diff --git a/README.md b/README.md index 98c771d56d..97874f3f91 100644 --- a/README.md +++ b/README.md @@ -6,7 +6,7 @@ Anyone who is interested can contribute to the topics. When you contribute, your ### Quickly update an article using GitHub.com -Contributors who only make infrequent or small updates can edit the file directly on GitHub.com without having to install any additional software. This article shows you how. [This two-minute video](https://www.microsoft.com/videoplayer/embed/RE1XQTG) also covers how to contribute. +Contributors who only make infrequent or small updates can edit the file directly on GitHub.com without having to install any additional software. This article shows you how. [This two-minute video](https://learn-video.azurefd.net/vod/player?id=b5167c5a-9c69-499b-99ac-e5467882bc92) also covers how to contribute. 1. Make sure you're signed in to GitHub.com with your GitHub account. 2. Browse to the page you want to edit on Microsoft Learn. diff --git a/education/index.yml b/education/index.yml index 1da8d77fdb..d70de3747c 100644 --- a/education/index.yml +++ b/education/index.yml @@ -8,7 +8,7 @@ metadata: title: Microsoft 365 Education Documentation description: Learn about product documentation and resources available for school IT administrators, teachers, students, and education app developers. ms.topic: hub-page - ms.date: 07/22/2024 + ms.date: 12/05/2024 productDirectory: title: For IT admins diff --git a/education/windows/configure-aad-google-trust.md b/education/windows/configure-aad-google-trust.md index 54bf350d77..4f9ce1a8ed 100644 --- a/education/windows/configure-aad-google-trust.md +++ b/education/windows/configure-aad-google-trust.md 
@@ -1,7 +1,7 @@ --- -title: Configure federation between Google Workspace and Microsoft Entra ID +title: Configure Federation Between Google Workspace And Microsoft Entra Id description: Configuration of a federated trust between Google Workspace and Microsoft Entra ID, with Google Workspace acting as an identity provider (IdP) for Microsoft Entra ID. -ms.date: 04/10/2024 +ms.date: 12/02/2024 ms.topic: how-to appliesto: --- @@ -43,10 +43,10 @@ To test federation, the following prerequisites must be met: 1. In the search results page, hover over the *Microsoft Office 365 - Web (SAML)* app and select **Select** :::image type="content" source="images/google/google-admin-search-app.png" alt-text="Screenshot showing Google Workspace and the search button for Microsoft Office 365 SAML app."::: 1. On the **Google Identity Provider details** page, select **Download Metadata** and take note of the location where the **IdP metadata** - *GoogleIDPMetadata.xml* - file is saved, as it's used to set up Microsoft Entra ID later -1. On the **Service provider detail's** page +1. On the **Service provider detail's** page: - Select the option **Signed response** - Verify that the Name ID format is set to **PERSISTENT** - - Depending on how the Microsoft Entra users have been provisioned in Microsoft Entra ID, you might need to adjust the **Name ID** mapping.\ + - Depending on how the Microsoft Entra users have been provisioned in Microsoft Entra ID, you might need to adjust the **Name ID** mapping\ If using Google autoprovisioning, select **Basic Information > Primary email** - Select **Continue** 1. On the **Attribute mapping** page, map the Google attributes to the Microsoft Entra attributes 
@@ -139,4 +139,4 @@ From a private browser session, navigate to https://portal.azure.com and sign in 1. The user is redirected to Google Workspace to sign in 1. After Google Workspace authentication, the user is redirected back to Microsoft Entra ID and signed in -:::image type="content" source="images/google/google-sso.gif" alt-text="A GIF that shows the user authenticating the Azure portal using a Google Workspace federated identity."::: + :::image type="content" source="images/google/google-sso.gif" alt-text="A GIF that shows the user authenticating the Azure portal using a Google Workspace federated identity."::: diff --git a/education/windows/edu-stickers.md b/education/windows/edu-stickers.md index 889b10b393..bdd5d2761c 100644 --- a/education/windows/edu-stickers.md +++ b/education/windows/edu-stickers.md @@ -1,7 +1,7 @@ --- -title: Configure Stickers for Windows 11 SE +title: Configure Stickers For Windows 11 SE description: Learn about the Stickers feature and how to configure it via Intune and provisioning package. -ms.date: 04/10/2024 +ms.date: 12/02/2024 ms.topic: how-to appliesto: - ✅ Windows 11 SE diff --git a/education/windows/edu-themes.md b/education/windows/edu-themes.md index b0d6efa639..727c1a26bd 100644 --- a/education/windows/edu-themes.md +++ b/education/windows/edu-themes.md @@ -1,7 +1,7 @@ --- -title: Configure education themes for Windows 11 +title: Configure Education Themes For Windows 11 description: Learn about education themes for Windows 11 and how to configure them via Intune and provisioning package. -ms.date: 04/10/2024 +ms.date: 12/02/2024 ms.topic: how-to appliesto: - ✅ Windows 11 diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md index d5a0cb61fa..8d3050097f 100644 --- a/education/windows/get-minecraft-for-education.md +++ b/education/windows/get-minecraft-for-education.md 
@@ -1,8 +1,8 @@ --- -title: Get and deploy Minecraft Education +title: Deploy Minecraft Education To Windows Devices description: Learn how to obtain and distribute Minecraft Education to Windows devices. ms.topic: how-to -ms.date: 04/10/2024 +ms.date: 12/5/2024 ms.collection: - education - tier2 @@ -48,7 +48,7 @@ To purchase direct licenses: 1. Select the quantity of licenses you'd like to purchase and select **Place Order** 1. After you've purchased licenses, you'll need to [assign Minecraft Education licenses to your users](#assign-minecraft-education-licenses) -If you need more licenses for Minecraft Education, see [Buy or remove subscription licenses](/microsoft-365/commerce/licenses/buy-licenses). + If you need more licenses for Minecraft Education, see [Buy or remove subscription licenses](/microsoft-365/commerce/licenses/buy-licenses) ### Volume licensing 
@@ -88,14 +88,14 @@ You must be a *Global*, *License*, or *User admin* to assign licenses. For more 1. Go to [https://admin.microsoft.com](https://admin.microsoft.com) and sign in with an account that can assign licenses in your organization 1. From the left-hand menu in Microsoft Admin Center, select *Users* 1. From the Users list, select the users you want to add or remove for Minecraft Education access -1. Add the relevant Minecraft Education, A1 for device or A3/A5 license if it not assigned already +1. Add the relevant Minecraft Education, A1 for device or A3/A5 license if it is not assigned already > [!Note] - > If you add a faculty license, the user will be assigned a *teacher* role in the application and will have elevated permissions. + > If you add a faculty license, the user will be assigned a *teacher* role in the application and will have elevated permissions 1. If you've assigned a Microsoft 365 A3 or A5 license, after selecting the product license, ensure to toggle *Minecraft Education* on > [!Note] > If you turn off this setting after students have been using Minecraft Education, they will have up to 30 more days to use Minecraft Education before they don't have access -:::image type="content" source="images/minecraft/admin-center-minecraft-license.png" alt-text="Screenshot of the Microsoft 365 admin center - assignment of a Minecraft Education license to a user." lightbox="images/minecraft/admin-center-minecraft-license.png"::: + :::image type="content" source="images/minecraft/admin-center-minecraft-license.png" alt-text="Screenshot of the Microsoft 365 admin center - assignment of a Minecraft Education license to a user." lightbox="images/minecraft/admin-center-minecraft-license.png"::: For more information about license assignment, see [Manage Licenses in the Admin Center][EDU-5]. 
@@ -118,31 +118,31 @@ If you're using Microsoft Intune to manage your devices, follow these steps to d 1. Select **Next** 1. On the *Review + Create* screen, select **Create** -Intune will install Minecraft Education at the next device check-in, or will make it available in Company Portal for on-demand installs. + Intune will install Minecraft Education at the next device check-in, or will make it available in Company Portal for on-demand installs. -:::image type="content" source="images/minecraft/win11-minecraft-education.png" alt-text="Screenshot of Minecraft Education executing on a Windows 11 device."::: + :::image type="content" source="images/minecraft/win11-minecraft-education.png" alt-text="Screenshot of Minecraft Education executing on a Windows 11 device."::: -For more information how to deploy Minecraft Education, see: + For more information how to deploy Minecraft Education, see: -- [Windows installation guide][EDU-6] -- [Chromebook installation guide][EDU-7] -- [iOS installation guide][EDU-8] -- [macOS installation guide][EDU-9] + - [Windows installation guide][EDU-6] + - [Chromebook installation guide][EDU-7] + - [iOS installation guide][EDU-8] + - [macOS installation guide][EDU-9] -If you're having trouble installing the app, you can get more help on the [Minecraft Education support page][AKA-1]. + If you're having trouble installing the app, you can get more help on the [Minecraft Education support page][AKA-1]. 
- -[EDU-1]: https://educommunity.minecraft.net/hc/articles/360047116432 -[EDU-2]: https://educommunity.minecraft.net/hc/articles/360061371532 -[EDU-3]: https://www.microsoft.com/education/products/office -[EDU-4]: https://educommunity.minecraft.net/hc/articles/360061369812 -[EDU-6]: https://educommunity.minecraft.net/hc/articles/13106858087956 -[EDU-5]: https://educommunity.minecraft.net/hc/articles/360047118672 -[EDU-7]: https://educommunity.minecraft.net/hc/articles/4404625978516 -[EDU-8]: https://educommunity.minecraft.net/hc/articles/360047556351 -[EDU-9]: https://educommunity.minecraft.net/hc/articles/360047118792 + + [EDU-1]: https://educommunity.minecraft.net/hc/articles/360047116432 + [EDU-2]: https://educommunity.minecraft.net/hc/articles/360061371532 + [EDU-3]: https://www.microsoft.com/education/products/office + [EDU-4]: https://educommunity.minecraft.net/hc/articles/360061369812 + [EDU-6]: https://educommunity.minecraft.net/hc/articles/13106858087956 + [EDU-5]: https://educommunity.minecraft.net/hc/articles/360047118672 + [EDU-7]: https://educommunity.minecraft.net/hc/articles/4404625978516 + [EDU-8]: https://educommunity.minecraft.net/hc/articles/360047556351 + [EDU-9]: https://educommunity.minecraft.net/hc/articles/360047118792 -[M365-1]: /microsoft-365/commerce/billing-and-payments/pay-for-your-subscription -[M365-2]: /microsoft-365/admin/add-users/about-admin-roles + [M365-1]: /microsoft-365/commerce/billing-and-payments/pay-for-your-subscription + [M365-2]: /microsoft-365/admin/add-users/about-admin-roles -[AKA-1]: https://aka.ms/minecraftedusupport + [AKA-1]: https://aka.ms/minecraftedusupport diff --git a/education/windows/suspcs/provisioning-package.md b/education/windows/suspcs/provisioning-package.md index 677b9b7b6f..bde1800fa4 100644 --- a/education/windows/suspcs/provisioning-package.md +++ b/education/windows/suspcs/provisioning-package.md 
@@ -1,7 +1,7 @@ --- -title: What's in Set up School PCs provisioning package +title: What's In Set up School PCs Provisioning Package description: Learn about the settings that are configured in the provisioning package created with the Set up School PCs app. -ms.date: 04/10/2024 +ms.date: 12/02/2024 ms.topic: reference appliesto: - ✅ Windows 11 diff --git a/education/windows/tutorial-deploy-apps-winse/considerations.md b/education/windows/tutorial-deploy-apps-winse/considerations.md index 7f2a9f9207..54cb82322a 100644 --- a/education/windows/tutorial-deploy-apps-winse/considerations.md +++ b/education/windows/tutorial-deploy-apps-winse/considerations.md @@ -1,7 +1,7 @@ --- -title: Important considerations before deploying apps with managed installer +title: Important Considerations Before Deploying Apps With Managed Installer For Windows 11 SE description: Learn about important aspects to consider before deploying apps with managed installer. -ms.date: 04/10/2024 +ms.date: 12/02/2024 ms.topic: tutorial appliesto: - ✅ Windows 11 SE, version 22H2 and later diff --git a/education/windows/tutorial-deploy-apps-winse/create-policies.md b/education/windows/tutorial-deploy-apps-winse/create-policies.md index 26e022bbbf..e7fdd29782 100644 --- a/education/windows/tutorial-deploy-apps-winse/create-policies.md +++ b/education/windows/tutorial-deploy-apps-winse/create-policies.md @@ -1,7 +1,7 @@ --- -title: Create policies to enable applications +title: Create Policies To Enable Applications In Windows 11 SE description: Learn how to create policies to enable the installation and execution of apps on Windows SE. -ms.date: 04/10/2024 +ms.date: 12/02/2024 ms.topic: tutorial appliesto: - ✅ Windows 11 SE, version 22H2 and later 
@@ -54,7 +54,7 @@ To create supplemental policies, download and install the [WDAC Policy Wizard][E The following video provides an overview and explains how to create supplemental policies for apps blocked by the Windows 11 SE base policy. -> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RWWReO] +> [!VIDEO https://learn-video.azurefd.net/vod/player?id=1eedb284-5592-43e7-9446-ce178953502d] ### Create a supplemental policy for Win32 apps diff --git a/education/windows/tutorial-deploy-apps-winse/deploy-apps.md b/education/windows/tutorial-deploy-apps-winse/deploy-apps.md index 62442e2058..4ab613f7f0 100644 --- a/education/windows/tutorial-deploy-apps-winse/deploy-apps.md +++ b/education/windows/tutorial-deploy-apps-winse/deploy-apps.md @@ -1,7 +1,7 @@ --- -title: Applications deployment considerations +title: Applications Deployment Considerations In Windows 11 SE description: Learn how to deploy different types of applications to Windows 11 SE and some considerations before deploying them. -ms.date: 04/10/2024 +ms.date: 12/02/2024 ms.topic: tutorial appliesto: - ✅ Windows 11 SE, version 22H2 and later diff --git a/education/windows/tutorial-deploy-apps-winse/deploy-policies.md b/education/windows/tutorial-deploy-apps-winse/deploy-policies.md index 63f6143853..990f4c894b 100644 --- a/education/windows/tutorial-deploy-apps-winse/deploy-policies.md +++ b/education/windows/tutorial-deploy-apps-winse/deploy-policies.md @@ -1,7 +1,7 @@ --- -title: Deploy policies to enable applications +title: Deploy Policies To Enable Applications In Windows 11 SE description: Learn how to deploy AppLocker policies to enable apps execution on Windows SE devices. -ms.date: 04/10/2024 +ms.date: 12/02/2024 ms.topic: tutorial appliesto: - ✅ Windows 11 SE, version 22H2 and later diff --git a/education/windows/tutorial-deploy-apps-winse/index.md b/education/windows/tutorial-deploy-apps-winse/index.md index 1c09685eed..c96283ec0c 100644 
--- a/education/windows/tutorial-deploy-apps-winse/index.md +++ b/education/windows/tutorial-deploy-apps-winse/index.md @@ -1,7 +1,7 @@ --- -title: Deploy applications to Windows 11 SE with Intune +title: Deploy Applications To Windows 11 SE With Intune description: Learn how to deploy applications to Windows 11 SE with Intune and how to validate the apps. -ms.date: 04/10/2024 +ms.date: 12/02/2024 ms.topic: tutorial appliesto: - ✅ Windows 11 SE, version 22H2 and later diff --git a/education/windows/tutorial-deploy-apps-winse/troubleshoot.md b/education/windows/tutorial-deploy-apps-winse/troubleshoot.md index 38a3ee9d4c..f23a6c4034 100644 --- a/education/windows/tutorial-deploy-apps-winse/troubleshoot.md +++ b/education/windows/tutorial-deploy-apps-winse/troubleshoot.md @@ -1,7 +1,7 @@ --- -title: Troubleshoot app deployment issues in Windows SE +title: Troubleshoot App Deployment Issues In Windows Se description: Troubleshoot common issues when deploying apps to Windows SE devices. -ms.date: 04/10/2024 +ms.date: 12/02/2024 ms.topic: tutorial appliesto: - ✅ Windows 11 SE, version 22H2 and later diff --git a/education/windows/tutorial-deploy-apps-winse/validate-apps.md b/education/windows/tutorial-deploy-apps-winse/validate-apps.md index 211638de72..4cfa11748b 100644 --- a/education/windows/tutorial-deploy-apps-winse/validate-apps.md +++ b/education/windows/tutorial-deploy-apps-winse/validate-apps.md @@ -1,7 +1,7 @@ --- -title: Validate the applications deployed to Windows SE devices +title: Validate The Applications Deployed To Windows Se Devices description: Learn how to validate the applications deployed to Windows SE devices via Intune. -ms.date: 04/10/2024 +ms.date: 12/02/2024 ms.topic: tutorial appliesto: - ✅ Windows 11 SE, version 22H2 and later diff --git a/includes/iot/supported-os-enterprise-plus.md b/includes/iot/supported-os-enterprise-plus.md new file mode 100644 index 0000000000..b6c086d649 --- /dev/null 
+++ b/includes/iot/supported-os-enterprise-plus.md @@ -0,0 +1,8 @@ +--- +author: TerryWarwick +ms.author: twarwick +ms-topic: include +ms.date: 09/30/2024 +--- + +**Supported Editions**
✅ IoT Enterprise LTSC
✅ IoT Enterprise
✅ Enterprise LTSC
✅ Enterprise
✅ Education diff --git a/windows/client-management/images/9598546-copilot-key-settings.png b/windows/client-management/images/9598546-copilot-key-settings.png new file mode 100644 index 0000000000..e4c6e3ed8d Binary files /dev/null and b/windows/client-management/images/9598546-copilot-key-settings.png differ diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md index d2904f504a..0a9bcbce94 100644 --- a/windows/client-management/manage-windows-copilot.md +++ b/windows/client-management/manage-windows-copilot.md @@ -1,9 +1,9 @@ --- -title: Updated Windows and Microsoft Copilot experience +title: Updated Windows and Microsoft 365 Copilot Chat experience description: Learn about changes to the Copilot in Windows experience for commercial environments and how to configure it for your organization. ms.topic: overview ms.subservice: windows-copilot -ms.date: 09/18/2024 +ms.date: 01/15/2025 ms.author: mstewart author: mestew ms.collection: 
@@ -13,62 +13,62 @@ appliesto: - ✅ Windows 11, version 22H2 or later --- -# Updated Windows and Microsoft Copilot experience +# Updated Windows and Microsoft 365 Copilot Chat experience ->**Looking for consumer information?** See [Welcome to Copilot in Windows](https://support.microsoft.com/topic/675708af-8c16-4675-afeb-85a5a476ccb0). **Looking for more information on Microsoft Copilot experiences?** See [Understanding the different Microsoft Copilot experiences](https://support.microsoft.com/topic/cfff4791-694a-4d90-9c9c-1eb3fb28e842). +>**Looking for consumer information?** See [Welcome to Copilot in Windows](https://support.microsoft.com/topic/675708af-8c16-4675-afeb-85a5a476ccb0). **Looking for more information on Microsoft 365 Copilot Chat experiences?** See [Understanding the different Microsoft 365 Copilot Chat experiences](https://support.microsoft.com/topic/cfff4791-694a-4d90-9c9c-1eb3fb28e842). ## Enhanced data protection with enterprise data protection -The Copilot experience on Windows is changing to enhance data security, privacy, compliance, and simplify the user experience, for users signed in with a Microsoft Entra work or school account. [Microsoft Copilot will offer enterprise data protection](https://techcommunity.microsoft.com/t5/copilot-for-microsoft-365/updates-to-microsoft-copilot-to-bring-enterprise-data-protection/ba-p/4217152) at no additional cost and redirect users to a new simplified interface designed for work and education. [Enterprise data protection (EDP)](/copilot/microsoft-365/enterprise-data-protection) refers to controls and commitments, under the Data Protection Addendum and Product Terms, that apply to customer data for users of Copilot for Microsoft 365 and Microsoft Copilot. This means that security, privacy, compliance controls and commitments available for Copilot for Microsoft 365 will extend to Microsoft Copilot prompts and responses. 
Prompts and responses are protected by the same terms and commitments that are widely trusted by our customers - not only for Copilot for Microsoft 365, but also for emails in Exchange and files in SharePoint. This is an improvement on top of the previous commercial data protection (CDP) promise. This update is rolling out now. For more information, see the [Microsoft Copilot updates and enterprise data protection FAQ](/copilot/edpfaq). +The Copilot experience on Windows is changing to enhance data security, privacy, compliance, and simplify the user experience, for users signed in with a Microsoft Entra work or school account. [Microsoft 365 Copilot Chat](https://techcommunity.microsoft.com/t5/copilot-for-microsoft-365/updates-to-microsoft-copilot-to-bring-enterprise-data-protection/ba-p/4217152) is available at no additional cost and it redirects users to a new simplified interface designed for work and education. [Enterprise data protection (EDP)](/copilot/microsoft-365/enterprise-data-protection) refers to controls and commitments, under the Data Protection Addendum and Product Terms, that apply to customer data for users of Microsoft 365 Copilot and Microsoft 365 Copilot Chat. This means that security, privacy, compliance controls and commitments available for Microsoft 365 Copilot will extend to Microsoft 365 Copilot Chat prompts and responses. Prompts and responses are protected by the same terms and commitments that are widely trusted by our customers. This is an improvement on top of the previous commercial data protection (CDP) promise. This update is rolling out now. For more information, see the [Microsoft 365 Copilot Chat updates and enterprise data protection FAQ](/copilot/edpfaq). > [!IMPORTANT] > To streamline the user experience, updates to the Copilot entry points in Windows are being made for users. **Copilot in Windows (preview) will be removed from Windows**. 
The experience will slightly vary depending on whether your organization has already opted into using Copilot in Windows (preview) or not. ## Copilot in Windows (preview) isn't enabled -If your organization hasn't enabled Copilot in Windows (preview), your existing preferences are respected. Neither the Microsoft Copilot app nor the Microsoft 365 app are pinned to the taskbar. To prepare for the eventual removal of the [Copilot in Windows policy](/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot), admins should [set Microsoft Copilot pinning options](/copilot/microsoft-365/pin-copilot) in the Microsoft 365 admin center. +If your organization hasn't enabled Copilot in Windows (preview), your existing preferences are respected. Neither Microsoft 365 Copilot Chat or the Microsoft 365 Copilot app (formerly the Microsoft 365 app) are pinned to the taskbar. To prepare for the eventual removal of the [Copilot in Windows policy](/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot), admins should [set pinning options](/copilot/microsoft-365/pin-copilot) in the Microsoft 365 admin center. > [!NOTE] > Although we won't be pinning any app to the taskbar by default, IT has the capability to use policies to enforce their preferred app pinning. ## Copilot in Windows (preview) is enabled -If you had previously activated Copilot in Windows (in preview) for your workforce, we want to thank you for your enthusiasm. To provide the best Copilot experience for your employees moving forward, and support greater efficiency and productivity, we won't automatically pin the Microsoft 365 app to the taskbar in Windows. Rather, we'll ensure that you have control over how you enable the Copilot experience within your organization. Our focus remains on empowering IT to seamlessly manage AI experiences and adopt those experiences at a pace that suits your organizational needs. 
+If you had previously activated Copilot in Windows (in preview) for your workforce, we want to thank you for your enthusiasm. To provide the best Copilot experience for your users moving forward, and support greater efficiency and productivity, we won't automatically pin the Microsoft 365 Copilot app to the taskbar in Windows. Rather, we ensure that you have control over how you enable the Copilot experience within your organization. Our focus remains on empowering IT to seamlessly manage AI experiences and adopt those experiences at a pace that suits your organizational needs. -If you have already activated Copilot in Windows (preview) - and want your users to have uninterrupted access to Copilot on the taskbar after the update - use the [configuration options](/windows/configuration/taskbar/?pivots=windows-11) to pin the Microsoft 365 app to the taskbar as Copilot in Windows (preview) icon will be removed from the taskbar. +If you have already activated Copilot in Windows (preview) - and want your users to have uninterrupted access to Copilot on the taskbar after the update - use the [configuration options](/windows/configuration/taskbar/?pivots=windows-11) to pin the Microsoft 365 Copilot app to the taskbar as Copilot in Windows (preview) icon will be removed from the taskbar. ## Users signing in to new PCs with Microsoft Entra accounts For users signing in to new PCs with work or school accounts, the following experience occurs: -- The Microsoft 365 app is pinned to the taskbar - this is the app comes preinstalled with Windows and includes convenient access to Office apps such as Word, PowerPoint, etc. -- Users that have the Microsoft 365 Copilot license will have Microsoft Copilot pinned by default inside the Microsoft 365 app. -- Within the Microsoft 365 app, the Microsoft Copilot icon is situated next to the home button. 
- - Microsoft Copilot (`web` grounding chat) isn't the same as Microsoft 365 Copilot (`web` and `work` scope), which is a separate add-on license. - - Microsoft Copilot is available at no additional cost to customers with a Microsoft Entra account. Microsoft Copilot is the entry point for Copilot at work. While the Copilot chat experience helps users ground their conversations in web data, Microsoft 365 Copilot allows users to incorporate both web and work data they have access to into their conversations by switching between work and web modes in Business Chat. - - For users with the Microsoft 365 Copilot license, they can toggle between the web grounding-based chat capabilities of Microsoft Copilot and the work scoped chat capabilities of Microsoft 365 Copilot. -- Customers that don't have a license for Microsoft 365 Copilot are asked if they want to pin Microsoft Copilot to ensure they have easy access to Copilot. To set the default behavior, admins should [set Microsoft Copilot pinning options](/copilot/microsoft-365/pin-copilot) in the Microsoft 365 admin center. -- If admins elect not to pin Copilot and indicate that users may be asked, users will be asked to pin it themselves in the Microsoft 365 app, Outlook, and Teams. -- If admins elect not to pin Microsoft Copilot and indicate that users may not be asked, Microsoft Copilot won't be available via the Microsoft 365 app, Outlook, or Teams. Users will have access to Microsoft Copilot from unless that URL is blocked by the IT admin. -- If the admins make no selection, users will be asked to pin Microsoft Copilot by themselves for easy access. +- The Microsoft 365 Copilot app is pinned to the taskbar - this is the app comes preinstalled with Windows and includes convenient access to Office apps such as Word, PowerPoint, etc. +- Users that have the Microsoft 365 Copilot license have Microsoft 365 Copilot Chat pinned by default inside the Microsoft 365 Copilot app. 
+- Within the Microsoft 365 Copilot app, the Microsoft 365 Copilot Chat icon is situated next to the home button. + - Microsoft 365 Copilot Chat (`web` grounding chat) isn't the same as Microsoft 365 Copilot (`web` and `work` scope), which is a separate add-on license. + - Microsoft 365 Copilot Chat is available at no additional cost to customers with a Microsoft Entra account. Microsoft 365 Copilot Chat is the entry point for Copilot at work. While the Copilot chat experience helps users ground their conversations in web data, Microsoft 365 Copilot allows users to incorporate both web and work data they have access to into their conversations by switching between work and web modes in Business Chat. + - For users with the Microsoft 365 Copilot license, they can toggle between the web grounding-based chat capabilities of Microsoft 365 Copilot Chat and the work scoped chat capabilities of Microsoft 365 Copilot. +- Customers that don't have a license for Microsoft 365 Copilot are asked if they want to pin Microsoft 365 Copilot Chat to ensure they have easy access to Copilot. To set the default behavior, admins should [set taskbar pinning options](/copilot/microsoft-365/pin-copilot) in the Microsoft 365 admin center. +- If admins elect not to pin Copilot and indicate that users can be asked, users will be asked to pin it themselves in the Microsoft 365 Copilot app, Outlook, and Teams. +- If admins elect not to pin Microsoft 365 Copilot Chat and indicate that users can't be asked, Microsoft 365 Copilot Chat won't be available via the Microsoft 365 Copilot app, Outlook, or Teams. Users have access to Microsoft 365 Copilot Chat from unless that URL is blocked by the IT admin. +- If the admins make no selection, users will be asked to pin Microsoft 365 Copilot Chat by themselves for easy access. ## When will this happen? -The update to Microsoft Copilot to offer enterprise data protection is rolling out now. 
- -The shift to the Microsoft 365 app as the entry point for Microsoft Copilot is coming soon. Changes will be rolled out to managed PCs starting with the optional nonsecurity preview release on September 24, 2024, and following with the monthly security update release on October 8 for all supported versions of Windows 11. These changes will be applied to Windows 10 PCs the month after. This update is replacing the current Copilot in Windows experience. - -> [!IMPORTANT] -> Want to get started? You can enable the Microsoft Copilot experience for your users now by using the [TurnOffWindowsCopilot](/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot) policy and pin the Microsoft 365 app using the existing policies for taskbar pinning. +The update to Microsoft 365 Copilot Chat to offer enterprise data protection is rolling out now. +The shift to Microsoft 365 Copilot Chat is coming soon. Changes will be rolled out to managed PCs starting with the September 2024 optional nonsecurity preview release, and following with the October 2024 monthly security update for all supported versions of Windows 11. These changes will be applied to Windows 10 PCs the month after. This update is replacing the current Copilot in Windows experience. + +The Microsoft 365 Copilot app will be automatically enabled after you install the Windows updates listed above if you haven't previously enabled a group policy to prevent the installation of Copilot. The [AppLocker policy](/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-overview) is available to control this Copilot experience before installing these Windows updates mentioned above or any subsequent Windows updates. + +Note that the Microsoft 365 Copilot app doesn't support Microsoft Entra authentication and users trying to sign in to the app using a Microsoft Entra account will be redirected to https://copilot.cloud.microsoft/ in their default browser. 
For users authenticating with a Microsoft Entra account, they should access Copilot through the Microsoft 365 Copilot app as the entry point. We recommend you pin Copilot to the navigation bar of the Microsoft 365 Copilot app to enable easy access. -## Policy information +## Policy information for previous Copilot in Windows (preview) experience -Admins should configure the [pinning options](/copilot/microsoft-365/pin-copilot) to enable access to Microsoft Copilot within the Microsoft 365 app in the Microsoft 365 admin center. +Admins should configure the [pinning options](/copilot/microsoft-365/pin-copilot) to enable access to Microsoft 365 Copilot Chat within the Microsoft 365 Copilot app in the Microsoft 365 admin center. -The following policy to manage Copilot in Windows (preview) will be removed in the future: +The following policy to manage Copilot in Windows (preview) will be removed in the future and is considered a legacy policy: |   | Setting | 
@@ -76,3 +76,83 @@ The following policy to manage Copilot in Windows (preview) will be removed in t | **CSP** | ./User/Vendor/MSFT/Policy/Config/WindowsAI/[TurnOffWindowsCopilot](mdm/policy-csp-windowsai.md#turnoffwindowscopilot) | | **Group policy** | User Configuration > Administrative Templates > Windows Components > Windows Copilot > **Turn off Windows Copilot** | +## Remove or prevent installation of the Copilot app + +You can remove or uninstall the Copilot app from your device by using one of the following methods: + +1. Enterprise users can uninstall the Copilot app by going to **Settings** > **Apps** >**Installed Apps**. Select the three dots appearing on the right side of the app and select **Uninstall** from the dropdown list. + +1. If you are an IT administrator, you can prevent installation of the app or remove the Copilot app using one of the following methods: + 1. Prevent installation of the Copilot app: + - Configure [AppLocker policy](/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-overview) before installing Windows update. AppLocker helps you control which apps and files users can run. Note: AppLocker policy should be used instead of the [Turn Off Windows Copilot](mdm/policy-csp-windowsai.md#turnoffwindowscopilot) legacy policy setting and its MDM equivalent, [TurnOffWindowsCopilot](mdm/policy-csp-windowsai.md#turnoffwindowscopilot). The policy is subject to near-term deprecation. + - The Applocker policy can be configured by following one of the methods listed in [Edit an AppLocker policy](/windows/security/application-security/application-control/app-control-for-business/applocker/edit-an-applocker-policy) and adding the below text to the policy: +
**Publisher**: CN=MICROSOFT CORPORATION, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US +
**Package name**: MICROSOFT.COPILOT +
**Package version**: * (and above) + + 1. Remove the Copilot app using PowerShell script: + 1. Open a Windows PowerShell window. You can do this by opening the Start menu, typing `PowerShell`, and selecting **Windows PowerShell** from the results. + 1. Once the PowerShell window is open, enter the following commands: + ```powershell + # Get the package full name of the Microsoft 365 Copilot app + $packageFullName = Get-AppxPackage -Name "Microsoft.Copilot" | Select-Object -ExpandProperty PackageFullName + # Remove the Microsoft 365 Copilot app + Remove-AppxPackage -Package $packageFullName + ``` + + +## Implications for the Copilot hardware key + +The Microsoft 365 Copilot app is now available only to consumer users authenticating with a Microsoft account and won't work for commercial users authenticating with a Microsoft Entra account. With this change, IT admins need to take steps to ensure users authenticating with a Microsoft Entra account can still access Copilot with the Copilot key. Users attempting to sign in to the Copilot app with their Microsoft Entra account will be redirected to the browser version of Microsoft 365 Copilot Chat for work (https://copilot.cloud.microsoft). + +For the optimal experience, enterprise customers should go to Windows client policies, such as Group Policy or Configuration Service Provider (CSP) policies to update the target of the key to the Microsoft 365 Copilot app so that users can access Copilot within the Microsoft 365 Copilot app. End users can also configure this from the **Settings** page. + +The Microsoft 365 Copilot app comes preinstalled on all Windows 11 PCs. If your organization uninstalled the Microsoft 365 Copilot app, we suggest you reinstall it from the Microsoft Store or your preferred application management solution so that the Copilot key can be remapped to the Microsoft 365 Copilot app. 
We also suggest you [Pin Microsoft 365 Copilot Chat](/copilot/microsoft-365/pin-copilot) to the navigation bar of the Microsoft 365 Copilot app. + +To avoid confusion for users as to which entry point for Microsoft 365 Copilot Chat to use, we recommend you uninstall the Copilot app. + +Use the table below to help determine the experience for your managed organization: + +| Configuration | Copilot experience | Copilot key invokes | +| ---| --- | --- | +| Copilot **not enabled** in environment | Neither Copilot in Windows (preview) nor the Microsoft 365 Copilot app are present. | Windows Search | +| Copilot **enabled** + **do not authenticate** with Microsoft Entra | Copilot in Windows (preview) is removed and replaced by the Microsoft 365 Copilot app, which is not pinned to the taskbar unless you elect to do so. | Microsoft 365 Copilot app | +| Copilot **enabled** + **authenticate** with Microsoft Entra + **new device** | Copilot in Windows (preview) is not present. Microsoft 365 Copilot Chat is accessed through the Microsoft 365 Copilot app (after post-setup update). | Microsoft 365 Copilot Chat within the Microsoft 365 Copilot app (after post-setup update). | +| Copilot **enabled** + **authenticate** with Microsoft Entra + **existing device** | Copilot in Windows (preview) is removed. Existing users with Copilot enabled on their devices will still see the Microsoft 365 Copilot app. | IT admins should use policy to remap the Copilot key to the Microsoft 365 Copilot app, or prompt users to choose. | + + +## Policies to manage the Copilot key + +Policies are available to configure the target app of the Copilot hardware key. For more information, see [WindowsAI Policy CSP](mdm/policy-csp-windowsai.md). 
+ +To configure the Copilot key, use the following policy: + +|   | Setting | +|---|---| +| **CSP** | ./User/Vendor/MSFT/Policy/Config/WindowsAI/[SetCopilotHardwareKey](mdm/policy-csp-windowsai.md#setcopilothardwarekey) | +| **Group policy** | User Configuration > Administrative Templates > Windows Components > Windows Copilot > **Set Copilot Hardware Key** | + + +## End user settings for the Copilot key + +If you choose to provide users in your organization with the choice to manage their own experience, a protocol to launch the **Settings** app remap the Copilot key is available. The following can be used by apps and scripts to bring the user to the setting so they can modify it to meet their needs: + +`ms-settings:personalization-textinput-copilot-hardwarekey` + +:::image type="content" border="true" source="./images/9598546-copilot-key-settings.png" alt-text="Screenshot of the text input page in Settings." lightbox="./images/9598546-copilot-key-settings.png"::: + + + +If a user signed in with their Microsoft Entra account doesn't already have the key mapped to the Microsoft 365 Copilot app, they can select the app by going to **Settings** > **Personalization** > **Text input**, then selecting from the dropdown menu in the setting called **Customize Copilot key on keyboard**. This dropdown has options for: **Search**, **Custom**, or a currently mapped app if one is selected. + +To map the key to the Microsoft 365 Copilot app, the user should select **Custom** and then choose the Microsoft 365 Copilot app from the app picker. If this app picker is empty or doesn't include the Microsoft 365 Copilot app, they should reinstall it from the Microsoft Store. + +Users can also choose to have the Copilot key launch an app that is MSIX packaged and signed, ensuring the app options the Copilot key can remap to meet security and privacy requirements. 
+ + +## Copilot installation with Windows updates and controls + +If you're an IT administrator and have enabled group policies to prevent the installation of Copilot, the Copilot app won't be installed on the configured devices. If you haven't enabled a group policy, you can remove the Copilot app by following one of the steps in the [Remove or prevent installation of the Copilot app](#remove-or-prevent-installation-of-the-copilot-app) section or configure the [AppLocker policy](/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-overview) before installing Windows updates. When the AppLocker policy for Copilot is enabled, it will: + +- Prevent the app from being installed if it isn't already on the device. +- Block the app from being launched if it's already installed. \ No newline at end of file diff --git a/windows/client-management/mdm/accounts-csp.md b/windows/client-management/mdm/accounts-csp.md index e32ee78e33..2774e66244 100644 --- a/windows/client-management/mdm/accounts-csp.md +++ b/windows/client-management/mdm/accounts-csp.md @@ -54,7 +54,7 @@ Available naming macros: Supported operation is Add. > [!Note] -> For desktop PCs on Windows 10, version 2004 or later, use the **Ext/Microsoft/DNSComputerName** node in [DevDetail CSP](devdetail-csp.md). +> For desktop PCs on supported versions of Windows 10 or later, use the **Ext/Microsoft/DNSComputerName** node in [DevDetail CSP](devdetail-csp.md). **Users** Interior node for the user account information. 
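Review bot: The PowerShell snippet under "Remove the Copilot app using PowerShell script" removes the package only for the current user and fails when the package is absent: `Get-AppxPackage -Name "Microsoft.Copilot"` without `-AllUsers` returns only the calling user's registration, so `$packageFullName` is empty on a device where the signed-in admin never had the app, and `Remove-AppxPackage -Package $packageFullName` then fails because it receives no package. Since the step is addressed to IT administrators, consider `Get-AppxPackage -Name "Microsoft.Copilot" -AllUsers | Remove-AppxPackage -AllUsers` and a note that this does not remove the provisioned package, so the app returns for new user profiles unless `Remove-AppxProvisionedPackage -Online` is also run; the same hunk later states the app "comes preinstalled on all Windows 11 PCs", which is exactly the provisioned case. Minor: "**Apps** >**Installed Apps**" is missing a space after ">", the AppLocker Publisher/Package name/Package version lines are loose bold text rather than a table or code block so the CN/O/L/S/C string will wrap unpredictably, and "a protocol to launch the **Settings** app remap the Copilot key" is missing "to" before "remap".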
@@ -62,12 +62,26 @@ Interior node for the user account information. **Users/_UserName_** This node specifies the username for a new local user account. This setting can be managed remotely. +> [!IMPORTANT] +> The username is limited to 20 characters. + **Users/_UserName_/Password** This node specifies the password for a new local user account. This setting can be managed remotely. Supported operation is Add. GET operation isn't supported. This setting will report as failed when deployed from Intune. +> [!IMPORTANT] +> This string needs to meet the current password policy requirements. +> +> Escape any special characters in the string. For example, +> +> | Character | Escape sequence | +> |:---|:---| +> | `<` | `<` | +> | `>` | `>` | +> | `&` | `&` | + **Users/_UserName_/LocalUserGroup** This optional node specifies the local user group that a local user account should be joined to. If the node isn't set, the new local user account is joined just to the Standard Users group. Set the value to 2 for Administrators group. This setting can be managed remotely. diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md index cc69b6bb5a..279c109882 100644 --- a/windows/client-management/mdm/assignedaccess-csp.md +++ b/windows/client-management/mdm/assignedaccess-csp.md @@ -1,7 +1,7 @@ --- title: AssignedAccess CSP description: Learn more about the AssignedAccess CSP. -ms.date: 04/10/2024 +ms.date: 11/26/2024 --- 
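Review bot: In the new IMPORTANT block under Users/_UserName_/Password the escape table is unusable as rendered: every row shows the same character in both columns (`<` | `<`, `>` | `>`, `&` | `&`), so the XML entity escapes the table is meant to give (`&lt;`, `&gt;`, `&amp;`) have been lost, presumably because the entities were rendered instead of being kept as literal text in the code spans. Write the escape column so the entity text survives rendering and say what the escaping is for (the SyncML/XML payload) so readers do not apply it to other delivery paths. It would also help to state, next to "This string needs to meet the current password policy requirements", what happens when it does not (is the Add rejected, or is the account created anyway?), given that the surrounding text already notes the setting "will report as failed when deployed from Intune".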
@@ -126,7 +126,7 @@ To learn how to configure xml file, see [Create an Assigned Access configuration This node can accept and return json string which comprises of account name, and AUMID for Kiosk mode app. -Example: `{"User":"domain\\user", "AUMID":"Microsoft. WindowsCalculator_8wekyb3d8bbwe!App"}`. +Example: `{"User":"domain\\user", "AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"}`. When configuring kiosk mode app, account name will be used to find the target user. Account name includes domain name and user name. Domain name can be optional if user name is unique across the system. For a local account, domain name should be machine name. When "Get" is executed on this node, domain name is always returned in the output. diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index 9841e9f442..ac0fd65b21 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -1,7 +1,7 @@ --- title: Defender CSP description: Learn more about the Defender CSP. -ms.date: 09/27/2024 +ms.date: 11/27/2024 --- 
@@ -3775,9 +3775,9 @@ Enable this policy to specify when devices receive Microsoft Defender security i | Value | Description | |:--|:--| -| 0 (Default) | Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. | -| 4 | Current Channel (Staged): Devices will be offered updates after the release cycle. Suggested to apply to a small, representative part of production population (~10%). | -| 5 | Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). | +| 0 (Default) | Not configured (Default). Microsoft will either assign the device to Current Channel (Broad) or a beta channel early in the gradual release cycle. The channel selected by Microsoft might be one that receives updates early during the gradual release cycle, which may not be suitable for devices in a production or critical environment. | +| 4 | Current Channel (Staged): Same as Current Channel (Broad). | +| 5 | Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in all populations, including production. | diff --git a/windows/client-management/mdm/defender-ddf.md b/windows/client-management/mdm/defender-ddf.md index 2055d5bdf0..1e199886e7 100644 --- a/windows/client-management/mdm/defender-ddf.md +++ b/windows/client-management/mdm/defender-ddf.md @@ -1,7 +1,7 @@ --- title: Defender DDF file description: View the XML file containing the device description framework (DDF) for the Defender configuration service provider. -ms.date: 09/27/2024 +ms.date: 11/27/2024 --- 
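Review bot: The rewritten allowed-values rows leave an admin without a clear action: value 0 (Default) now warns that Microsoft "might" assign a channel that "receives updates early", which "may not be suitable for devices in a production or critical environment", and value 4 is now just "Same as Current Channel (Broad)", yet nothing in the hunk says to set value 5 on production devices or explains why 4 still exists if it is identical to 5. Add a sentence above the table recommending value 5 for production and critical devices, and mark 4 as retained for compatibility (or deprecated) if that is the intent.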
@@ -1627,15 +1627,15 @@ The following XML file contains the device description framework (DDF) for the D 0 - Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. + Not configured (Default). Microsoft will either assign the device to Current Channel (Broad) or a beta channel early in the gradual release cycle. The channel selected by Microsoft might be one that receives updates early during the gradual release cycle, which may not be suitable for devices in a production or critical environment 4 - Current Channel (Staged): Devices will be offered updates after the release cycle. Suggested to apply to a small, representative part of production population (~10%). + Current Channel (Staged): Same as Current Channel (Broad). 5 - Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). + Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in all populations, including production. diff --git a/windows/client-management/mdm/devdetail-csp.md b/windows/client-management/mdm/devdetail-csp.md index ef825d0541..a348f66fcb 100644 --- a/windows/client-management/mdm/devdetail-csp.md +++ b/windows/client-management/mdm/devdetail-csp.md @@ -1,7 +1,7 @@ --- title: DevDetail CSP description: Learn more about the DevDetail CSP. -ms.date: 08/06/2024 +ms.date: 11/26/2024 --- 
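Review bot: The DDF description for value 0 ends without a period ("...production or critical environment") while the identical text added to defender-csp.md in this same PR ends with one; since the CSP page is generated from the DDF, the two strings should match exactly. The value 4 and value 5 strings are consistent between the two files.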
@@ -1259,7 +1259,7 @@ Returns the name of the Original Equipment Manufacturer (OEM) as a string, as de -Returns the Windows 10 OS software version in the format MajorVersion. MinorVersion. BuildNumber. QFEnumber. Currently the BuildNumber returns the build number on the desktop and mobile build number on the phone. In the future, the build numbers may converge. +Returns the Windows 10 OS software version in the format `MajorVersion.MinorVersion.BuildNumber.QFEnumber`. Currently the BuildNumber returns the build number on the desktop and mobile build number on the phone. In the future, the build numbers may converge. diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md index 10c971f332..79e8b34817 100644 --- a/windows/client-management/mdm/dmclient-csp.md +++ b/windows/client-management/mdm/dmclient-csp.md @@ -1,7 +1,7 @@ --- title: DMClient CSP description: Learn more about the DMClient CSP. -ms.date: 08/06/2024 +ms.date: 11/26/2024 --- 
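Review bot: Putting the format in a code span fixes the stray spaces, but the rest of the sentence is stale: "Currently the BuildNumber returns the build number on the desktop and mobile build number on the phone. In the future, the build numbers may converge" refers to a phone SKU this doc set no longer covers, and the casing "QFEnumber" is inconsistent with the other three components (for example `QFENumber`). If the sentence is being touched anyway, drop the phone remark or mark it historical.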
@@ -1654,7 +1654,7 @@ This node allows the MDM to set custom error text, detailing what the user needs -This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. E. G. ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName/Name;4"\xF000" ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName2/Name;2 Which will represent that App Package PackageFullName contains 4 apps, whereas PackageFullName2 contains 2 apps. +This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. For example, `./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName/Name;4"\xF000" ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName2/Name;2` Which will represent that App Package PackageFullName contains 4 apps, whereas PackageFullName2 contains 2 apps. 
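Review bot: Wrapping the example in a code span helps, but the example still mixes notations and breaks the sentence: inside the span the delimiter appears as `"\xF000"` with literal quote characters while the prose calls it `L"\xF000"`, so a reader may take the quotes to be part of the value, and "Which will represent that..." is a fragment with no period closing the code span. Suggest: "For example, `<URI1>;4` followed by the delimiter and then `<URI2>;2` indicates that PackageFullName contains 4 apps and PackageFullName2 contains 2 apps." The same applies to the three identical descriptions in the following three hunks (the EnterpriseDesktopAppManagement node and the two per-user variants).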
@@ -1694,7 +1694,7 @@ This node contains a list of LocURIs that refer to App Packages the ISV expects -This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. E. G. ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2 Which will represent that App Package ProductID1 contains 4 apps, whereas ProductID2 contains 2 apps. +This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. For example, `./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2` Which will represent that App Package ProductID1 contains 4 apps, whereas ProductID2 contains 2 apps. 
@@ -4311,7 +4311,7 @@ This node allows the MDM to set custom error text, detailing what the user needs -This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. E. G. ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName/Name;4"\xF000" ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName2/Name;2 Which will represent that App Package PackageFullName contains 4 apps, whereas PackageFullName2 contains 2 apps. This is per user. +This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. For example, `./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName/Name;4"\xF000" ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName2/Name;2` Which will represent that App Package PackageFullName contains 4 apps, whereas PackageFullName2 contains 2 apps. This is per user. 
@@ -4351,7 +4351,7 @@ This node contains a list of LocURIs that refer to App Packages the ISV expects -This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. E. G. ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2 Which will represent that App Package ProductID1 contains 4 apps, whereas ProductID2 contains 2 apps. This is per user. +This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. For example, `./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2` Which will represent that App Package ProductID1 contains 4 apps, whereas ProductID2 contains 2 apps. This is per user. diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md index 6357958bf3..fc8a278aae 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md @@ -1,7 +1,7 @@ --- title: EnterpriseModernAppManagement CSP description: Learn more about the EnterpriseModernAppManagement CSP. -ms.date: 09/11/2024 +ms.date: 11/26/2024 --- 
@@ -6951,7 +6951,7 @@ Interior node for all managed app setting values. -The SettingValue and data represent a key value pair to be configured for the app. The node represents the name of the key and the data represents the value. You can find this value in LocalSettings in the Managed. App. Settings container. +The SettingValue and data represent a key value pair to be configured for the app. The node represents the name of the key and the data represents the value. You can find this value in LocalSettings in the `Managed.App.Settings` container. @@ -8193,7 +8193,7 @@ This node is only supported in the user context. -The SettingValue and data represent a key value pair to be configured for the app. The node represents the name of the key and the data represents the value. You can find this value in LocalSettings in the Managed. App. Settings container. +The SettingValue and data represent a key value pair to be configured for the app. The node represents the name of the key and the data represents the value. You can find this value in LocalSettings in the `Managed.App.Settings` container. @@ -9495,7 +9495,7 @@ This node is only supported in the user context. -The SettingValue and data represent a key value pair to be configured for the app. The node represents the name of the key and the data represents the value. You can find this value in LocalSettings in the Managed. App. Settings container. +The SettingValue and data represent a key value pair to be configured for the app. The node represents the name of the key and the data represents the value. You can find this value in LocalSettings in the `Managed.App.Settings` container. diff --git a/windows/client-management/mdm/personaldataencryption-csp.md b/windows/client-management/mdm/personaldataencryption-csp.md index afef3cb25e..1efd2767f5 100644 --- a/windows/client-management/mdm/personaldataencryption-csp.md +++ b/windows/client-management/mdm/personaldataencryption-csp.md 
@@ -1,7 +1,7 @@ --- title: Personal Data Encryption CSP description: Learn more about the Personal Data Encryption CSP. -ms.date: 01/18/2024 +ms.date: 11/27/2024 --- @@ -19,7 +19,13 @@ The following list shows the Personal Data Encryption configuration service prov - ./User/Vendor/MSFT/PDE - [EnablePersonalDataEncryption](#enablepersonaldataencryption) + - [ProtectFolders](#protectfolders) + - [ProtectDesktop](#protectfoldersprotectdesktop) + - [ProtectDocuments](#protectfoldersprotectdocuments) + - [ProtectPictures](#protectfoldersprotectpictures) - [Status](#status) + - [FolderProtectionStatus](#statusfolderprotectionstatus) + - [FoldersProtected](#statusfoldersprotected) - [PersonalDataEncryptionStatus](#statuspersonaldataencryptionstatus) @@ -72,6 +78,191 @@ The [UserDataProtectionManager Class](/uwp/api/windows.security.dataprotection.u + +## ProtectFolders + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ❌ Device
✅ User | ❌ Pro
✅ Enterprise
✅ Education
❌ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later | + + + +```User +./User/Vendor/MSFT/PDE/ProtectFolders +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `node` | +| Access Type | Get | + + + + + + + + + +### ProtectFolders/ProtectDesktop + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ❌ Device
✅ User | ❌ Pro
✅ Enterprise
✅ Education
❌ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later | + + + +```User +./User/Vendor/MSFT/PDE/ProtectFolders/ProtectDesktop +``` + + + + +Allows the Admin to enable Personal Data Encryption on Desktop folder. Set to '1' to set this policy. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Delete, Get, Replace | +| Dependency [EnablePersonalDataEncryptionDependency] | Dependency Type: `DependsOn`
Dependency URI: `User/Vendor/MSFT/PDE/EnablePersonalDataEncryption`
Dependency Allowed Value: `1`
Dependency Allowed Value Type: `ENUM`
| + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Disable Personal Data Encryption on the folder. If the folder is currently protected by Personal Data Encryption, this will result in unprotecting the folder. | +| 1 | Enable Personal Data Encryption on the folder. | + + + + + + + + + +### ProtectFolders/ProtectDocuments + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ❌ Device
✅ User | ❌ Pro
✅ Enterprise
✅ Education
❌ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later | + + + +```User +./User/Vendor/MSFT/PDE/ProtectFolders/ProtectDocuments +``` + + + + +Allows the Admin to enable Personal Data Encryption on Documents folder. Set to '1' to set this policy. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Delete, Get, Replace | +| Dependency [EnablePersonalDataEncryptionDependency] | Dependency Type: `DependsOn`
Dependency URI: `User/Vendor/MSFT/PDE/EnablePersonalDataEncryption`
Dependency Allowed Value: `1`
Dependency Allowed Value Type: `ENUM`
| + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Disable Personal Data Encryption on the folder. If the folder is currently protected by Personal Data Encryption, this will result in unprotecting the folder. | +| 1 | Enable Personal Data Encryption on the folder. | + + + + + + + + + +### ProtectFolders/ProtectPictures + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ❌ Device
✅ User | ❌ Pro
✅ Enterprise
✅ Education
❌ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later | + + + +```User +./User/Vendor/MSFT/PDE/ProtectFolders/ProtectPictures +``` + + + + +Allows the Admin to enable Personal Data Encryption on Pictures folder. Set to '1' to set this policy. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Delete, Get, Replace | +| Dependency [EnablePersonalDataEncryptionDependency] | Dependency Type: `DependsOn`
Dependency URI: `User/Vendor/MSFT/PDE/EnablePersonalDataEncryption`
Dependency Allowed Value: `1`
Dependency Allowed Value Type: `ENUM`
| + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Disable Personal Data Encryption on the folder. If the folder is currently protected by Personal Data Encryption, this will result in unprotecting the folder. | +| 1 | Enable Personal Data Encryption on the folder. | + + + + + + + + ## Status @@ -114,6 +305,95 @@ Reports the current status of Personal Data Encryption for the user. + +### Status/FolderProtectionStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ❌ Device
✅ User | ❌ Pro
✅ Enterprise
✅ Education
❌ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later | + + + +```User +./User/Vendor/MSFT/PDE/Status/FolderProtectionStatus +``` + + + + +This node reports folder protection status for a user. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Get | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Protection not started. | +| 1 | Protection is completed with no failures. | +| 2 | Protection in progress. | +| 3 | Protection failed. | + + + + + + + + + +### Status/FoldersProtected + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ❌ Device
✅ User | ❌ Pro
✅ Enterprise
✅ Education
❌ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later | + + + +```User +./User/Vendor/MSFT/PDE/Status/FoldersProtected +``` + + + + +This node reports all folders (full path to each folder) that have been protected. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `chr` (string) | +| Access Type | Get | + + + + + + + + ### Status/PersonalDataEncryptionStatus diff --git a/windows/client-management/mdm/personaldataencryption-ddf-file.md b/windows/client-management/mdm/personaldataencryption-ddf-file.md index 165f97507c..e59ad7a14f 100644 --- a/windows/client-management/mdm/personaldataencryption-ddf-file.md +++ b/windows/client-management/mdm/personaldataencryption-ddf-file.md @@ -1,14 +1,14 @@ --- -title: PDE DDF file -description: View the XML file containing the device description framework (DDF) for the PDE configuration service provider. -ms.date: 06/28/2024 +title: Personal Data Encryption DDF file +description: View the XML file containing the device description framework (DDF) for the Personal Data Encryption configuration service provider. +ms.date: 11/26/2024 --- -# PDE DDF file +# Personal Data Encryption DDF file -The following XML file contains the device description framework (DDF) for the PDE configuration service provider. +The following XML file contains the device description framework (DDF) for the Personal Data Encryption configuration service provider. ```xml 
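Review bot: For the new ProtectFolders/ProtectDesktop, ProtectDocuments and ProtectPictures nodes, the Access Type row lists "Add, Delete, Get, Replace" but the description only says "Set to '1' to set this policy"; the hunk never states whether a Delete on the node unprotects the folder the way value 0 does ("If the folder is currently protected by Personal Data Encryption, this will result in unprotecting the folder") or leaves existing protection in place. That matters operationally, because unprotecting re-exposes the data at rest, so document the Delete behaviour and whether value 0 is reversible without data loss. Also "enable Personal Data Encryption on Desktop folder" should read "on the Desktop folder" (likewise Documents and Pictures), and since the scope is User-only it would help to say that the signed-in user's known folders are meant.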
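Review bot: Status/FoldersProtected is documented as a `chr` value that "reports all folders (full path to each folder) that have been protected", but the hunk does not say how multiple paths are delimited in the string, and Status/FolderProtectionStatus has no per-folder granularity, so an admin who reads value 3 ("Protection failed") cannot tell which folder failed. State the delimiter for FoldersProtected (other nodes in this CSP set use the `\xF000` character, as the DMClient hunks in this PR show) and say whether FolderProtectionStatus reports the worst state across folders or only the most recent operation.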
@@ -76,6 +76,171 @@ The following XML file contains the device description framework (DDF) for the P + + ProtectFolders + + + + + + + + + + + + + + + + + + 10.0.26100 + 1.0 + + + + ProtectDocuments + + + + + + + + Allows the Admin to enable PDE on Documents folder. Set to '1' to set this policy. + + + + + + + + + + + + + + + 0 + Disable PDE on the folder. If the folder is currently protected by PDE, this will result in unprotecting the folder. + + + 1 + Enable PDE on the folder. + + + + + + User/Vendor/MSFT/PDE/EnablePersonalDataEncryption + + + 1 + Requires EnablePersonalDataEncryption to be set to 1. + + + + + + + + + ProtectDesktop + + + + + + + + Allows the Admin to enable PDE on Desktop folder. Set to '1' to set this policy. + + + + + + + + + + + + + + + 0 + Disable PDE on the folder. If the folder is currently protected by PDE, this will result in unprotecting the folder. + + + 1 + Enable PDE on the folder. + + + + + + User/Vendor/MSFT/PDE/EnablePersonalDataEncryption + + + 1 + Requires EnablePersonalDataEncryption to be set to 1. + + + + + + + + + ProtectPictures + + + + + + + + Allows the Admin to enable PDE on Pictures folder. Set to '1' to set this policy. + + + + + + + + + + + + + + + 0 + Disable PDE on the folder. If the folder is currently protected by PDE, this will result in unprotecting the folder. + + + 1 + Enable PDE on the folder. + + + + + + User/Vendor/MSFT/PDE/EnablePersonalDataEncryption + + + 1 + Requires EnablePersonalDataEncryption to be set to 1. + + + + + + + + Status 
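Review bot: The new DDF description strings still use the abbreviation ("Allows the Admin to enable PDE on Documents folder", "Disable PDE on the folder") while this same PR renames the file title, intro and related-articles link from "PDE" to "Personal Data Encryption", and the generated CSP page already shows the expanded form; align the DDF strings so the two sources do not diverge on the next regeneration. The DependsOn entry ("Requires EnablePersonalDataEncryption to be set to 1.") is consistent with the CSP page.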
@@ -116,6 +281,74 @@ The following XML file contains the device description framework (DDF) for the P + + FolderProtectionStatus + + + + + This node reports folder protection status for a user. + + + + + + + + + + + + + + 10.0.26100 + 1.0 + + + + 0 + Protection not started. + + + 1 + Protection is completed with no failures. + + + 2 + Protection in progress. + + + 3 + Protection failed. + + + + + + FoldersProtected + + + + + This node reports all folders (full path to each folder) that have been protected. + + + + + + + + + + + + + + 10.0.26100 + 1.0 + + + @@ -123,4 +356,4 @@ The following XML file contains the device description framework (DDF) for the P ## Related articles -[PDE configuration service provider reference](personaldataencryption-csp.md) +[Personal Data Encryption configuration service provider reference](personaldataencryption-csp.md) diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md index ea1f4f9b24..057bf0381f 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md @@ -1,7 +1,7 @@ --- title: Policies supported by Windows 10 Team description: Learn about the policies supported by Windows 10 Team. -ms.date: 11/05/2024 +ms.date: 11/27/2024 --- @@ -382,8 +382,10 @@ This article lists the policies that are applicable for the Surface Hub operatin ## Start +- [AlwaysShowNotificationIcon](policy-csp-start.md#alwaysshownotificationicon) - [HideRecommendedPersonalizedSites](policy-csp-start.md#hiderecommendedpersonalizedsites) - [StartLayout](policy-csp-start.md#startlayout) +- [TurnOffAbbreviatedDateTimeFormat](policy-csp-start.md#turnoffabbreviateddatetimeformat) ## System 
diff --git a/windows/client-management/mdm/policies-in-preview.md b/windows/client-management/mdm/policies-in-preview.md index 34a182dd13..0e4249d643 100644 --- a/windows/client-management/mdm/policies-in-preview.md +++ b/windows/client-management/mdm/policies-in-preview.md @@ -1,7 +1,7 @@ --- title: Configuration service provider preview policies description: Learn more about configuration service provider (CSP) policies that are available for Windows Insider Preview. -ms.date: 11/22/2024 +ms.date: 11/27/2024 --- @@ -62,6 +62,7 @@ This article lists the policies that are applicable for Windows Insider Preview ## Display - [ConfigureMultipleDisplayMode](policy-csp-display.md#configuremultipledisplaymode) +- [SetClonePreferredResolutionSource](policy-csp-display.md#setclonepreferredresolutionsource) ## DMClient CSP @@ -106,6 +107,10 @@ This article lists the policies that are applicable for Windows Insider Preview - [ConfigureDeviceStandbyAction](policy-csp-mixedreality.md#configuredevicestandbyaction) - [ConfigureDeviceStandbyActionTimeout](policy-csp-mixedreality.md#configuredevicestandbyactiontimeout) +## NewsAndInterests + +- [DisableWidgetsOnLockScreen](policy-csp-newsandinterests.md#disablewidgetsonlockscreen) + ## PassportForWork CSP - [DisablePostLogonProvisioning](passportforwork-csp.md#devicetenantidpoliciesdisablepostlogonprovisioning) @@ -118,6 +123,11 @@ This article lists the policies that are applicable for Windows Insider Preview - [TS_SERVER_REMOTEAPP_USE_SHELLAPPRUNTIME](policy-csp-remotedesktopservices.md#ts_server_remoteapp_use_shellappruntime) +## Start + +- [AlwaysShowNotificationIcon](policy-csp-start.md#alwaysshownotificationicon) +- [TurnOffAbbreviatedDateTimeFormat](policy-csp-start.md#turnoffabbreviateddatetimeformat) + ## SurfaceHub CSP - [ExchangeModernAuthEnabled](surfacehub-csp.md#deviceaccountexchangemodernauthenabled) 
@@ -137,14 +147,13 @@ This article lists the policies that are applicable for Windows Insider Preview ## WindowsAI -- [DisableAIDataAnalysis](policy-csp-windowsai.md#disableaidataanalysis) -- [SetCopilotHardwareKey](policy-csp-windowsai.md#setcopilothardwarekey) - [SetDenyAppListForRecall](policy-csp-windowsai.md#setdenyapplistforrecall) - [SetDenyUriListForRecall](policy-csp-windowsai.md#setdenyurilistforrecall) - [SetMaximumStorageSpaceForRecallSnapshots](policy-csp-windowsai.md#setmaximumstoragespaceforrecallsnapshots) - [SetMaximumStorageDurationForRecallSnapshots](policy-csp-windowsai.md#setmaximumstoragedurationforrecallsnapshots) - [DisableImageCreator](policy-csp-windowsai.md#disableimagecreator) - [DisableCocreator](policy-csp-windowsai.md#disablecocreator) +- [DisableGenerativeFill](policy-csp-windowsai.md#disablegenerativefill) - [AllowRecallEnablement](policy-csp-windowsai.md#allowrecallenablement) ## WindowsLicensing CSP diff --git a/windows/client-management/mdm/policy-csp-admx-bits.md b/windows/client-management/mdm/policy-csp-admx-bits.md index 00b4cf5513..c31407acd6 100644 --- a/windows/client-management/mdm/policy-csp-admx-bits.md +++ b/windows/client-management/mdm/policy-csp-admx-bits.md @@ -1,7 +1,7 @@ --- title: ADMX_Bits Policy CSP description: Learn more about the ADMX_Bits Area in Policy CSP. -ms.date: 08/06/2024 +ms.date: 11/26/2024 --- 
@@ -348,7 +348,7 @@ This policy setting limits the network bandwidth that Background Intelligent Tra - If you enable this policy setting, you can define a separate set of network bandwidth limits and set up a schedule for the maintenance period. -You can specify a limit to use for background jobs during a maintenance schedule. For example, if normal priority jobs are currently limited to 256 Kbps on a work schedule, you can further limit the network bandwidth of normal priority jobs to 0 Kbps from 8:00 A. M. to 10:00 A. M. on a maintenance schedule. +You can specify a limit to use for background jobs during a maintenance schedule. For example, if normal priority jobs are currently limited to 256 Kbps on a work schedule, you can further limit the network bandwidth of normal priority jobs to 0 Kbps from 8:00 A.M. to 10:00 A.M. on a maintenance schedule. - If you disable or don't configure this policy setting, the limits defined for work or nonwork schedules will be used. 
@@ -412,7 +412,7 @@ This policy setting limits the network bandwidth that Background Intelligent Tra - If you enable this policy setting, you can set up a schedule for limiting network bandwidth during both work and nonwork hours. After the work schedule is defined, you can set the bandwidth usage limits for each of the three BITS background priority levels: high, normal, and low. -You can specify a limit to use for background jobs during a work schedule. For example, you can limit the network bandwidth of low priority jobs to 128 Kbps from 8:00 A. M. to 5:00 P. M. on Monday through Friday, and then set the limit to 512 Kbps for nonwork hours. +You can specify a limit to use for background jobs during a work schedule. For example, you can limit the network bandwidth of low priority jobs to 128 Kbps from 8:00 A.M. to 5:00 P.M. on Monday through Friday, and then set the limit to 512 Kbps for nonwork hours. - If you disable or don't configure this policy setting, BITS uses all available unused bandwidth for background job transfers. diff --git a/windows/client-management/mdm/policy-csp-admx-controlpanel.md b/windows/client-management/mdm/policy-csp-admx-controlpanel.md index b819fe73bf..db99a6aa70 100644 --- a/windows/client-management/mdm/policy-csp-admx-controlpanel.md +++ b/windows/client-management/mdm/policy-csp-admx-controlpanel.md @@ -1,7 +1,7 @@ --- title: ADMX_ControlPanel Policy CSP description: Learn more about the ADMX_ControlPanel Area in Policy CSP. -ms.date: 08/06/2024 +ms.date: 11/26/2024 --- 
@@ -36,7 +36,7 @@ This setting allows you to display or hide specified Control Panel items, such a If you enable this setting, you can select specific items not to display on the Control Panel window and the Start screen. -To hide a Control Panel item, enable this policy setting and click Show to access the list of disallowed Control Panel items. In the Show Contents dialog box in the Value column, enter the Control Panel item's canonical name. For example, enter Microsoft. Mouse, Microsoft. System, or Microsoft. Personalization. +To hide a Control Panel item, enable this policy setting and click Show to access the list of disallowed Control Panel items. In the Show Contents dialog box in the Value column, enter the Control Panel item's canonical name. For example, enter `Microsoft.Mouse`, `Microsoft.System`, or `Microsoft.Personalization`. > [!NOTE] > For Windows Vista, Windows Server 2008, and earlier versions of Windows, the module name should be entered, for example timedate.cpl or inetcpl.cpl. If a Control Panel item doesn't have a CPL file, or the CPL file contains multiple applets, then its module name and string resource identification number should be entered, for example @systemcpl.dll,-1 for System, or @themecpl.dll,-1 for Personalization. A complete list of canonical and module names can be found in MSDN by searching "Control Panel items". 
@@ -243,7 +243,7 @@ If users try to select a Control Panel item from the Properties item on a contex This policy setting controls which Control Panel items such as Mouse, System, or Personalization, are displayed on the Control Panel window and the Start screen. The only items displayed in Control Panel are those you specify in this setting. This setting affects the Start screen and Control Panel, as well as other ways to access Control Panel items such as shortcuts in Help and Support or command lines that use control.exe. This policy has no effect on items displayed in PC settings. -To display a Control Panel item, enable this policy setting and click Show to access the list of allowed Control Panel items. In the Show Contents dialog box in the Value column, enter the Control Panel item's canonical name. For example, enter Microsoft. Mouse, Microsoft. System, or Microsoft. Personalization. +To display a Control Panel item, enable this policy setting and click Show to access the list of allowed Control Panel items. In the Show Contents dialog box in the Value column, enter the Control Panel item's canonical name. For example, enter `Microsoft.Mouse`, `Microsoft.System`, or `Microsoft.Personalization`. > [!NOTE] > For Windows Vista, Windows Server 2008, and earlier versions of Windows, the module name, for example timedate.cpl or inetcpl.cpl, should be entered. If a Control Panel item doesn't have a CPL file, or the CPL file contains multiple applets, then its module name and string resource identification number should be entered. For example, enter @systemcpl.dll,-1 for System or @themecpl.dll,-1 for Personalization. A complete list of canonical and module names of Control Panel items can be found in MSDN by searching "Control Panel items". diff --git a/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md b/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md index fa0478440b..3afb3d8385 100644 
--- a/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md +++ b/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md @@ -1,7 +1,7 @@ --- title: ADMX_ControlPanelDisplay Policy CSP description: Learn more about the ADMX_ControlPanelDisplay Area in Policy CSP. -ms.date: 09/27/2024 +ms.date: 11/26/2024 --- @@ -519,7 +519,7 @@ Prevents users from changing the background image shown when the machine is lock By default, users can change the background image shown when the machine is locked or displaying the logon screen. -If you enable this setting, the user won't be able to change their lock screen and logon image, and they will instead see the default image. +If you enable this setting, the user won't be able to change their lock screen and logon image, and they'll instead see the default image. diff --git a/windows/client-management/mdm/policy-csp-admx-diskdiagnostic.md b/windows/client-management/mdm/policy-csp-admx-diskdiagnostic.md index fd3f6d2bcd..a1d1ae6ea2 100644 --- a/windows/client-management/mdm/policy-csp-admx-diskdiagnostic.md +++ b/windows/client-management/mdm/policy-csp-admx-diskdiagnostic.md @@ -1,7 +1,7 @@ --- title: ADMX_DiskDiagnostic Policy CSP description: Learn more about the ADMX_DiskDiagnostic Area in Policy CSP. -ms.date: 08/06/2024 +ms.date: 11/26/2024 --- @@ -32,7 +32,7 @@ ms.date: 08/06/2024 -This policy setting substitutes custom alert text in the disk diagnostic message shown to users when a disk reports a S. M. A. R. T. fault. +This policy setting substitutes custom alert text in the disk diagnostic message shown to users when a disk reports a S.M.A.R.T. fault. - If you enable this policy setting, Windows displays custom alert text in the disk diagnostic message. The custom text may not exceed 512 characters. 
@@ -97,15 +97,15 @@ This policy setting only takes effect if the Disk Diagnostic scenario policy set -This policy setting determines the execution level for S. M. A. R. T.-based disk diagnostics. +This policy setting determines the execution level for S.M.A.R.T.-based disk diagnostics. -Self-Monitoring And Reporting Technology (S. M. A. R. T). is a standard mechanism for storage devices to report faults to Windows. A disk that reports a S. M. A. R. T. fault may need to be repaired or replaced. The Diagnostic Policy Service (DPS) detects and logs S. M. A. R. T. faults to the event log when they occur. +Self-Monitoring And Reporting Technology (S.M.A.R.T). is a standard mechanism for storage devices to report faults to Windows. A disk that reports a S.M.A.R.T. fault may need to be repaired or replaced. The Diagnostic Policy Service (DPS) detects and logs S.M.A.R.T. faults to the event log when they occur. -- If you enable this policy setting, the DPS also warns users of S. M. A. R. T. faults and guides them through backup and recovery to minimize potential data loss. +- If you enable this policy setting, the DPS also warns users of S.M.A.R.T. faults and guides them through backup and recovery to minimize potential data loss. -- If you disable this policy, S. M. A. R. T. faults are still detected and logged, but no corrective action is taken. +- If you disable this policy, S.M.A.R.T. faults are still detected and logged, but no corrective action is taken. -- If you don't configure this policy setting, the DPS enables S. M. A. R. T. fault resolution by default. +- If you don't configure this policy setting, the DPS enables S.M.A.R.T. fault resolution by default. This policy setting takes effect only if the diagnostics-wide scenario execution policy isn't configured. diff --git a/windows/client-management/mdm/policy-csp-admx-dnsclient.md b/windows/client-management/mdm/policy-csp-admx-dnsclient.md index dc1ec2aa56..38077183bb 100644 
--- a/windows/client-management/mdm/policy-csp-admx-dnsclient.md +++ b/windows/client-management/mdm/policy-csp-admx-dnsclient.md @@ -1,7 +1,7 @@ --- title: ADMX_DnsClient Policy CSP description: Learn more about the ADMX_DnsClient Area in Policy CSP. -ms.date: 09/27/2024 +ms.date: 11/26/2024 --- 
@@ -602,11 +602,11 @@ You can use this policy setting to prevent users, including local administrators Specifies if the DNS client performing dynamic DNS registration will register A and PTR resource records with a concatenation of its computer name and a connection-specific DNS suffix, in addition to registering these records with a concatenation of its computer name and the primary DNS suffix. -By default, a DNS client performing dynamic DNS registration registers A and PTR resource records with a concatenation of its computer name and the primary DNS suffix. For example, a computer name of mycomputer and a primary DNS suffix of microsoft.com will be registered as: mycomputer.microsoft.com. +By default, a DNS client performing dynamic DNS registration registers A and PTR resource records with a concatenation of its computer name and the primary DNS suffix. For example, a computer name of mycomputer and a primary DNS suffix of microsoft.com will be registered as: `mycomputer.microsoft.com`. - If you enable this policy setting, the DNS client will register A and PTR resource records with its connection-specific DNS suffix, in addition to the primary DNS suffix. This applies to all network connections used by the DNS client. -For example, with a computer name of mycomputer, a primary DNS suffix of microsoft.com, and a connection specific DNS suffix of VPNconnection, the DNS client will register A and PTR resource records for mycomputer. VPNconnection and mycomputer.microsoft.com when this policy setting is enabled. +For example, with a computer name of mycomputer, a primary DNS suffix of microsoft.com, and a connection specific DNS suffix of VPNconnection, the DNS client will register A and PTR resource records for `mycomputer.VPNconnection` and `mycomputer.microsoft.com` when this policy setting is enabled. > [!IMPORTANT] > This policy setting is ignored by the DNS client if dynamic DNS registration is disabled. 
diff --git a/windows/client-management/mdm/policy-csp-admx-explorer.md b/windows/client-management/mdm/policy-csp-admx-explorer.md index e9a61f1c6b..ab3f86952a 100644 --- a/windows/client-management/mdm/policy-csp-admx-explorer.md +++ b/windows/client-management/mdm/policy-csp-admx-explorer.md @@ -1,7 +1,7 @@ --- title: ADMX_Explorer Policy CSP description: Learn more about the ADMX_Explorer Area in Policy CSP. -ms.date: 08/06/2024 +ms.date: 11/26/2024 --- @@ -120,7 +120,7 @@ This policy setting configures File Explorer to always display the menu bar. | Name | Value | |:--|:--| | Name | AlwaysShowClassicMenu | -| Friendly Name | Display the menu bar in File Explorer | +| Friendly Name | Display the menu bar in File Explorer | | Location | User Configuration | | Path | WindowsComponents > File Explorer | | Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | diff --git a/windows/client-management/mdm/policy-csp-admx-filerevocation.md b/windows/client-management/mdm/policy-csp-admx-filerevocation.md index f62f39edaf..d75b0ff1aa 100644 --- a/windows/client-management/mdm/policy-csp-admx-filerevocation.md +++ b/windows/client-management/mdm/policy-csp-admx-filerevocation.md @@ -1,7 +1,7 @@ --- title: ADMX_FileRevocation Policy CSP description: Learn more about the ADMX_FileRevocation Area in Policy CSP. -ms.date: 08/06/2024 +ms.date: 11/26/2024 --- @@ -36,7 +36,7 @@ Windows Runtime applications can protect content which has been associated with Example value: -Contoso.com,ContosoIT. HumanResourcesApp_m5g0r7arhahqy. +`Contoso.com,ContosoIT.HumanResourcesApp_m5g0r7arhahqy` - If you enable this policy setting, the application identified by the Package Family Name will be permitted to revoke access to all content protected using the specified EID on the device. diff --git a/windows/client-management/mdm/policy-csp-admx-filesys.md b/windows/client-management/mdm/policy-csp-admx-filesys.md index 1b08f87864..7e30bbd527 100644 
--- a/windows/client-management/mdm/policy-csp-admx-filesys.md +++ b/windows/client-management/mdm/policy-csp-admx-filesys.md @@ -1,7 +1,7 @@ --- title: ADMX_FileSys Policy CSP description: Learn more about the ADMX_FileSys Area in Policy CSP. -ms.date: 09/27/2024 +ms.date: 11/26/2024 --- @@ -317,7 +317,7 @@ Enabling Win32 long paths will allow manifested win32 applications and packaged These settings provide control over whether or not short names are generated during file creation. Some applications require short names for compatibility, but short names have a negative performance impact on the system. -If you enable short names on all volumes then short names will always be generated. If you disable them on all volumes then they will never be generated. If you set short name creation to be configurable on a per volume basis then an on-disk flag will determine whether or not short names are created on a given volume. If you disable short name creation on all data volumes then short names will only be generated for files created on the system volume. +If you enable short names on all volumes then short names will always be generated. If you disable them on all volumes then they'll never be generated. If you set short name creation to be configurable on a per volume basis then an on-disk flag will determine whether or not short names are created on a given volume. If you disable short name creation on all data volumes then short names will only be generated for files created on the system volume. diff --git a/windows/client-management/mdm/policy-csp-admx-globalization.md b/windows/client-management/mdm/policy-csp-admx-globalization.md index 6dc909c654..80d999ad7a 100644 --- a/windows/client-management/mdm/policy-csp-admx-globalization.md +++ b/windows/client-management/mdm/policy-csp-admx-globalization.md 
@@ -1,7 +1,7 @@ --- title: ADMX_Globalization Policy CSP description: Learn more about the ADMX_Globalization Area in Policy CSP. -ms.date: 08/06/2024 +ms.date: 11/26/2024 --- @@ -638,7 +638,7 @@ This policy setting is related to the "Turn off handwriting personalization" pol -This policy setting restricts the permitted system locales to the specified list. If the list is empty, it locks the system locale to its current value. This policy setting doesn't change the existing system locale; however, the next time that an administrator attempts to change the computer's system locale, they will be restricted to the specified list. +This policy setting restricts the permitted system locales to the specified list. If the list is empty, it locks the system locale to its current value. This policy setting doesn't change the existing system locale; however, the next time that an administrator attempts to change the computer's system locale, they'll be restricted to the specified list. The locale list is specified using language names, separated by a semicolon (;). For example, en-US is English (United States). Specifying "en-US;en-CA" would restrict the system locale to English (United States) and English (Canada). 
@@ -1097,7 +1097,7 @@ This policy setting prevents the user from customizing their locale by changing Any existing overrides in place when this policy is enabled will be frozen. To remove existing user overrides, first reset the user(s) values to the defaults and then apply this policy. -When this policy setting is enabled, users can still choose alternate locales installed on the system unless prevented by other policies, however, they will be unable to customize those choices. The user can't customize their user locale with user overrides. +When this policy setting is enabled, users can still choose alternate locales installed on the system unless prevented by other policies, however, they'll be unable to customize those choices. The user can't customize their user locale with user overrides. - If this policy setting is disabled or not configured, then the user can customize their user locale overrides. @@ -1166,7 +1166,7 @@ This policy setting prevents the user from customizing their locale by changing Any existing overrides in place when this policy is enabled will be frozen. To remove existing user overrides, first reset the user(s) values to the defaults and then apply this policy. -When this policy setting is enabled, users can still choose alternate locales installed on the system unless prevented by other policies, however, they will be unable to customize those choices. The user can't customize their user locale with user overrides. +When this policy setting is enabled, users can still choose alternate locales installed on the system unless prevented by other policies, however, they'll be unable to customize those choices. The user can't customize their user locale with user overrides. - If this policy setting is disabled or not configured, then the user can customize their user locale overrides. 
diff --git a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md index 2664598272..4eee3e095e 100644 --- a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md +++ b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md @@ -1,7 +1,7 @@ --- title: ADMX_MicrosoftDefenderAntivirus Policy CSP description: Learn more about the ADMX_MicrosoftDefenderAntivirus Area in Policy CSP. -ms.date: 09/27/2024 +ms.date: 11/26/2024 --- @@ -2938,7 +2938,7 @@ This policy setting allows you to manage whether or not end users can pause a sc -This policy setting allows you to configure the maximum directory depth level into which archive files such as . ZIP or . CAB are unpacked during scanning. The default directory depth level is 0. +This policy setting allows you to configure the maximum directory depth level into which archive files such as .ZIP or .CAB are unpacked during scanning. The default directory depth level is 0. - If you enable this setting, archive files will be scanned to the directory depth level specified. @@ -2997,7 +2997,7 @@ This policy setting allows you to configure the maximum directory depth level in -This policy setting allows you to configure the maximum size of archive files such as . ZIP or . CAB that will be scanned. The value represents file size in kilobytes (KB). The default value is 0 and represents no limit to archive size for scanning. +This policy setting allows you to configure the maximum size of archive files such as .ZIP or .CAB that will be scanned. The value represents file size in kilobytes (KB). The default value is 0 and represents no limit to archive size for scanning. - If you enable this setting, archive files less than or equal to the size specified will be scanned. 
@@ -3056,7 +3056,7 @@ This policy setting allows you to configure the maximum size of archive files su -This policy setting allows you to configure scans for malicious software and unwanted software in archive files such as . ZIP or . CAB files. +This policy setting allows you to configure scans for malicious software and unwanted software in archive files such as .ZIP or .CAB files. - If you enable or don't configure this setting, archive files will be scanned. diff --git a/windows/client-management/mdm/policy-csp-admx-offlinefiles.md b/windows/client-management/mdm/policy-csp-admx-offlinefiles.md index f7467145fb..1c2b4f1df2 100644 --- a/windows/client-management/mdm/policy-csp-admx-offlinefiles.md +++ b/windows/client-management/mdm/policy-csp-admx-offlinefiles.md @@ -1,7 +1,7 @@ --- title: ADMX_OfflineFiles Policy CSP description: Learn more about the ADMX_OfflineFiles Area in Policy CSP. -ms.date: 08/06/2024 +ms.date: 11/26/2024 --- 
@@ -352,7 +352,7 @@ This setting replaces the Default Cache Size setting used by pre-Windows Vista s Determines how computers respond when they're disconnected from particular offline file servers. This setting overrides the default response, a user-specified response, and the response specified in the "Action on server disconnect" setting. -To use this setting, click Show. In the Show Contents dialog box in the Value Name column box, type the server's computer name. Then, in the Value column box, type "0" if users can work offline when they're disconnected from this server, or type "1" if they cannot. +To use this setting, click Show. In the Show Contents dialog box in the Value Name column box, type the server's computer name. Then, in the Value column box, type "0" if users can work offline when they're disconnected from this server, or type "1" if they can't. This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured for a particular server, the setting in Computer Configuration takes precedence over the setting in User Configuration. Both Computer and User configuration take precedence over a user's setting. This setting doesn't prevent users from setting custom actions through the Offline Files tab. However, users are unable to change any custom actions established via this setting. 
@@ -413,7 +413,7 @@ This setting appears in the Computer Configuration and User Configuration folder Determines how computers respond when they're disconnected from particular offline file servers. This setting overrides the default response, a user-specified response, and the response specified in the "Action on server disconnect" setting. -To use this setting, click Show. In the Show Contents dialog box in the Value Name column box, type the server's computer name. Then, in the Value column box, type "0" if users can work offline when they're disconnected from this server, or type "1" if they cannot. +To use this setting, click Show. In the Show Contents dialog box in the Value Name column box, type the server's computer name. Then, in the Value column box, type "0" if users can work offline when they're disconnected from this server, or type "1" if they can't. This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured for a particular server, the setting in Computer Configuration takes precedence over the setting in User Configuration. Both Computer and User configuration take precedence over a user's setting. This setting doesn't prevent users from setting custom actions through the Offline Files tab. However, users are unable to change any custom actions established via this setting. diff --git a/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md b/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md index 01ba02840f..32edc6861a 100644 --- a/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md +++ b/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md @@ -1,7 +1,7 @@ --- title: ADMX_UserExperienceVirtualization Policy CSP description: Learn more about the ADMX_UserExperienceVirtualization Area in Policy CSP. -ms.date: 08/06/2024 +ms.date: 11/26/2024 --- 
@@ -7541,7 +7541,7 @@ This policy setting configures where custom settings location templates are stor - If you enable this policy setting, the UE-V Agent checks the specified location once each day and updates its synchronization behavior based on the templates in this location. Settings location templates added or updated since the last check are registered by the UE-V Agent. The UE-V Agent deregisters templates that were removed from this location. -If you specify a UNC path and leave the option to replace the default Microsoft templates unchecked, the UE-V Agent will use the default Microsoft templates installed by the UE-V Agent and custom templates in the settings template catalog. If there are custom templates in the settings template catalog which use the same ID as the default Microsoft templates, they will be ignored. +If you specify a UNC path and leave the option to replace the default Microsoft templates unchecked, the UE-V Agent will use the default Microsoft templates installed by the UE-V Agent and custom templates in the settings template catalog. If there are custom templates in the settings template catalog which use the same ID as the default Microsoft templates, they'll be ignored. If you specify a UNC path and check the option to replace the default Microsoft templates, all of the default Microsoft templates installed by the UE-V Agent will be deleted from the computer and only the templates located in the settings template catalog will be used. diff --git a/windows/client-management/mdm/policy-csp-admx-userprofiles.md b/windows/client-management/mdm/policy-csp-admx-userprofiles.md index f6d72112f3..2283c9803a 100644 --- a/windows/client-management/mdm/policy-csp-admx-userprofiles.md +++ b/windows/client-management/mdm/policy-csp-admx-userprofiles.md @@ -1,7 +1,7 @@ --- title: ADMX_UserProfiles Policy CSP description: Learn more about the ADMX_UserProfiles Area in Policy CSP. -ms.date: 08/06/2024 +ms.date: 11/26/2024 --- 
@@ -157,7 +157,7 @@ This policy setting controls whether Windows forcefully unloads the user's regis This policy setting determines whether the system retains a roaming user's Windows Installer and Group Policy based software installation data on their profile deletion. -By default Windows deletes all information related to a roaming user (which includes the user's settings, data, Windows Installer related data, and the like) when their profile is deleted. As a result, the next time a roaming user whose profile was previously deleted on that client logs on, they will need to reinstall all apps published via policy at logon increasing logon time. You can use this policy setting to change this behavior. +By default Windows deletes all information related to a roaming user (which includes the user's settings, data, Windows Installer related data, and the like) when their profile is deleted. As a result, the next time a roaming user whose profile was previously deleted on that client logs on, they'll need to reinstall all apps published via policy at logon increasing logon time. You can use this policy setting to change this behavior. - If you enable this policy setting, Windows won't delete Windows Installer or Group Policy software installation data for roaming users when profiles are deleted from the machine. This will improve the performance of Group Policy based Software Installation during user logon when a user profile is deleted and that user subsequently logs on to the machine. diff --git a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md index 9100a4bbb3..edcd5eab3e 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md 
@@ -1,7 +1,7 @@ --- title: ADMX_WindowsExplorer Policy CSP description: Learn more about the ADMX_WindowsExplorer Area in Policy CSP. -ms.date: 09/27/2024 +ms.date: 11/26/2024 --- @@ -4468,7 +4468,7 @@ Shows or hides sleep from the power options menu. -This policy setting allows up to five Libraries or Search Connectors to be pinned to the "Search again" links and the Start menu links. The "Search again" links at the bottom of the Search Results view allow the user to reconduct a search but in a different location. To add a Library or Search Connector link, specify the path of the . Library-ms or .searchConnector-ms file in the "Location" text box (for example, "C:\sampleLibrary. Library-ms" for the Documents library, or "C:\sampleSearchConnector.searchConnector-ms" for a Search Connector). The pinned link will only work if this path is valid and the location contains the specified . Library-ms or .searchConnector-ms file. +This policy setting allows up to five Libraries or Search Connectors to be pinned to the "Search again" links and the Start menu links. The "Search again" links at the bottom of the Search Results view allow the user to reconduct a search but in a different location. To add a Library or Search Connector link, specify the path of the `.Library-ms or .searchConnector-ms` file in the "Location" text box (for example, "C:\sampleLibrary.Library-ms" for the Documents library, or "C:\sampleSearchConnector.searchConnector-ms" for a Search Connector). The pinned link will only work if this path is valid and the location contains the specified `.Library-ms or .searchConnector-ms` file. You can add up to five additional links to the "Search again" links at the bottom of results returned in File Explorer after a search is executed. These links will be shared between Internet search sites and Search Connectors/Libraries. Search Connector/Library links take precedence over Internet search links. 
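Review bot: in the @@ -4468 hunk the new code span `.Library-ms or .searchConnector-ms` wraps the word "or" as though it were part of a file extension, and it does so twice in the paragraph. Use two spans, `.Library-ms` or `.searchConnector-ms`, so each extension is rendered as code on its own. Removing the stray space in ". Library-ms" is correct; for consistency the example paths `C:\sampleLibrary.Library-ms` and `C:\sampleSearchConnector.searchConnector-ms` could be code-formatted as well instead of quoted.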
diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md index 885f96e31a..64cecc6c0c 100644 --- a/windows/client-management/mdm/policy-csp-applicationmanagement.md +++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md @@ -1,7 +1,7 @@ --- title: ApplicationManagement Policy CSP description: Learn more about the ApplicationManagement Area in Policy CSP. -ms.date: 09/27/2024 +ms.date: 11/26/2024 --- @@ -371,7 +371,7 @@ If the setting is enabled or not configured, then Recording and Broadcasting (st Manages a Windows app's ability to share data between users who have installed the app. -- If you enable this policy, a Windows app can share app data with other instances of that app. Data is shared through the SharedLocal folder. This folder is available through the Windows. Storage API. +- If you enable this policy, a Windows app can share app data with other instances of that app. Data is shared through the SharedLocal folder. This folder is available through the `Windows.Storage` API. - If you disable this policy, a Windows app can't share app data with other instances of that app. If this policy was previously enabled, any previously shared app data will remain in the SharedLocal folder. @@ -629,7 +629,7 @@ Disable turns off the launch of all apps from the Microsoft Store that came pre- | Name | Value | |:--|:--| | Name | DisableStoreApps | -| Friendly Name | Disable all apps from Microsoft Store | +| Friendly Name | Disable all apps from Microsoft Store | | Location | Computer Configuration | | Path | Windows Components > Store | | Registry Key Name | Software\Policies\Microsoft\WindowsStore | 
@@ -867,7 +867,7 @@ This policy setting directs Windows Installer to use elevated permissions when i Denies access to the retail catalog in the Microsoft Store, but displays the private store. -- If you enable this setting, users won't be able to view the retail catalog in the Microsoft Store, but they will be able to view apps in the private store. +- If you enable this setting, users won't be able to view the retail catalog in the Microsoft Store, but they'll be able to view apps in the private store. - If you disable or don't configure this setting, users can access the retail catalog in the Microsoft Store. diff --git a/windows/client-management/mdm/policy-csp-attachmentmanager.md b/windows/client-management/mdm/policy-csp-attachmentmanager.md index 63caf16da0..c6597902db 100644 --- a/windows/client-management/mdm/policy-csp-attachmentmanager.md +++ b/windows/client-management/mdm/policy-csp-attachmentmanager.md @@ -1,7 +1,7 @@ --- title: AttachmentManager Policy CSP description: Learn more about the AttachmentManager Area in Policy CSP. -ms.date: 01/18/2024 +ms.date: 11/26/2024 --- 
@@ -154,7 +154,7 @@ This policy setting allows you to manage whether users can manually remove the z -This policy setting allows you to manage the behavior for notifying registered antivirus programs. If multiple programs are registered, they will all be notified. If the registered antivirus program already performs on-access checks or scans files as they arrive on the computer's email server, additional calls would be redundant. +This policy setting allows you to manage the behavior for notifying registered antivirus programs. If multiple programs are registered, they'll all be notified. If the registered antivirus program already performs on-access checks or scans files as they arrive on the computer's email server, additional calls would be redundant. - If you enable this policy setting, Windows tells the registered antivirus program to scan the file when a user opens a file attachment. If the antivirus program fails, the attachment is blocked from being opened. diff --git a/windows/client-management/mdm/policy-csp-bits.md b/windows/client-management/mdm/policy-csp-bits.md index 01dbd07987..40fec4ce18 100644 --- a/windows/client-management/mdm/policy-csp-bits.md +++ b/windows/client-management/mdm/policy-csp-bits.md @@ -1,7 +1,7 @@ --- title: BITS Policy CSP description: Learn more about the BITS Area in Policy CSP. -ms.date: 01/18/2024 +ms.date: 11/26/2024 --- 
@@ -32,7 +32,7 @@ ms.date: 01/18/2024 This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers. (This policy setting doesn't affect foreground transfers). -You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A. M. to 5:00 P. M., and use all available unused bandwidth the rest of the day's hours. +You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A.M. to 5:00 P.M., and use all available unused bandwidth the rest of the day's hours. - If you enable this policy setting, BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0. 
@@ -98,7 +98,7 @@ Consider using this setting to prevent BITS transfers from competing for network This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers. (This policy setting doesn't affect foreground transfers). -You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A. M. to 5:00 P. M., and use all available unused bandwidth the rest of the day's hours. +You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A.M. to 5:00 P.M., and use all available unused bandwidth the rest of the day's hours. - If you enable this policy setting, BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0. 
@@ -164,7 +164,7 @@ Consider using this setting to prevent BITS transfers from competing for network This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers. (This policy setting doesn't affect foreground transfers). -You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A. M. to 5:00 P. M., and use all available unused bandwidth the rest of the day's hours. +You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A.M. to 5:00 P.M., and use all available unused bandwidth the rest of the day's hours. - If you enable this policy setting, BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0. diff --git a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md index 863938353d..62f0079893 100644 --- a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md +++ b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md 
@@ -37,7 +37,7 @@ If set to 1 then any MDM policy that's set that has an equivalent GP policy will > [!NOTE] -> MDMWinsOverGP only applies to policies in Policy CSP. MDM policies win over Group Policies where applicable; not all Group Policies are available via MDM or CSP. It does not apply to other MDM settings with equivalent GP settings that are defined in other CSPs such as the [Defender CSP](defender-csp.md). +> MDMWinsOverGP only applies to policies in Policy CSP. MDM policies win over Group Policies where applicable; not all Group Policies are available via MDM or CSP. It does not apply to other MDM settings with equivalent GP settings that are defined in other CSPs such as the [Defender CSP](defender-csp.md). As a result, it is recommended that the same settings should not be configured in both GPO and MDM policies unless the settings are under the control of MDMWinsOverGP. Otherwise, there will be a race condition and no guarantee which one wins. This policy is used to ensure that MDM policy wins over GP when policy is configured on MDM channel. The default value is 0. The MDM policies in Policy CSP will behave as described if this policy value is set 1. diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index 2eef54311e..fc264fa2a8 100644 --- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md @@ -1,7 +1,7 @@ --- title: Defender Policy CSP description: Learn more about the Defender Area in Policy CSP. -ms.date: 09/27/2024 +ms.date: 11/26/2024 --- 
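Review bot: the sentence added to the MDMWinsOverGP note is double-hedged ("it is recommended that the same settings should not be configured") and doesn't say which settings the exception covers. State it directly and tie the exception to Policy CSP, since that is the only scope the preceding sentence says MDMWinsOverGP governs, for example: "Don't configure the same setting through both Group Policy and MDM unless it's a Policy CSP policy and MDMWinsOverGP is set to 1. Otherwise the two channels race and there's no guarantee which value takes effect." The rest of the file uses contractions ("doesn't", "isn't"), so "It does not apply" and "there will be" should follow suit.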
@@ -30,7 +30,7 @@ ms.date: 09/27/2024 -This policy setting allows you to configure scans for malicious software and unwanted software in archive files such as . ZIP or . CAB files. +This policy setting allows you to configure scans for malicious software and unwanted software in archive files such as .ZIP or .CAB files. - If you enable or don't configure this setting, archive files will be scanned. diff --git a/windows/client-management/mdm/policy-csp-display.md b/windows/client-management/mdm/policy-csp-display.md index 01753099d8..52da6d75c4 100644 --- a/windows/client-management/mdm/policy-csp-display.md +++ b/windows/client-management/mdm/policy-csp-display.md @@ -1,7 +1,7 @@ --- title: Display Policy CSP description: Learn more about the Display Area in Policy CSP. -ms.date: 11/05/2024 +ms.date: 11/27/2024 --- @@ -32,7 +32,7 @@ ms.date: 11/05/2024 -This policy set the default display to set the arrangement between cloning or extending. +This policy sets the default display arrangement to pick between clone or extend. @@ -66,7 +66,7 @@ This policy set the default display to set the arrangement between cloning or ex |:--|:--| | Name | ConfigureMultipleDisplayMode | | Path | Display > AT > System > DisplayCat | -| Element Name | ConfigureMultipleDisplayModePrompt | +| Element Name | DisplayConfigureMultipleDisplayModeSettings | @@ -298,6 +298,66 @@ Enabling this setting lets you specify the system-wide default for desktop appli + +## SetClonePreferredResolutionSource + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Display/SetClonePreferredResolutionSource +``` + + + + +This policy sets the cloned monitor preferred resolution source to an internal or external monitor by default. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Default. | +| 1 (Default) | Internal. | +| 2 | External. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | SetClonePreferredResolutionSource | +| Path | Display > AT > System > DisplayCat | +| Element Name | DisplaySetClonePreferredResolutionSourceSettings | + + + + + + + + ## TurnOffGdiDPIScalingForApps diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md index bfcf5c6f27..5cb73b8c77 100644 --- a/windows/client-management/mdm/policy-csp-internetexplorer.md +++ b/windows/client-management/mdm/policy-csp-internetexplorer.md @@ -1,7 +1,7 @@ --- title: InternetExplorer Policy CSP description: Learn more about the InternetExplorer Area in Policy CSP. -ms.date: 09/27/2024 +ms.date: 11/26/2024 --- 
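Review bot: in the new SetClonePreferredResolutionSource section (@@ -298) the allowed-values table contradicts the description-framework table: the row for value 0 is described as "Default." while the framework table says `Default Value | 1` and the row for 1 is labelled "1 (Default)". Either 0 means "no preference, let the system choose" (then describe it that way, e.g. "System default (no preferred source)") or the stated default value is wrong; one of the two has to change before this ships, because an admin reading "0 | Default." will assume 0 is what an unconfigured device uses.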
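Review bot: the reworded ConfigureMultipleDisplayMode description in the @@ -32 hunk ("sets the default display arrangement to pick between clone or extend") is still awkward and reads as if the policy picks at random. Suggest "This policy sets the default multiple-display mode to either clone or extend.", which also matches the policy name.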
@@ -2472,11 +2472,11 @@ This policy setting determines whether Internet Explorer requires that all file- -This setting determines whether IE automatically downloads updated versions of Microsoft's VersionList. XML. IE uses this file to determine whether an ActiveX control should be stopped from loading. +This setting determines whether IE automatically downloads updated versions of Microsoft's VersionList.XML. IE uses this file to determine whether an ActiveX control should be stopped from loading. -- If you enable this setting, IE stops downloading updated versions of VersionList. XML. Turning off this automatic download breaks the out-of-date ActiveX control blocking feature by not letting the version list update with newly outdated controls, potentially compromising the security of your computer. +- If you enable this setting, IE stops downloading updated versions of VersionList.XML. Turning off this automatic download breaks the out-of-date ActiveX control blocking feature by not letting the version list update with newly outdated controls, potentially compromising the security of your computer. -- If you disable or don't configure this setting, IE continues to download updated versions of VersionList. XML. +- If you disable or don't configure this setting, IE continues to download updated versions of VersionList.XML. For more information, see "Out-of-date ActiveX control blocking" in the Internet Explorer TechNet library. 
@@ -4429,7 +4429,7 @@ This policy setting allows you to manage a list of domains on which Internet Exp - If you enable this policy setting, you can enter a custom list of domains for which outdated ActiveX controls won't be blocked in Internet Explorer. Each domain entry must be formatted like one of the following: -1. "domain.name. TLD". For example, if you want to include *.contoso.com/*, use "contoso.com" +1. "domain.name.TLD". For example, if you want to include *.contoso.com/*, use "contoso.com" 2. "hostname". For example, if you want to include https://example, use "example". 3. "file:///path/filename.htm". For example, use "file:///C:/Users/contoso/Desktop/index.htm". @@ -5272,7 +5272,7 @@ This policy setting allows you to manage the loading of Extensible Application M -This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. +This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. - If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. 
@@ -6825,7 +6825,7 @@ This policy setting allows you to manage the opening of windows and frames and a -This policy setting allows you to manage whether . NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. +This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. - If you enable this policy setting, Internet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute signed managed components. @@ -7337,7 +7337,7 @@ This policy setting allows you to manage whether Web sites from less privileged -This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. +This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. - If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. 
@@ -8410,7 +8410,7 @@ This policy setting allows you to manage whether Web sites from less privileged -This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. +This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. - If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. @@ -9325,7 +9325,7 @@ This policy setting allows you to manage whether Web sites from less privileged -This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. +This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. - If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. 
@@ -10174,7 +10174,7 @@ This policy setting allows you to manage whether Web sites from less privileged -This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. +This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. - If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. @@ -10883,7 +10883,7 @@ This policy setting allows you to manage whether Web sites from less privileged -This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. +This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. - If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. 
@@ -11662,7 +11662,7 @@ This policy setting allows you to manage whether Web sites from less privileged -This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. +This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. - If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. @@ -12441,7 +12441,7 @@ This policy setting allows you to manage whether Web sites from less privileged -This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. +This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. - If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. 
@@ -13373,7 +13373,7 @@ For more information, see "Outdated ActiveX Controls" in the Internet Explorer T | Name | Value | |:--|:--| | Name | VerMgmtDisableRunThisTime | -| Friendly Name | Remove "Run this time" button for outdated ActiveX controls in Internet Explorer | +| Friendly Name | Remove "Run this time" button for outdated ActiveX controls in Internet Explorer | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Security Features > Add-on Management | | Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Ext | @@ -14307,7 +14307,7 @@ This policy setting allows you to manage whether a user's browser can be redirec -This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. +This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. - If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. 
@@ -15862,7 +15862,7 @@ If you selected Prompt in the drop-down box, users are asked to choose whether t -This policy setting allows you to manage whether . NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. +This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. - If you enable this policy setting, Internet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute signed managed components. @@ -16472,7 +16472,7 @@ Also, see the "Security zones: Don't allow users to change policies" policy. | Name | Value | |:--|:--| | Name | Security_HKLM_only | -| Friendly Name | Security Zones: Use only machine settings | +| Friendly Name | Security Zones: Use only machine settings | | Location | Computer Configuration | | Path | Windows Components > Internet Explorer | | Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings | 
@@ -16981,7 +16981,7 @@ This policy setting allows you to manage whether Web sites from less privileged -This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. +This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. - If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index bdd4e1fcd0..3c37204919 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -9,7 +9,7 @@ ms.date: 11/05/2024 # Policy CSP - LocalPoliciesSecurityOptions -[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)] +[!INCLUDE [Windows Windows Insider Preview tip](includes/mdm-insider-csp-note.md)] 
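Review bot: the include alt text in policy-csp-localpoliciessecurityoptions.md now reads "Windows Windows Insider Preview tip" with a duplicated word; "Windows Insider Preview tip" is intended. This looks like a bulk replacement of "Insider" with "Windows Insider Preview" applied to a string that already began with "Windows", so the other policy-csp files touched by this change should be checked for the same doubling.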
@@ -517,7 +517,7 @@ Audit: Shut down system immediately if unable to log security audits This securi -Devices: Allowed to format and eject removable media This security setting determines who is allowed to format and eject removable NTFS media. This capability can be given to: Administrators Administrators and Interactive Users Default: This policy isn't defined and only Administrators have this ability. +Devices: Allowed to format and eject removable media This security setting determines who is allowed to format and eject removable NTFS media. This capability can be given to: Administrators and Interactive Users Default: This policy isn't defined and only Administrators have this ability. @@ -1117,7 +1117,7 @@ Domain member: Require strong (Windows 2000 or later) session key This security -Interactive Logon:Display user information when the session is locked User display name, domain and user names (1) User display name only (2) Don't display user information (3) Domain and user names only (4) +Interactive Logon: Display user information when the session is locked User display name, domain and user names (1) User display name only (2) Don't display user information (3) Domain and user names only (4) @@ -1556,7 +1556,7 @@ Interactive logon: Message title for users attempting to log on This security se | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later | +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | @@ -1568,6 +1568,9 @@ Interactive logon: Message title for users attempting to log on This security se Interactive logon: Number of previous logons to cache (in case domain controller isn't available) Each unique user's logon information is cached locally so that, in the event that a domain controller is unavailable during subsequent logon attempts, they're able to log on. The cached logon information is stored from the previous logon session. If a domain controller is unavailable and a user's logon information isn't cached, the user is prompted with this message: There are currently no logon servers available to service the logon request. In this policy setting, a value of 0 disables logon caching. Any value above 50 only caches 50 logon attempts. Windows supports a maximum of 50 cache entries and the number of entries consumed per user depends on the credential. For example, a maximum of 50 unique password user accounts can be cached on a Windows system, but only 25 smart card user accounts can be cached because both the password information and the smart card information are stored. When a user with cached logon information logs on again, the user's individual cached information is replaced. Default: Windows Server 2008: 25 All Other Versions: 10. + +> [!NOTE] +> This setting previously showed as applicable to Windows 11, version 24H2 [10.0.26100] and later in error. MDM solutions may show as applicable to that version until a future release. 
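Review bot: in the "Devices: Allowed to format and eject removable media" hunk (@@ -517), deleting the word "Administrators" removes one of the setting's choices instead of fixing the formatting. The original run-together text listed two options, "Administrators" and "Administrators and Interactive Users"; the edited text lists only the latter, which no longer agrees with the "Default: ... only Administrators have this ability" that follows it. Keep both options and separate them with punctuation or a list, e.g. "This capability can be given to: Administrators; Administrators and Interactive Users. Default: ...".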
@@ -1780,7 +1783,7 @@ Microsoft network client: Digitally sign communications (if server agrees) This - If this setting is enabled, the Microsoft network client will ask the server to perform SMB packet signing upon session setup. If packet signing has been enabled on the server, packet signing will be negotiated. -- If this policy is disabled, the SMB client will never negotiate SMB packet signing. Notes All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. For more information, reference:< https://go.microsoft.com/fwlink/?LinkID=787136>. +- If this policy is disabled, the SMB client will never negotiate SMB packet signing. Notes All Windows operating systems support both a client-side SMB component and a server-side SMB component. 
On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. If both client-side and server-side SMB signing are enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. For more information, reference:< https://go.microsoft.com/fwlink/?LinkID=787136>. 
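Review bot: the reference link at the end of the replacement line in the @@ -1780,7 +1783,7 hunk (Microsoft network client: Digitally sign communications (if server agrees)) still reads `reference:< https://go.microsoft.com/fwlink/?LinkID=787136>`, with a space inside the angle brackets and none before them, so Markdown will not render it as an autolink; since the line is being rewritten anyway, make it `reference: <https://go.microsoft.com/fwlink/?LinkID=787136>`. The grammar change itself (`is enabled` to `are enabled` for the two-part subject) is correct.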
@@ -2021,7 +2024,7 @@ Microsoft network server: Digitally sign communications (if client agrees) This - If this policy is disabled, the SMB client will never negotiate SMB packet signing. on domain controllers only. > [!IMPORTANT] -> For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the server running Windows 2000: HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature Notes All Windows operating systems support both a client-side SMB component and a server-side SMB component. For Windows 2000 and above, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. For more information, reference:< https://go.microsoft.com/fwlink/?LinkID=787136>. 
+> For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the server running Windows 2000: HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature Notes All Windows operating systems support both a client-side SMB component and a server-side SMB component. For Windows 2000 and above, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. If both client-side and server-side SMB signing are enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. For more information, reference:< https://go.microsoft.com/fwlink/?LinkID=787136>. diff --git a/windows/client-management/mdm/policy-csp-mixedreality.md b/windows/client-management/mdm/policy-csp-mixedreality.md index d2ccb8d7eb..c2b7e4d9b0 100644 --- a/windows/client-management/mdm/policy-csp-mixedreality.md +++ b/windows/client-management/mdm/policy-csp-mixedreality.md 
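Review bot: in the @@ -2021,7 +2024,7 hunk (Microsoft network server: Digitally sign communications (if client agrees)), the unchanged bullet `- If this policy is disabled, the SMB client will never negotiate SMB packet signing.` describes the client-side component, but this is the server-side policy; the same hunk says this setting `Controls whether or not the server-side SMB component has packet signing enabled`, so the bullet should say that the SMB server will never negotiate signing. The replacement line also carries over the same broken link markup as the client hunk, `reference:< https://go.microsoft.com/fwlink/?LinkID=787136>`, which should become `reference: <https://go.microsoft.com/fwlink/?LinkID=787136>`.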
@@ -1,7 +1,7 @@ --- title: MixedReality Policy CSP description: Learn more about the MixedReality Area in Policy CSP. -ms.date: 09/11/2024 +ms.date: 11/26/2024 --- @@ -139,7 +139,7 @@ This opt-in policy can help with the setup of new devices in new areas or new us -By default, launching applications via Launcher API (Launcher Class (Windows. System) - Windows UWP applications | Microsoft Docs) is disabled in single app kiosk mode. To enable applications to launch in single app kiosk mode on HoloLens devices, set the policy value to true. +By default, launching applications via Launcher API is disabled in single app kiosk mode. To enable applications to launch in single app kiosk mode on HoloLens devices, set the policy value to true. diff --git a/windows/client-management/mdm/policy-csp-newsandinterests.md b/windows/client-management/mdm/policy-csp-newsandinterests.md index 16fabdc822..df2f909bd6 100644 --- a/windows/client-management/mdm/policy-csp-newsandinterests.md +++ b/windows/client-management/mdm/policy-csp-newsandinterests.md @@ -1,7 +1,7 @@ --- title: NewsAndInterests Policy CSP description: Learn more about the NewsAndInterests Area in Policy CSP. -ms.date: 01/18/2024 +ms.date: 11/27/2024 --- @@ -9,6 +9,8 @@ ms.date: 01/18/2024 # Policy CSP - NewsAndInterests +[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)] + @@ -82,6 +84,64 @@ This policy applies to the entire widgets experience, including content on the t + +## DisableWidgetsOnLockScreen + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/NewsAndInterests/DisableWidgetsOnLockScreen +``` + + + + +Disable widgets on lock screen. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Enabled. | +| 1 | Disabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableWidgetsOnLockScreen | +| Path | NewsAndInterests > AT > WindowsComponents > NewsAndInterests | + + + + + + + + diff --git a/windows/client-management/mdm/policy-csp-remotedesktopservices.md b/windows/client-management/mdm/policy-csp-remotedesktopservices.md index a3d59bef8b..898fb3e01b 100644 --- a/windows/client-management/mdm/policy-csp-remotedesktopservices.md +++ b/windows/client-management/mdm/policy-csp-remotedesktopservices.md @@ -1,7 +1,7 @@ --- title: RemoteDesktopServices Policy CSP description: Learn more about the RemoteDesktopServices Area in Policy CSP. -ms.date: 11/05/2024 +ms.date: 11/26/2024 --- @@ -197,7 +197,7 @@ This policy applies only when using legacy authentication to authenticate to the | Name | Value | |:--|:--| | Name | TS_DISCONNECT_ON_LOCK_POLICY | -| Friendly Name | Disconnect remote session on lock for legacy authentication | +| Friendly Name | Disconnect remote session on lock for legacy authentication | | Location | Computer Configuration | | Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security | | Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | diff --git a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md index 1def7d700f..53395cdd0b 100644 
--- a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md +++ b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md @@ -1,7 +1,7 @@ --- title: RemoteProcedureCall Policy CSP description: Learn more about the RemoteProcedureCall Area in Policy CSP. -ms.date: 01/18/2024 +ms.date: 11/26/2024 --- @@ -105,11 +105,11 @@ This policy setting impacts all RPC applications. In a domain environment this p This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they're making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) can't process authentication information supplied in this manner. -- If you disable this policy setting, RPC clients won't authenticate to the Endpoint Mapper Service, but they will be able to communicate with the Endpoint Mapper Service on Windows NT4 Server. +- If you disable this policy setting, RPC clients won't authenticate to the Endpoint Mapper Service, but they'll be able to communicate with the Endpoint Mapper Service on Windows NT4 Server. - If you enable this policy setting, RPC clients will authenticate to the Endpoint Mapper Service for calls that contain authentication information. Clients making such calls won't be able to communicate with the Windows NT4 Server Endpoint Mapper Service. -- If you don't configure this policy setting, it remains disabled. RPC clients won't authenticate to the Endpoint Mapper Service, but they will be able to communicate with the Windows NT4 Server Endpoint Mapper Service. +- If you don't configure this policy setting, it remains disabled. RPC clients won't authenticate to the Endpoint Mapper Service, but they'll be able to communicate with the Windows NT4 Server Endpoint Mapper Service. > [!NOTE] > This policy won't be applied until the system is rebooted. 
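Review bot: in the new DisableWidgetsOnLockScreen section added to policy-csp-newsandinterests.md (@@ -82,6 +84,64), the allowed-values descriptions `0 (Default) | Enabled.` and `1 | Disabled.` are ambiguous for a policy whose name begins with Disable: a reader cannot tell whether 1 disables the widgets or disables the policy. State the effect on the widgets instead (0: widgets are shown on the lock screen; 1: widgets are hidden from the lock screen), and expand the one-line description `Disable widgets on lock screen.` into the enabled/disabled bullets that the other policy sections in this diff use.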
diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md index 418199d466..bd79220cf2 100644 --- a/windows/client-management/mdm/policy-csp-start.md +++ b/windows/client-management/mdm/policy-csp-start.md @@ -1,7 +1,7 @@ --- title: Start Policy CSP description: Learn more about the Start Area in Policy CSP. -ms.date: 08/06/2024 +ms.date: 11/27/2024 --- @@ -9,6 +9,8 @@ ms.date: 08/06/2024 # Policy CSP - Start +[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)] + @@ -513,6 +515,63 @@ This policy controls the visibility of the Videos shortcut on the Start menu. Th + +## AlwaysShowNotificationIcon + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ❌ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | + + + +```User +./User/Vendor/MSFT/Policy/Config/Start/AlwaysShowNotificationIcon +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Auto-hide notification bell icon. | +| 1 | Show notification bell icon. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AlwaysShowNotificationIcon | +| Path | Taskbar > AT > StartMenu | + + + + + + + + ## ConfigureStartPins @@ -2247,6 +2306,63 @@ For more information on how to customize the Start layout, see [Customize the St + +## TurnOffAbbreviatedDateTimeFormat + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ❌ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | + + + +```User +./User/Vendor/MSFT/Policy/Config/Start/TurnOffAbbreviatedDateTimeFormat +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Show abbreviated time and date format. | +| 1 | Show classic time and date format. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | TurnOffAbbreviatedDateTimeFormat | +| Path | Taskbar > AT > StartMenu | + + + + + + + + diff --git a/windows/client-management/mdm/policy-csp-sudo.md b/windows/client-management/mdm/policy-csp-sudo.md index dbcd21af22..796c69e84b 100644 --- a/windows/client-management/mdm/policy-csp-sudo.md +++ b/windows/client-management/mdm/policy-csp-sudo.md @@ -1,7 +1,7 @@ --- title: Sudo Policy CSP description: Learn more about the Sudo Area in Policy CSP. -ms.date: 09/27/2024 +ms.date: 11/27/2024 --- @@ -19,7 +19,7 @@ ms.date: 09/27/2024 | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
❌ User | ❌ Pro
❌ Enterprise
❌ Education
❌ Windows SE
❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later | +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later | diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index a77f87712f..19a069926b 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -1,7 +1,7 @@ --- title: Update Policy CSP description: Learn more about the Update Area in Policy CSP. -ms.date: 09/27/2024 +ms.date: 11/27/2024 --- @@ -2522,7 +2522,7 @@ Minimum number of days from update installation until restarts occur automatical | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later | +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later | @@ -2601,7 +2601,7 @@ This policy will override the following policies: | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later | +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later | @@ -3237,7 +3237,7 @@ These policies are not exclusive and can be used in any combination. Together wi - the IT admin to schedule the time of the update installation. The data type is a integer. Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM. The default value is 3. +Enables the IT admin to schedule the time of the update installation. The data type is a integer. Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM. The default value is 3. diff --git a/windows/client-management/mdm/policy-csp-webthreatdefense.md b/windows/client-management/mdm/policy-csp-webthreatdefense.md index 96d9296b8a..08d092b065 100644 --- a/windows/client-management/mdm/policy-csp-webthreatdefense.md +++ b/windows/client-management/mdm/policy-csp-webthreatdefense.md @@ -1,7 +1,7 @@ --- title: WebThreatDefense Policy CSP description: Learn more about the WebThreatDefense Area in Policy CSP. -ms.date: 09/27/2024 +ms.date: 11/26/2024 --- @@ -308,7 +308,7 @@ This policy setting determines whether Enhanced Phishing Protection in Microsoft - If you disable this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen is off and it won't capture events, send telemetry, or notify users. Additionally, your users are unable to turn it on. -- If you don't configure this setting, users can decide whether or not they will enable Enhanced Phishing Protection in Microsoft Defender SmartScreen. +- If you don't configure this setting, users can decide whether or not they'll enable Enhanced Phishing Protection in Microsoft Defender SmartScreen. diff --git a/windows/client-management/mdm/policy-csp-windowsai.md b/windows/client-management/mdm/policy-csp-windowsai.md index 5db33c8daf..8633998eec 100644 --- a/windows/client-management/mdm/policy-csp-windowsai.md +++ b/windows/client-management/mdm/policy-csp-windowsai.md 
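Review bot: the two new sections in policy-csp-start.md, AlwaysShowNotificationIcon (@@ -513,6 +515,63) and TurnOffAbbreviatedDateTimeFormat (@@ -2247,6 +2306,63), have no description at all: between the `./User/Vendor/MSFT/Policy/Config/Start/...` block and **Description framework properties** there are only blank lines, so the only explanation of each policy is its allowed-values table (`Auto-hide notification bell icon.` / `Show notification bell icon.` and `Show abbreviated time and date format.` / `Show classic time and date format.`). Add at least a one-sentence description and the enabled/disabled bullets for each, as the other new sections in this diff (DisableWidgetsOnLockScreen, DisableGenerativeFill) do.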
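Review bot: the rewritten line in the policy-csp-update.md hunk @@ -3237,7 +3237,7 fixes the truncated opening (`the IT admin to schedule` becomes `Enables the IT admin to schedule`) but keeps `The data type is a integer.`; change it to `an integer` while the line is being edited.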
@@ -1,7 +1,7 @@ --- title: WindowsAI Policy CSP description: Learn more about the WindowsAI Area in Policy CSP. -ms.date: 11/22/2024 +ms.date: 12/09/2024 --- @@ -38,7 +38,7 @@ This policy setting allows you to determine whether the Recall optional componen - If this policy is disabled, the Recall component will be in disabled state and the bits for Recall will be removed from the device. If snapshots were previously saved on the device, they'll be deleted when this policy is disabled. Removing Recall requires a device restart. -- If the policy is enabled, end users will have Recall available on their device. Depending on the state of the DisableAIDataAnalysis policy (Turn off saving snapshots for use with Recall), end users are able to choose if they want to save snapshots of their screen and use Recall to find things they've seen on their device. +- If the policy is enabled, end users will have Recall available on their device. Depending on the state of the DisableAIDataAnalysis policy (Turn off saving snapshots for use with Recall), end users will be able to choose if they want to save snapshots of their screen and use Recall to find things they've seen on their device. @@ -90,7 +90,7 @@ This policy setting allows you to determine whether the Recall optional componen | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | +| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later | @@ -219,6 +219,68 @@ This policy setting allows you to control whether Cocreator functionality is dis + +## DisableGenerativeFill + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsAI/DisableGenerativeFill +``` + + + + +This policy setting allows you to control whether generative fill functionality is disabled in the Windows Paint app. + +- If this policy is enabled, generative fill functionality won't be accessible in the Paint app. + +- If this policy is disabled or not configured, users will be able to access generative fill functionality. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Generative fill is enabled. | +| 1 | Generative fill is disabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableGenerativeFill | +| Path | WindowsAI > AT > WindowsComponents > Paint | + + + + + + + + ## DisableImageCreator @@ -287,7 +349,7 @@ This policy setting allows you to control whether Image Creator functionality is | Scope | Editions | Applicable OS | |:--|:--|:--| -| ❌ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | +| ❌ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 with [KB5044380](https://support.microsoft.com/help/5044380) [10.0.22621.4391] and later | @@ -360,7 +422,7 @@ This policy setting determines which app opens when the user presses the Copilot This policy allows you to define a list of apps that won't be included in snapshots for Recall. -Users are able to add additional applications to exclude from snapshots using Recall settings. +Users will be able to add additional applications to exclude from snapshots using Recall settings. The list can include Application User Model IDs (AUMID) or name of the executable file. @@ -429,7 +491,7 @@ For example: `code.exe;Microsoft.WindowsNotepad_8wekyb3d8bbwe!App;ms-teams.exe` This policy setting lets you define a list of URIs that won't be included in snapshots for Recall when a supported browser is used. People within your organization can use Recall settings to add more websites to the list. Define the list using a semicolon to separate URIs. -For example: `https://www.Contoso.com;https://www.WoodgroveBank.com;https://www.Adatum.com`. +For example: `https://www.Contoso.com;https://www.WoodgroveBank.com;https://www.Adatum.com` Adding `https://www.WoodgroveBank.com` to the list would also filter `https://Account.WoodgroveBank.com` and `https://www.WoodgroveBank.com/Account`. @@ -628,6 +690,9 @@ When this setting isn't configured, the OS configures the storage allocation for ## TurnOffWindowsCopilot +> [!NOTE] +> This policy is deprecated and may be removed in a future release. + | Scope | Editions | Applicable OS | |:--|:--|:--| 
@@ -646,13 +711,14 @@ This policy setting allows you to turn off Windows Copilot. - If you enable this policy setting, users won't be able to use Copilot. The Copilot icon won't appear on the taskbar either. -- If you disable or don't configure this policy setting, users are able to use Copilot when it's available to them. +- If you disable or don't configure this policy setting, users will be able to use Copilot when it's available to them. > [!NOTE] > - The TurnOffWindowsCopilot policy isn't for the [new Copilot experience](https://techcommunity.microsoft.com/blog/windows-itpro-blog/evolving-copilot-in-windows-for-your-workforce/4141999) that's in some [Windows Insider builds](https://blogs.windows.com/windows-insider/2024/05/22/releasing-windows-11-version-24h2-to-the-release-preview-channel/) and that will be gradually rolling out to Windows 11 and Windows 10 devices. +> - This policy also applies to upgrade scenarios to prevent installation of the Copilot app from an image that would have had the Copilot in Windows pane. diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md index c7a7fe256c..64a1352741 100644 --- a/windows/client-management/mdm/policy-csp-windowslogon.md +++ b/windows/client-management/mdm/policy-csp-windowslogon.md @@ -1,7 +1,7 @@ --- title: WindowsLogon Policy CSP description: Learn more about the WindowsLogon Area in Policy CSP. -ms.date: 09/27/2024 +ms.date: 11/26/2024 --- @@ -349,7 +349,7 @@ This policy setting allows you to control whether users see the first sign-in an | Name | Value | |:--|:--| | Name | EnableFirstLogonAnimation | -| Friendly Name | Show first sign-in animation | +| Friendly Name | Show first sign-in animation | | Location | Computer Configuration | | Path | System > Logon | | Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | 
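Review bot: in the policy-csp-windowslogon.md hunk @@ -349,7 +349,7 the removed and added lines both read `| Friendly Name | Show first sign-in animation |`, so the change is a non-printing one (trailing or non-breaking whitespace) that a reviewer cannot see; say so in the commit message. The same applies to the identical-looking `Friendly Name` change in policy-csp-remotedesktopservices.md (@@ -197,7 +197,7).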
diff --git a/windows/client-management/mdm/policy-csp-windowssandbox.md b/windows/client-management/mdm/policy-csp-windowssandbox.md index a22172669f..3c26ac2f1a 100644 --- a/windows/client-management/mdm/policy-csp-windowssandbox.md +++ b/windows/client-management/mdm/policy-csp-windowssandbox.md @@ -1,7 +1,7 @@ --- title: WindowsSandbox Policy CSP description: Learn more about the WindowsSandbox Area in Policy CSP. -ms.date: 09/27/2024 +ms.date: 11/27/2024 --- @@ -19,7 +19,7 @@ ms.date: 09/27/2024 | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later | +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041.4950] and later
✅ Windows 10, version 20H2 [10.0.19042.4950] and later
✅ Windows 10, version 21H1 [10.0.19043.4950] and later
✅ Windows 11, version 21H2 [10.0.22000] and later | @@ -54,10 +54,18 @@ Note that there may be security implications of exposing host audio input to the |:--|:--| | Format | `int` | | Access Type | Add, Delete, Get, Replace | -| Allowed Values | Range: `[0-1]` | | Default Value | 1 | + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + **Group policy mapping**: @@ -84,7 +92,7 @@ Note that there may be security implications of exposing host audio input to the | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later | +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041.4950] and later
✅ Windows 10, version 20H2 [10.0.19042.4950] and later
✅ Windows 10, version 21H1 [10.0.19043.4950] and later
✅ Windows 11, version 21H2 [10.0.22000] and later | @@ -117,10 +125,18 @@ This policy setting enables or disables clipboard sharing with the sandbox. |:--|:--| | Format | `int` | | Access Type | Add, Delete, Get, Replace | -| Allowed Values | Range: `[0-1]` | | Default Value | 1 | + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + **Group policy mapping**: @@ -182,10 +198,18 @@ Note that there may be security implications of exposing folders from the host i |:--|:--| | Format | `int` | | Access Type | Add, Delete, Get, Replace | -| Allowed Values | Range: `[0-1]` | | Default Value | 1 | + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + **Group policy mapping**: @@ -212,7 +236,7 @@ Note that there may be security implications of exposing folders from the host i | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later | +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041.4950] and later
✅ Windows 10, version 20H2 [10.0.19042.4950] and later
✅ Windows 10, version 21H1 [10.0.19043.4950] and later
✅ Windows 11, version 21H2 [10.0.22000] and later | @@ -247,10 +271,18 @@ Note that enabling networking can expose untrusted applications to the internal |:--|:--| | Format | `int` | | Access Type | Add, Delete, Get, Replace | -| Allowed Values | Range: `[0-1]` | | Default Value | 1 | + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + **Group policy mapping**: @@ -277,7 +309,7 @@ Note that enabling networking can expose untrusted applications to the internal | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later | +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041.4950] and later
✅ Windows 10, version 20H2 [10.0.19042.4950] and later
✅ Windows 10, version 21H1 [10.0.19043.4950] and later
✅ Windows 11, version 21H2 [10.0.22000] and later | @@ -310,10 +342,18 @@ This policy setting enables or disables printer sharing from the host into the S |:--|:--| | Format | `int` | | Access Type | Add, Delete, Get, Replace | -| Allowed Values | Range: `[0-1]` | | Default Value | 1 | + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + **Group policy mapping**: @@ -340,7 +380,7 @@ This policy setting enables or disables printer sharing from the host into the S | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later | +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041.4950] and later
✅ Windows 10, version 20H2 [10.0.19042.4950] and later
✅ Windows 10, version 21H1 [10.0.19043.4950] and later
✅ Windows 11, version 21H2 [10.0.22000] and later | @@ -375,10 +415,18 @@ Note that enabling virtualized GPU can potentially increase the attack surface o |:--|:--| | Format | `int` | | Access Type | Add, Delete, Get, Replace | -| Allowed Values | Range: `[0-1]` | | Default Value | 1 | + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + **Group policy mapping**: @@ -405,7 +453,7 @@ Note that enabling virtualized GPU can potentially increase the attack surface o | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later | +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041.4950] and later
✅ Windows 10, version 20H2 [10.0.19042.4950] and later
✅ Windows 10, version 21H1 [10.0.19043.4950] and later
✅ Windows 11, version 21H2 [10.0.22000] and later | @@ -440,10 +488,18 @@ Note that there may be security implications of exposing host video input to the |:--|:--| | Format | `int` | | Access Type | Add, Delete, Get, Replace | -| Allowed Values | Range: `[0-1]` | | Default Value | 1 | + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + **Group policy mapping**: @@ -505,11 +561,19 @@ Note that there may be security implications of exposing folders from the host i |:--|:--| | Format | `int` | | Access Type | Add, Delete, Get, Replace | -| Allowed Values | Range: `[0-1]` | | Default Value | 1 | | Dependency [WindowsSandbox_AllowWriteToMappedFolders_DependencyGroup] | Dependency Type: `DependsOn`
Dependency URI: `Device/Vendor/MSFT/Policy/Config/WindowsSandbox/AllowMappedFolders`
Dependency Allowed Value: `[1]`
Dependency Allowed Value Type: `Range`
| + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + **Group policy mapping**: diff --git a/windows/client-management/mdm/supl-csp.md b/windows/client-management/mdm/supl-csp.md index 3793140f08..687edec2d2 100644 --- a/windows/client-management/mdm/supl-csp.md +++ b/windows/client-management/mdm/supl-csp.md @@ -1,7 +1,7 @@ --- title: SUPL CSP description: Learn more about the SUPL CSP. -ms.date: 01/18/2024 +ms.date: 11/27/2024 --- @@ -289,7 +289,7 @@ Required. The AppID for SUPL is automatically set to "ap0004". This is a read-on -Optional. Determines the full version (X. Y. Z where X, Y and Z are major version, minor version, service indicator, respectively) of the SUPL protocol to use. The default is 1.0.0. If FullVersion is defined, Version field is ignored. +Optional. Determines the full version (`X.Y.Z` where X, Y and Z are major version, minor version, service indicator, respectively) of the SUPL protocol to use. The default is 1.0.0. If FullVersion is defined, Version field is ignored. diff --git a/windows/configuration/assigned-access/shell-launcher/index.md b/windows/configuration/assigned-access/shell-launcher/index.md index 4c942afd74..5ffc4c6801 100644 --- a/windows/configuration/assigned-access/shell-launcher/index.md +++ b/windows/configuration/assigned-access/shell-launcher/index.md @@ -78,7 +78,7 @@ $shellLauncherConfiguration = @" $namespaceName="root\cimv2\mdm\dmmap" $className="MDM_AssignedAccess" $obj = Get-CimInstance -Namespace $namespaceName -ClassName $className -$obj.Configuration = [System.Net.WebUtility]::HtmlEncode($shellLauncherConfiguration) +$obj.ShellLauncher = [System.Net.WebUtility]::HtmlEncode($shellLauncherConfiguration) $obj = Set-CimInstance -CimInstance $obj -ErrorVariable cimSetError -ErrorAction SilentlyContinue if($cimSetError) { Write-Output "An ERROR occurred. Displaying error record and attempting to retrieve error logs...`n" 
@@ -86,6 +86,7 @@ if($cimSetError) { $timeout = New-TimeSpan -Seconds 30 $stopwatch = [System.Diagnostics.Stopwatch]::StartNew() + $eventLogFilterHashTable = @{ LogName='Microsoft-Windows-AssignedAccess/Admin' } do{ $events = Get-WinEvent -FilterHashtable $eventLogFilterHashTable -ErrorAction Ignore } until ($events.Count -or $stopwatch.Elapsed -gt $timeout) # wait for the log to be available diff --git a/windows/configuration/cellular/provisioning-apn.md b/windows/configuration/cellular/provisioning-apn.md index 8fcf389cf7..860024c72c 100644 --- a/windows/configuration/cellular/provisioning-apn.md +++ b/windows/configuration/cellular/provisioning-apn.md @@ -2,7 +2,7 @@ title: Configure cellular settings description: Learn how to provision cellular settings for devices with built-in modems or plug-in USB modem dongles. ms.topic: concept-article -ms.date: 04/23/2024 +ms.date: 12/05/2024 --- # Configure cellular settings diff --git a/windows/configuration/index.yml b/windows/configuration/index.yml index fa1a297ecf..a1e1606862 100644 --- a/windows/configuration/index.yml +++ b/windows/configuration/index.yml @@ -11,7 +11,7 @@ metadata: author: paolomatarazzo ms.author: paoloma manager: aaroncz - ms.date: 04/25/2024 + ms.date: 12/05/2024 # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new diff --git a/windows/configuration/keyboard-filter/disable-all-blocked-key-combinations.md b/windows/configuration/keyboard-filter/disable-all-blocked-key-combinations.md new file mode 100644 index 0000000000..c8e6da2064 --- /dev/null +++ b/windows/configuration/keyboard-filter/disable-all-blocked-key-combinations.md 
@@ -0,0 +1,76 @@ +--- +title: Disable all blocked key combinations +description: Disable all blocked key combinations +author: TerryWarwick +ms.author: twarwick +ms.date: 01/13/2025 +ms.topic: reference +--- + +# Disable all blocked key combinations + +[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)] + +The following sample Windows PowerShell script uses the WMI providers to disable all blocked key combinations for Keyboard Filter by using the Windows Management Instrumentation (WMI) providers for Keyboard Filter. The key combination configurations aren't removed, but Keyboard Filter stops blocking any keys. + +## Disable-all-rules.ps1 + +```powershell +# +# Copyright (C) Microsoft. All rights reserved. +# + +<# +.Synopsis + This Windows PowerShell script shows how to enumerate all existing keyboard filter + rules and how to disable them by setting the Enabled property directly. +.Description + For each instance of WEKF_PredefinedKey, WEKF_CustomKey, and WEKF_Scancode, + set the Enabled property to false/0 to disable the filter rule, thus + allowing all key sequences through the filter. +.Parameter ComputerName + Optional parameter to specify the remote computer that this script should + manage. If not specified, the script will execute all WMI operations + locally. 
+#> + +param( + [String]$ComputerName +) + +$CommonParams = @{"namespace"="root\standardcimv2\embedded"} +$CommonParams += $PSBoundParameters + +Get-WMIObject -class WEKF_PredefinedKey @CommonParams | + foreach { + if ($_.Enabled) { + $_.Enabled = 0; + $_.Put() | Out-Null; + Write-Host Disabled $_.Id + } + } + +Get-WMIObject -class WEKF_CustomKey @CommonParams | + foreach { + if ($_.Enabled) { + $_.Enabled = 0; + $_.Put() | Out-Null; + Write-Host Disabled $_.Id + } + } + +Get-WMIObject -class WEKF_Scancode @CommonParams | + foreach { + if ($_.Enabled) { + $_.Enabled = 0; + $_.Put() | Out-Null; + "Disabled {0}+{1:X4}" -f $_.Modifiers,$_.Scancode + } + } +``` + +## Related articles + +- [Windows PowerShell script samples for keyboard filter](keyboardfilter-powershell-script-samples.md) +- [Keyboard filter WMI provider reference](keyboardfilter-wmi-provider-reference.md) +- [Keyboard filter](index.md) diff --git a/windows/configuration/keyboard-filter/index.md b/windows/configuration/keyboard-filter/index.md new file mode 100644 index 0000000000..cb761c4814 --- /dev/null +++ b/windows/configuration/keyboard-filter/index.md 
@@ -0,0 +1,146 @@ +--- +title: Keyboard Filter +description: Keyboard Filter +author: TerryWarwick +ms.author: twarwick +ms.date: 01/13/2025 +ms.topic: overview +--- + +# Keyboard Filter + +[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)] + +You can use Keyboard Filter to suppress undesirable key presses or key combinations. Normally, a customer can use certain Microsoft Windows key combinations like Ctrl+Alt+Delete or Ctrl+Shift+Tab to alter the operation of a device by locking the screen or using Task Manager to close a running application. This behavior might not be desirable if your device is intended for a dedicated purpose. + +The Keyboard Filter feature works with physical keyboards, the Windows on-screen keyboard, and the touch keyboard. Switching from one language to another might cause the location of suppressed keys on the keyboard layout to change. Keyboard Filter detects these dynamic layout changes and continues to suppress keys correctly. + +> [!NOTE] +> Keyboard filter is not supported in a remote desktop session. + +## Terminology + +- **Turn on, enable:** Make the setting available to the device and optionally apply the settings to the device. Generally *turn on* is used in the user interface or control panel, whereas *enable* is used for command line +- **Configure:** To customize the setting or subsettings +- **Embedded Keyboard Filter:** This feature is called Embedded Keyboard Filter in Windows 10, version 1511 +- **Keyboard Filter:** This feature is called Keyboard Filter in Windows 10, version 1607 and later + +## Turn on Keyboard Filter + +By default, Keyboard Filter isn't turned on. You can turn Keyboard Filter on or off for your device by using the following steps. + +Turning on an off Keyboard Filter requires that you restart your device. Keyboard Filter is automatically enabled after the restart. + +### Turn on Keyboard Filter by using Control Panel + +1. 
In the Windows search bar, type **Turn Windows features on or off** and either press **Enter** or tap or select **Turn Windows features on or off** to open the **Windows Features** window. +1. In the **Windows Features** window, expand the **Device Lockdown** node, and select (to turn on) or clear (to turn off) the checkbox for **Keyboard Filter**. +1. Select **OK**. The **Windows Features** window indicates that Windows is searching for required files and displays a progress bar. Once found, the window indicates that Windows is applying the changes. When completed, the window indicates the requested changes are completed. +1. Restart your device to apply the changes. + +### Configure Keyboard using Unattend + +1. You can configure the Unattend settings in the [Microsoft-Windows-Embedded-KeyboardFilterService](/windows-hardware/customize/desktop/unattend/microsoft-windows-embedded-keyboardfilterservice) component to add Keyboard Filter features to your image during the design or imaging phase. +1. You can manually create an Unattend answer file or use Windows System Image Manager (Windows SIM) to add the appropriate settings to your answer file. For more information about the keyboard filter settings and XML examples, see the settings in [Microsoft-Windows-Embedded-KeyboardFilterService](/windows-hardware/customize/desktop/unattend/microsoft-windows-embedded-keyboardfilterservice). + +### Turn on and configure Keyboard Filter using Windows Configuration Designer + +The Keyboard Filter settings are also available as Windows provisioning settings so you can configure these settings to be applied during the image deployment time or runtime. You can set one or all keyboard filter settings by creating a provisioning package using Windows Configuration Designer and then applying the provisioning package during image deployment time or runtime. + +1. 
Build a provisioning package in Windows Configuration Designer by following the instructions in [Create a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package), selecting the **Advanced Provisioning** option. + + > [!Note] + > In the **Choose which settings to view and configure** window, choose **Common to all Windows desktop editions**. + +1. On the **Available customizations** page, select **Runtime settings** > **SMISettings**, and then set the desired values for the keyboard filter settings. +1. Once you have finished configuring the settings and building the provisioning package, you can apply the package to the image deployment time or runtime. For more information, see [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package). + +This example uses a Windows image called install.wim, but you can use the same procedure to apply a provisioning package. For more information on DISM, see [What Is Deployment Image Servicing and Management](/windows-hardware/manufacture/desktop/what-is-dism). + +### Turn on and configure Keyboard Filter by using DISM + +1. Open a command prompt with administrator privileges. +1. Enable the feature using the following command. + + ```cmd + Dism /online /Enable-Feature /FeatureName:Client-KeyboardFilter + ``` + +1. Once the script completes, restart the device to apply the change. + +## Keyboard Filter features + +Keyboard Filter has the following features: + +- Supports hardware keyboards, the standard Windows on-screen keyboard, and the touch keyboard (TabTip.exe) +- Suppresses key combinations even when they come from multiple keyboards + + For example, if a user presses the Ctrl key and the Alt key on a hardware keyboard, while at the same time pressing Delete on a software keyboard, Keyboard Filter can still detect and suppress the Ctrl+Alt+Delete functionality. 
+ +- Supports numeric keypads and keys designed to access media player and browser functionality +- Can configure a key to breakout of a locked down user session to return to the Welcome screen +- Automatically handles dynamic layout changes +- Can be enabled or disabled for administrator accounts +- Can force disabling of Ease of Access functionality +- Supports x86 and x64 architectures + +## Keyboard scan codes and layouts + +When a key is pressed on a physical keyboard, the keyboard sends a scan code to the keyboard driver. The driver then sends the scan code to the OS and the OS converts the scan code into a virtual key based on the current active layout. The layout defines the mapping of keys on the physical keyboard, and has many variants. A key on a keyboard always sends the same scan code when pressed, however this scan code can map to different virtual keys for different layouts. For example, in the English (United States) keyboard layout, the key to the right of the P key maps to `{`. However, in the Swedish (Sweden) keyboard layout, the same key maps to `Å`. + +Keyboard Filter can block keys either by the scan code or the virtual key. Blocking keys by the scan code is useful for custom keyboards that have special scan codes that don't translate into any single virtual key. Blocking keys by the virtual key is more convenient because it's easier to read and Keyboard Filter suppresses the key correctly even when the location of the key changes because of a layout change. + +When you configure Keyboard Filter to block keys by using the virtual key, you must use the English names for the virtual keys. For more information about the names of the virtual keys, see keyboard filter key names. + +For the Windows on-screen keyboard, keyboard filter converts each keystroke into a scan code based on the layout, and back into a virtual key. 
This allows keyboard filter to suppress the on-screen keyboard keys in the same manner as physical keyboard keys if they're configured with either scan code or virtual key. + +## Keyboard Filter and ease of access features + +By default, ease of access features are enabled and Keyboard Filter is disabled for administrator accounts. + +If Sticky Keys are enabled, a user can bypass Keyboard Filter in certain situations. You can configure keyboard filter to disable all ease of access features and prevent users from enabling them. + +You can enable ease of access features for administrator accounts, while still disabling them for standard user accounts, by making sure that Keyboard Filter is disabled for administrator accounts. + +## Keyboard Filter configuration + +You can configure the following options for Keyboard Filter: + +- Set/unset predefined key combinations to be suppressed +- Add/remove custom defined key combinations to be suppressed +- Enable/disable keyboard filter for administrator accounts +- Force disabling ease of access features +- Configure a breakout key sequence to break out of a locked down account + +Most configuration changes take effect immediately. Some changes, such as enabling or disabling Keyboard Filter for administrators, don't take effect until the user signs out of the account and then back in. If you change the breakout key scan code, you must restart the device before the change take effect. + +You can configure keyboard filter by using Windows Management Instrumentation (WMI) providers. You can use the Keyboard Filter WMI providers directly in a PowerShell script or in an application. + +For more information about Keyboard Filter WMI providers, see [Keyboard Filter WMI provider reference](keyboardfilter-wmi-provider-reference.md). + +## Keyboard breakout + +You may need to sign in to a locked down device with a different account in order to service or configure the device. 
You can configure a breakout key to break out of a locked down account by specifying a key scan code. A user can press this key consecutively five times to switch to the Welcome screen so that you can sign in to a different account. + +The breakout key is set to the scan code for the left Windows logo key by default. You can use the [WEKF_Settings](wekf-settings.md) WMI class to change the breakout key scan code. If you change the breakout key scan code, you must restart the device before the change takes effect. + +## Keyboard Filter considerations + +Starting a device in Safe Mode bypasses keyboard filter. The Keyboard Filter service isn't loaded in Safe Mode, and keys aren't blocked in Safe Mode. + +Keyboard filter can't block the Sleep key. + +Some hardware keys, such as rotation lock, don't have a defined virtual key. You can still block these keys by using the scan code of the key. + +The add (+), multiply (\*), subtract (-), divide (/), and decimal (.) keys have different virtual keys and scan codes on the numeric keypad than on the main keyboard. You must block both keys to block these keys. For example, to block the multiply key, you must add a rule to block "\*" and a rule to block Multiply. + +When locking the screen by using the on-screen keyboard, or a combination of a physical keyboard and the on-screen keyboard, the on-screen keyboard sends an extra Windows logo key keystroke to the OS. If your device is using the Windows 10 shell and you use keyboard filter to block Windows logo key+L, the extra Windows logo key keystroke causes the shell to switch between the **Start** screen and the last active app when a user attempts to lock the device by using the on-screen keyboard, which may be unexpected behavior. + +Some custom keyboard software, such as Microsoft IntelliType Pro, can install Keyboard Filter drivers that prevent Keyboard Filter from being able to block some or all keys, typically extended keys like BrowserHome and Search. 
+ +## In this section + +- [Keyboard Filter key names](keyboardfilter-key-names.md) +- [Predefined key combinations](predefined-key-combinations.md) +- [Keyboard Filter WMI provider reference](keyboardfilter-wmi-provider-reference.md) +- [Windows PowerShell script samples for Keyboard Filter](keyboardfilter-powershell-script-samples.md) \ No newline at end of file diff --git a/windows/configuration/keyboard-filter/keyboardfilter-add-blocked-key-combinations.md b/windows/configuration/keyboard-filter/keyboardfilter-add-blocked-key-combinations.md new file mode 100644 index 0000000000..acb297b422 --- /dev/null +++ b/windows/configuration/keyboard-filter/keyboardfilter-add-blocked-key-combinations.md 
@@ -0,0 +1,163 @@ +--- +title: Add blocked key combinations +description: Add blocked key combinations +ms.assetid: f51892fc-0262-4b25-b117-6e131b86fb68 +author: TerryWarwick +ms.author: twarwick +ms.date: 01/13/2025 +ms.topic: reference +--- + +# Add blocked key combinations + +[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)] + +The following sample Windows PowerShell script uses the Windows Management Instrumentation (WMI) providers for Keyboard Filter to create three functions to configure Keyboard Filter so that Keyboard Filter blocks key combinations. It demonstrates several ways to use each function. + +The first function, `Enable-Predefine-Key`, blocks key combinations that are predefined for Keyboard Filter. + +The second function, `Enable-Custom-Key`, blocks custom key combinations by using the English key names. + +The third function, `Enable-Scancode`, blocks custom key combinations by using the keyboard scan code for the key. + +## Enable-rules.ps1 + +```powershell +# +# Copyright (C) Microsoft. All rights reserved. +# + +<# +.Synopsis + This script shows how to use the built in WMI providers to enable and add + keyboard filter rules through Windows PowerShell on the local computer. +.Parameter ComputerName + Optional parameter to specify a remote machine that this script should + manage. If not specified, the script will execute all WMI operations + locally. +#> +param ( + [String] $ComputerName +) + +$CommonParams = @{"namespace"="root\standardcimv2\embedded"} +$CommonParams += $PSBoundParameters + +function Enable-Predefined-Key($Id) { + <# + .Synopsis + Toggle on a Predefined Key keyboard filter Rule + .Description + Use Get-WMIObject to enumerate all WEKF_PredefinedKey instances, + filter against key value "Id", and set that instance's "Enabled" + property to 1/true. 
+ .Example + Enable-Predefined-Key "Ctrl+Alt+Del" + Enable CAD filtering +#> + + $predefined = Get-WMIObject -class WEKF_PredefinedKey @CommonParams | + where { + $_.Id -eq "$Id" + }; + + if ($predefined) { + $predefined.Enabled = 1; + $predefined.Put() | Out-Null; + Write-Host Enabled $Id + } else { + Write-Error "$Id is not a valid predefined key" + } +} + + +function Enable-Custom-Key($Id) { + <# + .Synopsis + Toggle on a Custom Key keyboard filter Rule + .Description + Use Get-WMIObject to enumerate all WEKF_CustomKey instances, + filter against key value "Id", and set that instance's "Enabled" + property to 1/true. + + In the case that the Custom instance does not exist, add a new + instance of WEKF_CustomKey using Set-WMIInstance. + .Example + Enable-Custom-Key "Ctrl+V" + Enable filtering of the Ctrl + V sequence. +#> + + $custom = Get-WMIObject -class WEKF_CustomKey @CommonParams | + where { + $_.Id -eq "$Id" + }; + + if ($custom) { +# Rule exists. Just enable it. + $custom.Enabled = 1; + $custom.Put() | Out-Null; + "Enabled Custom Filter $Id."; + + } else { + Set-WMIInstance ` + -class WEKF_CustomKey ` + -argument @{Id="$Id"} ` + @CommonParams | Out-Null + "Added Custom Filter $Id."; + } +} + +function Enable-Scancode($Modifiers, [int]$Code) { + <# + .Synopsis + Toggle on a Scancode keyboard filter Rule + .Description + Use Get-WMIObject to enumerate all WEKF_Scancode instances, + filter against key values of "Modifiers" and "Scancode", and set + that instance's "Enabled" property to 1/true. + + In the case that the Scancode instance does not exist, add a new + instance of WEKF_Scancode using Set-WMIInstance. + .Example + Enable-Scancode "Ctrl" 37 + Enable filtering of the Ctrl + keyboard scancode 37 (base-10) + sequence. 
+#> + + $scancode = + Get-WMIObject -class WEKF_Scancode @CommonParams | + where { + ($_.Modifiers -eq $Modifiers) -and ($_.Scancode -eq $Code) + } + + if($scancode) { + $scancode.Enabled = 1 + $scancode.Put() | Out-Null + "Enabled Custom Scancode {0}+{1:X4}" -f $Modifiers, $Code + } else { + Set-WMIInstance ` + -class WEKF_Scancode ` + -argument @{Modifiers="$Modifiers"; Scancode=$Code} ` + @CommonParams | Out-Null + + "Added Custom Scancode {0}+{1:X4}" -f $Modifiers, $Code + } +} + +# Some example uses of the functions defined above. +Enable-Predefined-Key "Ctrl+Alt+Del" +Enable-Predefined-Key "Ctrl+Esc" +Enable-Custom-Key "Ctrl+V" +Enable-Custom-Key "Numpad0" +Enable-Custom-Key "Shift+Numpad1" +Enable-Custom-Key "%" +Enable-Scancode "Ctrl" 37 +``` + +## Related topics + +[Windows PowerShell script samples for keyboard filter](keyboardfilter-powershell-script-samples.md) + +[Keyboard filter WMI provider reference](keyboardfilter-wmi-provider-reference.md) + +[Keyboard filter](index.md) diff --git a/windows/configuration/keyboard-filter/keyboardfilter-key-names.md b/windows/configuration/keyboard-filter/keyboardfilter-key-names.md new file mode 100644 index 0000000000..39de2bc029 --- /dev/null +++ b/windows/configuration/keyboard-filter/keyboardfilter-key-names.md 
@@ -0,0 +1,181 @@ +--- +title: Keyboard Filter key names +description: Keyboard Filter key names +author: TerryWarwick +ms.author: twarwick +ms.date: 01/13/2025 +ms.topic: reference +--- + +# Keyboard Filter key names + +[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)] + +You can configure Keyboard Filter to block keys or key combinations. A key combination consists of one or more modifier keys, separated by a plus sign (+), and either a key name or a key scan code. In addition to the keys listed in the following tables, you can use the predefined key combinations names as custom key combinations. However, we recommend using the predefined key settings when enabling or disabling predefined key combinations. + +The key names are grouped as follows: + +- [Modifier keys](#modifier-keys) +- [System keys](#system-keys) +- [Cursor and edit keys](#cursor-and-edit-keys) +- [State keys](#state-keys) +- [OEM keys](#oem-keys) +- [Function keys](#function-keys) +- [Numeric keypad keys](#numeric-keypad-keys) + +## Modifier keys + +You can use the modifier keys listed in the following table when you configure keyboard filter. Multiple modifiers are separated by a plus sign (+). You can also configure Keyboard Filter to block any modifier key even if it's not part of a key combination. 
+ +| Modifier key name | Virtual key | Description | +| ----------------- | ----------- | ----------- | +| `Ctrl` | VK_CONTROL | The Ctrl key | +| `LCtrl` | VK_LCONTROL | The left Ctrl key | +| `RCtrl` | VK_RCONTROL | The right Ctrl key | +| `Control` | VK_CONTROL | The Ctrl key | +| `LControl` | VK_LCONTROL | The left Ctrl key | +| `RControl` | VK_RCONTROL | The right Ctrl key | +| `Alt` | VK_MENU | The Alt key | +| `LAlt` | VK_LMENU | The left Alt key | +| `RAlt` | VK_RMENU | The right Alt key | +| `Shift` | VK_SHIFT | The Shift key | +| `LShift` | VK_LSHIFT | The left Shift key | +| `RShift` | VK_RSHIFT | The right Shift key | +| `Win` | VK_WIN | The Windows logo key | +| `LWin` | VK_LWIN | The left Windows logo key | +| `RWin` | VK_RWIN | The right Windows logo key | +| `Windows` | VK_WIN | The Windows logo key | +| `LWindows` | VK_LWIN | The left Windows logo key | +| `RWindows` | VK_RWIN | The right Windows key | + +## System keys + +| Modifier key name | Virtual key | Description | +| ----------------- | ----------- | ----------- | +| `Ctrl` | VK_CONTROL | The Ctrl key | +| `LCtrl` | VK_LCONTROL | The left Ctrl key | +| `RCtrl` | VK_RCONTROL | The right Ctrl key | +| `Control` | VK_CONTROL | The Ctrl key | +| `LControl` | VK_LCONTROL | The left Ctrl key | +| `RControl` | VK_RCONTROL | The right Ctrl key | +| `Alt` | VK_MENU | The Alt key | +| `LAlt` | VK_LMENU | The left Alt key | +| `RAlt` | VK_RMENU | The right Alt key | +| `Shift` | VK_SHIFT | The Shift key | +| `LShift` | VK_LSHIFT | The left Shift key | +| `RShift` | VK_RSHIFT | The right Shift key | +| `Win` | VK_WIN | The Windows logo key | +| `LWin` | VK_LWIN | The left Windows logo key | +| `RWin` | VK_RWIN | The right Windows logo key | +| `Windows` | VK_WIN | The Windows logo key | +| `LWindows` | VK_LWIN | The left Windows logo key | +| `RWindows` | VK_RWIN | The right Windows logo key | + +## Cursor and edit keys + +| Key name | Virtual key | Description | +| ----------------- | ----------- | 
----------- | +| `PageUp` | VK_PRIOR | The Page Up key | +| `Prior` | VK_PRIOR | The Page Up key | +| `PgUp` | VK_PRIOR | The Page Up key | +| `PageDown` | VK_NEXT | The Page Down key | +| `PgDown` | VK_NEXT | The Page Down key | +| `Next` | VK_NEXT | The Page Down key | +| `End` | VK_END | The End key | +| `Home` | VK_HOME | The Home key | +| `Left` | VK_LEFT | The Left Arrow key | +| `Up` | VK_UP | The Up Arrow key | +| `Right` | VK_RIGHT | The Right Arrow key | +| `Down` | VK_DOWN | The Down Arrow key | +| `Insert` | VK_INSERT | The Insert key | +| `Delete` | VK_DELETE | The Delete key | +| `Del` | VK_DELETE | The Delete key | +| `Separator` | VK_SEPARATOR | The Separator key | + +## State keys + +| Key name | Virtual key | Description | +| ----------------- | ----------- | ----------- | +| `NumLock` | VK_NUMLOCK | The Num Lock key | +| `ScrollLock` | VK_SCROLL | The Scroll Lock key | +| `Scroll` | VK_SCROLL | The Scroll Lock key | +| `CapsLock` | VK_CAPITAL | The Caps Lock key | +| `Capital` | VK_CAPITAL | The Caps Lock key | + +## OEM keys + +| Key name | Virtual key | Description | +| ----------------- | ----------- | ----------- | +| `KeypadEqual` | VK_OEM_NEC_EQUAL | The Equals (=) key on the numeric keypad (OEM-specific) | +| `Dictionary` | VK_OEM_FJ_JISHO | The Dictionary key (OEM-specific) | +| `Unregister` | VK_OEM_FJ_MASSHOU | The Unregister Word key (OEM-specific) | +| `Register` | VK_OEM_FJ_TOUROKU | The Register Word key (OEM-specific) | +| `LeftOyayubi` | VK_OEM_FJ_LOYA | The Left OYAYUBI key (OEM-specific) | +| `RightOyayubi` | VK_OEM_FJ_ROYA | The Right OYAYUBI key (OEM-specific) | +| `OemPlus` | VK_OEM_PLUS | For any country/region, the Plus Sign (+) key | +| `OemComma` | VK_OEM_COMMA | For any country/region, the Comma (,) key | +| `OemMinus` | VK_OEM_MINUS | For any country/region, the Minus Sign (-) key | +| `OemPeriod` | VK_OEM_PERIOD | For any country/region, the Period (.) 
key | +| `Oem1` | VK_OEM_1 | Varies by keyboard | +| `Oem2` | VK_OEM_2 | Varies by keyboard | +| `Oem3` | VK_OEM_3 | Varies by keyboard | +| `Oem4` | VK_OEM_4 | Varies by keyboard | +| `Oem5` | VK_OEM_5 | Varies by keyboard | +| `Oem6` | VK_OEM_6 | Varies by keyboard | +| `Oem7` | VK_OEM_7 | Varies by keyboard | +| `Oem8` | VK_OEM_8 | Varies by keyboard | +| `OemAX` | VK_OEM_AX | The AX key on a Japanese AX keyboard | +| `Oem102` | VK_OEM_102 | Either the angle bracket key or the backslash key on the RT 102-key keyboard | + +## Function keys + +| Key name | Virtual key | Description | +| ----------------- | ----------- | ----------- | +| `F1` | VK_F1 | The F1 key | +| `F2` | VK_F2 | The F2 key | +| `F3` | VK_F3 | The F3 key | +| `F4` | VK_F4 | The F4 key | +| `F5` | VK_F5 | The F5 key | +| `F6` | VK_F6 | The F6 key | +| `F7` | VK_F7 | The F7 key | +| `F8` | VK_F8 | The F8 key | +| `F9` | VK_F9 | The F9 key | +| `F10` | VK_F10 | The F10 key | +| `F11` | VK_F11 | The F11 key | +| `F12` | VK_F12 | The F12 key | +| `F13` | VK_F13 | The F13 key | +| `F14` | VK_F14 | The F14 key | +| `F15` | VK_F15 | The F15 key | +| `F16` | VK_F16 | The F16 key | +| `F17` | VK_F17 | The F17 key | +| `F18` | VK_F18 | The F18 key | +| `F19` | VK_F19 | The F19 key | +| `F20` | VK_F20 | The F20 key | +| `F21` | VK_F21 | The F21 key | +| `F22` | VK_F22 | The F22 key | +| `F23` | VK_F23 | The F23 key | +| `F24` | VK_F24 | The F24 key | + +## Numeric keypad keys + +| Key name | Virtual key | Description | +| ----------------- | ----------- | ----------- | +| `Numpad0` | VK_NUMPAD0 | The 0 key on the numeric keypad | +| `Numpad1` | VK_NUMPAD1 | The 1 key on the numeric keypad | +| `Numpad2` | VK_NUMPAD2 | The 2 key on the numeric keypad | +| `Numpad3` | VK_NUMPAD3 | The 3 key on the numeric keypad | +| `Numpad4` | VK_NUMPAD4 | The 4 key on the numeric keypad | +| `Numpad5` | VK_NUMPAD5 | The 5 key on the numeric keypad | +| `Numpad6` | VK_NUMPAD6 | The 6 key on the numeric keypad | +| `Numpad7` 
| VK_NUMPAD7 | The 7 key on the numeric keypad | +| `Numpad8` | VK_NUMPAD8 | The 8 key on the numeric keypad | +| `Numpad9` | VK_NUMPAD9 | The 9 key on the numeric keypad | +| `Multiply` | VK_MULTIPLY | The Multiply (*) key on the numeric keypad | +| `Add` | VK_ADD | The Add (+) key on the numeric keypad | +| `Subtract` | VK_SUBTRACT | The Subtract (-) key on the numeric keypad | +| `Decimal` | VK_DECIMAL | The Decimal (.) key on the numeric keypad | +| `Divide` | VK_DIVIDE | The Divide (/) key on the numeric keypad | + +## Related articles + +- [Keyboard filter](index.md) diff --git a/windows/configuration/keyboard-filter/keyboardfilter-list-all-configured-key-combinations.md b/windows/configuration/keyboard-filter/keyboardfilter-list-all-configured-key-combinations.md new file mode 100644 index 0000000000..2fa1f6d8e2 --- /dev/null +++ b/windows/configuration/keyboard-filter/keyboardfilter-list-all-configured-key-combinations.md 
@@ -0,0 +1,73 @@ +--- +title: List all configured key combinations +description: List all configured key combinations +author: TerryWarwick +ms.author: twarwick +ms.date: 01/13/2025 +ms.topic: reference +--- + +# List all configured key combinations + +[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)] + +The following sample Windows PowerShell script uses the Windows Management Instrumentation (WMI) providers for Keyboard Filter to displays all key combination configurations for Keyboard Filter. + +## List-rules.ps1 + +```powershell +# +# Copyright (C) Microsoft. All rights reserved. +# + +<# +.Synopsis + Enumerate all active keyboard filter rules on the system. +.Description + For each instance of WEKF_PredefinedKey, WEKF_CustomKey, and WEKF_Scancode, + get the Enabled property. If Enabled, then output a short description + of the rule. +.Parameter ComputerName + Optional parameter to specify the remote machine that this script should + manage. If not specified, the script will execute all WMI operations + locally. 
+#> +param ( + [String] $ComputerName +) + +$CommonParams = @{"namespace"="root\standardcimv2\embedded"} +$CommonParams += $PSBoundParameters + +write-host Enabled Predefined Keys -foregroundcolor cyan +Get-WMIObject -class WEKF_PredefinedKey @CommonParams | + foreach { + if ($_.Enabled) { + write-host $_.Id + } + } + +write-host Enabled Custom Keys -foregroundcolor cyan +Get-WMIObject -class WEKF_CustomKey @CommonParams | + foreach { + if ($_.Enabled) { + write-host $_.Id + } + } + +write-host Enabled Scancodes -foregroundcolor cyan +Get-WMIObject -class WEKF_Scancode @CommonParams | + foreach { + if ($_.Enabled) { + "{0}+{1:X4}" -f $_.Modifiers, $_.Scancode + } + } +``` + +## Related articles + +[Windows PowerShell script samples for keyboard filter](keyboardfilter-powershell-script-samples.md) + +[Keyboard filter WMI provider reference](keyboardfilter-wmi-provider-reference.md) + +[Keyboard filter](index.md) diff --git a/windows/configuration/keyboard-filter/keyboardfilter-powershell-script-samples.md b/windows/configuration/keyboard-filter/keyboardfilter-powershell-script-samples.md new file mode 100644 index 0000000000..8f8048582e --- /dev/null +++ b/windows/configuration/keyboard-filter/keyboardfilter-powershell-script-samples.md 
@@ -0,0 +1,28 @@ +--- +title: Windows PowerShell script samples for Keyboard Filter +description: Windows PowerShell script samples for Keyboard Filter +author: TerryWarwick +ms.author: twarwick +ms.date: 01/13/2025 +ms.topic: reference +--- + +# Windows PowerShell script samples for Keyboard Filter + +[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)] + +The list below describes sample Windows PowerShell scripts that demonstrate how to use the Windows Management Instrumentation (WMI) providers for Keyboard Filter. + +| Script | Description | +| ------ | ----------- | +| [Add blocked key combinations](keyboardfilter-add-blocked-key-combinations.md) | Demonstrates how to block key combinations for Keyboard Filter.| +| [Disable all blocked key combinations](disable-all-blocked-key-combinations.md) | Demonstrates how to disable all blocked key combinations for Keyboard Filter. | +| [List all configured key combinations](keyboardfilter-list-all-configured-key-combinations.md) | Demonstrates how to list all defined key combination configurations for Keyboard Filter. | +| [Modify global settings](modify-global-settings.md) | Demonstrates how to modify global settings for Keyboard Filter. | +| [Remove key combination configurations](remove-key-combination-configurations.md) | Demonstrates how to remove a custom defined key combination configuration for Keyboard Filter. | + +## Related articles + +[Keyboard Filter WMI provider reference](keyboardfilter-wmi-provider-reference.md) + +[Keyboard Filter](index.md) diff --git a/windows/configuration/keyboard-filter/keyboardfilter-wmi-provider-reference.md b/windows/configuration/keyboard-filter/keyboardfilter-wmi-provider-reference.md new file mode 100644 index 0000000000..798cef5c0f --- /dev/null +++ b/windows/configuration/keyboard-filter/keyboardfilter-wmi-provider-reference.md 
@@ -0,0 +1,25 @@ +--- +title: Keyboard Filter WMI provider reference +description: Keyboard Filter WMI provider reference +author: TerryWarwick +ms.author: twarwick +ms.date: 01/13/2025 +ms.topic: reference +--- + +# Keyboard Filter WMI provider reference + +[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)] + +Describes the Windows Management Instrumentation (WMI) provider classes that you use to configure Keyboard Filter during run time. + +| WMI Provider Class | Description | +| ------------------ | ----------- | +| [WEKF_CustomKey](wekf-customkey.md) | Blocks or unblocks custom defined key combinations. | +| [WEKF_PredefinedKey](wekf-predefinedkey.md) | Blocks or unblocks predefined key combinations. | +| [WEKF_Scancode](wekf-scancode.md) | Blocks or unblocks key combinations by using keyboard scan codes. | +| [WEKF_Settings](wekf-settings.md) | Enables or disables settings for Keyboard Filter. | + +## Related topics + +[Keyboard filter](index.md) diff --git a/windows/configuration/keyboard-filter/modify-global-settings.md b/windows/configuration/keyboard-filter/modify-global-settings.md new file mode 100644 index 0000000000..2b69a9de23 --- /dev/null +++ b/windows/configuration/keyboard-filter/modify-global-settings.md 
@@ -0,0 +1,174 @@ +--- +title: Modify global settings +description: Modify global settings +author: TerryWarwick +ms.author: twarwick +ms.date: 01/13/2025 +ms.topic: how-to +--- + +# Modify global settings + +[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)] + +The following sample Windows PowerShell scripts use the Windows Management Instrumentation (WMI) providers to modify global settings for Keyboard Filter. + +The function **Get-Setting** retrieves the value of a global setting for Keyboard Filter. + +In the first script, the function **Set-DisableKeyboardFilterForAdministrators** modifies the value of the **DisableKeyboardFilterForAdministrators** setting. + +In the second script, the function **Set-ForceOffAccessibility** modifies the value of the **ForceOffAccessibility** setting. + +## Set-DisableKeyboardFilterForAdministrators.ps1 + +```powershell +# +# Copyright (C) Microsoft. All rights reserved. +# + +<# +.Synopsis + This script shows how to enumerate WEKF_Settings to find global settings + that can be set on the keyboard filter. In this specific script, the + global setting to be set is "DisableKeyboardFilterForAdministrators". +.Parameter ComputerName + Optional parameter to specify a remote computer that this script should + manage. If not specified, the script will execute all WMI operations + locally. +.Parameter On + Switch if present that sets "DisableKeyboardFilterForAdministrators" to + true. If not present, sets the setting to false. +#> + +param ( + [Switch] $On = $False, + [String] $ComputerName +) + +$CommonParams = @{"namespace"="root\standardcimv2\embedded"}; +if ($PSBoundParameters.ContainsKey("ComputerName")) { + $CommonParams += @{"ComputerName" = $ComputerName}; +} + +function Get-Setting([String] $Name) { + <# + .Synopsis + Get a WMIObject by name from WEKF_Settings + .Parameter Name + The name of the setting, which is the key for the WEKF_Settings class. 
+#> + $Entry = Get-WMIObject -class WEKF_Settings @CommonParams | + where { + $_.Name -eq $Name + } + + return $Entry +} + +function Set-DisableKeyboardFilterForAdministrators([Bool] $Value) { + <# + .Synopsis + Set the DisableKeyboardFilterForAdministrators setting to true or + false. + .Description + Set DisableKeyboardFilterForAdministrators to true or false based + on $Value + .Parameter Value + A Boolean value +#> + + $Setting = Get-Setting("DisableKeyboardFilterForAdministrators") + if ($Setting) { + if ($Value) { + $Setting.Value = "true" + } else { + $Setting.Value = "false" + } + $Setting.Put() | Out-Null; + } else { + Write-Error "Unable to find DisableKeyboardFilterForAdministrators setting"; + } +} + +Set-DisableKeyboardFilterForAdministrators $On +``` + +## Set-ForceOffAccessibility.ps1 + +```powershell +# +# Copyright (C) Microsoft. All rights reserved. +# + +<# +.Synopsis + This script shows how to enumerate WEKF_Settings to find global settings + that can be set on the keyboard filter. In this specific script, the + global setting to be set is "ForceOffAccessibility". +.Parameter ComputerName + Optional parameter to specify a remote computer that this script should + manage. If not specified, the script will execute all WMI operations + locally. +.Parameter Enabled + Switch if present that sets "ForceOffAccessibility" to true. If not + present, sets the setting to false. +#> + +param ( + [Switch] $Enabled = $False, + [String] $ComputerName +) + +$CommonParams = @{"namespace"="root\standardcimv2\embedded"}; +if ($PSBoundParameters.ContainsKey("ComputerName")) { + $CommonParams += @{"ComputerName" = $ComputerName}; +} + +function Get-Setting([String] $Name) { + <# + .Synopsis + Get a WMIObject by name from WEKF_Settings + .Parameter Name + The name of the setting, which is the key for the WEKF_Settings class. 
+#> + $Entry = Get-WMIObject -class WEKF_Settings @CommonParams | + where { + $_.Name -eq $Name + } + + return $Entry +} + +function Set-ForceOffAccessibility([Bool] $Value) { + <# + .Synopsis + Set the ForceOffAccessibility setting to true or false. + .Description + Set ForceOffAccessibility to true or false based on $Value + .Parameter Value + A Boolean value +#> + + $Setting = Get-Setting("ForceOffAccessibility") + if ($Setting) { + if ($Value) { + $Setting.Value = "true" + } else { + $Setting.Value = "false" + } + $Setting.Put() | Out-Null; + } else { + Write-Error "Unable to find ForceOffAccessibility setting"; + } +} + +Set-ForceOffAccessibility $Enabled +``` + +## Related topics + +[Windows PowerShell script samples for keyboard filter](keyboardfilter-powershell-script-samples.md) + +[WEKF_Settings](wekf-settings.md) + +[Keyboard filter](index.md) diff --git a/windows/configuration/keyboard-filter/predefined-key-combinations.md b/windows/configuration/keyboard-filter/predefined-key-combinations.md new file mode 100644 index 0000000000..17df2fd3a5 --- /dev/null +++ b/windows/configuration/keyboard-filter/predefined-key-combinations.md 
@@ -0,0 +1,162 @@ +--- +title: Predefined key combinations +description: Predefined key combinations +author: TerryWarwick +ms.author: twarwick +ms.date: 01/13/2025 +ms.topic: reference +--- + +# Predefined key combinations + +[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)] + +This topic lists a set of key combinations that are predefined by a keyboard filter. You can list the value of the WEKF_PredefinedKey.Id to get a complete list of key combinations defined by a keyboard filter. + +You can use the values in the WEKF_PredefinedKey.Id column to configure the Windows Management Instrumentation (WMI) class [WEKF_PredefinedKey](wekf-predefinedkey.md). + +## Accessibility keys + +The following table contains predefined key combinations for accessibility: + +| Key combination | WEKF_PredefinedKey.Id | Blocked behavior | +|:-------------------------------------|:--------------------------|:----------------------------| +| Left Alt + Left Shift + Print Screen | **LShift+LAlt+PrintScrn** | Open High Contrast. | +| Left Alt + Left Shift + Num Lock | **LShift+LAlt+NumLock** | Open Mouse Keys. | +| Windows logo key + U | **Win+U** | Open Ease of Access Center. | + +## Application keys + +The following table contains predefined key combinations for controlling application state: + +| Key combination | WEKF_PredefinedKey.Id | Blocked behavior | +|:----------------------|:----------------------|:-------------------| +| Alt + F4 | **Alt+F4** | Close application. | +| Ctrl + F4 | **Ctrl+F4** | Close window. | +| Windows logo key + F1 | **Win+F1** | Open Windows Help. 
| + +## Shell keys + +The following table contains predefined key combinations for general UI control: + +| Key combination | WEKF_PredefinedKey.Id | Blocked behavior | +|:---------------------------------------|:----------------------|:-------------------------------------------------------------------------------------------------------------------------------------| +| Alt + Spacebar | **Alt+Space** | Open shortcut menu for the active window. | +| Ctrl + Esc | **Ctrl+Esc** | Open the Start screen. | +| Ctrl + Windows logo key + F | **Ctrl+Win+F** | Open Find Computers. | +| Windows logo key + Break | **Win+Break** | Open System dialog box. | +| Windows logo key + E | **Win+E** | Open Windows Explorer. | +| Windows + F | **Win+F** | Open Search. | +| Windows logo key + P | **Win+P** | Cycle through Presentation Mode. Also blocks the Windows logo key + Shift + P and the Windows logo key + Ctrl + P key combinations. | +| Windows logo key + R | **Win+R** | Open Run dialog box. | +| Alt + Tab | **Alt+Tab** | Switch task. Also blocks the Alt + Shift + Tab key combination. | +| Ctrl + Tab | **Ctrl+Tab** | Switch window. | +| Windows logo key + Tab | **Win+Tab** | Cycle through Microsoft Store apps. Also blocks the Windows logo key + Ctrl + Tab and Windows logo key + Shift + Tab key combinations. | +| Windows logo key + D | **Win+D** | Show desktop. | +| Windows logo key + M | **Win+M** | Minimize all windows. | +| Windows logo key + Home | **Win+Home** | Minimize or restore all inactive windows. | +| Windows logo key + T | **Win+T** | Set focus on taskbar and cycle through programs. | +| Windows logo key + B | **Win+B** | Set focus in the notification area. | +| Windows logo key + Minus Sign | **Win+-** | Zoom out. | +| Windows logo key + Plus Sign | **Win++** | Zoom in. | +| Windows logo key + Esc | **Win+Esc** | Close Magnifier application. | +| Windows logo key + Up Arrow | **Win+Up** | Maximize the active window. 
| +| Windows logo key + Down Arrow | **Win+Down** | Minimize the active window. | +| Windows logo key + Left Arrow | **Win+Left** | Snap the active window to the left half of screen. | +| Windows logo key + Right Arrow | **Win+Right** | Snap the active window to the right half of screen. | +| Windows logo key + Shift + Up Arrow | **Win+Shift+Up** | Maximize the active window vertically. | +| Windows logo key + Shift + Down Arrow | **Win+Shift+Down** | Minimize the active window. | +| Windows logo key + Shift + Left Arrow | **Win+Shift+Left** | Move the active window to left monitor. | +| Windows logo key + Shift + Right Arrow | **Win+Shift+Right** | Move the active window to right monitor. | +| Windows logo key + Spacebar | **Win+Space** | Switch layout. | +| Windows logo key + O | **Win+O** | Lock device orientation. | +| Windows logo key + Page Up | **Win+PageUp** | Move a Microsoft Store app to the left monitor. | +| Windows logo key + Page Down | **Win+PageDown** | Move a Microsoft Store app to right monitor. | +| Windows logo key + Period | **Win+.** | Snap the current screen to the left or right gutter. Also blocks the Windows logo key + Shift + Period key combination. | +| Windows logo key + C | **Win+C** | Activate Cortana in listening mode (after user has enabled the shortcut through the UI). | +| Windows logo key + I | **Win+I** | Open Settings charm. | +| Windows logo key + K | **Win+K** | Open Connect charm. | +| Windows logo key + H | **Win+H** | Start dictation. | +| Windows logo key + Q | **Win+Q** | Open Search charm. | +| Windows logo key + W | **Win+W** | Open Windows Ink workspace. | +| Windows logo key + Z | **Win+Z** | Open app bar. | +| Windows logo key + / | **Win+/** | Open input method editor (IME). | +| Windows logo key + J | **Win+J** | Swap between snapped and filled applications. | +| Windows logo key + Comma | **Win+,** | Peek at the desktop. | +| Windows logo key + V | **Win+V** | Cycle through toasts in reverse order. 
| + +## Modifier keys + +The following table contains predefined key combinations for modifier keys (such as Shift and Ctrl): + +| Key combination | WEKF_PredefinedKey.Id | Blocked key | +|:-----------------|:----------------------|:-----------------------| +| Alt | **Alt** | Both Alt keys | +| Application | **Application** | Application key | +| Ctrl | **Ctrl** | Both Ctrl keys | +| Shift | **Shift** | Both Shift keys | +| Windows logo key | **Windows** | Both Windows logo keys | + +## Security keys + +The following table contains predefined key combinations for OS security: + +| Key combination | WEKF_PredefinedKey.Id | Blocked behavior | +|:-----------------------|:----------------------|:----------------------------------| +| Ctrl + Alt + Delete | **Ctrl+Alt+Del** | Open the Windows Security screen. | +| Ctrl + Shift + Esc | **Shift+Ctrl+Esc** | Open Task Manager. | +| Windows logo key + L | **Win+L** | Lock the device. | + +## Extended shell keys + +The following table contains predefined key combinations for extended shell functions (such as automatically opening certain apps): + +| Key combination | WEKF_PredefinedKey.Id | Blocked key | +|:--------------------|:----------------------|:------------------------| +| LaunchMail | **LaunchMail** | Start Mail key | +| LaunchMediaSelect | **LaunchMediaSelect** | Select Media key | +| LaunchApp1 | **LaunchApp1** | Start Application 1 key | +| LaunchApp2 | **LaunchApp2** | Start Application 2 key | + +## Browser keys + +The following table contains predefined key combinations for controlling the browser: + +| Key combination | WEKF_PredefinedKey.Id | Blocked key | +|:-----------------|:----------------------|:---------------------------| +| BrowserBack | **BrowserBack** | Browser Back key | +| BrowserForward | **BrowserForward** | Browser Forward key | +| BrowserRefresh | **BrowserRefresh** | Browser Refresh key | +| BrowserStop | **BrowserStop** | Browser Stop key | +| BrowserSearch | **BrowserSearch** | Browser 
Search key | +| BrowserFavorites | **BrowserFavorites** | Browser Favorites key | +| BrowserHome | **BrowserHome** | Browser Start and Home key | + +## Media keys + +The following table contains predefined key combinations for controlling media playback: + +| Key combination | WEKF_PredefinedKey.Id | Blocked key | +|:----------------|:----------------------|:---------------------| +| VolumeMute | **VolumeMute** | Volume Mute key | +| VolumeDown | **VolumeDown** | Volume Down key | +| VolumeUp | **VolumeUp** | Volume Up key | +| MediaNext | **MediaNext** | Next Track key | +| MediaPrev | **MediaPrev** | Previous Track key | +| MediaStop | **MediaStop** | Stop Media key | +| MediaPlayPause | **MediaPlayPause** | Play/Pause Media key | + +## Microsoft Surface keyboard keys + +The following table contains predefined key combinations for Microsoft Surface devices: + +| Key combination | WEKF_PredefinedKey.Id | Blocked key | +|:------------------------------|:----------------------|:-------------| +| Left Alt + Windows logo key | **AltWin** | Share key | +| Left Ctrl + Windows logo key | **CtrlWin** | Devices key | +| Left Shift + Windows logo key | **ShiftWin** | Search key | +| F21 | **F21** | Settings key | + +## Related topics + +[Keyboard filter](index.md) diff --git a/windows/configuration/keyboard-filter/remove-key-combination-configurations.md b/windows/configuration/keyboard-filter/remove-key-combination-configurations.md new file mode 100644 index 0000000000..eadd760d93 --- /dev/null +++ b/windows/configuration/keyboard-filter/remove-key-combination-configurations.md 
@@ -0,0 +1,108 @@ +--- +title: Remove key combination configurations +description: Remove key combination configurations +author: TerryWarwick +ms.author: twarwick +ms.date: 01/13/2025 +ms.topic: reference +--- + +# Remove key combination configurations + +[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)] + +The following sample Windows PowerShell script uses the Windows Management Instrumentation (WMI) providers for Keyboard Filter to create two functions to remove custom-defined key combination configurations from Keyboard Filter. It demonstrates several ways to use each function. + +The first function, **Remove-Custom-Key**, removes custom key combination configurations. + +The second function, **Remove-Scancode**, removes custom scan code configurations. + +You can't remove the predefined key combination configurations for Keyboard Filter, but you can disable them. + +## Remove-rules.ps1 + +```powershell +# +# Copyright (C) Microsoft. All rights reserved. +# + +<# +.Synopsis + This script shows how to use the build in WMI providers to remove keyboard filter rules. Rules of type WEKF_PredefinedKey cannot be removed. +.Parameter ComputerName + Optional parameter to specify the remote computer that this script should + manage. If not specified, the script will execute all WMI operations + locally. +#> + +param( + [string] $ComputerName +) + +$CommonParams = @{"namespace"="root\standardcimv2\embedded"} +$CommonParams += $PSBoundParameters + +function Remove-Custom-Key($Id) { + <# + .Synopsis + Remove an instance of WEKF_CustomKey + .Description + Enumerate all instances of WEKF_CustomKey. When an instance has an + Id that matches $Id, delete it. 
+ .Example + Remove-Custom-Key "Ctrl+V" + + This removes the instance of WEKF_CustomKey with a key Id of "Ctrl+V" +#> + + $customInstance = Get-WMIObject -class WEKF_CustomKey @CommonParams | + where {$_.Id -eq $Id} + + if ($customInstance) { + $customInstance.Delete(); + "Removed Custom Filter $Id."; + } else { + "Custom Filter $Id does not exist."; + } +} + +function Remove-Scancode($Modifiers, [int]$Code) { + <# + .Synopsis + Remove and instance of WEKF_Scancode + .Description + Enumerate all instances of WEKF_Scancode. When an instance has a + matching modifiers and code, delete it. + .Example + Remove-Scancode "Ctrl" 37 + + This removes the instance of WEKF_Scancode with Modifiers="Ctrl" and + Scancode=37. +#> + + $scancodeInstance = Get-WMIObject -class WEKF_Scancode @CommonParams | + where {($_.Modifiers -eq $Modifiers) -and ($_.Scancode -eq $Code)} + + if ($scancodeInstance) { + $scancodeInstance.Delete(); + "Removed Scancode $Modifiers+$Code."; + } else { + "Scancode $Modifiers+$Code does not exist."; + } +} + +# Some example uses of the functions defined above. +Remove-Custom-Key "Ctrl+V" +Remove-Custom-Key "Numpad0" +Remove-Custom-Key "Shift+Numpad1" +Remove-Custom-Key "%" +Remove-Scancode "Ctrl" 37 +``` + +## Related articles + +[Windows PowerShell script samples for keyboard filter](keyboardfilter-powershell-script-samples.md) + +[Keyboard filter WMI provider reference](keyboardfilter-wmi-provider-reference.md) + +[Keyboard filter](index.md) diff --git a/windows/configuration/keyboard-filter/toc.yml b/windows/configuration/keyboard-filter/toc.yml new file mode 100644 index 0000000000..7c09e1a75c --- /dev/null +++ b/windows/configuration/keyboard-filter/toc.yml 
@@ -0,0 +1,53 @@ +items: +- name: Keyboard Filter + items: + - name: About keyboard filter + href: index.md + - name: Key Names + href: keyboardfilter-key-names.md + - name: Predefined Key Combinations + href: keyboardfilter-list-all-configured-key-combinations.md + - name: WMI Provider Reference + items: + - name: Overview + href: keyboardfilter-wmi-provider-reference.md + - name: Class WEKF_CustomKey + items: + - name: Overview + href: wekf-customkey.md + - name: Add + href: wekf-customkeyadd.md + - name: Remove + href: wekf-customkeyremove.md + - name: Class WEKF_PredefinedKey + items: + - name: Overview + href: wekf-predefinedkey.md + - name: Disable + href: wekf-predefinedkeydisable.md + - name: Enable + href: wekf-predefinedkeyenable.md + - name: Class WEKF_Scancode + items: + - name: Overview + href: wekf-scancode.md + - name: Add + href: wekf-scancodeadd.md + - name: Remove + href: wekf-scancoderemove.md + - name: Class WEKF-Settings + href: wekf-settings.md + - name: PowerShell script samples + items: + - name: Overview + href: keyboardfilter-powershell-script-samples.md + - name: Add blocked key Combinations + href: keyboardfilter-add-blocked-key-combinations.md + - name: Disable all blocked key Combinations + href: disable-all-blocked-key-combinations.md + - name: List all configured key combinations + href: keyboardfilter-list-all-configured-key-combinations.md + - name: Modify global settings + href: modify-global-settings.md + - name: Remove key combination configurations + href: remove-key-combination-configurations.md \ No newline at end of file diff --git a/windows/configuration/keyboard-filter/wekf-customkey.md b/windows/configuration/keyboard-filter/wekf-customkey.md new file mode 100644 index 0000000000..d1869903ee --- /dev/null +++ b/windows/configuration/keyboard-filter/wekf-customkey.md 
@@ -0,0 +1,130 @@ +--- +title: WEKF_CustomKey +description: WEKF_CustomKey +author: TerryWarwick +ms.author: twarwick +ms.date: 01/13/2025 +ms.topic: reference +--- + + +# WEKF_CustomKey + +[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)] + +Adds or removes custom-defined key combinations. + +## Syntax + +```powershell +class WEKF_CustomKey { + [Static] uint32 Add( + [In] string CustomKey + ); + [Static] uint32 Remove( + [In] string CustomKey + ); + + [Key] string Id; + [Read, Write] boolean Enabled; +}; +``` + +## Members + +The following tables list any methods and properties that belong to this class. + +### Methods + +| Methods | Description | +|---------|-------------| +| [WEKF_CustomKey.Add](wekf-customkeyadd.md) | Creates a new custom key combination and enables Keyboard Filter to block the new key combination. | +| [WEKF_CustomKey.Remove](wekf-customkeyremove.md) | Removes the specified custom key combination. Keyboard Filter stops blocking the key combination that was removed. | + +### Properties + +| Property | Data type | Qualifiers | Description | +|----------|----------------|------------|--------------| +| **Id** | string | [key] | The name of the custom key combination. | +| **Enabled** | Boolean | [read, write] | Indicates if the key is blocked or unblocked. This property can be one of the following values
- **true** Indicates that the key is blocked.
- **false** Indicates that the key isn't blocked. | + +### Remarks + +You can specify key combinations by including the modifier keys in the name. The most common modifier names are >Ctrl, >Shift, >Alt, and >Win. You can't block a combination of non-modifier keys. For example, you can block a key combination of >Ctrl+>Shift+>F, but you can't block a key combination of >A+>D. + +When you block a >Shift-modified key, you must enter the key as >Shift + the unmodified key. For example, to block the >% key on an English keyboard layout, you must specify the key as >Shift+>5. Attempting to block >%, results in Keyboard Filter blocking >5 instead. + +When you specify the key combination to block, you must use the English names for the keys. For a list of the key names you can specify, see Keyboard Filter key names. + +## Example + +The following code demonstrates how to add or enable a custom key combination that Keyboard Filter will block by using the Windows Management Instrumentation (WMI) providers for Keyboard Filter. This example modifies the properties directly and doesn't call any of the methods defined in **WEKF_CustomKey**. + +```powershell +<# +.Synopsis + This script shows how to use the WMI provider to enable and add + Keyboard Filter rules through Windows PowerShell on the local computer. +.Parameter ComputerName + Optional parameter to specify a remote machine that this script should + manage. If not specified, the script will execute all WMI operations + locally. +#> +param ( + [String] $ComputerName +) + +$CommonParams = @{"namespace"="root\standardcimv2\embedded"} +$CommonParams += $PSBoundParameters + +function Enable-Custom-Key($Id) { + <# + .Synopsis + Toggle on a Custom Key Keyboard Filter Rule + .Description + Use Get-WMIObject to enumerate all WEKF_CustomKey instances, + filter against key value "Id", and set that instance's "Enabled" + property to 1/true. 
+ + In the case that the Custom instance does not exist, add a new + instance of WEKF_CustomKey using Set-WMIInstance. + .Example + Enable-Custom-Key "Ctrl+V" + + Enable filtering of the Ctrl + V sequence. +#> + + $custom = Get-WMIObject -class WEKF_CustomKey @CommonParams | + where { + $_.Id -eq "$Id" + }; + + if ($custom) { +# Rule exists. Just enable it. + $custom.Enabled = 1; + $custom.Put() | Out-Null; + "Enabled Custom Filter $Id."; + + } else { + Set-WMIInstance ` + -class WEKF_CustomKey ` + -argument @{Id="$Id"} ` + @CommonParams | Out-Null + + "Added Custom Filter $Id."; + } +} + + +# Some example uses of the function defined above. + +Enable-Custom-Key "Ctrl+V" +Enable-Custom-Key "Numpad0" +Enable-Custom-Key "Shift+Numpad1" +``` + +## Related articles + +[Keyboard Filter WMI provider reference](keyboardfilter-wmi-provider-reference.md) + +[Keyboard Filter key names](keyboardfilter-key-names.md) diff --git a/windows/configuration/keyboard-filter/wekf-customkeyadd.md b/windows/configuration/keyboard-filter/wekf-customkeyadd.md new file mode 100644 index 0000000000..cd56a93da5 --- /dev/null +++ b/windows/configuration/keyboard-filter/wekf-customkeyadd.md @@ -0,0 +1,96 @@ +--- +title: WEKF_CustomKey.Add +description: WEKF_CustomKey.Add +author: TerryWarwick +ms.author: twarwick +ms.date: 01/13/2025 +ms.topic: reference +--- + +# WEKF_CustomKey.Add + +[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)] + +Creates a new custom key combination and enables Keyboard Filter to block the new key combination. + +## Syntax + +```powershell +[Static] uint32 Add( + [In] string CustomKey +); +``` + +## Parameters + +**CustomKey**
\[in\] The custom key combination to add. For a list of valid key names, see [Keyboard Filter key names](keyboardfilter-key-names.md). + +## Return Value + +Returns an HRESULT value that indicates a [WMI Non-Error Constant](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI Error Constant](/windows/win32/wmisdk/wmi-error-constants). + +## Remarks + +**WEKF_CustomKey.Add** creates a new **WEKF_CustomKey** object and sets the **Enabled** property of the new object to **true**, and the **Id** property to *CustomKey*. + +If a **WEKF_CustomKey** object already exists with the **Id** property equal to *CustomKey*, then **WEKF_CustomKey.Add** returns an error code and doesn't create a new object or modify any properties of the existing object. If the existing **WEKF_CustomKey** object has the **Enabled** property set to **false**, Keyboard Filter does not block the custom key combination. + +## Example + +The following code demonstrates how to add or enable a custom key that Keyboard Filter will block by using the Windows Management Instrumentation (WMI) providers for Keyboard Filter. 
+ +```powershell +$COMPUTER = "localhost" +$NAMESPACE = "root\standardcimv2\embedded" + +# Create a handle to the class instance so we can call the static methods +$classCustomKey = [wmiclass]"\\$COMPUTER\${NAMESPACE}:WEKF_CustomKey" + +# Create a function to add or enable a key combination for Keyboard Filter to block +function Enable-Custom-Key($KeyId) { + +# Check to see if the custom key object already exists + $objCustomKey = Get-WMIObject -namespace $NAMESPACE -class WEKF_CustomKey | + where {$_.Id -eq "$KeyId"}; + + if ($objCustomKey) { + +# The custom key already exists, so just enable it + $objCustomKey.Enabled = 1; + $objCustomKey.Put() | Out-Null; + "Enabled ${KeyId}."; + + } else { + +# Create a new custom key object by calling the static Add method + $retval = $classCustomKey.Add($KeyId); + +# Check the return value to verify that the Add is successful + if ($retval.ReturnValue -eq 0) { + "Added ${KeyID}." + } else { + "Unknown Error: " + "{0:x0}" -f $retval.ReturnValue + } + } +} + +# Enable Keyboard Filter to block several custom keys + +Enable-Custom-Key "Ctrl+v" +Enable-Custom-Key "Ctrl+v" +Enable-Custom-Key "Shift+4" +Enable-Custom-Key "Ctrl+Alt+w" + +# List all the currently existing custom keys + +$objCustomKeyList = get-WMIObject -namespace $NAMESPACE -class WEKF_CustomKey +foreach ($objCustomKeyItem in $objCustomKeyList) { + "Custom key: " + $objCustomKeyItem.Id + " enabled: " + $objCustomKeyItem.Enabled + } +``` + +## Related articles + +- [WEKF_CustomKey](wekf-customkey.md) +- [Keyboard Filter](index.md) diff --git a/windows/configuration/keyboard-filter/wekf-customkeyremove.md b/windows/configuration/keyboard-filter/wekf-customkeyremove.md new file mode 100644 index 0000000000..5fdceb9f5a --- /dev/null +++ b/windows/configuration/keyboard-filter/wekf-customkeyremove.md 
@@ -0,0 +1,88 @@ +--- +title: WEKF_CustomKey.Remove +description: WEKF_CustomKey.Remove +ms.date: 01/13/2025 +ms.topic: reference +author: TerryWarwick +ms.author: twarwick +--- + +# WEKF_CustomKey.Remove + +[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)] + +Removes a custom key combination, causing Keyboard Filter to stop blocking the removed key combination. + +## Syntax + +```powershell +[Static] uint32 Remove( + [In] string CustomKey +); +``` + +## Parameters + +**CustomKey**
\[in\] The custom key combination to remove. + +## Return Value + +Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants). + +## Remarks + +**WEKF_CustomKey.Remove** removes an existing **WEKF_CustomKey** object. If the object doesn't exist, **WEKF_CustomKey.Remove** returns an error with the value 0x8007007B. + +Because this method is static, you can't call it on an object instance, but must instead call it at the class level. + +## Example + +The following code demonstrates how to remove a custom key from Keyboard Filter so it's no longer blocked by using the Windows Management Instrumentation (WMI) providers for Keyboard Filter. + +```powershell +$COMPUTER = "localhost" +$NAMESPACE = "root\standardcimv2\embedded" + +# Create a handle to the class instance so we can call the static methods +$classCustomKey = [wmiclass]"\\$COMPUTER\${NAMESPACE}:WEKF_CustomKey" + +# Create a function to remove a key combination +function Remove-Custom-Key($KeyId) { + +# Call the static Remove() method on the class reference + $retval = $classCustomKey.Remove($KeyId) + +# Check the return value for status + if ($retval.ReturnValue -eq 0) { + +# Custom key combination removed successfully + "Removed ${KeyID}." + } elseif ($retval.ReturnValue -eq 2147942523) { + +# No object exists with the specified custom key + "Failed to remove ${KeyID}. No object found." + } else { + +# Unknown error, report error code in hexadecimal + "Failed to remove ${KeyID}. 
Unknown Error: " + "{0:x0}" -f $retval.ReturnValue + } +} + + +# Example of removing a custom key so that Keyboard Filter stops blocking it +Remove-Custom-Key "Ctrl+Alt+w" + +# Example of removing all custom keys that have the Enabled property set to false +$objDisabledCustomKeys = Get-WmiObject -Namespace $NAMESPACE -Class WEKF_CustomKey; + +foreach ($objCustomKey in $objDisabledCustomKeys) { + if (!$objCustomKey.Enabled) { + Remove-Custom-Key($objCustomKey.Id); + } +} +``` + +## Related topics + +- [WEKF_CustomKey](wekf-customkey.md) +- [Keyboard Filter](index.md) diff --git a/windows/configuration/keyboard-filter/wekf-predefinedkey.md b/windows/configuration/keyboard-filter/wekf-predefinedkey.md new file mode 100644 index 0000000000..d81f72d801 --- /dev/null +++ b/windows/configuration/keyboard-filter/wekf-predefinedkey.md 
@@ -0,0 +1,114 @@ +--- +title: WEKF_PredefinedKey +description: WEKF_PredefinedKey +author: TerryWarwick +ms.author: twarwick +ms.date: 01/13/2025 +ms.topic: reference +--- + +# WEKF_PredefinedKey + +[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)] + +This class blocks or unblocks predefined key combinations, such as Ctrl+Alt+Delete. + +## Syntax + +```powershell +class WEKF_PredefinedKey { + [Static] uint32 Enable ( + [In] string PredefinedKey + ); + [Static] uint32 Disable ( + [In] string PredefinedKey + ); + + [Key] string Id; + [Read, Write] boolean Enabled; +}; +``` + +## Members + +The following tables list any constructors, methods, fields, and properties that belong to this class. + +### Methods + +| Methods | Description | +|:-----------------------------------------------------------|:---------------------------------------| +| [WEKF_PredefinedKey.Enable](wekf-predefinedkeyenable.md) | Blocks the specified predefined key. | +| [WEKF_PredefinedKey.Disable](wekf-predefinedkeydisable.md) | Unblocks the specified predefined key. | + +### Properties + +| Property | Data type | Qualifiers | Description | +|:------------|:----------|:--------------|:----------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **Id** | string | [key] | The name of the predefined key combination. | +| **Enabled** | Boolean | [read, write] | Indicates whether the key is blocked or unblocked. To indicate that the key is blocked, specify **true**. To indicate that the key isn't blocked, specify **false**. | + +### Remarks + +All accounts have read access to the **WEKF_PRedefinedKey** class, but only administrator accounts can modify the class. + +For a list of predefined key combinations for Keyboard Filter, see [Predefined key combinations](predefined-key-combinations.md). 
+ +## Example + +The following sample Windows PowerShell script blocks the Ctrl+Alt+Delete and the Ctrl+Esc key combinations when the Keyboard Filter service is running. + +```powershell +<# +.Synopsis + This script shows how to use the built in WMI providers to enable and add + Keyboard Filter rules through Windows PowerShell on the local computer. +.Parameter ComputerName + Optional parameter to specify a remote machine that this script should + manage. If not specified, the script will execute all WMI operations + locally. +#> +param ( + [String] $ComputerName +) + +$CommonParams = @{"namespace"="root\standardcimv2\embedded"} +$CommonParams += $PSBoundParameters + +function Enable-Predefined-Key($Id) { + <# + .Synposis + Toggle on a Predefined Key Keyboard Filter Rule + .Description + Use Get-WMIObject to enumerate all WEKF_PredefinedKey instances, + filter against key value "Id", and set that instance's "Enabled" + property to 1/true. + .Example + Enable-Predefined-Key "Ctrl+Alt+Delete" + + Enable CAD filtering +#> + + $predefined = Get-WMIObject -class WEKF_PredefinedKey @CommonParams | + where { + $_.Id -eq "$Id" + }; + + if ($predefined) { + $predefined.Enabled = 1; + $predefined.Put() | Out-Null; + Write-Host Enabled $Id + } else { + Write-Error $Id is not a valid predefined key + } +} + +# Some example uses of the function defined above. + +Enable-Predefined-Key "Ctrl+Alt+Delete" +Enable-Predefined-Key "Ctrl+Esc" +``` + +## Related articles + +- [Keyboard Filter WMI provider reference](keyboardfilter-wmi-provider-reference.md) +- [Keyboard Filter](index.md) diff --git a/windows/configuration/keyboard-filter/wekf-predefinedkeydisable.md b/windows/configuration/keyboard-filter/wekf-predefinedkeydisable.md new file mode 100644 index 0000000000..8b954dee19 --- /dev/null +++ b/windows/configuration/keyboard-filter/wekf-predefinedkeydisable.md 
@@ -0,0 +1,36 @@ +--- +title: WEKF_PredefinedKey.Disable +description: WEKF_PredefinedKey.Disable +author: TerryWarwick +ms.author: twarwick +ms.date: 01/13/2025 +ms.topic: reference +--- + +# WEKF_PredefinedKey.Disable + +[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)] + +Unblocks the specified predefined key combination. + +## Syntax + +```powershell +[Static] uint32 Disable( + [In] string PredefinedKey +); +``` + +## Parameters + +**PredefinedKey**
\[in\] The predefined key combination to unblock. For a list of predefined keys, see [Predefined key combinations](predefined-key-combinations.md). + +## Return Value + +Returns an HRESULT value that indicates [WMI Non-error constant](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error constant](/windows/win32/wmisdk/wmi-error-constants). + + +## Related articles + +- [WEKF_PredefinedKey](wekf-predefinedkey.md) +- [Keyboard Filter](index.md) diff --git a/windows/configuration/keyboard-filter/wekf-predefinedkeyenable.md b/windows/configuration/keyboard-filter/wekf-predefinedkeyenable.md new file mode 100644 index 0000000000..a96fbd4365 --- /dev/null +++ b/windows/configuration/keyboard-filter/wekf-predefinedkeyenable.md @@ -0,0 +1,35 @@ +--- +title: WEKF_PredefinedKey.Enable +description: WEKF_PredefinedKey.Enable +author: TerryWarwick +ms.author: twarwick +ms.date: 01/13/2025 +ms.topic: reference +--- + +# WEKF_PredefinedKey.Enable + +[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)] + +This method blocks the specified predefined key combination. + +## Syntax + +```powershell +[Static] uint32 Enable( + [In] string PredefinedKey +); +``` + +## Parameters + +**PredefinedKey**
The predefined key combination to block. For a list of predefined keys, see [Predefined key combinations](predefined-key-combinations.md). + +## Return Value + +Returns an HRESULT value that indicates [WMI non-error constant](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error constant](/windows/win32/wmisdk/wmi-error-constants). + +## Related articles + +- [WEKF_PredefinedKey](wekf-predefinedkey.md) +- [Keyboard Filter](index.md) diff --git a/windows/configuration/keyboard-filter/wekf-scancode.md b/windows/configuration/keyboard-filter/wekf-scancode.md new file mode 100644 index 0000000000..d24df9ed10 --- /dev/null +++ b/windows/configuration/keyboard-filter/wekf-scancode.md 
@@ -0,0 +1,128 @@ +--- +title: WEKF_Scancode +description: WEKF_Scancode +author: TerryWarwick +ms.author: twarwick +ms.date: 01/13/2025 +ms.topic: reference +--- + +# WEKF_Scancode + +[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)] + +Blocks or unblocks key combinations by using the keyboard scan code, which is an integer number that is generated whenever a key is pressed or released. + +## Syntax + +```powershell +class WEKF_Scancode { + [Static] uint32 Add( + [In] string Modifiers, + [In] uint16 scancode + ); + [Static] uint32 Remove( + [In] string Modifiers, + [In] uint16 Scancode + ); + + [Key] string Modifiers; + [Key] uint16 Scancode; + [Read, Write] boolean Enabled; +} +``` + +## Members + +The following tables list any constructors, methods, fields, and properties that belong to this class. + +### Methods + +| Methods | Description | +|---------|-------------| +| [WEKF_Scancode.Add](wekf-scancodeadd.md) | Adds a new custom scan code combination and enables Keyboard Filter to block the new scan code combination. | +| [WEKF_Scancode.Remove](wekf-scancoderemove.md) | Removes the specified custom scan code combination. Keyboard Filter stops blocking the scan code combination that was removed. | + +### Properties + +| Property | Data type | Qualifiers | Description | +|----------|----------------|------------|-------------| +| **Modifiers** | string | [key] | The modifier keys that are part of the key combination to block. | +| **Scancode** | uint16 | [key] | The scan code part of the key combination to block. | +| **Enabled** | Boolean | [read, write] | Indicates whether the scan code is blocked or unblocked. This property can be one of the following values:
- **true** Indicates that the scan code is blocked.
- **false** Indicates that the scan code isn't blocked. | + +### Remarks + +Scan codes are generated by the keyboard whenever a key is pressed. The same physical key will always generate the same scan code, regardless of which keyboard layout is currently being used by the system. + +You can specify key combinations by including the modifier keys in the *Modifiers* parameter of the **Add** method or by modifying the **Modifiers** property. The most common modifier names are >Ctrl, >Shift, >Alt, and >Win. + +## Example + +The following code demonstrates how to add or enable a keyboard scan code that Keyboard Filter will block by using the Windows Management Instrumentation (WMI) providers for Keyboard Filter. This example modifies the properties directly, and doesn't call any of the methods defined in **WEKF_Scancode**. + +```powershell +<# +.Synopsis + This script shows how to use the WMI provider to enable and add + Keyboard Filter rules through Windows Powershell on the local computer. +.Parameter ComputerName + Optional parameter to specify a remote machine that this script should + manage. If not specified, the script will execute all WMI operations + locally. +#> +param ( + [String] $ComputerName +) + +$CommonParams = @{"namespace"="root\standardcimv2\embedded"} +$CommonParams += $PSBoundParameters + + +function Enable-Scancode($Modifiers, [int]$Code) { + <# + .Synopsis + Toggle on a Scancode Keyboard Filter Rule + .Description + Use Get-WMIObject to enumerate all WEKF_Scancode instances, + filter against key values of "Modifiers" and "Scancode", and set + that instance's "Enabled" property to 1/true. + + In the case that the Scancode instance does not exist, add a new + instance of WEKF_Scancode using Set-WMIInstance. + .Example + Enable-Predefined-Key "Ctrl+V" + + Enable filtering of the Ctrl + V sequence. 
+#> + + $scancode = + Get-WMIObject -class WEKF_Scancode @CommonParams | + where { + ($_.Modifiers -eq $Modifiers) -and ($_.Scancode -eq $Code) + } + + if($scancode) { + $scancode.Enabled = 1 + $scancode.Put() | Out-Null + "Enabled Custom Scancode {0}+{1:X4}" -f $Modifiers, $Code + } else { + Set-WMIInstance ` + -class WEKF_Scancode ` + -argument @{Modifiers="$Modifiers"; Scancode=$Code} ` + @CommonParams | Out-Null + + "Added Custom Scancode {0}+{1:X4}" -f $Modifiers, $Code + } +} + +# Some example uses of the function defined above. + +Enable-Scancode "Ctrl" 37 +``` + +## Related articles + +[Keyboard Filter WMI provider reference](keyboardfilter-wmi-provider-reference.md) + +[Keyboard Filter](index.md) diff --git a/windows/configuration/keyboard-filter/wekf-scancodeadd.md b/windows/configuration/keyboard-filter/wekf-scancodeadd.md new file mode 100644 index 0000000000..1174273038 --- /dev/null +++ b/windows/configuration/keyboard-filter/wekf-scancodeadd.md @@ -0,0 +1,44 @@ +--- +title: WEKF_Scancode.Add +description: WEKF_Scancode.Add +author: TerryWarwick +ms.author: twarwick +ms.date: 01/13/2025 +ms.topic: reference +--- + +# WEKF_Scancode.Add + +[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)] + +This method adds a new custom scan code combination and enables Keyboard Filter to block the new combination. + +## Syntax + +```powershell +[Static] uint32 Add( + [In] string Modifiers, + [In] uint16 Scancode +); +``` + +## Parameters + +**Modifers**
The modifier keys that are part of the key combination to block. + +**Scancode**
The hardware scan code of the key to block. + +## Return Value + +Returns an HRESULT value that indicates [WMI non-error constant](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error constant](/windows/win32/wmisdk/wmi-error-constants). + +## Remarks + +**WEKF_Scancode.Add** creates a new **WEKF_Scancode** object and sets the **Enabled** property of the new object to **true**. + +If a **WEKF_Scancode** object already exists with same *Modifiers* and *Scancode* properties, then **WEKF_Scancode.Add** returns an error code and doesn't create a new object or modify any properties of the existing object. If the existing **WEKF_Scancode** object has the **Enabled** property set to **false**, Keyboard Filter doesn't block the scan code. + +## Related articles + +- [WEKF_Scancode](wekf-scancode.md) +- [Keyboard Filter](index.md) diff --git a/windows/configuration/keyboard-filter/wekf-scancoderemove.md b/windows/configuration/keyboard-filter/wekf-scancoderemove.md new file mode 100644 index 0000000000..ae761e5b61 --- /dev/null +++ b/windows/configuration/keyboard-filter/wekf-scancoderemove.md @@ -0,0 +1,44 @@ +--- +title: WEKF_Scancode.Remove +description: WEKF_Scancode.Remove +author: TerryWarwick +ms.author: twarwick +ms.date: 01/13/2025 +ms.topic: reference +--- + +# WEKF_Scancode.Remove + +[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)] + +This method removes a custom scan code key combination, causing Keyboard Filter to stop blocking the removed combination. + +## Syntax + +```powershell +[Static] uint32 Remove( + [In] string Modifiers, + [In] uint16 Scancode +); +``` + +## Parameters + +**Modifiers**
The modifier keys of the combination to remove. + +**Scancode**
The scan code of the combination to remove. + +## Return Value + +Returns an HRESULT value that indicates [WMI non-error constant](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error constant](/windows/win32/wmisdk/wmi-error-constants). + +## Remarks + +**WEKF_Scancode.Remove** removes an existing **WEKF_Scancode** object. If the object doesn't exist, **WEKF_Scancode.Remove** returns an error with the value 0x8007007B. + +Because this method is static, you can't call it on an object instance, but must instead call it at the class level. + +## Related articles + +- [WEKF_Scancode](wekf-scancode.md) +- [Keyboard Filter](index.md) diff --git a/windows/configuration/keyboard-filter/wekf-settings.md b/windows/configuration/keyboard-filter/wekf-settings.md new file mode 100644 index 0000000000..0aa64a5a7d --- /dev/null +++ b/windows/configuration/keyboard-filter/wekf-settings.md @@ -0,0 +1,97 @@ +--- +title: WEKF_Settings +description: WEKF_Settings +author: TerryWarwick +ms.author: twarwick +ms.date: 01/13/2025 +ms.topic: reference +--- + +# WEKF_Settings + +[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)] + +Enables or disables settings for Keyboard Filter. + +## Syntax + +```powershell +class WEKF_Settings { + [Key] string Name; + [Read, Write] string Value; +}; +``` + +## Members + +The following tables list any methods and properties that belong to this class. + +### Properties + +| Property | Data type | Qualifiers | Description | +|----------|----------------|------------|-------------| +| **Name** | string | [key] | Indicates the name of the Keyboard Filter setting that this object represents. See the Remarks section for a list of valid setting names. | +| **Value** | string | [read, write] | Represents the value of the **Name** setting. The value isn't case-sensitive.
See the Remarks section for a list of valid values for each setting. | + +### Remarks + +You must be signed in to an administrator account to make any changes to this class. + +Each **WEKF_Settings** object represents a single Keyboard Filter setting. You can enumerate across all **WEKF_Settings** objects to see the value of all Keyboard Filter settings. + +The following table lists all settings available for Keyboard Filter. + +| Setting name | Description | +|--------------|-------------| +| **DisableKeyboardFilterForAdministrators** | This setting specifies whether Keyboard Filter is enabled or disabled for administrator accounts. Set to **true** to disable Keyboard Filter for administrator accounts; otherwise, set to **false**. Set to **true** by default. | +| **ForceOffAccessibility** | This setting specifies whether Keyboard Filter blocks users from enabling Ease of Access features. Set to **true** to force disabling the Ease of Access features. Set to **false** to allow enabling the Ease of Access features. Set to **false** by default.
Changing this setting to **false** doesn't automatically enable Ease of Access features; you must manually enable them. | +| **BreakoutKeyScanCode** | This setting specifies the scan code of the key that enables a user to break out of an account that is locked down with Keyboard Filter. A user can press this key consecutively five times to switch to the Welcome screen.
By default, the BreakoutKeyScanCode is set to the scan code for the left Windows logo key. | + +One instance of the **WEKF_Settings** class exists for each valid setting. + +Changes to the **DisableKeyboardFilterForAdministrator** setting are applied when an administrator account signs in, and applies to all applications run during the user session. If a user without an administrator account runs an application as an administrator, Keyboard Filter is still enabled, regardless of the **DisableKeyboardFilterForAdministrator** setting. + +Changes to the **BreakoutKeyScanCode** setting don't take effect until you restart the device. + +If the **BreakoutKeyScanCode** is set to the scan code for either the left Windows logo key or the right Windows logo key, both Windows Logo keys will work as the breakout key. + +The **BreakoutKeyScanCode** setting only applies to accounts where Keyboard Filter is active. If the scan code is set to a value that doesn't map to any key, such as 0 (zero), then you must use another method to access the Welcome screen if you need to service the device, such as remotely connecting, or restarting the device if automatic sign-in isn't enabled. + +> [!IMPORTANT] +> On some devices, if the breakout key is pressed too rapidly, the key presses may not register. We recommend that you include a slight pause between each breakout key press. + +> [!WARNING] +> When setting the **BreakoutKeyScanCode**, be sure to use the scan code of the key, and not the virtual key value. + +### Example + +The following Windows PowerShell script demonstrates how to use this class to modify the breakout mode key for Keyboard Filter. This example sets the **BreakoutKeyScanCode** setting to the scan code for the Home key on a standard keyboard. 
+ +```powershell +#---Define variables--- + +$COMPUTER = "localhost" +$NAMESPACE = "root\standardcimv2\embedded" + +# Define the decimal scan code of the Home key + +$HomeKeyScanCode = 71 + +# Get the BreakoutKeyScanCode setting from WEKF_Settings + +$BreakoutMode = get-wmiobject -class wekf_settings -namespace $NAMESPACE | where {$_.name -eq "BreakoutKeyScanCode"} + +# Set the breakout key to the Home key. + +$BreakoutMode.value = $HomeKeyScanCode + +# Push the change into the WMI configuration. You must restart your device before this change takes effect. + +$BreakoutMode.put() +``` + +## Related articles + +[Keyboard Filter WMI provider reference](keyboardfilter-wmi-provider-reference.md) + +[Keyboard Filter](index.md) diff --git a/windows/configuration/start/index.md b/windows/configuration/start/index.md index 0627e33663..2294ebe5cc 100644 --- a/windows/configuration/start/index.md +++ b/windows/configuration/start/index.md @@ -1,8 +1,8 @@ --- -title: Configure the Start menu +title: Configure The Windows Start Menu With Policy Settings description: Learn how to configure the Windows Start menu to provide quick access to the tools and applications that users need most. ms.topic: overview -ms.date: 04/10/2024 +ms.date: 12/02/2024 zone_pivot_groups: windows-versions-11-10 ms.collection: - essentials-manage diff --git a/windows/configuration/start/layout.md b/windows/configuration/start/layout.md index 81f5d11c75..af0a608300 100644 --- a/windows/configuration/start/layout.md +++ b/windows/configuration/start/layout.md @@ -1,8 +1,8 @@ --- -title: Customize the Start layout +title: Customize The Start Layout For Managed Windows Devices description: Learn how to customize the Windows Start layout, export its configuration, and deploy the customization to other devices. ms.topic: how-to -ms.date: 04/10/2024 +ms.date: 12/02/2024 zone_pivot_groups: windows-versions-11-10 appliesto: --- 
diff --git a/windows/configuration/start/xsd.md b/windows/configuration/start/xsd.md index 714f0aa70f..ba0f818bc7 100644 --- a/windows/configuration/start/xsd.md +++ b/windows/configuration/start/xsd.md @@ -2,7 +2,7 @@ title: Start XML Schema Definition (XSD) description: Start XSD reference article. ms.topic: reference -ms.date: 04/10/2024 +ms.date: 12/02/2024 appliesto: - ✅ Windows 10 --- diff --git a/windows/configuration/store/index.md b/windows/configuration/store/index.md index 09c92aea0f..b6b7609319 100644 --- a/windows/configuration/store/index.md +++ b/windows/configuration/store/index.md @@ -1,8 +1,8 @@ --- -title: Configure access to the Microsoft Store app +title: Configure Access To The Microsoft Store App For Windows Devices description: Learn how to configure access to the Microsoft Store app. ms.topic: how-to -ms.date: 03/13/2024 +ms.date: 12/02/2024 --- # Configure access to the Microsoft Store app diff --git a/windows/configuration/windows-spotlight/index.md b/windows/configuration/windows-spotlight/index.md index 6c056b86f1..c16b4fb35a 100644 --- a/windows/configuration/windows-spotlight/index.md +++ b/windows/configuration/windows-spotlight/index.md @@ -2,7 +2,7 @@ title: Configure Windows spotlight description: Learn how to configure Windows spotlight using Group Policy and mobile device management (MDM) settings. ms.topic: how-to -ms.date: 04/23/2024 +ms.date: 12/05/2024 ms.author: paoloma author: paolomatarazzo appliesto: 
@@ -21,6 +21,9 @@ Windows spotlight is a feature that displays different wallpapers and offers sug :::image type="content" source="images/lockscreen-11.png" alt-text="Screenshot of the Windows 11 lock screen with Windows Spotlight enabled." border="false"::: +> [!NOTE] +> After installing the [KB5046633 (October 22, 2024)](https://support.microsoft.com/topic/22631-4460-6ff7b117-cd80-471a-a9ac-48a794bda2d6), the default Windows wallpaper changes to Windows spotlight. To modify this behavior, use the [AllowSpotlightCollection policy setting](#policy-settings), or configure a custom lock screen and background image. + ::: zone-end ::: zone pivot="windows-10" @@ -31,6 +34,9 @@ Windows spotlight is a feature that displays different wallpapers and offers sug :::image type="content" source="images/lockscreen-10.png" alt-text="Screenshot of the Windows 10 lock screen with Windows Spotlight enabled." border="false"::: +> [!NOTE] +> After installing the [KB5048652 (December 10, 2024)](https://support.microsoft.com/topic/19045-5247-454fbd4c-0723-449e-915b-8515ab41f8e3), the default Windows wallpaper changes to Windows spotlight. To modify this behavior, configure a custom lock screen and background image. + ::: zone-end ## Windows edition and licensing requirements diff --git a/windows/deployment/do/mcc-ent-deploy-to-linux.md b/windows/deployment/do/mcc-ent-deploy-to-linux.md index 0fc31cdf23..8280d47b34 100644 --- a/windows/deployment/do/mcc-ent-deploy-to-linux.md +++ b/windows/deployment/do/mcc-ent-deploy-to-linux.md 
@@ -26,6 +26,10 @@ Before deploying Connected Cache to a Linux host machine, ensure that the host m 1. Within the Azure portal, navigate to the **Provisioning** tab of your cache node and copy the provisioning command. 1. Download the provisioning package using the option at the top of the Cache Node Configuration page and extract the package onto the host machine. 1. Open a command line window *as administrator* on the host machine, then change directory to the extracted provisioning package. + + >[!Note] + >* If you are deploying your cache node to a Linux host machine that uses a TLS-inspecting proxy (e.g. ZScaler), ensure that you've [configured the proxy settings](mcc-ent-create-resource-and-cache.md#proxy-settings) for your cache node, then place the proxy certificate file (.pem) in the extracted provisioning package directory and add `proxyTlsCertificatePath="/path/to/pem/file"` to the provisioning command. + 1. Set access permissions to allow the `provisionmcc.sh` script within the provisioning package directory to execute. 1. Run the provisioning command on the host machine. 
@@ -42,6 +46,10 @@ To deploy a cache node programmatically, you'll need to use Azure CLI to get the 1. Save the resulting output. These values will be passed as parameters within the provisioning command. 1. Download and extract the [Connected Cache provisioning package for Linux](https://aka.ms/MCC-Ent-InstallScript-Linux) to your host machine. 1. Open a command line window *as administrator* on the host machine, then change directory to the extracted provisioning package. + + >[!Note] + >* If you are deploying your cache node to a host machine that uses a TLS-inspecting proxy (e.g. ZScaler), ensure that you've [configured the proxy settings](mcc-ent-create-resource-and-cache.md#proxy-settings) for your cache node, then place the proxy certificate file (.pem) in the extracted provisioning package directory and add `proxyTlsCertificatePath="/path/to/pem/file"` to the provisioning command. + 1. Set access permissions to allow the `provisionmcc.sh` script within the provisioning package directory to execute. 1. Replace the values in the following provisioning command before running it on the host machine. diff --git a/windows/deployment/do/mcc-ent-deploy-to-windows.md b/windows/deployment/do/mcc-ent-deploy-to-windows.md index ba27a5f82f..275b637871 100644 --- a/windows/deployment/do/mcc-ent-deploy-to-windows.md +++ b/windows/deployment/do/mcc-ent-deploy-to-windows.md 
@@ -17,7 +17,7 @@ appliesto: This article describes how to deploy Microsoft Connected Cache for Enterprise and Education caching software to a Windows host machine. -Deploying Connected Cache to a Windows host machine requires designating a [Group Managed Service Account (gMSA)](/windows-server/security/group-managed-service-accounts/getting-started-with-group-managed-service-accounts) or a [Local User Account](https://support.microsoft.com/windows/create-a-local-user-or-administrator-account-in-windows-20de74e0-ac7f-3502-a866-32915af2a34d) as the Connected Cache runtime account. This prevents tampering with the Connected Cache container and the cached content on the host machine. +Deploying Connected Cache to a Windows host machine requires designating a [Group Managed Service Account (gMSA)](/windows-server/security/group-managed-service-accounts/getting-started-with-group-managed-service-accounts) or a [local user account](https://support.microsoft.com/topic/20de74e0-ac7f-3502-a866-32915af2a34d) as the Connected Cache runtime account. This prevents tampering with the Connected Cache container and the cached content on the host machine. Before deploying Connected Cache to a Windows host machine, ensure that the host machine meets all [requirements](mcc-ent-prerequisites.md), and that you have [created and configured your Connected Cache Azure resource](mcc-ent-create-resource-and-cache.md). 
@@ -26,14 +26,25 @@ Before deploying Connected Cache to a Windows host machine, ensure that the host # [Azure portal](#tab/portal) 1. Within the Azure portal, navigate to the **Provisioning** tab of your cache node and copy the provisioning command. -1. Download the provisioning package using the option at the top of the Cache Node Configuration page and extract the package onto the host machine. **Note**: The installer should be in a folder that isn't synced to OneDrive, as this will interfere with the installation process. +1. Download the provisioning package using the option at the top of the Cache Node Configuration page and extract the archive onto the host machine. + + >[!Note] + >* The provisioning package should be extracted to a directory that isn't synced to OneDrive, as the sychronization process will interfere with the installation. It is recommended to extract the provisioning package to the root directory of the host machine (e.g. C:\mccInstaller) + 1. Open a PowerShell window *as administrator* on the host machine, then change directory to the extracted provisioning package. + + >[!Note] + >* If you are deploying your cache node to a Windows host machine that uses a TLS-inspecting proxy (e.g. ZScaler), ensure that you've [configured the proxy settings](mcc-ent-create-resource-and-cache.md#proxy-settings) for your cache node, then place the proxy certificate file (.pem) in the extracted provisioning package directory and add `-proxyTlsCertificatePemFileName "mycert.pem"` to the provisioning command. + 1. Set the Execution Policy to *Unrestricted* to allow the provisioning scripts to run. -1. Create a `$User` environment variable containing the username of the account you intend to designate as the Connected Cache runtime account. +1. Create a `$User` PowerShell variable containing the username of the account you intend to designate as the Connected Cache runtime account. - For gMSAs, the value should be formatted as `"Domain\Username$"`. 
For Local User accounts, `$User` should be formatted as `"LocalMachineName\Username"`. + For gMSAs, the `$User` PowerShell variable should be formatted as `"Domain\Username$"`. For local user accounts, `$User` PowerShell variable should be formatted as `"LocalMachineName\Username"`. - If you're using a Local User account as the Connected Cache runtime account, you'll also need to create a [PSCredential Object](/dotnet/api/system.management.automation.pscredential) named `$myLocalAccountCredential`. **Note**: You'll need to apply a local security policy to permit the Local User account to `Log on as a batch job`. + If you're using a local user account as the Connected Cache runtime account, you'll also need to create a [PSCredential Object](/dotnet/api/system.management.automation.pscredential) named `$myLocalAccountCredential`. + + >[!Note] + >* You'll need to apply a local security policy to permit the local user account to `Log on as a batch job`. 1. Run the provisioning command on the host machine. 
@@ -48,22 +59,33 @@ To deploy a cache node programmatically, you'll need to use Azure CLI to get the ``` 1. Save the resulting output. These values will be passed as parameters within the provisioning command. -1. Download and extract the [Connected Cache provisioning package for Windows](https://aka.ms/MCC-Ent-InstallScript-WSL) to your host machine. **Note**: The installer should be in a folder that isn't synced to OneDrive, as this will interfere with the installation process. +1. Download and extract the [Connected Cache provisioning package for Windows](https://aka.ms/MCC-Ent-InstallScript-WSL) to your host machine. + + >[!Note] + >* The provisioning package should be extracted to a directory that isn't synced to OneDrive, as the sychronization process will interfere with the installation. It is recommended to extract the provisioning package to the root directory of the host machine (e.g. C:\mccInstaller) + 1. Open a PowerShell window *as administrator* on the host machine, then change directory to the extracted provisioning package. + + >[!Note] + >* If you are deploying your cache node to a host machine that uses a TLS-inspecting proxy (e.g. ZScaler), ensure that you've [configured the proxy settings](mcc-ent-create-resource-and-cache.md#proxy-settings) for your cache node, then place the proxy certificate file (.pem) in the extracted provisioning package directory and add `-proxyTlsCertificatePath "path/to/pem/file"` to the provisioning command. + 1. Set the Execution Policy to *Unrestricted* to allow the provisioning scripts to run. -1. Create a `$User` environment variable containing the username of the account you intend to designate as the Connected Cache runtime account. +1. Create a `$User` PowerShell variable containing the username of the account you intend to designate as the Connected Cache runtime account. - For gMSAs, the value should be formatted as `"Domain\Username$"`. 
For Local User accounts, `$User` should be formatted as `"LocalMachineName\Username"`. + For gMSAs, the `$User` PowerShell variable should be formatted as `"Domain\Username$"`. For local user accounts, the `$User` PowerShell variable should be formatted as `"LocalMachineName\Username"`. - If you're using a Local User account as the Connected Cache runtime account, you'll also need to create a [PSCredential Object](/dotnet/api/system.management.automation.pscredential) named `$myLocalAccountCredential`. **Note**: You'll need to apply a local security policy to permit the Local User account to `Log on as a batch job`. + If you're using a local user account as the Connected Cache runtime account, you'll also need to create a [PSCredential Object](/dotnet/api/system.management.automation.pscredential) named `$myLocalAccountCredential`. -1. Replace the values in the following provisioning command before running it on the host machine. **Note**: `-mccLocalAccountCredential $myLocalAccountCredential` is only needed if you're using a Local User account as the Connected Cache runtime account. + >[!Note] + >* You'll need to apply a local security policy to permit the local user account to `Log on as a batch job`. + +1. Replace the values in the following provisioning command before running it on the host machine. ```powershell-interactive ./provisionmcconwsl.ps1 -installationFolder c:\mccwsl01 -customerid [enter mccResourceId here] -cachenodeid [enter cacheNodeId here] -customerkey [enter customerKey here] -registrationkey [enter registration key] -cacheDrives "/var/mcc,enter drive size" -shouldUseProxy [enter true if present, enter false if not] -proxyurl "http://[enter proxy host name]:[enter port]" -mccRunTimeAccount $User -mccLocalAccountCredential $myLocalAccountCredential ``` ---- +--- ## Steps to point Windows client devices at Connected Cache node 
diff --git a/windows/deployment/do/mcc-ent-edu-overview.md b/windows/deployment/do/mcc-ent-edu-overview.md index 125aed12f4..a09f4f9a76 100644 --- a/windows/deployment/do/mcc-ent-edu-overview.md +++ b/windows/deployment/do/mcc-ent-edu-overview.md @@ -29,9 +29,9 @@ Microsoft Connected Cache deployed directly to Windows relies on [Windows Subsys ## Supported scenarios and configurations -Microsoft Connected Cache for Enterprise and Education (preview) is intended to support the following content delivery scenarios: +Microsoft Connected Cache for Enterprise and Education (preview) is intended to support all Windows cloud downloads that use Delivery Optimization including, but not limited to, the following content delivery scenarios: -- Pre-provisioning of devices using Windows Autopilot +- Windows Autopilot deployment scenarios - Co-managed clients that get monthly updates and Win32 apps from Microsoft Intune - Cloud-only managed devices, such as Intune-enrolled devices without the Configuration Manager client, that get monthly updates and Win32 apps from Microsoft Intune diff --git a/windows/deployment/do/mcc-ent-monitoring.md b/windows/deployment/do/mcc-ent-monitoring.md index 9a4894896e..98c00bdcf4 100644 --- a/windows/deployment/do/mcc-ent-monitoring.md +++ b/windows/deployment/do/mcc-ent-monitoring.md 
@@ -18,25 +18,25 @@ ms.date: 10/30/2024 Tracking the status and performance of your Connected Cache node is essential to making sure you're getting the most out of the service. -For basic monitoring, navigate to the **Overview** tab. Here you'll be able to view a collection of predefined metrics and charts. All the monitoring in this section will function right after your Connected Cache node has been deployed. +For basic monitoring, navigate to the **Overview** tab. Here you can view a collection of predefined metrics and charts. All the monitoring in this section will function right after your Connected Cache node has been deployed. You can view more details about each cache node by navigating to the **Cache Nodes** section under the **Cache Node Management** tab. This page displays cache node information such as Status, Host machine OS, Software Version, and Cache Node ID. -For advanced monitoring, navigate to the **Metrics** section under the **Monitoring** tab. Here you'll be able to access more sampled metrics (hits, misses, inbound traffic) and specify different aggregations (count, avg, min, max, sum). You can then use this data to create customized charts and configure alerts. +For advanced monitoring, navigate to the **Metrics** section under the **Monitoring** tab. Here you can access more sampled metrics (hits, misses, inbound traffic) and specify different aggregations (count, avg, min, max, sum). You can then use this data to create customized charts and configure alerts. -Between the two monitoring sections, you'll be able to gather essential insights into the health, performance, and efficiency of your Connected Cache nodes. +Using the two monitoring sections, you can gather essential insights into the health, performance, and efficiency of your Connected Cache nodes. ## Basic Monitoring ### Cache node summary -Below are the metrics you'll find in the **Cache Node Summary** dashboard, along with their descriptions. 
This dashboard only reflects data received from cache nodes in the last 24 hours. +Below are the metrics found in the **Cache Node Summary** dashboard, along with their descriptions. This dashboard only reflects data received from cache nodes in the last 24 hours. ![Screenshot of cache node summary in the Azure portal interface.](../images/mcc-ent-cache-node-summary.png) | Metric | Description | | --- | --- | -| Healthy nodes | Your Connected Cache node will periodically send heartbeat messages to the Connected Cache service. If the Connected Cache service has received a heartbeat message from your Connected Cache node in the last 24 hours, the node will be labeled as healthy. | -| Unhealthy nodes | If the Connected Cache service hasn't received a heartbeat message from your Connected Cache node in the last 24 hours, the node will be labeled as unhealthy. | -| Max in | The maximum ingress in Megabits per second (Mbps) that your node has pulled from CDN endpoints in the last 24 hours. | +| Healthy nodes | Your Connected Cache node will periodically send heartbeat messages to the Connected Cache service. If the Connected Cache service has received a heartbeat message from your Connected Cache node in the last 24 hours, the node is labeled as healthy. | +| Unhealthy nodes | If the Connected Cache service hasn't received a heartbeat message from your Connected Cache node in the last 24 hours, the node is labeled as unhealthy. | +| Max in | The maximum ingress in Megabits per second (Mbps) that your node has pulled from Content Delivery Network (CDN) endpoints in the last 24 hours. | | Max out | The minimum egress in Mbps that your node has sent to Windows devices in its network over the last 24 hours. | | Average in | The average ingress in Mbps that your node has pulled from CDN endpoints in the last 24 hours. | | Average out | The average egress in Mbps that your node has sent to Windows devices in its network over the last 24 hours. | 
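Review bot: The **Max out** row of the Cache node summary table still reads "The minimum egress in Mbps that your node has sent to Windows devices", which contradicts both the metric name and the parallel **Max in** row ("The maximum ingress ..."); since this hunk already rewrites the neighbouring rows, fix it here to "The maximum egress in Mbps that your node has sent to Windows devices in its network over the last 24 hours."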
@@ -65,6 +65,20 @@ This chart displays the volume of each supported content type in bytes (B) that The content types displayed in the chart each have a distinct color and are sorted in descending order of volume. The bar chart is stacked such that you can visually compare total volume being delivered at different points in time. +### Cache node details + +The **Cache Nodes** section under the **Cache Node Management** tab displays cache node information such as Status, Host machine OS, Software Version, and Cache Node ID. + +![Screenshot of cache node details in the Azure portal interface.](../images/mcc-ent-cache-node-details.png) + +| Metric | Description | +| --- | --- | +| Cache node name | The user-defined name of the cache node. | +| Status | The heartbeat status of the cache node. | +| OS | The host machine OS that this cache node is compatible with. | +| Software version | The version number of the cache node's Connected Cache container. | +| Cache node ID | The unique identifier of the cache node. | + ## Advanced Monitoring To expand upon the metrics shown in the Overview tab, navigate to the **Metrics** tab in the left side toolbar of Azure portal. 
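Review bot: The new "Cache node details" section opens with a sentence that duplicates, nearly verbatim, the paragraph already in the article introduction ("You can view more details about each cache node by navigating to the **Cache Nodes** section under the **Cache Node Management** tab. This page displays cache node information such as Status, Host machine OS, Software Version, and Cache Node ID."); either trim the intro to a pointer or shorten this one. In the table, the **OS** description "The host machine OS that this cache node is compatible with" reads as a compatibility statement rather than the observed value; if the column shows the OS the node was deployed on, say so. The **Status** row ("The heartbeat status of the cache node.") should name the possible values and tie them to the 24-hour heartbeat definition given in the summary table above, so the two sections agree.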
@@ -79,13 +93,13 @@ Listed below are the metrics you can access in this section: ### Customizable Dashboards -Once you select the charts you would like to track, you can save them to a personalized dashboard. You can configure the chart title, filters, range, legend, and more. You can also use this personalized dashboard to set up alerts that will notify you if your Connected Cache node dips in performance. +Once you select the charts you would like to track, you can save them to a personalized dashboard. You can configure the chart title, filters, range, legend, and more. You can also use this personalized dashboard to set up alerts that notify you if your Connected Cache node dips in performance. Some example scenarios where you would want to set up a custom alert: - My Connected Cache node is being shown as unhealthy and I want to know exactly when it stopped egressing last - A new Microsoft Word update was released last night and I want to know if my Connected Cache node is helping deliver this content to my Windows devices -## Additional Metrics +## Client-Side Metrics Your Connected Cache node can keep track of how much content has been sent to requesting Windows devices, but the node can't track whether the content was successfully received by the device. For more information on accessing client-side data from your Windows devices, see [Monitor Delivery Optimization](waas-delivery-optimization-monitor.md). diff --git a/windows/deployment/do/mcc-ent-troubleshooting.md b/windows/deployment/do/mcc-ent-troubleshooting.md index 0f5b02bc00..c814c909f2 100644 --- a/windows/deployment/do/mcc-ent-troubleshooting.md +++ b/windows/deployment/do/mcc-ent-troubleshooting.md 
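Review bot: Renaming the heading "## Additional Metrics" to "## Client-Side Metrics" changes the generated anchor from `#additional-metrics` to `#client-side-metrics`; check for inbound links to the old fragment across this article set and the Delivery Optimization monitoring pages it cross-references before merging, or keep the old heading text. The rename itself is an improvement, since the paragraph is about data the node can't observe and that has to be read from the Windows client.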
@@ -19,6 +19,18 @@ ms.date: 10/30/2024 This article contains instructions on how to troubleshoot different issues you may encounter while using Connected Cache. These issues are categorized by the task in which they may be encountered. +## Known issues + +This section describes known issues with the latest release of Microsoft Connected Cache for Enterprise and Education. See the [Release Notes page](mcc-ent-release-notes.md) for more details on the fixes included in the latest release. + +### Cache node monitoring chart in the Azure portal user interface displays incorrect information + +### Script provisionmcconwsl.ps1 fails when executed on a Windows 11 host machine configured to use Japanese language + +In the Connected Cache installation script (provisionmcconwsl.ps1), the check processing is executed until the value of the last execution code (Last Result) of the installation task becomes 0 in the following processing. However, in Japanese OS, the return value is null because "Last Result" is displayed, and an exception occurs. + +As a temporary workaround, the above error doesn't occur by changing the language setting of the local administrator user from Japanese to English and then executing the script. + ## Steps to obtain an Azure subscription ID @@ -38,7 +50,7 @@ If you're encountering a validation error, check that you have filled out all re If your configuration doesn't appear to be taking effect, check that you have selected the **Save** option at the top of the configuration page in the Azure portal user interface. -If you have changed the proxy configuration, you will need to re-provision the Connected Cache software on the host machine for the proxy configuration to take effect. +If you have changed the proxy configuration, you'll need to re-provision the Connected Cache software on the host machine for the proxy configuration to take effect. ## Troubleshooting cache nodes created during early preview 
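Review bot: The known issue "### Cache node monitoring chart in the Azure portal user interface displays incorrect information" in the mcc-ent-troubleshooting.md hunk is a heading with no body; it needs at least which chart is affected, what is wrong, and whether a workaround exists, or it should be removed until that text is ready. The Japanese-language issue below it also needs editing: "the return value is null because "Last Result" is displayed, and an exception occurs" doesn't state the cause. If `provisionmcconwsl.ps1` reads the scheduled task's "Last Result" property by its English display name and a Japanese OS returns a localized name instead, say that explicitly, and make clear that the workaround (switching the local administrator's display language to English) has to be applied before the script is run, not after the failure.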
@@ -50,7 +62,7 @@ As such, we strongly recommend you [recreate your existing resources in Azure](m ### Collecting Windows-hosted installation logs -[Deploying a Connected Cache node to a Windows host machine](mcc-ent-deploy-to-windows.md) involves running a series of PowerShell scripts contained within the Windows provisioning package. These scripts will attempt to write log files to the installation directory specified in the provisioning command (`C:\mccwsl01\InstallLogs` by default). +[Deploying a Connected Cache node to a Windows host machine](mcc-ent-deploy-to-windows.md) involves running a series of PowerShell scripts contained within the Windows provisioning package. These scripts attempt to write log files to the installation directory specified in the provisioning command (`C:\mccwsl01\InstallLogs` by default). There are three types of installation log files: 
@@ -60,9 +72,19 @@ There are three types of installation log files: The Registered Task Transcript is usually the most useful for diagnosing the installation issue. -### WSL2 fails to install with message "A specified logon session does not exist" +### Collecting other Windows-hosted logs -If you are encountering this failure message when attempting to run the PowerShell command `wsl.exe --install --no-distribution` on your Windows host machine, verify that you are logged on as a local administrator and running the command from an elevated PowerShell window. +Once the cache node has been successfully installed on the Windows host machine, it will periodically write log files to the installation directory (`C:\mccwsl01\` by default). + +You can expect to see the following types of log files: + +1. **WSL_Mcc_Monitor_FromRegisteredTask_Transcript**: This log file records the output of the "MCC_Monitor_Task" scheduled task that is responsible for ensuring that the Connected Cache continues running. +1. **WSL_Mcc_UserUninstall_Transcript**: This log file records the output of the "uninstallmcconwsl.ps1" script that the user can run to uninstall MCC software from the host machine. +1. **WSL_Mcc_Uninstall_FromRegisteredTask_Transcript**: This log file records the output of the "MCC_Uninstall_Task" scheduled task that is responsible for uninstalling the MCC software from the host machine when called by the "uninstallmcconwsl.ps1" script. + +### WSL2 fails to install with message "A specified logon session doesn't exist" + +If you're encountering this failure message when attempting to run the PowerShell command `wsl.exe --install --no-distribution` on your Windows host machine, verify that you're logged on as a local administrator and running the command from an elevated PowerShell window. ### Updating the WSL2 kernel 
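Review bot: The heading change from "A specified logon session does not exist" to "A specified logon session doesn't exist" edits the text of a verbatim Windows error message, so a reader pasting the real message into search will no longer match the heading; keep quoted error strings out of the contraction pass and reproduce them exactly. In the new "Collecting other Windows-hosted logs" list, `uninstallmcconwsl.ps1` and the two scheduled-task names are given in double quotes while the installation-log section above uses backticks for file and script names; use backticks consistently.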
@@ -94,6 +116,20 @@ You can use Task Scheduler on the host machine to check the status of this sched > [!Note] > If the password of the runtime account changes, you'll need to update the user in all of the Connected Cache scheduled tasks in order for the Connected Cache node to continue functioning properly. +### Cache node successfully deployed but not serving requests + +If your cache node isn't responding to requests outside of localhost, it may be because the host machine's port forwarding rules weren't correctly set during Connected Cache installation. + +To check your host machine's port forwarding rules, use the following PowerShell command. + +`netsh interface portproxy show v4tov4` + +If you don't see any port forwarding rules for port 80 to 0.0.0.0, you can run the following command from an elevated PowerShell instance to set the proper forwarding to WSL. + +`netsh interface portproxy add v4tov4 listenport=80 listenaddress=0.0.0.0 connectport=80 connectaddress=` + +You can retrieve the WSL IP Address from the `wslip.txt` file that should be present in the installation directory you specified in the Connected Cache provisioning command ("c:\mccwsl01" by default). + ## Troubleshooting cache node deployment to Linux host machine [Deploying a Connected Cache node to a Linux host machine](mcc-ent-deploy-to-linux.md) involves running a series of Bash scripts contained within the Linux provisioning package. 
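Review bot: The repair command `netsh interface portproxy add v4tov4 listenport=80 listenaddress=0.0.0.0 connectport=80 connectaddress=` ends with an empty `connectaddress=`, and only the following paragraph explains that the WSL IP address from `wslip.txt` belongs there; put an explicit placeholder in the command (for example `connectaddress=<WSL IP address from wslip.txt>`) so it can't be run as-is and silently fail. Because `listenaddress=0.0.0.0` binds port 80 on every interface of the host, the text should state that this exposure is intended for a cache node and say whether a Windows Firewall inbound rule for TCP 80 is also required; otherwise the "not serving requests" symptom can persist after the portproxy rule is added. Both `netsh` commands should be in fenced `powershell` blocks, as the provisioning command is elsewhere in this article set, rather than inline code on a line of its own.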
@@ -106,6 +142,31 @@ If it shows the **edgeAgent** and **edgeHub** containers but doesn't show **MCC* You can also reboot the IoT Edge runtime using `sudo systemctl restart iotedge`. +## Generating cache node diagnostic support bundle + +You can generate a support bundle with detailed diagnostic information by running the `collectMccDiagnostics.sh` script included in the installation package. + +For Windows host machines, you'll need to do the following: + +1. Launch a PowerShell process as the account specified as the runtime account during the Connected Cache install +1. Change directory to the "MccScripts" directory within the extracted Connected Cache provisioning package and verify the presence of `collectmccdiagnostics.sh` +1. Run `wsl bash collectmccdiagnostics.sh` to generate the diagnostic support bundle +1. Once the script has completed, note the console output describing the location of the diagnostic support bundle + + For example, "Successfully zipped package, please send file created at /etc/mccdiagnostics/support_bundle_2024_12_03__11_05_39__AM.tar.gz" + +1. Run the `wsl cp` command to copy the support bundle from the location within the Ubuntu distribution to the Windows host OS + + For example, `wsl cp /etc/mccdiagnostics/support_bundle_2024_12_03__11_05_39__AM.tar.gz /mnt/c/mccwsl01/SupportBundles` + +For Linux host machines, you'll need to do the following: + +1. Change directory to the "MccScripts" directory within the extracted Connected Cache provisioning package and verify the presence of `collectmccdiagnostics.sh` +1. Run `collectmccdiagnostics.sh` to generate the diagnostic support bundle +1. 
Once the script has completed, note the console output describing the location of the diagnostic support bundle + + For example, "Successfully zipped package, please send file created at /etc/mccdiagnostics/support_bundle_2024_12_03__11_05_39__AM.tar.gz" + ## Troubleshooting cache node monitoring Connected Cache node status and performance can be [monitored using the Azure portal user interface](mcc-ent-monitoring.md). @@ -116,4 +177,4 @@ If the issue persists, check that you have configured the Timespan and Cache nod ## Diagnose and Solve -You can also use the **Diagnose and solve problems** functionality provided by the Azure portal interface. This tab within the Microsoft Connected Cache Azure resource will walk you through a few prompts to help narrow down the solution to your issue. +You can also use the **Diagnose and solve problems** functionality provided by the Azure portal interface. This tab within the Microsoft Connected Cache Azure resource walks you through a few prompts to help narrow down the solution to your issue. diff --git a/windows/deployment/do/mcc-isp-faq.yml b/windows/deployment/do/mcc-isp-faq.yml index a5c2e9f782..26322219d3 100644 --- a/windows/deployment/do/mcc-isp-faq.yml +++ b/windows/deployment/do/mcc-isp-faq.yml @@ -15,7 +15,7 @@ metadata: appliesto: - ✅ Windows 11 - ✅ Windows 10 - ms.date: 05/23/2024 + ms.date: 01/14/2025 title: Microsoft Connected Cache Frequently Asked Questions summary: | Frequently asked questions about Microsoft Connected Cache 
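Review bot: The support-bundle section added in the @@ -106,6 +142,31 @@ hunk names the script `collectMccDiagnostics.sh` in its first sentence but `collectmccdiagnostics.sh` in every step; file names are case-sensitive on Linux and inside the WSL distribution, so use the spelling that matches the shipped package in both places. The Linux step "Run `collectmccdiagnostics.sh`" won't resolve a script in the current directory under a default shell; write it as `./collectmccdiagnostics.sh`, or `bash collectmccdiagnostics.sh` to mirror the WSL step. The Windows example `wsl cp /etc/mccdiagnostics/support_bundle_2024_12_03__11_05_39__AM.tar.gz /mnt/c/mccwsl01/SupportBundles` should say that the destination folder has to exist on the host first, since the installer isn't documented as creating it.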
@@ -35,10 +35,10 @@ sections: answer: | - Azure subscription - Hardware to host Microsoft Connected Cache - - Ubuntu 20.04 LTS on a physical server or VM of your choice. + - Ubuntu 22.04 LTS on a physical server or VM of your choice. > [!NOTE] - > The Microsoft Connected Cache is deployed and managed using Azure IoT Edge and Ubuntu 20.04 is an [Azure IoT Edge Tier 1 operating system](/azure/iot-edge/support?view=iotedge-2020-11#tier-1). Additionally, the Microsoft Connected Cache module is optimized for Ubuntu 20.04 LTS. + > The Microsoft Connected Cache is deployed and managed using Azure IoT Edge and Ubuntu 22.04 is an [Azure IoT Edge Tier 1 operating system](/azure/iot-edge/support#tier-1). Additionally, the Microsoft Connected Cache module is optimized for Ubuntu 22.04 LTS. The following are recommended hardware configurations: diff --git a/windows/deployment/do/mcc-isp-signup.md b/windows/deployment/do/mcc-isp-signup.md index 284269f52e..5b9d4a5f66 100644 --- a/windows/deployment/do/mcc-isp-signup.md +++ b/windows/deployment/do/mcc-isp-signup.md @@ -13,7 +13,7 @@ appliesto: - ✅ Windows 11 - ✅ Windows 10 - ✅ Microsoft Connected Cache for ISPs -ms.date: 05/23/2024 +ms.date: 01/14/2024 --- # Operator sign up and service onboarding for Microsoft Connected Cache 
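Review bot: `ms.date` in mcc-isp-signup.md is changed from 05/23/2024 to 01/14/2024, which moves the date backwards; the sibling files in this patch (mcc-isp-faq.yml, mcc-isp-support.md, mcc-isp-vm-performance.md) all get 01/14/2025, so this should be `ms.date: 01/14/2025` as well.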
@@ -36,7 +36,7 @@ Before you begin sign up, ensure you have the following components: 1. **Peering DB**: Ensure your organization's [Peering DB](https://www.peeringdb.com/) page is up-to-date and active. Check that the NOC email listed is accurate, and that you have access to this email. -1. **Server**: Ensure the server you wish to install Microsoft Connected Cache on is ready, and that the server is installed on Ubuntu 20.04 LTS. +1. **Server**: Ensure the server you wish to install Microsoft Connected Cache on is ready, and that the server is installed on Ubuntu 22.04 LTS. 1. **Configure cache drive**: Make sure that you have a data drive configured with full permissions on your server. You'll need to specify the location for this cache drive during the cache node configuration process. The minimum size for the data drive is 100 GB. For instructions to mount a disk on a Linux VM, see [Attach a data disk to a Linux VM](/azure/virtual-machines/linux/attach-disk-portal#find-the-disk). ## Resource creation and sign up process diff --git a/windows/deployment/do/mcc-isp-support.md b/windows/deployment/do/mcc-isp-support.md index dbced5230c..2eb833af48 100644 --- a/windows/deployment/do/mcc-isp-support.md +++ b/windows/deployment/do/mcc-isp-support.md @@ -13,7 +13,7 @@ appliesto: - ✅ Windows 11 - ✅ Windows 10 - ✅ Microsoft Connected Cache for ISPs -ms.date: 05/23/2024 +ms.date: 01/14/2025 --- # Support and troubleshooting @@ -97,6 +97,15 @@ Rerun the IoT Edge Check command to validate proper connectivity: ```bash iotedge check -verbose ``` +
+ +## Updating from Ubuntu 20.04 to 22.04 +You can now provision Microsoft Connected Cache for ISP on Ubuntu 22.04. +If you have a cache node provisioned on Ubuntu 20.04, you will need to uninstall it first before updating to Ubuntu 22.04. +Once you have updated the system, download the provisioning package from Azure portal and run the provisioning script on the portal. +For more information on provisioning cache node, visit, [Create, provision and deploy cache node](mcc-isp-create-provision-deploy.md#provision-your-server). + +
## Diagnose and Solve Problems @@ -110,6 +119,7 @@ Within **Diagnose and solve problems**, select **Troubleshoot** under the type o :::image type="content" source="images/mcc-isp-diagnose-solve-troubleshoot.png" alt-text="A screenshot of Azure portal showing the option to select Troubleshoot to continue troubleshooting common issues related to the installation of Microsoft Connected Cache." lightbox="images/mcc-isp-diagnose-solve-troubleshoot.png"::: + ## Steps to obtain an Azure subscription ID To onboard onto Microsoft Connected Cache, you'll need an Azure subscription ID. Use the following steps to obtain your subscription ID: diff --git a/windows/deployment/do/mcc-isp-vm-performance.md b/windows/deployment/do/mcc-isp-vm-performance.md index f3d3079534..6df9fd0b0b 100644 --- a/windows/deployment/do/mcc-isp-vm-performance.md +++ b/windows/deployment/do/mcc-isp-vm-performance.md @@ -12,7 +12,7 @@ ms.reviewer: mstewart ms.collection: tier3 appliesto: - ✅ Microsoft Connected Cache for ISPs -ms.date: 05/23/2024 +ms.date: 01/14/2025 --- # Enhancing cache performance @@ -21,7 +21,7 @@ To make sure you're maximizing the performance of your cache node, review the fo #### OS requirements -The Microsoft Connected Cache module is optimized for Ubuntu 20.04 LTS. Install Ubuntu 20.04 LTS on a physical server or VM of your choice. +The Microsoft Connected Cache module is optimized for Ubuntu 22.04 LTS. Install Ubuntu 22.04 LTS on a physical server or VM of your choice. #### NIC requirements diff --git a/windows/deployment/images/mcc-ent-cache-node-details.png b/windows/deployment/images/mcc-ent-cache-node-details.png new file mode 100644 index 0000000000..f73bd2e006 Binary files /dev/null and b/windows/deployment/images/mcc-ent-cache-node-details.png differ diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md index ecd4861cbb..51a6fb4e62 100644 --- a/windows/deployment/mbr-to-gpt.md +++ b/windows/deployment/mbr-to-gpt.md 
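Review bot: In the new "Updating from Ubuntu 20.04 to 22.04" section of mcc-isp-support.md, "download the provisioning package from Azure portal and run the provisioning script on the portal" is wrong about where the script runs; the package is downloaded from the portal and the provisioning script is run on the cache server, as the linked "Create, provision and deploy cache node" page describes. "visit, [Create, provision and deploy cache node]" also has a stray comma. Since the file is open, the unchanged context above this section shows `iotedge check -verbose`; the iotedge CLI takes the double-dash long option `--verbose`, so that line is worth correcting in the same change.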
@@ -4,7 +4,7 @@ description: Use MBR2GPT.EXE to convert a disk from the Master Boot Record (MBR) ms.service: windows-client author: frankroj ms.author: frankroj -ms.date: 11/16/2023 +ms.date: 11/26/2024 manager: aaroncz ms.localizationpriority: high ms.topic: how-to @@ -29,10 +29,10 @@ See the following video for a detailed description and demonstration of MBR2GPT. > [!VIDEO https://www.youtube-nocookie.com/embed/hfJep4hmg9o] -You can use MBR2GPT to: +MBR2GPT can be used to: -- Convert any attached MBR-formatted system disk to the GPT partition format. You can't use the tool to convert non-system disks from MBR to GPT. -- Convert an MBR disk with BitLocker-encrypted volumes as long as protection is suspended. To resume BitLocker after conversion, you'll need to delete the existing protectors and recreate them. +- Convert any attached MBR-formatted system disk to the GPT partition format. The tool can't be used to convert non-system disks from MBR to GPT. +- Convert an MBR disk with BitLocker-encrypted volumes as long as protection is suspended. To resume BitLocker after conversion, the existing protectors need to be deleted and then recreated. - Convert an operating system disk from MBR to GPT using Microsoft Configuration Manager or Microsoft Deployment Toolkit (MDT). Offline conversion of system disks with earlier versions of Windows installed, such as Windows 7, 8, or 8.1 aren't officially supported. The recommended method to convert these disks is to upgrade the operating system to a currently supported version of Windows, then perform the MBR to GPT conversion. @@ -41,7 +41,7 @@ Offline conversion of system disks with earlier versions of Windows installed, s > > After the disk has been converted to GPT partition style, the firmware must be reconfigured to boot in UEFI mode. > -> Make sure that your device supports UEFI before attempting to convert the disk. +> Make sure the device supports UEFI before attempting to convert the disk. ## Disk Prerequisites 
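Review bot: The mbr-to-gpt.md hunks convert second-person sentences to passive voice ("You can use MBR2GPT to" becomes "MBR2GPT can be used to", "you'll need to delete the existing protectors" becomes "the existing protectors need to be deleted"), which runs opposite to the contraction and second-person pass applied to the other files in this patch; confirm the intended house style before the same conversion is repeated through the rest of this file. The BitLocker bullet would also benefit from saying that protection should be resumed as soon as the protectors are recreated, since the conversion is performed with protection suspended.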
@@ -93,7 +93,7 @@ MBR2GPT: Validation completed successfully In the following example: -1. The current disk partition layout is displayed prior to conversion using DiskPart - three partitions are present on the MBR disk (disk 0): +1. Using DiskPart the current disk partition layout is displayed before the conversion. Three partitions are present on the MBR disk (disk 0): - A system reserved partition. - A Windows partition. @@ -110,7 +110,7 @@ In the following example: 1. The OS volume is selected again. The detail displays that the OS volume is converted to the [GPT partition type](/windows/win32/api/winioctl/ns-winioctl-partition_information_gpt) of **ebd0a0a2-b9e5-4433-87c0-68b6b72699c7** corresponding to the **PARTITION_BASIC_DATA_GUID** type. -As noted in the output from the MBR2GPT tool, you must make changes to the computer firmware so that the new EFI system partition boots properly. +As noted in the output from the MBR2GPT tool, changes to the computer firmware need to be made so that the new EFI system partition boots properly.
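Review bot: "Using DiskPart the current disk partition layout is displayed before the conversion." is a dangling modifier introduced by this hunk; "DiskPart displays the current disk partition layout before the conversion." says the same thing without it. Likewise "changes to the computer firmware need to be made so that the new EFI system partition boots properly" is clearer as "the computer firmware needs to be reconfigured to boot in UEFI mode", which is the wording the Important note earlier in the file already uses.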
@@ -267,7 +267,7 @@ If the existing MBR system partition isn't reused for the EFI system partition, > [!IMPORTANT] > -> If the existing MBR system partition is not reused for the EFI system partition, it might be assigned a drive letter. If you do not wish to use this small partition, you must manually hide the drive letter. +> If the existing MBR system partition isn't reused for the EFI system partition, it might be assigned a drive letter. If this small partition isn't going to be used, its drive letter must be manually hidden. ### Partition type mapping and partition attributes @@ -290,11 +290,11 @@ For more information about partition types, see: ### Persisting drive letter assignments -The conversion tool attempts to remap all drive letter assignment information contained in the registry that corresponds to the volumes of the converted disk. If a drive letter assignment can't be restored, an error is displayed at the console and in the log, so that you can manually perform the correct assignment of the drive letter. +The conversion tool attempts to remap all drive letter assignment information contained in the registry that corresponds to the volumes of the converted disk. If a drive letter assignment can't be restored, an error is displayed at the console and in the log, so that correct assignment of the drive letter can be manually performed. > [!IMPORTANT] > -> This code runs after the layout conversion has taken place, so the operation cannot be undone at this stage. +> This code runs after the layout conversion takes place, so the operation can't be undone at this stage. The conversion tool will obtain volume unique ID data before and after the layout conversion, organizing this information into a lookup table. It then iterates through all the entries in **HKLM\SYSTEM\MountedDevices**, and for each entry it does the following: 
@@ -398,7 +398,7 @@ The partition type can be determined in one of three ways: #### Windows PowerShell -You can enter the following command at a Windows PowerShell prompt to display the disk number and partition type: +The following command can be entered at a Windows PowerShell prompt to display the disk number and partition type: ```powershell Get-Disk | ft -Auto @@ -417,7 +417,7 @@ Number Friendly Name Serial Number HealthStatus OperationalStatus To #### Disk Management tool -You can view the partition type of a disk by using the Disk Management tool: +The partition type of a disk can be viewed by using the Disk Management tool: 1. Right-click on the Start Menu and select **Disk Management**. Alternatively, right-click on the Start Menu and select **Run**. In the **Run** dialog box that appears, enter `diskmgmt.msc` and then select **OK**. diff --git a/windows/deployment/update/waas-wu-settings.md b/windows/deployment/update/waas-wu-settings.md index 5b67de2653..18e7af7514 100644 --- a/windows/deployment/update/waas-wu-settings.md +++ b/windows/deployment/update/waas-wu-settings.md @@ -14,7 +14,7 @@ ms.localizationpriority: medium appliesto: - ✅ Windows 11 - ✅ Windows 10 -ms.date: 09/03/2024 +ms.date: 12/27/2024 --- # Manage additional Windows Update settings @@ -213,6 +213,12 @@ To do this, follow these steps: * **7**: Notify for install and notify for restart. (Windows Server 2016 and later only) + * ScheduledInstallEveryWeek (REG_DWORD): + + * **0**: Do not enforce a once-per-week scheduled installation + + * **1**: Enforce automatic installations once a week on the specified day and time. (Requires ***ScheduledInstallDay*** and ***ScheduledInstallTime*** to be set.) + * ScheduledInstallDay (REG_DWORD): * **0**: Every day. 
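Review bot: The new `ScheduledInstallEveryWeek (REG_DWORD)` entry in waas-wu-settings.md doesn't say which Windows versions honor it, while neighbouring entries in this list do (for example "**7**: Notify for install and notify for restart. (Windows Server 2016 and later only)"); add the applicability. Its value **1** text says it "(Requires ***ScheduledInstallDay*** and ***ScheduledInstallTime*** to be set.)" but doesn't state what happens when they are missing, or when `ScheduledInstallDay` is **0** (Every day), which conflicts with a once-per-week install; spell out which setting wins. "Do not enforce" should also follow the contraction style applied elsewhere in this patch ("Don't enforce").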
@@ -294,7 +300,7 @@ On new devices, Windows Update doesn't begin installing background updates until In scenarios where initial sign-in is delayed, setting the following registry values allow devices to begin background update work before a user first signs in: -- **Registry key**: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Orchestrator +- **Registry key**: `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Orchestrator` - **DWORD value name**: ScanBeforeInitialLogonAllowed - **Value data**: 1 diff --git a/windows/deployment/update/windows-update-error-reference.md b/windows/deployment/update/windows-update-error-reference.md index b6dbfb03a0..f5d53887cf 100644 --- a/windows/deployment/update/windows-update-error-reference.md +++ b/windows/deployment/update/windows-update-error-reference.md @@ -257,6 +257,7 @@ The PnP enumerated device is removed from the System Spec because one of the har | Error code | Message | Description | |------------|-----------------------------------|--------------------------------------------------------------| +| `0x80070020` | `InstallFileLocked`| Couldn't access the file because it is already in use. This can occur when the installer tries to replace a file that an antivirus, antimalware or backup program is currently scanning. | | `0x80240001` | `WU_E_NO_SERVICE` | Windows Update Agent was unable to provide the service. | `0x80240002` | `WU_E_MAX_CAPACITY_REACHED` | The maximum capacity of the service was exceeded. | `0x80240003` | `WU_E_UNKNOWN_ID` | An ID can't be found. diff --git a/windows/deployment/update/wufb-reports-workbook.md b/windows/deployment/update/wufb-reports-workbook.md index cefc7b717e..faa2671fbe 100644 --- a/windows/deployment/update/wufb-reports-workbook.md +++ b/windows/deployment/update/wufb-reports-workbook.md 
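Review bot: The row `0x80070020` / `InstallFileLocked` added to windows-update-error-reference.md is placed at the top of a table whose other rows are Windows Update Agent `WU_E_*` codes in ascending 0x8024xxxx order; 0x80070020 is the Win32 error ERROR_SHARING_VIOLATION carried in an HRESULT, and `InstallFileLocked` isn't its symbolic name, so either put the real symbol in the Message column or move the row to the article's table for generic HRESULT values if one exists. The description is useful but should be reworded to match the column's register: "The file couldn't be accessed because it's already in use. This can occur when the installer tries to replace a file that an antivirus, antimalware, or backup program is currently scanning."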
@@ -159,7 +159,8 @@ Just like the [**Quality updates**](#quality-updates-tab) and [**Feature updates The **Update status** group for driver updates contains the following items: -- **Update states for all driver updates**: Chart containing the number of devices in a specific state, such as installing, for driver updates. +- **Update states for all driver updates**: Chart containing the number of driver updates in a specific state, such as installing. + - **Distribution of Driver Classes**: Chart containing the number of drivers in a specific class. - **Update alerts for all driver updates**: Chart containing the count of active errors and warnings for driver updates. diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md index c5f450553f..c4a299bb50 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md @@ -36,7 +36,7 @@ Device readiness in Windows Autopatch is divided into two different scenarios: ### Device readiness checks available for each scenario -| Required device readiness (prerequisite checks) before device registration (powered by Intune Graph API) | Required post-device registration readiness checks (powered by Microsoft Cloud Managed Desktop Extension) | +| Required device readiness (prerequisite checks) before device registration (powered by Intune Graph API) | Required post-device registration readiness checks (powered by Microsoft Cloud Managed Desktop Extension and Windows Autopatch Client Broker) | | ----- | ----- | |
  • Windows OS (build, architecture, and edition)
  • Managed by either Intune or ConfigMgr co-management
  • ConfigMgr co-management workloads
  • Last communication with Intune
  • Personal or non-Windows devices
|
  • Windows OS (build, architecture, and edition)
  • Windows updates & Office Group Policy Object (GPO) versus Intune mobile device management (MDM) policy conflict
  • Bind network endpoints (Microsoft Defender, Microsoft Teams, Microsoft Edge, Microsoft Office)
  • Internet connectivity
| @@ -66,7 +66,7 @@ A healthy or active device in Windows Autopatch is: - Actively sending data - Passes all post-device registration readiness checks -The post-device registration readiness checks are powered by the **Microsoft Cloud Managed Desktop Extension**. It's installed right after devices are successfully registered with Windows Autopatch. The **Microsoft Cloud Managed Desktop Extension** has the Device Readiness Check Plugin. The Device Readiness Check Plugin is responsible for performing the readiness checks and reporting the results back to the service. The **Microsoft Cloud Managed Desktop Extension** is a subcomponent of the overall Windows Autopatch service. +The post-device registration readiness checks are powered by the **Microsoft Cloud Managed Desktop Extension**. It's installed right after devices are successfully registered with Windows Autopatch. The **Microsoft Cloud Managed Desktop Extension** and **Windows Autopatch Client Broker** has the Device Readiness Check Plugin. The Device Readiness Check Plugin is responsible for performing the readiness checks and reporting the results back to the service. The **Microsoft Cloud Managed Desktop Extension** and **Windows Autopatch Client Broker** are subcomponents of the overall Windows Autopatch service. The following list of post-device registration readiness checks is performed in Windows Autopatch: @@ -90,8 +90,8 @@ See the following diagram for the post-device registration readiness checks work | Step | Description | | ----- | ----- | | **Steps 1-7** | For more information, see the [Device registration overview diagram](windows-autopatch-device-registration-overview.md).| -| **Step 8: Perform readiness checks** |
  1. Once devices are successfully registered with Windows Autopatch, the devices are added to the **Ready** tab.
  2. The Microsoft Cloud Managed Desktop Extension agent performs readiness checks against devices in the **Ready** tab every 24 hours.
| -| **Step 9: Check readiness status** |
  1. The Microsoft Cloud Managed Desktop Extension service evaluates the readiness results gathered by its agent.
  2. The readiness results are sent from the Microsoft Cloud Managed Desktop Extension service component to the Device Readiness component within the Windows Autopatch's service.
| +| **Step 8: Perform readiness checks** |
  1. Once devices are successfully registered with Windows Autopatch, the devices are added to the **Ready** tab.
  2. The Microsoft Cloud Managed Desktop Extension and Windows Autopatch Client Broker agents perform readiness checks against devices in the **Ready** tab every 24 hours.
| +| **Step 9: Check readiness status** |
  1. The Microsoft Cloud Managed Desktop Extension and Windows Autopatch Client Broker service evaluates the readiness results gathered by its agent.
  2. The readiness results are sent from the Microsoft Cloud Managed Desktop Extension and Windows Autopatch Client Broker service component to the Device Readiness component within the Windows Autopatch's service.
| | **Step 10: Add devices to the Not ready** | When devices don't pass one or more readiness checks, even if they're registered with Windows Autopatch, they're added to the **Not ready** tab so IT admins can remediate devices based on Windows Autopatch recommendations. | | **Step 11: IT admin understands what the issue is and remediates** | The IT admin checks and remediates issues in the Devices blade (**Not ready** tab). It can take up to 24 hours for devices to show in the **Ready** tab. | @@ -99,7 +99,7 @@ See the following diagram for the post-device registration readiness checks work | Question | Answer | | ----- | ----- | -| **How frequent are the post-device registration readiness checks performed?** |
  • The **Microsoft Cloud Managed Desktop Extension** agent collects device readiness statuses when it runs (once a day).
  • Once the agent collects results for the post-device registration readiness checks, it generates readiness results in the device in the `%programdata%\Microsoft\CMDExtension\Plugins\DeviceReadinessPlugin\Logs\DRCResults.json.log`.
  • The readiness results are sent over to the **Microsoft Cloud Managed Desktop Extension service**.
  • The **Microsoft Cloud Managed Desktop Extension** service component sends the readiness results to the Device Readiness component. The results appear in the Windows Autopatch Devices blade (**Not ready** tab).
| +| **How frequent are the post-device registration readiness checks performed?** |
  • The **Microsoft Cloud Managed Desktop Extension** and **Windows Autopatch Client Broker** agents collect device readiness statuses when it runs (once a day).
  • Once the agent collects results for the post-device registration readiness checks, it generates readiness results in the device in the `%programdata%\Microsoft\CMDExtension\Plugins\DeviceReadinessPlugin\Logs\DRCResults.json.log`.
  • The readiness results are sent over to **Microsoft Cloud Managed Desktop Extension** and **Windows Autopatch Client Broker** service.
  • The **Microsoft Cloud Managed Desktop Extension** and **Windows Autopatch Client Broker** service component sends the readiness results to the Device Readiness component. The results appear in the Windows Autopatch Devices blade (**Not ready** tab).
| | **What to expect when one or more checks fail?** | Devices are automatically sent to the **Ready** tab once they're successfully registered with Windows Autopatch. When devices don't meet one or more post-device registration readiness checks, the devices are moved to the **Not ready** tab. IT admins can learn about these devices and take appropriate actions to remediate them. Windows Autopatch provides information about the failure and how to potentially remediate devices.

Once devices are remediated, it can take up to **24 hours** to appear in the **Ready** tab.

| ## Additional resources diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md index f59aeefc45..026f05bd13 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md @@ -20,7 +20,7 @@ ms.collection: [!INCLUDE [windows-autopatch-applies-to-all-licenses](../includes/windows-autopatch-applies-to-all-licenses.md)] > [!IMPORTANT] -> This feature is in public preview. It is being actively developed and might not be complete. They're made available on a "Preview" basis. You can test and use these features in production environments and scenarios and provide feedback. +> This feature is in public preview. It's being actively developed and might not be complete. They're made available on a "Preview" basis. You can test and use these features in production environments and scenarios and provide feedback. Hotpatch updates are [Monthly B release security updates](/windows/deployment/update/release-cycle#monthly-security-update-release) that can be installed without requiring you to restart the device. Hotpatch updates are designed to reduce downtime and disruptions. By minimizing the need to restart, these updates help ensure faster compliance, making it easier for organizations to maintain security while keeping workflows uninterrupted. 
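Review bot: the @@ -66 hunk of windows-autopatch-post-reg-readiness-checks introduces a subject-verb mismatch: "The **Microsoft Cloud Managed Desktop Extension** and **Windows Autopatch Client Broker** has the Device Readiness Check Plugin" should be "have" (the last sentence of the same hunk correctly says "are subcomponents"). The untouched opening sentence of that paragraph still says the checks "are powered by the **Microsoft Cloud Managed Desktop Extension**" alone and that "It's installed right after devices are successfully registered", so after this change the paragraph contradicts itself about which component does the work; name both agents in the opening sentence, and say whether the Client Broker is also installed at registration, to match the table header change in the @@ -36 hunk.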
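Review bot: Step 9 in the @@ -90 hunk says the "Microsoft Cloud Managed Desktop Extension and Windows Autopatch Client Broker service evaluates the readiness results gathered by its agent", treating two components as one singular service with one agent, while Step 8 in the same hunk says "agents perform readiness checks". Either each service evaluates its own agent's results, or a single service component receives both sets; the text should say which, and the verb and pronoun should agree with that choice ("services evaluate the readiness results gathered by their agents").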
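Review bot: the @@ -99 hunk adds the Windows Autopatch Client Broker as a collector of readiness statuses but keeps the single log path `%programdata%\Microsoft\CMDExtension\Plugins\DeviceReadinessPlugin\Logs\DRCResults.json.log`, which sits under the CMDExtension tree. If the broker writes its results elsewhere, an admin troubleshooting a **Not ready** device needs that path too; if it writes to the same file, say so. Two grammar points in the same hunk: "agents collect device readiness statuses when it runs" should be "when they run", and "sent over to **Microsoft Cloud Managed Desktop Extension** and **Windows Autopatch Client Broker** service" lost its article ("to the ... service").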
@@ -30,6 +30,25 @@ Hotpatch updates are [Monthly B release security updates](/windows/deployment/up - No changes are required to your existing update ring configurations. Your existing ring configurations are honored alongside Hotpatch policies. - The [Hotpatch quality update report](../monitor/windows-autopatch-hotpatch-quality-update-report.md) provides a per policy level view of the current update statuses for all devices that receive Hotpatch updates. +## Operating system configuration prerequisites + +To prepare a device to receive Hotpatch updates, configure the following operating system settings on the device. You must configure these settings for the device to be offered the Hotpatch update and to apply all Hotpatch updates. + +### Virtualization based security (VBS) + +VBS must be turned on for a device to be offered Hotpatch updates. For information on how to set and detect if VBS is enabled, see [Virtualization-based Security (VBS)](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity?tabs=security). + +### Arm 64 devices must disable compiled hybrid PE usage (CHPE) (Arm 64 CPU Only) + +This requirement only applies to Arm 64 CPU devices when using Hotpatch updates. Hotpatch updates aren't compatible with servicing CHPE OS binaries located in the `%SystemRoot%\SyChpe32` folder. To ensure all the Hotpatch updates are applied, you must set the CHPE disable flag and restart the device to disable CHPE usage. You only need to set this flag one time. The registry setting remains applied through updates. To disable CHPE, set the following registry key: +Path: `**HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management**` +Key value: `**HotPatchRestrictions=1**` + +> [!IMPORTANT] +> This setting is required because it forces the operating system to use the emulation x86-only binaries instead of CHPE binaries on Arm 64 devices. 
CHPE binaries include native Arm 64 code to improve performance, excluding the CHPE binaries might affect performance or compatibility. Be sure to test application compatibility and performance before rolling out Hotpatch updates widely on Arm 64 CPU based devices. + +If you choose to no longer use Hotpatch updates, clear the CHPE disable flag (`HotPatchRestrictions=0`) then restart the device to turn on CHPE usage. + ## Eligible devices To benefit from Hotpatch updates, devices must meet the following prerequisites: @@ -57,7 +76,7 @@ For more information about the release calendar for Hotpatch updates, see [Relea ## Enroll devices to receive Hotpatch updates > [!NOTE] -> If you're using Autopatch groups and want your devices to receive Hotpatch updates, you must create a Hotpatch policy and assign devices to it. Turning on Hotpatch updates doesn't change the deferral setting applied to devices within an Autopatch group. +> If you're using Autopatch groups and want your devices to receive Hotpatch updates, you must create a Hotpatch policy and assign devices to it. Turning on Hotpatch updates doesn't change the deferral setting applied to devices within an Autopatch group. **To enroll devices to receive Hotpatch updates:** 
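Review bot: the registry instructions in the @@ -30 hunk of windows-autopatch-hotpatch-updates put bold markers inside code spans (`**HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management**`, `**HotPatchRestrictions=1**`), which render as literal asterisks, and "Key value: HotPatchRestrictions=1" doesn't say whether that is a value name with data 1 or a string. Use the layout this same patch uses for ScanBeforeInitialLogonAllowed in the Windows Update hunk above (Registry key / DWORD value name / Value data), for example Registry key: `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management`, value name: HotPatchRestrictions, value data: 1, naming the value type explicitly. The IMPORTANT note's "forces the operating system to use the emulation x86-only binaries instead of CHPE binaries" reads better as "to use the x86-only (emulated) binaries instead of the CHPE binaries", and since the setting survives updates, the last paragraph's instruction to set `HotPatchRestrictions=0` and restart is the only way back, so it's worth stating that the restart is required before CHPE binaries are used again.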
@@ -67,7 +86,7 @@ For more information about the release calendar for Hotpatch updates, see [Relea 1. Go to the **Quality updates** tab. 1. Select **Create**, and select **Windows quality update policy (preview)**. 1. Under the **Basics** section, enter a name for your new policy and select Next. -1. Under the **Settings** section, set **"When available, apply without restarting the device ("hotpatch")** to **Allow**. Then, select **Next**. +1. Under the **Settings** section, set **"When available, apply without restarting the device ("Hotpatch")** to **Allow**. Then, select **Next**. 1. Select the appropriate Scope tags or leave as Default and select **Next**. 1. Assign the devices to the policy and select **Next**. 1. Review the policy and select **Create**. @@ -75,4 +94,4 @@ For more information about the release calendar for Hotpatch updates, see [Relea These steps ensure that targeted devices, which are [eligible](#eligible-devices) to receive Hotpatch updates, are configured properly. [Ineligible devices](#ineligible-devices) are offered the latest cumulative updates (LCU). > [!NOTE] -> Turning on Hotpatch updates doesn't change the existing deadline-driven or scheduled install configurations on your managed devices. Deferral and active hour settings will still apply. +> Turning on Hotpatch updates doesn't change the existing deadline-driven or scheduled install configurations on your managed devices. Deferral and active hour settings still apply. diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-autopatch-groups.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-autopatch-groups.md index cce3435eec..ffcd082e07 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-autopatch-groups.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-autopatch-groups.md 
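Review bot: the changed UI string in the @@ -67 hunk has unbalanced quotes: `**"When available, apply without restarting the device ("Hotpatch")**` opens a quote that never closes and then nests quotes around Hotpatch. Quoted UI labels should match the portal text exactly, so if the portal still shows lowercase "hotpatch" the capitalization change should be reverted, and if the portal changed, the whole label should be quoted once without the stray leading quote.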
@@ -78,6 +78,9 @@ Before you start managing Autopatch groups, ensure you meet the [Windows Autopat > [!IMPORTANT] > Windows Autopatch creates the device-based Microsoft Entra ID assigned groups based on the choices made in the deployment ring composition page. Additionally, the service assigns the update ring policies for each deployment ring created in the Autopatch group based on the choices made in the Windows Update settings page as part of the Autopatch group guided end-user experience. +> [!CAUTION] +> If a device that was previously added to an Autopatch group uses an Entra group (via Assigned groups or Dynamic distribution method) is removed from the Entra group, the device is removed and de-registered from the Autopatch service. The removed device no longer has any Autopatch service-created policies applied to it and the device won't appear in the Autopatch devices reports. + ## Rename an Autopatch group **To rename an Autopatch group:** diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-driver-and-firmware-updates.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-driver-and-firmware-updates.md index ddab13c440..e968491819 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-driver-and-firmware-updates.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-driver-and-firmware-updates.md 
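Review bot: the new CAUTION sentence doesn't parse: "If a device that was previously added to an Autopatch group uses an Entra group (...) is removed from the Entra group, the device is removed..." gives one subject two competing verbs. Suggest: "If a device is removed from the Microsoft Entra group that an Autopatch group uses (Assigned groups or Dynamic distribution method), the device is de-registered from the Autopatch service, no longer has any Autopatch service-created policies applied, and no longer appears in the Autopatch device reports." Also use "Microsoft Entra" rather than "Entra" to match "Microsoft Entra ID assigned groups" in the IMPORTANT note directly above.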
@@ -68,7 +68,7 @@ For deployment rings set to **Automatic**, you can choose the deferral period fo The deferral period allows you to delay the installation of driver and firmware updates on the devices in the specified deployment ring in case you want to test the update on a smaller group of devices first or avoid potential disruptions during a busy period. -The deferral period can be set from 0 to 14 days, and it can be different for each deployment ring. +The deferral period can be set from 0 to 30 days, and it can be different for each deployment ring. > [!NOTE] > The deferral period only applies to automatically approved driver and firmware updates. An admin must specify the date to start offering a driver with any manual approval. diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-update-rings.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-update-rings.md index e68df90cbb..81669a6614 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-update-rings.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-update-rings.md @@ -1,7 +1,7 @@ --- title: Manage Update rings description: How to manage update rings -ms.date: 09/16/2024 +ms.date: 12/10/2024 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to @@ -43,7 +43,7 @@ Imported rings automatically register all targeted devices into Windows Autopatc 2. Select **Devices** from the left navigation menu. 3. Under the **Manage updates** section, select **Windows updates**. 4. In the **Windows updates** blade, go to the **Update rings** tab. -5. Select **Enroll policies**. +5. Select **Enroll policies**. **This step only applies if you've gone through [feature activation](../prepare/windows-autopatch-feature-activation.md)**. 6. Select the existing rings you would like to import. 7. Select **Import**. 
diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-programmatic-controls.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-programmatic-controls.md index 77acf64924..2aefa858cc 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-programmatic-controls.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-programmatic-controls.md @@ -14,7 +14,7 @@ ms.localizationpriority: medium appliesto: - ✅ Windows 11 - ✅ Windows 10 -ms.date: 09/24/2024 +ms.date: 12/10/2024 --- # Programmatic controls for expedited Windows quality updates @@ -34,6 +34,9 @@ In this article, you will: All of the [Windows Autopatch prerequisites](../prepare/windows-autopatch-prerequisites.md) must be met, including ensuring that the *Update Health Tools* is installed on the clients. +> [!IMPORTANT] +> This step isn't required if your device is running Windows 11 24H2 and later. + - The *Update Health Tools* are installed starting with [KB4023057](https://support.microsoft.com/kb/4023057). To confirm the presence of the Update Health Tools on a device, use one of the following methods: - Run a [readiness test for expedited updates](#readiness-test-for-expediting-updates) - Look for the folder **C:\Program Files\Microsoft Update Health Tools** or review *Add Remove Programs* for **Microsoft Update Health Tools**. 
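Review bot: the new IMPORTANT note "This step isn't required if your device is running Windows 11 24H2 and later" sits between the prerequisites sentence and the *Update Health Tools* bullet, so "this step" has no clear referent; say explicitly that installing the Update Health Tools isn't required on Windows 11, version 24H2 or later (using the "version 24H2" form this patch uses elsewhere, for example "Windows 11, version 22H2" in the CiTool hunk). It would also help to say whether the readiness test for expediting updates described later in the article reports such devices as ready without the tools present.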
@@ -269,7 +272,7 @@ The request returns a 201 Created response code and a [deployment](/graph/api/re ## Add members to the deployment audience -The **Audience ID**, `d39ad1ce-0123-4567-89ab-cdef01234567`, was created when the deployment was created. The **Audience ID** is used to add members to the deployment audience. After the deployment audience is updated, Windows Update starts offering the update to the devices according to the deployment settings. As long as the deployment exists and the device is in the audience, the update will be expedited. +The **Audience ID**, `d39ad1ce-0123-4567-89ab-cdef01234567`, was created when the deployment was created. The **Audience ID** is used to add members to the deployment audience. After the deployment audience is updated, Windows Update starts offering the update to the devices according to the deployment settings. As long as the deployment exists and the device is in the audience, the update is expedited. The following example adds two devices to the deployment audience using the **Microsoft Entra ID** for each device: @@ -299,7 +302,7 @@ To verify the devices were added to the audience, run the following query using ## Delete a deployment -To stop an expedited deployment, DELETE the deployment. Deleting the deployment will prevent the content from being offered to devices if they haven't already received it. To resume offering the content, a new approval will need to be created. +To stop an expedited deployment, DELETE the deployment. Deleting the deployment prevents the content from being offered to devices if they haven't already received it. To resume offering the content, a new approval must be created. The following example deletes the deployment with a **Deployment ID** of `de910e12-3456-7890-abcd-ef1234567890`: 
@@ -309,7 +312,7 @@ DELETE https://graph.microsoft.com/beta/admin/windows/updates/deployments/de910e ## Readiness test for expediting updates -You can verify the readiness of clients to receive expedited updates by using [isReadinessTest](/graph/api/resources/windowsupdates-expeditesettings). Create a deployment that specifies it's an expedite readiness test, then add members to the deployment audience. The service will check to see if the clients meet the prerequisites for expediting updates. The results of the test are displayed in the [Windows Update for Business reports workbook](/windows/deployment/update/wufb-reports-workbook#quality-updates-tab). Under the **Quality updates** tab, select the **Expedite status** tile, which opens a flyout with a **Readiness** tab with the readiness test results. +You can verify the readiness of clients to receive expedited updates by using [isReadinessTest](/graph/api/resources/windowsupdates-expeditesettings). Create a deployment that specifies it's an expedite readiness test, then add members to the deployment audience. The service checks to see if the clients meet the prerequisites for expediting updates. The results of the test are displayed in the [Windows Update for Business reports workbook](/windows/deployment/update/wufb-reports-workbook#quality-updates-tab). Under the **Quality updates** tab, select the **Expedite status** tile, which opens a flyout with a **Readiness** tab with the readiness test results. ```msgraph-interactive POST https://graph.microsoft.com/beta/admin/windows/updates/deployments diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-summary-dashboard.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-summary-dashboard.md index 3df6e2730f..fe310f106a 100644 --- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-summary-dashboard.md 
+++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-summary-dashboard.md @@ -48,6 +48,9 @@ The following information is available in the Summary dashboard: | Not ready | Total device count reporting the Not ready status. For more information, see [Not ready](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-up-to-date-devices). | | % with the target feature update | Percent of [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices) devices on the targeted feature update. | +> [!NOTE] +> The Windows Autopatch feature update report always displays the higher Windows version a device is taking. If target versions are identical, the report shows the most recent release or binding time. Release takes precedence over standalone DSS policy. + ## Report options The following options are available: diff --git a/windows/security/application-security/application-control/app-control-for-business/deployment/appcontrol-deployment-guide.md b/windows/security/application-security/application-control/app-control-for-business/deployment/appcontrol-deployment-guide.md index 4ee7ef2757..42881a0f12 100644 --- a/windows/security/application-security/application-control/app-control-for-business/deployment/appcontrol-deployment-guide.md +++ b/windows/security/application-security/application-control/app-control-for-business/deployment/appcontrol-deployment-guide.md 
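Review bot: the new NOTE in the feature update summary dashboard uses "DSS" without expansion and "the higher Windows version a device is taking" is vague. Expand DSS on first use and state the rule plainly, for example: "When a device is targeted by more than one feature update policy, the report shows the highest targeted version; if the targeted versions are identical, it shows the policy with the most recent release or binding time, and a release takes precedence over a standalone DSS policy."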
@@ -43,7 +43,7 @@ All App Control for Business policy changes should be deployed in audit mode bef ## Choose how to deploy App Control policies > [!IMPORTANT] -> Due to a known issue, you should always activate new **signed** App Control Base policies with a reboot on systems with [**memory integrity**](../../../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md) enabled. We recommend [deploying via script](deploy-appcontrol-policies-with-script.md) in this case. +> Due to a known issue in Windows 11 updates earlier than 2024 (24H2), you should activate new **signed** App Control Base policies with a reboot on systems with [**memory integrity**](../../../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md) enabled. We recommend [deploying via script](deploy-appcontrol-policies-with-script.md) in this case. > > This issue does not affect updates to signed Base policies that are already active on the system, deployment of unsigned policies, or deployment of supplemental policies (signed or unsigned). It also does not affect deployments to systems that are not running memory integrity. diff --git a/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules.md b/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules.md index 3ce08b2022..67506d5785 100644 --- a/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules.md +++ b/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules.md @@ -81,7 +81,7 @@ The following recommended blocklist xml policy file can also be downloaded from ```xml - 10.0.27685.0 + 10.0.27770.0 {2E07F7E4-194C-4D20-B7C9-6F44A6C5A234} 
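Review bot: "a known issue in Windows 11 updates earlier than 2024 (24H2)" in the appcontrol-deployment-guide hunk mixes a year with a version; write "in Windows 11 versions earlier than version 24H2" (or "Windows 11, version 23H2 and earlier"). Because this IMPORTANT note governs how a **signed** Base policy is activated on systems with memory integrity enabled, it should also say what happens on affected builds if the reboot is skipped, and whether the recommendation to deploy via script still applies on version 24H2 and later; as written, a reader on 24H2 can't tell which part of the guidance still applies to them.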
@@ -378,6 +378,26 @@ The following recommended blocklist xml policy file can also be downloaded from + + + + + + + + + + + + + + + + + + + + @@ -552,6 +572,12 @@ The following recommended blocklist xml policy file can also be downloaded from + + + + + + @@ -1015,10 +1041,10 @@ The following recommended blocklist xml policy file can also be downloaded from - - - - + + + + @@ -1238,6 +1264,8 @@ The following recommended blocklist xml policy file can also be downloaded from + + @@ -1266,150 +1294,150 @@ The following recommended blocklist xml policy file can also be downloaded from - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -1579,6 +1607,70 @@ The following recommended blocklist xml policy file can also be downloaded from + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -1716,6 +1808,7 @@ The following recommended blocklist xml policy file can also be downloaded from + @@ -1736,6 +1829,7 @@ The following recommended blocklist xml policy file can also be downloaded from + @@ -1781,6 +1875,7 @@ The following recommended blocklist xml policy file can also be downloaded from + @@ -1852,6 +1947,7 @@ The following recommended blocklist xml policy file can also be downloaded from + @@ -1879,6 +1975,7 @@ The following recommended blocklist xml policy file can also be downloaded from + 
@@ -1898,6 +1995,7 @@ The following recommended blocklist xml policy file can also be downloaded from + @@ -1925,6 +2023,7 @@ The following recommended blocklist xml policy file can also be downloaded from + @@ -1944,6 +2043,7 @@ The following recommended blocklist xml policy file can also be downloaded from + @@ -2016,6 +2116,7 @@ The following recommended blocklist xml policy file can also be downloaded from + @@ -2035,9 +2136,10 @@ The following recommended blocklist xml policy file can also be downloaded from + - + @@ -2053,6 +2155,7 @@ The following recommended blocklist xml policy file can also be downloaded from + @@ -2071,6 +2174,7 @@ The following recommended blocklist xml policy file can also be downloaded from + @@ -2103,7 +2207,7 @@ The following recommended blocklist xml policy file can also be downloaded from - + @@ -2157,6 +2261,7 @@ The following recommended blocklist xml policy file can also be downloaded from + @@ -2176,6 +2281,7 @@ The following recommended blocklist xml policy file can also be downloaded from + @@ -2345,6 +2451,7 @@ The following recommended blocklist xml policy file can also be downloaded from + @@ -2663,7 +2770,17 @@ The following recommended blocklist xml policy file can also be downloaded from - + + + + + + + + + + + @@ -2809,6 +2926,43 @@ The following recommended blocklist xml policy file can also be downloaded from + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2916,12 +3070,40 @@ The following recommended blocklist xml policy file can also be downloaded from + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2929,10 +3111,13 @@ The following recommended blocklist xml policy file can also be downloaded from + + + @@ -2956,6 +3141,10 @@ The following recommended blocklist xml policy file can also be downloaded from + + + + @@ -2967,6 +3156,7 @@ The following recommended blocklist xml policy file can also be downloaded from + 
@@ -3011,6 +3201,10 @@ The following recommended blocklist xml policy file can also be downloaded from + + + + @@ -3034,6 +3228,7 @@ The following recommended blocklist xml policy file can also be downloaded from + @@ -3071,6 +3266,8 @@ The following recommended blocklist xml policy file can also be downloaded from + + @@ -3382,6 +3579,26 @@ The following recommended blocklist xml policy file can also be downloaded from + + + + + + + + + + + + + + + + + + + + @@ -3556,6 +3773,12 @@ The following recommended blocklist xml policy file can also be downloaded from + + + + + + @@ -4025,9 +4248,9 @@ The following recommended blocklist xml policy file can also be downloaded from - - - + + + @@ -4243,6 +4466,8 @@ The following recommended blocklist xml policy file can also be downloaded from + + @@ -4275,78 +4500,78 @@ The following recommended blocklist xml policy file can also be downloaded from - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -4356,78 +4581,78 @@ The following recommended blocklist xml policy file can also be downloaded from - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -4588,6 +4813,70 @@ The following recommended blocklist xml policy file can also be downloaded from + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -4713,16 +5002,16 @@ The following recommended blocklist xml policy file can also be downloaded from - - - - - - - - - - + + + + + + + + + + 
@@ -4745,7 +5034,7 @@ The following recommended blocklist xml policy file can also be downloaded from - 10.0.27685.0 + 10.0.27770.0 diff --git a/windows/security/application-security/application-control/app-control-for-business/operations/citool-commands.md b/windows/security/application-security/application-control/app-control-for-business/operations/citool-commands.md index c8bb39fb47..617ba5eb29 100644 --- a/windows/security/application-security/application-control/app-control-for-business/operations/citool-commands.md +++ b/windows/security/application-security/application-control/app-control-for-business/operations/citool-commands.md @@ -9,7 +9,7 @@ appliesto: # CiTool technical reference -CiTool makes App Control for Business policy management easier for IT admins. You can use this tool to manage App Control for Business policies and CI tokens. This article describes how to use CiTool to update and manage policies. It's currently included as part of the Windows image in Windows 11, version 22H2. +CiTool makes App Control for Business policy management easier for IT admins. You can use this tool to manage App Control for Business policies and CI tokens. This article describes how to use CiTool to update and manage policies. It's included in the Windows images starting with Windows 11, version 22H2, and Windows Server 2025. ## Policy commands diff --git a/windows/security/book/application-security-application-and-driver-control.md b/windows/security/book/application-security-application-and-driver-control.md index 9efc2c0f96..d69dbb0445 100644 --- a/windows/security/book/application-security-application-and-driver-control.md +++ b/windows/security/book/application-security-application-and-driver-control.md 
@@ -1,77 +1,20 @@ --- -title: Windows 11 security book - Application and driver control +title: Windows 11 Security Book - Application And Driver Control description: Application and driver control. ms.topic: overview -ms.date: 11/18/2024 +ms.date: 12/11/2024 --- # Application and driver control :::image type="content" source="images/application-security.png" alt-text="Diagram containing a list of application security features." lightbox="images/application-security.png" border="false"::: -Windows 11 offers a rich application platform with layers of security like isolation and code integrity that help protect your valuable data. Developers can also take advantage of these -capabilities to build in security from the ground up to protect against breaches and malware. +[!INCLUDE [smart-app-control](includes/smart-app-control.md)] -## Smart App Control +[!INCLUDE [app-control-for-business](includes/app-control-for-business.md)] -Smart App Control prevents users from running malicious applications by blocking untrusted or unsigned applications. Smart App Control goes beyond previous built-in browser protections by adding another layer of security that is woven directly into the core of the OS at the process level. Using AI, Smart App Control only allows processes to run if they're predicted to be safe based on existing and new intelligence updated daily. +[!INCLUDE [administrator-protection](includes/administrator-protection.md)] -Smart App Control builds on top of the same cloud-based AI used in *App Control for Business* to predict the safety of an application, so that users can be confident that their applications are safe and reliable. Additionally, Smart App Control blocks unknown script files and macros from the web, greatly improving security for everyday users. 
+[!INCLUDE [microsoft-vulnerable-driver-blocklist](includes/microsoft-vulnerable-driver-blocklist.md)] -We've been making significant improvements to Smart App Control to increase the security, usability, and cloud intelligence response for apps in the Windows ecosystem. Users can get the latest and best experience with Smart App Control by keeping their devices up to date via Windows Update every month. - -To ensure that users have a seamless experience with Smart App Control enabled, we ask developers to sign their applications with a code signing certificate from the Microsoft Trusted Root Program. Developers should include all binaries, such as exe, dll, temp installer files, and uninstallers. Trusted Signing makes the process of obtaining, maintaining, and signing with a trusted certificate simple and secure. - -Smart App Control is disabled on devices enrolled in enterprise management. We suggest enterprises running line-of-business applications continue to use *App Control for Business*. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Smart App Control][LINK-1] - -## App Control for Business - -Your organization is only as secure as the applications that run on your devices. With *application control*, apps must earn trust to run, in contrast to an application trust model where all code is assumed trustworthy. By helping prevent unwanted or malicious code from running, application control is an important part of an effective security strategy. Many organizations cite application control as one of the most effective means of defending against executable file-based malware. - -App Control for Business (previously called *Windows Defender Application Control*) and AppLocker are both included in Windows. App Control for Business is the next-generation app control solution for Windows and provides powerful control over what runs in your environment. 
Organizations that were using AppLocker on previous versions of Windows, can continue to use the feature as they consider whether to switch to App Control for Business for stronger protection. - -Microsoft Intune[\[4\]](conclusion.md#footnote4) can configure App Control for Business in the admin console, including setting up Intune as a managed installer. Intune includes built-in options for App Control for Business and the possibility to upload policies as an XML file for Intune to package and deploy. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Application Control for Windows][LINK-2] -- [Automatically allow apps deployed by a managed installer with App Control for Business][LINK-3] - -## :::image type="icon" source="images/soon-button-title.svg" border="false"::: Administrator protection - -When users sign in with administrative rights to Windows, they have the power to make significant changes to the system, which can impact its overall security. These rights can be a target for malicious software. - -Administrator protection is a new security feature in Windows 11 designed to safeguard these administrative rights. It allows administrators to perform all necessary functions with **just-in-time administrative rights**, while running most tasks without administrative privileges. The goal of administrator protection is to provide a secure and seamless experience, ensuring users operate with the least required privileges. - -When administrator protection is enabled, if an app needs special permissions like administrative rights, the user is asked for approval. When an approval is needed, Windows Hello provides a secure and easy way to approve or deny these requests. - -> [!NOTE] -> Administrator protection is currently in preview. For devices running previous versions of Windows, refer to [User Account Control (UAC)][LINK-5]. 
- -## Microsoft vulnerable driver blocklist - -The Windows kernel is the most privileged software and is therefore a compelling target for malware authors. Since Windows has strict requirements for code running in the kernel, cybercriminals commonly exploit vulnerabilities in kernel drivers to get access. Microsoft works with ecosystem partners to constantly identify and respond to potentially vulnerable kernel drivers. To prevent vulnerable versions of drivers from running, Windows has a *block policy* turned on by default. Users can configure the policy from the Windows Security app. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Microsoft recommended driver block rules][LINK-4] - -## :::image type="icon" source="images/new-button-title.svg" border="false"::: Trusted Signing - -Trusted Signing is a Microsoft fully managed, end-to-end signing solution that simplifies the signing process and empowers third-party developers to easily build and distribute applications. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [What is Trusted Signing](/azure/trusted-signing/overview) - - - -[LINK-1]: /windows/apps/develop/smart-app-control/overview -[LINK-2]: /windows/security/application-security/application-control/windows-defender-application-control/wdac -[LINK-3]: /windows/security/application-security/application-control/app-control-for-business/design/configure-authorized-apps-deployed-with-a-managed-installer -[LINK-4]: /windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules -[LINK-5]: /windows/security/identity-protection/user-account-control/how-user-account-control-works +[!INCLUDE [trusted-signing](includes/trusted-signing.md)] diff --git a/windows/security/book/application-security-application-isolation.md b/windows/security/book/application-security-application-isolation.md index f5a440d04b..00bf51928f 100644 --- a/windows/security/book/application-security-application-isolation.md 
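Review bot: the refactor of application-security-application-and-driver-control.md into includes drops the page's opening paragraph ("Windows 11 offers a rich application platform with layers of security like isolation and code integrity...") without moving it into any of the new include files, so the page now goes straight from the diagram to the Smart App Control heading. Either keep that paragraph above the first `[!INCLUDE ...]` or fold it into smart-app-control.md. Secondary: the new `title:` capitalizes "And" ("Application And Driver Control") while the H1 in the same file keeps sentence case ("Application and driver control"); the two should match.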
+++ b/windows/security/book/application-security-application-isolation.md 
@@ -1,100 +1,20 @@ --- -title: Windows 11 security book - Application isolation +title: Windows 11 Security Book - Application Isolation description: Application isolation. ms.topic: overview -ms.date: 11/18/2024 +ms.date: 12/11/2024 --- # Application isolation :::image type="content" source="images/application-security.png" alt-text="Diagram containing a list of application security features." lightbox="images/application-security.png" border="false"::: -## :::image type="icon" source="images/new-button-title.svg" border="false"::: Win32 app isolation +[!INCLUDE [win32-app-isolation](includes/win32-app-isolation.md)] -Win32 app isolation is a security feature designed to be the default isolation standard on Windows clients. It's built on [AppContainer][LINK-1], and offers several added security features to help the Windows platform defend against attacks that use vulnerabilities in applications or third-party libraries. To isolate their applications, developers can update them using Visual Studio. +[!INCLUDE [app-containers](includes/app-containers.md)] -Win32 app isolation follows a two-step process: +[!INCLUDE [windows-sandbox](includes/windows-sandbox.md)] -- In the first step, the Win32 application is launched as a low-integrity process using AppContainer, which is recognized as a security boundary by Windows. The process is limited to a specific set of Windows APIs by default and is unable to inject code into any process operating at a higher integrity level -- In the second step, least privilege is enforced by granting authorized access to Windows securable objects. This access is determined by capabilities that are added to the application manifest through MSIX packaging. *Securable objects* in this context refers to Windows resources whose access is safeguarded by capabilities. 
These capabilities enable the implantation of a [Discretionary Access Control List][LINK-2] on Windows +[!INCLUDE [windows-subsystem-for-linux](includes/windows-subsystem-for-linux.md)] -To help ensuring that isolated applications run smoothly, developers must define the access requirements for the application via access capability declarations in the application package manifest. The *Application Capability Profiler (ACP)* simplifies the entire process by allowing the application to run in *learn mode* with low privileges. Instead of denying access if the capability isn't present, ACP allows access and logs additional capabilities required for access if the application were to run isolated. - -To create a smooth user experience that aligns with nonisolated, native Win32 applications, two key factors should be taken into consideration: - -- Approaches for accessing data and privacy information -- Integrating Win32 apps for compatibility with other Windows interfaces - -The first factor relates to implementing methods to manage access to files and privacy information within and outside the isolation boundary AppContainer. The second factor involves integrating Win32 apps with other Windows interfaces in a way that helps enable seamless functionality without causing perplexing user consent prompts. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Win32 app isolation overview][LINK-4] -- [Application Capability Profiler (ACP)][LINK-5] -- [Packaging a Win32 app isolation application with Visual Studio][LINK-6] -- [Sandboxing Python with Win32 app isolation][LINK-7] - -## App containers - -In addition to Windows Sandbox for Win32 apps, Universal Windows Platform (UWP) applications run in Windows containers known as *app containers*. App containers act as process and resource isolation boundaries, but unlike Docker containers, these are special containers designed to run Windows applications. 
- -Processes that run in app containers operate at a low integrity level, meaning they have limited access to resources they don't own. Because the default integrity level of most resources is medium integrity level, the UWP app can access only a subset of the file system, registry, and other resources. The app container also enforces restrictions on network connectivity. For example, access to a local host isn't allowed. As a result, malware or infected apps have limited footprint for escape. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Windows and app container][LINK-8] - -## Windows Sandbox - -Windows Sandbox provides a lightweight desktop environment to safely run untrusted Win32 applications in isolation, using the same hardware-based virtualization technology as Hyper-V. Any untrusted Win32 app installed in Windows Sandbox stays only in the sandbox and can't affect the host. - -Once Windows Sandbox is closed, nothing persists on the device. All the software with all its files and state are permanently deleted after the untrusted Win32 application is closed. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Windows Sandbox][LINK-9] - -## Windows Subsystem for Linux (WSL) - -With Windows Subsystem for Linux (WSL) you can run a Linux environment on a Windows device, without the need for a separate virtual machine or dual booting. WSL is designed to provide a seamless and productive experience for developers who want to use both Windows and Linux at the same time. 
- -[!INCLUDE [new-24h2](includes/new-24h2.md)] - -- **Hyper-V Firewall** is a network firewall solution that enables filtering of inbound and outbound traffic to/from WSL containers hosted by Windows -- **DNS Tunneling** is a networking setting that improves compatibility in different networking environments, making use of virtualization features to obtain DNS information rather than a networking packet -- **Auto proxy** is a networking setting that enforces WSL to use Windows' HTTP proxy information. Turn on when using a proxy on Windows, as it makes that proxy automatically apply to WSL distributions - -These features can be set up using a device management solution such as Microsoft Intune[\[7\]](conclusion.md#footnote7). Microsoft Defender for Endpoint (MDE) integrates with WSL, allowing it to monitor activities within a WSL distro and report them to the MDE dashboards. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Hyper-V Firewall][LINK-10] -- [DNS Tunneling][LINK-11] -- [Auto proxy][LINK-12] -- [Intune setting for WSL][LINK-13] -- [Microsoft Defender for Endpoint plug-in for WSL][LINK-14] - -## :::image type="icon" source="images/new-button-title.svg" border="false"::: Virtualization-based security enclaves - -A **Virtualization-based security enclave** is a software-based trusted execution environment (TEE) inside a host application. VBS enclaves enable developers to use VBS to protect their application's secrets from admin-level attacks. VBS enclaves are available on Windows 10 onwards on both x64 and ARM64. 
- -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Virtualization-based security enclave][LINK-15] - - - -[LINK-1]: /windows/win32/secauthz/implementing-an-appcontainer -[LINK-2]: /windows/win32/secauthz/access-control-lists -[LINK-4]: /windows/win32/secauthz/app-isolation-overview -[LINK-5]: /windows/win32/secauthz/app-isolation-capability-profiler -[LINK-6]: /windows/win32/secauthz/app-isolation-packaging-with-vs -[LINK-7]: https://blogs.windows.com/windowsdeveloper/2024/03/06/sandboxing-python-with-win32-app-isolation/ -[LINK-8]: /windows/apps/windows-app-sdk/migrate-to-windows-app-sdk/feature-mapping-table?source=recommendations -[LINK-9]: /windows/security/application-security/application-isolation/windows-sandbox -[LINK-10]: /windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall -[LINK-11]: /windows/wsl/networking#dns-tunneling -[LINK-12]: /windows/wsl/networking#auto-proxy -[LINK-13]: /windows/wsl/intune -[LINK-14]: /defender-endpoint/mde-plugin-wsl -[LINK-15]: /windows/win32/trusted-execution/vbs-enclaves +[!INCLUDE [virtualization-based-security-enclaves](includes/virtualization-based-security-enclaves.md)] diff --git a/windows/security/book/application-security.md b/windows/security/book/application-security.md index da054a7d5d..7270a50314 100644 --- a/windows/security/book/application-security.md +++ b/windows/security/book/application-security.md @@ -1,5 +1,5 @@ --- -title: Windows 11 security book - Application security +title: Windows 11 Security Book - Application Security description: Application security chapter. ms.topic: overview ms.date: 11/18/2024 diff --git a/windows/security/book/includes/administrator-protection.md b/windows/security/book/includes/administrator-protection.md new file mode 100644 index 0000000000..e993800f31 --- /dev/null +++ b/windows/security/book/includes/administrator-protection.md 
@@ -0,0 +1,18 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +ms.service: windows-client +--- + +## :::image type="icon" source="../images/soon-button-title.svg" border="false"::: Administrator protection + +When users sign in with administrative rights to Windows, they have the power to make significant changes to the system, which can impact its overall security. These rights can be a target for malicious software. + +Administrator protection is a new security feature in Windows 11 designed to safeguard these administrative rights. It allows administrators to perform all necessary functions with **just-in-time administrative rights**, while running most tasks without administrative privileges. The goal of administrator protection is to provide a secure and seamless experience, ensuring users operate with the least required privileges. + +When administrator protection is enabled, if an app needs special permissions like administrative rights, the user is asked for approval. When an approval is needed, Windows Hello provides a secure and easy way to approve or deny these requests. + +> [!NOTE] +> Administrator protection is currently in preview. For devices running previous versions of Windows, refer to [User Account Control (UAC)](/windows/security/identity-protection/user-account-control/how-user-account-control-works). \ No newline at end of file diff --git a/windows/security/book/includes/app-containers.md b/windows/security/book/includes/app-containers.md new file mode 100644 index 0000000000..32e39cdd35 --- /dev/null +++ b/windows/security/book/includes/app-containers.md 
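Review bot: administrator-protection.md ends with `\ No newline at end of file`, while the sibling includes added in this change (app-containers.md, trusted-signing.md, win32-app-isolation.md, windows-sandbox.md, windows-subsystem-for-linux.md) end with a newline; add it so the include renders consistently and later diffs of this file stay clean.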
@@ -0,0 +1,17 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +ms.service: windows-client +--- + +## App containers + +In addition to Windows Sandbox for Win32 apps, Universal Windows Platform (UWP) applications run in Windows containers known as *app containers*. App containers act as process and resource isolation boundaries, but unlike Docker containers, these are special containers designed to run Windows applications. + +Processes that run in app containers operate at a low integrity level, meaning they have limited access to resources they don't own. Because the default integrity level of most resources is medium integrity level, the UWP app can access only a subset of the file system, registry, and other resources. The app container also enforces restrictions on network connectivity. For example, access to a local host isn't allowed. As a result, malware or infected apps have limited footprint for escape. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Windows and app container](/windows/apps/windows-app-sdk/migrate-to-windows-app-sdk/feature-mapping-table?source=recommendations) diff --git a/windows/security/book/includes/app-control-for-business.md b/windows/security/book/includes/app-control-for-business.md new file mode 100644 index 0000000000..c6b63cb102 --- /dev/null +++ b/windows/security/book/includes/app-control-for-business.md 
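Review bot: app-containers.md opens with "In addition to Windows Sandbox for Win32 apps", but in the rewritten application-isolation page this include is placed before windows-sandbox.md (the include order is win32-app-isolation, app-containers, windows-sandbox, windows-subsystem-for-linux), so it refers to a section the reader has not reached yet; reword to "In addition to Win32 app isolation" or reorder the includes. Also strip the `?source=recommendations` tracking query string from the "Windows and app container" link target.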
@@ -0,0 +1,20 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +ms.service: windows-client +--- + +## App Control for Business + +Your organization is only as secure as the applications that run on your devices. With *application control*, apps must earn trust to run, in contrast to an application trust model where all code is assumed trustworthy. By helping prevent unwanted or malicious code from running, application control is an important part of an effective security strategy. Many organizations cite application control as one of the most effective means of defending against executable file-based malware. + +App Control for Business (previously called *Windows Defender Application Control*) and AppLocker are both included in Windows. App Control for Business is the next-generation app control solution for Windows and provides powerful control over what runs in your environment. Organizations that were using AppLocker on previous versions of Windows, can continue to use the feature as they consider whether to switch to App Control for Business for stronger protection. + +Microsoft Intune[\[4\]](..\conclusion.md#footnote4) can configure App Control for Business in the admin console, including setting up Intune as a managed installer. Intune includes built-in options for App Control for Business and the possibility to upload policies as an XML file for Intune to package and deploy. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Application Control for Windows](/windows/security/application-security/application-control/windows-defender-application-control/wdac) +- [Automatically allow apps deployed by a managed installer with App Control for Business](/windows/security/application-security/application-control/app-control-for-business/design/configure-authorized-apps-deployed-with-a-managed-installer) 
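Review bot: the footnote link in app-control-for-business.md uses backslashes (`[\[4\]](..\conclusion.md#footnote4)`), which the markdown renderer will not treat as a relative path; windows-subsystem-for-linux.md in the same change uses `../conclusion.md#footnote7`, so change this one to `../conclusion.md#footnote4`. Also, the first learn-more link still points at the legacy `windows-defender-application-control/wdac` path while the second already uses `app-control-for-business/...`, the same root that citool-commands.md in this change lives under; point both at the current tree rather than relying on a redirect.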
diff --git a/windows/security/book/includes/microsoft-vulnerable-driver-blocklist.md b/windows/security/book/includes/microsoft-vulnerable-driver-blocklist.md new file mode 100644 index 0000000000..73ddeba96b --- /dev/null +++ b/windows/security/book/includes/microsoft-vulnerable-driver-blocklist.md @@ -0,0 +1,15 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +ms.service: windows-client +--- + +## Microsoft vulnerable driver blocklist + +The Windows kernel is the most privileged software and is therefore a compelling target for malware authors. Since Windows has strict requirements for code running in the kernel, cybercriminals commonly exploit vulnerabilities in kernel drivers to get access. Microsoft works with ecosystem partners to constantly identify and respond to potentially vulnerable kernel drivers. To prevent vulnerable versions of drivers from running, Windows has a *block policy* turned on by default. Users can configure the policy from the Windows Security app. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Microsoft recommended driver block rules](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules) \ No newline at end of file diff --git a/windows/security/book/includes/smart-app-control.md b/windows/security/book/includes/smart-app-control.md new file mode 100644 index 0000000000..9d3548d40f --- /dev/null +++ b/windows/security/book/includes/smart-app-control.md 
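Review bot: microsoft-vulnerable-driver-blocklist.md links the driver block rules at the legacy `/windows/security/threat-protection/windows-defender-application-control/...` path, whereas this same change shows the App Control docs living under `/windows/security/application-security/application-control/app-control-for-business/` (see the citool-commands.md file header); update the link to the current location. The file also ends with `\ No newline at end of file`; add the newline.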
@@ -0,0 +1,23 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +ms.service: windows-client +--- + +## Smart App Control + +Smart App Control prevents users from running malicious applications by blocking untrusted or unsigned applications. Smart App Control goes beyond previous built-in browser protections by adding another layer of security that is woven directly into the core of the OS at the process level. Using AI, Smart App Control only allows processes to run if they're predicted to be safe based on existing and new intelligence updated daily. + +Smart App Control builds on top of the same cloud-based AI used in *App Control for Business* to predict the safety of an application, so that users can be confident that their applications are safe and reliable. Additionally, Smart App Control blocks unknown script files and macros from the web, greatly improving security for everyday users. + +We've been making significant improvements to Smart App Control to increase the security, usability, and cloud intelligence response for apps in the Windows ecosystem. Users can get the latest and best experience with Smart App Control by keeping their devices up to date via Windows Update every month. + +To ensure that users have a seamless experience with Smart App Control enabled, we ask developers to sign their applications with a code signing certificate from the Microsoft Trusted Root Program. Developers should include all binaries, such as exe, dll, temp installer files, and uninstallers. Trusted Signing makes the process of obtaining, maintaining, and signing with a trusted certificate simple and secure. + +Smart App Control is disabled on devices enrolled in enterprise management. We suggest enterprises running line-of-business applications continue to use *App Control for Business*. 
+ +[!INCLUDE [learn-more](learn-more.md)] + +- [Smart App Control](/windows/apps/develop/smart-app-control/overview) \ No newline at end of file diff --git a/windows/security/book/includes/trusted-signing.md b/windows/security/book/includes/trusted-signing.md new file mode 100644 index 0000000000..123195a9cc --- /dev/null +++ b/windows/security/book/includes/trusted-signing.md @@ -0,0 +1,15 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +ms.service: windows-client +--- + +## :::image type="icon" source="../images/new-button-title.svg" border="false"::: Trusted Signing + +Trusted Signing is a Microsoft fully managed, end-to-end signing solution that simplifies the signing process and empowers third-party developers to easily build and distribute applications. + +[!INCLUDE [learn-more](learn-more.md)] + +- [What is Trusted Signing](/azure/trusted-signing/overview) diff --git a/windows/security/book/includes/virtualization-based-security-enclaves.md b/windows/security/book/includes/virtualization-based-security-enclaves.md new file mode 100644 index 0000000000..238c1d1681 --- /dev/null +++ b/windows/security/book/includes/virtualization-based-security-enclaves.md @@ -0,0 +1,17 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +ms.service: windows-client +--- + +## :::image type="icon" source="../images/new-button-title.svg" border="false"::: Virtualization-based security enclaves + +A **Virtualization-based security enclave** is a software-based trusted execution environment (TEE) inside a host application. VBS enclaves enable developers to use VBS to protect their application's secrets from admin-level attacks. + +VBS enclaves are available starting in Windows 11, version 24H2, and Windows Server 2025 on both x64 and ARM64. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Virtualization-based security enclave](/windows/win32/trusted-execution/vbs-enclaves) 
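Review bot: smart-app-control.md ends with `\ No newline at end of file`; add the trailing newline like the other includes in this change. Minor: the list "exe, dll, temp installer files, and uninstallers" mixes file extensions with descriptions; rendering the extensions as code (`.exe`, `.dll`) would make the developer guidance easier to scan.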
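Review bot: virtualization-based-security-enclaves.md changes the availability statement from the old page's "VBS enclaves are available on Windows 10 onwards on both x64 and ARM64" (removed from application-security-application-isolation.md in this same change) to "available starting in Windows 11, version 24H2, and Windows Server 2025"; that is a substantive correction, not just a move, and should be called out in the change description so the security book's earlier claim is explicitly retracted. Please also confirm the linked `/windows/win32/trusted-execution/vbs-enclaves` page states the same minimum version.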
diff --git a/windows/security/book/includes/win32-app-isolation.md b/windows/security/book/includes/win32-app-isolation.md new file mode 100644 index 0000000000..88ab8625b0 --- /dev/null +++ b/windows/security/book/includes/win32-app-isolation.md 
@@ -0,0 +1,41 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +ms.service: windows-client +--- + +## :::image type="icon" source="../images/new-button-title.svg" border="false"::: Win32 app isolation + +Win32 app isolation is a security feature designed to be the default isolation standard on Windows clients. It's built on [AppContainer][LINK-1], and offers several added security features to help the Windows platform defend against attacks that use vulnerabilities in applications or third-party libraries. To isolate their applications, developers can update them using Visual Studio. + +Win32 app isolation follows a two-step process: + +- In the first step, the Win32 application is launched as a low-integrity process using AppContainer, which is recognized as a security boundary by Windows. The process is limited to a specific set of Windows APIs by default and is unable to inject code into any process operating at a higher integrity level +- In the second step, least privilege is enforced by granting authorized access to Windows securable objects. This access is determined by capabilities that are added to the application manifest through MSIX packaging. *Securable objects* in this context refers to Windows resources whose access is safeguarded by capabilities. These capabilities enable the implantation of a [Discretionary Access Control List][LINK-2] on Windows + +To help ensuring that isolated applications run smoothly, developers must define the access requirements for the application via access capability declarations in the application package manifest. The *Application Capability Profiler (ACP)* simplifies the entire process by allowing the application to run in *learn mode* with low privileges. Instead of denying access if the capability isn't present, ACP allows access and logs additional capabilities required for access if the application were to run isolated. 
+ +To create a smooth user experience that aligns with nonisolated, native Win32 applications, two key factors should be taken into consideration: + +- Approaches for accessing data and privacy information +- Integrating Win32 apps for compatibility with other Windows interfaces + +The first factor relates to implementing methods to manage access to files and privacy information within and outside the isolation boundary AppContainer. The second factor involves integrating Win32 apps with other Windows interfaces in a way that helps enable seamless functionality without causing perplexing user consent prompts. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Win32 app isolation overview][LINK-4] +- [Application Capability Profiler (ACP)][LINK-5] +- [Packaging a Win32 app isolation application with Visual Studio][LINK-6] +- [Sandboxing Python with Win32 app isolation][LINK-7] + + + +[LINK-1]: /windows/win32/secauthz/implementing-an-appcontainer +[LINK-2]: /windows/win32/secauthz/access-control-lists +[LINK-4]: /windows/win32/secauthz/app-isolation-overview +[LINK-5]: /windows/win32/secauthz/app-isolation-capability-profiler +[LINK-6]: /windows/win32/secauthz/app-isolation-packaging-with-vs +[LINK-7]: https://blogs.windows.com/windowsdeveloper/2024/03/06/sandboxing-python-with-win32-app-isolation/ diff --git a/windows/security/book/includes/windows-sandbox.md b/windows/security/book/includes/windows-sandbox.md new file mode 100644 index 0000000000..8e2f55f747 --- /dev/null +++ b/windows/security/book/includes/windows-sandbox.md 
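Review bot: the text moved into win32-app-isolation.md carries over two wording errors from the old page: "These capabilities enable the implantation of a [Discretionary Access Control List]" should read "implementation", and "To help ensuring that isolated applications run smoothly" should be "To help ensure". Since the move is otherwise verbatim, this is the place to fix them. The link list also skips `[LINK-3]` (LINK-1, -2, -4 through -7); harmless, but worth renumbering while the file is new.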
@@ -0,0 +1,17 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +ms.service: windows-client +--- + +## Windows Sandbox + +Windows Sandbox provides a lightweight desktop environment to safely run untrusted Win32 applications in isolation, using the same hardware-based virtualization technology as Hyper-V. Any untrusted Win32 app installed in Windows Sandbox stays only in the sandbox and can't affect the host. + +Once Windows Sandbox is closed, nothing persists on the device. All the software with all its files and state are permanently deleted after the untrusted Win32 application is closed. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Windows Sandbox](/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview) diff --git a/windows/security/book/includes/windows-subsystem-for-linux.md b/windows/security/book/includes/windows-subsystem-for-linux.md new file mode 100644 index 0000000000..957410b0fb --- /dev/null +++ b/windows/security/book/includes/windows-subsystem-for-linux.md 
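Review bot: windows-sandbox.md links to `/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview`, but the page it replaces (application-security-application-isolation.md, removed in this change) used `[LINK-9]: /windows/security/application-security/application-isolation/windows-sandbox`; the new include moves back to the older threat-protection path. Keep the application-isolation path unless the target page has actually moved.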
@@ -0,0 +1,35 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +ms.service: windows-client +--- + +## Windows Subsystem for Linux (WSL) + +With Windows Subsystem for Linux (WSL) you can run a Linux environment on a Windows device, without the need for a separate virtual machine or dual booting. WSL is designed to provide a seamless and productive experience for developers who want to use both Windows and Linux at the same time. + +[!INCLUDE [new-24h2](new-24h2.md)] + +- **Hyper-V Firewall** is a network firewall solution that enables filtering of inbound and outbound traffic to/from WSL containers hosted by Windows +- **DNS Tunneling** is a networking setting that improves compatibility in different networking environments, making use of virtualization features to obtain DNS information rather than a networking packet +- **Auto proxy** is a networking setting that enforces WSL to use Windows' HTTP proxy information. Turn on when using a proxy on Windows, as it makes that proxy automatically apply to WSL distributions + +These features can be set up using a device management solution such as Microsoft Intune[\[7\]](../conclusion.md#footnote7). Microsoft Defender for Endpoint (MDE) integrates with WSL, allowing it to monitor activities within a WSL distro and report them to the MDE dashboards. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Hyper-V Firewall][LINK-1] +- [DNS Tunneling][LINK-2] +- [Auto proxy][LINK-3] +- [Intune setting for WSL][LINK-4] +- [Microsoft Defender for Endpoint plug-in for WSL][LINK-5] + + + +[LINK-1]: /windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall +[LINK-2]: /windows/wsl/networking#dns-tunneling +[LINK-3]: /windows/wsl/networking#auto-proxy +[LINK-4]: /windows/wsl/intune +[LINK-5]: /defender-endpoint/mde-plugin-wsl 
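Review bot: in windows-subsystem-for-linux.md, "a networking setting that enforces WSL to use Windows' HTTP proxy information" should be "forces WSL to use" (or "makes WSL use"); "enforces" takes a rule as its object, not WSL. Also the Hyper-V Firewall bullet says traffic "to/from WSL containers hosted by Windows" while the auto proxy bullet says "apply to WSL distributions"; pick one term for the same thing.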
diff --git a/windows/security/identity-protection/enterprise-certificate-pinning.md b/windows/security/identity-protection/enterprise-certificate-pinning.md index 55551c53ca..59d5e97382 100644 --- a/windows/security/identity-protection/enterprise-certificate-pinning.md +++ b/windows/security/identity-protection/enterprise-certificate-pinning.md @@ -1,8 +1,8 @@ --- -title: Enterprise certificate pinning +title: Enterprise Certificate Pinning In Windows description: Enterprise certificate pinning is a Windows feature for remembering, or pinning, a root issuing certificate authority, or end-entity certificate to a domain name. ms.topic: concept-article -ms.date: 03/12/2024 +ms.date: 12/02/2024 --- # Enterprise certificate pinning overview diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md index 8c46258086..b0fc5d6b30 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md 
@@ -49,3 +49,31 @@ You can configure Windows devices to use the **dynamic lock** using a Group Poli The `rssiMin` attribute value signal indicates the strength needed for the device to be considered *in-range*. The default value of `-10` enables a user to move about an average size office or cubicle without triggering Windows to lock the device. The `rssiMaxDelta` has a default value of `-10`, which instruct Windows to lock the device once the signal strength weakens by more than measurement of 10. RSSI measurements are relative and lower as the bluetooth signals between the two paired devices reduces. Therefore a measurement of 0 is stronger than -10, which is stronger than -60, which is an indicator the devices are moving further apart from each other. + +## Configure Dynamic lock with Microsoft Intune + +To configure Dynamic lock using Microsoft Intune, follow these steps: + +1. Open the Microsoft Intune admin center and navigate to Devices > Windows > Configuration policies. +1. Create a new policy: + - Platform: Windows 10 and later + - Profile type: Templates - Custom + - Select Create +1. Configure the profile: + - Name: Provide a name for the profile. + - Description: (Optional) Add a description. +1. Add OMA-URI settings: + - Enable Dynamic lock: + - Name: Enable Dynamic lock + - Description: (Optional) This setting enables Dynamic lock + - OMA-URI: ./Device/Vendor/MSFT/PassportForWork/DynamicLock/DynamicLock + - Data type: Boolean + - Value: True + - Define the Dynamic lock signal rule: + - Name: Dynamic lock Signal Rule + - Description: (Optional) This setting configures Dynamic lock values + - OMA-URI: ./Device/Vendor/MSFT/PassportForWork/DynamicLock/Plugins + - Data type: String + - Value: `` +1. Assign the profile to the appropriate groups. + diff --git a/windows/security/identity-protection/passwordless-experience/index.md b/windows/security/identity-protection/passwordless-experience/index.md index 2301f86f81..cb555bfb78 100644 
--- a/windows/security/identity-protection/passwordless-experience/index.md +++ b/windows/security/identity-protection/passwordless-experience/index.md @@ -1,9 +1,9 @@ --- -title: Windows passwordless experience +title: Configure Windows Passwordless Experience With Intune description: Learn how Windows passwordless experience enables your organization to move away from passwords. ms.collection: - tier1 -ms.date: 03/12/2024 +ms.date: 12/02/2024 ms.topic: how-to appliesto: - ✅ Windows 11 diff --git a/windows/security/identity-protection/web-sign-in/index.md b/windows/security/identity-protection/web-sign-in/index.md index 86e2b4b834..a48aa3c89d 100644 --- a/windows/security/identity-protection/web-sign-in/index.md +++ b/windows/security/identity-protection/web-sign-in/index.md @@ -1,7 +1,7 @@ --- -title: Web sign-in for Windows +title: Use Web Sign-In To Enable Passwordless Sign-In In Windows description: Learn how Web sign-in in Windows works, key scenarios, and how to configure it. -ms.date: 04/10/2024 +ms.date: 12/02/2024 ms.topic: how-to appliesto: - ✅ Windows 11 diff --git a/windows/security/licensing-and-edition-requirements.md b/windows/security/licensing-and-edition-requirements.md index 34a527cefe..2e2dc3b457 100644 --- a/windows/security/licensing-and-edition-requirements.md +++ b/windows/security/licensing-and-edition-requirements.md @@ -1,8 +1,8 @@ --- -title: Windows security features licensing and edition requirements +title: Windows Security Features Licensing And Edition Requirements description: Learn about Windows licensing and edition requirements for the features included in Windows. ms.topic: conceptual -ms.date: 04/10/2024 +ms.date: 12/02/2024 appliesto: - ✅ Windows 11 ms.author: paoloma diff --git a/windows/security/operating-system-security/data-protection/bitlocker/bcd-settings-and-bitlocker.md b/windows/security/operating-system-security/data-protection/bitlocker/bcd-settings-and-bitlocker.md index 3e29796ff1..826ae7e556 100644 
--- a/windows/security/operating-system-security/data-protection/bitlocker/bcd-settings-and-bitlocker.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/bcd-settings-and-bitlocker.md @@ -2,7 +2,7 @@ title: BCD settings and BitLocker description: Learn how BCD settings are used by BitLocker. ms.topic: reference -ms.date: 06/18/2024 +ms.date: 12/05/2024 --- # Boot Configuration Data settings and BitLocker diff --git a/windows/security/operating-system-security/data-protection/bitlocker/configure.md b/windows/security/operating-system-security/data-protection/bitlocker/configure.md index 7fbff47e8c..5ed1607787 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/configure.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/configure.md @@ -2,7 +2,7 @@ title: Configure BitLocker description: Learn about the available options to configure BitLocker and how to configure them via Configuration Service Providers (CSP) or group policy (GPO). ms.topic: how-to -ms.date: 06/18/2024 +ms.date: 12/05/2024 --- # Configure BitLocker diff --git a/windows/security/operating-system-security/data-protection/bitlocker/countermeasures.md b/windows/security/operating-system-security/data-protection/bitlocker/countermeasures.md index 3eda5bed37..4e0d64f71a 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/countermeasures.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/countermeasures.md @@ -2,7 +2,7 @@ title: BitLocker countermeasures description: Learn about technologies and features to protect against attacks on the BitLocker encryption key. ms.topic: concept-article -ms.date: 06/18/2024 +ms.date: 12/05/2024 --- # BitLocker countermeasures diff --git a/windows/security/operating-system-security/data-protection/bitlocker/csv-san.md b/windows/security/operating-system-security/data-protection/bitlocker/csv-san.md index 80b74ed970..131cf2f9c9 100644 
--- a/windows/security/operating-system-security/data-protection/bitlocker/csv-san.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/csv-san.md @@ -2,7 +2,7 @@ title: Protect cluster shared volumes and storage area networks with BitLocker description: Learn how to protect cluster shared volumes (CSV) and storage area networks (SAN) with BitLocker. ms.topic: how-to -ms.date: 06/18/2024 +ms.date: 12/05/2024 appliesto: - ✅ Windows Server 2025 - ✅ Windows Server 2022 diff --git a/windows/security/operating-system-security/data-protection/bitlocker/faq.yml b/windows/security/operating-system-security/data-protection/bitlocker/faq.yml index b2642afed9..fcbcadf1b9 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/faq.yml +++ b/windows/security/operating-system-security/data-protection/bitlocker/faq.yml @@ -3,7 +3,7 @@ metadata: title: BitLocker FAQ description: Learn more about BitLocker by reviewing the frequently asked questions. ms.topic: faq - ms.date: 06/18/2024 + ms.date: 12/05/2024 title: BitLocker FAQ summary: Learn more about BitLocker by reviewing the frequently asked questions. diff --git a/windows/security/operating-system-security/data-protection/bitlocker/index.md b/windows/security/operating-system-security/data-protection/bitlocker/index.md index 69d9822b91..2b1e13953b 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/index.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/index.md @@ -2,7 +2,7 @@ title: BitLocker overview description: Learn about BitLocker practical applications and requirements. ms.topic: overview -ms.date: 06/18/2024 +ms.date: 12/05/2024 --- # BitLocker overview diff --git a/windows/security/operating-system-security/data-protection/bitlocker/install-server.md b/windows/security/operating-system-security/data-protection/bitlocker/install-server.md index 1e9c124e9c..687f2418cd 100644 
--- a/windows/security/operating-system-security/data-protection/bitlocker/install-server.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/install-server.md @@ -2,7 +2,7 @@ title: Install BitLocker on Windows Server description: Learn how to install BitLocker on Windows Server. ms.topic: how-to -ms.date: 06/18/2024 +ms.date: 12/05/2024 appliesto: - ✅ Windows Server 2025 - ✅ Windows Server 2022 diff --git a/windows/security/operating-system-security/data-protection/bitlocker/network-unlock.md b/windows/security/operating-system-security/data-protection/bitlocker/network-unlock.md index 15119bdf05..ff99a2de31 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/network-unlock.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/network-unlock.md @@ -2,7 +2,7 @@ title: Network Unlock description: Learn how BitLocker Network Unlock works and how to configure it. ms.topic: how-to -ms.date: 06/18/2024 +ms.date: 12/05/2024 --- # Network Unlock diff --git a/windows/security/operating-system-security/data-protection/bitlocker/operations-guide.md b/windows/security/operating-system-security/data-protection/bitlocker/operations-guide.md index 645cf45add..2a6e018234 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/operations-guide.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/operations-guide.md @@ -2,7 +2,7 @@ title: BitLocker operations guide description: Learn how to use different tools to manage and operate BitLocker. ms.topic: how-to -ms.date: 06/18/2024 +ms.date: 12/05/2024 --- # BitLocker operations guide diff --git a/windows/security/operating-system-security/data-protection/bitlocker/planning-guide.md b/windows/security/operating-system-security/data-protection/bitlocker/planning-guide.md index c54ad2e21e..3c563aa624 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/planning-guide.md 
+++ b/windows/security/operating-system-security/data-protection/bitlocker/planning-guide.md @@ -2,7 +2,7 @@ title: BitLocker planning guide description: Learn how to plan for a BitLocker deployment in your organization. ms.topic: concept-article -ms.date: 06/18/2024 +ms.date: 12/05/2024 --- # BitLocker planning guide diff --git a/windows/security/operating-system-security/data-protection/bitlocker/preboot-recovery-screen.md b/windows/security/operating-system-security/data-protection/bitlocker/preboot-recovery-screen.md index aaadd7678e..842b2e94c9 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/preboot-recovery-screen.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/preboot-recovery-screen.md @@ -2,7 +2,7 @@ title: BitLocker preboot recovery screen description: Learn about the information displayed in the BitLocker preboot recovery screen, depending on configured policy settings and recovery keys status. ms.topic: concept-article -ms.date: 06/19/2024 +ms.date: 12/05/2024 --- # BitLocker preboot recovery screen diff --git a/windows/security/operating-system-security/data-protection/bitlocker/recovery-overview.md b/windows/security/operating-system-security/data-protection/bitlocker/recovery-overview.md index 808550018a..3db9407c4b 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/recovery-overview.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/recovery-overview.md @@ -2,7 +2,7 @@ title: BitLocker recovery overview description: Learn about BitLocker recovery scenarios, recovery options, and how to determine root cause of failed automatic unlocks. ms.topic: how-to -ms.date: 06/18/2024 +ms.date: 12/05/2024 --- # BitLocker recovery overview 
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/recovery-process.md b/windows/security/operating-system-security/data-protection/bitlocker/recovery-process.md index a3cded5a34..421165a49b 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/recovery-process.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/recovery-process.md @@ -2,7 +2,7 @@ title: BitLocker recovery process description: Learn how to obtain BitLocker recovery information for Microsoft Entra joined, Microsoft Entra hybrid joined, and Active Directory joined devices, and how to restore access to a locked drive. ms.topic: how-to -ms.date: 07/18/2024 +ms.date: 12/05/2024 --- # BitLocker recovery process @@ -26,6 +26,9 @@ A recovery key can't be stored in any of the following locations: - The root directory of a nonremovable drive - An encrypted volume +> [!WARNING] +> A recovery key is sensitive information that allows users to unlock an encrypted drive and perform administrative tasks on the drive. For enhanced security, it's recommended to enable self-service in trusted environments only, or rely on helpdesk recovery. + ### Self-recovery with recovery password If you have access to the recovery key, enter the 48-digits in the preboot recovery screen. diff --git a/windows/security/operating-system-security/data-protection/configure-s-mime.md b/windows/security/operating-system-security/data-protection/configure-s-mime.md index 7781de30a9..ef44453923 100644 --- a/windows/security/operating-system-security/data-protection/configure-s-mime.md +++ b/windows/security/operating-system-security/data-protection/configure-s-mime.md 
@@ -1,8 +1,8 @@ --- -title: Configure S/MIME for Windows +title: Configure S/MIME For Windows description: S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients with a digital ID, also known as a certificate, can read them. Learn how to configure S/MIME for Windows. ms.topic: how-to -ms.date: 04/10/2024 +ms.date: 12/02/2024 --- @@ -68,4 +68,4 @@ When you receive a signed email, the app provides a feature to install correspon 1. Select the digital signature icon in the reading pane 1. Select **Install.** - :::image type="content" alt-text="Screenshot of the Windows Mail app, showing a message to install the sender's encryption certificate." source="images/install-cert.png"::: + :::image type="content" alt-text="Screenshot of the Windows Mail app, showing a message to install the sender's encryption certificate." source="images/install-cert.png"::: diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md index 03607ce506..2f0191609b 100644 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md 
@@ -25,11 +25,11 @@ Unlike BitLocker that releases data encryption keys at boot, Personal Data Encry To use Personal Data Encryption, the following prerequisites must be met: - Windows 11, version 22H2 and later -- The devices must be [Microsoft Entra joined][AAD-1]. Domain-joined and Microsoft Entra hybrid joined devices aren't supported +- The devices must be [Microsoft Entra joined][ENTRA-1] or [Microsoft Entra hybrid joined][ENTRA-2]. Domain-joined devices aren't supported - Users must sign in using [Windows Hello for Business](../../../identity-protection/hello-for-business/index.md) > [!IMPORTANT] -> If you sign in with a password or a [security key][AAD-2], you can't access Personal Data Encryption protected content. +> If you sign in with a password or a [FIDO2 security key][ENTRA-3], you can't access Personal Data Encryption protected content. [!INCLUDE [personal-data-encryption-pde](../../../../../includes/licensing/personal-data-encryption-pde.md)] @@ -111,5 +111,6 @@ Certain Windows applications support Personal Data Encryption out of the box. If -[AAD-1]: /azure/active-directory/devices/concept-azure-ad-join -[AAD-2]: /azure/active-directory/authentication/howto-authentication-passwordless-security-key +[ENTRA-1]: /entra/identity/devices/concept-directory-join +[ENTRA-2]: /entra/identity/devices/concept-hybrid-join +[ENTRA-3]: /entra/identity/authentication/howto-authentication-passwordless-security-key-windows#sign-in-with-fido2-security-key diff --git a/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line.md b/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line.md index 61084f5184..85561cf109 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line.md 
@@ -32,19 +32,19 @@ netsh.exe advfirewall set allprofiles state on ### Control Windows Firewall behavior The global default settings can be defined through the command-line interface. These modifications are also available through the Windows Firewall console. -The following scriptlets set the default inbound and outbound actions, specifies protected network connections, and allows notifications to be displayed to the user when a program is blocked from receiving inbound connections. It allows unicast response to multicast or broadcast network traffic, and it specifies logging settings for troubleshooting. +The following scriptlets set the default inbound and outbound actions, specifies protected network connections, and disallows notifications to be displayed to the user when a program is blocked from receiving inbound connections. It allows unicast response to multicast or broadcast network traffic, and it specifies logging settings for troubleshooting. # [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell) ```powershell -Set-NetFirewallProfile -DefaultInboundAction Block -DefaultOutboundAction Allow -NotifyOnListen True -AllowUnicastResponseToMulticast True -LogFileName %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log +Set-NetFirewallProfile -DefaultInboundAction Block -DefaultOutboundAction Allow -NotifyOnListen False -AllowUnicastResponseToMulticast True -LogFileName %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log ``` # [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd) ```cmd netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound -netsh advfirewall set allprofiles settings inboundusernotification enable +netsh advfirewall set allprofiles settings inboundusernotification disable netsh advfirewall set allprofiles settings unicastresponsetomulticast enable netsh advfirewall set allprofiles logging filename %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log ``` 
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/rules.md b/windows/security/operating-system-security/network-security/windows-firewall/rules.md index 3daf29314e..64b6580098 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/rules.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/rules.md 
@@ -30,11 +30,13 @@ When first installed, network applications and services issue a *listen call* sp :::row::: :::column span="2"::: - If there's no active application or administrator-defined allow rule(s), a dialog box prompts the user to either allow or block an application's packets the first time the app is launched or tries to communicate in the network: - - - If the user has admin permissions, they're prompted. If they respond *No* or cancel the prompt, block rules are created. Two rules are typically created, one each for TCP and UDP traffic - - If the user isn't a local admin, they won't be prompted. In most cases, block rules are created + If there's no active application or administrator-defined allow rule(s), a dialog box prompts the user to either allow or block an application's packets the first time the app is launched or tries to communicate in the network: + +- If the user has admin permissions, they're prompted. If they respond *No* or cancel the prompt, block rules are created. Two rules are typically created, one each for TCP and UDP traffic +- If the user isn't a local admin and they are prompted, block rules are created. It doesn't matter what option is selected +To disable the notification prompt, you can use the [command line](/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line) or the **Windows Firewall with Advanced Security** console + :::column-end::: :::column span="2"::: :::image type="content" source="images/uac.png" alt-text="Screenshot showing the User Account Control (UAC) prompt to allow Microsoft Teams." border="false"::: diff --git a/windows/security/security-foundations/certification/toc.yml b/windows/security/security-foundations/certification/toc.yml index 33099035c3..98c1522666 100644 --- a/windows/security/security-foundations/certification/toc.yml +++ b/windows/security/security-foundations/certification/toc.yml 
@@ -9,6 +9,8 @@ items: href: validations/fips-140-windows10.md - name: Previous Windows releases href: validations/fips-140-windows-previous.md + - name: Windows Server 2022 + href: validations/fips-140-windows-server-2022.md - name: Windows Server 2019 href: validations/fips-140-windows-server-2019.md - name: Windows Server 2016 @@ -32,4 +34,4 @@ items: - name: Windows Server semi-annual releases href: validations/cc-windows-server-semi-annual.md - name: Previous Windows Server releases - href: validations/cc-windows-server-previous.md \ No newline at end of file + href: validations/cc-windows-server-previous.md diff --git a/windows/security/security-foundations/certification/validations/cc-windows-previous.md b/windows/security/security-foundations/certification/validations/cc-windows-previous.md index 8d5cd8c275..d648de3a05 100644 --- a/windows/security/security-foundations/certification/validations/cc-windows-previous.md +++ b/windows/security/security-foundations/certification/validations/cc-windows-previous.md 
@@ -30,14 +30,14 @@ The following tables list the completed Common Criteria certifications for Windo |Product details |Date |Scope |Documents | |---------|---------|---------|---------| -|Validated editions: Enterprise, Ultimate. |March 24, 2011 |Certified against the Protection Profile for General Purpose Operating Systems. |[Security Target][security-target-march-2011]; [Administrative Guide][admin-guide-march-2011]; [Certification Report][certification-report-march-2011] | +|Validated editions: Enterprise, Ultimate. |March 24, 2011 |Certified against the Protection Profile for General Purpose Operating Systems. |[Security Target][security-target-march-2011]; [Certification Report][certification-report-march-2011] | ## Windows Vista |Product details |Date |Scope |Documents | |---------|---------|---------|---------| -|Validated edition: Enterprise. |August 15, 2009 |EAL 4. Controlled Access Protection Profile. CC Part 2: security functional requirements. CC Part 3: security assurance requirements. |[Security Target][security-target-august-2009]; [Administrative Guide][admin-guide-august-2009]; [Certification Report][certification-report-august-2009] | -|Validated edition: Enterprise. |September 17, 2008 |EAL 1. CC Part 2: security functional requirements. CC Part 3: security assurance requirements. |[Security Target][security-target-september-2008]; [Administrative Guide][admin-guide-september-2008]; [Certification Report][certification-report-september-2008] | +|Validated edition: Enterprise. |August 15, 2009 |EAL 4. Controlled Access Protection Profile. CC Part 2: security functional requirements. CC Part 3: security assurance requirements. |[Security Target][security-target-august-2009]; [Certification Report][certification-report-august-2009] | +|Validated edition: Enterprise. |September 17, 2008 |EAL 1. CC Part 2: security functional requirements. CC Part 3: security assurance requirements. 
|[Security Target][security-target-september-2008]; [Certification Report][certification-report-september-2008] | --- @@ -65,9 +65,6 @@ The following tables list the completed Common Criteria certifications for Windo [admin-guide-january-2015-rt]: https://download.microsoft.com/download/8/6/e/86e8c001-8556-4949-90cf-f5beac918026/microsoft%20windows%208%20microsoft%20windows%20rt%20common%20criteria%20supplemental%20admin.docx [admin-guide-april-2014]: https://download.microsoft.com/download/0/8/4/08468080-540b-4326-91bf-f2a33b7e1764/administrative%20guidance%20for%20software%20full%20disk%20encryption%20clients.pdf [admin-guide-january-2014]: https://download.microsoft.com/download/a/9/f/a9fd7e2d-023b-4925-a62f-58a7f1a6bd47/microsoft%20windows%208%20windows%20server%202012%20supplemental%20admin%20guidance%20ipsec%20vpn%20client.docx -[admin-guide-march-2011]: https://www.microsoft.com/downloads/en/details.aspx?familyid=ee05b6d0-9939-4765-9217-63083bb94a00 -[admin-guide-august-2009]: https://www.microsoft.com/downloads/en/details.aspx?familyid=06166288-24c4-4c42-9daa-2b2473ddf567 -[admin-guide-september-2008]: https://www.microsoft.com/downloads/en/details.aspx?familyid=06166288-24c4-4c42-9daa-2b2473ddf567 diff --git a/windows/whats-new/deprecated-features-resources.md b/windows/whats-new/deprecated-features-resources.md index 7c53798b03..87ff332844 100644 --- a/windows/whats-new/deprecated-features-resources.md +++ b/windows/whats-new/deprecated-features-resources.md 
@@ -34,7 +34,7 @@ Customers concerned about NTLM usage in their environments are encouraged to uti In many cases, applications should be able to replace NTLM with Negotiate using a one-line change in their `AcquireCredentialsHandle` request to the SSPI. One known exception is for applications that have made hard assumptions about the maximum number of round trips needed to complete authentication. In most cases, Negotiate will add at least one additional round trip. Some scenarios may require additional configuration. For more information, see [Kerberos authentication troubleshooting guidance](/troubleshoot/windows-server/windows-security/kerberos-authentication-troubleshooting-guidance). -Negotiate's built-in fallback to NTLM is preserved to mitigate compatibility issues during this transition. For updates on NTLM deprecation, see [https://aka.ms/ntlm](https://aka.ms/ntlm). +Negotiate's built-in fallback to NTLM is preserved to mitigate compatibility issues during this transition. For updates on NTLM deprecation, see [https://aka.ms/ntlm](https://aka.ms/ntlm). ## WordPad diff --git a/windows/whats-new/deprecated-features.md b/windows/whats-new/deprecated-features.md index 386b0a681f..568b781fc7 100644 --- a/windows/whats-new/deprecated-features.md +++ b/windows/whats-new/deprecated-features.md @@ -1,7 +1,7 @@ --- title: Deprecated features in the Windows client description: Review the list of features that Microsoft is no longer actively developing in Windows 10 and Windows 11. -ms.date: 11/14/2024 +ms.date: 12/12/2024 ms.service: windows-client ms.subservice: itpro-fundamentals ms.localizationpriority: medium 
@@ -47,11 +47,12 @@ The features in this article are no longer being actively developed, and might b | Feature | Details and mitigation | Deprecation announced | |---|---|---| +| Suggested actions | Suggested actions that appear when you copy a phone number or future date in Windows 11 are deprecated and will be removed in a future Windows 11 update. | December 2024 | | Legacy DRM services | Legacy DRM services, used by either Windows Media Player, Silverlight clients, Windows 7, or Windows 8 clients are deprecated. The following functionality won't work when these services are fully retired:
  • Playback of protected content in the legacy Windows Media Player on Windows 7
  • Playback of protected content in a Silverlight client and Windows 8 clients
  • In-home streaming playback from a Silverlight client or Windows 8 client to an Xbox 360
  • Playback of protected content ripped from a personal CD on Windows 7 clients using Windows Media Player
| September 2024 | | Paint 3D | Paint 3D is deprecated and will be removed from the Microsoft Store on November 4, 2024. To view and edit 2D images, you can use [Paint](https://apps.microsoft.com/detail/9pcfs5b6t72h) or [Photos](https://apps.microsoft.com/detail/9wzdncrfjbh4). For viewing 3D content, you can use [3D Viewer](https://apps.microsoft.com/detail/9nblggh42ths). For more information, see [Resources for deprecated features](deprecated-features-resources.md#paint-3d). | August 2024 | | Adobe Type1 fonts | Adobe PostScript Type1 fonts are deprecated and support will be removed in a future release of Windows.

In January 2023, Adobe announced the [end of support for PostScript Type1 fonts](https://helpx.adobe.com/fonts/kb/postscript-type-1-fonts-end-of-support.html) for their latest software offerings. Remove any dependencies on this font type by selecting a supported font type. To display currently installed fonts, go to **Settings** > **Personalization** > **Fonts**. Application developers and content owners should test their apps and data files with the Adobe Type1 fonts removed. For more information, contact the application vendor or Adobe. | August 2024 | | DirectAccess | DirectAccess is deprecated and will be removed in a future release of Windows. We recommend [migrating from DirectAccess to Always On VPN](/windows-server/remote/remote-access/da-always-on-vpn-migration/da-always-on-migration-overview). | June 2024 | -| NTLM | All versions of [NTLM](/windows/win32/secauthn/microsoft-ntlm), including LANMAN, NTLMv1, and NTLMv2, are no longer under active feature development and are deprecated. Use of NTLM will continue to work in the next release of Windows Server and the next annual release of Windows. Calls to NTLM should be replaced by calls to Negotiate, which will try to authenticate with Kerberos and only fall back to NTLM when necessary. For more information, see [Resources for deprecated features](deprecated-features-resources.md). | June 2024 | +| NTLM | All versions of [NTLM](/windows/win32/secauthn/microsoft-ntlm), including LANMAN, NTLMv1, and NTLMv2, are no longer under active feature development and are deprecated. Use of NTLM will continue to work in the next release of Windows Server and the next annual release of Windows. Calls to NTLM should be replaced by calls to Negotiate, which will try to authenticate with Kerberos and only fall back to NTLM when necessary. For more information, see, [Resources for deprecated features](deprecated-features-resources.md).

**[Update - November 2024]**: NTLMv1 is [removed](removed-features.md) starting in Windows 11, version 24H2 and Windows Server 2025. | June 2024 | | Driver Verifier GUI (verifiergui.exe) | Driver Verifier GUI, verifiergui.exe, is deprecated and will be removed in a future version of Windows. You can use the [Verifier Command Line](/windows-hardware/drivers/devtest/verifier-command-line) (verifier.exe) instead of the Driver Verifier GUI.| May 2024 | | NPLogonNotify and NPPasswordChangeNotify APIs | Starting in Windows 11, version 24H2, the inclusion of password payload in MPR notifications is set to disabled by default through group policy in [NPLogonNotify](/windows/win32/api/npapi/nf-npapi-nplogonnotify) and [NPPasswordChangeNotify](/windows/win32/api/npapi/nf-npapi-nppasswordchangenotify) APIs. The APIs may be removed in a future release. The primary reason for disabling this feature is to enhance security. When enabled, these APIs allow the caller to retrieve a user's password, presenting potential risks for password exposure and harvesting by malicious users. To include password payload in MPR notifications, set the [EnableMPRNotifications](/windows/client-management/mdm/policy-csp-windowslogon#enablemprnotifications) policy to `enabled`.| March 2024 | | TLS server authentication certificates using RSA keys with key lengths shorter than 2048 bits | Support for certificates using RSA keys with key lengths shorter than 2048 bits will be deprecated. Internet standards and regulatory bodies disallowed the use of 1024-bit keys in 2013, recommending specifically that RSA keys should have a key length of 2048 bits or longer. For more information, see [Transitioning of Cryptographic Algorithms and Key Sizes - Discussion Paper (nist.gov)](https://csrc.nist.gov/CSRC/media/Projects/Key-Management/documents/transitions/Transitioning_CryptoAlgos_070209.pdf). 
This deprecation focuses on ensuring that all RSA certificates used for TLS server authentication must have key lengths greater than or equal to 2048 bits to be considered valid by Windows.

TLS certificates issued by enterprise or test certification authorities (CA) aren't impacted with this change. However, we recommend that they be updated to RSA keys greater than or equal to 2048 bits as a security best practice. This change is necessary to preserve security of Windows customers using certificates for authentication and cryptographic purposes.| March 2024| @@ -75,7 +76,7 @@ The features in this article are no longer being actively developed, and might b | Microsoft Support Diagnostic Tool (MSDT) | [MSDT](/windows-server/administration/windows-commands/msdt) is deprecated and will be removed in a future release of Windows. MSDT is used to gather diagnostic data for analysis by support professionals. For more information, see [Resources for deprecated features](deprecated-features-resources.md) | January 2023 | | Universal Windows Platform (UWP) Applications for 32-bit Arm | This change is applicable only to devices with an Arm processor, for example Snapdragon processors from Qualcomm. If you have a PC built with a processor from Intel or AMD, this content isn't applicable. If you aren't sure which type of processor you have, check **Settings** > **System** > **About**.

Support for 32-bit Arm versions of applications will be removed in a future release of Windows 11. After this change, for the small number of applications affected, app features might be different and you might notice a difference in performance. For more technical details about this change, see [Update app architecture from Arm32 to Arm64](/windows/arm/arm32-to-arm64). | January 2023 | | Update Compliance | [Update Compliance](/windows/deployment/update/update-compliance-monitor), a cloud-based service for the Windows client, is no longer being developed. This service was replaced with [Windows Update for Business reports](/windows/deployment/update/wufb-reports-overview), which provides reporting on client compliance with Microsoft updates from the Azure portal. | November 2022| -| Windows Information Protection | [Windows Information Protection](/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip) will no longer be developed in future versions of Windows. For more information, see [Announcing sunset of Windows Information Protection (WIP)](https://go.microsoft.com/fwlink/?linkid=2202124).

For your data protection needs, Microsoft recommends that you use [Microsoft Purview Information Protection](/microsoft-365/compliance/information-protection) and [Microsoft Purview Data Loss Prevention](/microsoft-365/compliance/dlp-learn-about-dlp). | July 2022 | +| Windows Information Protection | [Windows Information Protection](/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip) will no longer be developed in future versions of Windows. For more information, see [Announcing sunset of Windows Information Protection (WIP)](https://go.microsoft.com/fwlink/?linkid=2202124).

For your data protection needs, Microsoft recommends that you use [Microsoft Purview Information Protection](/microsoft-365/compliance/information-protection) and [Microsoft Purview Data Loss Prevention](/microsoft-365/compliance/dlp-learn-about-dlp).

Windows Information Protection is removed starting in Windows 11, version 24H2. | July 2022 | | BitLocker To Go Reader | **Note: BitLocker to Go as a feature is still supported.**
Reading of BitLocker-protected removable drives ([BitLocker To Go](/windows/security/information-protection/bitlocker/bitlocker-to-go-faq)) from Windows XP or Windows Vista in later operating systems is deprecated and might be removed in a future release of Windows client.
The following items might not be available in a future release of Windows client:
- ADMX policy: **Allow access to BitLocker-protected removable data drives from earlier versions of Windows**
- Command line parameter: [`manage-bde -DiscoveryVolumeType`](/windows-server/administration/windows-commands/manage-bde-on) (-dv)
- Catalog file: **c:\windows\BitLockerDiscoveryVolumeContents**
- BitLocker 2 Go Reader app: **bitlockertogo.exe** and associated files | 21H1 | | Personalization roaming | Roaming of Personalization settings (including wallpaper, slideshow, accent colors, and lock screen images) is no longer being developed and might be removed in a future release. | 21H1 | | Windows Management Instrumentation command-line (WMIC) utility. | The WMIC utility is deprecated in Windows 10, version 21H1 and the 21H1 General Availability Channel release of Windows Server. This utility is superseded by [Windows PowerShell for WMI](/powershell/scripting/learn/ps101/07-working-with-wmi). Note: This deprecation applies to only the [command-line management utility](/windows/win32/wmisdk/wmic). WMI itself isn't affected.

**[Update - January 2024]**: Currently, WMIC is a Feature on Demand (FoD) that's [preinstalled by default](/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod#wmic) in Windows 11, versions 23H2 and 22H2. In the next release of Windows, the WMIC FoD will be disabled by default. | 21H1 | diff --git a/windows/whats-new/removed-features.md b/windows/whats-new/removed-features.md index 461b15d644..991c787969 100644 --- a/windows/whats-new/removed-features.md +++ b/windows/whats-new/removed-features.md @@ -8,7 +8,7 @@ ms.author: mstewart manager: aaroncz ms.topic: reference ms.subservice: itpro-fundamentals -ms.date: 08/23/2024 +ms.date: 12/09/2024 ms.collection: - highpri - tier1 
@@ -38,6 +38,8 @@ The following features and functionalities have been removed from the installed |Feature | Details and mitigation | Support removed | | ----------- | --------------------- | ------ | +| NTLMv1 | NTLMv1 is removed starting in Windows 11, version 24H2 and Windows Server 2025. | 24H2 | +| Windows Information Protection | Windows Information Protection is removed starting in Windows 11, version 24H2. | 24H2 | | Microsoft Defender Application Guard for Edge | [Microsoft Defender Application Guard](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview), including the [Windows Isolated App Launcher APIs](/windows/win32/api/isolatedapplauncher/), is deprecated for Microsoft Edge for Business and is no longer available starting with Windows 11, version 24H2. | 24H2 | | WordPad | WordPad is removed from all editions of Windows starting in Windows 11, version 24H2 and Windows Server 2025. We recommend Microsoft Word for rich text documents like .doc and .rtf and Windows Notepad for plain text documents like .txt. If you're a developer and need information about the affected binaries, see [Resources for deprecated features](deprecated-features-resources.md#wordpad). | October 1, 2024 | | Alljoyn | Microsoft's implementation of AllJoyn, which included the [Windows.Devices.AllJoyn API namespace](/uwp/api/windows.devices.alljoyn), a [Win32 API](/windows/win32/api/_alljoyn/), a [management configuration service provider (CSP)](/windows/client-management/mdm/alljoynmanagement-csp), and an [Alljoyn Router Service](/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#alljoyn-router-service) is retired. 
[AllJoyn](https://openconnectivity.org/technology/reference-implementation/alljoyn/), sponsored by AllSeen Alliance, was an open source discovery and communication protocol for Internet of Things scenarios such as turning on/off lights or reading temperatures. AllSeen Alliance promoted the AllJoyn project from 2013 until 2016 when it merged with the Open Connectivity Foundation (OCF), the sponsors of [Iotivity.org](https://iotivity.org/), another protocol for Internet of Things scenarios. Customers should refer to the [Iotivity.org](https://iotivity.org/) website for alternatives such as [Iotivity Lite](https://github.com/iotivity/iotivity-lite) or [Iotivity](https://github.com/iotivity/iotivity). | October 1, 2024 | diff --git a/windows/whats-new/whats-new-windows-11-version-24h2.md b/windows/whats-new/whats-new-windows-11-version-24h2.md index a812a10180..a5f7acda5a 100644 --- a/windows/whats-new/whats-new-windows-11-version-24h2.md +++ b/windows/whats-new/whats-new-windows-11-version-24h2.md @@ -242,5 +242,6 @@ The following developer APIs were added or updated: The following [deprecated features](deprecated-features.md) are [removed](removed-features.md) in Windows 11, version 24H2: +- **NTLMv1**: NTLMv1 is removed starting in Windows 11, version 24H2 and Windows Server 2025. - **WordPad**: WordPad is removed from all editions of Windows starting in Windows 11, version 24H2 and Windows Server 2025. - **Alljoyn**: Microsoft's implementation of AllJoyn, which included the [Windows.Devices.AllJoyn API namespace](/uwp/api/windows.devices.alljoyn), a [Win32 API](/windows/win32/api/_alljoyn/), a [management configuration service provider (CSP)](/windows/client-management/mdm/alljoynmanagement-csp), and an [Alljoyn Router Service](/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#alljoyn-router-service) is retired. 
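Review bot: the `@@ -242,5 +242,6 @@` hunk of whats-new-windows-11-version-24h2.md adds only an NTLMv1 bullet, yet this same patch also adds a Windows Information Protection row to removed-features.md with support removed in 24H2; since the list introducing this hunk claims to enumerate the deprecated features removed in Windows 11, version 24H2, add a matching `- **Windows Information Protection**: Windows Information Protection is removed starting in Windows 11, version 24H2.` bullet so the two pages stay in sync.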
diff --git a/windows/whats-new/windows-licensing.md b/windows/whats-new/windows-licensing.md index fef13ecd5b..c50c610a28 100644 --- a/windows/whats-new/windows-licensing.md +++ b/windows/whats-new/windows-licensing.md @@ -1,5 +1,5 @@ --- -title: Windows commercial licensing overview +title: Windows Commercial Licensing Overview description: Learn about products and use rights available through Windows commercial licensing. ms.subservice: itpro-security author: paolomatarazzo @@ -8,7 +8,7 @@ manager: aaroncz ms.collection: - tier2 ms.topic: overview -ms.date: 02/29/2024 +ms.date: 12/02/2024 appliesto: - ✅ Windows 11 ms.service: windows-client
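Review bot: the rewritten NTLM row in the first deprecated-features.md hunk introduces a stray comma in `For more information, see, [Resources for deprecated features](deprecated-features-resources.md).`; the `-` line read `see [Resources ...]`, so drop the comma. The `**[Update - November 2024]**:` paragraph itself is fine and follows the same convention the WMIC row further down already uses.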
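Review bot: the line added to the Windows Information Protection row in the `@@ -75,7 +76,7 @@` hunk of deprecated-features.md, `Windows Information Protection is removed starting in Windows 11, version 24H2.`, does not follow the update convention used elsewhere in this table; write it as `**[Update - November 2024]**: Windows Information Protection is [removed](removed-features.md) starting in Windows 11, version 24H2.` so it matches the NTLM row changed in this same patch and sends readers to the removed-features page.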
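Review bot: in the `@@ -38,6 +38,8 @@` hunk of removed-features.md, the two new rows fill only the "details" half of the `Details and mitigation` column: the NTLMv1 row says nothing about what callers should use instead, and the WIP row names no replacement. The deprecated-features.md entries in this same patch already carry that guidance (replace NTLM calls with Negotiate, which tries Kerberos first; use Microsoft Purview Information Protection and Microsoft Purview Data Loss Prevention instead of WIP), so repeat or link it here, where an admin investigating a failed NTLMv1 logon after upgrading to 24H2 will look first; the WordPad row's link to `[Resources for deprecated features](deprecated-features-resources.md)` is the pattern to follow.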
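Review bot: the windows-licensing.md hunk changes the front-matter `title` from `Windows commercial licensing overview` to `Windows Commercial Licensing Overview`, switching the rendered page title to Title Case while the `description` on the next line stays sentence case; if the intent was only the `ms.date` bump, revert the title line, otherwise confirm the capitalization change is deliberate, since it alters the page heading and the link text shown wherever the page is referenced.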