admin center. We may also update the details available for Windows release health in the Microsoft 365 admin center when we have more details on workarounds, root cause, or other information to help you plan for updates and handle issues in your environment.
- **Can I share this content publicly or with other Windows customers?** - **Can I share this content publicly or with other Windows customers?**
Windows release health is provided to you as a licensed Windows customer and is not to be shared publicly. Windows release health is provided to you as a licensed Windows customer and isn't to be shared publicly.
- **Is the content redundant? How is the content organized in the different tabs?** - **Is the content redundant? How is the content organized in the different tabs?**
Windows release health provides three tabs. The landing **All versions** tab allows you to click into a specific version of Windows. The Known issues tab shows the list of issues that are active or resolved in the past 30 days. The History tab shows a six-month history of known issues that have been resolved. Windows release health provides three tabs. The landing **All versions** tab allows you to select a specific version of Windows. The **Known issues** tab shows the list of issues that are active or resolved in the past 30 days. The **History** tab shows a six-month history of known issues that have been resolved.
- **How do I find information for the versions of Windows Im managing?** - **How do I find information for the versions of Windows I'm managing?**
On the **All versions** tab, you can select any Windows version. This will take you to the Known issues tab filtered for the version you selected. The known issues tab provides the list of active known issues and those resolved in the last 30 days. This selection persists throughout your session until changed. From the History tab you can view the list of resolved issues for that version. To change versions, use the filter in the tab. On the **All versions** tab, you can select any Windows version. This action takes you to the **Known issues** tab filtered for the version you selected. The **Known issues** tab provides the list of active known issues and the issues resolved in the last 30 days. This selection persists throughout your session until changed. From the **History** tab, you can view the list of resolved issues for that version. To change versions, use the filter in the tab.
### Microsoft 365 Admin Center functions ### Microsoft 365 Admin Center functions
@ -126,13 +127,13 @@ A list of all status updates posted in the selected timeframe will be displayed,
You can search Microsoft 365 admin center pages using keywords. For Windows release health, go to the desired product page and search using KB numbers, build numbers, or keywords. You can search Microsoft 365 admin center pages using keywords. For Windows release health, go to the desired product page and search using KB numbers, build numbers, or keywords.
- **How do I add other Windows admins?** - **How do I add other Windows admins?**
Using the left-hand menu, go to Users, then select the Active Users tab and follow the prompts to add a new user, or assign an existing user, to the role of “Service Support admin.” Using the left-hand menu, go to Users, then select the Active Users tab and follow the prompts to add a new user, or assign an existing user, to the role of **Service Support admin**.
- **Why cant I click to the KB article from the Known issues or History tabs?** - **Why can't I click to the KB article from the Known issues or History tabs?**
Within the issue description, youll find links to the KB articles. In the Known issue and History tabs, the entire row is a clickable entry to the issues Details pane. Within the issue description, you'll find links to the KB articles. In the Known issue and History tabs, the entire row is a clickable entry to the issue's Details pane.
- **Microsoft 365 admin center has a mobile app but I dont see Windows release health under the Health menu. Is this an open issue?** - **Microsoft 365 admin center has a mobile app but I don't see Windows release health under the Health menu. Is this an open issue?**
We are working to build the Windows release health experience on mobile devices in a future release. We're working to build the Windows release health experience on mobile devices in a future release.
### Help and support ### Help and support
@ -140,7 +141,7 @@ A list of all status updates posted in the selected timeframe will be displayed,
Seek assistance through Premier support, the [Microsoft Support website](https://support.microsoft.com), or connect with your normal channels for Windows support. Seek assistance through Premier support, the [Microsoft Support website](https://support.microsoft.com), or connect with your normal channels for Windows support.
- **When reaching out to Support, they asked me for an advisory ID. What is this and where can it?** - **When reaching out to Support, they asked me for an advisory ID. What is this and where can it?**
The advisory ID can be found in the upper left-hand corner of the known issue Details pane. To find it, select the Known issue youre seeking help on, click the Details pane and youll find the ID under the issue title. It will be the letters WI followed by a number, similar to “WI123456”. The advisory ID can be found in the upper left-hand corner of the known issue Details pane. To find it, select the known issue you're seeking help on, select the **Details** pane, and you'll find the ID under the issue title. It will be the letters `WI` followed by a number, similar to `WI123456`.
- **How can I learn more about expanding my use of Microsoft 365 admin center?** - **How can I learn more about expanding my use of Microsoft 365 admin center?**
To learn more, see the [Microsoft 365 admin center documentation](/microsoft-365/admin/admin-overview/about-the-admin-center). For more information, see the [Microsoft 365 admin center documentation](/microsoft-365/admin/admin-overview/about-the-admin-center).

4
windows/deployment/update/deployment-service-overview.md
View File

@ -88,8 +88,8 @@ The Microsoft Graph SDK includes a PowerShell extension that you can use to scri
### Building your own application ### Building your own application
Microsoft Graph makes deployment service APIs available through. Get started with these learning paths: Microsoft Graph makes deployment service APIs available through. Get started with these learning paths:
- Learning Path: [Microsoft Graph Fundamentals](/learn/paths/m365-msgraph-fundamentals/) - Learning path: [Microsoft Graph Fundamentals](/training/paths/m365-msgraph-fundamentals/)
- Learning Path: [Build apps with Microsoft Graph](/learn/paths/m365-msgraph-associate/) - Learning path: [Build apps with Microsoft Graph](/training/paths/m365-msgraph-associate/)
Once you are familiar with Microsoft Graph development, see [Windows updates API overview in Microsoft Graph](/graph/windowsupdates-concept-overview) for more. Once you are familiar with Microsoft Graph development, see [Windows updates API overview in Microsoft Graph](/graph/windowsupdates-concept-overview) for more.

8
windows/deployment/upgrade/setupdiag.md
View File

@ -444,14 +444,14 @@ System Information:
Error: SetupDiag reports Optional Component installation failed to open OC Package. Package Name: Foundation, Error: 0x8007001F Error: SetupDiag reports Optional Component installation failed to open OC Package. Package Name: Foundation, Error: 0x8007001F
Recommend you check the "Windows Modules Installer" service (Trusted Installer) is started on the system and set to automatic start, reboot and try the update again. Optionally, you can check the status of optional components on the system (search for Windows Features), uninstall any unneeded optional components, reboot and try the update again. Recommend you check the "Windows Modules Installer" service (Trusted Installer) is started on the system and set to automatic start, reboot and try the update again. Optionally, you can check the status of optional components on the system (search for Windows Features), uninstall any unneeded optional components, reboot and try the update again.
Error: SetupDiag reports down-level failure, Operation: Finalize, Error: 0x8007001F - 0x50015 Error: SetupDiag reports down-level failure, Operation: Finalize, Error: 0x8007001F - 0x50015
Refer to https://docs.microsoft.com/windows/deployment/upgrade/upgrade-error-codes for error information. Refer to https://learn.microsoft.com/windows/deployment/upgrade/upgrade-error-codes for error information.
``` ```
### XML log sample ### XML log sample
```xml ```xml
<?xml version="1.0" encoding="utf-16"?> <?xml version="1.0" encoding="utf-16"?>
<SetupDiag xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="https://docs.microsoft.com/windows/deployment/upgrade/setupdiag"> <SetupDiag xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="https://learn.microsoft.com/windows/deployment/upgrade/setupdiag">
<Version>1.6.0.0</Version> <Version>1.6.0.0</Version>
<ProfileName>FindSPFatalError</ProfileName> <ProfileName>FindSPFatalError</ProfileName>
<ProfileGuid>A4028172-1B09-48F8-AD3B-86CDD7D55852</ProfileGuid> <ProfileGuid>A4028172-1B09-48F8-AD3B-86CDD7D55852</ProfileGuid>
@ -494,7 +494,7 @@ Error: 0x00000057</FailureData>
<FailureData>LogEntry: 2019-06-06 21:47:11, Error SP Error converting install time 5/2/2019 to structure[gle=0x00000057]</FailureData> <FailureData>LogEntry: 2019-06-06 21:47:11, Error SP Error converting install time 5/2/2019 to structure[gle=0x00000057]</FailureData>
<FailureData>LogEntry: 2019-06-06 21:47:11, Error SP Error converting install time 5/2/2019 to structure[gle=0x00000057]</FailureData> <FailureData>LogEntry: 2019-06-06 21:47:11, Error SP Error converting install time 5/2/2019 to structure[gle=0x00000057]</FailureData>
<FailureData> <FailureData>
Refer to "https://docs.microsoft.com/windows/desktop/Debug/system-error-codes" for error information.</FailureData> Refer to "https://learn.microsoft.com/windows/desktop/Debug/system-error-codes" for error information.</FailureData>
<FailureDetails>Err = 0x00000057, LastOperation = Gather data, scope: EVERYTHING, LastPhase = Downlevel</FailureDetails> <FailureDetails>Err = 0x00000057, LastOperation = Gather data, scope: EVERYTHING, LastPhase = Downlevel</FailureDetails>
</SetupDiag> </SetupDiag>
``` ```
@ -548,7 +548,7 @@ Refer to "https://docs.microsoft.com/windows/desktop/Debug/system-error-codes" f
"LogEntry: 2019-06-06 21:47:11, Error SP Error converting install time 5\/2\/2019 to structure[ "LogEntry: 2019-06-06 21:47:11, Error SP Error converting install time 5\/2\/2019 to structure[
gle=0x00000057 gle=0x00000057
]", ]",
"\u000aRefer to \"https:\/\/docs.microsoft.com\/en-us\/windows\/desktop\/Debug\/system-error-codes\" for error information." "\u000aRefer to \"https:\/\/learn.microsoft.com\/windows\/desktop\/Debug\/system-error-codes\" for error information."
], ],
"FailureDetails":"Err = 0x00000057, LastOperation = Gather data, scope: EVERYTHING, LastPhase = Downlevel", "FailureDetails":"Err = 0x00000057, LastOperation = Gather data, scope: EVERYTHING, LastPhase = Downlevel",
"DeviceDriverInfo":null, "DeviceDriverInfo":null,

13
windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md
View File

@ -1,7 +1,7 @@
--- ---
title: Post-device registration readiness checks title: Post-device registration readiness checks
description: This article details how post-device registration readiness checks are performed in Windows Autopatch description: This article details how post-device registration readiness checks are performed in Windows Autopatch
ms.date: 09/15/2022 ms.date: 09/16/2022
ms.prod: w11 ms.prod: w11
ms.technology: windows ms.technology: windows
ms.topic: conceptual ms.topic: conceptual
@ -12,7 +12,10 @@ manager: dougeby
msreviewer: andredm7 msreviewer: andredm7
--- ---
# Post-device registration readiness checks # Post-device registration readiness checks (public preview)
> [!IMPORTANT]
> This feature is in "public preview". It is being actively developed, and may not be complete. They're made available on a “Preview” basis. You can test and use these features in production environments and scenarios, and provide feedback.
One of the most expensive aspects of the software update management process is to make sure devices are always healthy to receive and report software updates for each software update release cycle. One of the most expensive aspects of the software update management process is to make sure devices are always healthy to receive and report software updates for each software update release cycle.
@ -57,7 +60,7 @@ A healthy or active device in Windows Autopatch is:
- Actively sending data - Actively sending data
- Passes all post-device registration readiness checks - Passes all post-device registration readiness checks
The post-device registration readiness checks are powered by the **Microsoft Cloud Managed Desktop Extension**. It's installed right after devices are successfully registered with Windows Autopatch. The **Microsoft Cloud Managed Desktop Extension** has the Device Readiness Check Plugin responsible for performing the readiness checks in devices and report back to the service. The **Microsoft Cloud Managed Desktop Extension** is a subcomponent of the overall Windows Autopatch service. The post-device registration readiness checks are powered by the **Microsoft Cloud Managed Desktop Extension**. It's installed right after devices are successfully registered with Windows Autopatch. The **Microsoft Cloud Managed Desktop Extension** has the Device Readiness Check Plugin. The Device Readiness Check Plugin is responsible for performing the readiness checks and reporting the results back to the service. The **Microsoft Cloud Managed Desktop Extension** is a subcomponent of the overall Windows Autopatch service.
The following list of post-device registration readiness checks is performed in Windows Autopatch: The following list of post-device registration readiness checks is performed in Windows Autopatch:
@ -72,9 +75,9 @@ The following list of post-device registration readiness checks is performed in
| **Microsoft Edge network endpoints** | There's a set of [network endpoints](../prepare/windows-autopatch-configure-network.md) that devices with Microsoft Edge must be able to reach for software updates management. | | **Microsoft Edge network endpoints** | There's a set of [network endpoints](../prepare/windows-autopatch-configure-network.md) that devices with Microsoft Edge must be able to reach for software updates management. |
| **Internet connectivity** | Checks to see if a device has internet connectivity to communicate with Microsoft cloud services. Windows Autopatch uses the PingReply class. Windows Autopatch tries to ping at least three different Microsofts public URLs two times each, to confirm that ping results aren't coming from the devices cache. | | **Internet connectivity** | Checks to see if a device has internet connectivity to communicate with Microsoft cloud services. Windows Autopatch uses the PingReply class. Windows Autopatch tries to ping at least three different Microsofts public URLs two times each, to confirm that ping results aren't coming from the devices cache. |
## Daily operations in Windows Autopatch ## Post-device registration readiness checks workflow
See the following end-to-end IT admin operation workflow: See the following diagram for the post-device registration readiness checks workflow:
:::image type="content" source="../media/windows-autopatch-post-device-registration-readiness-checks.png" alt-text="Post-device registration readiness checks" lightbox="../media/windows-autopatch-post-device-registration-readiness-checks.png"::: :::image type="content" source="../media/windows-autopatch-post-device-registration-readiness-checks.png" alt-text="Post-device registration readiness checks" lightbox="../media/windows-autopatch-post-device-registration-readiness-checks.png":::

10
windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
View File

@ -1,7 +1,7 @@
--- ---
title: Prerequisites title: Prerequisites
description: This article details the prerequisites needed for Windows Autopatch description: This article details the prerequisites needed for Windows Autopatch
ms.date: 08/04/2022 ms.date: 09/16/2022
ms.prod: w11 ms.prod: w11
ms.technology: windows ms.technology: windows
ms.topic: conceptual ms.topic: conceptual
@ -24,7 +24,7 @@ Getting started with Windows Autopatch has been designed to be easy. This articl
| Licensing | Windows Autopatch requires Windows 10/11 Enterprise E3 (or higher) to be assigned to your users. Additionally, Azure Active Directory Premium and Microsoft Intune are required. For details about the specific service plans, see [more about licenses](#more-about-licenses).<p><p>For more information on available licenses, see [Microsoft 365 licensing](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans).<p><p>For more information about licensing terms and conditions for products and services purchased through Microsoft Commercial Volume Licensing Programs, see the [Product Terms site](https://www.microsoft.com/licensing/terms/). | | Licensing | Windows Autopatch requires Windows 10/11 Enterprise E3 (or higher) to be assigned to your users. Additionally, Azure Active Directory Premium and Microsoft Intune are required. For details about the specific service plans, see [more about licenses](#more-about-licenses).<p><p>For more information on available licenses, see [Microsoft 365 licensing](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans).<p><p>For more information about licensing terms and conditions for products and services purchased through Microsoft Commercial Volume Licensing Programs, see the [Product Terms site](https://www.microsoft.com/licensing/terms/). |
| Connectivity | All Windows Autopatch devices require connectivity to multiple Microsoft service endpoints from the corporate network.<p><p>For the full list of required IPs and URLs, see [Configure your network](../prepare/windows-autopatch-configure-network.md). | | Connectivity | All Windows Autopatch devices require connectivity to multiple Microsoft service endpoints from the corporate network.<p><p>For the full list of required IPs and URLs, see [Configure your network](../prepare/windows-autopatch-configure-network.md). |
| Azure Active Directory | Azure Active Directory must either be the source of authority for all user accounts, or user accounts must be synchronized from on-premises Active Directory using the latest supported version of Azure Active Directory Connect to enable Hybrid Azure Active Directory join.<br><ul><li>For more information, see [Azure Active Directory Connect](/azure/active-directory/hybrid/whatis-azure-ad-connect) and [Hybrid Azure Active Directory join](/azure/active-directory/devices/howto-hybrid-azure-ad-join)</li><li>For more information on supported Azure Active Directory Connect versions, see [Azure AD Connect:Version release history](/azure/active-directory/hybrid/reference-connect-version-history).</li></ul> | | Azure Active Directory | Azure Active Directory must either be the source of authority for all user accounts, or user accounts must be synchronized from on-premises Active Directory using the latest supported version of Azure Active Directory Connect to enable Hybrid Azure Active Directory join.<br><ul><li>For more information, see [Azure Active Directory Connect](/azure/active-directory/hybrid/whatis-azure-ad-connect) and [Hybrid Azure Active Directory join](/azure/active-directory/devices/howto-hybrid-azure-ad-join)</li><li>For more information on supported Azure Active Directory Connect versions, see [Azure AD Connect:Version release history](/azure/active-directory/hybrid/reference-connect-version-history).</li></ul> |
| Device management | Windows Autopatch devices must be managed by Microsoft Intune. Intune must be set as the Mobile Device Management (MDM) authority or co-management must be turned on and enabled on the target devices.<p><p>At a minimum, the Windows Update, Device configuration and Office Click-to-Run apps workloads must be set to Pilot Intune or Intune. You must also ensure that the devices you intend on bringing to Windows Autopatch are in the targeted device collection. For more information, see Co-management requirements for Windows Autopatch below.<p>Other device management prerequisites include:<ul><li>Devices must be corporate-owned. Windows bring-your-own-devices (BYOD) are blocked during device registration prerequisite checks.</li><li>Devices must be managed by either Intune or Configuration Manager Co-management. Devices only managed by Configuration Manager aren't supported.</li><li>Devices must be in communication with Microsoft Intune in the **last 28 days**. Otherwise, the devices won't be registered with Autopatch.</li><li>Devices must be connected to the internet.</li><li>Devices must have a **Serial number**, **Model** and **Manufacturer**. Device emulators that don't generate this information fail to meet **Intune or Cloud-attached** prerequisite check.</li></ul><p>See [Register your devices](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices) for more details on device prerequisites and on how the device registration process works.<p>For more information on co-management, see [Co-management for Windows devices](/mem/configmgr/comanage/overview).</p> | | Device management | Windows Autopatch devices must be managed by Microsoft Intune. Intune must be set as the Mobile Device Management (MDM) authority or co-management must be turned on and enabled on the target devices.<p><p>At a minimum, the Windows Update, Device configuration and Office Click-to-Run apps workloads must be set to Pilot Intune or Intune. You must also ensure that the devices you intend on bringing to Windows Autopatch are in the targeted device collection. For more information, see [co-management requirements for Windows Autopatch](#configuration-manager-co-management-requirements).<p>Other device management prerequisites include:<ul><li>Devices must be corporate-owned. Windows bring-your-own-devices (BYOD) are blocked during device registration prerequisite checks.</li><li>Devices must be managed by either Intune or Configuration Manager co-management. Devices only managed by Configuration Manager aren't supported.</li><li>Devices must be in communication with Microsoft Intune in the **last 28 days**. Otherwise, the devices won't be registered with Autopatch.</li><li>Devices must be connected to the internet.</li><li>Devices must have a **Serial number**, **Model** and **Manufacturer**. Device emulators that don't generate this information fail to meet **Intune or Cloud-attached** prerequisite check.</li></ul><p>See [Register your devices](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices) for more details on device prerequisites and on how the device registration process works.<p>For more information on co-management, see [co-management for Windows devices](/mem/configmgr/comanage/overview).</p> |
| Data and privacy | For more information on Windows Autopatch privacy practices, see [Windows Autopatch Privacy](../references/windows-autopatch-privacy.md). | | Data and privacy | For more information on Windows Autopatch privacy practices, see [Windows Autopatch Privacy](../references/windows-autopatch-privacy.md). |
## More about licenses ## More about licenses
@ -45,13 +45,13 @@ The following Windows OS 10 editions, 1809 builds and architecture are supported
- Windows 10 (1809+)/11 Enterprise - Windows 10 (1809+)/11 Enterprise
- Windows 10 (1809+)/11 Pro for Workstations - Windows 10 (1809+)/11 Pro for Workstations
## Configuration Manager Co-management requirements ## Configuration Manager co-management requirements
Windows Autopatch fully supports co-management. The following co-management requirements apply: Windows Autopatch fully supports co-management. The following co-management requirements apply:
- Use a currently supported [Configuration Manager version](/mem/configmgr/core/servers/manage/updates#supported-versions). - Use a currently supported [Configuration Manager version](/mem/configmgr/core/servers/manage/updates#supported-versions).
- ConfigMgr must be [cloud-attached with Intune (Co-management)](/mem/configmgr/cloud-attach/overview) and must have the following Co-management workloads enabled: - ConfigMgr must be [cloud-attached with Intune (co-management)](/mem/configmgr/cloud-attach/overview) and must have the following co-management workloads enabled:
- Set the [Windows Update workload](/mem/configmgr/comanage/workloads#windows-update-policies) to Pilot Intune or Intune. - Set the [Windows Update policies workload](/mem/configmgr/comanage/workloads#windows-update-policies) to Pilot Intune or Intune.
- Set the [Device configuration workload](/mem/configmgr/comanage/workloads#device-configuration) to Pilot Intune or Intune. - Set the [Device configuration workload](/mem/configmgr/comanage/workloads#device-configuration) to Pilot Intune or Intune.
- Set the [Office Click-to-Run apps workload](/mem/configmgr/comanage/workloads#office-click-to-run-apps) to Pilot Intune or Intune. - Set the [Office Click-to-Run apps workload](/mem/configmgr/comanage/workloads#office-click-to-run-apps) to Pilot Intune or Intune.

61
windows/device-security/docfx.json
View File

@ -1,61 +0,0 @@
{
"build": {
"content": [
{
"files": [
"**/*.md",
"**/*.yml"
],
"exclude": [
"**/obj/**",
"**/includes/**",
"README.md",
"LICENSE",
"LICENSE-CODE",
"ThirdPartyNotices"
]
}
],
"resource": [
{
"files": [
"**/*.png",
"**/*.jpg",
"**/*.gif"
],
"exclude": [
"**/obj/**",
"**/includes/**"
]
}
],
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows",
"ms.topic": "article",
"ms.date": "04/05/2017",
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.win-device-security",
"folder_relative_path_in_docset": "./"
}
},
"contributors_to_exclude": [
"rjagiewich",
"traya1",
"rmca14",
"claydetels19",
"jborsecnik",
"tiburd",
"garycentric"
]
},
"fileMetadata": {},
"template": [],
"dest": "win-device-security",
"markdownEngineName": "markdig"
}
}

57
windows/eulas/docfx.json
View File

@ -1,57 +0,0 @@
{
"build": {
"content": [
{
"files": [
"**/*.md",
"**/*.yml"
],
"exclude": [
"**/obj/**",
"**/includes/**",
"_themes/**",
"_themes.pdf/**",
"README.md",
"LICENSE",
"LICENSE-CODE",
"ThirdPartyNotices"
]
}
],
"resource": [
{
"files": [
"**/*.png",
"**/*.jpg"
],
"exclude": [
"**/obj/**",
"**/includes/**",
"_themes/**",
"_themes.pdf/**"
]
}
],
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/windows/eulas/breadcrumb/toc.json",
"extendBreadcrumb": true,
"feedback_system": "None",
"contributors_to_exclude": [
"rjagiewich",
"traya1",
"rmca14",
"claydetels19",
"jborsecnik",
"tiburd",
"garycentric"
]
},
"fileMetadata": {},
"template": [],
"dest": "eula-vsts",
"markdownEngineName": "markdig"
}
}

57
windows/keep-secure/docfx.json
View File

@ -1,57 +0,0 @@
{
"build": {
"content": [
{
"files": [
"**/*.md",
"**/*.yml"
],
"exclude": [
"**/obj/**",
"**/includes/**",
"README.md",
"LICENSE",
"LICENSE-CODE",
"ThirdPartyNotices"
]
}
],
"resource": [
{
"files": [
"**/*.png",
"**/*.jpg"
],
"exclude": [
"**/obj/**",
"**/includes/**"
]
}
],
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"feedback_system": "None",
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.keep-secure",
"folder_relative_path_in_docset": "./"
}
},
"contributors_to_exclude": [
"rjagiewich",
"traya1",
"rmca14",
"claydetels19",
"jborsecnik",
"tiburd",
"garycentric"
]
},
"fileMetadata": {},
"template": [],
"dest": "keep-secure",
"markdownEngineName": "markdig"
}
}

58
windows/known-issues/docfx.json
View File

@ -1,58 +0,0 @@
{
"build": {
"content": [
{
"files": [
"**/*.md",
"**/*.yml"
],
"exclude": [
"**/obj/**",
"**/includes/**",
"_themes/**",
"_themes.pdf/**",
"README.md",
"LICENSE",
"LICENSE-CODE",
"ThirdPartyNotices"
]
}
],
"resource": [
{
"files": [
"**/*.png",
"**/*.jpg"
],
"exclude": [
"**/obj/**",
"**/includes/**",
"_themes/**",
"_themes.pdf/**"
]
}
],
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"feedback_system": "GitHub",
"feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
"feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
"contributors_to_exclude": [
"rjagiewich",
"traya1",
"rmca14",
"claydetels19",
"jborsecnik",
"tiburd",
"garycentric"
]
},
"fileMetadata": {},
"template": [],
"dest": "known-issues",
"markdownEngineName": "markdig"
}
}

2
windows/manage/TOC.yml
View File

@ -1,2 +0,0 @@
- name: Test
href: test.md

56
windows/manage/docfx.json
View File

@ -1,56 +0,0 @@
{
"build": {
"content": [
{
"files": [
"**/*.md",
"**/*.yml"
],
"exclude": [
"**/obj/**",
"**/includes/**",
"README.md",
"LICENSE",
"LICENSE-CODE",
"ThirdPartyNotices"
]
}
],
"resource": [
{
"files": [
"**/*.png",
"**/*.jpg"
],
"exclude": [
"**/obj/**",
"**/includes/**"
]
}
],
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.windows-manage",
"folder_relative_path_in_docset": "./"
}
},
"contributors_to_exclude": [
"rjagiewich",
"traya1",
"rmca14",
"claydetels19",
"jborsecnik",
"tiburd",
"garycentric"
]
},
"fileMetadata": {},
"template": [],
"dest": "windows-manage",
"markdownEngineName": "markdig"
}
}

19
windows/manage/test.md
View File

@ -1,19 +0,0 @@
---
title: Test
description: Test
ms.prod: w11
ms.mktglfcycl: deploy
ms.sitesec: library
author: dstrome
ms.author: dstrome
ms.reviewer:
manager: dstrome
ms.topic: article
---
# Test
## Deployment planning
This article provides guidance to help you plan for Windows 11 in your organization.

56
windows/plan/docfx.json
View File

@ -1,56 +0,0 @@
{
"build": {
"content": [
{
"files": [
"**/*.md",
"**/*.yml"
],
"exclude": [
"**/obj/**",
"**/includes/**",
"README.md",
"LICENSE",
"LICENSE-CODE",
"ThirdPartyNotices"
]
}
],
"resource": [
{
"files": [
"**/*.png",
"**/*.jpg"
],
"exclude": [
"**/obj/**",
"**/includes/**"
]
}
],
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.windows-plan",
"folder_relative_path_in_docset": "./"
}
},
"contributors_to_exclude": [
"rjagiewich",
"traya1",
"rmca14",
"claydetels19",
"jborsecnik",
"tiburd",
"garycentric"
]
},
"fileMetadata": {},
"template": [],
"dest": "windows-plan",
"markdownEngineName": "markdig"
}
}

36
windows/privacy/index.yml
View File

@ -68,50 +68,50 @@ productDirectory:
# # Card # # Card
# - title: cardtitle1 # - title: cardtitle1
# links: # links:
# - url: file1.md OR https://docs.microsoft.com/file1 # - url: file1.md OR https://learn.microsoft.com/file1
# itemType: itemType # itemType: itemType
# text: linktext1 # text: linktext1
# - url: file2.md OR https://docs.microsoft.com/file2 # - url: file2.md OR https://learn.microsoft.com/file2
# itemType: itemType # itemType: itemType
# text: linktext2 # text: linktext2
# - url: file3.md OR https://docs.microsoft.com/file3 # - url: file3.md OR https://learn.microsoft.com/file3
# itemType: itemType # itemType: itemType
# text: linktext3 # text: linktext3
# # footerLink (optional) # # footerLink (optional)
# footerLink: # footerLink:
# url: filefooter.md OR https://docs.microsoft.com/filefooter # url: filefooter.md OR https://learn.microsoft.com/filefooter
# text: See more # text: See more
# # Card # # Card
# - title: cardtitle2 # - title: cardtitle2
# links: # links:
# - url: file1.md OR https://docs.microsoft.com/file1 # - url: file1.md OR https://learn.microsoft.com/file1
# itemType: itemType # itemType: itemType
# text: linktext1 # text: linktext1
# - url: file2.md OR https://docs.microsoft.com/file2 # - url: file2.md OR https://learn.microsoft.com/file2
# itemType: itemType # itemType: itemType
# text: linktext2 # text: linktext2
# - url: file3.md OR https://docs.microsoft.com/file3 # - url: file3.md OR https://learn.microsoft.com/file3
# itemType: itemType # itemType: itemType
# text: linktext3 # text: linktext3
# # footerLink (optional) # # footerLink (optional)
# footerLink: # footerLink:
# url: filefooter.md OR https://docs.microsoft.com/filefooter # url: filefooter.md OR https://learn.microsoft.com/filefooter
# text: See more # text: See more
# # Card # # Card
# - title: cardtitle3 # - title: cardtitle3
# links: # links:
# - url: file1.md OR https://docs.microsoft.com/file1 # - url: file1.md OR https://learn.microsoft.com/file1
# itemType: itemType # itemType: itemType
# text: linktext1 # text: linktext1
# - url: file2.md OR https://docs.microsoft.com/file2 # - url: file2.md OR https://learn.microsoft.com/file2
# itemType: itemType # itemType: itemType
# text: linktext2 # text: linktext2
# - url: file3.md OR https://docs.microsoft.com/file3 # - url: file3.md OR https://learn.microsoft.com/file3
# itemType: itemType # itemType: itemType
# text: linktext3 # text: linktext3
# # footerLink (optional) # # footerLink (optional)
# footerLink: # footerLink:
# url: filefooter.md OR https://docs.microsoft.com/filefooter # url: filefooter.md OR https://learn.microsoft.com/filefooter
# text: See more # text: See more
# # tools section (optional) # # tools section (optional)
@ -122,15 +122,15 @@ productDirectory:
# # Card # # Card
# - title: cardtitle1 # - title: cardtitle1
# # imageSrc should be square in ratio with no whitespace # # imageSrc should be square in ratio with no whitespace
# imageSrc: ./media/index/image1.svg OR https://docs.microsoft.com/media/logos/image1.svg # imageSrc: ./media/index/image1.svg OR https://learn.microsoft.com/media/logos/image1.svg
# url: file1.md # url: file1.md
# # Card # # Card
# - title: cardtitle2 # - title: cardtitle2
# imageSrc: ./media/index/image2.svg OR https://docs.microsoft.com/media/logos/image2.svg # imageSrc: ./media/index/image2.svg OR https://learn.microsoft.com/media/logos/image2.svg
# url: file2.md # url: file2.md
# # Card # # Card
# - title: cardtitle3 # - title: cardtitle3
# imageSrc: ./media/index/image3.svg OR https://docs.microsoft.com/media/logos/image3.svg # imageSrc: ./media/index/image3.svg OR https://learn.microsoft.com/media/logos/image3.svg
# url: file3.md # url: file3.md
# additionalContent section (optional) # additionalContent section (optional)
@ -144,15 +144,15 @@ productDirectory:
# # Card # # Card
# - title: cardtitle1 # - title: cardtitle1
# summary: cardsummary1 # summary: cardsummary1
# url: file1.md OR https://docs.microsoft.com/file1 # url: file1.md OR https://learn.microsoft.com/file1
# # Card # # Card
# - title: cardtitle2 # - title: cardtitle2
# summary: cardsummary2 # summary: cardsummary2
# url: file1.md OR https://docs.microsoft.com/file2 # url: file1.md OR https://learn.microsoft.com/file2
# # Card # # Card
# - title: cardtitle3 # - title: cardtitle3
# summary: cardsummary3 # summary: cardsummary3
# url: file1.md OR https://docs.microsoft.com/file3 # url: file1.md OR https://learn.microsoft.com/file3
# # footer (optional) # # footer (optional)
# footer: "footertext [linktext](/footerfile)" # footer: "footertext [linktext](/footerfile)"

61
windows/release-information/docfx.json
View File

@ -1,61 +0,0 @@
{
"build": {
"content": [
{
"files": [
"**/*.md",
"**/*.yml"
],
"exclude": [
"**/obj/**",
"**/includes/**",
"_themes/**",
"_themes.pdf/**",
"README.md",
"LICENSE",
"LICENSE-CODE",
"ThirdPartyNotices"
]
}
],
"resource": [
{
"files": [
"**/*.png",
"**/*.jpg"
],
"exclude": [
"**/obj/**",
"**/includes/**",
"_themes/**",
"_themes.pdf/**"
]
}
],
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/windows/release-information/breadcrumb/toc.json",
"ms.prod": "w10",
"ms.date": "4/30/2019",
"audience": "ITPro",
"titleSuffix": "Windows Release Information",
"extendBreadcrumb": true,
"feedback_system": "None",
"contributors_to_exclude": [
"rjagiewich",
"traya1",
"rmca14",
"claydetels19",
"jborsecnik",
"tiburd",
"garycentric"
]
},
"fileMetadata": {},
"template": [],
"dest": "release-information",
"markdownEngineName": "markdig"
}
}

10
windows/security/identity-protection/credential-guard/dg-readiness-tool.md
View File

@ -25,6 +25,8 @@ appliesto:
param([switch]$Capable, [switch]$Ready, [switch]$Enable, [switch]$Disable, $SIPolicyPath, [switch]$AutoReboot, [switch]$DG, [switch]$CG, [switch]$HVCI, [switch]$HLK, [switch]$Clear, [switch]$ResetVerifier) param([switch]$Capable, [switch]$Ready, [switch]$Enable, [switch]$Disable, $SIPolicyPath, [switch]$AutoReboot, [switch]$DG, [switch]$CG, [switch]$HVCI, [switch]$HLK, [switch]$Clear, [switch]$ResetVerifier)
Set-StrictMode -Version Latest
$path = "C:\DGLogs\" $path = "C:\DGLogs\"
$LogFile = $path + "DeviceGuardCheckLog.txt" $LogFile = $path + "DeviceGuardCheckLog.txt"
@ -796,7 +798,13 @@ function CheckOSArchitecture
function CheckSecureBootState function CheckSecureBootState
{ {
$_secureBoot = Confirm-SecureBootUEFI try {
$_secureBoot = Confirm-SecureBootUEFI
}
catch
{
$_secureBoot = $false
}
Log $_secureBoot Log $_secureBoot
if($_secureBoot) if($_secureBoot)
{ {

10
windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
View File

@ -35,7 +35,7 @@ This guide assumes that baseline infrastructure exists which meets the requireme
- Multi-factor Authentication is required during Windows Hello for Business provisioning - Multi-factor Authentication is required during Windows Hello for Business provisioning
- Proper name resolution, both internal and external names - Proper name resolution, both internal and external names
- Active Directory and an adequate number of domain controllers per site to support authentication - Active Directory and an adequate number of domain controllers per site to support authentication
- Active Directory Certificate Services 2012 or later (Note: certificate services are not needed for cloud trust deployments) - Active Directory Certificate Services 2012 or later (Note: certificate services are not needed for cloud Kerberos trust deployments)
- One or more workstation computers running Windows 10, version 1703 or later - One or more workstation computers running Windows 10, version 1703 or later
If you are installing a server role for the first time, ensure the appropriate server operating system is installed, updated with the latest patches, and joined to the domain. This document provides guidance to install and configure the specific roles on that server. If you are installing a server role for the first time, ensure the appropriate server operating system is installed, updated with the latest patches, and joined to the domain. This document provides guidance to install and configure the specific roles on that server.
@ -44,23 +44,23 @@ Do not begin your deployment until the hosting servers and infrastructure (not r
## Deployment and trust models ## Deployment and trust models
Windows Hello for Business has three deployment models: Azure AD cloud only, hybrid, and on-premises. Hybrid has three trust models: *Key trust*, *certificate trust*, and *cloud trust*. On-premises deployment models only support *Key trust* and *certificate trust*. Windows Hello for Business has three deployment models: Azure AD cloud only, hybrid, and on-premises. Hybrid has three trust models: *Key Trust*, *Certificate Trust*, and *cloud Kerberos trust*. On-premises deployment models only support *Key Trust* and *Certificate Trust*.
Hybrid deployments are for enterprises that use Azure Active Directory. On-premises deployments are for enterprises who exclusively use on-premises Active Directory. Remember that the environments that use Azure Active Directory must use the hybrid deployment model for all domains in that forest. Hybrid deployments are for enterprises that use Azure Active Directory. On-premises deployments are for enterprises who exclusively use on-premises Active Directory. Remember that the environments that use Azure Active Directory must use the hybrid deployment model for all domains in that forest.
The trust model determines how you want users to authenticate to the on-premises Active Directory: The trust model determines how you want users to authenticate to the on-premises Active Directory:
- The key-trust model is for enterprises who do not want to issue end-entity certificates to their users and have an adequate number of 2016 domain controllers in each site to support authentication. This still requires Active Directory Certificate Services for domain controller certificates. - The key-trust model is for enterprises who do not want to issue end-entity certificates to their users and have an adequate number of 2016 domain controllers in each site to support authentication. This still requires Active Directory Certificate Services for domain controller certificates.
- The cloud-trust model is also for hybrid enterprises who do not want to issue end-entity certificates to their users and have an adequate number of 2016 domain controllers in each site to support authentication. This trust model is simpler to deploy than key trust and does not require Active Directory Certificate Services. We recommend using cloud trust instead of key trust if the clients in your enterprise support it. - The cloud-trust model is also for hybrid enterprises who do not want to issue end-entity certificates to their users and have an adequate number of 2016 domain controllers in each site to support authentication. This trust model is simpler to deploy than key trust and does not require Active Directory Certificate Services. We recommend using **cloud Kerberos trust** instead of **Key Trust** if the clients in your enterprise support it.
- The certificate-trust model is for enterprises that *do* want to issue end-entity certificates to their users and have the benefits of certificate expiration and renewal, similar to how smart cards work today. - The certificate-trust model is for enterprises that *do* want to issue end-entity certificates to their users and have the benefits of certificate expiration and renewal, similar to how smart cards work today.
- The certificate trust model also supports enterprises which are not ready to deploy Windows Server 2016 Domain Controllers. - The certificate trust model also supports enterprises which are not ready to deploy Windows Server 2016 Domain Controllers.
> [!Note] > [!Note]
> RDP does not support authentication with Windows Hello for Business key trust or cloud trust deployments as a supplied credential. RDP is only supported with certificate trust deployments as a supplied credential at this time. Windows Hello for Business key trust and cloud trust can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md). > RDP does not support authentication with Windows Hello for Business Key Trust or cloud Kerberos trust deployments as a supplied credential. RDP is only supported with certificate trust deployments as a supplied credential at this time. Windows Hello for Business Key Trust and cloud Kerberos trust can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md).
Following are the various deployment guides and models included in this topic: Following are the various deployment guides and models included in this topic:
- [Hybrid Azure AD Joined Cloud Trust Deployment](hello-hybrid-cloud-trust.md) - [Hybrid Azure AD Joined cloud Kerberos trust Deployment](hello-hybrid-cloud-kerberos-trust.md)
- [Hybrid Azure AD Joined Key Trust Deployment](hello-hybrid-key-trust.md) - [Hybrid Azure AD Joined Key Trust Deployment](hello-hybrid-key-trust.md)
- [Hybrid Azure AD Joined Certificate Trust Deployment](hello-hybrid-cert-trust.md) - [Hybrid Azure AD Joined Certificate Trust Deployment](hello-hybrid-cert-trust.md)
- [Azure AD Join Single Sign-on Deployment Guides](hello-hybrid-aadj-sso.md) - [Azure AD Join Single Sign-on Deployment Guides](hello-hybrid-aadj-sso.md)

4
windows/security/identity-protection/hello-for-business/hello-faq.yml
View File

@ -29,9 +29,9 @@ sections:
- name: Ignored - name: Ignored
questions: questions:
- question: What is Windows Hello for Business cloud trust? - question: What is Windows Hello for Business cloud Kerberos trust?
answer: | answer: |
Windows Hello for Business cloud trust is a new trust model that is currently in preview. This trust model will enable Windows Hello for Business deployment using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD-joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). Cloud trust is the preferred deployment model if you do not need to support certificate authentication scenarios. For more information, see [Hybrid Cloud Trust Deployment (Preview)](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust). Windows Hello for Business cloud Kerberos trust is a new trust model that is currently in preview. This trust model will enable Windows Hello for Business deployment using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD-joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). cloud Kerberos trust is the preferred deployment model if you do not need to support certificate authentication scenarios. For more information, see [Hybrid cloud Kerberos trust Deployment (Preview)](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust).
- question: What about virtual smart cards? - question: What about virtual smart cards?

4
windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
View File

@ -96,8 +96,8 @@ Using Group Policy, Microsoft Intune or a compatible MDM solution, you can confi
|--- |--- |--- | |--- |--- |--- |
|**Functionality**|The user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, will be deleted from the client and a new logon key and PIN are provisioned.|You must deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature. For more information on how to deploy the Microsoft PIN reset service and client policy, see [Connect Azure Active Directory with the PIN reset service](#connect-azure-active-directory-with-the-pin-reset-service). During a non-destructive PIN reset, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed.| |**Functionality**|The user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, will be deleted from the client and a new logon key and PIN are provisioned.|You must deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature. For more information on how to deploy the Microsoft PIN reset service and client policy, see [Connect Azure Active Directory with the PIN reset service](#connect-azure-active-directory-with-the-pin-reset-service). During a non-destructive PIN reset, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed.|
|**Windows editions and versions**|Reset from settings - Windows 10, version 1703 or later, Windows 11. Reset above Lock - Windows 10, version 1709 or later, Windows 11.|Windows 10, version 1709 to 1809, Enterprise Edition. There is no licensing requirement for this feature since version 1903. Enterprise Edition and Pro edition with Windows 10, version 1903 and newer Windows 11.| |**Windows editions and versions**|Reset from settings - Windows 10, version 1703 or later, Windows 11. Reset above Lock - Windows 10, version 1709 or later, Windows 11.|Windows 10, version 1709 to 1809, Enterprise Edition. There is no licensing requirement for this feature since version 1903. Enterprise Edition and Pro edition with Windows 10, version 1903 and newer Windows 11.|
|**Azure Active Directory Joined**|Cert Trust, Key Trust, and Cloud Trust|Cert Trust, Key Trust, and Cloud Trust| |**Azure Active Directory Joined**|Cert Trust, Key Trust, and cloud Kerberos trust|Cert Trust, Key Trust, and cloud Kerberos trust|
|**Hybrid Azure Active Directory Joined**|Cert Trust and Cloud Trust for both settings and above the lock support destructive PIN reset. Key Trust doesn't support this from above the lock screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. It does support from the settings page and the users must have a corporate network connectivity to the DC. |Cert Trust, Key Trust, and Cloud Trust for both settings and above the lock support non-destructive PIN reset. No network connection is required for the DC.| |**Hybrid Azure Active Directory Joined**|Cert Trust and cloud Kerberos trust for both settings and above the lock support destructive PIN reset. Key Trust doesn't support this from above the lock screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. It does support from the settings page and the users must have a corporate network connectivity to the DC. |Cert Trust, Key Trust, and cloud Kerberos trust for both settings and above the lock support non-destructive PIN reset. No network connection is required for the DC.|
|**On Premises**|If ADFS is being used for on premises deployments, users must have a corporate network connectivity to federation services. |The PIN reset service relies on Azure Active Directory identities, so it is only available for Hybrid Azure Active Directory Joined and Azure Active Directory Joined devices.| |**On Premises**|If ADFS is being used for on premises deployments, users must have a corporate network connectivity to federation services. |The PIN reset service relies on Azure Active Directory identities, so it is only available for Hybrid Azure Active Directory Joined and Azure Active Directory Joined devices.|
|**Additional Configuration required**|Supported by default and doesn't require configuration|Deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature On-board the Microsoft PIN reset service to respective Azure Active Directory tenant Configure Windows devices to use PIN reset using Group *Policy\MDM*.| |**Additional Configuration required**|Supported by default and doesn't require configuration|Deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature On-board the Microsoft PIN reset service to respective Azure Active Directory tenant Configure Windows devices to use PIN reset using Group *Policy\MDM*.|
|**MSA/Enterprise**|MSA and Enterprise|Enterprise only.| |**MSA/Enterprise**|MSA and Enterprise|Enterprise only.|

10
windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
View File

@ -21,10 +21,10 @@ Windows Hello for Business authentication is passwordless, two-factor authentica
Azure Active Directory-joined devices authenticate to Azure during sign-in and can optionally authenticate to Active Directory. Hybrid Azure Active Directory-joined devices authenticate to Active Directory during sign-in, and authenticate to Azure Active Directory in the background. Azure Active Directory-joined devices authenticate to Azure during sign-in and can optionally authenticate to Active Directory. Hybrid Azure Active Directory-joined devices authenticate to Active Directory during sign-in, and authenticate to Azure Active Directory in the background.
- [Azure AD join authentication to Azure Active Directory](#azure-ad-join-authentication-to-azure-active-directory) - [Azure AD join authentication to Azure Active Directory](#azure-ad-join-authentication-to-azure-active-directory)
- [Azure AD join authentication to Active Directory using Azure AD Kerberos (cloud trust preview)](#azure-ad-join-authentication-to-active-directory-using-azure-ad-kerberos-cloud-trust-preview) - [Azure AD join authentication to Active Directory using Azure AD Kerberos (cloud Kerberos trust)](#azure-ad-join-authentication-to-active-directory-using-azure-ad-kerberos-cloud-kerberos-trust)
- [Azure AD join authentication to Active Directory using a key](#azure-ad-join-authentication-to-active-directory-using-a-key) - [Azure AD join authentication to Active Directory using a key](#azure-ad-join-authentication-to-active-directory-using-a-key)
- [Azure AD join authentication to Active Directory using a certificate](#azure-ad-join-authentication-to-active-directory-using-a-certificate) - [Azure AD join authentication to Active Directory using a certificate](#azure-ad-join-authentication-to-active-directory-using-a-certificate)
- [Hybrid Azure AD join authentication using Azure AD Kerberos (cloud trust preview)](#hybrid-azure-ad-join-authentication-using-azure-ad-kerberos-cloud-trust-preview) - [Hybrid Azure AD join authentication using Azure AD Kerberos (cloud Kerberos trust)](#hybrid-azure-ad-join-authentication-using-azure-ad-kerberos-cloud-kerberos-trust)
- [Hybrid Azure AD join authentication using a key](#hybrid-azure-ad-join-authentication-using-a-key) - [Hybrid Azure AD join authentication using a key](#hybrid-azure-ad-join-authentication-using-a-key)
- [Hybrid Azure AD join authentication using a certificate](#hybrid-azure-ad-join-authentication-using-a-certificate) - [Hybrid Azure AD join authentication using a certificate](#hybrid-azure-ad-join-authentication-using-a-certificate)
@ -43,7 +43,7 @@ Azure Active Directory-joined devices authenticate to Azure during sign-in and c
|D | The Cloud AP provider receives the encrypted PRT with session key. Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.| |D | The Cloud AP provider receives the encrypted PRT with session key. Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.|
|E | The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT, and informs winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.| |E | The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT, and informs winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
## Azure AD join authentication to Active Directory using Azure AD Kerberos (cloud trust preview) ## Azure AD join authentication to Active Directory using Azure AD Kerberos (cloud Kerberos trust)
![Azure Active Directory join authentication to Azure AD.](images/howitworks/auth-aadj-cloudtrust-kerb.png) ![Azure Active Directory join authentication to Azure AD.](images/howitworks/auth-aadj-cloudtrust-kerb.png)
@ -78,13 +78,13 @@ Azure Active Directory-joined devices authenticate to Azure during sign-in and c
> [!NOTE] > [!NOTE]
> You may have an on-premises domain federated with Azure AD. Once you have successfully provisioned Windows Hello for Business PIN/Bio on, any future login of Windows Hello for Business (PIN/Bio) sign-in will directly authenticate against Azure AD to get PRT, as well as authenticate against your DC (if LOS to DC is available) to get Kerberos as mentioned previously. AD FS federation is used only when Enterprise PRT calls are placed from the client. You need to have device write-back enabled to get "Enterprise PRT" from your federation. > You may have an on-premises domain federated with Azure AD. Once you have successfully provisioned Windows Hello for Business PIN/Bio on, any future login of Windows Hello for Business (PIN/Bio) sign-in will directly authenticate against Azure AD to get PRT, as well as authenticate against your DC (if LOS to DC is available) to get Kerberos as mentioned previously. AD FS federation is used only when Enterprise PRT calls are placed from the client. You need to have device write-back enabled to get "Enterprise PRT" from your federation.
## Hybrid Azure AD join authentication using Azure AD Kerberos (cloud trust preview) ## Hybrid Azure AD join authentication using Azure AD Kerberos (cloud Kerberos trust)
![Hybrid Azure AD join authentication using Azure AD Kerberos](images/howitworks/auth-haadj-cloudtrust.png) ![Hybrid Azure AD join authentication using Azure AD Kerberos](images/howitworks/auth-haadj-cloudtrust.png)
| Phase | Description | | Phase | Description |
| :----: | :----------- | | :----: | :----------- |
|A | Authentication begins when the user dismisses the lock screen, which triggers winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to winlogon. Winlogon passes the collected credentials to lsass. Lsass queries Windows Hello for Business policy to check if cloud trust is enabled. If cloud trust is enabled, Lsass passes the collected credentials to the Cloud Authentication security support provider, or Cloud AP. Cloud AP requests a nonce from Azure Active Directory. Azure AD returns a nonce. |A | Authentication begins when the user dismisses the lock screen, which triggers winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to winlogon. Winlogon passes the collected credentials to lsass. Lsass queries Windows Hello for Business policy to check if cloud Kerberos trust is enabled. If cloud Kerberos trust is enabled, Lsass passes the collected credentials to the Cloud Authentication security support provider, or Cloud AP. Cloud AP requests a nonce from Azure Active Directory. Azure AD returns a nonce.
|B | Cloud AP signs the nonce using the user's private key and returns the signed nonce to Azure AD. |B | Cloud AP signs the nonce using the user's private key and returns the signed nonce to Azure AD.
|C | Azure AD validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Azure AD then validates the returned signed nonce. After validating the nonce, Azure AD creates a PRT with session key that is encrypted to the device's transport key and creates a Partial TGT from Azure AD Kerberos and returns them to Cloud AP. |C | Azure AD validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Azure AD then validates the returned signed nonce. After validating the nonce, Azure AD creates a PRT with session key that is encrypted to the device's transport key and creates a Partial TGT from Azure AD Kerberos and returns them to Cloud AP.
|D | Cloud AP receives the encrypted PRT with session key. Using the device's private transport key, Cloud AP decrypts the session key and protects the session key using the device's TPM (if available). Cloud AP returns a successful authentication response to lsass. Lsass caches the PRT and the Partial TGT. |D | Cloud AP receives the encrypted PRT with session key. Using the device's private transport key, Cloud AP decrypts the session key and protects the session key using the device's TPM (if available). Cloud AP returns a successful authentication response to lsass. Lsass caches the PRT and the Partial TGT.

8
windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
View File

@ -26,7 +26,7 @@ List of provisioning flows:
- [Azure AD joined provisioning in a managed environment](#azure-ad-joined-provisioning-in-a-managed-environment) - [Azure AD joined provisioning in a managed environment](#azure-ad-joined-provisioning-in-a-managed-environment)
- [Azure AD joined provisioning in a federated environment](#azure-ad-joined-provisioning-in-a-federated-environment) - [Azure AD joined provisioning in a federated environment](#azure-ad-joined-provisioning-in-a-federated-environment)
- [Hybrid Azure AD joined provisioning in a cloud trust (preview) deployment in a managed environment](#hybrid-azure-ad-joined-provisioning-in-a-cloud-trust-preview-deployment-in-a-managed-environment) - [Hybrid Azure AD joined provisioning in a cloud Kerberos trust deployment in a managed environment](#hybrid-azure-ad-joined-provisioning-in-a-cloud-kerberos-trust-deployment-in-a-managed-environment)
- [Hybrid Azure AD joined provisioning in a key trust deployment in a managed environment](#hybrid-azure-ad-joined-provisioning-in-a-key-trust-deployment-in-a-managed-environment) - [Hybrid Azure AD joined provisioning in a key trust deployment in a managed environment](#hybrid-azure-ad-joined-provisioning-in-a-key-trust-deployment-in-a-managed-environment)
- [Hybrid Azure AD joined provisioning in a synchronous certificate trust deployment in a federated environment](#hybrid-azure-ad-joined-provisioning-in-a-synchronous-certificate-trust-deployment-in-a-federated-environment) - [Hybrid Azure AD joined provisioning in a synchronous certificate trust deployment in a federated environment](#hybrid-azure-ad-joined-provisioning-in-a-synchronous-certificate-trust-deployment-in-a-federated-environment)
- [Domain joined provisioning in an On-premises key trust deployment](#domain-joined-provisioning-in-an-on-premises-key-trust-deployment) - [Domain joined provisioning in an On-premises key trust deployment](#domain-joined-provisioning-in-an-on-premises-key-trust-deployment)
@ -62,9 +62,9 @@ List of provisioning flows:
[Return to top](#windows-hello-for-business-provisioning) [Return to top](#windows-hello-for-business-provisioning)
## Hybrid Azure AD joined provisioning in a cloud trust (preview) deployment in a managed environment ## Hybrid Azure AD joined provisioning in a cloud Kerberos trust deployment in a managed environment
![Hybrid Azure AD joined provisioning in a cloud trust deployment in a Managed environment.](images/howitworks/prov-haadj-cloudtrust-managed.png) ![Hybrid Azure AD joined provisioning in a cloud Kerberos trust deployment in a Managed environment.](images/howitworks/prov-haadj-cloudtrust-managed.png)
[Full size image](images/howitworks/prov-haadj-cloudtrust-managed.png) [Full size image](images/howitworks/prov-haadj-cloudtrust-managed.png)
| Phase | Description | | Phase | Description |
@ -74,7 +74,7 @@ List of provisioning flows:
| C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns a key ID to the application which signals the end of user provisioning and the application exits. | | C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns a key ID to the application which signals the end of user provisioning and the application exits. |
> [!NOTE] > [!NOTE]
> Windows Hello for Business Cloud Trust does not require users' keys to be synced from Azure AD to AD. Users can immediately authenticate to Azure Active Directory and AD after provisioning their credential. > Windows Hello for Business cloud Kerberos trust does not require users' keys to be synced from Azure AD to AD. Users can immediately authenticate to Azure Active Directory and AD after provisioning their credential.
[Return to top](#windows-hello-for-business-provisioning) [Return to top](#windows-hello-for-business-provisioning)

110
windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md → windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md
View File

@ -1,6 +1,6 @@
--- ---
title: Hybrid Cloud Trust Deployment (Windows Hello for Business) title: Hybrid cloud Kerberos trust Deployment (Windows Hello for Business)
description: Learn the information you need to successfully deploy Windows Hello for Business in a hybrid cloud trust scenario. description: Learn the information you need to successfully deploy Windows Hello for Business in a hybrid cloud Kerberos trust scenario.
ms.prod: m365-security ms.prod: m365-security
author: paolomatarazzo author: paolomatarazzo
ms.author: paoloma ms.author: paoloma
@ -11,37 +11,39 @@ ms.topic: article
localizationpriority: medium localizationpriority: medium
ms.date: 2/15/2022 ms.date: 2/15/2022
appliesto: appliesto:
- ✅ <b>Windows 10 21H2 and later</b> - ✅ <b>Windows 10, version 21H2 and later</b>
- ✅ <b>Windows 11</b> - ✅ <b>Windows 11</b>
- ✅ <b>Hybrid deployment</b>
- ✅ <b>Cloud Kerberos trust</b>
--- ---
# Hybrid Cloud Trust Deployment (Preview) # Hybrid Cloud Kerberos Trust Deployment (Preview)
Windows Hello for Business replaces username and password Windows sign-in with strong authentication using an asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid cloud trust scenario. Windows Hello for Business replaces username and password Windows sign-in with strong authentication using an asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid cloud Kerberos trust scenario.
## Introduction to Cloud Trust ## Introduction to Cloud Kerberos Trust
The goal of the Windows Hello for Business cloud trust is to bring the simplified deployment experience of [on-premises SSO with passwordless security keys](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises) to Windows Hello for Business. This deployment model can be used for new Windows Hello for Business deployments or existing deployments can move to this model using policy controls. The goal of the Windows Hello for Business cloud Kerberos trust is to bring the simplified deployment experience of [on-premises SSO with passwordless security keys](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises) to Windows Hello for Business. This deployment model can be used for new Windows Hello for Business deployments or existing deployments can move to this model using policy controls.
Windows Hello for Business cloud trust uses Azure Active Directory (AD) Kerberos to address pain points of the key trust deployment model: Windows Hello for Business cloud Kerberos trust uses Azure Active Directory (AD) Kerberos to address pain points of the key trust deployment model:
- Windows Hello for Business cloud trust provides a simpler deployment experience because it doesn't require the deployment of public key infrastructure (PKI) or changes to existing PKI. - Windows Hello for Business cloud Kerberos trust provides a simpler deployment experience because it doesn't require the deployment of public key infrastructure (PKI) or changes to existing PKI.
- Cloud trust doesn't require syncing of public keys between Azure AD and on-premises domain controllers (DCs) for users to access on-premises resources and applications. This change means there isn't a delay between the user provisioning and being able to authenticate. - Cloud Kerberos trust doesn't require syncing of public keys between Azure AD and on-premises domain controllers (DCs) for users to access on-premises resources and applications. This change means there isn't a delay between the user provisioning and being able to authenticate.
- Deploying Windows Hello for Business cloud trust enables you to also deploy passwordless security keys with minimal extra setup. - Deploying Windows Hello for Business cloud Kerberos trust enables you to also deploy passwordless security keys with minimal extra setup.
> [!NOTE] > [!NOTE]
> Windows Hello for Business cloud trust is recommended instead of key trust if you meet the prerequisites to deploy cloud trust. Cloud trust is the preferred deployment model if you do not need to support certificate authentication scenarios. > Windows Hello for Business cloud Kerberos trust is recommended instead of key trust if you meet the prerequisites to deploy cloud Kerberos trust. cloud Kerberos trust is the preferred deployment model if you do not need to support certificate authentication scenarios.
## Azure Active Directory Kerberos and Cloud Trust Authentication ## Azure Active Directory Kerberos and Cloud Kerberos Trust Authentication
Key trust and certificate trust use certificate authentication based Kerberos for requesting kerberos ticket-granting-tickets (TGTs) for on-premises authentication. This type of authentication requires PKI for DC certificates, and requires end-user certificates for certificate trust. Single sign-on (SSO) to on-premises resources from Azure AD-joined devices requires more PKI configuration to publish a certificate revocation list (CRL) to a public endpoint. Cloud trust uses Azure AD Kerberos that doesn't require any of the above PKI to get the user a TGT. Key trust and certificate trust use certificate authentication based Kerberos for requesting kerberos ticket-granting-tickets (TGTs) for on-premises authentication. This type of authentication requires PKI for DC certificates, and requires end-user certificates for certificate trust. Single sign-on (SSO) to on-premises resources from Azure AD-joined devices requires more PKI configuration to publish a certificate revocation list (CRL) to a public endpoint. cloud Kerberos trust uses Azure AD Kerberos that doesn't require any of the above PKI to get the user a TGT.
With Azure AD Kerberos, Azure AD can issue TGTs for one or more of your AD domains. Windows can request a TGT from Azure AD when authenticating with Windows Hello for Business and use the returned TGT for logon or to access traditional AD-based resources. Kerberos service tickets and authorization continue to be controlled by your on-premises AD DCs. With Azure AD Kerberos, Azure AD can issue TGTs for one or more of your AD domains. Windows can request a TGT from Azure AD when authenticating with Windows Hello for Business and use the returned TGT for logon or to access traditional AD-based resources. Kerberos service tickets and authorization continue to be controlled by your on-premises AD DCs.
When you enable Azure AD Kerberos in a domain, an Azure AD Kerberos Server object is created in your on-premises AD. This object will appear as a Read Only Domain Controller (RODC) object but isn't associated with any physical servers. This resource is only used by Azure Active Directory to generate TGTs for your Active Directory Domain. The same rules and restrictions used for RODCs apply to the Azure AD Kerberos Server object. When you enable Azure AD Kerberos in a domain, an Azure AD Kerberos Server object is created in your on-premises AD. This object will appear as a Read Only Domain Controller (RODC) object but isn't associated with any physical servers. This resource is only used by Azure Active Directory to generate TGTs for your Active Directory Domain. The same rules and restrictions used for RODCs apply to the Azure AD Kerberos Server object.
More details on how Azure AD Kerberos enables access to on-premises resources are available in our documentation on [enabling passwordless security key sign-in to on-premises resources](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). There's more information on how Azure AD Kerberos works with Windows Hello for Business cloud trust in the [Windows Hello for Business authentication technical deep dive](hello-how-it-works-authentication.md#hybrid-azure-ad-join-authentication-using-azure-ad-kerberos-cloud-trust-preview). More details on how Azure AD Kerberos enables access to on-premises resources are available in our documentation on [enabling passwordless security key sign-in to on-premises resources](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). There's more information on how Azure AD Kerberos works with Windows Hello for Business cloud Kerberos trust in the [Windows Hello for Business authentication technical deep dive](hello-how-it-works-authentication.md#hybrid-azure-ad-join-authentication-using-azure-ad-kerberos-cloud-kerberos-trust).
If you're using the hybrid cloud trust deployment model, you _must_ ensure that you have adequate (one or more, depending on your authentication load) Windows Server 2016 or later read-write domain controllers in each Active Directory site where users will be authenticating for Windows Hello for Business. If you're using the hybrid cloud Kerberos trust deployment model, you _must_ ensure that you have adequate (one or more, depending on your authentication load) Windows Server 2016 or later read-write domain controllers in each Active Directory site where users will be authenticating for Windows Hello for Business.
## Prerequisites ## Prerequisites
@ -51,26 +53,26 @@ If you're using the hybrid cloud trust deployment model, you _must_ ensure that
| Patched Windows 10 version 21H2 or patched Windows 11 and later | If you're using Windows 10 21H2, KB5010415 must be installed. If you're using Windows 11 21H2, KB5010414 must be installed. There's no Windows version support difference between Azure AD joined and Hybrid Azure AD-joined devices. | | Patched Windows 10 version 21H2 or patched Windows 11 and later | If you're using Windows 10 21H2, KB5010415 must be installed. If you're using Windows 11 21H2, KB5010414 must be installed. There's no Windows version support difference between Azure AD joined and Hybrid Azure AD-joined devices. |
| Fully patched Windows Server 2016 or later Domain Controllers | Domain controllers should be fully patched to support updates needed for Azure AD Kerberos. If you're using Windows Server 2016, [KB3534307](https://support.microsoft.com/en-us/topic/january-23-2020-kb4534307-os-build-14393-3474-b181594e-2c6a-14ea-e75b-678efea9d27e) must be installed. If you're using Server 2019, [KB4534321](https://support.microsoft.com/en-us/topic/january-23-2020-kb4534321-os-build-17763-1012-023e84c3-f9aa-3b55-8aff-d512911c459f) must be installed. | | Fully patched Windows Server 2016 or later Domain Controllers | Domain controllers should be fully patched to support updates needed for Azure AD Kerberos. If you're using Windows Server 2016, [KB3534307](https://support.microsoft.com/en-us/topic/january-23-2020-kb4534307-os-build-14393-3474-b181594e-2c6a-14ea-e75b-678efea9d27e) must be installed. If you're using Server 2019, [KB4534321](https://support.microsoft.com/en-us/topic/january-23-2020-kb4534321-os-build-17763-1012-023e84c3-f9aa-3b55-8aff-d512911c459f) must be installed. |
| Azure AD Kerberos PowerShell module | This module is used for enabling and managing Azure AD Kerberos. It's available through the [PowerShell Gallery](https://www.powershellgallery.com/packages/AzureADHybridAuthenticationManagement).| | Azure AD Kerberos PowerShell module | This module is used for enabling and managing Azure AD Kerberos. It's available through the [PowerShell Gallery](https://www.powershellgallery.com/packages/AzureADHybridAuthenticationManagement).|
| Device management | Windows Hello for Business cloud trust can be managed with group policy or through mobile device management (MDM) policy. This feature is disabled by default and must be enabled using policy. | | Device management | Windows Hello for Business cloud Kerberos trust can be managed with group policy or through mobile device management (MDM) policy. This feature is disabled by default and must be enabled using policy. |
### Unsupported Scenarios ### Unsupported Scenarios
The following scenarios aren't supported using Windows Hello for Business cloud trust: The following scenarios aren't supported using Windows Hello for Business cloud Kerberos trust:
- On-premises only deployments - On-premises only deployments
- RDP/VDI scenarios using supplied credentials (RDP/VDI can be used with Remote Credential Guard or if a certificate is enrolled into the Windows Hello for Business container) - RDP/VDI scenarios using supplied credentials (RDP/VDI can be used with Remote Credential Guard or if a certificate is enrolled into the Windows Hello for Business container)
- Scenarios that require a certificate for authentication - Scenarios that require a certificate for authentication
- Using cloud trust for "Run as" - Using cloud Kerberos trust for "Run as"
- Signing in with cloud trust on a Hybrid Azure AD joined device without previously signing in with DC connectivity - Signing in with cloud Kerberos trust on a Hybrid Azure AD joined device without previously signing in with DC connectivity
> [!NOTE] > [!NOTE]
> The default security policy for AD does not grant permission to sign high privilege accounts on to on-premises resources with Cloud Trust or FIDO2 security keys. > The default security policy for AD does not grant permission to sign high privilege accounts on to on-premises resources with cloud Kerberos trust or FIDO2 security keys.
> >
> To unblock the accounts, use Active Directory Users and Computers to modify the msDS-NeverRevealGroup property of the Azure AD Kerberos Computer object (CN=AzureADKerberos,OU=Domain Controllers,\<domain-DN\>). > To unblock the accounts, use Active Directory Users and Computers to modify the msDS-NeverRevealGroup property of the Azure AD Kerberos Computer object (CN=AzureADKerberos,OU=Domain Controllers,\<domain-DN\>).
## Deployment Instructions ## Deployment Instructions
Deploying Windows Hello for Business cloud trust consists of two steps: Deploying Windows Hello for Business cloud Kerberos trust consists of two steps:
1. Set up Azure AD Kerberos in your hybrid environment. 1. Set up Azure AD Kerberos in your hybrid environment.
1. Configure Windows Hello for Business policy and deploy it to devices. 1. Configure Windows Hello for Business policy and deploy it to devices.
@ -79,11 +81,11 @@ Deploying Windows Hello for Business cloud trust consists of two steps:
If you've already deployed on-premises SSO for passwordless security key sign-in, then you've already deployed Azure AD Kerberos in your hybrid environment. You don't need to redeploy or change your existing Azure AD Kerberos deployment to support Windows Hello for Business and you can skip this section. If you've already deployed on-premises SSO for passwordless security key sign-in, then you've already deployed Azure AD Kerberos in your hybrid environment. You don't need to redeploy or change your existing Azure AD Kerberos deployment to support Windows Hello for Business and you can skip this section.
If you haven't deployed Azure AD Kerberos, follow the instructions in the [Enable passwordless security key sign-in to on-premises resources by using Azure AD](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises#install-the-azure-ad-kerberos-powershell-module) documentation. This page includes information on how to install and use the Azure AD Kerberos Powershell module. Use the module to create an Azure AD Kerberos Server object for the domains where you want to use Windows Hello for Business cloud trust. If you haven't deployed Azure AD Kerberos, follow the instructions in the [Enable passwordless security key sign-in to on-premises resources by using Azure AD](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises#install-the-azure-ad-kerberos-powershell-module) documentation. This page includes information on how to install and use the Azure AD Kerberos Powershell module. Use the module to create an Azure AD Kerberos Server object for the domains where you want to use Windows Hello for Business cloud Kerberos trust.
### Configure Windows Hello for Business Policy ### Configure Windows Hello for Business Policy
After setting up the Azure AD Kerberos Object, Windows Hello for business cloud trust must be enabled using policy. By default, cloud trust won't be used by Hybrid Azure AD joined or Azure AD-joined devices. After setting up the Azure AD Kerberos Object, Windows Hello for business cloud Kerberos trust must be enabled using policy. By default, cloud Kerberos trust won't be used by Hybrid Azure AD joined or Azure AD-joined devices.
#### Configure Using Group Policy #### Configure Using Group Policy
@ -93,14 +95,14 @@ The Enable Windows Hello for Business Group Policy setting is used by Windows to
You can configure the Enable Windows Hello for Business Group Policy setting for computers or users. Deploying this policy setting to computers results in all users that sign-in that computer to attempt a Windows Hello for Business enrollment. Deploying this policy setting to a user results in only that user attempting a Windows Hello for Business enrollment. Additionally, you can deploy the policy setting to a group of users so only those users attempt a Windows Hello for Business enrollment. If both user and computer policy settings are deployed, the user policy setting has precedence. You can configure the Enable Windows Hello for Business Group Policy setting for computers or users. Deploying this policy setting to computers results in all users that sign-in that computer to attempt a Windows Hello for Business enrollment. Deploying this policy setting to a user results in only that user attempting a Windows Hello for Business enrollment. Additionally, you can deploy the policy setting to a group of users so only those users attempt a Windows Hello for Business enrollment. If both user and computer policy settings are deployed, the user policy setting has precedence.
Cloud trust requires setting a dedicated policy for it to be enabled. This policy is only available as a computer configuration. cloud Kerberos trust requires setting a dedicated policy for it to be enabled. This policy is only available as a computer configuration.
> [!NOTE] > [!NOTE]
> If you deployed Windows Hello for Business configuration using both Group Policy and Microsoft Intune, Group Policy settings will take precedence and Intune settings will be ignored. For more information about deploying Windows Hello for Business configuration using Microsoft Intune, see [Windows device settings to enable Windows Hello for Business in Intune](/mem/intune/protect/identity-protection-windows-settings) and [PassportForWork CSP](/windows/client-management/mdm/passportforwork-csp). For more information about policy conflicts, see [Policy conflicts from multiple policy sources](hello-manage-in-organization.md#policy-conflicts-from-multiple-policy-sources) > If you deployed Windows Hello for Business configuration using both Group Policy and Microsoft Intune, Group Policy settings will take precedence and Intune settings will be ignored. For more information about deploying Windows Hello for Business configuration using Microsoft Intune, see [Windows device settings to enable Windows Hello for Business in Intune](/mem/intune/protect/identity-protection-windows-settings) and [PassportForWork CSP](/windows/client-management/mdm/passportforwork-csp). For more information about policy conflicts, see [Policy conflicts from multiple policy sources](hello-manage-in-organization.md#policy-conflicts-from-multiple-policy-sources)
##### Update Group Policy Objects ##### Update Group Policy Objects
You may need to update your Group Policy definitions to be able to configure the cloud trust policy. You can copy the ADMX and ADML files from a Windows 10 21H2 or Windows 11 device that supports cloud trust to their respective language folder on your Group Policy management server. Windows Hello for Business settings are in the Passport.admx and Passport.adml files. You may need to update your Group Policy definitions to be able to configure the cloud Kerberos trust policy. You can copy the ADMX and ADML files from a Windows 10 21H2 or Windows 11 device that supports cloud Kerberos trust to their respective language folder on your Group Policy management server. Windows Hello for Business settings are in the Passport.admx and Passport.adml files.
You can also create a Group Policy Central Store and copy them their respective language folder. For more information, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](/troubleshoot/windows-client/group-policy/create-and-manage-central-store). You can also create a Group Policy Central Store and copy them their respective language folder. For more information, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](/troubleshoot/windows-client/group-policy/create-and-manage-central-store).
@ -116,23 +118,23 @@ Sign-in a domain controller or management workstations with *Domain Admin* equiv
1. In the navigation pane, expand **Policies** under **Device Configuration**. 1. In the navigation pane, expand **Policies** under **Device Configuration**.
1. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**. 1. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**.
1. In the content pane, double-click **Use Windows Hello for Business**. Click **Enable** and click **OK**. 1. In the content pane, double-click **Use Windows Hello for Business**. Click **Enable** and click **OK**.
1. In the content pane, double-click **Use cloud trust for on-premises authentication**. Click **Enable** and click **OK**. 1. In the content pane, double-click **Use cloud Kerberos trust for on-premises authentication**. Click **Enable** and click **OK**.
1. *Optional but recommended*: In the content pane, double-click **Use a hardware security device**. Click **Enable** and click **OK**. 1. *Optional but recommended*: In the content pane, double-click **Use a hardware security device**. Click **Enable** and click **OK**.
This group policy should be targeted at the computer group that you've created for that you want to use Windows Hello for Business. This group policy should be targeted at the computer group that you've created for that you want to use Windows Hello for Business.
> [!Important] > [!Important]
> If the Use certificate for on-premises authentication policy is enabled, we will enforce certificate trust instead of cloud trust on the client. Please make sure that any machines that you want to use Windows Hello for Business cloud trust have this policy not configured or disabled. > If the Use certificate for on-premises authentication policy is enabled, we will enforce certificate trust instead of cloud Kerberos trust on the client. Please make sure that any machines that you want to use Windows Hello for Business cloud Kerberos trust have this policy not configured or disabled.
#### Configure Using Intune #### Configure Using Intune
Windows Hello for Business can be enabled using device enrollment or device configuration policy. Device enrollment policy is only applied at device enrollment time. Any modifications to the configuration in Intune won't apply to already enrolled devices. Device configuration policy is applied after device enrollment. Changes to this policy type in Intune are applied to already enrolled devices. Windows Hello for Business can be enabled using device enrollment or device configuration policy. Device enrollment policy is only applied at device enrollment time. Any modifications to the configuration in Intune won't apply to already enrolled devices. Device configuration policy is applied after device enrollment. Changes to this policy type in Intune are applied to already enrolled devices.
The cloud trust policy needs to be configured using a custom template and is configured separately from enabling Windows Hello from Business. The cloud Kerberos trust policy needs to be configured using a custom template and is configured separately from enabling Windows Hello from Business.
##### Create a user Group that will be targeted for Windows Hello for Business ##### Create a user Group that will be targeted for Windows Hello for Business
If you have an existing group you want to target with Windows Hello for Business cloud trust policy, you can skip this step. If you have an existing group you want to target with Windows Hello for Business cloud Kerberos trust policy, you can skip this step.
1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). 1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
1. Browse to **Groups** and select **New group**. 1. Browse to **Groups** and select **New group**.
@ -140,13 +142,13 @@ If you have an existing group you want to target with Windows Hello for Business
1. Group type: "Security" 1. Group type: "Security"
1. Group name: "WHFBCloudTrustUsers" or a group name of your choosing 1. Group name: "WHFBCloudTrustUsers" or a group name of your choosing
1. Membership type: Assigned 1. Membership type: Assigned
1. Select **Members** and add users that you want to target with Windows Hello for Business cloud trust. 1. Select **Members** and add users that you want to target with Windows Hello for Business cloud Kerberos trust.
You can also create a group through the Azure portal instead of using the Microsoft Endpoint Manager admin center. You can also create a group through the Azure portal instead of using the Microsoft Endpoint Manager admin center.
##### Enable Windows Hello for Business ##### Enable Windows Hello for Business
If you already enabled Windows Hello for Business for a target set of users or devices, you can skip below to configuring the cloud trust policy. Otherwise, follow the instructions at [Integrate Windows Hello for Business with Microsoft Intune](/mem/intune/protect/windows-hello) to create a Windows Hello for Business device enrollment policy. If you already enabled Windows Hello for Business for a target set of users or devices, you can skip below to configuring the cloud Kerberos trust policy. Otherwise, follow the instructions at [Integrate Windows Hello for Business with Microsoft Intune](/mem/intune/protect/windows-hello) to create a Windows Hello for Business device enrollment policy.
You can also follow these steps to create a device configuration policy instead of a device enrollment policy: You can also follow these steps to create a device configuration policy instead of a device enrollment policy:
@ -162,25 +164,25 @@ You can also follow these steps to create a device configuration policy instead
1. Select Next to move to **Assignments**. 1. Select Next to move to **Assignments**.
1. Under Included groups, select **Add groups**. 1. Under Included groups, select **Add groups**.
1. Select the user group you would like to use Windows Hello for Business cloud trust. This group may be WHFBCloudTrustUsers or a group of your choosing. 1. Select the user group you would like to use Windows Hello for Business cloud Kerberos trust. This group may be WHFBCloudTrustUsers or a group of your choosing.
1. Select Next to move to the Applicability Rules. 1. Select Next to move to the Applicability Rules.
1. Select Next again to move to the **Review + create** tab and select the option to create the policy. 1. Select Next again to move to the **Review + create** tab and select the option to create the policy.
Windows Hello for Business settings are also available in the settings catalog. For more information, see [Use the settings catalog to configure settings on Windows and macOS devices - preview](/mem/intune/configuration/settings-catalog). Windows Hello for Business settings are also available in the settings catalog. For more information, see [Use the settings catalog to configure settings on Windows and macOS devices - preview](/mem/intune/configuration/settings-catalog).
##### Configure Cloud Trust policy ##### Configure Cloud Kerberos Trust policy
To configure the cloud trust policy, follow the steps below: To configure the cloud Kerberos trust policy, follow the steps below:
1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). 1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
1. Browse to Devices > Windows > Configuration Profiles > Create profile. 1. Browse to Devices > Windows > Configuration Profiles > Create profile.
1. For Platform, select Windows 10 and later. 1. For Platform, select Windows 10 and later.
1. For Profile Type, select **Templates** and select the **Custom** Template. 1. For Profile Type, select **Templates** and select the **Custom** Template.
1. Name the profile with a familiar name. For example, "Windows Hello for Business cloud trust". 1. Name the profile with a familiar name. For example, "Windows Hello for Business cloud Kerberos trust".
1. In Configuration Settings, add a new configuration with the following settings: 1. In Configuration Settings, add a new configuration with the following settings:
- Name: "Windows Hello for Business cloud trust" or another familiar name - Name: "Windows Hello for Business cloud Kerberos trust" or another familiar name
- Description: Enable Windows Hello for Business cloud trust for sign-in and on-premises SSO. - Description: Enable Windows Hello for Business cloud Kerberos trust for sign-in and on-premises SSO.
- OMA-URI: ./Device/Vendor/MSFT/PassportForWork/*tenant ID*/Policies/UseCloudTrustForOnPremAuth - OMA-URI: ./Device/Vendor/MSFT/PassportForWork/*tenant ID*/Policies/UseCloudTrustForOnPremAuth
>[!IMPORTANT] >[!IMPORTANT]
@ -193,22 +195,22 @@ To configure the cloud trust policy, follow the steps below:
1. Select Next to navigate to **Assignments**. 1. Select Next to navigate to **Assignments**.
1. Under Included groups, select **Add groups**. 1. Under Included groups, select **Add groups**.
1. Select the user group you would like to use Windows Hello for Business cloud trust. This group may be WHFBCloudTrustUsers or a group of your choosing. 1. Select the user group you would like to use Windows Hello for Business cloud Kerberos trust. This group may be WHFBCloudTrustUsers or a group of your choosing.
1. Select Next to move to the Applicability Rules. 1. Select Next to move to the Applicability Rules.
1. Select Next again to move to the **Review + create** tab and select the option to create the policy. 1. Select Next again to move to the **Review + create** tab and select the option to create the policy.
> [!Important] > [!Important]
> If the Use certificate for on-premises authentication policy is enabled, we will enforce certificate trust instead of cloud trust on the client. Please make sure that any machines that you want to use Windows Hello for Business cloud trust have this policy not configured or disabled. > If the Use certificate for on-premises authentication policy is enabled, we will enforce certificate trust instead of cloud Kerberos trust on the client. Please make sure that any machines that you want to use Windows Hello for Business cloud Kerberos trust have this policy not configured or disabled.
## Provisioning ## Provisioning
The Windows Hello for Business provisioning process begins immediately after a user has signed in if certain prerequisite checks are passed. Windows Hello for Business cloud trust adds a prerequisite check for Hybrid Azure AD-joined devices when cloud trust is enabled by policy. The Windows Hello for Business provisioning process begins immediately after a user has signed in if certain prerequisite checks are passed. Windows Hello for Business cloud Kerberos trust adds a prerequisite check for Hybrid Azure AD-joined devices when cloud Kerberos trust is enabled by policy.
You can determine the status of the prerequisite check by viewing the **User Device Registration** admin log under **Applications and Services Logs\Microsoft\Windows**. This information is also available using the [**dsregcmd /status**](/azure/active-directory/devices/troubleshoot-device-dsregcmd) command from a console. You can determine the status of the prerequisite check by viewing the **User Device Registration** admin log under **Applications and Services Logs\Microsoft\Windows**. This information is also available using the [**dsregcmd /status**](/azure/active-directory/devices/troubleshoot-device-dsregcmd) command from a console.
![Cloud trust prerequisite check in the user device registration log](./images/cloud-trust-prereq-check.png) ![cloud Kerberos trust prerequisite check in the user device registration log](./images/cloud-trust-prereq-check.png)
The cloud trust prerequisite check detects whether the user has a partial TGT before allowing provisioning to start. The purpose of this check is to validate whether Azure AD Kerberos is set up for the user's domain and tenant. If Azure AD Kerberos is set up, the user will receive a partial TGT during sign-in with one of their other unlock methods. This check has three states: Yes, No, and Not Tested. The *Not Tested* state is reported if cloud trust is not being enforced by policy or if the device is Azure AD joined. The cloud Kerberos trust prerequisite check detects whether the user has a partial TGT before allowing provisioning to start. The purpose of this check is to validate whether Azure AD Kerberos is set up for the user's domain and tenant. If Azure AD Kerberos is set up, the user will receive a partial TGT during sign-in with one of their other unlock methods. This check has three states: Yes, No, and Not Tested. The *Not Tested* state is reported if cloud Kerberos trust is not being enforced by policy or if the device is Azure AD joined.
This prerequisite check isn't done for provisioning on Azure AD-joined devices. If Azure AD Kerberos isn't provisioned, a user on an Azure AD joined device will still be able to sign in. This prerequisite check isn't done for provisioning on Azure AD-joined devices. If Azure AD Kerberos isn't provisioned, a user on an Azure AD joined device will still be able to sign in.
@ -228,11 +230,11 @@ After a successful MFA, the provisioning flow asks the user to create and valida
### Sign-in ### Sign-in
Once a user has set up a PIN with cloud trust, it can be used immediately for sign-in. On a Hybrid Azure AD joined device, the first use of the PIN requires line of sight to a DC. Once the user has signed in or unlocked with the DC, cached logon can be used for subsequent unlocks without line of sight or network connectivity. Once a user has set up a PIN with cloud Kerberos trust, it can be used immediately for sign-in. On a Hybrid Azure AD joined device, the first use of the PIN requires line of sight to a DC. Once the user has signed in or unlocked with the DC, cached logon can be used for subsequent unlocks without line of sight or network connectivity.
## Troubleshooting ## Troubleshooting
If you encounter issues or want to share feedback about Windows Hello for Business cloud trust, share via the Windows Feedback Hub app by following these steps: If you encounter issues or want to share feedback about Windows Hello for Business cloud Kerberos trust, share via the Windows Feedback Hub app by following these steps:
1. Open **Feedback Hub**, and make sure that you're signed in. 1. Open **Feedback Hub**, and make sure that you're signed in.
1. Submit feedback by selecting the following categories: 1. Submit feedback by selecting the following categories:
@ -241,24 +243,24 @@ If you encounter issues or want to share feedback about Windows Hello for Busine
## Frequently Asked Questions ## Frequently Asked Questions
### Does Windows Hello for Business cloud trust work in my on-premises environment? ### Does Windows Hello for Business cloud Kerberos trust work in my on-premises environment?
This feature doesn't work in a pure on-premises AD domain services environment. This feature doesn't work in a pure on-premises AD domain services environment.
### Does Windows Hello for Business cloud trust work in a Windows login with RODC present in the hybrid environment? ### Does Windows Hello for Business cloud Kerberos trust work in a Windows login with RODC present in the hybrid environment?
Windows Hello for Business cloud trust looks for a writeable DC to exchange the partial TGT. As long as you have at least one writeable DC per site, login with cloud trust will work. Windows Hello for Business cloud Kerberos trust looks for a writeable DC to exchange the partial TGT. As long as you have at least one writeable DC per site, login with cloud Kerberos trust will work.
### Do I need line of sight to a domain controller to use Windows Hello for Business cloud trust? ### Do I need line of sight to a domain controller to use Windows Hello for Business cloud Kerberos trust?
Windows Hello for Business cloud trust requires line of sight to a domain controller for some scenarios: Windows Hello for Business cloud Kerberos trust requires line of sight to a domain controller for some scenarios:
- The first sign-in or unlock with Windows Hello for Business after provisioning on a Hybrid Azure AD joined device - The first sign-in or unlock with Windows Hello for Business after provisioning on a Hybrid Azure AD joined device
- When attempting to access an on-premises resource from an Azure AD joined device - When attempting to access an on-premises resource from an Azure AD joined device
### Can I use RDP/VDI with Windows Hello for Business cloud trust? ### Can I use RDP/VDI with Windows Hello for Business cloud Kerberos trust?
Windows Hello for Business cloud trust cannot be used as a supplied credential with RDP/VDI. Similar to key trust, cloud trust can be used for RDP with [remote credential guard](/windows/security/identity-protection/remote-credential-guard) or if a [certificate is enrolled into Windows Hello for Business](hello-deployment-rdp-certs.md) for this purpose. Windows Hello for Business cloud Kerberos trust cannot be used as a supplied credential with RDP/VDI. Similar to key trust, cloud Kerberos trust can be used for RDP with [remote credential guard](/windows/security/identity-protection/remote-credential-guard) or if a [certificate is enrolled into Windows Hello for Business](hello-deployment-rdp-certs.md) for this purpose.
### Do all my domain controllers need to be fully patched as per the prerequisites for me to use Windows Hello for Business cloud trust? ### Do all my domain controllers need to be fully patched as per the prerequisites for me to use Windows Hello for Business cloud Kerberos trust?
No, only the number necessary to handle the load from all cloud trust devices. No, only the number necessary to handle the load from all cloud Kerberos trust devices.

4
windows/security/identity-protection/hello-for-business/hello-identity-verification.md
View File

@ -31,7 +31,7 @@ This article lists the infrastructure requirements for the different deployment
The table shows the minimum requirements for each deployment. For key trust in a multi-domain/multi-forest deployment, the following requirements are applicable for each domain/forest that hosts Windows Hello for business components or is involved in the Kerberos referral process. The table shows the minimum requirements for each deployment. For key trust in a multi-domain/multi-forest deployment, the following requirements are applicable for each domain/forest that hosts Windows Hello for business components or is involved in the Kerberos referral process.
| Requirement | Cloud trust (Preview)<br/>Group Policy or Modern managed | Key trust<br/>Group Policy or Modern managed | Certificate trust<br/>Mixed managed | Certificate trust<br/>Modern managed | | Requirement | cloud Kerberos trust<br/>Group Policy or Modern managed | Key trust<br/>Group Policy or Modern managed | Certificate Trust<br/>Mixed managed | Certificate Trust<br/>Modern managed |
| --- | --- | --- | --- | --- | | --- | --- | --- | --- | --- |
| **Windows Version** | Windows 10, version 21H2 with KB5010415; Windows 11 with KB5010414; or later | Windows 10, version 1511 or later| **Hybrid Azure AD Joined:**<br> *Minimum:* Windows 10, version 1703<br> *Best experience:* Windows 10, version 1709 or later (supports synchronous certificate enrollment).<br/>**Azure AD Joined:**<br> Windows 10, version 1511 or later| Windows 10, version 1511 or later | | **Windows Version** | Windows 10, version 21H2 with KB5010415; Windows 11 with KB5010414; or later | Windows 10, version 1511 or later| **Hybrid Azure AD Joined:**<br> *Minimum:* Windows 10, version 1703<br> *Best experience:* Windows 10, version 1709 or later (supports synchronous certificate enrollment).<br/>**Azure AD Joined:**<br> Windows 10, version 1511 or later| Windows 10, version 1511 or later |
| **Schema Version** | No specific Schema requirement | Windows Server 2016 or later Schema | Windows Server 2016 or later Schema | Windows Server 2016 or later Schema | | **Schema Version** | No specific Schema requirement | Windows Server 2016 or later Schema | Windows Server 2016 or later Schema | Windows Server 2016 or later Schema |
@ -44,7 +44,7 @@ The table shows the minimum requirements for each deployment. For key trust in a
| **Azure AD License** | Azure AD Premium, optional | Azure AD Premium, optional | Azure AD Premium, needed for device write-back | Azure AD Premium, optional. Intune license required | | **Azure AD License** | Azure AD Premium, optional | Azure AD Premium, optional | Azure AD Premium, needed for device write-back | Azure AD Premium, optional. Intune license required |
> [!Important] > [!Important]
> - Hybrid deployments support non-destructive PIN reset that works with certificate trust, key trust and cloud trust models. > - Hybrid deployments support non-destructive PIN reset that works with Certificate Trust, Key Trust and cloud Kerberos trust models.
> >
> **Requirements:** > **Requirements:**
> - Microsoft PIN Reset Service - Windows 10, versions 1709 to 1809, Enterprise Edition. There is no licensing requirement for this service since version 1903 > - Microsoft PIN Reset Service - Windows 10, versions 1709 to 1809, Enterprise Edition. There is no licensing requirement for this service since version 1903

4
windows/security/identity-protection/hello-for-business/hello-overview.md
View File

@ -94,9 +94,9 @@ For details, see [How Windows Hello for Business works](hello-how-it-works.md).
## Comparing key-based and certificate-based authentication ## Comparing key-based and certificate-based authentication
Windows Hello for Business can use either keys (hardware or software) or certificates in hardware or software. Enterprises that have a public key infrastructure (PKI) for issuing and managing end user certificates can continue to use PKI in combination with Windows Hello for Business. Enterprises that don't use PKI or want to reduce the effort associated with managing user certificates can rely on key-based credentials for Windows Hello. This functionality still uses certificates on the domain controllers as a root of trust. Starting with Windows 10 version 21H2, there's a feature called cloud trust for hybrid deployments, which uses Azure AD as the root of trust. Cloud trust uses key-based credentials for Windows Hello but doesn't require certificates on the domain controller. Windows Hello for Business can use either keys (hardware or software) or certificates in hardware or software. Enterprises that have a public key infrastructure (PKI) for issuing and managing end user certificates can continue to use PKI in combination with Windows Hello for Business. Enterprises that don't use PKI or want to reduce the effort associated with managing user certificates can rely on key-based credentials for Windows Hello. This functionality still uses certificates on the domain controllers as a root of trust. Starting with Windows 10 version 21H2, there's a feature called cloud Kerberos trust for hybrid deployments, which uses Azure AD as the root of trust. cloud Kerberos trust uses key-based credentials for Windows Hello but doesn't require certificates on the domain controller.
Windows Hello for Business with a key, including cloud trust, doesn't support supplied credentials for RDP. RDP doesn't support authentication with a key or a self signed certificate. RDP with Windows Hello for Business is supported with certificate based deployments as a supplied credential. Windows Hello for Business with a key credential can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md). Windows Hello for Business with a key, including cloud Kerberos trust, doesn't support supplied credentials for RDP. RDP doesn't support authentication with a key or a self signed certificate. RDP with Windows Hello for Business is supported with certificate based deployments as a supplied credential. Windows Hello for Business with a key credential can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md).
## Learn more ## Learn more

2
windows/security/identity-protection/hello-for-business/hello-planning-guide.md
View File

@ -93,7 +93,7 @@ It's fundamentally important to understand which deployment model to use for a s
A deployment's trust type defines how each Windows Hello for Business client authenticates to the on-premises Active Directory. There are two trust types: key trust and certificate trust. A deployment's trust type defines how each Windows Hello for Business client authenticates to the on-premises Active Directory. There are two trust types: key trust and certificate trust.
> [!NOTE] > [!NOTE]
> Windows Hello for Business is introducing a new trust model called cloud trust in early 2022. This trust model will enable deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD-joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). More information will be available on Windows Hello for Business cloud trust once it is generally available. > Windows Hello for Business introduced a new trust model called cloud Kerberos trust, in early 2022. This model enables deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD-joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see ./hello-hybrid-cloud-kerberos-trust.md.
The key trust type does not require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during the built-in provisioning experience. This requires an adequate distribution of Windows Server 2016 or later domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. The key trust type does not require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during the built-in provisioning experience. This requires an adequate distribution of Windows Server 2016 or later domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.

4
windows/security/identity-protection/hello-for-business/index.yml
View File

@ -65,8 +65,8 @@ landingContent:
url: hello-identity-verification.md url: hello-identity-verification.md
- linkListType: how-to-guide - linkListType: how-to-guide
links: links:
- text: Hybrid Cloud Trust Deployment - text: Hybrid Cloud Kerberos Trust Deployment
url: hello-hybrid-cloud-trust.md url: hello-hybrid-cloud-kerberos-trust.md
- text: Hybrid Azure AD Joined Key Trust Deployment - text: Hybrid Azure AD Joined Key Trust Deployment
url: hello-hybrid-key-trust.md url: hello-hybrid-key-trust.md
- text: Hybrid Azure AD Joined Certificate Trust Deployment - text: Hybrid Azure AD Joined Certificate Trust Deployment

4
windows/security/identity-protection/hello-for-business/toc.yml
View File

@ -35,8 +35,8 @@
href: hello-prepare-people-to-use.md href: hello-prepare-people-to-use.md
- name: Deployment Guides - name: Deployment Guides
items: items:
- name: Hybrid Cloud Trust Deployment - name: Hybrid Cloud Kerberos Trust Deployment
href: hello-hybrid-cloud-trust.md href: hello-hybrid-cloud-kerberos-trust.md
- name: Hybrid Azure AD Joined Key Trust - name: Hybrid Azure AD Joined Key Trust
items: items:
- name: Hybrid Azure AD Joined Key Trust Deployment - name: Hybrid Azure AD Joined Key Trust Deployment

62
windows/threat-protection/docfx.json
View File

@ -1,62 +0,0 @@
{
"build": {
"content": [
{
"files": [
"**/*.md",
"**/*.yml"
],
"exclude": [
"**/obj/**",
"**/includes/**",
"README.md",
"LICENSE",
"LICENSE-CODE",
"ThirdPartyNotices"
]
}
],
"resource": [
{
"files": [
"**/*.png",
"**/*.jpg",
"**/*.gif"
],
"exclude": [
"**/obj/**",
"**/includes/**"
]
}
],
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows",
"ms.topic": "article",
"audience": "ITPro",
"ms.date": "04/05/2017",
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.win-threat-protection",
"folder_relative_path_in_docset": "./"
}
},
"contributors_to_exclude": [
"rjagiewich",
"traya1",
"rmca14",
"claydetels19",
"jborsecnik",
"tiburd",
"garycentric"
]
},
"fileMetadata": {},
"template": [],
"dest": "win-threat-protection",
"markdownEngineName": "markdig"
}
}

56
windows/update/docfx.json
View File

@ -1,56 +0,0 @@
{
"build": {
"content": [
{
"files": [
"**/*.md",
"**/*.yml"
],
"exclude": [
"**/obj/**",
"**/includes/**",
"README.md",
"LICENSE",
"LICENSE-CODE",
"ThirdPartyNotices"
]
}
],
"resource": [
{
"files": [
"**/*.png",
"**/*.jpg"
],
"exclude": [
"**/obj/**",
"**/includes/**"
]
}
],
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.windows-update",
"folder_relative_path_in_docset": "./"
}
},
"contributors_to_exclude": [
"rjagiewich",
"traya1",
"rmca14",
"claydetels19",
"jborsecnik",
"tiburd",
"garycentric"
]
},
"fileMetadata": {},
"template": [],
"dest": "windows-update",
"markdownEngineName": "markdig"
}
}

2
windows/whats-new/windows-11-plan.md
View File

@ -114,4 +114,4 @@ You might already be using App Assure and Test Base in your Windows 10 environme
## Also see ## Also see
[Plan to deploy updates for Windows 10 and Microsoft 365 Apps](/learn/modules/windows-plan/) [Plan to deploy updates for Windows 10 and Microsoft 365 Apps](/training/modules/windows-plan/)

2
windows/whats-new/windows-11-prepare.md
View File

@ -125,7 +125,7 @@ Don't overlook the importance of user readiness to deliver an effective, enterpr
## Learn more ## Learn more
See the [Stay current with Windows 10 and Microsoft 365 Apps](/learn/paths/m365-stay-current/) learning path. See the [Stay current with Windows 10 and Microsoft 365 Apps](/training/paths/m365-stay-current/) learning path.
- The learning path was created for Windows 10, but the basic principles and tasks outlined for the plan, prepare, and deploy phases also apply to your deployment of Windows 11. - The learning path was created for Windows 10, but the basic principles and tasks outlined for the plan, prepare, and deploy phases also apply to your deployment of Windows 11.